VBscript and impersonation

Jim Andersen

I've tried to run a VBscript with elevated privileges, but with no success.
My code works fine, except if I try to run it using impersonation.

Has anyone made it work? Will you try it on your installation to see if it
works? Shouldn't take more than a few minutes.

I have used the "Impersonation" setting in web.config.
I have tried Process.Start and specified username/password in
StartupInformation

When supplying username/password to Process.Start it calls an unmanaged API,
LogonUser, so I also tried calling that directly.

But vbscript simply won't start.
It gives me this error:
Microsoft Windows scripting version 5.6 (etc... the banner-info) followed by
"Windows Script Host"...
"Can't find script engine 'VBScript' for 'C:\test.vbs'."

or "application failed to initialize properly (0x0000142)"

Googling for these suggested installing the latest version of vbscript, or
re-installing, or messing with registry-keys but nothing helped.

This is the code for a webform with a label and a button:
    ' Code-behind for the web form; requires Imports System.Diagnostics.
    Protected Sub knpCommit_Click(ByVal sender As Object, ByVal e As System.EventArgs) Handles knpCommit.Click
        Dim myProcess As New Process
        Dim output As String

        ' Launch cscript.exe directly (no shell) so stdout can be captured.
        With myProcess.StartInfo
            .FileName = "c:\windows\system32\cscript.exe"
            .Arguments = "c:\TestScript.vbs"
            .UseShellExecute = False
            .RedirectStandardOutput = True
        End With

        myProcess.Start()
        Me.Label1.Text = "efter start"
        ' Read the script's output before waiting, then show it in the label.
        output = myProcess.StandardOutput.ReadToEnd()
        myProcess.WaitForExit()
        Me.Label1.Text = output

        myProcess.Dispose()

    End Sub

With this in web.config it fails:
<identity impersonate="true" userName="myDomain\myUserName"
password="MyPassWord" />

This is the script in c:\TestScript.vbs:
' Log the account the script runs as to a file and to stdout.
Set objFSO = CreateObject("Scripting.FileSystemObject")
' 2 = ForWriting
Set objFile = objFSO.OpenTextFile("C:\ScriptLog.txt", 2)

Set WshNetwork = WScript.CreateObject("WScript.Network")
objFile.WriteLine WshNetwork.UserName
objFile.Close
WScript.Echo "Testscript 1: Username: " & WshNetwork.UserName
 
Joe Kaplan

Are you using .NET 1.x or 2.0? Impersonation does not extend to the
credentials used for new process creation, so that is why that isn't
working. However, in .NET 2.0 that Start method now takes credentials to
solve this problem.

Joe K.
 
Jim Andersen

Joe said:
Are you using .NET 1.x or 2.0?

2.0

Impersonation does not extend to the
credentials used for new process creation, so that is why that isn't
working.

ok.

However, in .NET 2.0 that Start method now takes
credentials to solve this problem.

Do you mean Process.Start? That doesn't work either. As you can see from my
example.

/jim
 
Joe Kaplan

Can you tell if it is actually starting cscript with the correct user
account? If so, then the problem might be related to the user profile
getting loaded or not. I can't think of a reason why Process.Start with
credentials wouldn't work otherwise though.

You might consider using filemon and regmon to try to see what files and
registry keys are accessed or fail to load in both a working and non-working
scenario in order to get a handle on what the key difference is.

Sorry,

Joe K.
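
Added example, not code from the thread: a console harness in VB.NET (.NET 2.0) that starts the thread's cscript.exe and c:\TestScript.vbs under explicit credentials with the user profile loaded, so the account and the exit code can be checked outside IIS. The module name, the helper names and the console password prompt are assumptions; myDomain\myUserName are the placeholders from the question.

```vbnet
Imports System
Imports System.ComponentModel
Imports System.Diagnostics
Imports System.Security
Imports System.Text

' Hypothetical test harness (names are assumptions, not from the thread).
Module RunScriptAsUser

    ' stderr is collected asynchronously so that reading stdout with
    ' ReadToEnd cannot deadlock against a full stderr pipe.
    Private errText As New StringBuilder()

    Private Sub OnErrorData(ByVal sender As Object, ByVal e As DataReceivedEventArgs)
        If e.Data IsNot Nothing Then errText.AppendLine(e.Data)
    End Sub

    ' Reads the password from the console without echoing it, so it is not
    ' kept in web.config or in source code.
    Function ReadPassword() As SecureString
        Dim pw As New SecureString()
        Do
            Dim key As ConsoleKeyInfo = Console.ReadKey(True)
            If key.Key = ConsoleKey.Enter Then Exit Do
            If key.Key = ConsoleKey.Backspace Then
                If pw.Length > 0 Then pw.RemoveAt(pw.Length - 1)
            Else
                pw.AppendChar(key.KeyChar)
            End If
        Loop
        pw.MakeReadOnly()
        Return pw
    End Function

    ' Starts exe under the given account and returns its exit code.
    Function RunAs(ByVal domain As String, ByVal user As String, _
                   ByVal password As SecureString, ByVal exe As String, _
                   ByVal args As String, ByRef stdOut As String) As Integer
        Dim psi As New ProcessStartInfo(exe, args)
        psi.UseShellExecute = False          ' required when UserName is set
        psi.CreateNoWindow = True
        psi.RedirectStandardOutput = True
        psi.RedirectStandardError = True
        psi.Domain = domain
        psi.UserName = user
        psi.Password = password
        psi.LoadUserProfile = True           ' load the account's profile (HKCU)
        ' Explicit working directory that the target account can read.
        psi.WorkingDirectory = Environment.SystemDirectory

        Using p As New Process()
            p.StartInfo = psi
            AddHandler p.ErrorDataReceived, AddressOf OnErrorData
            p.Start()
            p.BeginErrorReadLine()
            stdOut = p.StandardOutput.ReadToEnd()
            p.WaitForExit()
            Return p.ExitCode
        End Using
    End Function

    Sub Main()
        Console.Write("Password for myDomain\myUserName: ")
        Dim pw As SecureString = ReadPassword()
        Console.WriteLine()
        Try
            Dim output As String = Nothing
            Dim code As Integer = RunAs("myDomain", "myUserName", pw, _
                "c:\windows\system32\cscript.exe", _
                "//NoLogo c:\TestScript.vbs", output)

            Console.WriteLine("Exit code: 0x" & Hex(code))
            Console.WriteLine("stdout: " & output)
            Console.WriteLine("stderr: " & errText.ToString())

            ' 0xC0000142 is STATUS_DLL_INIT_FAILED: the process was created
            ' under the account but failed while initializing its DLLs.
            If code = &HC0000142 Then
                Console.WriteLine("Child process failed to initialize.")
            End If
        Catch ex As Win32Exception
            ' Logon or process-creation failures are reported here.
            Console.WriteLine("Process.Start failed, Win32 error " & _
                ex.NativeErrorCode & ": " & ex.Message)
        Finally
            pw.Dispose()
        End Try
    End Sub

End Module
```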
 
Jim Andersen

Joe said:
Can you tell if it is actually starting cscript with the correct user
account?

I don't see how? I use the script to do that (echoing USERNAME to std_out
and a file), but the script doesn't run :)

If so, then the problem might be related to the user profile
getting loaded or not.

I am not that much into User Profiles and the loading of them.

You might consider using filemon and regmon to try to see what files
and registry keys are accessed or fail to load in both a working and
non-working scenario in order to get a handle on what the key
difference is.

That road is probably a dead end. It will most likely mean I have to do
changes to the registry and security settings and what not, on the server.
I'm not ready for that battle, with the server's admin. I'll just have to
write my scripts to a queue-file, and use Scheduler to run a job with RunAs
that executes my scripts.

Would have been nice to be able to do it in real-time, and tell the user the
result immediately instead of having him wait until the Scheduler runs the
job.

/jim
 
Joe Kaplan

Filemon and regmon are just diagnostic tools that may help you figure out
what actually isn't working. It doesn't necessarily mean you have to do
anything specific except put them on the server and run them when your code
executes. However, if you don't want to mess with that, I can understand.

Regarding figuring out if cscript is launching with the correct user, I was
thinking of using some sort of external process monitoring tool like task
manager or process explorer to see what is going on there.

Sorry I didn't have any better ideas, but without knowing exactly why it
isn't working, it is hard to give you recommendations.

Joe K.
 
Jim Andersen

Hi Joe,

Joe said:
Filemon and regmon are just diagnostic tools that may help you figure
out what actually isn't working. It doesn't necessarily mean you
have to do anything specific except put them on the server and run
them when your code executes.

I understand that. But the only thing they can tell me is either that
everything seems to work, or that some registry keys are missing, and that
some security settings need to be altered from their default settings. And
then I would have to fight with our security/server-manager to have these
changes approved.

However, if you don't want to mess
with that, I can understand.

:)

Regarding figuring out if cscript is launching with the correct user,
I was thinking of using some sort of external process monitoring tool
like task manager or process explorer to see what is going on there.

I could do that.... but then again, I could be in a position where I could
see it runs as the specific user, but not knowing if the User Profile also
was loaded....

Sorry I didn't have any better ideas, but without knowing exactly why
it isn't working, it is hard to give you recommendations.

I was hoping someone would try this at home, and see if it was just me. If I
knew someone else could make this work, and I wasn't flogging a dead horse,
I might try investigating.

thx for your time

/jim
 
glenn

If you all are interested, I am pretty much in the same situation. Running a .NET 2.0 web service on IIS5 on XP Pro (because I didn't have time to upgrade to 2003). I'm trying to use Process.Start under a particular user/account and am getting the same error dialog "The application failed to initialize properly (0xc0000142)....."

The app shows up in the task manager with the correct user while immediately showing the error dialog. I have installed Process Monitor (FileMon and RegMon were deprecated). The trace is below. Could it be something with the Local Security Settings?

Glenn

Here's the trace:
13971 7:37:36.1932902 PM FinSci.LELauncher.exe 1008 ReadFile C:\WINDOWS\system32\kernel32.dll SUCCESS Offset: 0, Length: 16,384
13975 7:37:36.1935281 PM FinSci.LELauncher.exe 1008 ReadFile C:\WINDOWS\system32\kernel32.dll SUCCESS Offset: 978,944, Length: 5,120
13979 7:37:36.1936827 PM FinSci.LELauncher.exe 1008 ReadFile C:\WINDOWS\system32\kernel32.dll SUCCESS Offset: 41,984, Length: 4,096
13981 7:37:36.1938683 PM FinSci.LELauncher.exe 1008 ReadFile C:\WINDOWS\system32\kernel32.dll SUCCESS Offset: 43,438, Length: 32
13982 7:37:36.1939696 PM FinSci.LELauncher.exe 1008 ReadFile C:\WINDOWS\system32\kernel32.dll SUCCESS Offset: 43,438, Length: 16
13983 7:37:36.1940716 PM FinSci.LELauncher.exe 1008 ReadFile C:\WINDOWS\system32\kernel32.dll SUCCESS Offset: 43,438, Length: 32
13984 7:37:36.1941730 PM FinSci.LELauncher.exe 1008 ReadFile C:\WINDOWS\system32\kernel32.dll SUCCESS Offset: 43,438, Length: 28
13985 7:37:36.1946760 PM FinSci.LELauncher.exe 1008 ReadFile C:\WINDOWS\system32\kernel32.dll SUCCESS Offset: 521,216, Length: 4,096
13986 7:37:36.1955109 PM FinSci.LELauncher.exe 1008 ReadFile C:\WINDOWS\system32\kernel32.dll SUCCESS Offset: 43,438, Length: 21
13987 7:37:36.1956347 PM FinSci.LELauncher.exe 1008 ReadFile C:\WINDOWS\system32\kernel32.dll SUCCESS Offset: 43,438, Length: 3
13988 7:37:36.1957398 PM FinSci.LELauncher.exe 1008 ReadFile C:\WINDOWS\system32\kernel32.dll SUCCESS Offset: 43,438, Length: 33
13989 7:37:36.1958452 PM FinSci.LELauncher.exe 1008 ReadFile C:\WINDOWS\system32\kernel32.dll SUCCESS Offset: 43,438, Length: 33
13990 7:37:36.1959508 PM FinSci.LELauncher.exe 1008 ReadFile C:\WINDOWS\system32\kernel32.dll SUCCESS Offset: 43,438, Length: 1
13991 7:37:36.1962952 PM FinSci.LELauncher.exe 1008 ReadFile C:\WINDOWS\system32\kernel32.dll SUCCESS Offset: 95,232, Length: 4,096
13992 7:37:36.1964068 PM FinSci.LELauncher.exe 1008 ReadFile C:\WINDOWS\system32\kernel32.dll SUCCESS Offset: 533,504, Length: 4,096
13993 7:37:36.1965254 PM FinSci.LELauncher.exe 1008 ReadFile C:\WINDOWS\system32\kernel32.dll SUCCESS Offset: 283,648, Length: 4,096
13994 7:37:36.1966355 PM FinSci.LELauncher.exe 1008 ReadFile C:\WINDOWS\system32\kernel32.dll SUCCESS Offset: 451,584, Length: 4,096
13995 7:37:36.1967764 PM FinSci.LELauncher.exe 1008 ReadFile C:\WINDOWS\system32\kernel32.dll SUCCESS Offset: 230,400, Length: 4,096
13996 7:37:36.1969001 PM FinSci.LELauncher.exe 1008 ReadFile C:\WINDOWS\system32\kernel32.dll SUCCESS Offset: 517,120, Length: 4,096
13997 7:37:36.1970564 PM FinSci.LELauncher.exe 1008 ReadFile C:\WINDOWS\system32\kernel32.dll SUCCESS Offset: 541,696, Length: 1,024
13998 7:37:36.1973755 PM FinSci.LELauncher.exe 1008 ReadFile C:\WINDOWS\system32\kernel32.dll SUCCESS Offset: 43,438, Length: 6
13999 7:37:36.1974856 PM FinSci.LELauncher.exe 1008 ReadFile C:\WINDOWS\system32\kernel32.dll SUCCESS Offset: 43,438, Length: 1
14000 7:37:36.1975845 PM FinSci.LELauncher.exe 1008 ReadFile C:\WINDOWS\system32\kernel32.dll SUCCESS Offset: 43,437, Length: 2
14001 7:37:36.1976831 PM FinSci.LELauncher.exe 1008 ReadFile C:\WINDOWS\system32\kernel32.dll SUCCESS Offset: 43,439, Length: 2
14002 7:37:36.1977822 PM FinSci.LELauncher.exe 1008 ReadFile C:\WINDOWS\system32\kernel32.dll SUCCESS Offset: 43,438, Length: 5
14003 7:37:36.1979599 PM FinSci.LELauncher.exe 1008 CloseFile C:\WINDOWS\system32\kernel32.dll SUCCESS
14004 7:37:36.1979973 PM FinSci.LELauncher.exe 1008 Thread Exit SUCCESS User Time: 0.0000000, Kernel Time: 0.0000000
14008 7:37:36.1981781 PM FinSci.LELauncher.exe 1008 QueryStandardInformationFile C:\WINDOWS\system32\kernel32.dll SUCCESS AllocationSize: 987,136, EndOfFile: 984,064, NumberOfLinks: 1, DeletePending: False, Directory: False
14014 7:37:36.1983899 PM FinSci.LELauncher.exe 1008 CreateFile C:\WINDOWS\system32\unicode.nls SUCCESS Access: Read Data/List Directory, Read Attributes, Disposition: Open, Options: Non-Directory File, Attributes: N, ShareMode: Read, Write, Delete, AllocationSize: n/a
14018 7:37:36.2007568 PM FinSci.LELauncher.exe 1008 CreateFile C:\WINDOWS\system32\unicode.nls SUCCESS Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Complete If Oplocked, Attributes: n/a, ShareMode: Read, AllocationSize: n/a
14020 7:37:36.2007823 PM FinSci.LELauncher.exe 1008 Thread Create SUCCESS Thread ID: 2712
14027 7:37:36.2009302 PM FinSci.LELauncher.exe 1008 QueryStandardInformationFile C:\WINDOWS\system32\unicode.nls SUCCESS AllocationSize: 90,112, EndOfFile: 89,588, NumberOfLinks: 1, DeletePending: False, Directory: False
14028 7:37:36.2010387 PM FinSci.LELauncher.exe 1008 ReadFile C:\WINDOWS\system32\unicode.nls SUCCESS Offset: 0, Length: 16,384
14032 7:37:36.2013433 PM FinSci.LELauncher.exe 1008 ReadFile C:\WINDOWS\system32\unicode.nls SUCCESS Offset: 84,468, Length: 5,120
14036 7:37:36.2030381 PM FinSci.LELauncher.exe 1008 CloseFile C:\WINDOWS\system32\unicode.nls SUCCESS
14037 7:37:36.2030635 PM FinSci.LELauncher.exe 1008 Thread Exit SUCCESS User Time: 0.0000000, Kernel Time: 0.0156250
14041 7:37:36.9125109 PM FinSci.LELauncher.exe 1008 QueryStandardInformationFile C:\WINDOWS\system32\unicode.nls SUCCESS AllocationSize: 90,112, EndOfFile: 89,588, NumberOfLinks: 1, DeletePending: False, Directory: False
14047 7:37:36.9127092 PM FinSci.LELauncher.exe 1008 CreateFile C:\WINDOWS\system32\locale.nls SUCCESS Access: Read Data/List Directory, Read Attributes, Disposition: Open, Options: Non-Directory File, Attributes: N, ShareMode: Read, Write, Delete, AllocationSize: n/a
14053 7:37:36.9151820 PM FinSci.LELauncher.exe 1008 CreateFile C:\WINDOWS\system32\locale.nls SUCCESS Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Complete If Oplocked, Attributes: n/a, ShareMode: Read, AllocationSize: n/a
14057 7:37:36.9152033 PM FinSci.LELauncher.exe 1008 Thread Create SUCCESS Thread ID: 2864
14060 7:37:36.9153666 PM FinSci.LELauncher.exe 1008 QueryStandardInformationFile C:\WINDOWS\system32\locale.nls SUCCESS AllocationSize: 249,856, EndOfFile: 249,270, NumberOfLinks: 1, DeletePending: False, Directory: False
14061 7:37:36.9155032 PM FinSci.LELauncher.exe 1008 ReadFile C:\WINDOWS\system32\locale.nls SUCCESS Offset: 0, Length: 16,384
14065 7:37:36.9158935 PM FinSci.LELauncher.exe 1008 ReadFile C:\WINDOWS\system32\locale.nls SUCCESS Offset: 244,150, Length: 5,120
14068 7:37:36.2075323 PM FinSci.LELauncher.exe 1008 CloseFile C:\WINDOWS\system32\locale.nls SUCCESS
14069 7:37:36.2075648 PM FinSci.LELauncher.exe 1008 Thread Exit SUCCESS User Time: 0.0000000, Kernel Time: 0.0000000
14072 7:37:36.9170385 PM FinSci.LELauncher.exe 1008 QueryStandardInformationFile C:\WINDOWS\system32\locale.nls SUCCESS AllocationSize: 249,856, EndOfFile: 249,270, NumberOfLinks: 1, DeletePending: False, Directory: False
14079 7:37:36.9172385 PM FinSci.LELauncher.exe 1008 CreateFile C:\WINDOWS\system32\sorttbls.nls SUCCESS Access: Read Data/List Directory, Read Attributes, Disposition: Open, Options: Non-Directory File, Attributes: N, ShareMode: Read, Write, Delete, AllocationSize: n/a
14086 7:37:36.9197180 PM FinSci.LELauncher.exe 1008 CreateFile C:\WINDOWS\system32\sorttbls.nls SUCCESS Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Complete If Oplocked, Attributes: n/a, ShareMode: Read, AllocationSize: n/a
14090 7:37:36.9197447 PM FinSci.LELauncher.exe 1008 Thread Create SUCCESS Thread ID: 3236
14093 7:37:36.9199051 PM FinSci.LELauncher.exe 1008 QueryStandardInformationFile C:\WINDOWS\system32\sorttbls.nls SUCCESS AllocationSize: 24,576, EndOfFile: 22,040, NumberOfLinks: 1, DeletePending: False, Directory: False
14094 7:37:36.9200159 PM FinSci.LELauncher.exe 1008 ReadFile C:\WINDOWS\system32\sorttbls.nls SUCCESS Offset: 0, Length: 16,384
14095 7:37:36.9202493 PM FinSci.LELauncher.exe 1008 ReadFile C:\WINDOWS\system32\sorttbls.nls SUCCESS Offset: 16,920, Length: 5,120
14096 7:37:36.9212662 PM FinSci.LELauncher.exe 1008 CloseFile C:\WINDOWS\system32\sorttbls.nls SUCCESS
14097 7:37:36.9212924 PM FinSci.LELauncher.exe 1008 Thread Exit SUCCESS User Time: 0.0000000, Kernel Time: 0.0000000
14099 7:37:36.9214197 PM FinSci.LELauncher.exe 1008 QueryStandardInformationFile C:\WINDOWS\system32\sorttbls.nls SUCCESS AllocationSize: 24,576, EndOfFile: 22,040, NumberOfLinks: 1, DeletePending: False, Directory: False
14103 7:37:36.9215475 PM FinSci.LELauncher.exe 1008 CloseFile C:\WINDOWS\system32\ntdll.dll SUCCESS
14105 7:37:36.9216650 PM FinSci.LELauncher.exe 1008 CloseFile C:\WINDOWS\system32\mscoree.dll SUCCESS
14107 7:37:36.9217807 PM FinSci.LELauncher.exe 1008 CloseFile C:\WINDOWS\system32\kernel32.dll SUCCESS
14109 7:37:36.9218936 PM FinSci.LELauncher.exe 1008 CloseFile C:\WINDOWS\system32\unicode.nls SUCCESS
14111 7:37:36.9220222 PM FinSci.LELauncher.exe 1008 CloseFile C:\WINDOWS\system32\locale.nls SUCCESS
14113 7:37:36.9221407 PM FinSci.LELauncher.exe 1008 CloseFile C:\WINDOWS\system32\sorttbls.nls SUCCESS
14115 7:37:36.9222909 PM FinSci.LELauncher.exe 1008 CreateFile C:\WINDOWS\system32\ntdll.dll SUCCESS Access: Execute/Traverse, Disposition: Open, Options: Non-Directory File, Attributes: N, ShareMode: Read, Write, Delete, AllocationSize: n/a
14116 7:37:36.9224199 PM FinSci.LELauncher.exe 1008 CreateFile C:\WINDOWS\system32\ntdll.dll SUCCESS Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Complete If Oplocked, Attributes: n/a, ShareMode: Read, AllocationSize: n/a
14117 7:37:36.9224360 PM FinSci.LELauncher.exe 1008 Thread Create SUCCESS Thread ID: 1988
14118 7:37:36.2133241 PM FinSci.LELauncher.exe 1008 QueryStandardInformationFile C:\WINDOWS\system32\ntdll.dll SUCCESS AllocationSize: 708,608, EndOfFile: 708,096, NumberOfLinks: 1, DeletePending: False, Directory: False
14119 7:37:36.2134281 PM FinSci.LELauncher.exe 1008 ReadFile C:\WINDOWS\system32\ntdll.dll SUCCESS Offset: 0, Length: 16,384
14120 7:37:36.2136040 PM FinSci.LELauncher.exe 1008 ReadFile C:\WINDOWS\system32\ntdll.dll SUCCESS Offset: 702,976, Length: 5,120
14121 7:37:36.2137139 PM FinSci.LELauncher.exe 1008 ReadFile C:\WINDOWS\system32\ntdll.dll SUCCESS Offset: 74,752, Length: 4,096
14122 7:37:36.2138862 PM FinSci.LELauncher.exe 1008 ReadFile C:\WINDOWS\system32\ntdll.dll SUCCESS Offset: 75,094, Length: 32
14123 7:37:36.2139858 PM FinSci.LELauncher.exe 1008 ReadFile C:\WINDOWS\system32\ntdll.dll SUCCESS Offset: 75,094, Length: 16
14124 7:37:36.2141007 PM FinSci.LELauncher.exe 1008 ReadFile C:\WINDOWS\system32\ntdll.dll SUCCESS Offset: 75,094, Length: 32
14125 7:37:36.2142006 PM FinSci.LELauncher.exe 1008 ReadFile C:\WINDOWS\system32\ntdll.dll SUCCESS Offset: 75,094, Length: 28
14126 7:37:36.2145826 PM FinSci.LELauncher.exe 1008 ReadFile C:\WINDOWS\system32\ntdll.dll SUCCESS Offset: 502,784, Length: 4,096
14127 7:37:36.2155122 PM FinSci.LELauncher.exe 1008 ReadFile C:\WINDOWS\system32\ntdll.dll SUCCESS Offset: 75,094, Length: 21
14128 7:37:36.2156213 PM FinSci.LELauncher.exe 1008 ReadFile C:\WINDOWS\system32\ntdll.dll SUCCESS Offset: 75,094, Length: 3
14129 7:37:36.2157237 PM FinSci.LELauncher.exe 1008 ReadFile C:\WINDOWS\system32\ntdll.dll SUCCESS Offset: 75,094, Length: 33
14130 7:37:36.2158275 PM FinSci.LELauncher.exe 1008 ReadFile C:\WINDOWS\system32\ntdll.dll SUCCESS Offset: 75,094, Length: 33
14131 7:37:36.2159337 PM FinSci.LELauncher.exe 1008 ReadFile C:\WINDOWS\system32\ntdll.dll SUCCESS Offset: 75,094, Length: 1
14132 7:37:36.2162912 PM FinSci.LELauncher.exe 1008 ReadFile C:\WINDOWS\system32\ntdll.dll SUCCESS Offset: 136,192, Length: 4,096
14133 7:37:36.2164038 PM FinSci.LELauncher.exe 1008 ReadFile C:\WINDOWS\system32\ntdll.dll SUCCESS Offset: 103,424, Length: 4,096
14134 7:37:36.2165081 PM FinSci.LELauncher.exe 1008 ReadFile C:\WINDOWS\system32\ntdll.dll SUCCESS Offset: 54,272, Length: 4,096
14135 7:37:36.2166465 PM FinSci.LELauncher.exe 1008 ReadFile C:\WINDOWS\system32\ntdll.dll SUCCESS Offset: 193,536, Length: 4,096
14136 7:37:36.2167851 PM FinSci.LELauncher.exe 1008 ReadFile C:\WINDOWS\system32\ntdll.dll SUCCESS Offset: 510,976, Length: 4,096
14137 7:37:36.2171134 PM FinSci.LELauncher.exe 1008 ReadFile C:\WINDOWS\system32\ntdll.dll SUCCESS Offset: 75,094, Length: 6
14138 7:37:36.2172118 PM FinSci.LELauncher.exe 1008 ReadFile C:\WINDOWS\system32\ntdll.dll SUCCESS Offset: 75,094, Length: 1
14139 7:37:36.2173099 PM FinSci.LELauncher.exe 1008 ReadFile C:\WINDOWS\system32\ntdll.dll SUCCESS Offset: 75,093, Length: 2
14140 7:37:36.2174078 PM FinSci.LELauncher.exe 1008 ReadFile C:\WINDOWS\system32\ntdll.dll SUCCESS Offset: 75,095, Length: 2
14141 7:37:36.2175063 PM FinSci.LELauncher.exe 1008 ReadFile C:\WINDOWS\system32\ntdll.dll SUCCESS Offset: 75,094, Length: 5
14142 7:37:36.2176703 PM FinSci.LELauncher.exe 1008 CloseFile C:\WINDOWS\system32\ntdll.dll SUCCESS
14144 7:37:36.2177169 PM FinSci.LELauncher.exe 1008 Thread Exit SUCCESS User Time: 0.0000000, Kernel Time: 0.0000000
14172 7:37:36.2182269 PM FinSci.LELauncher.exe 1008 CreateFile C:\WINDOWS\system32\mscoree.dll SUCCESS Access: Execute/Traverse, Disposition: Open, Options: Non-Directory File, Attributes: N, ShareMode: Read, Write, Delete, AllocationSize: n/a
14173 7:37:36.2183601 PM FinSci.LELauncher.exe 1008 CreateFile C:\WINDOWS\system32\mscoree.dll SUCCESS Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Complete If Oplocked, Attributes: n/a, ShareMode: Read, AllocationSize: n/a
14174 7:37:36.2183803 PM FinSci.LELauncher.exe 1008 Thread Create SUCCESS Thread ID: 3052
14175 7:37:36.9277773 PM FinSci.LELauncher.exe 1008 QueryStandardInformationFile C:\WINDOWS\system32\mscoree.dll SUCCESS AllocationSize: 274,432, EndOfFile: 270,848, NumberOfLinks: 1, DeletePending: False, Directory: False
14176 7:37:36.9278806 PM FinSci.LELauncher.exe 1008 ReadFile C:\WINDOWS\system32\mscoree.dll SUCCESS Offset: 0, Length: 16,384
14178 7:37:36.9280973 PM FinSci.LELauncher.exe 1008 ReadFile C:\WINDOWS\system32\mscoree.dll SUCCESS Offset: 265,728, Length: 5,120
14179 7:37:36.9282231 PM FinSci.LELauncher.exe 1008 ReadFile C:\WINDOWS\system32\mscoree.dll SUCCESS Offset: 29,696, Length: 4,096
14180 7:37:36.9288798 PM FinSci.LELauncher.exe 1008 ReadFile C:\WINDOWS\system32\mscoree.dll SUCCESS Offset: 238,592, Length: 4,096
14181 7:37:36.9301162 PM FinSci.LELauncher.exe 1008 ReadFile C:\WINDOWS\system32\mscoree.dll SUCCESS Offset: 245,248, Length: 4,096
14182 7:37:36.9302431 PM FinSci.LELauncher.exe 1008 ReadFile C:\WINDOWS\system32\mscoree.dll SUCCESS Offset: 242,688, Length: 2,560
14183 7:37:36.9306897 PM FinSci.LELauncher.exe 1008 CloseFile C:\WINDOWS\system32\mscoree.dll SUCCESS
14184 7:37:36.9307243 PM FinSci.LELauncher.exe 1008 Thread Exit SUCCESS User Time: 0.0000000, Kernel Time: 0.0000000
14193 7:37:36.9310841 PM FinSci.LELauncher.exe 1008 CreateFile C:\WINDOWS\system32\kernel32.dll SUCCESS Access: Execute/Traverse, Disposition: Open, Options: Non-Directory File, Attributes: N, ShareMode: Read, Write, Delete, AllocationSize: n/a
14194 7:37:36.9312168 PM FinSci.LELauncher.exe 1008 CreateFile C:\WINDOWS\system32\kernel32.dll SUCCESS Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Complete If Oplocked, Attributes: n/a, ShareMode: Read, AllocationSize: n/a
14195 7:37:36.9312366 PM FinSci.LELauncher.exe 1008 Thread Create SUCCESS Thread ID: 2528
14196 7:37:36.2221260 PM FinSci.LELauncher.exe 1008 QueryStandardInformationFile C:\WINDOWS\system32\kernel32.dll SUCCESS AllocationSize: 987,136, EndOfFile: 984,064, NumberOfLinks: 1, DeletePending: False, Directory: False
14197 7:37:36.2222296 PM FinSci.LELauncher.exe 1008 ReadFile C:\WINDOWS\system32\kernel32.dll SUCCESS Offset: 0, Length: 16,384
14199 7:37:36.2224267 PM FinSci.LELauncher.exe 1008 ReadFile C:\WINDOWS\system32\kernel32.dll SUCCESS Offset: 978,944, Length: 5,120
14200 7:37:36.2225388 PM FinSci.LELauncher.exe 1008 ReadFile C:\WINDOWS\system32\kernel32.dll SUCCESS Offset: 41,984, Length: 4,096
14201 7:37:36.2227108 PM FinSci.LELauncher.exe 1008 ReadFile C:\WINDOWS\system32\kernel32.dll SUCCESS Offset: 43,438, Length: 32
14202 7:37:36.2228192 PM FinSci.LELauncher.exe 1008 ReadFile C:\WINDOWS\system32\kernel32.dll SUCCESS Offset: 43,438, Length: 16
14203 7:37:36.2229204 PM FinSci.LELauncher.exe 1008 ReadFile C:\WINDOWS\system32\kernel32.dll SUCCESS Offset: 43,438, Length: 32
14204 7:37:36.2230798 PM FinSci.LELauncher.exe 1008 ReadFile C:\WINDOWS\system32\kernel32.dll SUCCESS Offset: 43,438, Length: 28
14205 7:37:36.2235738 PM FinSci.LELauncher.exe 1008 ReadFile C:\WINDOWS\system32\kernel32.dll SUCCESS Offset: 521,216, Length: 4,096
14206 7:37:36.2243421 PM FinSci.LELauncher.exe 1008 ReadFile C:\WINDOWS\system32\kernel32.dll SUCCESS Offset: 43,438, Length: 21
14207 7:37:36.2244521 PM FinSci.LELauncher.exe 1008 ReadFile C:\WINDOWS\system32\kernel32.dll SUCCESS Offset: 43,438, Length: 3
14208 7:37:36.2245564 PM FinSci.LELauncher.exe 1008 ReadFile C:\WINDOWS\system32\kernel32.dll SUCCESS Offset: 43,438, Length: 33
14209 7:37:36.2246628 PM FinSci.LELauncher.exe 1008 ReadFile C:\WINDOWS\system32\kernel32.dll SUCCESS Offset: 43,438, Length: 33
14210 7:37:36.2247770 PM FinSci.LELauncher.exe 1008 ReadFile C:\WINDOWS\system32\kernel32.dll SUCCESS Offset: 43,438, Length: 1
14211 7:37:36.2251240 PM FinSci.LELauncher.exe 1008 ReadFile C:\WINDOWS\system32\kernel32.dll SUCCESS Offset: 95,232, Length: 4,096
14212 7:37:36.2252352 PM FinSci.LELauncher.exe 1008 ReadFile C:\WINDOWS\system32\kernel32.dll SUCCESS Offset: 533,504, Length: 4,096
14213 7:37:36.2253491 PM FinSci.LELauncher.exe 1008 ReadFile C:\WINDOWS\system32\kernel32.dll SUCCESS Offset: 283,648, Length: 4,096
14214 7:37:36.2254597 PM FinSci.LELauncher.exe 1008 ReadFile C:\WINDOWS\system32\kernel32.dll SUCCESS Offset: 451,584, Length: 4,096
14215 7:37:36.2255997 PM FinSci.LELauncher.exe 1008 ReadFile C:\WINDOWS\system32\kernel32.dll SUCCESS Offset: 230,400, Length: 4,096
14216 7:37:36.2257283 PM FinSci.LELauncher.exe 1008 ReadFile C:\WINDOWS\system32\kernel32.dll SUCCESS Offset: 517,120, Length: 4,096
14217 7:37:36.2258845 PM FinSci.LELauncher.exe 1008 ReadFile C:\WINDOWS\system32\kernel32.dll SUCCESS Offset: 541,696, Length: 1,024
14218 7:37:36.2262096 PM FinSci.LELauncher.exe 1008 ReadFile C:\WINDOWS\system32\kernel32.dll SUCCESS Offset: 43,438, Length: 6
14219 7:37:36.2263098 PM FinSci.LELauncher.exe 1008 ReadFile C:\WINDOWS\system32\kernel32.dll SUCCESS Offset: 43,438, Length: 1
14220 7:37:36.2264092 PM FinSci.LELauncher.exe 1008 ReadFile C:\WINDOWS\system32\kernel32.dll SUCCESS Offset: 43,437, Length: 2
14221 7:37:36.2265089 PM FinSci.LELauncher.exe 1008 ReadFile C:\WINDOWS\system32\kernel32.dll SUCCESS Offset: 43,439, Length: 2
14222 7:37:36.2266090 PM FinSci.LELauncher.exe 1008 ReadFile C:\WINDOWS\system32\kernel32.dll SUCCESS Offset: 43,438, Length: 5
14223 7:37:36.2267821 PM FinSci.LELauncher.exe 1008 CloseFile C:\WINDOWS\system32\kernel32.dll SUCCESS
14224 7:37:36.2268150 PM FinSci.LELauncher.exe 1008 Thread Exit SUCCESS User Time: 0.0000000, Kernel Time: 0.0000000
14233 7:37:36.9364372 PM FinSci.LELauncher.exe 1008 CloseFile C:\WINDOWS\system32\ntdll.dll SUCCESS
14235 7:37:36.9365515 PM FinSci.LELauncher.exe 1008 CloseFile C:\WINDOWS\system32\mscoree.dll SUCCESS
14237 7:37:36.9366641 PM FinSci.LELauncher.exe 1008 CloseFile C:\WINDOWS\system32\kernel32.dll SUCCESS
14239 7:37:36.9366908 PM FinSci.LELauncher.exe 1008 CloseFile C: SUCCESS
14243 7:37:36.9367994 PM FinSci.LELauncher.exe 1008 RegOpenKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FinSci.LELauncher.exe NAME NOT FOUND Desired Access: Read
14247 7:37:36.9370217 PM FinSci.LELauncher.exe 1008 CreateFile C:\WINDOWS\system32 SUCCESS Access: Execute/Traverse, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, AllocationSize: n/a
14248 7:37:36.9371234 PM FinSci.LELauncher.exe 1008 CreateFile C:\WINDOWS\system32 IS DIRECTORY Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Complete If Oplocked, Attributes: n/a, ShareMode: Read, AllocationSize: n/a
14249 7:37:36.9372187 PM FinSci.LELauncher.exe 1008 FileSystemControl C:\WINDOWS\system32 SUCCESS Control: FSCTL_IS_VOLUME_MOUNTED
14250 7:37:36.9373242 PM FinSci.LELauncher.exe 1008 QueryOpen C:\Services\LE\FinSci.LELauncher.exe.Local FAST IO DISALLOWED
14251 7:37:36.9374153 PM FinSci.LELauncher.exe 1008 CreateFile C:\Services\LE\FinSci.LELauncher.exe.Local NAME NOT FOUND Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a
14252 7:37:36.9375776 PM FinSci.LELauncher.exe 1008 QueryOpen C:\WINDOWS\system32\mscoree.dll FAST IO DISALLOWED
14253 7:37:36.9376996 PM FinSci.LELauncher.exe 1008 CreateFile C:\WINDOWS\system32\mscoree.dll SUCCESS Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a
14254 7:37:36.9378038 PM FinSci.LELauncher.exe 1008 QueryBasicInformationFile C:\WINDOWS\system32\mscoree.dll SUCCESS CreationTime: 9/23/2005 7:28:52 AM, LastAccessTime: 12/13/2006 7:37:36 PM, LastWriteTime: 9/23/2005 7:28:52 AM, ChangeTime: 11/26/2006 12:10:14 AM, FileAttributes: A
14255 7:37:36.9379033 PM FinSci.LELauncher.exe 1008 CloseFile C:\WINDOWS\system32\mscoree.dll SUCCESS
14257 7:37:36.9380517 PM FinSci.LELauncher.exe 1008 CreateFile C:\WINDOWS\system32\mscoree.dll SUCCESS Access: Execute/Traverse, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a
14258 7:37:36.9381815 PM FinSci.LELauncher.exe 1008 CreateFile C:\WINDOWS\system32\mscoree.dll SUCCESS Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Complete If Oplocked, Attributes: n/a, ShareMode: Read, AllocationSize: n/a
14259 7:37:36.9381973 PM FinSci.LELauncher.exe 1008 Thread Create SUCCESS Thread ID: 2396
14260 7:37:36.2290802 PM FinSci.LELauncher.exe 1008 QueryStandardInformationFile C:\WINDOWS\system32\mscoree.dll SUCCESS AllocationSize: 274,432, EndOfFile: 270,848, NumberOfLinks: 1, DeletePending: False, Directory: False
14261 7:37:36.2291854 PM FinSci.LELauncher.exe 1008 ReadFile C:\WINDOWS\system32\mscoree.dll SUCCESS Offset: 0, Length: 16,384
14264 7:37:36.2296282 PM FinSci.LELauncher.exe 1008 ReadFile C:\WINDOWS\system32\mscoree.dll SUCCESS Offset: 265,728, Length: 5,120
14265 7:37:36.2297577 PM FinSci.LELauncher.exe 1008 ReadFile C:\WINDOWS\system32\mscoree.dll SUCCESS Offset: 29,696, Length: 4,096
14266 7:37:36.2303564 PM FinSci.LELauncher.exe 1008 ReadFile C:\WINDOWS\system32\mscoree.dll SUCCESS Offset: 238,592, Length: 4,096
14267 7:37:36.2315790 PM FinSci.LELauncher.exe 1008 ReadFile C:\WINDOWS\system32\mscoree.dll SUCCESS Offset: 245,248, Length: 4,096
14268 7:37:36.2317077 PM FinSci.LELauncher.exe 1008 ReadFile C:\WINDOWS\system32\mscoree.dll SUCCESS Offset: 242,688, Length: 2,560
14269 7:37:36.2321498 PM FinSci.LELauncher.exe 1008 CloseFile C:\WINDOWS\system32\mscoree.dll SUCCESS
14270 7:37:36.2321846 PM FinSci.LELauncher.exe 1008 Thread Exit SUCCESS User Time: 0.0000000, Kernel Time: 0.0000000
14272 7:37:36.9416010 PM FinSci.LELauncher.exe 1008 QueryStandardInformationFile C:\WINDOWS\system32\mscoree.dll SUCCESS AllocationSize: 274,432, EndOfFile: 270,848, NumberOfLinks: 1, DeletePending: False, Directory: False
14276 7:37:36.9417204 PM FinSci.LELauncher.exe 1008 CloseFile C:\WINDOWS\system32\mscoree.dll SUCCESS
14278 7:37:36.9418918 PM FinSci.LELauncher.exe 1008 QueryOpen C:\WINDOWS\system32\mscoree.dll FAST IO DISALLOWED
14279 7:37:36.9420139 PM FinSci.LELauncher.exe 1008 CreateFile C:\WINDOWS\system32\mscoree.dll SUCCESS Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a
14280 7:37:36.9421188 PM FinSci.LELauncher.exe 1008 QueryBasicInformationFile C:\WINDOWS\system32\mscoree.dll SUCCESS CreationTime: 9/23/2005 7:28:52 AM, LastAccessTime: 12/13/2006 7:37:36 PM, LastWriteTime: 9/23/2005 7:28:52 AM, ChangeTime: 11/26/2006 12:10:14 AM, FileAttributes: A
14281 7:37:36.9422165 PM FinSci.LELauncher.exe 1008 CloseFile C:\WINDOWS\system32\mscoree.dll SUCCESS
14283 7:37:36.9423961 PM FinSci.LELauncher.exe 1008 CreateFile C:\WINDOWS\system32\mscoree.dll SUCCESS Access: Execute/Traverse, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a
14284 7:37:36.9425242 PM FinSci.LELauncher.exe 1008 CreateFile C:\WINDOWS\system32\mscoree.dll SUCCESS Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Complete If Oplocked, Attributes: n/a, ShareMode: Read, AllocationSize: n/a
14285 7:37:36.9425409 PM FinSci.LELauncher.exe 1008 Thread Create SUCCESS Thread ID: 2508
14286 7:37:36.2334091 PM FinSci.LELauncher.exe 1008 QueryStandardInformationFile C:\WINDOWS\system32\mscoree.dll SUCCESS AllocationSize: 274,432, EndOfFile: 270,848, NumberOfLinks: 1, DeletePending: False, Directory: False
14287 7:37:36.2335115 PM FinSci.LELauncher.exe 1008 ReadFile C:\WINDOWS\system32\mscoree.dll SUCCESS Offset: 0, Length: 16,384
14288 7:37:36.2337162 PM FinSci.LELauncher.exe 1008 ReadFile C:\WINDOWS\system32\mscoree.dll SUCCESS Offset: 265,728, Length: 5,120
14289 7:37:36.2338274 PM FinSci.LELauncher.exe 1008 ReadFile C:\WINDOWS\system32\mscoree.dll SUCCESS Offset: 29,696, Length: 4,096
14290 7:37:36.2343658 PM FinSci.LELauncher.exe 1008 ReadFile C:\WINDOWS\system32\mscoree.dll SUCCESS Offset: 238,592, Length: 4,096
14291 7:37:36.2354828 PM FinSci.LELauncher.exe 1008 ReadFile C:\WINDOWS\system32\mscoree.dll SUCCESS Offset: 245,248, Length: 4,096
14292 7:37:36.2356060 PM FinSci.LELauncher.exe 1008 ReadFile C:\WINDOWS\system32\mscoree.dll SUCCESS Offset: 242,688, Length: 2,560
14293 7:37:36.2360418 PM FinSci.LELauncher.exe 1008 CloseFile C:\WINDOWS\system32\mscoree.dll SUCCESS
14295 7:37:36.2360862 PM FinSci.LELauncher.exe 1008 Thread Exit SUCCESS User Time: 0.0000000, Kernel Time: 0.0156250
14304 7:37:36.2363269 PM FinSci.LELauncher.exe 1008 RegOpenKey HKLM\System\CurrentControlSet\Control\SafeBoot\Option NAME NOT FOUND Desired Access: Query Value, Set Value
14305 7:37:36.2363468 PM FinSci.LELauncher.exe 1008 RegOpenKey HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers SUCCESS Desired Access: Query Value
14306 7:37:36.2363686 PM FinSci.LELauncher.exe 1008 RegQueryValue HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\TransparentEnabled SUCCESS Type: REG_DWORD, Length: 4, Data: 1
14307 7:37:36.2363848 PM FinSci.LELauncher.exe 1008 RegCloseKey HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers SUCCESS
14308 7:37:36.2364008 PM FinSci.LELauncher.exe 1008 RegOpenKey HKU\S-1-5-21-3067666840-2297765368-137829522-1168\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers NAME NOT FOUND Desired Access: Query Value
14309 7:37:36.2365164 PM FinSci.LELauncher.exe 1008 CloseFile C:\WINDOWS\system32\mscoree.dll SUCCESS
14312 7:37:36.2367126 PM FinSci.LELauncher.exe 1008 Load Image C:\WINDOWS\system32\mscoree.dll SUCCESS Image Base: 0x79000000, Image Size: 0x45000
14314 7:37:36.9461640 PM FinSci.LELauncher.exe 1008 Load Image C:\WINDOWS\system32\kernel32.dll SUCCESS Image Base: 0x7c800000, Image Size: 0xf4000
14316 7:37:36.2373124 PM FinSci.LELauncher.exe 1008 RegOpenKey HKLM\System\CurrentControlSet\Control\Terminal Server SUCCESS Desired Access: Read
14317 7:37:36.2373336 PM FinSci.LELauncher.exe 1008 RegQueryValue HKLM\SYSTEM\ControlSet001\Control\Terminal Server\TSAppCompat SUCCESS Type: REG_DWORD, Length: 4, Data: 0
14318 7:37:36.2373450 PM FinSci.LELauncher.exe 1008 RegCloseKey HKLM\SYSTEM\ControlSet001\Control\Terminal Server SUCCESS
29928 7:43:04.4450223 PM FinSci.LELauncher.exe 1008 Thread Exit SUCCESS User Time: 0.0000000, Kernel Time: 0.0000000
29929 7:43:04.4454227 PM FinSci.LELauncher.exe 1008 Process Exit SUCCESS Exit Status: -1073741502, User Time: 0.0156250, Kernel Time: 0.0312500
29930 7:43:03.7360826 PM FinSci.LELauncher.exe 1008 CloseFile C:\WINDOWS\system32 SUCCESS
 
G

Glenn McDonald

Well, just a follow-up to close my little contribution to this thread. I could not get the native .NET call to work, so I ended up with a Win32 call: CreateProcessWithLogonW. One of the keys was to make sure that the user logged in with network credentials only and that they had access to the desktop: startupInfo.lpDesktop = @"winsta0\default";
This was all on google, but took a little effort to extract.
Cheers,
Glenn