Analysis

Category Package Started Completed Duration
FILE exe 2025-06-13 13:23:18 2025-06-13 13:54:01 1843 seconds

Options

procmemdump=1
import_reconstruction=1
unpacker=2
norefer=1
no-iat=1

Analysis Log

2024-11-25 13:37:15,006 [root] INFO: Date set to: 20250613T09:56:13, timeout set to: 1800
2025-06-13 10:56:13,530 [root] DEBUG: Starting analyzer from: C:\tmp_gell1p8
2025-06-13 10:56:13,530 [root] DEBUG: Storing results at: C:\uyHCokWh
2025-06-13 10:56:13,530 [root] DEBUG: Pipe server name: \\.\PIPE\IpEgLKC
2025-06-13 10:56:13,530 [root] DEBUG: Python path: C:\Users\Packager\AppData\Local\Programs\Python\Python310-32
2025-06-13 10:56:13,530 [root] INFO: analysis running as an admin
2025-06-13 10:56:13,530 [root] INFO: analysis package specified: "exe"
2025-06-13 10:56:13,530 [root] DEBUG: importing analysis package module: "modules.packages.exe"...
2025-06-13 10:56:14,155 [root] DEBUG: imported analysis package "exe"
2025-06-13 10:56:14,155 [root] DEBUG: initializing analysis package "exe"...
2025-06-13 10:56:14,155 [lib.common.common] INFO: wrapping
2025-06-13 10:56:14,155 [lib.core.compound] INFO: C:\Users\Packager\AppData\Local\Temp already exists, skipping creation
2025-06-13 10:56:14,155 [root] DEBUG: New location of moved file: C:\Users\Packager\AppData\Local\Temp\esentutl.exe
2025-06-13 10:56:14,155 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option
2025-06-13 10:56:14,155 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option
2025-06-13 10:56:14,155 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader option
2025-06-13 10:56:14,155 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader_64 option
2025-06-13 10:56:14,421 [root] DEBUG: Imported auxiliary module "modules.auxiliary.browser"
2025-06-13 10:56:14,436 [root] DEBUG: Imported auxiliary module "modules.auxiliary.digisig"
2025-06-13 10:56:14,467 [root] DEBUG: Imported auxiliary module "modules.auxiliary.disguise"
2025-06-13 10:56:14,483 [root] DEBUG: Imported auxiliary module "modules.auxiliary.human"
2025-06-13 10:56:14,499 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'
2025-06-13 10:56:14,499 [lib.api.screenshot] ERROR: No module named 'PIL'
2025-06-13 10:56:14,499 [root] DEBUG: Imported auxiliary module "modules.auxiliary.screenshots"
2025-06-13 10:56:14,499 [root] DEBUG: Imported auxiliary module "modules.auxiliary.tlsdump"
2025-06-13 10:56:14,499 [root] DEBUG: Initialized auxiliary module "Browser"
2025-06-13 10:56:14,499 [root] DEBUG: attempting to configure 'Browser' from data
2025-06-13 10:56:14,514 [root] DEBUG: module Browser does not support data configuration, ignoring
2025-06-13 10:56:14,514 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.browser"...
2025-06-13 10:56:14,514 [root] DEBUG: Started auxiliary module modules.auxiliary.browser
2025-06-13 10:56:14,514 [root] DEBUG: Initialized auxiliary module "DigiSig"
2025-06-13 10:56:14,514 [root] DEBUG: attempting to configure 'DigiSig' from data
2025-06-13 10:56:14,514 [root] DEBUG: module DigiSig does not support data configuration, ignoring
2025-06-13 10:56:14,514 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.digisig"...
2025-06-13 10:56:14,514 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature
2025-06-13 10:56:14,655 [modules.auxiliary.digisig] DEBUG: File is not signed
2025-06-13 10:56:14,655 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2025-06-13 10:56:14,655 [root] DEBUG: Started auxiliary module modules.auxiliary.digisig
2025-06-13 10:56:14,655 [root] DEBUG: Initialized auxiliary module "Disguise"
2025-06-13 10:56:14,655 [root] DEBUG: attempting to configure 'Disguise' from data
2025-06-13 10:56:14,655 [root] DEBUG: module Disguise does not support data configuration, ignoring
2025-06-13 10:56:14,655 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.disguise"...
2025-06-13 10:56:14,655 [modules.auxiliary.disguise] INFO: Disguising GUID to 9b7cdcea-e4d9-4c24-8a0c-bc615bd315ed
2025-06-13 10:56:14,655 [root] DEBUG: Started auxiliary module modules.auxiliary.disguise
2025-06-13 10:56:14,655 [root] DEBUG: Initialized auxiliary module "Human"
2025-06-13 10:56:14,655 [root] DEBUG: attempting to configure 'Human' from data
2025-06-13 10:56:14,655 [root] DEBUG: module Human does not support data configuration, ignoring
2025-06-13 10:56:14,655 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.human"...
2025-06-13 10:56:14,655 [root] DEBUG: Started auxiliary module modules.auxiliary.human
2025-06-13 10:56:14,655 [root] DEBUG: Initialized auxiliary module "Screenshots"
2025-06-13 10:56:14,655 [root] DEBUG: attempting to configure 'Screenshots' from data
2025-06-13 10:56:14,655 [root] DEBUG: module Screenshots does not support data configuration, ignoring
2025-06-13 10:56:14,655 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.screenshots"...
2025-06-13 10:56:14,655 [modules.auxiliary.screenshots] WARNING: Python Image Library is not installed, screenshots are disabled
2025-06-13 10:56:14,655 [root] DEBUG: Started auxiliary module modules.auxiliary.screenshots
2025-06-13 10:56:14,655 [root] DEBUG: Initialized auxiliary module "TLSDumpMasterSecrets"
2025-06-13 10:56:14,655 [root] DEBUG: attempting to configure 'TLSDumpMasterSecrets' from data
2025-06-13 10:56:14,671 [root] DEBUG: module TLSDumpMasterSecrets does not support data configuration, ignoring
2025-06-13 10:56:14,671 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.tlsdump"...
2025-06-13 10:56:14,671 [modules.auxiliary.tlsdump] INFO: lsass.exe found, pid 696
2025-06-13 10:56:14,686 [lib.api.process] INFO: Monitor config for <Process 696 lsass.exe>: C:\tmp_gell1p8\dll\696.ini
2025-06-13 10:56:14,686 [lib.api.process] INFO: Option 'procmemdump' with value '1' sent to monitor
2025-06-13 10:56:14,686 [lib.api.process] INFO: Option 'import_reconstruction' with value '1' sent to monitor
2025-06-13 10:56:14,686 [lib.api.process] INFO: Option 'unpacker' with value '2' sent to monitor
2025-06-13 10:56:14,686 [lib.api.process] INFO: Option 'norefer' with value '1' sent to monitor
2025-06-13 10:56:14,686 [lib.api.process] INFO: Option 'no-iat' with value '1' sent to monitor
2025-06-13 10:56:14,686 [lib.api.process] INFO: Option 'tlsdump' with value '1' sent to monitor
2025-06-13 10:56:14,702 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmp_gell1p8\dll\pQxbIz.dll, loader C:\tmp_gell1p8\bin\EPCPTrhb.exe
2025-06-13 10:56:14,780 [root] DEBUG: Loader: IAT patching disabled.
2025-06-13 10:56:14,780 [root] DEBUG: Loader: Injecting process 696 with C:\tmp_gell1p8\dll\pQxbIz.dll.
2025-06-13 10:56:14,811 [root] DEBUG: 696: Python path set to 'C:\Users\Packager\AppData\Local\Programs\Python\Python310-32'.
2025-06-13 10:56:14,811 [root] INFO: Disabling sleep skipping.
2025-06-13 10:56:14,811 [root] DEBUG: 696: Full process memory dumps enabled.
2025-06-13 10:56:14,811 [root] DEBUG: 696: Import reconstruction of process dumps enabled.
2025-06-13 10:56:14,827 [root] DEBUG: 696: Active unpacking of payloads enabled
2025-06-13 10:56:14,827 [root] DEBUG: 696: CAPE debug - unrecognised key norefer.
2025-06-13 10:56:14,827 [root] DEBUG: 696: TLS secret dump mode enabled.
2025-06-13 10:56:14,827 [root] DEBUG: 696: InternalYaraScan: Scanning 0x00007FF84A790000, size 0x1f4542
2025-06-13 10:56:14,843 [root] DEBUG: 696: InternalYaraScan hit: RtlInsertInvertedFunctionTable
2025-06-13 10:56:14,843 [root] DEBUG: 696: RtlInsertInvertedFunctionTable 0x00007FF84A7A090E, LdrpInvertedFunctionTableSRWLock 0x00007FF84A8FB4F0
2025-06-13 10:56:14,843 [root] DEBUG: 696: Monitor initialised: 64-bit capemon loaded in process 696 at 0x00007FF824800000, thread 4624, image base 0x00007FF60D500000, stack from 0x0000008EFACF4000-0x0000008EFAD00000
2025-06-13 10:56:14,843 [root] DEBUG: 696: Commandline: C:\Windows\system32\lsass.exe
2025-06-13 10:56:14,858 [root] DEBUG: 696: Hooked 5 out of 5 functions
2025-06-13 10:56:14,858 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2025-06-13 10:56:14,858 [root] DEBUG: Successfully injected DLL C:\tmp_gell1p8\dll\pQxbIz.dll.
2025-06-13 10:56:14,858 [lib.api.process] INFO: Injected into 64-bit <Process 696 lsass.exe>
2025-06-13 10:56:14,858 [root] DEB <truncated>

Machine

Name Label Manager Started On Shutdown On Route
win10-2 win10-2 KVM 2025-06-13 13:23:18 2025-06-13 13:53:42 none

File Details

File Name esentutl.exe
File Type PE32 executable (console) Intel 80386, for MS Windows
File Size 331264 bytes
MD5 eaf25f0c3d74b745875bb27b8c483fca
SHA1 6b146e5c04cede443f2463b1821333e23b3066de
SHA256 685ad8a16cacb7109bb05bf91bcc3ad7edcedd96ea00e52136a01dd05ff4640e
SHA3-384 194a828b7092990ba9b95c156a53fb00332f148d2b450c3d967f93761941fce36c0f6300481c1c832daf080230b25ffb
CRC32 CE2729B9
TLSH T1C0640901E2D08021D5F331B42A7DA236897FBC646B3485CB758C8A9D6B77AC58D70F6B
Ssdeep 6144:tOrKGG0G1jyCzYBHien+BWh4FyNAm+UCKiNN60jef/m:tObG08lzr5BrFKAm+UCKiu0je
VhD<@
Usage Error: Invalid log generation range specification.
383E3R3_3h3n3
is in a "Dirty Shutdown" state it is strongly%c
m_cOOWR
040904B0
>">(>.>4>;>B>I>P>W>^>e>k>w>
FAILURE: GetOverlappedResult (write) returned wrong number of bytes:
JetGetErrorInfoW
=%>1>U>
.rdata$zETW2
8>8D8W8]8c8k8q8y8
=%=+=8=X=]=o=
>N>]>
wcstol
:':1:9:@:G:R:[:
3) The pause (/p) option is provided as a throttling%c
CreateFileMappingW
%ws version %d.%02d.%04d.%04d (%ws)
u19^,
File Dump: %s /m[mode-modifier] <filename>
m_semWriter
swprintf_s
This is a FTL trace log. Checksums are not maintained for such a file.%c
< <$<(<,<0<4<$=2=D=J=
$SVW3
Mounted shadow volumes located at:%c
Reser%Tbl
FAILURE: VirtualAlloc buffer size underflow or overflow:
Name,Type,ObjidFDP,PriExt,PgnoFDP,Owned,Available,Internal,Data
>!>*>2>>>L>V>a>j>r>~>
3Q3^3s3
7A7a7p7y7
9$969@9T9Z9b9j9r9
/16 - set 16k database page size (default: auto-detect)%c
0x%I64x highest dbtime (pgno 0x%x)
fAdded
Default Database Location: yes%c
5+6;6C6
AvailExts
Data:FreeBytes
NOTES: 1) Integrity-check does not run database recovery. If a%c
Ph4*A
<requestedPrivileges>
Patching
4$4,444<4D4L4T4\4d4l4t4|4
LV:ChunkSize
2R4Z4r4z4
_LSh|
%s: pinst %s failed to do operation (ioctl=%d) with error %s (0x%x).
8\9y9
wcscat_s
m_cOOW2
:B;N;\;f;q;z;
- copies a snapshot of a live database, replays%c
Whh@@
OutOfReservedIoreqs
Usage Error: Invalid maximum cache size specification.
ReadFile
>">'>->9>Y>e>k>p>
9!9-95999?9C9I9M9S9Z9`9f9p9y9}9
RegQueryValueExW
Operation completed successfully in %d.%d seconds.
VarFileInfo
Error: Could not backup to '%s'.
Database: %s%c%c
=$=*=1=8=?=F=M=T=[=c=k=s=
9t$$r&
tSPhd
FoundIoKeyAndObjectMismatchOffset
7!8'8-8?8E8v8|8
strstr
;E<U<b<o<x<~<
FirewallTag%s%s
;";G;R;w;
%ws%ws which we collect stats.%c
;+;1;=;C;t;z;
JetTerm2
:@:v:
8$868Q8c8p8u8
$QhH8@
t$`SP
m_pfnPartitionComplete
vprintf
_vsnwprintf
ObjidFDP
api-ms-win-core-libraryloader-l1-2-0.dll
ResumeThread
0123456789abcdefMessageBoxW
:A;_;w;
WARNING: page %d%s checksum verification failed but the corruption ( bit %d ) can be corrected
PQVWh
CreateFileW
LV:Ratio(histo)
m_fQ2
Out of memory error during OS Layer pre-init.
@d@3C
Whh@@
>6>H>S>\>a>
PARAMETERS: <source file> - name of file to copy%c
Database issue: database has %d pages overbooked.
Restore
jjjjh
OwnPgnoMin
onecore\ds\esent\src\os\osfs.cxx
SH:MDensity
/u[log] - stop recovery when the Undo phase is reached with the option%c
PARAMETERS: <database name> - filename of database to verify%c
D$ Pj
JetBeginSessionW
=^=l=
Avail%Tbl
cbRunT < ulMax
PQQh<)@
Error: Could not re-instate '%s'. It may be manually re-instated by manually copying '%s' to '%s' (this will overwrite the original copy of the file with the defragmented copy).
5(5.5?5N5W5l5t5
New Database Location: %s
6!7<7A7f7
FormatMessageW
/4 - set 4k database page size (default: auto-detect)%c
%s loaded.
so that the path to the temporary database is%c
InitializeCriticalSectionAndSpinCount
<security>
:1:@:G:N:U:]:c:x:~:
7$7*71777>7D7N7T7[7a7h7n7u7{7
31464;4@4
D$LPj
0#0-030>0E0T0[0s0
/16 - set 16k database page size (default: auto-detect)%c
ForDo
<!-- Copyright (c) Microsoft Corporation -->
9"9G9R9w9
%d:%d
031:1Z1z1
Database: %s%c
10.0.17763.1 (WinBuild.160101.0800)
%*I64d
Usage Error: Invalid default restore location option.
0 0$0(0,0004080<0@0D0H0L0P0T0X0\0`0d0h0l0p0t0x0|0
;'<R<
database location
DeleteCriticalSection
GetQueuedCompletionStatus
2$3v3{3
specified file should match the dump type%c
Error: %s '%s' cannot be the same as %s.
_wmakepath_s
6$6,646<6D6L6T6\6d6l6t6x6|6
FfbFailedWithSuccess
%0*I64X
2) The /g option pauses the utility for user input before%c
2+202=2S2X2e2{2
DuplicateHandle
Usage Error: Mode selection must be preceded by '-' or '/'.
.CRT$XLA
;|$||
GetFileSize
0/0<0I0R0Y0
;'<-<#=)=
WARNING: Volume=%ws is not detected as fixed, MemoryMapping operations will all be forcibly COW'd
9\:v:|;
;$;*;3;9;K;T;[;|;
313;3Q3|3
tNj\W
vDhH7@
t*h8D@
t$ h,
8,9s9
0"0/050P0U0\0i0p0}0
Vh$<@
%ws%ws
redirected to a path with read/write permissions.%c
le_tracelogstate: %ws (%d 0x%x)
s(QR
uL;T$
JET_MissingLogContinueToUndo
---------------------------------------------------------------------------------------------------------------------------------------------------------
rH:B`t
Jh+Nh
m_cQS
onecore\ds\esent\src\os\thread.cxx
D%OfDb
WriteFile
api-ms-win-core-privateprofile-l1-1-0.dll
0 0&0/0?0I0S0\0b0h0n0t0
21393F3U3b3j3
3$3,343<3D3L3T3\3d3l3t3|3
There are %d overbooked pages.
VirtualFree
>$>->6><>q>
? t:h
/4 - set 4k database page size (default: auto-detect)%c
2"2*212
8-9:9@9F9L9h9|9
api-ms-win-core-heap-l2-1-0.dll
api-ms-win-core-processthreads-l1-1-0.dll
7)767?7H7Q7W7o7
ignored.%c
>8>{>
FFbError:%I32u
Percentile:%-3u Length:%11.3f%c
COSFile::ErrIOSetFileSize
DESCRIPTION: Copies a database or log file.%c
7?7g7
SpcReserve
Securing
;';-;;;B;T;^;d;n;
SYNTAX: %s /d <database name> [options]%c
t$hQSW
<+<5<?<H<W<b<h<n<x<
728:8W8f8
(open failed)
6*6/696?6f6m6v6|6
- for dump of a set of log files only, specifies%c
Error while retrieving file system information.%c
7W8|8
le_ftLastOpen: %ws %ws
Data(MB)
%I64u.%03I64u
Lengths:%11.3f-%11.3f Extents:%I64d%c
2 2$2(2,2024282<2@2D2H2L2P2T2X2\2`2d2h2l2p2t2x2|2
__wgetmainargs
ReleaseSRWLockExclusive
>&>,>
:/:6:L:W:`:i:r:{:
StorageDeviceTrimProperty
1"1G1R1w1
~ _^[
949?9U9m9
4.4A4L4W4b4i4w4
:K:U:k:
Internal(MB)
m_cEntry
JetInit4W
Database issue: objid(%d) has %d pages overbooked.
database directory
api-ms-win-core-delayload-l1-1-1.dll
QueryPerformanceCounter
JetRestore2W
FAILURE: VirtualAlloc:
9/9H9O9
m_fQ1
SYNTAX: %s /y <source file> [options]%c
t$09w8td
JetTestHook
msvcrt.dll
ReadFileScatter
Error: Access to source database '%s' failed with Jet error %i.
StringFileInfo
Deleted Disk p=%p, PathId=%ws
%ws%ws fields.%c
FAILURE: CreateThread:
api-ms-win-core-handle-l1-1-0.dll
minuser32.dll
D$D@t
m - dump meta-data%c
Checkpoint File: %s%c
cSepRtChk
h - dump database header (default)%c
t$4hH
?'?n?
Long IO, %I64u msec, fReport = %d
End Stats: g_cioreqInUse(High Water)=%d
ueVVW
GenAvailExt
Temp. Database: %s%c
#BadFileName#
config
.text$mn
LSVW3
4]5c5<6B6
8 8%8
010^0j0s0
N/A%c
onecore\ds\esent\src\os\trace.cxx
QueueUserWorkItem
Usage Error: Duplicate %s specification.
929@9P9b9t9
O<9_8vS3
1 1$1(1,1014181<1@1D1H1L1P1T1X1\1`1d1h1l1p1t1x1|1
[%ws %03x.%03x %04d/%02d/%02d-%02d:%02d:%02d.%d]
JetGetLogFileInfoW
879B9g9r9
0/191O1
Process: "%ws"
4 4:4@4K4Q4_4e4y4
344B4R4r5
report file name prefix
EventWriteTransfer
?!?A?F?{?
9I9m9
/n<path1[:path2]> - new location of database file and optional old location%c
<requestedExecutionLevel
of a database file.%c
9@9N9_9k9
CRYPTSP.dll
4;8@8
Trace File: "%ws"%s
8^9n9
738A8^8j8q8x8
This is a temporary database. Checksums are not maintained for such databases.%c
4=5l5
Created Volume p=%p, Path=%ws, CanonicalPath=%ws
2#2<2
GetFileInformationByHandle
=========================================================================================================================================================
PriExt
D$8=(
3?4Q4p4
Could not allocate a Kernel Semaphore
.didat$6
manifestVersion="1.0"
Upgrade
\$,9\$$t
name,type,objidfdp,pgnofdp,priext,owned,available
3"3)353;3B3H3O3U3\3b3j3p3w3}3
/f<name> - set prefix to use for name of report files%c
%s unloaded
9(:.:8:>:E:K:R:X:a:g:
Initiating FILE DUMP mode...%c
JET_MissingLogContinueTryCurrentLog
9D$4w
%wsOpenLog : %ws: errDefault=%d, lGenNext=%d, %ws, %d DBs, szFile=%ws
Largest: %.3f MB%c
replay logs.%c
IsDebuggerPresent
GlobalMemoryStatusEx
->Product = %hs;
api-ms-win-appmodel-state-l1-1-0.dll
m_sem1
.rdata$zETW1
7+767\7g7o7
OwnExt
lidMax
A0;G0v
;C=i=
Logical Size: 0x%08I64x bytes (%I64d kB)%c
RPhp(@
162x2
QSVWj
System files: %s%c
GetModuleFileNameW
9K:}:
9^9h9w9
of this database. If you restore a backup made before the%c
RaiseFailFastException
2G2]2h2m2w2
api-ms-win-core-processthreads-l1-1-1.dll
>)>a>k>
le_ulSchemaVersion*: %d.%02d.%02d (0x%x.0x%x.0x%x)
9$:l:
onecore\ds\esent\src\os\osdisk.cxx
FWaitForWrite. GetOverlappedResult had the wrong number of bytes! Offset = 0x%x`%08x. dwBytesToWrite = %d. dwBytesWritten = %d
Count, Min, Ave, Max, Total
:):P:Z:p:
Usage Error: Invalid stop recovery option.
ERROR: Processing FTL file header, %d
m_cOAOWW
.CRT$XCA
CryptReleaseContext
NtQueryInformationProcess
6.696?6I6a6n6t6~6
)t$pf
#default
FAILED: DevIoCtrl( SMART_GET_VERSION ) -> %d / %d / %d in %I64u us
757F7N7r7
SetThreadpoolTimer
Created Disk p=%p, PathId=%ws
Add[Fast] Ref Disk p=%p, PathId=%ws, Cref=%d
database is in a "Dirty Shutdown" state it is strongly%c
UnhandledExceptionFilter
FAILURE: CreateEventW:
Initiating CHECKSUM mode...%c
GetWindowsDirectoryW
EventUnregister
Nh+Jh
6!63696?6
fCurrent
:):/:g:m:
wcscpy_s
0'020W0b0
1$1*131>1D1M1X1^1|1
PUTIL_THREAD_PROC( pfnPatrolDog )
GetVersionExW
?$?+?0?6?=?C?J?O?U?\?a?f?l?s?x?}?
Temporary database
Initiating INTEGRITY mode...%c
m_groupCurrent
=B>Q>V>
%d wrong page numbers
5%5.575@5I5O5f5
repair, the database will be rolled back to the state%c
GetDiskFreeSpaceW
VS_VERSION_INFO
1 1'1q1w1
api-ms-win-core-synch-l1-2-0.dll
<*=J=
pioreqBaseMid->ibOffset != pioreqToAddMid->ibOffset
FullName,Type,LV:Size,LV:Size(histo),LV:Comp,LV:Comp(histo),LV:Ratio(histo),LV:Seeks,LV:Seeks(histo),LV:ExtraSeeks,LV:ExtraSeeks(histo),LV:Bytes,LV:Bytes(histo),LV:ExtraBytes,LV:ExtraBytes(histo),Data:FreeBytes,Data:Nodes,Data:KeySizes,Data:DataSizes,Data:Unreclaim,VersndNode,cLVRefs,cCorrLVs,cSepRtChk,lidMax,LV:ChunkSize,OwnExt,GenAvailExt
t$(;t$(uM
495T5^5t5
Name,Type,Owned(MB),O%OfDb,O%OfTable,Avail(MB),Avail%Tbl,AutoInc
=7=B=g=r=
{_[^]
.CRT$XCZ
%wsMissingLog: errDefault=%d, lGenNext=%d, %ws, %ws, %d DBs, szFile=%ws
VW=UUU
Error Interpriting time field %d
Data:DataSizes
%ws/csv%ws- Print all fields CSV delimited.%c
D$(Pj
3@4E4J4O4
%s%c%c
%*.*s <%-*.*s>:
2-2:2?2P2a2l2u2|2
D$,Pj
Node: %d:%d:%d%c
5+5k5r5x5!6*606f6|6
SeBackupPrivilege
IORuns
272B2g2r2
.data
0F0^0h0x0
3$333T3`3v3
D$PpmB
onecore\ds\esent\src\eseutil\eseutil.cxx
GetVolumePathNameW
m_semReader
Histogram (MB,Extents):%c
<current directory>
FAILURE: GetQueuedCompletionsStatus:
m_cOOW1
FAILURE: SetFilePointerEx:
D$HPh(
D$0Ph@
memset
='=/=;=A=I=
SleepEx
Did not recognize the field: %ws
ContigAvailExt
JustFoundIoMismatchFileId
%c FileOffset:%013I64d Offset:%013I64d Length:%013I64d Delta:%+013I64d
Wh [@
2C2O2X2l2
DESCRIPTION: Performs recovery, bringing all databases to a%c
7 7$7(7,7074787<7@7D7H7L7P7T7X7\7`7d7h7l7p7t7x7|7
5%5+535?5E5M5
1A1K1a1
GetProcAddress
/v - verbose%c
L$(Phd
7a8f8k8p8
ProductName
TlsGetValue
strrchr
50=0C0a0
Please contact PSS.
%ws
Initializing VSS subsystem...%c%c
9V:g:o:
PARAMETERS: <database name> - filename of database to secure%c
/8 - set 8k database page size (default: auto-detect)%c
.idata$6
ResolveDelayLoadsFromDll
;GltL
Extensible Storage Engine Utilities for Microsoft(R) Windows(R)%c
api-ms-win-core-heap-l1-1-0.dll
9PxtTF
Vh 0@
if the database file location changed.%c
%wsOpenCheckp: errDefault=%d
Explicitly setting a page size might bypass this failure.
<'<,<9<O<T<c<
FileError
>=>G>]>m>
- dump the specified page from the database, or if%c
%s: pinst %s failed to set file size with error %s (0x%x) at offset %I64d.
Database: %s%c
+Vt+Vh
/g - run integrity check before repairing%c
8!8d8l8r8y8
<E<O<p<
the starting log generation (as a hex number) and%c
FileVersion
;N;T;o;u;
t$Xhd)A
_wfullpath
Percentiles (%% Extents,MB):%c
:!:':.:4:>:H:Q:U:[:_:e:i:o:v:|:
7]7c7
/d<file> - destination file (default: copy source file to%c
SystemSetupInProgress
TlsAlloc
Rich1n
/t<db> - set temp. database name (default: TEMPDFRG*.EDB)%c
3D$(1D$
SWh 2@
ERROR: page %d%s checksum failed
5 5&5,51575=5B5H5N5S5Y5_5d5j5p5v5|5
AeDebug
Version %s%c
xmlns="urn:schemas-microsoft-com:asm.v1"
4G4e4
?W?b?
esentutl.exe
Wh@J@
1<2J2R2~2
?B?Q?f?l?v?|?
%ws%ws /f#legacy - Print out the legacy set of%c
/t - trim unused database pages, using sparse files%c
%d Overhead (%.1f%%),
:!:,:3:[:f:~:
;H$tL
1#2i2
?)?L?V?l?
?+?8?A?G?^?c?k?q?x?}?
Note: Some small tables/indices were not printed (use /v option to see those smaller than %.1f%% of the database).
D$(Ph
[log] is the log generation number and if not specified %c
4'5D5a5~5
SH:MinExt(KB)
specified page, then dump the leaf page where%c
?7?E?Q?m?z?
MultiIorp
LV:ExtraBytes(histo)
/x - for dump of a single log file only, permits%c
Available
:);.;4;~;
484e4z4
:.:7:D:J:e:k:
/vssrec <basename> <logpath>%c
EventRegister
$FlushFS
m_sem2
0Q0V0v0{0
<5=?=U=
:!:*:0:8:>:K:S:Y:q:v:|:
/b<db> - make backup copy under the specified name%c
:9:C:Y:|:
%i (0x%08x)
DeleteFileW
5$5<5R5b5k5w5}5
%*.*s <0x%0*I64x,%3i>:
D$`PS
0, 1, 2, 3, 4, 5, 6, 7, 8, 16, Over-16
FullName
PostQueuedCompletionStatus
t$Lj4Pf
HeapAlloc
FAILURE: WaitForSingleObjectEx:
9 9.9
7D8K8a8
;!<9<B<w<
EseShadowCreateSimpleShadow
Vh+W0
7$7(7,7<7@7D7T7X7\7l7p7t7
%*.*f%%
_getch
%wsBeginUndo : errDefault=%d, %d DBs
=,>3?
__iob_func
EnforceFail
.data$brc
D$lPh
InternalName
9n:{:
UNKNOWN!
le_ulChecksum: 0x%x
malloc
;*<E<v<
%*ls
:2:9:F:g:v:
OS CreateFileW( path, %#x, %#x, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL | FILE_FLAG_OVERLAPPED | %hs | %hs, NULL )
7(727:7?7O7W7e7v7
HungIoEnforceAction
FAILURE: GetOverlappedResult (read):
8%8.878@8F8U8[8
recovery is first run to properly complete database%c
IsProcessorFeaturePresent
api-ms-win-core-profile-l1-1-0.dll
.rsrc$02
_unlock
:%:9:?:H:N:`:d:h:l:p:t:x:|:
3$3.3J3
0&0,060_0
FILE DUMP:%c
%s (2)
4+404Y4^4~4
SeManageVolumePrivilege
9=9S9
0,
0^1c1
|L.\u
=,>2><>
/o - suppress logo%c
FindNextFileW
TlsSetValue
kernel32.dll
7+737<7B7H7N7T7^7g7m7
repair is performed if corruption is detected. This option%c
;JDrCw
.text$di
FindClose
<filename> must be the name of a database).%c
D$@;BTt
Source database
>;>G>P>d>
%wsSPACE USAGE OPTIONS:%c
_wcsupr_s
D$ Ph
Recovery has indicated that there is a lossy recovery option. Run recovery with the /a argument.%wc
<!<(<C<R<
<;<H<M<s<
0"0(0U0h0|0
1N1[1s1
9'9J9U9|9
GetCurrentProcessId
<#<Y<_<f<l<
t)f;O
%d:%d:%d
RegCreateKeyExW
9\$tul
SingleIoru
2+232k2z2
CHECKSUM:%c
.rdata$zETW0
Volume Name: %s%c
CreateThreadpoolTimer
<description>Extensible Storage Engine Utilities for Microsoft(R) Windows(R)</description>
->SerialNum = %hs;
O%OfDb
<1=T=`=f=o=u=
=I=N=n=s=
api-ms-win-core-file-l1-1-0.dll
JetSetSystemParameterA
DelayLoadFailureHook
esentutl.pdb
WaitForSingleObjectEx
7#777=7K7Q7Y7_7s7y7
3:4l4
Int:KeySizes
to the log file)%c
HPh(*@
Space Saved: 0x%08I64x bytes (%I64d kB) (%2d %%)%c
WSh,=@
m_irksem
>$>0>9>U>_>u>
?>?m?w?
FWaitForAllReads. GetOverlappedResult had the wrong number of bytes! Offset = 0x%x`%08x. dwBytesToRead = %d. dwBytesRead = %d.
szMessage
COSFile::ErrIOGetAllocatedRange
4KB, 8KB, 16KB, 32KB, 64KB, 128KB, 256KB, 512KB, 1MB, 2MB, Over-2MB
;V;t;
D$$PRj
Total bytes read = %#I64x (%I64d) (%I64d MB)
m_fQS
/8 - set 8k database page size (default: auto-detect)%c
;Clt;
Table Objid(%d) leaked %d pages.
Debugger
api-ms-win-core-errorhandling-l1-1-3.dll
System files: %s%c
t - for FTL trace file.%c
SYNTAX: %s /z <database name>%c
- location of system files (eg. checkpoint file)%c
6$6*60686>6D6I6O6U6[6c6i6q6w6|6
%d milliseconds for the slowest read
.CRT$XIZ
specified, seek to the bookmark starting at the%c
Int:KeyComp
AllocationlessInsertShouldSucceedPossDupEntry
%ws%ws /f#lvs - Print out all information to%c
%*d%ws
!This program cannot be run in DOS mode.
JET_MissingLogContinueToRedo
/vss - dumps a snapshot of the file, does not replay%c
tfh,;@
Error: Could not fetch the requested object.
ESEUTIL
api-ms-win-eventing-provider-l1-1-0.dll
N`;F<|
Unset(N/A)
>+>5>D>X>^>
<?=f=q=
%8I64u,%5I64u
Too many active threads/workers in this section, must quit to avoid consistency issues!
p - dump flush map file%c
D$(Ph@
2=3B3G3L3
QueryPerformanceFrequency
%d milliseconds used
GetCurrentThread
6H7O7U7Z7
MultiIors
Usage Error: No mode specified.
< =<=H=Q=e=
AL0pA
wcspbrk
the seek ended up%c
EseShadowPurgeShadow
SmallDurationLargerThan35MinTruncation
api-ms-win-core-synch-l1-1-0.dll
515U5Z5
=;>H>O>`>e>l>s>z>
92u)9J
:&:,:3:9:@:F:M:S:Z:`:g:m:t:z:
>">(>5>>>J>P>d>i>s>y>
9D$,v
cPartDelLVs
le_cWriteFailures: %I64d
;'<4<A<N<W<]<
GetCompressedFileSizeW
2!2+212L2h2
The ESE engine did not return expected catalog data.
- checksums a snapshot of a live database, replays%c
api-ms-win-core-psapi-l1-1-0.dll
< <-<3<9<><K<Q<W<\<i<o<u<z<
;H$t;
SPACE[%ws\%ws] %ws Split Buffer Avail: %6d - %6d (%4d)
?(?.?P?
COSDisk::Flush[%8x] Res: %d Delta: +%8.3f +(%8.3f op) - %I64d - %ws
HeapSetInformation
112t2
(default: current directory)%c
5&5C5`5
EnterCriticalSection
.CRT$XCU
/8 - set 8k database page size (default: auto-detect)%c
Log files: %s%c
9%9+92989?9E9L9R9Y9_9i9o9v9|9
Usage Error: Invalid mode.
6<7B7K7P7W7]7b7h7m7s7x7~7
/vsssystempath <systempath>%c
$Ph 8@
t2j`j
source file
L$4;t$<
(header)
:";2;B;L;T;
FAILURE: SetEndOfFile:
/4 - set 4k database page size (default: auto-detect)%c
SH:grbit
5$5(585L5P5`5d5t5
FILE_FLAG_WRITE_THROUGH
- location of system files (eg. checkpoint file)%c
Integrity: %s /g <database name> [options]
LV:Comp
\1a1g1m1s1y1
D$8Ph(
le_ulSchemaID: %d (0x%x)
1%1,12181>1H1N1T1Z1a1g1m1s1z1
%0.3f
</requestedPrivileges>
GetCurrentProcess
<assembly
7V7\7c7
n - dump nodes%c
9!9*929>9L9V9a9j9r9~9
$Qhx8@
3'323W3b3
VssIdToString
onecore\ds\esent\published\inc\sync.hxx
iswascii
999?9a9g9u9{9
>T>Y>y>~>
PgnoFDP
0&060
advapi32.dll
9"9(9c9~9
1-131b1q1b3l3
O%OfTable
EseShadowMountShadow
LocalFree
ForUndo
%wsErrCond : errDefault=%d
819e9
</assembly>
.didat$3
5]6r6x697?7I7
Extents Enumerated: %ld%c
Translation
defragmentation, the database will be rolled back to the state%c
m_osdi.m_ossad = { Ver.Size=%d.%d, MaxTransferLength/PhysicalPages=%d/%d, AlignMsk=%d, Pio=%d, CommandQueueing=%d, Accel=%d, BusType.Maj.Minor=%d.%d.%d };
LV:Bytes
OsDiskTruncateBasicDiskModel
TlsFree
ErrFileOpen( %ws, 0x%x ) -> 0x%p{0x%p} )
SH:Growth
Searched00AndNotEmptyRbt
le_cReOpens: %d
4#4*494>4
Heap A
8'8E8K8r8
TransferShouldLeaveBuildingQEmpty
5(515=5C5[5`5j5p5
> >$>(>,>0>4>8><>@>D>H>L>P>T>X>\>`>d>h>l>p>t>x>|>
;-<><F<
ProductVersion
1H2Q2Z2c2l2r2
FlushFileBuffers
isprint
CD3AD%
__p__commode
9?:G:R:`:l:
Microsoft.Windows.ESENT.TraceLogging
Log path: %s%c
/4 - set 4k database page size (default: auto-detect)%c
.didat$4
_onexit
check, recovery is first run to properly complete%c
, Original Database Location: %s%c
.CRT$XIAA
8'8/8I8S8Y8_8m8~8
m_cOAWX
;Flt;
Initiating REPAIR mode...%c
>
^l+Bh
2)2/2=2C2]2e2k2{2
\Debug\ESE.TXT
3#3)3/353;3C3Q3f3p3~3
Windows
Hung IO Patrol Dog found this %p IOREQ is lurking too long. m_ioreqtype = %d, m_iomethod = %d, m_ciotime = %u, cmsecLow = %u
EseShadowTerm
0 == m_cbCommit
OsDiskTruncateDiskFirmwareRev
T$pVW
PVVh<)@
|----|----|----|----|----|----|----|----|----|----|
RSDSl
onecore\ds\esent\src\os\time.cxx
.idata$2
api-ms-win-core-debug-l1-1-0.dll
=D=M=b=
JetDBUtilitiesW
:':2:W:b:
T$$Pj
6%6H6t6
the replay will go to the end of the existing logs.%c
CreateSemaphoreW
0l0p0t0
psapi.dll
4P5Z5d5l5z5
.tls$
%*I64u%ws
4l5v5-6v6
T$ RP
CreateIoCompletionPort
Failed S.M.A.R.T. load: %hs
GetExitCodeThread
LookupPrivilegeValueW
D$hPSh(
1C1H1N1X1b1l1v1
/p<pgno> [/k<key> [/d<data>]]%c
(020H0k0}0
system path
Database: %s%c
.gfids
Kd;S<
ForRedo
u RP+~8
8,80848D8H8L8P8T8X8\8`8d8h8l8p8x8
vsssystempath
s]9T$
( State().m_cw & 0xffff0000 ) != 0xffff0000
recommended that before proceeding with repair,%c
Operating System
Pages %d (
number)%c
8s9Y:
@.didat
|$$u7
5(6:6n6y6
<@<J<`<j<}<
SVWuJh
_cexit
3"3P3i3o3y3
;s<tE+
%ws[%I32u.%I32u.%I32u.%I32u]
GetLocalTime
SetFilePointerEx
Number of read errors = %d
m_sem
1I1^1o1}1
m_cOOWS
>J>V>b>
PgnoOE
%d correctable checksums
GetLastError
<H=Q=Z=c=l=r=
7&8W8d8i8
EventWrite
Logfile base name: %s%c
>I>e>w>
Shh@@
_amsg_exit
TEMPCHKSUM%d.EDB
Usage Error: Invalid argument '%s'. Options must be preceded by '-' or '/'.
Data:KeySizes
D$8QPQPh<
?terminate@@YAXXZ
<!<2<R<]<
t$(;t$(u
t<=|;@
_snwscanf_s
/l<path> - location of log files%c
logfile base name
MBR:%08X
7E7J7
<7<B<g<r<
PARAMETERS: <database name> - filename of database to repair%c
9":(:7:E:T:Y:_:
PgnoAE
393V3v3
api-ms-win-security-lsalookup-l2-1-0.dll
[%ws %03x.%03x %I64d]
4"4(4?4l4x4
7 7)7/757>7D7V7_7f7l7z7
OpenState
<1=j=
m_cAvail
m_semW
api-ms-win-core-timezone-l1-1-0.dll
Index
;3;9;@;E;R;a;i;q;
/o - suppress logo%c
DESCRIPTION: Verifies integrity of a database.%c
GetSystemInfo
%I64i (0x%016I64x)
JET_errSuccess, Operation was successful.
originally logged in log files)%c
%ws%ws for the object.%c
tDSVW
Ah+Bh
EseNoLo
/s<path> - location of system files (eg. checkpoint file)%c
QSVWh M@
GetFileAttributesExW
RegCloseKey
D$\PW
AssertTrackTag%s%s
FAILURE: GetFileSize:
%d milliseconds for the fastest read
@x;Cx
PriExtCpg
WhhI@
drwtsn32
Can be specified for each database file.%c
2"2B2L2b2]4d4z4

PE Information

Image Base: 0x00400000
Entry Point: 0x00047cb0
Reported Checksum: 0x00051d2d
Actual Checksum: 0x00051d2d
Minimum OS Version: 10.0
PDB Path: esentutl.pdb
Compile Time: 1992-12-15 12:53:12
Import Hash: 71099b51c33e38daa19cd45879503390

Version Infos

CompanyName Microsoft Corporation
FileDescription Extensible Storage Engine Utilities for Microsoft(R) Windows(R)
FileVersion 10.0.17763.1 (WinBuild.160101.0800)
InternalName esentutl.exe
LegalCopyright © Microsoft Corporation. All rights reserved.
OriginalFilename esentutl.exe
ProductName Microsoft® Windows® Operating System
ProductVersion 10.0.17763.1
Translation 0x0409 0x04b0

Sections

Name RAW Address Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
.text 0x00000400 0x00001000 0x0004806c 0x00048200 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.07
.data 0x00048600 0x0004a000 0x00002e08 0x00001e00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 3.31
.idata 0x0004a400 0x0004d000 0x00001ac0 0x00001c00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 5.25
.didat 0x0004c000 0x0004f000 0x00000008 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 0.06
.rsrc 0x0004c200 0x00050000 0x000006d8 0x00000800 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 3.83
.reloc 0x0004ca00 0x00051000 0x00004258 0x00004400 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ 6.77

Name Offset Size Language Sub-language Entropy File type
RT_VERSION 0x000502e0 0x000003f4 LANG_ENGLISH SUBLANG_ENGLISH_US 3.45 None
RT_MANIFEST 0x000500a0 0x00000240 LANG_ENGLISH SUBLANG_ENGLISH_US 4.86 None

Imports

Name Address
__iob_func 0x44d298
_getch 0x44d29c
wcscat_s 0x44d2a0
swprintf_s 0x44d2a4
_wcsupr_s 0x44d2a8
_wfullpath 0x44d2ac
strchr 0x44d2b0
_wcsnicmp 0x44d2b4
_wtol 0x44d2b8
_snwscanf_s 0x44d2bc
__p__commode 0x44d2c0
printf 0x44d2c4
_amsg_exit 0x44d2c8
_wsplitpath_s 0x44d2cc
__wgetmainargs 0x44d2d0
_wmakepath_s 0x44d2d4
wcschr 0x44d2d8
__set_app_type 0x44d2dc
_purecall 0x44d2e0
wcscpy_s 0x44d2e4
exit 0x44d2e8
_exit 0x44d2ec
_cexit 0x44d2f0
_wcsicmp 0x44d2f4
__p__fmode 0x44d2f8
__setusermatherr 0x44d2fc
_initterm 0x44d300
_lock 0x44d304
_unlock 0x44d308
wprintf 0x44d30c
swscanf_s 0x44d310
free 0x44d314
wcstol 0x44d318
memcpy 0x44d31c
_vsnwprintf 0x44d320
malloc 0x44d324
_XcptFilter 0x44d328
iswascii 0x44d32c
fwprintf 0x44d330
isprint 0x44d334
_vsnprintf 0x44d338
strtoul 0x44d33c
strcspn 0x44d340
strrchr 0x44d344
wcsrchr 0x44d348
strstr 0x44d34c
iswalpha 0x44d350
wcspbrk 0x44d354
vprintf 0x44d358
_except_handler4_common 0x44d35c
_controlfp 0x44d360
?terminate@@YAXXZ 0x44d364
_onexit 0x44d368
__dllonexit 0x44d36c
memset 0x44d370
Name Address
JetBeginSessionW 0x44d000
JetGetSystemParameterW 0x44d004
JetGetErrorInfoW 0x44d008
JetTestHook 0x44d00c
JetInit 0x44d010
JetSetSystemParameterW 0x44d014
JetTerm2 0x44d018
JetGetDatabaseFileInfoW 0x44d01c
JetSetSystemParameterA 0x44d020
JetEndSession 0x44d024
JetRestore2W 0x44d028
JetGetLogFileInfoW 0x44d02c
JetInit4W 0x44d030
JetDBUtilitiesW 0x44d034
Name Address
GetFileAttributesExW 0x44d080
GetDiskFreeSpaceExW 0x44d084
GetVolumePathNameW 0x44d088
ReadFileScatter 0x44d08c
CreateDirectoryW 0x44d090
GetFileInformationByHandle 0x44d094
FlushFileBuffers 0x44d098
SetFileValidData 0x44d09c
GetFileAttributesW 0x44d0a0
SetFileInformationByHandle 0x44d0a4
WriteFileGather 0x44d0a8
GetFileSize 0x44d0ac
SetFilePointerEx 0x44d0b0
RemoveDirectoryW 0x44d0b4
WriteFile 0x44d0b8
ReadFile 0x44d0bc
GetDriveTypeW 0x44d0c0
DeleteFileW 0x44d0c4
CreateFileW 0x44d0c8
FindClose 0x44d0cc
GetDiskFreeSpaceW 0x44d0d0
FindNextFileW 0x44d0d4
GetFileSizeEx 0x44d0d8
FindFirstFileW 0x44d0dc
SetEndOfFile 0x44d0e0
GetVolumeInformationW 0x44d0e4
Name Address
HeapFree 0x44d110
HeapDestroy 0x44d114
HeapSetInformation 0x44d118
HeapAlloc 0x44d11c
GetProcessHeap 0x44d120
Name Address
LocalAlloc 0x44d128
LocalFree 0x44d12c
Name Address
GetLastError 0x44d064
SetLastError 0x44d068
UnhandledExceptionFilter 0x44d06c
SetUnhandledExceptionFilter 0x44d070
Name Address
SetHandleInformation 0x44d100
CloseHandle 0x44d104
DuplicateHandle 0x44d108
Name Address
GetSystemTimeAsFileTime 0x44d244
GetWindowsDirectoryW 0x44d248
GetVersionExW 0x44d24c
GetSystemInfo 0x44d250
GetTickCount 0x44d254
GlobalMemoryStatusEx 0x44d258
GetLocalTime 0x44d25c
GetSystemWindowsDirectoryW 0x44d260
GetSystemTime 0x44d264
Name Address
GetModuleHandleW 0x44d14c
LoadLibraryExA 0x44d150
FreeLibrary 0x44d154
GetModuleFileNameW 0x44d158
GetProcAddress 0x44d15c
LoadLibraryExW 0x44d160
Name Address
CopyFileExW 0x44d0f4
MoveFileExW 0x44d0f8
Name Address
TlsSetValue 0x44d19c
ResumeThread 0x44d1a0
GetCurrentThreadId 0x44d1a4
TlsAlloc 0x44d1a8
TerminateProcess 0x44d1ac
TlsGetValue 0x44d1b0
TlsFree 0x44d1b4
SetThreadPriority 0x44d1b8
CreateProcessW 0x44d1bc
GetCurrentProcessId 0x44d1c0
GetCurrentThread 0x44d1c4
GetCurrentProcess 0x44d1c8
SetThreadPriorityBoost 0x44d1cc
CreateThread 0x44d1d0
GetExitCodeThread 0x44d1d4
Name Address
WakeAllConditionVariable 0x44d234
Sleep 0x44d238
SleepConditionVariableSRW 0x44d23c
Name Address
QueryPerformanceCounter 0x44d1ec
QueryPerformanceFrequency 0x44d1f0
Name Address
VirtualProtect 0x44d174
VirtualAlloc 0x44d178
VirtualQueryEx 0x44d17c
MapViewOfFileEx 0x44d180
CreateFileMappingW 0x44d184
VirtualFree 0x44d188
UnmapViewOfFile 0x44d18c
Name Address
IsProcessorFeaturePresent 0x44d1dc
Name Address
LCMapStringW 0x44d168
FormatMessageW 0x44d16c
Name Address
OutputDebugStringA 0x44d050
DebugBreak 0x44d054
Name Address
GetNativeSystemInfo 0x44d26c
Name Address
FileTimeToSystemTime 0x44d27c
SystemTimeToTzSpecificLocalTime 0x44d280
Name Address
GetTimeFormatW 0x44d044
GetDateFormatW 0x44d048
Name Address
GetVolumeNameForVolumeMountPointW 0x44d0ec
Name Address
SetConsoleCtrlHandler 0x44d03c
Name Address
EventWriteTransfer 0x44d288
EventRegister 0x44d28c
EventUnregister 0x44d290
Name Address
SetThreadErrorMode 0x44d078
Name Address
GetProcessAffinityMask 0x44d1e4
Name Address
GetProfileStringW 0x44d194
Name Address
DeleteTimerQueueEx 0x44d274
Name Address
DelayLoadFailureHook 0x44d05c



Processing ( 10.14 seconds )

  • 9.324 ProcessMemory
  • 0.775 CAPE
  • 0.027 AnalysisInfo
  • 0.017 BehaviorAnalysis
  • 0.002 Debug

Signatures ( 0.05 seconds )

  • 0.008 ransomware_files
  • 0.005 antianalysis_detectfile
  • 0.005 antiav_detectreg
  • 0.005 ransomware_extensions
  • 0.003 ursnif_behavior
  • 0.002 antiav_detectfile
  • 0.002 infostealer_ftp
  • 0.002 infostealer_im
  • 0.002 poullight_files
  • 0.002 territorial_disputes_sigs
  • 0.001 antianalysis_detectreg
  • 0.001 antivm_vbox_files
  • 0.001 antivm_vbox_keys
  • 0.001 geodo_banking_trojan
  • 0.001 browser_security
  • 0.001 disables_backups
  • 0.001 disables_browser_warn
  • 0.001 disables_power_options
  • 0.001 azorult_mutexes
  • 0.001 infostealer_bitcoin
  • 0.001 cryptbot_files
  • 0.001 echelon_files
  • 0.001 infostealer_mail
  • 0.001 masquerade_process_name
  • 0.001 revil_mutexes
  • 0.001 modirat_behavior

Reporting ( 0.01 seconds )

  • 0.004 CAPASummary
  • 0.001 JsonDump

Signatures

The PE file contains a PDB path
pdbpath: esentutl.pdb
Resumed a thread in another process
thread_resumed: Process esentutl.exe with process ID 4728 resumed a thread in another process with the process ID 4728
The binary contains an unknown PE section name indicative of packing
unknown section: {'name': '.didat', 'raw_address': '0x0004c000', 'virtual_address': '0x0004f000', 'virtual_size': '0x00000008', 'size_of_data': '0x00000200', 'characteristics': 'IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE', 'characteristics_raw': '0xc0000040', 'entropy': '0.06'}
Yara detections observed in process dumps, payloads or dropped files
Hit: PID 4728 triggered the Yara rule 'shellcode_get_eip' with data '['{ E8 00 00 00 00 58 }']'
Anomalous binary characteristics
anomaly: Entrypoint of binary is located outside of any mapped sections

Screenshots

No screenshots available.

Hosts

No hosts contacted.

DNS

No domains contacted.

Summary

C:\Windows\System32\kernel.appcore.dll
\??\CONIN$
No results
Sorry! No behavior.
Sorry! No strace.
Sorry! No tracee.

No TCP connections recorded.

No UDP connections recorded.

HTTP Requests

No HTTP(s) requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No Suricata Extracted files.
Sorry! No dropped files.
Sorry! No process dumps.