Analysis
| Category | Package | Started | Completed | Duration | Options | Log(s) |
|---|---|---|---|---|---|---|
| FILE | exe | 2025-06-12 03:30:29 | 2025-06-12 04:01:12 | 1843 seconds | Show Options | Show Analysis Log |
procmemdump=1
import_reconstruction=1
unpacker=2
norefer=1
no-iat=1
2024-11-25 13:37:15,100 [root] INFO: Date set to: 20250611T16:54:44, timeout set to: 1800 2025-06-11 17:54:44,304 [root] DEBUG: Starting analyzer from: C:\tmpjeo7jmad 2025-06-11 17:54:44,304 [root] DEBUG: Storing results at: C:\SLtSxJVgsX 2025-06-11 17:54:44,304 [root] DEBUG: Pipe server name: \\.\PIPE\TCjHsIkvb 2025-06-11 17:54:44,304 [root] DEBUG: Python path: C:\Users\Packager\AppData\Local\Programs\Python\Python310-32 2025-06-11 17:54:44,304 [root] INFO: analysis running as an admin 2025-06-11 17:54:44,304 [root] INFO: analysis package specified: "exe" 2025-06-11 17:54:44,304 [root] DEBUG: importing analysis package module: "modules.packages.exe"... 2025-06-11 17:54:45,148 [root] DEBUG: imported analysis package "exe" 2025-06-11 17:54:45,148 [root] DEBUG: initializing analysis package "exe"... 2025-06-11 17:54:45,148 [lib.common.common] INFO: wrapping 2025-06-11 17:54:45,148 [lib.core.compound] INFO: C:\Users\Packager\AppData\Local\Temp already exists, skipping creation 2025-06-11 17:54:45,148 [root] DEBUG: New location of moved file: C:\Users\Packager\AppData\Local\Temp\wbengine.exe 2025-06-11 17:54:45,148 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option 2025-06-11 17:54:45,148 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option 2025-06-11 17:54:45,148 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader option 2025-06-11 17:54:45,148 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader_64 option 2025-06-11 17:54:45,336 [root] DEBUG: Imported auxiliary module "modules.auxiliary.browser" 2025-06-11 17:54:45,351 [root] DEBUG: Imported auxiliary module "modules.auxiliary.digisig" 2025-06-11 17:54:45,382 [root] DEBUG: Imported auxiliary module "modules.auxiliary.disguise" 2025-06-11 17:54:45,414 [root] DEBUG: Imported auxiliary module "modules.auxiliary.human" 2025-06-11 17:54:45,429 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops' 2025-06-11 17:54:45,429 [lib.api.screenshot] ERROR: No module named 'PIL' 2025-06-11 17:54:45,429 [root] DEBUG: Imported auxiliary module "modules.auxiliary.screenshots" 2025-06-11 17:54:45,429 [root] DEBUG: Imported auxiliary module "modules.auxiliary.tlsdump" 2025-06-11 17:54:45,429 [root] DEBUG: Initialized auxiliary module "Browser" 2025-06-11 17:54:45,429 [root] DEBUG: attempting to configure 'Browser' from data 2025-06-11 17:54:45,429 [root] DEBUG: module Browser does not support data configuration, ignoring 2025-06-11 17:54:45,429 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.browser"... 2025-06-11 17:54:45,429 [root] DEBUG: Started auxiliary module modules.auxiliary.browser 2025-06-11 17:54:45,429 [root] DEBUG: Initialized auxiliary module "DigiSig" 2025-06-11 17:54:45,429 [root] DEBUG: attempting to configure 'DigiSig' from data 2025-06-11 17:54:45,429 [root] DEBUG: module DigiSig does not support data configuration, ignoring 2025-06-11 17:54:45,429 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.digisig"... 2025-06-11 17:54:45,429 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature 2025-06-11 17:54:45,695 [modules.auxiliary.digisig] DEBUG: File is not signed 2025-06-11 17:54:45,695 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json 2025-06-11 17:54:45,695 [root] DEBUG: Started auxiliary module modules.auxiliary.digisig 2025-06-11 17:54:45,695 [root] DEBUG: Initialized auxiliary module "Disguise" 2025-06-11 17:54:45,695 [root] DEBUG: attempting to configure 'Disguise' from data 2025-06-11 17:54:45,695 [root] DEBUG: module Disguise does not support data configuration, ignoring 2025-06-11 17:54:45,695 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.disguise"... 2025-06-11 17:54:45,695 [modules.auxiliary.disguise] INFO: Disguising GUID to 1b621a55-cfac-4e69-8e86-c2b86ccae11e 2025-06-11 17:54:45,695 [root] DEBUG: Started auxiliary module modules.auxiliary.disguise 2025-06-11 17:54:45,695 [root] DEBUG: Initialized auxiliary module "Human" 2025-06-11 17:54:45,695 [root] DEBUG: attempting to configure 'Human' from data 2025-06-11 17:54:45,695 [root] DEBUG: module Human does not support data configuration, ignoring 2025-06-11 17:54:45,695 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.human"... 2025-06-11 17:54:45,695 [root] DEBUG: Started auxiliary module modules.auxiliary.human 2025-06-11 17:54:45,695 [root] DEBUG: Initialized auxiliary module "Screenshots" 2025-06-11 17:54:45,695 [root] DEBUG: attempting to configure 'Screenshots' from data 2025-06-11 17:54:45,695 [root] DEBUG: module Screenshots does not support data configuration, ignoring 2025-06-11 17:54:45,695 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.screenshots"... 2025-06-11 17:54:45,695 [modules.auxiliary.screenshots] WARNING: Python Image Library is not installed, screenshots are disabled 2025-06-11 17:54:45,695 [root] DEBUG: Started auxiliary module modules.auxiliary.screenshots 2025-06-11 17:54:45,695 [root] DEBUG: Initialized auxiliary module "TLSDumpMasterSecrets" 2025-06-11 17:54:45,695 [root] DEBUG: attempting to configure 'TLSDumpMasterSecrets' from data 2025-06-11 17:54:45,695 [root] DEBUG: module TLSDumpMasterSecrets does not support data configuration, ignoring 2025-06-11 17:54:45,695 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.tlsdump"... 2025-06-11 17:54:45,711 [modules.auxiliary.tlsdump] INFO: lsass.exe found, pid 696 2025-06-11 17:54:45,758 [lib.api.process] INFO: Monitor config for <Process 696 lsass.exe>: C:\tmpjeo7jmad\dll\696.ini 2025-06-11 17:54:45,758 [lib.api.process] INFO: Option 'procmemdump' with value '1' sent to monitor 2025-06-11 17:54:45,758 [lib.api.process] INFO: Option 'import_reconstruction' with value '1' sent to monitor 2025-06-11 17:54:45,758 [lib.api.process] INFO: Option 'unpacker' with value '2' sent to monitor 2025-06-11 17:54:45,758 [lib.api.process] INFO: Option 'norefer' with value '1' sent to monitor 2025-06-11 17:54:45,758 [lib.api.process] INFO: Option 'no-iat' with value '1' sent to monitor 2025-06-11 17:54:45,758 [lib.api.process] INFO: Option 'tlsdump' with value '1' sent to monitor 2025-06-11 17:54:45,758 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmpjeo7jmad\dll\KhePLP.dll, loader C:\tmpjeo7jmad\bin\ktypyZOY.exe 2025-06-11 17:54:45,945 [root] DEBUG: Loader: IAT patching disabled. 2025-06-11 17:54:45,945 [root] DEBUG: Loader: Injecting process 696 with C:\tmpjeo7jmad\dll\KhePLP.dll. 2025-06-11 17:54:45,976 [root] DEBUG: 696: Python path set to 'C:\Users\Packager\AppData\Local\Programs\Python\Python310-32'. 2025-06-11 17:54:45,976 [root] INFO: Disabling sleep skipping. 2025-06-11 17:54:45,976 [root] DEBUG: 696: Full process memory dumps enabled. 2025-06-11 17:54:45,976 [root] DEBUG: 696: Import reconstruction of process dumps enabled. 2025-06-11 17:54:45,976 [root] DEBUG: 696: Active unpacking of payloads enabled 2025-06-11 17:54:45,976 [root] DEBUG: 696: CAPE debug - unrecognised key norefer. 2025-06-11 17:54:45,976 [root] DEBUG: 696: TLS secret dump mode enabled. 2025-06-11 17:54:45,992 [root] DEBUG: 696: InternalYaraScan: Scanning 0x00007FF84A790000, size 0x1f4542 2025-06-11 17:54:46,008 [root] DEBUG: 696: InternalYaraScan hit: RtlInsertInvertedFunctionTable 2025-06-11 17:54:46,008 [root] DEBUG: 696: RtlInsertInvertedFunctionTable 0x00007FF84A7A090E, LdrpInvertedFunctionTableSRWLock 0x00007FF84A8FB4F0 2025-06-11 17:54:46,008 [root] DEBUG: 696: Monitor initialised: 64-bit capemon loaded in process 696 at 0x00007FF8234D0000, thread 1904, image base 0x00007FF60D500000, stack from 0x0000008EFAA74000-0x0000008EFAA80000 2025-06-11 17:54:46,008 [root] DEBUG: 696: Commandline: C:\Windows\system32\lsass.exe 2025-06-11 17:54:46,023 [root] DEBUG: 696: Hooked 5 out of 5 functions 2025-06-11 17:54:46,023 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread. 2025-06-11 17:54:46,023 [root] DEBUG: Successfully injected DLL C:\tmpjeo7jmad\dll\KhePLP.dll. 2025-06-11 17:54:46,023 [lib.api.process] INFO: Injected into 64-bit <Process 696 lsass.exe> 2025-06-11 17:54:46,023 [root] <truncated>
Machine
| Name | Label | Manager | Started On | Shutdown On | Route |
|---|---|---|---|---|---|
| win10-2 | win10-2 | KVM | 2025-06-12 03:30:29 | 2025-06-12 04:00:53 | none |
File Details
| File Name |
wbengine.exe
|
|---|---|
| File Type | PE32+ executable (GUI) x86-64, for MS Windows |
| File Size | 1537536 bytes |
| MD5 | cd9ea97e282a5229e66202312dc021bb |
| SHA1 | 9e859932de99cf2d589eff77da6bd892d5444380 |
| SHA256 | e05cd6d7aea164bfc9c258052a63b4a214833b0d3aa4af89f171dff19ad3cda1 [VT] [MWDB] [Bazaar] |
| SHA3-384 | 5aadc7edd6f1b16d806503e23b981f08e12fbad077af4f731d7940bd7f7572e32377b9a59ba0aa9c8596db830855d997 |
| CRC32 | FE1BF7CC |
| TLSH | T115654A39E2A800ACDDAAC77AC54627A6FE71340E3F3055DB0174C5487F26EF28A39759 |
| Ssdeep | 24576:mtTn6V6laK+Abc7b7rGzbja6eAH03qb1otgHMknBROwG9e0sI3Im:mtTn6V6lB++c7bnGzbjBHb1lHMkBROwd |
| PE | File Strings BinGraph Vba2Graph VirusTotal |
fD9$Xu
D8|$@u
fD9$Fu
EoL! E!e
D9l$4
8\$btBH
!\$(3
l$ VWATAVAWH
fE9$^u
m_lRefCount > 0
(((HRESULT)(hr)) < 0) || (*ppstrFilePath != 0)
SUWAVAWH
wszFileName
@.data
fA9tM
D!uHL
D$hE3
pTable->CBLBBackupSetTable::m_tabledef.m_cColumns == m_tabledef.m_cColumns
{C3B65D83-FB15-4e3f-BA04-097D1E2B5AC1}
OverallPerformanceSetting
Child_{47b7fa87-ce42-48ff-8b18-2f1088121503}
fD9.tDI
SVWATAVAWH
H9E8t
wszDisplayName
g_hFveApi != NULL
RevertToSelf
0 && L"Use OBJECT_ENTRY_NON_CREATEABLE_EX macro if you want to register class categories for non creatable objects."
sqI9L
SUCCEEDED(m_rgVolumeContext[iVol].m_hrResult)
hA_A^A]A\_^[]
pbAppRegistered != NULL
m_state == NOT_INITIALIZED || m_state == CLOSED
hr = hrWin32
ppBackupSpec
r#D8u@
pEngine
\TempMediaId
SetThreadExecutionState
fA9|E
pCBlbVhd
t#D8y
x AWL
strValue.Length()
GetStartupInfoW
H!\$0!\$8
rgVolumeMap
??0CTraceFailureHelper@@QEAA@AEAVCTraceProvider@@JPEBGKPEBX@Z
x ATAUAWH
PA^_^][
A_A]A\_^[]
APPID
USERNAME
guidBagVolumeId != GUID_NULL
!bTargetFailure
pullDirSize
9}PtCH
t$PD9
t$hH;
E9}@vfA
UWAUH
WATAUH
base\stor\blb\util\locutils.cpp
pwszMachineDir
WinReRestoreLogFiles
base\stor\blb\util\volumeutils.cpp
|$ AUAVAWH
L9uot
f9,Qu
l$ VATAUAVAWH
CreateGroupEx
L$`D!;A
ullEndTime >= ullStartTime
(rgSpecs && cSpecs > 0) || (!rgSpecs && !cSpecs)
u*9Q<|%
t$(L;5
RtlClearBits
x1u_H
ADIFM
A;~Pr
NULL != m_pAppBackupContext
@A_A\_
pRowDest != NULL
(UINT)stat
GetSecurityDescriptorLength
m_pIncludeFiles == 0
wcslen(wszPath) + wcslen(x_wszTempGlobalCatalogName) + 3 < MAX_PATH * 2 + 1
D+|$@A
pbExist
%;l$pt
pIsOldFormatVhdsExist
FveEraseDrive
!m_pbHashObject
L{o7Fm_pValuesFirst == NULL
pbMediaFailure
sdk\inc\atlmfc\atlcomcli.h
sdk\inc\atlmfc\atlbase.inl
IsPathMountPoint(ssPath.PeekStr(), &fMountPoint)
base\stor\blb\engine\blbengutils\blbnetworkutils.cpp
RegSetValueExW
CreateXmlReader
D8|$@t
D$0D;
E@H!u@L
hInstTypeLib != 0
MPD8u@uLH
wszSPPMetadataCachePath != NULL
pfIsDirectory
CopyFileExW
bytesRead == len
CreateFile failed for %s
X UVWATAUAVAWH
t$@D;
t$@I;
L$HE3
wszDir
pVssComponentInfo != NULL
GetSecurityDescriptorControl
\Windows\bootstat.dat
H!\$03
base\stor\blb\catalog\bsettbl.cpp
m_pIncludeFiles != 0
Hc{8H
fD9$Bu
cbSize > 0
D8d$X
|$ ATAUAVH
DL$hE3
nLength <= GetData()->nAllocLength
(A_A^A]A\_^[]
CLSIDFromString
M9f(~A
xC@8|$`t
RSDS:/%_
ExtentLength > 0
D$hD8xl
xzD8eHt\H
UgH+UoH
D$XH9D$Pt
dwMountedPathLength < MAX_PATH
CqtKH
t_H9E
H;N0t
9W$v^
UVATAVAWH
(cSPPComponents == 0) == (rgSPPComponents == NULL)
0A_A^A]A\_^[
H!\$ E3
phCryptHash
pguidMediaId
p <= pwstrEnd
eventInfo->wszFailureLogPath != NULL
u;9\$8~5L
pdwRegDisableCompaction
SeSystemEnvironmentPrivilege
VWAVH
)E'Hk
8_^][
cMedia == 1
\$HE2
GetProductInfo
U@!|$(L
pfIsReparsed
L$xH3
nextVolumeContextIndex == cVolumeId
l$8E;
f94Gu
tDD8A
!pVssComponentInfo
%s.vhdx
HiberFil.sys
d$@E3
E8grt
j == m_cVolume
m_wszTargetName != NULL
pIsBMRCompatible != NULL
Microsoft Corporation
\\.\PhysicalDrive%d
LoadLibraryExW
memcmp
H9uwu
;D$HE
OutputDebugStringA
==>%s
g_cInitialized == 1
_XcptFilter
(!isTemplate && !IsGlobalCatalog()) || (isTemplate && IsGlobalCatalog())
SetupDiGetDeviceInterfaceDetailW
A9^$v0
_wcstoi64
usnBeforeSnapShot != BLB_INVALID_USN_ID
cxsparse
_lock
fE9,$u5
Invalid USN nextUsnBeforeSnapshot 0x%016I64X (first USN: %016I64X, last USN: %016I64X)
D$pH;
Backup
T$HE3
pBlbBackupStatUpdater != NULL
`A^_^][
iMediaInfo < cMediaInfo
D8ebt
iVolumeCat != bsiCat.m_cVolume
USVWATAUAVAWH
pwszRestoreAccessPath
pBackupAsync
m_pAppBackupContext
pcCatComponents
%04X.%04X::%02d/%02d-%02d:%02d:%02d.%03d#%02d:%s(%d)%s: %s
D;L$x|
A]A\_
@SUVWAVH
\$8L9|$(
dwBytesWritten == dwBytesToWrite
D8yht
t$@H;
;\$hr
pbIsCSV
pRowSource != NULL
D$XE9O\
SECURITY
fF9$Cu
xU8\$`t>H
tq@8}
H;FDu
L9t$P
D;uXr
base\stor\blb\bmr\asrrestore.cpp
pbIsVirtualSrcVolDependant
AppID
_initterm
cxsparseH
fD9,Bu
base\stor\blb\wsbutil\wsbdeviceutils.cpp
8D$At
SetServiceStatus
wszString
.idata$5
spNode
L9t$8t
m_numNetworkShareVolumes > 0
False
Eh!8I
SCSIOP_MODE_SENSE10
H;K t
pVolumeContext
PA_A^A]_^[]
</Volume>
l$PE3
l$8E3
D9~0vnH
</AppInfoItem>
swscanf_s
A_A]A\_^
W053v
]PH9uHt
??0CTraceHelper@@QEAA@AEAVCTraceProvider@@PEBGKPEBX@Z
CancelIo
9{\vNH
bNeedNetworkShare
H9t$`t
<BackupSpecs Version="%u">
.pdata
pbNewValue != NULL
wcschr
H9\$8u
rgVolumeName
NtQuerySystemInformation
L9g0t
Microsoft
l$ VWATH
System Volume Information\Dedup
ulLen <= m_Len
strChildPath == (strLogicalFilePath.PeekStr() + (strLogicalFilePath.Length() - strChildPath.Length()))
base\stor\blb\util\fileutils.cpp
CsvSupportSettings
ProductVersion
L9t$8u
@UVWAVAWH
\SystemStateBackup
Volume Backup hr
fD9,Hu
m_rgBagCat[i].m_guidVolumeId != GUID_NULL || BlbutilIsEspVolume(m_rgBagCat[i].m_dwVolumeFlags)
wszMetadata != NULL
ppWriterInfoList
|$XhsBH
dwPathLength > 0 && pstrFilePath[dwPathLength-1] == L'\\'
guidTemplateId != GUID_NULL
A^A\_
.?AVCAtlException@ATL@@
ServerNt
API-MS-Win-Core-LocalRegistry-L1-1-0.dll
wszVolumeGuidPath
.data$r$brc
A^A]_^]
L$hD;y
D8e8L
8A_A^A]A\_^][
OVERWRITE(m_ulFeatures) || SNAPSHOT(m_ulFeatures)
u&fD9C
base\stor\blb\dsm\dsmutils\dll\dsmfsenumerator.cpp
CloseServiceHandle
xwD8e`t=H
GetMessageW
wszSuccessLogName && wszFailureLogName
L9l$`ttHcs8H
\\?\GLOBALROOT%ws
B H;E
cSourcePath > 0
@SUVWATAUAVH
moD;}
H;C0ubJ
wszAppend
rgVolumeContext
t"D8A
towlower
(rgComponentNameOrdered[i] != NULL) && (rgComponent[j].m_wszName != NULL)
m_eImpersonationType == BLB_IT_UNDEFINED
fD94Bu
base\stor\blb\dsm\dsmutils\dll\fsutilswrapper.cpp
ppAppRestoreInfo
SetEvent
$UserProfile$
pbPerformResize
t"E8z
t$ WATAVH
L$XE3
_exit
RtlSetBit
fD9,Ou
pCatalog != NULL
fD9,Zu
D9d$`v
!|$xH
!\$`H
fE9$Hu
SetThreadToken
?m_dwTraceLevel@CTraceProvider@@0KA
8A_A^A\_^[
start backup -templateId:{%.8x-%.4x-%.4x-%.2x%.2x-%.2x%.2x%.2x%.2x%.2x%.2x} -quiet
fD9.u
9T$`@
L$HfH
\WindowsImageBackup
0A^_^
9^Hv+E
MoveFileExW
pbPrevKey == NULL || keycomp.CompareKeys(pbKey, pbPrevKey) > 0
9D$Hu$H
pMedia != NULL
DetailedHR
abase\stor\blb\engine\blbengutils\blbvolumeutils.cpp
f9,Xu
!\$0L
D;}Hs
D;uHr
rgVolume != NULL
pGroup != NULL
Failed to query USN journal for volume handle %x
(cSkippedWriterInfo == 0) == (rgSkippedWriterInfo == NULL)
m_rgVolumeMap
pguidVolumeId
m_dwAutoPlayROTCookie == 0
wcslen(pwszLogFile) < (MAX_PATH - 7)
pullExcludedFileSize
D8d$0t
D9KhvCA
fE9$vu
pFirstUsn
H9\$8t
0A_A^A\_^
H!\$`8
@8l$xtjH
pbIsLastBackupOnTarget != NULL
spSystemStateNode
wszDeviceName
D$0fA
UnregServer
base\stor\blb\dsm\dsmfs\dll\filesystemiterator.cpp
HKEY_PERFORMANCE_DATA
DsmutilIsPathUnderParent(ssFilePath.PeekStr(), ssVolumePath.PeekStr(), &bIsUnderParent, &dwParentPathLength)
Mscoree.dll
prgRestoreSpecs
@8{ t
wszTargetVolumeName && pullSizeUsedByBackup
p WAVAWH
H!]@H!]H!]0D
v L;v(r
pwszDrive
t_D8i
L$0D;
H!D$8E3
wszMappingVolumePath != NULL
pTable->CBLBVolumesTable::m_tabledef.m_cColumns == m_tabledef.m_cColumns
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
t"@8q
VlD8"uVH
Failed:
]HD9}X
base\stor\blb\blbimg\snapvol.cxx
WinSqmAddToStreamEx
H!t$0I
H;FLu
\$`I;
false && L"Unknown performance settings type"
NetShareDel
m_rgVolumeContext[iVolCtxt].volumeMap.wszBackupAccessPath == NULL
.tls$ZZZ
m_pVolumeCat != NULL
L9l$0t
!l$(E
pwszComputerName!=NULL
m_cApplication > 0
CoCreateInstance
xrD8}H
!CHUNKED(m_ulFeatures)
GetCommandLineW
*ppstrFilePath || ((hr == ((HRESULT)1L)) && (m_queuedDirectoryTree.IsEmpty()))
m_wszTargetName && *m_wszTargetName
prgCompHrDetailed
pA^A]A\_^[]
pAppRestoreContext->m_iCurrentComponent < cComp
!t$ I
"ExcludeDisk"="%d",
?base\stor\blb\dsm\dsmutils\dll\stringutils.cpp
\REGISTRY\MACHINE\SOFTWARE\Classes
uDD8M
GetWindowsAccountDomainSid
|$0H!t$(H
{ AWH
L9uHt
EHD8u@H
pwszDiskPath
Failed to set the USN journal size (volume handle = %x)
DsmutilDeleteDirectory((LPWSTR)ssPathToDelete.PeekStr(), DSM_DDO_IGNORE_DELETION_FAILURE | DSM_DDO_DELETE_ONLY_CONTENTS, pbRetryableError)
</AdditionalFiles>
m_ppBins != 0
L$(L#
GetFileAttributesW
D9uHH
GetLogicalDrives
t*D8i
pstrSnapshotPath == 0 || *pstrSnapshotPath
sdk\inc\atlmfc\atlcom.h
wcslen(wszPathToDirectory) + wcslen(x_wszGlobalCatalogName) + 1 < STRING_LEN(path)
m_bInitialized == FALSE
CompareFileTime
System Volume Information\SystemStateRestore\MetaDataFiles
L9d$`u
oeY<9
f9,Ku
phrResult
`A^_^
d$xfD
G 9C t
!pDependencyCtxt->m_wszRemoteMachineName
D9t$0v"
A9^$v#I
ppsUniqueId
pbWinPE
OHbase\stor\blb\dsm\dsmfs\dll\filesystemiterator.cpp
pVolMap
J;D1Du@H
xfB;l/Du
t"D8y
<FileSpec FilePath="%ws" FileName="%ws" IsRecursive="%ws" IsInclude="%ws" />
9k0v+H
uoL!d$8H
prgBag != NULL
.CRT$XIA
E8L0Tt0
<ComponentInfoItem WriterId="{%.8x-%.4x-%.4x-%.2x%.2x-%.2x%.2x%.2x%.2x%.2x%.2x}" InstanceId="{%.8x-%.4x-%.4x-%.2x%.2x-%.2x%.2x%.2x%.2x%.2x%.2x}" Name="%ws" LogicalPath="%ws" Caption="%ws" AppName="%ws" hResult="%d" hDetailedResult="%d" IsFullBackup="%d" FullBackupReason="%d" Size="%I64u" DataTransferred="%I64u" TotalNoOfFiles="%I64u" />
H!\$8L
ssFileSpec.Length() > 0
base\stor\blb\coresdk\smart\smartstr.hpp
RtlNtStatusToDosError
9}HtCH
val AppID = s '%APPID%'
pVolCtxt != NULL
<Volume Name="%ws" AccessPath="%ws" OriginalAccessPath="%ws" Label="%ws" OriginalLabel="%ws" >
|$(E3
DispatchMessageW
f9,wu
hA_A^A]A\_^][
wszBackupComponents != NULL
pbOldVhdsExist
wszValueName
D;v\r
USD9uPD
>*t@f
IsRecursive
H!\$@9_
H!|$@
Volume%ws
ppProperties
L9k0u2L;
ImpersonateLoggedOnUser
\$ VWATAVAWH
ResetEvent
@89uRA
sdk\inc\atlmfc\atlcoll.h
x UAVAWH
@8s!t
m_arrVssWMComponents.GetCount() == 0
GetSidSubAuthority
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
tt@8x
H;BHtJ
fB94Ju
XA_A^A]A\_^][
t$ UWATH
m_rgVolumeMap != NULL
t(D8y
H;BHt
??4CTraceProvider@@QEAAAEAV0@AEBV0@@Z
CoRevertToSelf
CSVFS
T$hH+T$`H
pwszDomainPart
FileDescription
sdk\inc\atlmfc\atlexcept.h
m_eMediaType == BLB_MT_FIXED || m_eMediaType == BLB_MT_YANKABLE || m_eMediaType == BLB_MT_NETWORK_SHARE
g_hInstance != NULL
\$ UVWH
SHA256
bsiCat.m_wszBootVolumeAccessPath != NULL
IsPresent
phToken
D$tE3
l$(L!t$
Catalog
;|$tr
H;K |r
eoD;}
SYSTEM\CurrentControlSet\Services\wbengine
F9|5P
pTableSource != NULL
pTemplate
wszSpecsXml
wszVolumeGuid != NULL
D$|fD
\$ VWAVH
WsbMountedVolumeFile%lu_%s
0A\_]
UWATAVAWH
x#L9c
D$8Ii
H;S v
pbDeleteSnapshot != NULL
%ws\%ws*
D$8L9F t
\$xL9l$pt
\Backup
m_cRowBlock > 0
'%APPID%' = s 'Service'
lDeletedSnapshots == 1
m_wszSpecsXML
vsimH
u-fD9C
ntdll.dll
<TimesList>
pbSystemState
base\stor\blb\engine\service\systemstaterestore.cpp
UVWAUAWH
IsGlobalCatalog()
}
System Volume Information\SystemStateRestore
D;lE;
F(huCH
DeviceIoControl
10.0.17763.1
D8t$1tE
H;C8uVH
pwszVhdPath
InitializeCriticalSection
iRow < cguidTemplateId
A_A^A\_^
pTable->CBLBBagsTable::m_tabledef.m_cColumns == m_tabledef.m_cColumns
HKEY_DYN_DATA
L$hE3
9\$4vxH
pRestoreFiles != NULL
xmL;t$Xr#L
.?AV_com_error@@
xQD8}P
\\?\Globalroot\Device\Harddisk%lu\Partition2
pTemplate->m_rgFileSpecs == NULL
Pu=Hc
H;C0u`H
!m_bIsCatalogLoadedFromTarget || (m_pTargetCatalogSystem != NULL)
UVWATAWH
fD9<~u
pullExpirationTime != NULL
$H;B@u
wszSnapshotName
wszTargetAccessPath
AdjustTokenPrivileges
ppstrLogicalFilePath != 0
T$@A;
(t$PL
l$0E3
A_A\_
fC9TE
D8|$pu
System\CurrentControlSet\Control\ProductOptions
IoState[CurrentBuffer] == BLBIMGI_IO_STATE_WRITING
Backup Target Type
|$\E;
FALSE
USWATAWH
fF9$zu
ExtractVolumePath(ssWorkingPath, ssVolumePath)
dwSkipVolumeIndex < cVolumesUsnInfo
D$(E3
H9_puRM
TraceEvent
pcguidTemplateId != NULL
CLSID
\%s%s_Components.xml
<%ws>
SetSecurityDescriptorGroup
uAM;S(
L$8A8
DisableCompaction
base\stor\blb\scheduler\scheduler.cpp
0A_A^_^]
T$8H9Q
t]8M
volumeId != GUID_NULL
D$0H!L$PH!M
)t$@H
wszOldDirectory != NULL
ConvertSidToStringSidW
H!uHH
pbRestorable
IsInclude
GetTickCount64
tT@8q
l$0D!l$PL!l$XD!l$@L!
BlbutilIsEspVolume(m_dwTargetVolumeFlags) == FALSE
ODSFLAGS
base\stor\blb\util\apputils.cpp
pwszTracingDirectory
xJ9\$HsBH
UWATH
tw@8y
\System Volume Information\*{3808876B-C176-4e48-B7AE-04046E6CC752}
pstrFileSpec && *pstrFileSpec
I!6E2
L$(E3
D;D$`r
H UATAUAVAWH
memmove_s
prgVolumes
pTemplate->m_bIsScheduledTemplate
H9D$x
Caption
.rdata$zETW9
\Backup*
L9g(M
D!u0L!u@3
D$XtZA
pTemplCat
cScheduleTime > 0
UVWAVAWH
H!|$HH!|$P!|$@
L$0E3
@0I;D
@8I;D
m_pAppBackupContext != NULL
cNumFailures < m_cVolume
wszFailureLogName
wszMountedVolume != NULL
fE9$Ku
L$8H3
t D8y
pbIsVolumeOnSharedDisk != NULL
D$ H+
rgVolumes && cVolumes
pbIsVolVirtual
pwszVolumeName != NULL
cSppBadWriters
!fRet
m_cRows == m_pTable->GetRowCount()
\Mb=Lk
pOldData->nAllocLength < nLength
UATAWH
A_A^A\_]
rZA9>L
D$pA;F(
9t$4v%H
pwszAppIdentifier != NULL
fE9$yu
InitiateShutdownW
??1CTraceProvider@@QEAA@XZ
wcslen(wszMultiVolumeList) >= 1
xM9\$HsEH
xv8L$0
cComponentSpecs == lLen
TerminateProcess
RtlFormatCurrentUserKeyPath
guidVolumeId != GUID_NULL
H!_8H
t'@8y
pwszLogFile
8\$Ht~H
DisableBackupToDisk
f9,Au
m_wszUserName
fA9LE
GetVolumeHandle(szSrcVol, &hVolume)
H!E M
?OdsEnabled@CTraceProvider@@QEAA_NW4TRACE_FLAG@@@Z
H9kxt
m_wszMountedVolumePath != NULL
h VWATAVAWH
E`D9}P
</VolumeInfo>
L9/t"H
9u@v'
pSortPage != NULL
6MLs7
GetEnvironmentVariableW
QuickFormat
@SUVWAUAVH
pbsiCat
SetupDiDestroyDeviceInfoList
\$ A;
@8l$pt>H
D;~0r
fD9<zu
t-@8y
A_A^A]
USNSettings
m_hRemoteUserToken == INVALID_HANDLE_VALUE
fE9$Bu
L$XD;L$T
LastBackupDrive
T$PE2
fD9dE
pdwVHDDeviceDiskNumber
m_rgBagCat[m_cBags - 1].m_guidMediaId == m_rgMediaCat[m_cMedia -1].m_guidMediaId
BcdOpenSystemStore
SetupEnumPublishedInfW
L!7E3
D$`H+
D9 w4D9
L$pH!\$@H
@A_A^A]A\_^[
m_bValid
base\stor\blb\engine\helper\blbhelper.cpp
f9,Vu
VHDMountSettings
@USVWATAUAWH
` UAUAWH
base\stor\blb\wsbutil\wsbexclusionhelper.cpp
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
0A^A\_
fF94Bu
GetVirtualDiskPhysicalPath
yBF8D0ht;D9
BackupSettings
.text$x
SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsBackup
H9Y8u
T$ E3
cVolumeSSB
pVhdContextForRemoval
_wtoi
A9m(v-I
RtlClearAllBits
pwszVolumePath != NULL
H9A u
tK;|$pr
prop.Obj.DiffArea.m_llAllocatedDiffSpace >= 0
SetFileAttributesW
F4D;FXuyH
ReplicationHandle
EHD9FP
wcstoul
@(ulPos < m_Size) && (ulPos >= 0)
|$ ATAVAWH
.xdata$x
t$ UWATAUAVH
WATAWH
L$HH3
ppstrPath && *ppstrPath == 0
CheckUnitSizeInMB
A^_^
GetModuleHandleW
pTemplCat->m_bSystemState == FALSE
LsaNtStatusToWinError
T$`H+T$xH
;t$4r
D$PI;
wszVolumeName
fD9$Su
FAILED(hr)
\%s%s.catalog
base\stor\blb\inc\blbutility.h
HashDigestLength
L$ E3
@USVWAUH
.CRT$XLZ
I9v(I
pTemplate->m_cFileSpecs == 0
E'H+E
pOldTemplate != NULL
M!4$H;
G edem
pAppRestoreContext->m_iCurrentComponent < pAppRestoreContext->m_cComponent
HGWd"
wcslen(wszPathBackup) + wcslen(x_wszBackupGlobalCatalogName) + wcslen (x_wszBLB_CATALOG) + 1 < STRING_LEN(wszPathBackup)
9y@vzA
m_pExclusionHandler
base\stor\blb\wsbutil\wsbutils.cpp
fD9,Nu
|$0 t
.giats
@8u`tCH
D$ H;
SystemTimeToFileTime
fD9<Fu
fD9|E
\$8H9
base\stor\blb\wsbutil\wsbvdshelperlibrary.cpp
@SUWATAVH
D8l$`
\REGISTRY\MACHINE
cDiskExtents == pExtents->NumberOfDiskExtents
m_BackupsetVerifier.Remove(wszLocalCatalogFile)
;D$`r
{
m_tBackupTime.dwHighDateTime || m_tBackupTime.dwLowDateTime
@A_A\_^]
L$8I;
D9gDv
D8l$StjH
H9i(tg
tF;~|r
pftEndTime
L9i H
0A_A^_
A]_^[]
D9i |
RtlUnlockBootStatusData
OriginalFilename
pKey->m_type == pCol->m_type
rK;s|r
@8|$@
\Backup %04u-%02u-%02u %02u%02u%02u
base\stor\blb\util\backupsetutils.cpp
t&@8q
bpPerformanceSettings
BCryptCreateHash
*wszTargetVolumeName
d$0E3
pResult
9D$Pt
pNextMediaCtxt
H!M(H
L$HH;
pstrFilePath != 0 && *pstrFilePath != 0
wszVhdFile && *wszVhdFile
uE@8t$xt>H
H9{ H
pBackupSpecs
FileTimeToSystemTime
\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy{
(!m_fInitialized && (m_strRootDirectoryFullPath.Length() == 0) && m_queuedDirectoryTree.IsEmpty()) || (m_fInitialized && (m_strRootDirectoryFullPath.Length() > 0) && m_rootDirectoryData.fSent)
BcdCloseStore
bsiCat.m_cTarget == 1
K;D1Du
t!D8a
H9{ uG
fE9<\u
L$0fD
u0L9?u
SystemStateBackup
.vhdx
fD9$Pu
fE9,Tu
pguidAppWriterId
fD94Au
A_A^A]_^][
((HANDLE)(LONG_PTR)-1) != hVolume
VWATH
pbsiCat != NULL
A_A^A\_^[]
m_pParentContext != NULL
arrExclusionElements.GetCount() == 0
H+A8D
pCrtMediaCtxt
\$8E3
)D$PH;
D$h@8
wszVhdFile
?m_errLogCriticalSection@CTraceProvider@@0U_RTL_CRITICAL_SECTION@@A
base\stor\blb\wsbutil\wsbnonwriterfiles.cpp
GetFullPathNameW
_resetstkoflw
0A_A^A\_^[]
m_iteratorState == NEXT_PARENT
m_cVolume > 0
x ATH
*.vhd
LBackup_Operations
fD9$zu
L9g0L
E;A@r
D$hD9x
Ev|;vFAILED(hResult)
L$XD;
>L9e`t
m_hCOMClientToken == INVALID_HANDLE_VALUE
m_pSSBContext != NULL
CreateVirtualDisk
L!eHL
guidBackupSetInLocalCatalog != GUID_NULL
pbToSave != NULL
E;f0r
wszVHDPath
bstrAlternateLocation.Length() == 0
UVWATAUAVAWH
pbSppBlob != NULL
I9<$t/I
8\$1u5H
t'D8a
u;fD9C
sdiVersion == STORAGE_DEPENDENCY_INFO_VERSION_1 || sdiVersion == STORAGE_DEPENDENCY_INFO_VERSION_2
CloseHandle
tMH9{Pu
L$8E3
D89t+H
@A__^
iWriterComponent == rgWriterInfo[iWriterInfo].cComponentInfo
ReplicationContext->FirstBlock != NULL
fD9d$4
@.reloc
_vsnprintf
Frequency
fD9|}
m_rgVolumeContext
MI_Application_InitializeV1
I9v0I
wszSearchFileName
QueryDosDeviceW
CDirectoryStack::~CDirectoryStack
ARM64
t&@8y
0A_A]A\_^[]
0\Backup *
?terminate@@YAXXZ
cVolume> 0
0A_A^A]_^
HA_A^A]A\_^[]
8A^A]_^][
L!*L!j
pFileAsync
l$xE3
t$pH;
D$0I!
pErrorInfo->pstrDirectory == 0
wcslen(wszPathBackupCatalog) + wcslen(x_wszBackupGlobalCatalogName) + 1 < MAX_PATH
RegisterServiceCtrlHandlerW
ppv != 0
LoadResource
_purecall
`A^A]A\_]
T$(fA
pullPartialVolumeBackupSize
GetSystemTimeAsFileTime
pChangeDetected
pwszBagFile
pwszSlashTerminatedPath != NULL
phFind
m_wszBackupSetDirectory == NULL
RegEnumValueW
eH9_xt
ControlTraceW
SetWaitableTimer
SeShutdownPrivilege
u-H9G
H!|$
\$pL9m
(pPerformanceSettings->m_eOverallPerformanceSettingType == BLB_PST_ALWAYS_FULL) || (pPerformanceSettings->m_eOverallPerformanceSettingType == BLB_PST_ALWAYS_INCREMENTAL) || (pPerformanceSettings->m_eOverallPerformanceSettingType == BLB_PST_CUSTOM)
base\stor\blb\catalog\mediatbl.cpp
3Q9pBSIToSave != NULL
H!\$(H
pTable->IsGlobalCatalog()
U@A9V@ve
\%s%s_AdditionalFiles%s.xml
((DWORD)wcslen(wszVolumeAccessPath) > 2) && (wszVolumeAccessPath[(DWORD)wcslen(wszVolumeAccessPath) - 1] == '\\')
$+\$pH
H9}pu
SplitDirPath(strPath, strParent, strChild)
fD9:u
wer.dll
[traceprovider-trace] Failed: %ws: %#010x
volumeGuid != GUID_NULL
pulFlags
_batRelativeVolumePointer >= BLBIMGF_SECTOR_SIZE
|$HE3
D!eoE3
wcslen(wszPath) + wcslen(x_wszBLB_CATALOG) + 1 < MAX_PATH + 64
iVolume < cb/sizeof(GUID)
!pLatestDirectoryList->directoryList.IsEmpty()
L9d$xt
pIsOldVhdFormat
??0CTraceFunction@@QEAA@AEAVCTraceProvider@@PEBGH1PEBX@Z
9\$hv^H
D8g8u
CreateGroup
CharNextW
rgwszVolumes
1%s\%s{%.8x-%.4x-%.4x-%.2x%.2x-%.2x%.2x%.2x%.2x%.2x%.2x}
u7H9C
base\stor\blb\wsbutil\wsbsystemstateutils.cpp
f9<Hu
wcslen(wszPathToDirectory) < MAX_PATH
D30I;
stVhdInfo.VirtualStorageType.DeviceId == VIRTUAL_STORAGE_TYPE_DEVICE_VHDX
SetUnhandledExceptionFilter
Failed to get directory metadata for path: %ws
guidTargetMediaId != GUID_NULL
wcscmp
%ws\%ws
]@H9}8t
PA^A]_^]
C8;C
f94Pu
\$hE3
pTable->CBLBBagsTable::m_signature == m_signature
<ComponentSpec WriterId="{%.8x-%.4x-%.4x-%.2x%.2x-%.2x%.2x%.2x%.2x%.2x%.2x}" InstanceId="{%.8x-%.4x-%.4x-%.2x%.2x-%.2x%.2x%.2x%.2x%.2x%.2x}" ComponentName="%ws" LogicalPath="%ws" Caption="%ws" />
D$ E3
rgSppBadWriters
.text
RtlFreeHeap
RegLoadKeyW
fD9,Gu
t1E8B
D$lH;
9k@v*
d$(;\$4r
9*vkH
Version
hCryptHash
L$|f;
@8~TuDH
fD94Qu
H;q(|
pguidBootVolume
cVolume == dwVolumeGuid
RestoreTime
wszFailureLogFileName
pMetadata
pdwVolumeNumber
FAT32
9oPv&
pCatalog
Microsoft-Windows-WindowsBackup
.rdata$brc
fF9<wu
@USVWATAUAVH
wszDiskPath && *wszDiskPath
ControlService
wszPathToDirectory != NULL
t$ ATAUAWH
B(H;E
E'H;D
WAUAVH
{8H;{@
t$ AWH
L$`E3
pDiskExtent
m_pCtxtSppMetadata
D$xI;E
rgVolumeLocal
I;F ~
A^A]_
m_pOverflowFirst != NULL
pTable->CBLBMediaTable::m_tabledef.m_cColumns == m_tabledef.m_cColumns
WBEngine
\$t;_@u}H
currentRestoreContext
m_fInitialized
A_A^A]A\_[]
T$@!\$@
H!3H93
K$D9.u
d$pHk
BlbutilIsEspVolume(m_rgVolumeContext[m_iCurrentVolume].m_dwVolumeFlags)
pBackupSet != NULL
pstm != NULL
D$d+D$`
nBins > 0
LsaQueryInformationPolicy
A H;E
;EXr;I;
wszMountedVhdPath != NULL
CLUSAPI.dll
fE9tU
pbstType
m_pValuesLast != NULL
t$8I;
fF9<Su
H!|$PE3
len == _sectorSize
m_strCurrentPath.Length() == 0
cDisk > 0
LocalAlloc
f94Hu
pVhdHandle
.idata$4
ppstrStr != NULL
EnumDependentServicesW
DoNotDeleteFFBSnapshot
@8u@ulM
pContext->IsAborted()
!wszIteratorSnapshotFilePath
GetVirtualDiskInformation
CUsnJournalHelper::GetUsnMaxSize
fD9,pu
{@9{pv
NULL != pVolCtxt
!m_bAsyncInProgress
A_A^A]A\^[]
wszCatalogTargetVolume != NULL
PA^_]
D8%-O
wszVHDVolumeDevicePath
D;JPs$
iLastBackSlash >= 0
cVolumeMap
ppCatalog != NULL
pwszLogsDirectory
strAttributeName
.rdata$T$brc
??1CTraceFunction@@QEAA@XZ
m_dwIndexPosition <= m_dwIndexPositionHigh
SeTakeOwnershipPrivilege
`A_A^A]A\_^[
Component Categories
__dllonexit
rgBackupSets != NULL || cBackupSets ==0
pContext->m_pGroup->cVolumes > 0
!IsBuilt()
current != NULL
eReason == (EReasonForExclusion)eNone || eReason == (EReasonForExclusion)eSkippedInSnapshot
RegEnumKeyExW
fA9,Iu
9kLt?H
EMICROSOFT##SSEE
T$TE;
L9}Pt
&
volumeBlockOffsetBitLength >= bitsInvolumeStartOffset
_wcsicmp(pDiffArea->m_pwszVolumeName, wszVolumeName) == 0
GLJ;D
InitializeSecurityDescriptor
fA94G
DisableBackupToNetwork
H!l$ 3
m_pMetadata
;\$8|
AttachVirtualDisk
!pCatalog->m_bGlobalCatalog
fD9,Ct
@USWATAWH
A_A\_^]
m_nElements == 0
pwszTargetLogFileName
base\stor\blb\engine\service\bmr.cpp
pwszDisplayName
pEngine != NULL
m_wszSpecsXML == NULL
Microsoft.Windows.SystemImageBackup.Engine
rgSrcVolumeInfo
m_cIncludeFileSpecs || m_cExcludeFileSpecs
p WATAUH
nOa-Q
wszAppId && pbValid && pwszParsedAppId
A^A\_][
H9uou
pwszVolumeGlobalRootPath
L!u`E3
L!|$x
__C_specific_handler
@USVWAVAWH
f9<Au
base\stor\blb\dsm\dsmutils\dll\fsutils.cpp
m_ePosition == BLB_CP_ATBEGIN || m_ePosition == BLB_CP_ATEND || m_ePosition == BLB_CP_ONROW
cToSave > 0
cVolumeName == m_cVolume
rowID != ROWID_NULL
fF9<Fu
ReadHandle != INVALID_HANDLE_VALUE
iVolumeIndex > 0
TraceMessage
CreateClassMoniker
%ws: lVal : %S
wszVolumeAccessPath != NULL
8A^A]_^[]
D8e`unH
t9H!x H
tD@8sHt>H9
0A_A^A]A\_^]
T$@fA
@SUVWAUAVAWH
GetTempPathW
TEMPGlobalCatalog
pA_A^A\_]
t"@8y
t$PD;m
C(H9CXw
L9t$@t:L9t$Ht3A
u/L;k
_handle != NULL
A_A^_][
D9i<w+L
fD9,Ku
base\stor\blb\engine\service\verify.cpp
*ppstrLogicalFilePath == 0
WinSqmAddToStream
|$@E3
fD90t
ChkdskEx
fE9,$u
offset[i] < volumeSize
WerReportAddFile
!(* pStr)
m_cVolumeMap != 0
m4H+MPH
CreateEventW
wszSpecsXmlCurr
pOldNode == m_pHead
|$ AVH
\\?\Volume{
H!\$PH!\$XH
<AppInfoItem ComponentName="%ws" LogicalPath="%ws" Caption="%ws" HResult="%d" DetailedHResult="%d" NumBytesProcessed="%I64d" NumBytesToProcess="%I64d" ComponentRestoreState="%d" NoOfFilesFailed="%I64d" NoOfFilesProcessed="%I64d" WriterGuid="%ws" NoOfDepenedncies="%d" IsFailureInDependency="%d" >
RemoveDirectoryW
L$8H+O
H!\$0
[ UVWATAUAVAWH
pwszName != NULL
.text$mn$00
D$t=^
t$ WH
C 9G t
pstrDest != 0 && vt == VT_BSTR
pVolCat->m_bInBackup
CharUpperBuffW
CustomPerformanceSettings
8A_A^_[
D8xtt
ExpirationTime
SetLastError
</ComponentSpecs>
D$0 t
d$pI;
D9L$@rBH
H9]Ot
fA9,Su
pstrIteratorPath == 0
.rsrc$01
9o(v;H
m_wszSuccessLogFileName != NULL && m_wszFailureLogFileName != NULL
m_pGroupRestorer == NULL
H!\$8A
Y@H9;u%L
iVolumeUpdate == cVolumes
base\stor\blb\engine\service\systemstatebase.cpp
OM9f(~-H
wcscspn
pbValue != NULL
A_A^A]A\_^[]
RegDeleteValueW
D$pE3
L!eHE3
fF9,xu
uiAccess="false"/>
wszDevice
!|$HH
L$hA;
ppDataBlock != NULL
pwszDiskName
t6H9x
bFound
fD9$_u
fSfSfUfh
A_A^A]
]8H9}0t
pVolumeMap
base\stor\blb\engine\service\engine.h
pwszRestoreTargetFriendlyName
;D$ v
C@@80
m_apVssExamineWriterMetadata
base\stor\blb\engine\blbengutils\blbvhd.cpp
fE9,Ou
@A_A]A\_^[]
fD9$Wu
((HANDLE)(LONG_PTR)-1) == hVolume
H;A(~
8D$0t
InitializeAcl
CoTaskMemRealloc
NetApiBufferFree
COMPACT(m_ulFeatures) || !m_rules.m_bExcludeAudio && !m_rules.m_bExcludeVideo
j == pMediaCtxt->m_ulBagCount
phrError
GetSecurityDescriptorDacl
m_cRowBlock == 0
PercentageTrigger
uCurrentBit < HintSpaceBitmapSize
m_ssCurrentVolumePath.Compare(pstrDirectoryWin32Path, 0, m_ssCurrentVolumePath.Length()) == 0
NoRunNowBackup
f9.tyf
fD9,^u
cVolume
pullSizeToReclaim
GetTraceEnableLevel
BackupGlobalCatalog
|$4drJH
wszVolumeDevicePath && *wszVolumeDevicePath
Overall Detailed hr
H9=/:
wszDstPath
base\stor\blb\blbevents\publisher\blbpublisher.cpp
t)@8y
MwH+UwI
pwszSystemDevicePath
D$xfD
GetSystemWindowsDirectoryW
_CxxThrowException
\$4A;
!\$PH
t.QuadPart < restoreContext->VolumeSize
f9,Pu
L9yXu
pAppRestoreInfo
f9<Xu
wszComponentName
RtlAreBitsSet
</ComponentInfo>
wszTargetName
ulCurrentMedia < m_cMedia
m_hCheckPointEvent == NULL
m_spBackupItemsRoot
pwszBlbNetworkPath != NULL
LeaveCriticalSection
FindFirstVolumeW
qwszOriginalAccessPath != NULL
;|$8s
pA^A]_^]
D$4A;
wszVolume
NoRemove AppID
pTable->CBLBBackupSetTable::m_signature == m_signature
!\$pI
EgL;e
|$ AWH
Software\Microsoft\Windows NT\CurrentVersion\SystemRestore
wszVhdExtension != NULL
%SystemRoot%\Logs
L$ SVWH
GetTraceLoggerHandle
@A_A]A\_^][
EhH;EX
NoOfVolumesPartiallyBackedUp
fC94Ku
D$(H;
sGetFileInformationByHandleEx failed
H;y v
type=""/>
Microsoft Corporation. All rights reserved.
pos != 0
guidBootVolumeId != GUID_NULL
L$PH3
RtlInitializeBitMap
eName
rgSrcComponentInfo
t,H;s
H9D$@t
m_spVssBackupComponents
FullBackupSettings
rgwzSourcePath
L?PL;u
pcComponents
\$@9_P
wszTempFileName
rgComponent != NULL
?{uSH
D8!m_pCatalogChecksum
</BackupSpecs>
base\stor\blb\engine\service\async.h
L9mXt
.text$yd
SetEndOfFile
cVolume > 0
wszFile != NULL
wszCurrentTargetName != NULL
L$HD;
CreateDirectoryW
wszVolumePath
Operation Type
D8u`u~@
pstrFilePath && *pstrFilePath && pFindData
D9i$u
WATAVH
D;`E3
D$xH;
ppvObject != 0
PA_A^_^]
LcA<E3
t;D8y
_handle == NULL
ScheduledTargetType
8CHtIH
u(;}$
D8\$Xt
(fLoThreshold >= 0) && (fLoThreshold < fOptimalLoad)
@USVWAUAVAWH
BppTemplates
3Z((HANDLE)(LONG_PTR)-1) != hFile
iVolumeMap == cVolumeMap
Offline Files Cache
Wadvapi32.dll
hr == VDS_E_PACK_OFFLINE
base\stor\blb\util\systemutils.cpp
L9l$`t
spCurrentVolume
qH9{0u
fE9DU
t"D8i
fD9$su
m_pAsyncContext != NULL
fIsValidFile
L$XL!t$h
wszValue != NULL
H+E`u
pOutTargetCat
I!4$H
0 != pAllocationDeltaSize && 0 < (*pAllocationDeltaSize)
t6@8q
phService
H WATAUAVAWH
wszTargetBootVolume
@.rsrc
wszFileSpecsXML
blblog
EXH;EhtxH
<VolumeInfo>
D!D$
D9uHv0A
_wcsnicmp(ssActualFilePath.PeekStr(), m_pIncludeFiles->ssFilePath.PeekStr(), m_pIncludeFiles->ssFilePath.Length()) == 0
guidBootVolumeGuid != GUID_NULL
H;H8uhI
!m_pAsyncRef
t^D8i
u\I9~(t(H
L9v0t
pVolumeExclusions != NULL
fD9<wu
phVhd
FveCloseVolume
m_ulBagsProcessed <= m_cBags
rW;s|r
SYSTEM\CurrentControlSet\Control\BackupRestore\FilesNotToBackup
IncludeFile
fD9,su
H;{X~
SYSTEM\CurrentControlSet\Control\BackupRestore\FilesNotToSnapshot
pJournalId
`A_A^A]A\_^]
D;l$p
l$ E3
rdfD9C
L!m`E3
tmptmptmI
9s$vxH
fD9<Qu
E9MhvuA
RegUnLoadKeyW
CoDisconnectObject
H9ypu
SetFileInformationByHandle
LegalCopyright
9u@t>H
D$lL+L$hE
pcFileSpecs
prop.Obj.DiffArea.m_llUsedDiffSpace >= 0
nRefs != 0
WerReportSetParameter
m_bIsBuilt
ATL$__a
<ComponentSpecs>
pTargetCatalog != NULL
fHiThreshold > fOptimalLoad
l$8L!D$0
@A_A^A]_^][
base\stor\blb\catalog\table.cpp
%s\%s\%s
@USWATAUAVAWH
D8g0t
pcFiles
GetSystemTime
0 != lpstrFilePath
wszTargetName != NULL
8L$0u
pstDepInfo != NULL
D$ H!uPL
base\stor\blb\engine\service\async.cpp
CFuncTable::Uninitialize
prgCatComponentInfo
A_A]]
99w:L
pdwRegSizeInGBTrigger
?333333
'Service.EXE'
I;JLt
t$4r%H
H9_xt
!|$pH
lpszKey != 0 && lpszValue != 0
ebase\stor\blb\engine\blbengutils\blbvhdhelper.h
\\?\GLOBALROOT\Device\
D;nPI
L9gHt
(A8^
^7pstrFilePath && *pstrFilePath
p != 0
(D$ H
UAUAVH
A96vsH
cVolumeContext
RtlSetBits
m_iCurrentRestoreFiles < m_cRestoreFiles
wszRestoreTargetPath
@A]A\_^]
f9<Fu
base\stor\blb\engine\service\component.cpp
H!\$0D
D9d$`v"
H UVWATAUAVAWH
ppRequiredTarget
hKey != INVALID_HANDLE_VALUE
D$HH;
@A_A^A]A\_^]
wszAccessPath
1reagent.dll
pullTotalTargetFreeSpace
L$0H3
G tesbD
GetFileInformationByHandleEx(hFile, FileBasicInfo, &fileInfo, sizeof(FILE_BASIC_INFO))
pContext->m_pGroup->rgVolumes
phrDetailedResult
GetUserNameW
v0I;Z
rowid >= m_rgRowBlock[m_cRowBlock - 1].m_lowRowid
ActivateJournal(hVolume, pMaximumSize, pAllocationDeltaSize)
tExcludeSystemFiles
Registry
HeapDestroy
L9u@t
fD9<Bu
eventVol < eventInfo.cVolume
ppPerformanceSettings
pTable->CBLBRestorableComponentsTable::m_tabledef.m_cColumns == m_tabledef.m_cColumns
wszVolumeName && *wszVolumeName
|$pE;
.rdata$zzzdbg
NoRemove CLSID
D8gau&L;
|$2:u
fF;|*ju
f94Au
D$@E;
M9<$u$A
LoadStringW
l$XE3
?m_dwTraceMaxSize@CTraceProvider@@0KA
FHL;}
D;s\r
prgDstVolumeInfo
cVolumes > 0
WAVAWH
A__^
D*DI;
base\stor\blb\dsm\dsmfs\dll\directorystack.cpp
pwszBackupSpecsInfo
GetDriveTypeW
realloc
.rdata
|$XE3
t$h@8q!t
fB94ru
u>H9C
??1type_info@@UEAA@XZ
tGD8y
H!|$HH
D9s\vJH
H9)u4
RegDeleteKeyW
LcE@3
H9l$0t
cSrcComponents != 0
OpenSCManagerW
NoOfAppsInBackup
|$0H;
NetShareGetInfo
<AdditionalFiles>
wszBackupTargetVolume != NULL
H!]0H!]
readOffset.QuadPart/BLBIMGF_SECTOR_SIZE <= _maximumFileSize
base\stor\blb\catalog\volstbl.cpp
LMinFreeSpaceAvailableInMB
r H9{ H
S_OK != hr
wcsstr
\$pH;
BCryptFinishHash
L$ WH
`A^A]_^]
D$$I;
VOLUME_IS_BLOCKLEVEL(dwVolumeFlags)
%02d-%02d-%04d_%02d-%02d-%02d
fF9<Bu
GetStorageDependencyInformation
D;{hr
base\stor\blb\engine\service\component.h
L$TH9D$P
x AWH
fD9,Au
|$`;W@
pA_A^A]A\_^[
CompactVirtualDisk
D;sHr
ppSpec
H9]wu
RtlNumberOfClearBits
;xPu^D
u H!u
0A^A\_^]
m_pDsmCallback->SetDelayed(INFO_FILE_DELETE, wszIteratorFilePath, 0)
wszComponentName1
InstanceId
@8w8u
t$dD+t$`A
WaitForSingleObject
RtlInitUnicodeString
ProductType
pb != NULL && pcb != NULL && ppbReturn != NULL
@A_A]_^]
|$xE3
H+\$0H
m_rgVolumeContext == NULL
!pTable->IsGlobalCatalog()
wszVhdFilePath && *wszVhdFilePath
base\stor\blb\engine\service\restore.cpp
pcComponentSpecs
L$ UVWATAUAVAWH
GX;G\r
fE9<Du
pVhdContext->m_pCBlbVhd
pfailed
E_@8xPt
@VWAUAVAWH
OpenProcessToken
u!H;=
L!6L!v
wszLabel
D9g\vpE
@A_A^]
t+E8z
m_pBmrAsrRestore
0A^A]A\_^
PA_A^A\_^[]
prgVolumeSSB
H!;H9;
StartTraceW
MessageBoxW
SVWATAUAVAWH
SYSTEM\CurrentControlSet\Services\wbengine\SystemStateRestore
0A_A^A\
prop.Type == VSS_MGMT_OBJECT_DIFF_AREA
base\stor\blb\blbimg\backfile.cxx
ppGIT != 0
FindResourceExW
pdwValue
normal
t$8E3
x AVD
base\stor\blb\dsm\dsmfs\dll\exclusionhandler.cpp
ySM;S8
m_dwRef != -1L
pParentCtxt
ywszBackupMetadata
I!<$E3
GetVolumeHandle(wszVolumeName, &hVolume)
D$XI;D$
D$@Hk
pbClient
8D$\tDH
memcpy
base\stor\blb\engine\service\filebackup.cpp
H!\$
m4H+T$(M
XA_A^A]A\_^[]
L9l$Pt
u6H9t$Pu
H!\$0H
.idata$3
SYSTEM\CurrentControlSet\Services\wbengine\SystemStateBackup
SetVolumeMountPointW
<FileInfoItem Name="%ws" HResult="%d" DetailedHResult="%d" FileRestoreState="%d" NoOfFilesFailed="%lld" NoOfBytesProcessed="%lld" NoOfFilesProcessed="%lld" NoOfBytesToProcess="%lld" />
plastUsn
USERDOMAIN
t/@8q
PA]_]
prevBlock >= 0
base\stor\blb\engine\service\prune.cpp
iVolumeUsnInfo == cVolumeUsnInfo
nSubAuthorityCount
mid < (int) m_cRows && mid >= 0
base\stor\blb\engine\usn\base\lib\usnjournalhelper.cpp
_VerifyPadBytes(pb + 1, cbPad) == S_OK
Block Level Backup Engine Service EXE
SetErrorMode
8\$0uEH
H!\$ H
9k@v+H
IsValid()
pBsiCat != NULL
H;|$(
t5I9^Pt/I
wszLogicalPath
tNTFS
Failed to query usn journal for volume: %x
8^!u/
ExtractVolumePath(ssPath, ssVolumePath)
m_pCurrentRestoreContext
IgnorePartialVolumesBackupSize
A;wPr
m_pSppMetadata != NULL
wszFilePath
ulFetched == 1
wszSrcPath
ProcessAndAddExclusion(ssData)
M9l$ |BH
!m_pAsyncHelper
f94Ju
pTemplate != NULL
EGL9M@tMH
D9oXv
guidSourceSnapId != GUID_NULL
H9D$0t
9L$0v-H
fD9;u
cVolumeUpdateDone < cUpdatedVolume
@A_A^A]_^[]
ExpandEnvironmentStringsW
wszReason
ppVhdContext
\$ UVWAUAWH
@8{yH
CompactionSettings
dwRegVHDMountTimeOut != 0
VOLUME_IS_BACKUP_CRITICAL(pVolume->m_dwVolumeFlags) != FALSE
$L9l$8t
</AppInfo>
f9,Fu
D$XA;G\
(_^][
H!D$@H
t"E8}
pcFilesEnumInfo
/iwszNetworkShare
pwszVhdExtension
__setusermatherr
fA9<Nu
fD9"u
UATAUAVAWH
m_wszVhdFilePath && *m_wszVhdFilePath
phVolume != 0
HeapFree
UWATAUAVH
E/H+E
PA^_^[]
@A_A^A\_^
L$hE9yH
m_pFilesInfo != NULL
m_bGlobalCatalog
SeRestorePrivilege
D8mGu9
GetTickCount
fE9,Gu
m_cComponent > 0
wszOriginalAccessPath
fE9$Ou
T$PE3
pbIsCritical != NULL
pTarget
fA96u
fD9,_u
rgVolumeMap != NULL
L$@E3
fE9$@u
pstDepInfoType2MaxAncestor != NULL
pguidId != NULL
wszKeyName
H!u8D
.CRT$XIY
wszfilePath != NULL
A^A]A\_^
19|$xt
D8|$ptDH
GetVolumeInformationW
SAFEBOOT_OPTION
fD9t$`tCH
L$@H3
m_hDoneEvent == NULL
USWATAUAVAWH
cToSave == dwBytesWritten
wcstok_s
m_pfnCreateInstance != 0
MaximumSizeInMB
wszLastSlash != NULL
base\stor\blb\catalog\compare.cpp
parrList
rgScheduleTime != NULL
pbVhdOldVersion
E_OUTOFMEMORY
pbOverflow != NULL
<VolumeInfoItem Name="%ws" RecoveryTargetVolumeName="%ws" HResult="%d" DetailedHResult="%d" VolumeRestoreState="%d" NoOfBytesProcessed="%lld" NoOfBytesToProcess="%lld" Warnings="%lu" ChkDskHResult="%d" OriginalSectorSize="%lu" TargetSectorSize="%lu" BackupTargetUnreadableBytes="%I64d" RestoreTargetUnwritableBytes="%I64d" />
VWAUH
fE9dE
xML9mP
D$XH;
m_bPreRestoreCalled
_blockBitmap.SizeOfBitMap >= 1
(m_iteratorState == FIRST_FILE) || (m_iteratorState == NEXT_DIRECTORY)
D$pA9F(
D8|$@
fF9,Bu
H!u@3
h AWH
rgbValues != NULL
rgTarget
E9d. v.I
tPfD9'uJH;
RtlGetSetBootStatusData
wszVirtualSrcVolName && *wszVirtualSrcVolName
F@H9E
fE9$G
|$8I!u
SUVWATAUAWH
fF94Au
SetVirtualDiskInformation
T$`E3
UWAVH
u(8Y`t
m_bInitialized != NULL
MultiByteToWideChar
(D$`H
H!l$0A
\\?\GLOBALROOT%s
ATL$__m
T$08T$3tTD9U
`A_A^A]_^[]
wszFileSystem
base\stor\blb\util\stringutils.cpp
H!t$pH
A_A^A\
fF9<su
pllDiffAreaSize
prgTargetInfo != NULL
/fD;e
GetSecurityDescriptorSacl
\\?\Volume%s
prgComponent != NULL
EventSetInformation
wszBackupComponents
x%9_@vPH
iVolumeMap < cVolumeMap
<AllCritical IsPresent="%ws" />
RtlFindNextForwardRunClear
base\stor\blb\catalog\cursor.cpp
rgwszSourcePath != NULL
Temp_
UWAUAVAWH
!\$(E3
pwszSPPMetadataFilePath != NULL
D;e`s;
fA97u
fE9$Fu
OutputDebugStringW
D8t$@
D9uXv
D$0fD
9t$Ht
WriteHandle != INVALID_HANDLE_VALUE
pContext->m_pSSBContext
prgVolumeGuid
(m_cCurrentSubComponentIndex != -1) && (m_cCurrentSubComponentIndex < (int)m_arrVssWMComponents.GetCount())
;D$@}
L$ USVWATAVAWH
UnregisterTraceGuids
@A_A^A]_^
D8l$0
readBuffer != NULL
@SVWAVAWH
RestoreStatusResult
fD9$Qu
?m_dwTraceCurrSize@CTraceProvider@@0KA
_currentFilePointer <= _maximumFileSize
H!\$PH!_PD
pbFound != NULL
pbVal1 != NULL
H!\$0@2
dwlJournalId != BLB_INVALID_USN_JOURNAL_ID
%s.0.%s
StartServiceCtrlDispatcherW
o8L!o@H
H9}`u
pThis != 0
pcVolume
m_queuedDirectoryTree.IsEmpty()
pCtxt
sdk\inc\atlmfc\atlcore.h
"InjectDrivers"="%d"
ppwszVolumesInBackup
rgFilesSpecs != NULL
L$`H9
GetFileInformationByHandleEx(m_hFile, FileBasicInfo, &fileInfo, sizeof(FILE_BASIC_INFO))
|$HL9d$pt
E9~Pv:
data.dat
D8t$pu
</TimesList>
H!l$X
pColdef->m_offset + length <= m_tabledef.m_cbRow
!_isCompactForm
D;uPt6A
wszAppName
m_iteratorState == NEXT_DIRECTORY
WpullTotalTargetSpace
@A^_]
T$tD9O@
D8gru
|$hE3
wszMountedVolume
cVolume == iVolume
H9\$8
m_rgdwOverflow == NULL
_batList[diskBlockOffset] != 0xFFFFFFFF
UseASR
A^A\]
D8}wu
m_strSid.IsEmpty()
GetVolumeHandle(pszVolumePath, &hVolume)
OverallHR
d$0H9~
8D$yt
D38I;
EpH!8
P0D;r
pVolCtxt == NULL || VOLUME_IS_BLOCKLEVEL(pVolCtxt->m_dwVolumeFlags) || VOLUME_IS_INCREMENTAL(pVolCtxt->m_dwVolumeFlags)
pdwRegMaxUSNSizeMB
m_pIncludeFiles->fIncludeParents
A^_^[
GetOverlappedResult
8T$1u
A;m(r
D9t$t
t)E8b
LastBackupLocation
pVolumeCat
t.D8a
H!MhH!MpH!Mx!
H!0!3
(|$0D
pwszVolumeName
\UNC\
9yPv1
fD94Ju
pstrFileSpec != NULL
|$@I;
pLocalCatalog != NULL
A]A\_^]
FSWrapperGetFileAttributes(hFile, pdwFileAttributes)
@SUVWATAVAWH
UWATAUAWH
SetFileShortNameW
WATAUAVAWH
VWATAUAVH
guidBootVolumeGuid!= GUID_NULL
base\stor\blb\catalog\index.hxx
base\stor\blb\catalog\tgtstbl.cpp
((DWORD)-1) != dwFileAttributes
wszFileSearchPath
NoOfVolumesFullyBackedUp
NtQueryKey
rgAllVolumesInfo
pTimeOfBackupSet
m_wszCurrentCompactionVolume
?SetTraceControlInfo@CTraceProvider@@QEAAX_N_KK@Z
UuidToStringW
pdwRegAlwaysRunCompaction
\%s*_RegistryExcludes.xml
EoL+EwI
fD9t]
L$ UH
guidTargetVolumeId != GUID_NULL
prgCompHr
USVWAUAVH
writerId != GUID_NULL
<SystemState IsPresent="%d" HResult="%d" DetailedHResult="%d" />
l$@u!H;-N@
pwszMetaDataDirPath
PercentageOfVolumeSize
t)D8i
J;D1Lu5H
A_A^A]A\_
|$ E3
\$ UWATAVAWH
pbHasSystemState
HRESULT_FROM_WIN32(error)
.CRT$XCAA
NtSetInformationKey
RtlAreBitsClear
\$@E3
MaxTriggerSizeInGB
WerReportCloseHandle
fD9$Vu
CExclusionHandler::ProcessAndAddExclusion
base\stor\blb\engine\helper\blbbackupstatupdater.cpp
\$ UH
t"D8a
pwszTaskSchedulerTimeString
NtQueryInformationFile
m_nLockCount > 0
pdwRegUSNSizePercent
ADVAPI32.dll
WsbMountedVolumes
H;O0t
@SWAVH
base\stor\blb\engine\service\appbackup.cpp
FileSpec
&H!\$ H!\$(H!\$0!\$8H
rgCatBackupSet[i].m_wszCurrentTargetName
K L9O t>H
pGlobalCatalogImpl->m_bInitialized
.00cfg
CreateThread
CoRevokeClassObject
t$ UWAUAVAWH
tTD8a
fD9,Fu
FALSE && "Unexpected error from ::WaitForSingleObject()"
!s_pFormatBackupContext
_wcsicmp
t$@fH
SPP.dll
ppstrFilePath != 0
H!]@H
wszSourcePath
D8t$Ht?
pdwlJournalId
m_iCurrentComponent < m_cComponent
FreeLibrary
pdwVolumeBackupFlags
@SUVWH
PA]A\_^]
m_nElements > 0
wszInputString
*ppstrSnapshotPath == 0
wcslen(wszPathOrgCatalog) + wcslen(x_wszGlobalCatalogName) + 1 < MAX_PATH
GetRunningObjectTable
L!t$0
@H!D$0H
pulClusterSize
root\microsoft\windows\deduplication
DoNotInjectDrivers
BMR hr
dwBytesRead == dwBytesToRead
Journal wrap detected (start usn:0x%016I64X, first usn:0x%016I64X)
Windows Server Backup Error
pguidBackupSetId != NULL
fD9<Cu
strValue.Length() != 0
T$0E3
L$XH9L$Pt
t$`D9t$Hu
vssSnapshotId != GUID_NULL
TotalBackupSizeMB
(cIncludedComponent == 0) == (rgIncludedComponent == NULL)
UVWATAVH
dwPos <= arrFiles.GetCount()
OpenThreadToken
ATAVAWH
Failed to get directory metadata for path:%ls
base\stor\blb\catalog\atomtbl.cpp
9sHvK
iDstComponents == cDstComponents
CompanyName
D$`I;
fD9du
f9,Zu
pstrTargetFilePath
fE94Ou
H!\$PH
@A_A^_
fD9$Hu
wszSourceFilePath != NULL
base\stor\blb\util\checksum.cpp
pullVHDFileSize
?EtwTrace@CTraceProvider@@QEAAXAEBUDLS_TRACE_EVENT@@@Z
GetCurrentThreadId
m4H+U
ullReclaimSizeCheckPoint != 0
{3808876B-C176-4e48-B7AE-04046E6CC752}
;|$Xuv
readOffset.QuadPart%BLBIMGF_SECTOR_SIZE == 0
base\stor\blb\engine\service\deletebackup.cpp
L.8L+
cSkippedVolumes < iVolumeUsnInfo
InitializeParents()
bbase\stor\blb\engine\service\systemstatebackup.cpp
pVolCtxt->m_wszRestoreTargetPath
writeOffSet - Length + _lastBlockSize == _volumeSize
NT AUTHORITY\SYSTEM
cTarget == 1
m_pAsyncRef == NULL && m_eOperationType == BLB_OT_UNDEFINED
H;D$`
m_strDomain.IsEmpty()
UuidFromStringW
uPD!u@L!uHL
base\stor\blb\engine\blbengutils\blbbackuptargetutils.cpp
WindowsImageBackup
D;|$`
]`L9m
?m_errorTracingInBadState@CTraceProvider@@0_NA
u HcA<H
ValidSystemImageBackup
@SVWATAUAVAWH
NtQueryVolumeInformationFile
prgExcludeSpecs
ppbOverflowValue != NULL
tRD8m
T$xH+
cBackupSetsInTarget > 0
}
f9,su
%s-%d-%d-%04d-%02d.%02d-DVD%02d
D$`;P
calloc
CoRegisterClassObject
h VWATAUAWH
GetProcessHeap
tOL9/uJL9
wszPathToDirectory[wcslen(wszPathToDirectory) - 1] != L'\\'
fD9 u
t-@8q
pcIncludeSpecs
Sleep
D;t$Ts
H!|$0D
ppBackupSets
pA_A\_^]
G ttgt
%ws\%ws\%ws
GetFileSizeEx
GetComputerNameExW
QueryServiceStatus
HKEY_CLASSES_ROOT
D$nI+
fE9/u
pcTargetInfo != NULL
T$P;T$Ts
|$D+|$@
m_bDeleteFromTarget
FileName
Windows Server Backup Error Report
Pagefile.sys
setupapi.ev3
D$PH;A
pbIsFullVolume
Could not delete service
D$@!D$PH
pComponent != NULL
SetSecurityInfo
fD9<_u
GlobalFree
fD9*t
cMedia > 0
pwszDest
|$0{H
base\stor\blb\catalog\bagstbl.cpp
t$ UWATAVAWH
?m_errorFile@CTraceProvider@@0PEAU_iobuf@@EA
fD99u
D9b@u$I
m_pFailureLog
GetDiskFreeSpaceExW
T$PD9|$T
ys9] |)H
cVolumeMap > 0
DoNotResizeUSNJournal
H!\$8H
p WATAWH
)t$@3
0 != pstrVolumeName
prgVolumeInfo != NULL
?EtwEnabled@CTraceProvider@@QEAA_NW4TRACE_FLAG@@@Z
(t$ H
Could not start service
\$TE3
m_arrVolumeExclusions.GetSize() != 0
{ AVH
BlbutilIsEspVolume(rgVolumesInBackup[0].m_dwVolumeFlags)
x AVL
guidAppWriterId != GUID_NULL
l$`E3
ppbValue != NULL && wszValueName != NULL && lpType != NULL && lpSize != NULL
fF9,@u
pProductType != NULL
D9A@vhA
<WriterInfo>
D;}Xr
_wtol
fD9DE
fD9$wu
D8MoH
GetVolumePathNamesForVolumeNameW
RegOpenKeyExW
pHandle != NULL
wszEntry != 0
H9D$xt
0A_A^A]
!}8!}0H!]@D
VWATAUAVAWH
pSpecCurr
l$@E3
TRUE == m_bPerformAppBackup
\$ UVWATAUH
pwszVolumeDevicePath
?Trace@CTraceProvider@@QEAAXW4TRACE_FLAG@@PEBGKPEBX1PEAD@Z
wcsncpy_s
GetFileInformationByHandleEx(hFile, FileAttributeTagInfo, &fileAttributeTagInfo, sizeof(FILE_ATTRIBUTE_TAG_INFO))
<ExcludeFile FilePath="%ws" FileSpec="%ws" IsRecursive="%ws" />
pfIsPathMountPoint
%PROCESSOR_ARCHITECTURE%
D;|$T
~ L;~(r
(((DWORD_PTR) &pb[cbPad + 1 + sizeof(DWORD)]) & 0x7) == 0
!m_bstrCurrentSubComponentName && !m_bstrCurrentFilePath
L!ePH
GetSidLengthRequired
__atl_condVal
_wcsnicmp
wszVolumeFriendlyName
FindFirstFileW
bPureSSB
FindFirstFileCaseSensitive(lpstrFilePath, pFindData, lpstrFileSpec)
E;d. r
pstrFilePath != NULL
wszServiceName
@UVWAUAVH
hm_eImpersonationType != BLB_IT_COM_CLIENT_CACHE_TOKEN
A!?A!}
fD9,Ju
PA_A^A]A\_^]
m_pMetadata == NULL
pUsnInfo
8\$Ct
fB94@u
D$8D;
0A_A\_
pbIsValid
SetSecurityDescriptorDacl
setupapi.ev1
l$ VWAVH
t2D8y
fD9<B
numMaxCharacters >= wcslen(wszMultiVolumeList)+1+2
pVolCtxt
prevLen == wcslen(wszVolumeName)
pstrPath && pstrPath[0]
base\stor\blb\dsm\dsmutils\dll\deletebase.cpp
D;uPs6H
`A_A^A\_^[]
wszSourceVolumePath
pSystemCatalogSystem != NULL
h VWAVH
Hu@A88tB
L9d$Xt
0 != pMapEntries->szData
nNewMax <= 0xffffffffffffffffui64/sizeof( E )
pdwRegPercentageTrigger
|$ UAUAVH
A^_^][
E@H!}@I
GetLongPathNameW
Cluster
pdwOSMajorVersion != NULL
fE9$Au
L$ H!\$(E3
@t&E3
SetSecurityDescriptorOwner
fA9,Bu
FormatEx2
rgWriterInfo
System Volume Information\SPP
t<@8y
|$8E3
L$ SUVWH
t$8H;
base\stor\blb\engine\blbengutils\blbsecurityutils.cpp
dwSnapshotCount == (DWORD)snapshotList.GetCount()
ppHeader
pbOnline
HyperVWriterId
I9<$w
lRes == 0L
pAtomTable != NULL
wszUserName
%s.%d.%s
m_cVolumeMap
pcNumbytes
base\stor\blb\engine\blbengutils\blbvolumemaputils.cpp
D9l$t}ID8m
x AUH
hFile != INVALID_HANDLE_VALUE
fF9<ju
FreeSpace
m_hKey != 0
wszVolumePath == NULL
processorArchitecture="amd64"
\Required Categories
T$P9P
m_includeFilesStack[i] != 0
pvReceived
\pagefile.sys
CheckTokenMembership
L$4Li
D$8H!\$0
SYSVOL
wcsrchr
[9T$`v
t$@D!t$8
Failed to wait for the USN journal notification (volume handle = %x)
fA9<Ou
wcslen(wszBuf) + wcslen(x_wszSPPMetadataDirectoryName) + 1 < MAX_PATH
fD9*u
PA^A\_^]
|$PH;
FindNextFileW(pFindData)
H;CHuTL;s
pguidVolumeId != NULL
_wgetenv
UATAVH
H9{Xu
dwType == REG_DWORD
D8uXu53
cRows <= m_cRows
D$PE3
L9f t
j == cVolumesInBackup
D$`H9L$`wND
guidBackedUpVolumeId != GUID_NULL
m_pLocalCatalog
m_cSortPages == 0
D9|$tt
pwszOutputString
NoBackupToOptical
\\?\Globalroot\Device\HarddiskVolume%lu
U'L!u
CUsnJournalHelper::ActivateJournal
T$hE3
L9;teH
0A^A]_^]
D;vPr
memmove
rgDisk != NULL
</security>
<ComponentStatusItem Name="%ws" LogicalPath="%ws" Caption="%ws" AppId="%ws" WriterId="{%ws}" InstanceId="{%ws}" ConsistencyCheckResult="%d" ConsistencyCheckResultDetailed="%d"/>
I;O0t
fD94Fu
D!uPH
wszFilePattern
\%s%s
}NULL
A_A]_
_callnewh
RPCRT4.dll
SetFileValidData
f94Bu
A\_^
|$Xhs;H
wszCatalogVolumeName[wcslen(wszCatalogVolumeName) - 1] == '\\'
pwszSppMetadataFilePath != NULL
A_A\_
f;D$P
8D$@u~8D$AuxH
f9:u.
::GetLengthSid(pSid) < (sizeof(SID) - sizeof(ULONG) + ((15) * sizeof(ULONG)))
dwcSppBlob != NULL
__set_app_type
StringFromGUID2
!m_pCatalogSystem
(iElement+nElements) <= m_nSize
fD9\A
iNumVolumeRepeats == 0
rgVolumeMountedVhdPaths
</trustInfo>
!(bDFSRWriter && bFRSWriter)
T$8E3
pbIsADWriterPresent != NULL
rgFilesInfo
GetVolumeNameForVolumeMountPointW
m_spVssAsync
pdwOSMinorVersion != NULL
m_spInclusionRoot
D$(fE
uED8yht?D9y |/
pSpecPrev
backupSetId != GUID_NULL
wszLogFileName
SCSIOP_MODE_SENSE
pbstr != 0
040904B0
0 != pFindData
SetupOverride
FSWrapperSetFileAttributes(hFile, dwFileAttributes)
base\stor\blb\engine\blbengutils\blbapputils.cpp
.rdata$zETW2
9N@vt
SizeofResource
fF9,Iu
rgguidVolumes
m_cRows >= cRowsWritten
A^_[
Active Directory
wszTargetVhdFilePath
pTable->CBLBMediaTable::m_signature == m_signature
;s(s=
ssFilePath.Length() > 0 && ssFilePath[0] == L'\\'
@USVWAVH
D9l$`
8_^[]
pbVal != NULL
u#H91t
_pwszSystemDrive
(D$@H
ExcludeFile
lstrcmpiW
%s,%u
fB94Su
\$pE3
GetParentPaths(m_pIncludeFiles->ssFilePath, arrstrParentPaths)
_compressionReadAheadBufferOverlapped.hEvent
ID Changed
SetupGetInfDriverStoreLocationW
WindowsBackup
INBOX
HcA<H
t)D8a
Missing operating system
A_A^A]A\_^]
@8t$xu
D;t$ht
D$8f;C\u
I!<$H
x^u6H
wszSuccessLogFileName
xOL9|$(
rFindNextFile failed in %ls with filespec %ls
o0H;o8r
A_A^]
fA9<Au
d$ L9a0t
cComponent != 0
pRestoreFileContext != NULL
l$HE3
9i$v?H
D;l$0
wszPath
<ComponentInfoSummary ComponentInfoArrayPresent="%d" TotalComponents="%d" SucceededComponents="%d" />
NoTargetSnapshot
base\stor\blb\wsbutil\wsbvdshelperlibrary.h
AllowSSBToAnyVolume
<VolumeInfoItem Name="%ws"/>
L$4E3
TranslateMessage
fE94Gu
m_pGlobalCatalog != NULL
<requestedPrivileges>
L7PD9e`
pb != NULL
RpcStringFreeW
WriterId
&I9X t
m_fileHandle != INVALID_HANDLE_VALUE
L;t$X
pwszBackupSpecsXmlFile
@A^A]_^]
pColdef->m_type == type
wszSPPMetadataPath != NULL
<SystemState IsPresent="%ws" />
WindowsBackupLinks
D;yPr
{ ATAVAWH
8L$pui
dwError != ERROR_SUCCESS
wcscat_s
LastSuccessfulBackupTime
cVolume < cMaxVolume
prgBackupMachineNames->IsEmpty()
E;}@r
@USVWAWH
EgL;x
ForceRemove
D8ylu
*ph != INVALID_HANDLE_VALUE
l$ WAVAWH
wszComponentName2
pwszDrive != NULL
!!(SUCCEEDED(hr)) == !!(NT_SUCCESS(ntStatus))
ReadFile
<WriterInfoItem Name="%ws" HResult="%d" NumOfComponents="%d" NoOfFilesProcessed="%lld" NoOfFilesFailed="%lld" NoOfBytesProcessed="%lld" TotalNumOfBytes="%lld" />
t&A8Z
pullDifference
GetAclInformation
m_rgSppGroup
nMax > 0
wszPath != NULL
D8mgu
!m_fInitialized
RegQueryValueExW
\$xE3
t$(E3
A_A^_^[
@SVWH
VWAUAVAWH
GetVolumeHandle(pstrVolumeName, &hVolume)
VarFileInfo
L9f0t
_fmode
E`;EPs
pGuidSnapshotId
A8U0uPH
m_spComponentNode
A_A\_^]
H;t$`
m_ssCurrentVolumePath.Length() > 0
m_sidnameuse == SidTypeInvalid
t$Pr$H
t$`fD9t$`t2H
fD94(t1
D$DL;d$@s'H
m_bLock
f9<pu
D;t$t
prgguidBackupSetId != NULL
CreateStreamOnHGlobal
9{,v#H
CoSuspendClassObjects
VWAWH
pbAllCritical
_vsnwprintf
l$ VWATAUAVH
SystemStateRestore_Error
D9rPvPH
pBackupSetInfo
@USWATAUH
m_rgpbEntries == NULL
U@H+UHH
D$@A;
D9t7 v*H
L%ws%ws\%ws\%ws\
|$@r!H
fD9$nu
d$pfD
pwszMessage
0A_A^A]_^][
D$pI;E
CreateFileW
x^H!|$0E3
pbLockable
GlobalAlloc
H9G8|
}@L96t
fB94Au
hKeyParent != 0
_newVhdFormat
SYSTEM\ControlSet001\Control\MiniNT
base\stor\blb\engine\service\wrapper.cpp
SSB hr
\$ UVW
H9]ou
D9gHu<3
m_bRecreatePath == TRUE
pwszSSBDir != NULL
m_pIncludeFiles != 0 && m_pDirectoryData == 0
base\stor\blb\coresdk\smart\smartregistry.hpp
!|$0H
cFileSpecs != 0
CopyFileW
<--%s
base\stor\blb\dsm\dsmutils\inc\functable.h
f94Xu
H!\$x3
T>pE3
nLength >= 0
RegGetValueW
H!|$0E3
@8o tZ
rgVolumesIn
prgwszFiles
USVWATAUAVH
L$PE3
Dk&*A
m_pSSBContext
m_iteratorState == NEXT_INCLUDE
pguidTemplateId
A^A]]
EwH!3H!0H
nResult == nConvertedLen
GetTimeZoneInformation
FormatMessageW
<ComponentStatus>
^hH9FP}
D8|$r
cFileSpecs == lLen
?@8{ tlH
InitializeCriticalSectionAndSpinCount
pRestoreFileContext->m_cNumberOfFilesProcessed > 0
hr == S_FALSE
m_hFile != NULL
@WAVAWH
<security>
metadata-2
t7D8y
\tTA8
m_state == CAN_ENUMERATE || m_state == CONTINUE_ENUMERATION
PA^A]_[]
guidBackupSetId != GUID_NULL
pwszVolumePath
CoUninitialize
L!|$(
<!-- Copyright (c) Microsoft Corporation -->
fD9u8u-
@8uWuwM
m_pGroup
LastSuccessfulBackupDrive
\\?\Globalroot\Device\Harddisk%lu\Partition1
m_rgBagCat
guidBackupBootVolumeId != GUID_NULL
pb && pwsz
BCryptOpenAlgorithmProvider
A_A^A]A\_
base\stor\blb\engine\blbengutils\blbwriterutils.cpp
10.0.17763.1 (WinBuild.160101.0800)
_currentBlockListNumber < _batBlockListLength
9L$HuZ
NoRemove
CLSID\
BackupSpecs.xml
t1D8y
F(L9y u
pbVal2 != NULL
Index < m_Size
ExcludeFolder
DeleteCriticalSection
dwType == REG_MULTI_SZ
;l$`uF;\$hu@H
fD9!t
wszTargetVolume != NULL
RaiseException
Fm_pGIT != 0
RtlNumberOfSetBits
\$ WH
H;H@u^I
fE9(u
m_cVolumes == 0
prgDstComponentInfo
RtlCaptureContext
RtlCompareMemory
xkL9m
A_A]A\
\$\A;
?OdsTrace@CTraceProvider@@QEAAXAEBUDLS_TRACE_EVENT@@@Z
A]A\]
NETAPI32.dll
QueryDeviceInformation
D$@H9
t{@8o t9
d$8E3
ppBsiCat
x ATAVAWH
D9}Xv?H
97v4M
pcguidTemplate
PA_A]A\_^[]
Failed to open volume:%ls
base\stor\blb\scheduler\parsetime.cpp
pwszNewRestoreOptions
_wcsicmp(pDiffArea->m_pwszVolumeName, wszTargetVolumeName) == 0
l$ VWAWH
stVhdInfo.VirtualStorageType.VendorId == VIRTUAL_STORAGE_TYPE_VENDOR_MICROSOFT
.CRT$XLA
D8d$@
RegistryExcludes
BLB_USN_E_CRC_ERROR
D$@I;
L$tE3
DisableSystemBackupUI
GetFileSize
*ppAsync != NULL
iVolumeSSB == cVolumeSSB
pwszMountedPath != NULL
0A^_]
SplitDirPath( ssDirPath, ssParentDir, ssDirName )
gXL9gX
(ssVolumeRelativePath.Length() > 0) && (ssVolumeRelativePath[0] == L'\\') && (ssVolumeRelativePath[ssVolumeRelativePath.Length()-1] == L'\\')
E<f9ELt.L
EqualSid
D8L$DtDH
ppVolumeMap != NULL
ObjectLength
D8zUumH
pbIsVolumeDedupOptimized
pcVolumeInfo != NULL
pExclusionHandler
(pstrIteratorPath != 0) || (hr == ((HRESULT)1L))
fF9,~u
fD9$xu
pLocalCatalog
base\stor\blb\engine\service\performancemanager.cpp
` UAVAWH
<FileInfo>
FORMAT_ON_WRITE_TYPE(eMediaType)
pComModule->m_hInstTypeLib != 0
CoResumeClassObjects
A^A]A\_^[]
TotalBackupTimeSeconds
HeapReAlloc
GetLengthSid
</WriterInfo>
u.I9^0t:H
L9m0t
componentDependency.m_guidDependantWriterId != GUID_NULL
fA9TM
base\stor\blb\wsbutil\wsbvolumeutils.cpp
pszVolumePath != 0
<AppInfo>
L$8D;
l$(E3
HKEY_LOCAL_MACHINE
!iteratorErrorInfo.pstrDirectory
D;D$4r
@SUVATAUH
cNumRestoredVolume >= 1
phTraceSession
NoOfVolumesWithBadClusters
H!}`3
pbPruningRequired
Software\Policies\Microsoft\Windows\Backup\Server
InprocServer32 = s '%MODULE%'
A_A^_
L9v(u
%windir%\System32\wbadmin.exe
g_cInitialized == 0
pParentContext
Invalid partition table
D99u>
f94Qu
CsvHacks
H;C8uWH
sdk\inc\atlmfc\atlalloc.h
prgWriterInfo
WriteFile
pcComponent != NULL
NtClose
(cbRet == sizeof(sadAdapterDesc)
prgBackupMachineNames
sdk\inc\atlmfc\atlsimpcoll.h
A(H;E
cRestorableComponentCount == cValidComponents
pStatus != NULL
L9t$8t,A
9shv%I
(eLogOperationType > BLB_LOG_OPTYPE_UNDEFINED) && (eLogOperationType <= BLB_LOG_OPTYPE_FILE_RESTORE)
prgComponents
|$ wdnitHH
A_A^A\
FveGetDescriptionW
guidMediaId != GUID_NULL && corruptBagRowId != ROWID_NULL
pcDstComponents
9t$4v'
pcMediaInfo != NULL
pstVhdInfo
0A_A]A\_^
hz.)1n
pguidSppGroupId
Volume
h<>:"/\|
Trigger %u
OnlySystemBackup
H!|$XE3
fD9$Ku
D$0H;
pwszOriginalAccessPath
base\stor\blb\engine\service\fileasync.cpp
!m_spVssAsync
@A_A^A\_^][
9wHvK
pszAccountName
x AUAVAWH
pvHash
base\stor\blb\blbimg\blbimg.cxx
@USVWATAVAWH
]XH9_
D;I<t
BcdForciblyUnloadStore
GetVolumePrefixLength failed for %ls
M!7L9u0t
(t$@H
_isCompactForm == FALSE
t+D8y
m_bResetTargetDiffArea == FALSE
%ws-%ws.log
wsbappres.dll
l$XH;
7fD;>u
D9g |
T$(E3
Ssdk\inc\atlmfc\atlconv.h
GetNextUsnInternal(hVolume, &queriedJournalId, &queriedNextUsn, pFirstUsn)
L$0L;
t}D8i
m_hFile != INVALID_HANDLE_VALUE
H9l$Pt
G tgab
wcslen(wcsPathCat) + wcslen(x_wszBLB_CATALOG) + wcslen(x_wszGlobalCatalogName) + 1 < STRING_LEN(wcsPathCat)
L9f(u
GlobalCatalog
B!\5PH
9{@v[H
|$@fA
pwszBaseString != NULL
d$HL!e
hr == S_OK
Error loading operating system
fF9<ru
|TaskID=%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X
@8w tFH
DoNotDeleteSourceSnapshot
tWfA;
A_A^A]_^
fF9$xu
TempFile.tmp
__wgetmainargs
ResizingVssDiffArea
A^A]_^]
x ATAUAVAWL
wbengine.pdb
{
pInfo
pBackupSpec
H9>t(H
cWriterInfo
pProgressReportCallbackContext
ApplicationRestore
wszVhdFileName
H;H0usI
9kPv+
t,@8y
L9g8t
y^}t5
u$L97t
m_rgVolumeMap && m_cVolumeMap
FpEntry->iType == 2
A;^Hr
pwszWriterMetaData
RtlLookupFunctionEntry
fD9,Su
H!t$p
base\stor\blb\engine\service\engine.cpp
guidBackupSetIdToDelete != GUID_NULL
pBackupSet
GetTraceEnableFlags
L$xH;
fG9te
m_pAsyncHelper
pstrFilePath && pstrFileSpec && *pstrFilePath && *pstrFileSpec
TCPAu2
LH;D1
fE9<tu
t(D9Q u
fF9<Qu
QueryPerformanceCounter
L$0H+
mwL9k
pVolumeMap != NULL
d$xA9
H!\$0I
pwszRootDir
wszNonWriterXMLData
K;D1Lt
t$0E3
T$XD;b@
pbRetryVolumeBackup
fF9$~u
m_wszBackupSpecs
3rd Party
@8t$@t
H!D$8
GD9sh
D$XI;
AllowSSRForOSMinorVersionMismatch
H!|$xE3
D-(E3
pRestoreGrp->GetNumberOfComponents() > 0
I9G8t
msvcrt.dll
m_bInitialized
\$ UVWATAUAVAWH
8K)tSH9M
StringFileInfo
_batBlockList[_currentBlockListNumber] != 0xFFFFFFFF
\$XL9l$Pt
t$ WAVAWH
eMediaType == BLB_MT_UNDEFINED || eMediaType == rgMediaCat[0].m_eMediaType
t$ UWATAUAWH
nNewLength >= 0
t%D8a
Software
0A_A^A]A\_
L9g(u
D*LI;D
D8u@H
ole32.dll
yVM;SP
(cVolumesInBackup == 0) == (rgVolumesInBackup == NULL)
prgguidTemplateId != NULL
\$ UWAVH
Application Backup hr
pwszDiffVhdFilePath && pwszVhdTempPath
pcNumMedia
BCryptHashData
status == RPC_S_OK
MSFT_DedupVolume
JournalId has changed since last replication (Old Journal ID: %016I64X, Current Journal ID:0x%016I64X)
M0D8uH
WerReportCreate
%%%%%u
fA94$
uND8yhtH
phFile != NULL
T$Qf9E,t-H
pTable != NULL
*ppstrFilePath
cVolumesIn
<Time Time="%04d-%02d-%02dT%02d:%02d:%02d.%03dZ" />
D$hL9xP
base\stor\blb\util\blbtrace.cpp
@A_A^A]
.text$mn
l$ VWAUAVAWH
pVolume != NULL
8L$0t
t(D8I
D$XE3
L$TD;
L$ SH
fG9Lu
T$tD;
pbCompactionRequired
LastSuccessfulBackupLocation
L$PD;
+MhL+
wszComponentLogicalPath
NoOfComponentsInBackup
DeleteVolumeMountPointW
l$0u!H;-
SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
*_Writer*.xml
GlobalUnlock
m_iteratorState == NEXT_FILE
pIsVolumeOnDynamicDisk != NULL
]XL9mP
H;B@u
x ATAUAVH
A9L$\v,A
O9d0Pt
D9l$t|T
\$hD9_
fE9<Vu
LsaFreeMemory
mgL9mwu
T$hD9zH
L$|E3
pwszLocalCatalogFile
pVolumeVHDInfo != NULL
m_pIncludeFiles != 0 && m_pDirectoryData != 0
pwszDevicePath
Interface
ssVolumePath[ssVolumePath.Length() - 1] == L'\\'
%ws\%ws\%ws\%ws\
ForceFullBackup
SUVWATAUAVAWH
base\stor\blb\engine\usn\base\lib\usniterator.cpp
pPrev->m_pNext == pNode
fE9<@u
m_iCurrentApp < m_cApplication
L9t$Ht
wszVHDVolumeDevicePath && *wszVHDVolumeDevicePath
wszName != NULL
name="WBEngineRunAsInvoker"
GetFileSize failed for %ws
pGroup
ForceFileLevelBackup
wszMachineName
fE9,Fu
L9ePu
FileRestore
pwszReturnedString
t$XL;t$xs)
@UWAVH
t$XE3
X_^][
pSppMetadata
LsaOpenPolicy
t$0u7H
EventWriteTransfer
HyperV
fD9,Cu
Could not open service
E@HcM
D9yPw
XL;t$H
m4H+UHM
t+D8q
m_pFree != 0
blockNumberOnDisk != 0xFFFFFFFF
L9d$`t
H;O8t
SETUPAPI.dll
<!-- Identify the application security requirements. -->
D$XI;F
DSREPAIR
nElementSize > 0
{%08x-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x}
wszBackupSetDirectory
fA9>u
H!7H!w
D8|$@t9H
lpszReg != 0
9uHt>H
Fm_pEngine == NULL
pVolCtxt->m_wszMountedVhdPath == NULL
pcNumberOfFilesProcessed
fD9,ju
FveOpenVolumeW
setupapi.dev.log
LastInstance
I9G(~
pbIsFile
NtQueryValueKey
BcdImportStoreWithFlags
L$`H3
<description>The manifest for the Windows Backup Engine service </description>
fD9$Cu
L$@H9t$p
wszPath && wszPath[0]
D$@E3
H!L$@E3
base\stor\blb\engine\blbengutils\blbbackupitemsutils.cpp
|$`fD
wcslen(wszPathOrg) + wcslen(x_wszGlobalCatalogName) + wcslen (x_wszBLB_CATALOG) + 1 < STRING_LEN(wszPathOrg)
VssFreeSnapshotPropertiesInternal
GetFileInformationByHandle
pBag != NULL
Failure
t[D8a
not
m_arrDependentCompContext.GetCount() == 0
L$XH;
H!u8H
pbForceFull
wszBackupDir
N4D;NX
setupapi.ev2
A_A\]
$H;\$Xt
ppVolumeInfo
fD94^u
/@8l$xt(H
m_wszBackupSetDirectory
wszTargetPath
wszSource
pdwlUsnMaxSize
f@@8~8t
fG9du
x AVAWL
CRC error while reading USN
0A^_[
fB9<Au
fD9tE
k2iWD
GetSecurityDescriptorGroup
ppLocalCatalog
setupapi.app.log
L$ UWATAVAWH
G utes
(((HRESULT)(hrReason)) < 0)
TargetType
%ws\{%ws}
r1 == BlbimgSuccess
!\$(A
L.0L+
D$PL9
Microsoft\Windows\CurrentVersion\Reliability
base\stor\blb\engine\blbengutils\blbvhdhelper.cpp
System Volume Information
wszFileName != NULL
8A^_^[
UuidCreate
pbIsDsrmMode
fD9,yu
HA_A^A]A\_^][
D$xH9D$pt
D$LL;|$H
.rdata$zETW1
SetVolumeLabelW
result.m_high + 1 >= result.m_low
ppWriterInfo
A^A\_^]
L9uwt
@A_A^A\
Module_Raw
CoCreateGuid
D9{ |]
\%s%s_RegistryExcludes.xml
prgComponentSpecs
RtlVirtualUnwind
SppFreeBadWritersArray
_wcmdln
H;E0umI
base\stor\blb\engine\blbengutils\blbcatalogutils.cpp
yp@8u
pContext->m_pAppBackupContext
|$ UH
t,D8q
!t$pI
GetModuleFileNameW
@SVWATAUAVAW
cNonWriterMetaDataFiles == 1
pLogger != NULL
USVWAUAVAWH
(cComponents == 0) == (rgComponents == NULL)
fD;8ugH
cIncludeSpecs || cExcludeSpecs
pguidWriterId
fD9<Zu
D$$;BHtCL
@A^A]A\_^[]
pCatalogChecksum
wszFileFound == NULL
wszSrcFile
L$DfE9M
A_A^A]_^
pdwFlags
RPCSS
pVolCat != NULL
fE9$wu
9sHvM
L9gXH
fD9<Pu
H9]wt
fD9<Nu
wszSourceSPPMetadataCachePath != NULL
D$P8_!t
fD94Ou
VirtDisk.dll
ForceRemove {37734C4D-FFA8-4139-9AAC-60FBE55BF3DF} = s 'BlbEngine Class'
LogicalPath
%SystemRoot%\Logs\WindowsServerBackup\WBEngine.0.etl
pcVolumes
pPerformanceSettings->m_eOverallPerformanceSettingType == BLB_PST_CUSTOM
t!D8q
m_pOverflowFirst == NULL
@SUVWATH
wszMountedDeviceName && *wszMountedDeviceName
VSSAPI.DLL
m_spBackupItemsRoot == NULL
D8m0u9
LCsvTargetSupported
rShowWarning
j == 0
t&D8q
|$pH;
D90L;
A8_Ht!H
m_pParentBackupAsync
pwszBootVolume
!m_bInitialized
.CRT$XCA
GetSecurityInfo
val ThreadingModel = s 'Both'
pDsmCallback != NULL
wcslen(wszCatalogDir) + wcslen(x_wszSVIDirectoryName) < MAX_PATH
KERNEL32.dll
%ws_%ws_%ws
~HA8W(u
A^A]A\_]
conectix
spFileSpecsNode
|$DE3
base\stor\blb\engine\service\application.cpp
@8|$h
D;|$<
m_bIsRecoveryStarted
L9y@}
f;D$@
fD9tH
|$XH!|$`H!|$h!|$p3
D$HI;G
base\stor\blb\util\securityutils.cpp
L\\%s\%s\
ppRestoreFileSpec != NULL
tDf9+t?H
pA_A^A]A\_[]
0A_A^A]_]
m_arrComponents.GetCount() > 0
FindFirstFile failed
\REGISTRY\USER
)t$`H
m_p == 0
ssFilePath.Length() > 0
rSid.IsValid()
</ComponentStatus>
pLogFile
UnhandledExceptionFilter
T$P;z@
pwszMountedPath
pbAllowSourceSnapshotDeletion
pcguidBackupSetId != NULL
pMountDevId->UniqueIdLength < dwBufSize
pPartitionOffset
f9,Cu
t$@8y
GetWindowsDirectoryW
Could not open Service Manager
EventUnregister
wcslen(wszPath) + wcslen(x_wszBLB_CATALOG) + wcslen(wszFileName) + 1 < MAX_PATH + 64
LastBackupResultHr
r,9>L
base\stor\blb\engine\componenthelper\componentbackuphelper.cpp
;D$H}
u}H9\$0u
wcscpy_s
ppStorageDepInfo
E(H;B
WindowsServerBackup
base\stor\blb\engine\blbengutils\BlbSecurityUtils.h
GetVersionExW
ppstrReparsePtPath && (*ppstrReparsePtPath == 0)
@SUVWATAUAVAWH
t$D8i
wszAccessPath != NULL
A__^[]
H!u03
pVolStat
L$|I;
<IncludeFile FilePath="%ws" FileSpec="%ws" IsRecursive="%ws" />
D8kHt
D9|$tv
base\stor\blb\engine\componenthelper\vssutils.cpp
]HH9u@t
SetupDiGetClassDevsW
</%ws>
GetSystemDirectoryW
D$0L;
ProcessAndAddExclusion((CSmartStr)p)
pcScheduleTime
VS_VERSION_INFO
pvCalculated
m_pMetadata != NULL
lpDataToDump
9|$`v%H
t0L! L!`
\\?\GLOBALROOT
@A^A]_
pbHasBackngWim != NULL
x UATAUAVAWH
nLength-(size_t)( (ptrdiff_t)&(((ACCESS_ALLOWED_ACE *)0)->SidStart) ) >= m_sid.GetLength()
pvsstrace.dll
t$4fA;
A_A^_^]
fD94su
p UWATAVAWH
spVolume
.CRT$XCZ
(t$`H
m_pExclusionHandler == NULL
fmifs.dll
pNewTemplate != NULL
pwszNetShareName != NULL
pSourceGroup
;SX}}Hc{8H
f9,Bu
D$HI;F
H!t$`H
base\stor\blb\catalog\catalog.hxx
pcDstVolumes
H9}hu
u0M9.u
H!|$8E2
m_dwRef == 0
wcslen(wszPath) + wcslen(data.cFileName) + 2 < MAX_PATH * 2 + 1
fE9$Ju
\$ UVWATAVH
E!/L!(H
.idata$6
H9]Gt
fF9$pu
base\stor\blb\catalog\sorter.cpp
WerReportSubmit
L9uPvu
u`@8t$`uY@8t$buRH
D:AR(A;OICI;GA;;;BA)(A;OICI;GR;;;BO)
pbSystemWriter
cRestoreOptionStrLength > 1
\$PE3
GetFileAttributes() failed on:%ls
@8t$P
fF9LE
>M9&t
D8t$@u
GetNextUsnInternal(hVolume, pJournalId, pNextUsn, &firstUsn)
SeBackupPrivilege
pcBag != NULL
L$pE3
CompileRegistryFNTSExclude(p)
Additional Files To Exclude
LastBackupResultHrDetailed
false
base\stor\blb\engine\blbengutils\blbsystemstateutils.cpp
fD9lE
.data
pwszRestoreOptions
$AllVolumes$
rgBackupSet != NULL || cBackupSet ==0
ReplicationContext != NULL
GetVolumePathNameW
AllowSSEE
A_A^A]A\_^][
D8d$P
<BMR IsPresent="%d" HResult="%d" DetailedHResult="%d" />
T$pD+
wszGuid != NULL
D;l$x
\$ VWAWH
wbengine
}HH!}
t$XuQH
prgMediaInfo != NULL
m_pParentCtxt
L$pfF
BcdSetSystemStoreDevice
tl@8q
DIFFERENT
LogPath
EHD;FP
pwszSessionName
rK;sdr
InitializeSid
A\_]
L$8H;
pVhdContext
pdwRegSkipUSNResize
(((HRESULT)(hr)) >= 0)
(pPerformanceSettings->m_rgePerformanceSettingType[i] == BLB_PST_ALWAYS_FULL) || (pPerformanceSettings->m_rgePerformanceSettingType[i] == BLB_PST_ALWAYS_INCREMENTAL)
CreateVssBackupComponentsInternal
~8HcM
SleepEx
memset
0A_A^A\_^][
RegServer
fA94Au
|$hfD
_currentBitNumber == 0
<assemblyIdentity version="1.0.0.0"
D8OTtaD
L$xHi
98w+L
pwszFileName
\\?\Volume
L9g@t
pCurVolumeInfo
<pstrFilePath != 0
f;D$4u
mi.dll
t%@8q
\$ UVWAVAWH
\$PL9t$ht
KPL99t
m_apVssComponent || m_apVssWMComponent
GetProcAddress
prgIncludeSpecs
\hiberfil.sys
)D$ H;
bcrypt.dll
ProductName
|$(A^
dwLengthOfCurrentLine > 0
\%s%s_Writer%s.xml
TlsGetValue
UVAUH
DuplicateTokenEx
cbRet == sizeof(hotPlugInfo)
fD; t
%.4u-%.2u-%.2uT%.2u:%.2u:%.2u
StringCchCopyW(pstrLocal, dwLength, strStr.PeekStr())
fE9<Fu
rgVolumesIn && cVolumesIn
BCryptDestroyHash
D$0I9E0u
LBackup_Error
t,@8q
\$@L9e
]m_bRecreateDisks == FALSE
pwszWindowsTempPath
H+T$hH
l$0M;
fD9$Ju
fA9<Qu
pAtom != NULL
base\stor\blb\catalog\cmpnttbl.cpp
=I%{2
fA9LU
NULL != pSppMetadata
ClientLaunchType
t$`E3
D9l$x~7M
f9,Su
rW;sdr
wszSuccessLogName
@A\_]
pSortPage == NULL
DisableBackupToOptical
D$`E3
0A_A]_^]
MaximumWaitTimeInMins
ppbHashObject
m@uAH
Invalid parameter passed to C runtime function.
pwszSnapshotPath != NULL
@8l$pu
SYSTEM\CurrentControlSet\Services\VSS\VssAccessControl
H9_ht
@A_A^_^]
D$HE3
!m_hFmifs
m_pRestoreSystemState != NULL
!VOLUME_IS_INCREMENTAL(pVolumeContext->m_dwVolumeFlags)
AddAce
L$`Hc{8
wszTargetFilePath != NULL
LocalService
spp.dll
tA@8q
wszVHDFilePath && *wszVHDFilePath
Ev|;v
dwBytesWritten == sizeof(wchUnicodeBOM)
D+L$p
l$pH;
pbstrPath != 0 && ppTypeLib != 0
wsz != NULL
"SkipDiskRecreation"="%d","InjectDrivers"="%d","BootVolumeName"="%s","SystemVolumeName"="%s"
?m_dwTraceNextNum@CTraceProvider@@0KA
D8yht
0A^A]A\
pMediaCtxt->m_pBackupPtr == pBackupPtr
fF9<Cu
'$#=G
D9xxt$L
pwszReparsePointName
@A_A]A\
wszSpec
t$ UWAVH
ulIndex < m_Len
MoveFileW
DetachVirtualDisk
FileVersion
pStatus
pstrName != 0
HeapSize
0 != pMaximumSize && 0 < (*pMaximumSize)
</FileInfo>
\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\Current
fD9$Au
VOLUME_IS_BACKUP_CRITICAL(rgVolume[j].m_dwVolumeFlags)
L$hH3
H!u_E3
fE9,wu
Dbase\stor\blb\dsm\dsmutils\dll\dsmfsenumerator.cpp
D;l$h
E`H;EPu
M9e(I
SVWAVH
IsValidSecurityDescriptor
p AWH
L$ SVWAVH
ppszReg != 0
CoImpersonateClient
H!;!|$PL
tHD8B)u
L9d$8t
wcslen(wszBuf) + wcslen(x_wszApplicationName) + 1 < MAX_PATH
Value
t$ E3
h AVH
fD94Xu
D;rPs
H9t$Ht
iVolumeLocal != cVolumeLocal
LogonUserExExW
t+H!l$0A
L9O0t!H
iCol < m_tabledef.m_cColumns
Start <= (m_Len + 1)
t+D8i
base\stor\blb\catalog\catglbl.cpp
1XZ8t
RtlDosPathNameToNtPathName_U
UAVAWH
A_A^_
memcpy_s
A_A^A\_]
guidBackupBootVolumeGuid != GUID_NULL
RtlFreeUnicodeString
Delete
D8t$@t@H
g_hIdleEngineTimer != NULL
m_iCurrentApp< m_cApplication
SetFilePointer
USVWATAVAWH
pwszComponentInfoSummary
wszVolumeName != NULL
9iPvmA
nAclLength > 0
H;k8v
base\stor\blb\inc\errorutils.h
l$xD9e
pCurrentListEntry->Length > 0
pTable->CBLBTargetsTable::m_signature == m_signature
iVolumeCat != pbsiCat->m_cVolume
CompareStringOrdinal
diskBlockOffset < _numberOfBatEntries
((HANDLE)(LONG_PTR)-1) != m_hFile
FileTimeToLocalFileTime
D$`H;
%windir%\system32\spp\store_test\2.0\
iRow == cguidTemplateId
0A_A^_^[
CoInitializeSecurity
h VWAUAVAWH
D$HL!|$8E3
fD9DU
fD9>u
PA^A\_][
t#@8p
|$@H;
(length == BLBIMGI_BYTES_PER_BLOCK) || isLastBlockInSource
fD9$Nu
!m_hCryptHash
base\stor\blb\engine\blbengutils\blbstructutils.cpp
RtlCreateSystemVolumeInformationFolder
WAUAWH
splitRead
pbCreateNewDir
wszMountedPath != NULL
A_A^A]A\]H
T$@9ZPvPL
pguidBackupSetId
D9|$t
wszFileSpec
pstrPath != 0
wbengine.exe
fE9<Hu
UXH+U
xA_A^A]A\_^[]
D$@!D$@E3
pbFloppy
D8l$p
f9<Qu
!l$(D
0 != pdwFileAttributes
base\stor\blb\engine\blbengutils\blbregsettingsutils.cpp
MakeAbsoluteSD
L9mPt
m_pAsyncContext
pDisk->m_bVolumeInformationUnavailable == FALSE
\Implemented Categories
m_pOverflowLast == NULL
SetupDiGetDeviceRegistryPropertyW
fF9$@u
%ws\%ws-%ws.log
E@A;F@r
CoTaskMemAlloc
D$HD9
t$ WATAWH
pBackupInfo
pTable->CBLBTargetsTable::m_tabledef.m_cColumns == m_tabledef.m_cColumns
xDD8e8H
fOptimalLoad > 0
o`9*t
m_pSppGroupProp != NULL
iCurrentComp == cComponents
EventRegister
fveapi.dll
@80u?A
D$hA;
m_rgMediaCat
m_guidWriterId == pComponent->m_guidWriterGuid
rgChecksum
ulFetched == 0
GlobalLock
HRESULT_FROM_WIN32(GetLastError())
wszVolumePath != NULL
D9d$H
A_A^_^]
;|$|r
D8uot
wszSystemPartition != NULL
L$ USVWATAUAVAWH
ulSectorSize != 0
DeleteFileW
D9|$|v
CoInitializeEx
WindowsLicensing
pTemplate->m_cTarget == 1
H!] 3
FindNextVolumeW
H;|$X
D$tH;
L$ H;
O:%wsD:AR(A;OICI;FA;;;BA)(A;OICI;FA;;;BO)(A;OICI;FA;;;CO)(A;OICI;FA;;;%ws)
t#D8x
pVolumeInfo != NULL
D8t$@t
HeapAlloc
A_A^A\_^
,ubase\stor\blb\catalog\catsys.cpp
0A]A\_[]
H!t$0E3
pAppCLSID != NULL
(*pcVolumes == 0) == (*prgVolumes == NULL)
A_A^A]A\[
L$$8A t
0A__^
T$pE3
base\stor\blb\catalog\catalog.cpp
EFI\Microsoft\Boot\BCD
VOLUME_IS_BLOCKLEVEL(pVolCtxt->m_dwVolumeFlags) || VOLUME_IS_INCREMENTAL(pVolCtxt->m_dwVolumeFlags)
|$ UATAVH
9{Hv2
SVWAVAWH
l$HfD
A^A]A\_^][
k|D9o$
saSecurityAttributes
Failed to read next USN record (delta USN: %016I64X)
9kHtMH
L9ugt
?H;~`
H9\$0t
prgFilesEnumInfo
L!t$8H
D$`D;|$@s>H
pRestoreFiles
\$PI;
.data$brc
this->m_handle == NULL
L$pH3
t#@8y
cb + sizeof(BYTE *) <= m_cbLeft
readOffset.QuadPart/BLBIMGF_SECTOR_SIZE >= _firstBlockSector
C`;Cd
ppbOverflowEntry != NULL
CLOCK$
D9l$p
EHH;E
base\stor\blb\coresdk\smart\smartarray.hpp
H3E H3E
InternalName
m_pValuesLast == NULL
pVolInfo
m_wszBackupSpecs != NULL
H!|$h
Wrapped
s\tFAILED(hrResult)
fD9,Xu
base\stor\blb\util\blbutility.cpp
m_strCurrentPath.Compare(pstrFilePath, m_fCaseSensitive, m_strCurrentPath.Length()) == 0
spAllCriticalNode
Software\Microsoft\Windows\CurrentVersion\Windows Block Level Backup
m_wszSourceVolumePath != NULL
malloc
t&E8z
fA94@u
HKEY_CURRENT_CONFIG
prgFileSpecs
pFindData != 0
fD9&u
D8t$0
base\stor\blb\engine\blbengutils\filelogger.cpp
WsbMountedVolumeFile*
H!|$`E2
pComponent
fE9LE
?L9e0t
GetNextUsnInternal(hVolume, &queriedJournalId, &queriedNextUsn, &queriedFirstUsn)
wszVhdExtension
0A]A\]
BCryptCloseAlgorithmProvider
NtOpenKey
pDetailedHResult
H+EhH
wszVhdFileName && *wszVhdFileName
GetNextFilePathEx(ppstrFilePath, ppstrSnapshotPath, pFindData, pErrorInfo)
.rsrc$02
pguidVolumeId != GUID_NULL
]wL9mgt
CreateWaitableTimerW
\$ UVWATAUAVAW
wszDeviceName != NULL
Path %S is invalid as it contains a '.' or '..', hr=0x%08x
_unlock
%ProgramData%\Microsoft\Windows\DRM\
]HL96t
pMediaCtxt->m_ulBagCount > pInitialMediaCtxt->m_ulBagCount
base\stor\blb\engine\service\restorefiles.cpp
D;p@r
L$ A;
r.D8u@H
%ws%ws\%ws
wszDstFile
m_pParentCtxt != NULL
SeManageVolumePrivilege
en-US
wszTargetFilePath
EnableTrace
pcWriter
cb == sizeof(GUID)
l$0I;
FindNextFileW
wszMountedVolumePathNoSlash && *wszMountedVolumePathNoSlash
Service
OLEAUT32.dll
cFileSpecs
kernel32.dll
wcsPath
BackupFileName != NULL
A]_^
nNewSize > m_nSize
ulNumLogs >= 2
9\$@udM
D$XI!73
r;!\$0H
m_rgpOrderedComponentContexts.GetCount() == m_cComponent
pImpersonator
BCryptGetProperty
NoBackupToNetwork
%ws%ws\%ws\%ws
.text$di
H!7E3
pullAllocatedDiffAreaSize || pullUsedDiffAreaSize || pllMaxDiffAreaSize
u4fD9C
GetParentPaths(ssPath, arrstrPaths)
09q$vND
FindClose
t/L9e`u
OpenVirtualDisk
EoH!0H
REGISTRY
UATAUH
.edata
A9FHv4
D8t$AuaL
FileRestore_Error
pCatalog->m_bGlobalCatalog
r%H9C
H;W(s
uh@8}
L9|$pt
D8yhu
VWATAVAWH
UVWATAUH
</requestedPrivileges>
SeSecurityPrivilege
uXD;e\
pwszComponentInfo
SUVWAWH
E_INVALIDARG
A9wPv{H
D9cXu
!m_bGlobalCatalog
RtlGetLastNtStatus
M9<$t
H9|$pt
ssPath.Length() > 0
\$xL9m
UnregisterClassA
Pbase\stor\blb\wsbutil\wsbfsutils.cpp
|$`E3
wszWriterMetadataXML
\$0E3
D!uP3
GetCurrentProcessId
irow <= m_cRows
L$XH3
RegCreateKeyExW
H!|$@E3
@A^_^[]
t$0H#
fC9<Cu
base\stor\blb\dsm\dsmutils\dll\stringutils.cpp
}1Lc
.rdata$zETW0
@A_A\_[]
\Microsoft\Windows
L$0H!\$0
A_A^A]A\_^
CsvSourceSupported
k8,aP+N
m_pComponentBackupHelper
ppbNewValue != NULL
D$h;{
Hardware
SUCCEEDED(pVolCtxt->m_hrResult)
pb && pguid
pwszBackupSpecsXML
pullBackupSize
wszRootPath
wszBackupSetDir
\$ UVWAUAVH
fG9,wu
?m_isCriticalSectionIntialized@CTraceProvider@@0_NA
base\stor\blb\engine\blbengutils\blbresutils.cpp
H9]ot
m_pAsyncContext == NULL
m_nSize <= (0xffffffffffffffffui64/sizeof( E ))
saDesiredAccess
0A^_^][
pwszRestoreTarget
&SmartStr != this
L$Xu(E3
NULL != wszVolumeName
nRefs > 0
m_iteratorState == FIRST_FILE
fE9<Au
m_pCatalogSystem
pComponentInfo
?m_dwTraceMaxNum@CTraceProvider@@0KA
T$hD9BH
WaitForSingleObjectEx
Overall hr
d$(E3
(m_pPerformanceSetting->m_eOverallPerformanceSettingType == BLB_PST_ALWAYS_FULL) || (m_pPerformanceSetting->m_eOverallPerformanceSettingType == BLB_PST_ALWAYS_INCREMENTAL) || (m_pPerformanceSetting->m_eOverallPerformanceSettingType == BLB_PST_CUSTOM)
D9gXu
nIndex >= 0 && nIndex < m_nSize
kOs#N
t(@8y
D:AR(A;OICI;FA;;;BA)(A;OICI;FA;;;BO)(A;OICI;FA;;;CO)
u&L9k
fE9$~u
Module
fE9$Iu
wszKeyValue != NULL && wszSubKeyPath != NULL && wszSubKeyName != NULL && lpType != NULL
fD9$yu
pbIsComponentIncluded
D$RE3
EtwTraceMessage
pSysInfo->SystemPartition.Length % sizeof(WCHAR) == 0
H+L$(3
IsAborted()
(this->m_pPerformanceSetting->m_rgePerformanceSettingType[i] == BLB_PST_ALWAYS_FULL) || (this->m_pPerformanceSetting->m_rgePerformanceSettingType[i] == BLB_PST_ALWAYS_INCREMENTAL)
CharUpperW
I;JDu
uW@8sHt
MhD!uP
software\microsoft\windows nt\currentversion\windowsserverbackup\Application Support
::GetVolumeNameForVolumeMountPointW(pstrNewLongPath, wszVolumeGuidName, 260)
Failed to parse path:%ls
AdditionalFiles
;S\}}Hc{8H
base\stor\blb\catalog\atomtbl.hxx
@USWH
D;t7 r
@USVWH
CoTaskMemFree
*_AdditionalFiles*.xml
fE9,Du
0A]A\_^]
rgClient
PostThreadMessageW
D!uXH
9;v H
m_cRows == 0
L$`I;
.CRT$XIZ
|$hH;
sdk\inc\atlmfc\atlsimpstr.h
pbSizeChanged
wcslen(wszCatalogDir) + wcslen(x_wszApplicationName) + 1 < MAX_PATH
wszDiskName
L9t$Xt
bcd.dll
T$XD9b@
m_strCurrentPath.Compare(m_strRootDirectoryFullPath, m_fCaseSensitive, m_strCurrentPath.Length()) == 0
H9\$pt
m_eMediaType != BLB_MT_SHINY
H!\$0A
s\D;E
H9K w
SPPMetadataCache
ppSystem
VSS Default Provider
length > 0
PA__^
l$`;|$0
!This program cannot be run in DOS mode.
wszWriterMetadata
<FileSpecs>
pftStartTime
fA9<Gu
0A_A]_
pwszBlbWindowsDirectoryPath != NULL
@A^_^
A_A^A]_^[]
pbRecomputeNeeded
?QueryTaskId@CTraceProvider@@SA?AU_GUID@@XZ
Software\Policies\Microsoft\Windows\Backup\Client
CFileSystemIterator::GetNextFilePathEx: Directory search error
pStats != NULL
CreateServiceW
fA9<Fu
r.D9e
@8s(t
!>A!>
FALSE && L"value table has overflowed!"
UTF-16
SXM;K
H9Y8t
k@8}0teH
d$ AVH
SystemStateRestore
Exclude
A_A^A]A\_^[
tQD8e
T$hfH
t$@E3
pTable->CBLBRestorableComponentsTable::m_signature == m_signature
index == cNumSuccessful
@SATAUAVAWH
D$xE3
L$(A;
base\stor\blb\engine\service\sppmetadatamanager.cpp
A^_^[]
@A^A\_
pdwVolumeMapIndex
_currentFilePointer < _maximumFileSize
EApplicationRestore_Error
)base\stor\blb\catalog\catlocal.cpp
t=D!h
OHL91u
wszNonWriterMetadata
USER32.dll
GetCurrentThread
L9t$Pt
pcExcludeSpecs
D8n)u
H;E8ucH
x D8uwu
wcslen(wszFilePath) > 0
H!D$8L
A^A\_
OpenServiceW
wszTargetVolName && *wszTargetVolName
x UATAVH
USVATAUAVAWH
*ppstrFilePath == 0
m_spAutoPlaySuppressor == NULL
_wcsnicmp(pstrIteratorPath, m_pIncludeFiles->ssFilePath.PeekStr(), wcslen(pstrIteratorPath)) == 0
pOldPrivileges
L$TE3
{ UAVAWI
Success
u6fD9d$2u.A
SystemImageBackupComplete
\\?\Volume%ws\
Microsoft\Windows\CurrentVersion\WindowsBackup
D$TL;
E9f0vXI
pwszTimesString
t2E8z
wszFilePath != NULL
t"H9;I
L$pA9I@v,A
path != NULL
fD9!u
VWATAUAWH
GetUserGeoID
\\?\GLOBALROOT\DEVICE\HARDDISKVOLUME%d
wszVolumeGuid
H!-Eo
CreateXmlReaderInputWithEncodingName
t%D8q
HeapSetInformation
;L$0s
\$(E3
!\$ H
;|$0r
f9H\u
EnterCriticalSection
AddProcessedExclusion(ssFilePath, ssFileSpec, fRecursive)
fG9<Fu
wszMachineName != NULL
.CRT$XCU
RegDeleteKeyExW
\$ E3
t @8y
ConvertStringSecurityDescriptorToSecurityDescriptorW
pcVolumeSSB
strStr != NULL
L$`A!
0x%08x
_errno
D9}Xv
f9<Ht
pbIsReparsePoint != NULL
@8~Ht
t$0I;
D;IHsCA
;Wbengine(PID:%ld,TID:%ld) Assertion Failed: %s(%d): %s
Software\Microsoft\Windows\CurrentVersion\Setup
K L;O utH
LookupAccountNameW
wszSourcePath != NULL
D8o8u
ibase\stor\blb\engine\blbengutils\blbdeviceutils.cpp
|$pmotatFH
UoH+UwH
!\$0!
pwszParentDir != NULL
D$ wdniH
fA94Nu
@A__^][
m_hVhd != INVALID_HANDLE_VALUE
t$hL9e
fB9,Gu
?TraceMessage@CTraceFailureHelper@@QEAAXPEBGZZ
H!D$8A
;s(sU
t(9{Pv
t$ UWAWH
E;uhs0
8A_A^A]A\_^[]
A9D$$u
t$ WAUAVH
(A_A^_^[]
D$HH!D$@
H!L$`I
!rgVolumeUsnInfo[iVolume].m_bValid
iRow >= 0 && iRow < (int) m_cRows
`A_A^_^]
pRow1 > pRow2
wszNewDirectory != NULL
m_pSuccessLog
HKEY_CURRENT_USER
GetCurrentProcess
\$0Hi
wszTargetVolume
ohI;opr
9w8v1
D$ ;E
wszTargetSPPMetadataCachePath != NULL
8\$Bt
_hImpersonationToken != INVALID_HANDLE_VALUE
!\$8E3
wszVolumeAccessPath
pErrorInfo->pstrDirectory == NULL
O:BAG:BAD:P(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;BO)
T$PD9b@
H;GLt
?TraceMessage@CTraceHelper@@QEAAXW4TRACE_FLAG@@PEBGZZ
CreateFile unsuccessful for %ws
H;GDu
OfflineSoftwareHive
L$H@"
m_strAccountName.IsEmpty()
FilePath
guidWriterId != GUID_NULL
DriverStoreOfflineAddDriverPackageW
O:%wsD:AR(A;OICI;FA;;;BA)(A;OICI;FA;;;BO)(A;OICI;FA;;;CO)
</FileSpecs>
_scwprintf
tu@8~8t
pdwlUsnSize
fD9#u
D9yxu
LastBackupTime
LocalFree
PA_A\_[]
spCompSpecsRoot
pbIsDynamic
wcslen(wszBuf) + wcslen(x_wszSVIDirectoryName) < MAX_PATH
CreateVssExamineWriterMetadataInternal
D$8E3
fD92u*
;\u{f
fE9,Wu
</assembly>
9oDvKL
fE9$Nu
NtCreateFile
AdExcludeFiles failed for FilePath: %ls, FileSpec: %ls, Recursive: %ls
pNextUsn
t(A8r
ProcessAndAddExclusion((CSmartStr)wszEntry)
fD9<Ju
y|=D$
Translation
@8w8t
A_A^A]A\_^]
t$0uHH
H;J0t
D9wHvo3
D8D$S
pPrev != 0
L$ VWAWH
D;|$Ps1H
cVolume != 0
T@t\H
m_bstrCurrentSubComponentName
LanmanNt
ATL$__z
u+L;&t:H
(A_A^A]A\_^][
D8yit
fE9$Gu
wszMountedDeviceName
\MediaId
base\stor\blb\engine\service\backup.cpp
F_pAtlModule == 0
_currentFileSize >= _existingFileSize
m_pSppMetadata->pwszBackupComponents != NULL
pbIsReadonly
base\stor\blb\dsm\dsmfs\dll\volumeexclusions.cpp
I;O8t
cb > BLB_CAT_CHECKSUM_SIZE
A;Fpu
sdk\inc\atlmfc\atlsecurity.inl
D$DE;
??_V@YAXPEAX@Z
u'L!D$@E3
H!\$X
rowid1 != rowid2
diskOffset >= volumeStartOffset
offsetInDiskBlock % BLBIMGI_BYTES_PER_BLOCK == 0
sdk\inc\atlmfc\statreg.h
RegisterTraceGuidsW
base\stor\blb\engine\service\service.cpp
pwszFailureLogName
0 != pFileAttributes
wcsncmp
0A\_^][
P+f9Q`u'
fD9<Gu
pEntries->pFunc == ((ATL::_ATL_CREATORARGFUNC*)1)
FileType
D$0H+
f9{pt
E{(E3
L$0H;
L$pD8T$ t
pCatBackupSet->m_cTarget == 1
pTargetFound != NULL
??0CTraceProvider@@QEAA@W4COMPONENT_CODE@@@Z
D8L1Tt
prgScheduleTime
ulReadSize > 0
FlushFileBuffers
L9mwt
pbIsReadOnly
l$8D8
phrStatus
is NOT
L9l$Ht
fD90u
d$bE3
9nDvgH
f94Cu
0A^A]A\_^[]
rgbChecksum
ppVolumeMap
*pguidMediaId != GUID_NULL
tv@8r)um
H;N8t
l$p@8o u
|$(A_
fD94zt
wnL9}
F;l>H
ssWorkingPath[ssWorkingPath.Length() - 1] == L'\\'
pNumberSets
__CxxFrameHandler3
8_!tC
pRight >= pLeft
H+A0u
IsValidSid
@A^A]^][
_onexit
pMediaCtxt->m_iVolume <= m_cVolume
NoBackupToDisk
setupapi.offline.log
` UAUAVH
pwstrKeyName
9kPvuH
cTarget < cMaxTarget
.CRT$XIAA
@A_A^A\_^[]
ppDependencyInfo
fD9<Au
!bBlind
FveGetStatusW
wszCriticalVolumeName
pDirectoryInfo
M%windir%\system32\spp\store\2.0\
L;7}?L
L9d$@t
OVERWRITE(m_ulFeatures)
D9t$0v)H
base\stor\blb\util\vssfilereadhelper.cpp
A_A^A\_^[]
LsaClose
` AVH
Windows
D9>vsA
amd64
H9\$(
t$(I;
SUVWATAVAWH
Could not stop service
m_rgVolumeContext[iVolume].volumeMap.wszRestoreAccessPath
o8H!t$@H
@A]A\_
pbPerformFullBackup
D$0E3
fD9$Yu
H WATAWH
=L9o<
guidLocalBootVolumeId != GUID_NULL
SystemImageBackup
cbHash == BLB_CHECKSUM_SIZE
FindNextFile failed in %ls with filespec %ls, hr=0x%08x
!IsListEmpty(&diffsInSource)
rgVolume
.idata$2
D9{ |
A8^Hu
isMasterBootRecord
x AVH
D$@A9
|$0H;;t%H
tcH9E
.CRT$XCL
D8cHu:H
RtlSetAllBits
base\stor\blb\util\networkutils.cpp
`A_A]A\_^[]
ComponentName
SUVAUAVH
tdD8a
|$PE3
wszTempCustomPerformanceSetting == (wszCustomPerformanceSetting + dwcCustomPerformanceSetting -1)
<ComponentInfo>
dwWritten == sizeof(rgChecksum)
SYSTEM
t H9{
wcslen(wszCatalogDir) + wcslen(x_wszBLB_CATALOG) + 1 < MAX_PATH
pbCLSIDFound != NULL
wszStringToAppend != NULL
wszTargetVolume != NULL || guidBootVolumeId != GUID_NULL
L9m`t
MPD8u@H
f9|$ u
ssDirPath.Length() != 0
.tls$
@UAVAWH
fD94Cu
{XH;{`r
D8ytt
pwszMappedPath != NULL
pwszGuidVolumeId
pTable->CBLBVolumesTable::m_signature == m_signature
base\stor\blb\engine\blbengutils\blbautoplay.cpp
HKEY_USERS
T$pH;
H;K8t
9uHv
!bFound
`A_A^A\^]
LookupPrivilegeValueW
@USWAUAVH
.xdata
u.L;{
9{Dv?H
base\stor\blb\catalog\index.cpp
.gfids
\$(A_A^A]A\
!\$(H
Single Instance Storage
L9mHt
\$`H;
Stopped
wszStringNewline
9VPv!L
fD9<Xu
t$xI;
H!t$XE3
t,@8s
*pwszComputerName!=NULL
t$xH!u
FindVolumeClose
XmlLite.dll
rowid < m_cRows
fB9<fu
base\stor\blb\dsm\dsmutils\inc\deletebase.h
Operating System
D$8I9E8u
^uHD;v
L!eP3
m_pGlobalCatalog->m_bInitialized
SetFileInformationByHandle failed
not a
pRow != NULL
TypeLib
MICROSOFT\WINDOWS NT\CurrentVersion\ASR\RestoreSession
wszVolumeLabel
fA9<Ru
AlwaysRunCompaction
D;t$0
L!eXE3
@SUVAUAVH
t0D8p
pCatalogSystem
pwszUserPart
H+M H
@tJI;
fD9?u
_cexit
E@D;h@s]3
D$hD9
D8D$AtR
x UATAUH
r9A8>H
GetSecurityDescriptorOwner
m_pbsiCat == NULL
GetLocalTime
MhL99u
@VWAWH
llSpaceRequired > 0
!m_spVssBackupComponents
fG9$wu
SetFilePointerEx
<requestedExecutionLevel level="asInvoker"
u\8D$0t
L!`8D!`@L!`HD!`0D
|$0E3
pA_A^A\_^[]
M9l$ |;H
UVWAUAVH
E;t$\r
L9}`u
pBsiCat
fB9<ru
m_wszApplicationId
m4H+M@H
D9|$hu
L9|$8t
D$$E3
m_pIncludeFiles != NULL
\$@H9
qAZf4[a
t$ WATAUAVAWH
\%s*.catalog
fD9<Su
pbTargetFailure
GetLastError
@USVWATAUAVAWH
UWAWH
pBadClusExtentsBeforeRecovery
pbIsWriteCapable
\$@H;
D;D$$
peMediaType
pFileDesc != NULL
_commode
Application Identifier
\%s*_AdditionalFiles%s.xml
drvstore.dll
EventWrite
G tlov
pcWriterInfo
SWAVAWH
fA9Lm
m_ppBins[iBin] == pNode
!\$HI
G8H;C
fD9$Gu
ProcessAndAddExclusion(ssAppend)
3awszVHDFileName && *wszVHDFileName
_amsg_exit
p WATAUAVAWH
D$pmota
pMedia->m_eMediaType == BLB_MT_SHINY || pMedia->m_eMediaType == BLB_MT_REMOVABLE
fD9,F
fA94Du
A_A]A\_]
t-D8y
u\9n8t
p AVH
wszDeleteFile
wszWindowsImageBackupDirectory
pwszDescription != NULL
AUAVAWH
t$8L;5T@
AllowAppRecFromPartialBackup
pcComponents && prgComponents
SystemImageBackupTwoTBWarning
succeeded
}PH9>u
eblbres.dll
\System Volume Information\
base\stor\blb\wsbutil\vssrestore.cpp
EPL! E!'E3
L>HE3
]H9]X
fD94Ku
|$ UAVAWH
H!|$HL
EpH;u
\$HE3
D!l$ H
SetFileSecurityW
\\?\UNC\
base\stor\blb\engine\blbengutils\blbspputils.cpp
fD94Gu
0A_A^A]A\^
this != &aSrc
ppstrFilePath && ppstrSnapshotPath
GetFileInformationByHandleEx
H!|$(H
@A]A\^][
!m_pSecurityDescriptor
RestoredVolumes
IsValidSecurityDescriptor( (PSECURITY_DESCRIPTOR)sd.GetPSECURITY_DESCRIPTOR()) && "Invalid security descriptor"
MAD:e@
D9v\v]H
Invalid path:%ls
\$hE2
pCompStatus
GetNodeClusterState
D;t$4
|$PH9l$`t
fD9?u)H;
m_ppBins[iBin] != 0
EventEnabled
pA_A^A]A\_^]
CancelIoEx
DeleteService
EK E3
0 == m_pbBuffer
C;\,D
UseSameVssContext
sdk\inc\atlmfc\atlbase.h
B@kon|
t=D8y
H!\$8E3
D9d$`
L$@E;
u"H!G@H
A_A^A]A\]
A_A^A]_]
)t$pH
H!t$P
L$8H!
m_bSystemState
L;t$Xr#L
op == BLB_IO_GE || op == BLB_IO_LE || op == BLB_IO_EQ
!>I!}
pbDVD
CopySid
GetSystemInfo
D8g`uAL;
dwVolumeFlags & (BLB_VI_BLOCK | BLB_VI_HAS_FILES | BLB_VI_HAS_SYSTEMSTATE)
NetShareAdd
E;aHA
wszRegXML
`.rdata
A;V$r
f9<Bu
t&D8y
H!L$8E3
nNewMax >= m_nMaxSize
5base\stor\blb\engine\blbengutils\blbdiffareautils.cpp
m_pOverflowLast != NULL
9T7 |f8U
WsbMountedVolumeFile%lu
!_isReadInitialized
m_bBackupOperation
D$@H;
l$ WH
D9t$x
rgFileSpecs
VOLUME_HAS_SYSTEMSTATE(pVolCtxt->m_dwVolumeFlags)
E@H;E
base\stor\blb\engine\blbengutils\blbfsutils.cpp
RegQueryInfoKeyW
RegCloseKey
SetupDiEnumDeviceInterfaces
0A_A^A\_]
GetFileAttributesExW
D8ugt
D$`9X@v<L
\%s*_Components.xml
\Windows\System32\config\Software
fD9$^u
pszVolumePath && pszVolumePath[0]
|$ UATAUAVAWH
9kxv3I
Errors during registy enumeration
GetVirtualDiskOperationProgress
D$pfD
m_pAsyncHelper == NULL && m_pAsyncRef == NULL
\\%ws\%ws
<VolumeInfoItem Name="%ws" OriginalAccessPath="%ws" State="%d" HResult="%d" DetailedHResult="%d" PreviousState="%d" IsCritical="%d" IsIncremental="%d" BlockLevel="%d" HasFiles="%d" HasSystemState="%d" IsCompacted="%d" IsPruned="%d" IsRecreateVhd="%d" FullBackupReason="%d" DataTransferred="%I64u" NumUnreadableBytes="%I64i" TotalSize="%I64u" TotalNoOfFiles="%I64u" Flags="%lu" BackupTypeDetermined="%d" SSBTotalNoOfFiles="%I64u" SSBTotalSizeOnDisk="%I64u" />
pbVhdCorrupt
GetFileInformationByHandle(hFile, &fileInfo)
pullCurrentBackupSize
LastAliveStamp
D$pu:H
D$8fD
iElement < m_nSize
base\stor\blb\engine\service\restore.h
pSystemTime
PE Information
| Image Base | Entry Point | Reported Checksum | Actual Checksum | Minimum OS Version | PDB Path | Compile Time | Import Hash | Exported DLL Name |
|---|---|---|---|---|---|---|---|---|
| 0x140000000 | 0x00140410 | 0x0017f8d1 | 0x0017f8d1 | 10.0 | wbengine.pdb | 1982-01-08 12:22:01 | d5a2b84d352aa4650498c09cf2f108a8 | wbengine.exe |
Version Infos
| CompanyName | Microsoft Corporation |
|---|---|
| FileDescription | Microsoftรยฎ Block Level Backup Engine Service EXE |
| FileVersion | 10.0.17763.1 (WinBuild.160101.0800) |
| InternalName | wbengine.exe |
| LegalCopyright | รยฉ Microsoft Corporation. All rights reserved. |
| OriginalFilename | wbengine.exe |
| ProductName | Microsoftรยฎ Windowsรยฎ Operating System |
| ProductVersion | 10.0.17763.1 |
| Translation | 0x0409 0x04b0 |
Sections
| Name | RAW Address | Virtual Address | Virtual Size | Size of Raw Data | Characteristics | Entropy |
|---|---|---|---|---|---|---|
| .text | 0x00000400 | 0x00001000 | 0x00142afc | 0x00142c00 | IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ | 6.50 |
| .rdata | 0x00143000 | 0x00144000 | 0x0002abf2 | 0x0002ac00 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 5.42 |
| .data | 0x0016dc00 | 0x0016f000 | 0x00002614 | 0x00000e00 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 3.22 |
| .pdata | 0x0016ea00 | 0x00172000 | 0x00007728 | 0x00007800 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 6.08 |
| .rsrc | 0x00176200 | 0x0017a000 | 0x00000ab8 | 0x00000c00 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 4.25 |
| .reloc | 0x00176e00 | 0x0017b000 | 0x000006ec | 0x00000800 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ | 5.14 |
| Name | Offset | Size | Language | Sub-language | Entropy | File type |
|---|---|---|---|---|---|---|
| MUI | 0x0017a9e0 | 0x000000d8 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 2.86 | None |
| REGISTRY | 0x0017a868 | 0x000000cc | LANG_ENGLISH | SUBLANG_ENGLISH_US | 5.22 | None |
| REGISTRY | 0x0017a938 | 0x000000a1 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 3.71 | None |
| RT_VERSION | 0x0017a490 | 0x000003d8 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 3.46 | None |
| RT_MANIFEST | 0x0017a180 | 0x0000030d | LANG_ENGLISH | SUBLANG_ENGLISH_US | 4.77 | None |
Imports
| Name | Address |
|---|---|
| UnregisterClassA | 0x140146578 |
| CharNextW | 0x140146580 |
| LoadStringW | 0x140146588 |
| GetMessageW | 0x140146590 |
| TranslateMessage | 0x140146598 |
| DispatchMessageW | 0x1401465a0 |
| PostThreadMessageW | 0x1401465a8 |
| CharUpperW | 0x1401465b0 |
| MessageBoxW | 0x1401465b8 |
| CharUpperBuffW | 0x1401465c0 |
| Name | Address |
|---|---|
| swscanf_s | 0x1401466d0 |
| ??_V@YAXPEAX@Z | 0x1401466d8 |
| _XcptFilter | 0x1401466e0 |
| _amsg_exit | 0x1401466e8 |
| __wgetmainargs | 0x1401466f0 |
| __set_app_type | 0x1401466f8 |
| memcpy | 0x140146700 |
| wcsstr | 0x140146708 |
| wcsrchr | 0x140146710 |
| wcscspn | 0x140146718 |
| towlower | 0x140146720 |
| _wgetenv | 0x140146728 |
| _wtol | 0x140146730 |
| _wtoi | 0x140146738 |
| wcscpy_s | 0x140146740 |
| wcstok_s | 0x140146748 |
| _wcsicmp | 0x140146750 |
| _vsnwprintf | 0x140146758 |
| memmove_s | 0x140146760 |
| calloc | 0x140146768 |
| memmove | 0x140146770 |
| _wcsnicmp | 0x140146778 |
| wcsncmp | 0x140146780 |
| _exit | 0x140146788 |
| wcscmp | 0x140146790 |
| _cexit | 0x140146798 |
| __setusermatherr | 0x1401467a0 |
| _initterm | 0x1401467a8 |
| _wcmdln | 0x1401467b0 |
| _fmode | 0x1401467b8 |
| _commode | 0x1401467c0 |
| _errno | 0x1401467c8 |
| ?terminate@@YAXXZ | 0x1401467d0 |
| realloc | 0x1401467d8 |
| wcscat_s | 0x1401467e0 |
| _scwprintf | 0x1401467e8 |
| wcschr | 0x1401467f0 |
| wcstoul | 0x1401467f8 |
| _callnewh | 0x140146800 |
| _wcstoi64 | 0x140146808 |
| _resetstkoflw | 0x140146810 |
| _lock | 0x140146818 |
| _unlock | 0x140146820 |
| __dllonexit | 0x140146828 |
| memset | 0x140146830 |
| _onexit | 0x140146838 |
| ??1type_info@@UEAA@XZ | 0x140146840 |
| wcsncpy_s | 0x140146848 |
| malloc | 0x140146850 |
| free | 0x140146858 |
| _purecall | 0x140146860 |
| memcpy_s | 0x140146868 |
| __C_specific_handler | 0x140146870 |
| __CxxFrameHandler3 | 0x140146878 |
| memcmp | 0x140146880 |
| _vsnprintf | 0x140146888 |
| _CxxThrowException | 0x140146890 |
| exit | 0x140146898 |
| Name | Address |
|---|---|
| CoInitializeEx | 0x1401469d0 |
| CoUninitialize | 0x1401469d8 |
| CoInitializeSecurity | 0x1401469e0 |
| StringFromGUID2 | 0x1401469e8 |
| CoTaskMemRealloc | 0x1401469f0 |
| CoTaskMemFree | 0x1401469f8 |
| CoTaskMemAlloc | 0x140146a00 |
| CoCreateInstance | 0x140146a08 |
| CoRegisterClassObject | 0x140146a10 |
| CoResumeClassObjects | 0x140146a18 |
| CoRevokeClassObject | 0x140146a20 |
| CoSuspendClassObjects | 0x140146a28 |
| CreateClassMoniker | 0x140146a30 |
| CreateStreamOnHGlobal | 0x140146a38 |
| CoCreateGuid | 0x140146a40 |
| CLSIDFromString | 0x140146a48 |
| CoImpersonateClient | 0x140146a50 |
| CoRevertToSelf | 0x140146a58 |
| CoDisconnectObject | 0x140146a60 |
| GetRunningObjectTable | 0x140146a68 |
| Name | Address |
|---|---|
| SysStringByteLen | 0x140146478 |
| SysAllocStringByteLen | 0x140146480 |
| VariantClear | 0x140146488 |
| SysAllocString | 0x140146490 |
| VariantInit | 0x140146498 |
| VarBstrCmp | 0x1401464a0 |
| RegisterTypeLib | 0x1401464a8 |
| SysFreeString | 0x1401464b0 |
| VarUI4FromStr | 0x1401464b8 |
| SystemTimeToVariantTime | 0x1401464c0 |
| VariantCopy | 0x1401464c8 |
| SysStringLen | 0x1401464d0 |
| LoadTypeLib | 0x1401464d8 |
| UnRegisterTypeLib | 0x1401464e0 |
| SysAllocStringLen | 0x1401464e8 |
| VarBstrCat | 0x1401464f0 |
| Name | Address |
|---|---|
| RpcStringFreeW | 0x140146500 |
| UuidToStringW | 0x140146508 |
| UuidCreate | 0x140146510 |
| UuidFromStringW | 0x140146518 |
| Name | Address |
|---|---|
| CreateVssBackupComponentsInternal | 0x1401465d0 |
| VssFreeSnapshotPropertiesInternal | 0x1401465d8 |
| CreateVssExamineWriterMetadataInternal | 0x1401465e0 |
| Name | Address |
|---|---|
| DetachVirtualDisk | 0x1401465f0 |
| CreateVirtualDisk | 0x1401465f8 |
| SetVirtualDiskInformation | 0x140146600 |
| GetVirtualDiskPhysicalPath | 0x140146608 |
| OpenVirtualDisk | 0x140146610 |
| GetStorageDependencyInformation | 0x140146618 |
| AttachVirtualDisk | 0x140146620 |
| GetVirtualDiskInformation | 0x140146628 |
| GetVirtualDiskOperationProgress | 0x140146630 |
| CompactVirtualDisk | 0x140146638 |
| Name | Address |
|---|---|
| BcdSetSystemStoreDevice | 0x140146660 |
| BcdOpenSystemStore | 0x140146668 |
| BcdForciblyUnloadStore | 0x140146670 |
| BcdCloseStore | 0x140146678 |
| BcdImportStoreWithFlags | 0x140146680 |
| Name | Address |
|---|---|
| SetupDiEnumDeviceInterfaces | 0x140146528 |
| SetupDiDestroyDeviceInfoList | 0x140146530 |
| SetupGetInfDriverStoreLocationW | 0x140146538 |
| SetupDiGetClassDevsW | 0x140146540 |
| SetupDiGetDeviceInterfaceDetailW | 0x140146548 |
| SetupEnumPublishedInfW | 0x140146550 |
| SetupDiGetDeviceRegistryPropertyW | 0x140146558 |
| Name | Address |
|---|---|
| SppFreeBadWritersArray | 0x140146568 |
| Name | Address |
|---|---|
| NetShareAdd | 0x140146450 |
| NetShareDel | 0x140146458 |
| NetShareGetInfo | 0x140146460 |
| NetApiBufferFree | 0x140146468 |
| Name | Address |
|---|---|
| CreateXmlReaderInputWithEncodingName | 0x140146648 |
| CreateXmlReader | 0x140146650 |
| Name | Address |
|---|---|
| BCryptGetProperty | 0x140146690 |
| BCryptFinishHash | 0x140146698 |
| BCryptCloseAlgorithmProvider | 0x1401466a0 |
| BCryptDestroyHash | 0x1401466a8 |
| BCryptHashData | 0x1401466b0 |
| BCryptCreateHash | 0x1401466b8 |
| BCryptOpenAlgorithmProvider | 0x1401466c0 |
| Name | Address |
|---|---|
| GetNodeClusterState | 0x140146040 |
| Name | Address |
|---|---|
| WerReportSubmit | 0x140146a78 |
| WerReportCreate | 0x140146a80 |
| WerReportSetParameter | 0x140146a88 |
| WerReportCloseHandle | 0x140146a90 |
| WerReportAddFile | 0x140146a98 |
Exports
| Name | Address | Ordinal |
|---|---|---|
| ??0CTraceFailureHelper@@QEAA@AEAVCTraceProvider@@JPEBGKPEBX@Z | 0x1400df0b0 | 1 |
| ??0CTraceFunction@@QEAA@AEAVCTraceProvider@@PEBGH1PEBX@Z | 0x1400def00 | 2 |
| ??0CTraceHelper@@QEAA@AEAVCTraceProvider@@PEBGKPEBX@Z | 0x1400deee0 | 3 |
| ??0CTraceProvider@@QEAA@W4COMPONENT_CODE@@@Z | 0x14013cb80 | 4 |
| ??1CTraceFunction@@QEAA@XZ | 0x1400dedf0 | 5 |
| ??1CTraceProvider@@QEAA@XZ | 0x14013cca0 | 6 |
| ??4CTraceProvider@@QEAAAEAV0@AEBV0@@Z | 0x14013d550 | 7 |
| ?EtwEnabled@CTraceProvider@@QEAA_NW4TRACE_FLAG@@@Z | 0x1400dee40 | 8 |
| ?EtwTrace@CTraceProvider@@QEAAXAEBUDLS_TRACE_EVENT@@@Z | 0x14013cf70 | 9 |
| ?OdsEnabled@CTraceProvider@@QEAA_NW4TRACE_FLAG@@@Z | 0x1400dee60 | 10 |
| ?OdsTrace@CTraceProvider@@QEAAXAEBUDLS_TRACE_EVENT@@@Z | 0x14013d0e0 | 11 |
| ?QueryTaskId@CTraceProvider@@SA?AU_GUID@@XZ | 0x14013d3d0 | 12 |
| ?SetTraceControlInfo@CTraceProvider@@QEAAX_N_KK@Z | 0x14013d3b0 | 13 |
| ?Trace@CTraceProvider@@QEAAXW4TRACE_FLAG@@PEBGKPEBX1PEAD@Z | 0x14013ccc0 | 14 |
| ?TraceMessage@CTraceFailureHelper@@QEAAXPEBGZZ | 0x14013d490 | 15 |
| ?TraceMessage@CTraceHelper@@QEAAXW4TRACE_FLAG@@PEBGZZ | 0x1400dee80 | 16 |
| ?m_dwTraceCurrSize@CTraceProvider@@0KA | 0x1401714e0 | 17 |
| ?m_dwTraceLevel@CTraceProvider@@0KA | 0x14016fc64 | 18 |
| ?m_dwTraceMaxNum@CTraceProvider@@0KA | 0x1401714dc | 19 |
| ?m_dwTraceMaxSize@CTraceProvider@@0KA | 0x1401714d8 | 20 |
| ?m_dwTraceNextNum@CTraceProvider@@0KA | 0x1401714d4 | 21 |
| ?m_errLogCriticalSection@CTraceProvider@@0U_RTL_CRITICAL_SECTION@@A | 0x140170300 | 22 |
| ?m_errorFile@CTraceProvider@@0PEAU_iobuf@@EA | 0x1401714e8 | 23 |
| ?m_errorTracingInBadState@CTraceProvider@@0_NA | 0x14016fc68 | 24 |
| ?m_isCriticalSectionIntialized@CTraceProvider@@0_NA | 0x1401714e4 | 25 |
Usage
Processing ( 11.91 seconds )
- 10.477 ProcessMemory
- 1.408 CAPE
- 0.018 AnalysisInfo
- 0.008 BehaviorAnalysis
- 0.001 Debug
Signatures ( 0.06 seconds )
- 0.008 ransomware_files
- 0.006 antiav_detectreg
- 0.005 antianalysis_detectfile
- 0.005 ransomware_extensions
- 0.003 territorial_disputes_sigs
- 0.003 ursnif_behavior
- 0.002 antiav_detectfile
- 0.002 infostealer_bitcoin
- 0.002 infostealer_ftp
- 0.002 infostealer_im
- 0.002 poullight_files
- 0.001 antianalysis_detectreg
- 0.001 antivm_vbox_files
- 0.001 antivm_vbox_keys
- 0.001 geodo_banking_trojan
- 0.001 browser_security
- 0.001 disables_backups
- 0.001 disables_browser_warn
- 0.001 disables_power_options
- 0.001 azorult_mutexes
- 0.001 cryptbot_files
- 0.001 echelon_files
- 0.001 infostealer_mail
- 0.001 masquerade_process_name
- 0.001 revil_mutexes
- 0.001 modirat_behavior
Reporting ( 0.01 seconds )
- 0.006 CAPASummary
- 0.001 JsonDump
Signatures
The PE file contains a PDB path
pdbpath: wbengine.pdb
SetUnhandledExceptionFilter detected (possible anti-debug)
Possible date expiration check, exits too soon after checking local time
process: wbengine.exe, PID 2448
Yara detections observed in process dumps, payloads or dropped files
Hit: PID 2448 triggered the Yara rule 'shellcode_get_eip' with data '['{ E8 00 00 00 00 59 }']'
Anomalous binary characteristics
anomaly: Entrypoint of binary is located outside of any mapped sections
Screenshots
No screenshots available.Hosts
No hosts contacted.
DNS
No domains contacted.
Summary
C:\Windows\System32\kernel.appcore.dll
\Device\CNG
C:\Users\Packager\AppData\Local\Temp\wbengine.exe
\Device\CNG
C:\Users\Packager\AppData\Local\Temp\wbengine.exe
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\STE
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\MDMEnabled
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\Microsoft\Cryptography\Configuration
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wbengine
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wbengine\ODS
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wbengine\ODSFLAGS
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_CLASSES_ROOT\AppID
HKEY_CURRENT_USER\Software\Classes\AppID\{C3B65D83-FB15-4e3f-BA04-097D1E2B5AC1}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{C3B65D83-FB15-4e3f-BA04-097D1E2B5AC1}\LocalService
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableUmpdBufferSizeCheck
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\STE
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\MDMEnabled
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\Microsoft\Cryptography\Configuration
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wbengine
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wbengine\ODS
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wbengine\ODSFLAGS
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_CLASSES_ROOT\AppID
HKEY_CURRENT_USER\Software\Classes\AppID\{C3B65D83-FB15-4e3f-BA04-097D1E2B5AC1}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{C3B65D83-FB15-4e3f-BA04-097D1E2B5AC1}\LocalService
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableUmpdBufferSizeCheck
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\STE
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\MDMEnabled
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wbengine\ODS
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wbengine\ODSFLAGS
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{C3B65D83-FB15-4e3f-BA04-097D1E2B5AC1}\LocalService
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableUmpdBufferSizeCheck
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\MDMEnabled
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wbengine\ODS
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wbengine\ODSFLAGS
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{C3B65D83-FB15-4e3f-BA04-097D1E2B5AC1}\LocalService
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableUmpdBufferSizeCheck
Sorry! No behavior.
Sorry! No strace.
Sorry! No tracee.
No hosts contacted.
No TCP connections recorded.
No UDP connections recorded.
No domains contacted.
HTTP Requests
No HTTP(s) requests performed.
SMTP traffic
No SMTP traffic performed.
IRC traffic
No IRC requests performed.
No ICMP traffic performed.
CIF Results
No CIF Results
Suricata Alerts
No Suricata Alerts
Suricata TLS
No Suricata TLS
Suricata HTTP
No Suricata HTTP
Sorry! No Suricata Extracted files.
Sorry! No dropped files.
Sorry! No process dumps.
Sorry! No process dumps.