Windows 10 IoT Terminal Deployment – Part 2 – Protect the Hard Disk ? – Deploy Write Filter !

| yagmoth555

Hi everyone !

In the second part of my article on how to deploy some thin client that run Windows 10 IoT I will talk on the write filter.

It exist three way to manage it that I know that exist;

1 – HP Write Filter (Shipping inside that terminal model as it’s a HP’s brand)

2 – Microsoft Unified Write Filter. That is new a new feature that come from EWF. (Shipped inside the terminal, as the Windows IoT is an Enterprise’s build)

3 – DeepFreeze (not free)

Today I will talk about HPWF and how to deploy the settings to the terminals.

To make the initial configuration to deploy, you must login inside one terminal to configure the overlay exception. We will capture the change after to deploy that.

We right click the HPWF management icon in the systray; it’s the green lock.

hpwf02

A side note; The green icon mean the overlay usage is ok, if it turn yellow or red, it mean it’s now in a critical state. To explain it, the overlay is stored inside the RAM, and each file change is stored inside of that buffer, it’s how the system can revert back the change after a reboot.

hpwf03

Let’s go back to our settings, when we will click the icon we will see which write filter is used;

hpwf01

Inside that windows we can click the More Settings to see which exception is set, and what use the overlay;

hpwf04

I put in red some exception that I did, as some default’s exception exist. The exception I really suggest to enable is for;

  • Your Antivirus product.
    • In that case I added TrendMicro and Windows Defender
  • The user profile if you intend to not use roaming profile, and that you want permanent settings for the user.
  • Chrome there, as the default behaviour of Chrome is to auto-update (which is not bad if you want to be secure in the long term)
  • I suggest too the Windows LogFiles folder.

The exception will allows our Antivirus to update in a day to day routine, while most of the program files and system folder will revert back.

I suggest to target a test user and test the terminal to see if the overlay cache stay in a consistent state. The goal is if the user write a lot of data to the hard-drive for a reason X, we need to know why.

With the why, we can try to push an needed application to a RDS server in example to prevent HDD usage, or if really needed we can make new exception.

Now to push the settings we need HPDM, which I talk more in detail in the part 3, but I will show you the task to do;

We need to capture the settings, and after we push the captured settings back to our terminals.

The two task w e need to know is:

 _Capture Write Filter Exclusion List

This template captures the FBWF/UWF exclusion list from a device running a Windows operating system with FBWF or UWF.

_Deploy Write Filter Exclusion List

This template deploys the write filter exclusion list to devices running a Windows operating system with FBWF or UWF

 

Thanks everyone for reading, stay tuned for the part 3 soon !

 

Windows 10 IoT Terminal Deployment – Part 1 – Introduction

 

Advertisement

7 thoughts on “Windows 10 IoT Terminal Deployment – Part 2 – Protect the Hard Disk ? – Deploy Write Filter !

  1. Hi Phil,

    This is the post what i was looking for.

    In my environment i have HP thin client model t620 Windows 10 IOT 4 GB RAM and 32 GB ROM.

    I am using UWF in my environemnt, Is there any benefit of using HPWF? i guess you can’t set more than default overlay size like 671 MB in this but i am not sure.

    I am using Microsoft UWF with overlay size 1024 MB, our setup is configured in Kiosk mode where user has only two
    apps one is chrome browser and other is Horizon client.

    But the thing is both chrome and Horizon is not excluded in UWF and all the writes are form these two apps, so system buffer memory gets full around 25 to 30 days then after system needs to reboot and memory we can monitor through monitoring system.

    My question is for excluding chrome and Horizon, we need to exclude both in File and Registry exclusion, which may be
    as follows or you can guide:

    System is in kiosk and always connected by user mode and following locations user has apps startup set.

    File Path:
    C:\Program Files (x86)\VMware\VMware Horiozn View Client\vmware-view.exe – this location is pointed in the user app

    C:\Program Files (x86)\Google\Chrome\Application\chrome.exe – this location is pointed in the user app

    Registry Path:

    HKLM\Software\Google\Chrome
    HKLM\Software\VMware\Horizon

    Thanks in advance.

    Like

    Reply

  2. Following are the exclusion list except chrome and Horizon in our setup:
    What’s your opinion on this ?

    File Exclusion:

    C:\Program Files\Windows Defender
    C:\Program Files (x86)\Windows Defender
    C:\Program Data\Microsoft\Windows Defender
    C:\Windows\WindowsUpdate\log
    C:\Windows\Temp\MpCmdRun.log
    C:\Windows\System32\spp\store
    C:\Windows\bootstat.dat
    C:\Windows\xpeagent
    C:\Windows\WinSxs
    C:\Windows\servicing
    C:\Windows\Logs\CBS
    C:\Windows\DISM
    C:\Windows\System32\winevt\Logs\Setup.evtx

    Registry Exclusion:

    HKLM\SYSTEM\CurrentControlSet\Services\HPCache\Parameters
    HKLM\SOFTWARE\Microsoft\Windows Defender
    HKLM\SOFTWARE\Microsoft\Windows NT\Currentverison\Time Zones
    HKLM\SYSTEM\WPA
    HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation
    HKLM\SECURITY\Policy\Secrets\$MACHINE.ACC
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ComponentbasedServicing
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide
    HKLM\COMPONENTS\CanonicaData
    HKLM\COMPONENTS\ccpinterface
    HKLM\COMPONENTS\DerivedData
    HKLM\COMPONENTS\Drivers
    HKLM\COMPONENTS\Installers
    HKLM\COMPONENTS\NonCanonicalData
    HKLM\COMPONENTS\ServicingStackversions
    HKLM\COMPONENTS\TransfromerRollbackData
    HKLM\SYSTEM\CurrentControlSet\services\W32Time\Parameters\NtpServer

    Thanks in advance.

    Liked by 1 person

    Reply

    1. Thanks for the feedback. The exclusion seem ok. My first test I would do is to query your overlay cache to be sure what file is using the most cache.

      I see the user profile is protected, so I would ask where the Chrome cache is in your case (appdata redirected?)

      If it’s local I would think it’s maybe there that you loose the cache.

      To be sure please run that powershell script; it will list where your overlay is active.

      $wmiobject = get-wmiobject -Namespace “root\standardcimv2\embedded” -Class UWF_Overlay
      $files = $wmiobject.GetOverlayFiles(“c:”)
      $files.OverlayFiles | select-object -Property FileName,FileSize | export-csv -Path D:\output.csv

      Let me know what you find in the overlay cache

      Thanks

      Liked by 1 person

      Reply

  3. Hi Thanks too for your review and reply.

    As i can see user profile is protected in my case, C:\Users folder is not excluded but you have excluded in your exclusion list.

    Should we also exclude also C:\Users – Isn’t keep filling storage if we exclude, its good user activity is flush out if its protected also good for security point of view, if user need some setting we can disabled UWF and change setting and Enabled UWF back. In my case user has less privilege.

    Chrome cache is not redirected, its in the same user appdata location:

    “C\Users\User\AppData\Local\Google\Chrome\User Data\Default\Cache (So It’s local i think)

    The output of the above commands created data of 1195 rows.Its large data.
    How do we filter with column 1?

    Best Regards

    Liked by 1 person

    Reply
  4. #TYPE Selected.System.Management.ManagementBaseObject “FileName”,”FileSize” “$BitMap::$DATA”,”266240″ “$Extend$ObjId:$O:$INDEX_ALLOCATION”,”4096″ “$Extend$RmMetadata$TxfLog$TxfLog.blf::$DATA”,”65536″ “$Extend$RmMetadata$TxfLog$TxfLogContainer00000000000000000001::$DATA”,”16384″ “$Extend$UsnJrnl:$J:$DATA”,”204800″ “$LogFile::$DATA”,”3612672″ “$Mft::$BITMAP”,”16384″ “$Mft::$DATA”,”1970176″ “$Recycle.Bin:$I30:$INDEX_ALLOCATION”,”4096″ “$Recycle.BinS-1-5-21-3717794714-1304214083-2058911587-1001:$I30:$INDEX_ALLOCATION”,”4096″ “$Secure:$SDH:$INDEX_ALLOCATION”,”8192″ “$Secure:$SDS:$DATA”,”24576″ “$Secure:$SII:$INDEX_ALLOCATION”,”24576″ “:$I30:$INDEX_ALLOCATION”,”12288″ “Program Files (x86)CitrixICA ClientAuthManagerresources:$I30:$INDEX_ALLOCATION”,”4096″ “Program Files (x86)CitrixICA ClientMFComponents.dll::$DATA”,”4096″ “Program Files (x86)CitrixICA ClientPseudoContainer.exe::$DATA”,”4096″ “Program Files (x86)CitrixICA ClientSelfServicePluginja:$I30:$INDEX_ALLOCATION”,”4096″ “Program Files (x86)CitrixICA Clientconcentr.exe::$DATA”,”4096″ “Program Files (x86)CitrixICA Clientmfc140chs.dll::$DATA”,”4096″ “Program Files (x86)Common FilesVMwareUSBvnetlib64.exe::$DATA”,”8192″ “Program Files (x86)Foxit PhantomPDFFoxitPhantomPDF.exe::$DATA”,”8192″ “Program Files (x86)GoogleChromeApplication71.0.3578.98Localesam.pak::$DATA”,”8192″ “Program Files (x86)GoogleChromeApplication71.0.3578.98Localesbg.pak::$DATA”,”4096″ “Program Files (x86)GoogleChromeApplication71.0.3578.98Localescs.pak::$DATA”,”8192″ “Program Files (x86)GoogleChromeApplication71.0.3578.98Localesel.pak::$DATA”,”4096″ “Program Files (x86)GoogleChromeApplication71.0.3578.98Localesth.pak::$DATA”,”4096″ “Program Files (x86)GoogleChromeApplication71.0.3578.98chrome.dll::$DATA”,”16384″ “Program Files (x86)GoogleChromeApplication71.0.3578.98chrome_child.dll::$ATTRIBUTE_LIST”,”4096″ “Program Files (x86)GoogleChromeApplication71.0.3578.98chrome_child.dll::$DATA”,”20480″ “Program Files (x86)GoogleChromeApplication71.0.3578.98libegl.dll::$DATA”,”4096″ “Program Files (x86)GoogleChromeApplication71.0.3578.98nacl_irt_x86_64.nexe::$DATA”,”4096″ “Program Files (x86)GoogleChromeApplication71.0.3578.98swiftshaderlibglesv2.dll::$DATA”,”4096″ “Program Files (x86)GoogleChromeApplication76.0.3809.100Installerchrome.7z::$DATA”,”12288″ “Program Files (x86)GoogleChromeApplication76.0.3809.100Installersetup.exe::$DATA”,”4096″ “Program Files (x86)GoogleChromeApplication76.0.3809.100Localesfil.pak::$DATA”,”8192″ “Program Files (x86)GoogleChromeApplication76.0.3809.100Localeskn.pak::$DATA”,”4096″ “Program Files (x86)GoogleChromeApplication76.0.3809.100Localespt-BR.pak::$DATA”,”12288″ “Program Files (x86)GoogleChromeApplication76.0.3809.100Localesru.pak::$DATA”,”4096″ “Program Files (x86)GoogleChromeApplication76.0.3809.100Localessk.pak::$DATA”,”8192″ “Program Files (x86)GoogleChromeApplication76.0.3809.100Localesth.pak::$DATA”,”4096″ “Program Files (x86)GoogleChromeApplication76.0.3809.100Localeszh-TW.pak::$DATA”,”8192″ “Program Files (x86)GoogleChromeApplication76.0.3809.100chrome.dll::$DATA”,”12288″ “Program Files (x86)GoogleChromeApplication76.0.3809.100chrome_child.dll::$DATA”,”4096″ “Program Files (x86)GoogleChromeApplication76.0.3809.100d3dcompiler_47.dll::$DATA”,”4096″ “Program Files (x86)GoogleUpdateGoogleUpdate.exe::$DATA”,”4096″ “Program Files (x86)InstallShield Installation Information{8833FFB6-5B0C-4764-81AA-06DFEED9A476}setup.exe::$DATA”,”4096″ “Program Files (x86)Microsoft Silverlight5.1.30514.0System.Xml.ni.dll::$DATA”,”4096″ “Program Files (x86)Microsoft Silverlight5.1.30514.0svsystem.resources.dll::$DATA”,”4096″ “Program Files (x86)Microsoft Silverlight5.1.30514.0thmscorlib.resources.dll::$DATA”,”4096″ “Program Files (x86)VMwareVMware Horizon View Clientx64ceflibcef.dll::$DATA”,”4096″ “Program Files (x86)check_mk:$I30:$INDEX_ALLOCATION”,”4096″ “Program Files (x86)check_mkbin:$I30:$INDEX_ALLOCATION”,”4096″ “Program Files (x86)check_mkbinOpenHardwareMonitorLib.sys::$DATA”,”12288″ “Program Files (x86)check_mkconfig:$I30:$INDEX_ALLOCATION”,”4096″ “Program Files (x86)check_mkplugins.cap::$DATA”,”8192″ “Program Files (x86)check_mkstate:$I30:$INDEX_ALLOCATION”,”4096″ “Program Files (x86)check_mktempcmk-update-agent.exe::$DATA”,”12189696″ “Program FilesAMDamdkmpfdamdkmpfd.stz::$DATA”,”4096″ “Program FilesBroadcomBluetooth DriversBCM20702A1_001.002.014.1443.1447.hex::$DATA”,”4096″ “Program FilesBroadcomBluetooth DriversBCM20702A1_001.002.014.1443.1449.hex::$DATA”,”4096″ “Program FilesBroadcomBluetooth DriversBCM20702A1_001.002.014.1443.1450.hex::$DATA”,”4096″ “Program FilesBroadcomBluetooth DriversBCM20702A1_001.002.014.1443.1459.hex::$DATA”,”8192″ “Program FilesBroadcomBluetooth DriversBCM20702A1_001.002.014.1443.1460.hex::$DATA”,”4096″ “Program FilesBroadcomBluetooth Driversbcbtums-win8x64-brcm.inf::$DATA”,”4096″ “Program FilesBroadcomBluetooth Driversbtwampfl.sys::$DATA”,”4096″ “Program FilesBroadcomBroadcom 802.11 Network AdapterDriverbcmwl63.sys::$DATA”,”16384″ “Program FilesCommon FilesVMwareThinPrint:$I30:$INDEX_ALLOCATION”,”4096″ “Program FilesCommon Filesmicrosoft sharedStationeryRoses.jpg::$DATA”,”4096″ “Program FilesCommon Filesmicrosoft sharedinkfsdefinitionsinsertinsertbase.xml::$DATA”,”4096″ “Program FilesHPHP Easy ShellPluginsVMWARESystem.Windows.Interactivity.dll::$DATA”,”4096″ “Program FilesHPHP ThinUpdateUFDbootfontschs_boot.ttf::$DATA”,”4096″ “Program FilesHPHP ThinUpdateUFDbootfontscht_boot.ttf::$DATA”,”8192″ “Program FilesHPHP ThinUpdateUFDbootfontsjpn_boot.ttf::$DATA”,”8192″ “Program FilesHPHP ThinUpdateUFDsourcesboot.wim::$DATA”,”45056″ “Program FilesHPHP Write ManagerHPUpdateCheck.exe::$DATA”,”4096″ “Program FilesHPHP Write ManagerHPWFConfig.exe::$DATA”,”24576″ “Program FilesHPHP Write ManagerHPWFWMIInstaller.exe::$DATA”,”4096″ “Program FilesHPHP Write ManagerHPWriteFSvc.exe::$DATA”,”4096″ “Program FilesHPHP Write ManagerHPWriteFSvcMgr.exe::$DATA”,”4096″ “Program FilesHPHP Write ManagerHpWriteFSvcInstaller.exe::$DATA”,”4096″ “Program FilesHPHP Write ManagerMicrosoft.Diagnostics.Tracing.TraceEvent.DLL::$DATA”,”4096″ “Program FilesHPHP Write ManagerSystem.IO.Compression.dll::$DATA”,”4096″ “Program FilesInternet Exploreriediagcmd.exe::$DATA”,”4096″ “Program FilesInternet Explorerielowutil.exe::$DATA”,”8192″ “Program FilesMicrosoft Policy PlatformFileFolder.mof::$DATA”,”4096″ “Program FilesRealtekAudioHDARAVCpl64.exe::$DATA”,”8192″ “Program FilesRealtekAudioHDARtkNGUI64.exe::$DATA”,”4096″ “Program FilesVMwareVMware Horizon Media EngineVMWMediaProvider.dll::$DATA”,”8192″ “Program FilesWindows Defender:$I30:$INDEX_ALLOCATION”,”8192″ “ProgramDataCitrixCitrix Receiver 4.11GenericUSB.msi::$DATA”,”4096″ “ProgramDataCitrixCitrix Receiver 4.11SSONWrapper.msi::$DATA”,”4096″ “ProgramDataCitrixCitrix Receiver 4.11dsetup32.dll::$DATA”,”4096″ “ProgramDataHPMsiCacheHP VelocityHPVelocity_3.2.0.24960.exe::$DATA”,”4096″ “ProgramDataMicrosoftDiagnosis:$I30:$INDEX_ALLOCATION”,”4096″ “ProgramDataMicrosoftDiagnosisETLLogsAutoLoggerAutoLogger-Diagtrack-Listener.etl::$DATA”,”16384″ “ProgramDataMicrosoftDiagnosisEvents_CostDeferred.rbs::$DATA”,”4096″ “ProgramDataMicrosoftDiagnosisEvents_Normal.rbs::$DATA”,”65536″ “ProgramDataMicrosoftDiagnosisEvents_NormalCritical.rbs::$DATA”,”45056″ “ProgramDataMicrosoftDiagnosisEvents_Realtime.rbs::$DATA”,”20480″ “ProgramDataMicrosoftNetworkDownloaderqmgr0.dat::$DATA”,”8192″ “ProgramDataMicrosoftNetworkDownloaderqmgr1.dat::$DATA”,”8192″ “ProgramDataMicrosoftUEVInboxTemplatesEaseOfAccessSettings2013.xml::$DATA”,”4096″ “ProgramDataMicrosoftWindows Defender:$I30:$INDEX_ALLOCATION”,”4096″ “ProgramDataMicrosoftWindows DefenderDefinition Updates:$I30:$INDEX_ALLOCATION”,”4096″ “ProgramDataMicrosoftWindows DefenderDefinition UpdatesDefault:$I30:$INDEX_ALLOCATION”,”4096″ “ProgramDataMicrosoftWindows DefenderDefinition Updates{C6A42715-26E9-43FD-B746-7B04FB76755F}:$I30:$INDEX_ALLOCATION”,”4096″ “ProgramDataMicrosoftWindows DefenderNetwork Inspection SystemSupportNisLog.txt::$DATA”,”40960″ “ProgramDataMicrosoftWindows DefenderScans:$I30:$INDEX_ALLOCATION”,”4096″ “ProgramDataMicrosoftWindows DefenderScansHistory:$I30:$INDEX_ALLOCATION”,”4096″ “ProgramDataMicrosoftWindows DefenderScansHistoryCacheManager:$I30:$INDEX_ALLOCATION”,”4096″ “ProgramDataMicrosoftWindows DefenderScansHistoryCacheManagerE6864982-4411-4EC0-9DDC-04D68FA6E9FA-0.bin::$DATA”,”8192″ “ProgramDataMicrosoftWindows DefenderScansHistoryMputMputHistory:$I30:$INDEX_ALLOCATION”,”4096″ “ProgramDataMicrosoftWindows DefenderScansHistoryResultsResource:$I30:$INDEX_ALLOCATION”,”12288″ “ProgramDataMicrosoftWindows DefenderScansHistoryResultsResource{B0631807-5F62-482C-AB80-39F51D681980}::$DATA”,”4096″ “ProgramDataMicrosoftWindows DefenderScansHistoryResultsResource{D06B259D-6DFC-4674-9CDF-9715066F4ADE}::$DATA”,”4096″ “ProgramDataMicrosoftWindows DefenderScansHistoryResultsResource{D24EBC05-46DA-478B-B077-967B907600A8}::$DATA”,”4096″ “ProgramDataMicrosoftWindows DefenderScansHistoryResultsResource{DF74230F-017F-483C-BCE1-3C7D0F927ED7}::$DATA”,”4096″ “ProgramDataMicrosoftWindows DefenderScansHistoryStore:$I30:$INDEX_ALLOCATION”,”4096″ “ProgramDataMicrosoftWindows DefenderScansMetaStore1:$I30:$INDEX_ALLOCATION”,”4096″ “ProgramDataMicrosoftWindows DefenderScansMetaStore2:$I30:$INDEX_ALLOCATION”,”4096″ “ProgramDataMicrosoftWindows DefenderScansMetaStore4:$I30:$INDEX_ALLOCATION”,”4096″ “ProgramDataMicrosoftWindows DefenderScansmpcache-01287DAF5316DFCD47F46CE50B3290F3734F276A.bin.67::$DATA”,”4096″ “ProgramDataMicrosoftWindows DefenderScansmpcache-01287DAF5316DFCD47F46CE50B3290F3734F276A.bin.7C::$DATA”,”4096″ “ProgramDataMicrosoftWindows DefenderSupport:$I30:$INDEX_ALLOCATION”,”16384″ “ProgramDataMicrosoftWindows DefenderSupportMpWppTracing-04152019-175423-00000003-ffffffff.bin::$DATA”,”8192″ “ProgramDataMicrosoftWindows DefenderSupportMpWppTracing-06032019-172545-00000003-ffffffff.bin::$DATA”,”4096″ “ProgramDataMicrosoftWindows DefenderSupportMpWppTracing-07102019-171210-00000003-ffffffff.bin::$DATA”,”8192″ “ProgramDataMicrosoftWindows DefenderSupportMpWppTracing-07122019-080843-00000003-ffffffff.bin::$DATA”,”4096″ “ProgramDataMicrosoftWindows DefenderSupportMpWppTracing-07152019-175916-00000003-ffffffff.bin::$DATA”,”4096″ “ProgramDataMicrosoftWindows DefenderSupportMpWppTracing-07162019-173836-00000003-ffffffff.bin::$DATA”,”4096″ “ProgramDataMicrosoftWindows DefenderSupportMpWppTracing-07172019-172016-00000003-ffffffff.bin::$DATA”,”8192″ “ProgramDataMicrosoftWindows DefenderSupportMpWppTracing-07182019-171903-00000003-ffffffff.bin::$DATA”,”4096″ “ProgramDataMicrosoftWindows DefenderSupportMpWppTracing-08282019-091137-00000003-ffffffff.bin::$DATA”,”4096″ “ProgramDataMicrosoftWindows DefenderSupportMpWppTracing-10082019-181705-00000003-ffffffff.bin::$DATA”,”4096″ “ProgramDataMicrosoftWindows DefenderSupportMpWppTracing-10222019-155320-00000003-ffffffff.bin::$DATA”,”4096″ “ProgramDataMicrosoftWindows DefenderSupportMpWppTracing-11142019-074454-00000003-ffffffff.bin::$DATA”,”4096″ “ProgramDataMicrosoftWindows DefenderSupportMpWppTracing-11152019-120014-00000003-ffffffff.bin::$DATA”,”4096″ “ProgramDataMicrosoftWindowsAppRepository:$I30:$INDEX_ALLOCATION”,”4096″ “ProgramDataMicrosoftWindowsAppRepositoryMicrosoft.Windows.ContentDeliveryManager_10.0.14393.0_neutral_neutral_cw5n1h2txyewy.xml::$DATA”,”4096″ “ProgramDataMicrosoftWindowsAppRepositoryPackagesMicrosoft.Windows.AssignedAccessLockApp_1000.14393.0.0_neutral_neutral_cw5n1h2txyewyActivationStore.dat.LOG1::$DATA”,”4096″ “ProgramDataMicrosoftWindowsAppRepositoryPackagesMicrosoft.Windows.ParentalControls_1000.14393.0.0_neutral_neutral_cw5n1h2txyewyActivationStore.dat::$DATA”,”4096″ “ProgramDataMicrosoftWindowsSystemDataS-1-5-18ReadOnlyLockScreen_Z:$I30:$INDEX_ALLOCATION”,”4096″ “ProgramDataMicrosoftWindowsSystemDataS-1-5-18ReadOnlyLockScreen_ZLockScreen___1612_1067_notdimmed.jpg::$DATA”,”237568″ “ProgramDataMicrosoftWindowsWERReportQueue:$I30:$INDEX_ALLOCATION”,”24576″ “ProgramDataMicrosoftWindowsWERReportQueueAppCrash_atiesrxx.exe_23cf72a62f3a6fce921d4c7a7e5d0177cc882e_e132c610_031fbb4aReport.wer::$DATA”,”4096″ “ProgramDataMicrosoftWindowsWERReportQueueAppCrash_explorer.exe_5fc916f292b33c15052a0e191d5b8bd448ef74_f59c766f_0ee1bd01Report.wer::$DATA”,”8192″ “ProgramDataMicrosoftWindowsWERReportQueueAppCrash_explorer.exe_5fc916f292b33c15052a0e191d5b8bd448ef74_f59c766f_0f45d617Report.wer::$DATA”,”8192″ “ProgramDataMicrosoftWindowsWERReportQueueAppCrash_explorer.exe_5fc916f292b33c15052a0e191d5b8bd448ef74_f59c766f_10d9ced4Report.wer::$DATA”,”8192″ “ProgramDataMicrosoftWindowsWERReportQueueAppCrash_explorer.exe_5fc916f292b33c15052a0e191d5b8bd448ef74_f59c766f_12660584Report.wer::$DATA”,”8192″ “ProgramDataMicrosoftWindowsWERReportQueueAppCrash_explorer.exe_5fc916f292b33c15052a0e191d5b8bd448ef74_f59c766f_12fde068Report.wer::$DATA”,”8192″ “ProgramDataMicrosoftWindowsWERReportQueueAppCrash_explorer.exe_5fc916f292b33c15052a0e191d5b8bd448ef74_f59c766f_1331b9e5Report.wer::$DATA”,”8192″ “ProgramDataMicrosoftWindowsWERReportQueueAppCrash_explorer.exe_5fc916f292b33c15052a0e191d5b8bd448ef74_f59c766f_140db11bReport.wer::$DATA”,”8192″ “ProgramDataMicrosoftWindowsWERReportQueueAppCrash_explorer.exe_5fc916f292b33c15052a0e191d5b8bd448ef74_f59c766f_14a1f5c5Report.wer::$DATA”,”8192″ “ProgramDataMicrosoftWindowsWERReportQueueAppCrash_explorer.exe_5fc916f292b33c15052a0e191d5b8bd448ef74_f59c766f_14f9d210Report.wer::$DATA”,”8192″ “ProgramDataMicrosoftWindowsWERReportQueueAppCrash_explorer.exe_5fc916f292b33c15052a0e191d5b8bd448ef74_f59c766f_1601c01eReport.wer::$DATA”,”8192″ “ProgramDataMicrosoftWindowsWERReportQueueAppCrash_explorer.exe_5fc916f292b33c15052a0e191d5b8bd448ef74_f59c766f_1659c33bReport.wer::$DATA”,”8192″ “ProgramDataMicrosoftWindowsWERReportQueueAppCrash_explorer.exe_5fc916f292b33c15052a0e191d5b8bd448ef74_f59c766f_16a5f279Report.wer::$DATA”,”8192″ “ProgramDataMicrosoftWindowsWERReportQueueAppCrash_explorer.exe_5fc916f292b33c15052a0e191d5b8bd448ef74_f59c766f_1741e932Report.wer::$DATA”,”8192″ “ProgramDataMicrosoftWindowsWERReportQueueAppCrash_explorer.exe_5fc916f292b33c15052a0e191d5b8bd448ef74_f59c766f_174de5d7Report.wer::$DATA”,”8192″ “ProgramDataMicrosoftWindowsWERReportQueueAppCrash_explorer.exe_5fc916f292b33c15052a0e191d5b8bd448ef74_f59c766f_1785fc8bReport.wer::$DATA”,”8192″ “ProgramDataMicrosoftWindowsWERReportQueueAppCrash_explorer.exe_5fc916f292b33c15052a0e191d5b8bd448ef74_f59c766f_17a5f920Report.wer::$DATA”,”8192″ “ProgramDataMicrosoftWindowsWERReportQueueAppCrash_explorer.exe_5fc916f292b33c15052a0e191d5b8bd448ef74_f59c766f_17e9cba7Report.wer::$DATA”,”8192″ “ProgramDataMicrosoftWindowsWERReportQueueAppCrash_explorer.exe_872b35ac7a5a1d030899dca8f57a5963ec476_f59c766f_00b94936Report.wer::$DATA”,”12288″ “ProgramDataMicrosoftWindowsWERReportQueueNonCritical_x64_20dfdf987cdf76c52541d4ea3ad17b2963031d8_00000000_03b4f79eReport.wer::$DATA”,”4096″ “ProgramDataMicrosoftWindowsWERReportQueueNonCritical_x64_20dfdf987cdf76c52541d4ea3ad17b2963031d8_00000000_03e0efedReport.wer::$DATA”,”4096″ “ProgramDataMicrosoftWindowsWERReportQueueNonCritical_x64_25b05a81a83140f3d7de8d9f47c0afe17239c39_00000000_03b4f7aeReport.wer::$DATA”,”4096″ “ProgramDataMicrosoftWindowsWERReportQueueNonCritical_x64_25b05a81a83140f3d7de8d9f47c0afe17239c39_00000000_03e0eec5Report.wer::$DATA”,”4096″ “ProgramDataMicrosoftWindowsWERReportQueueNonCritical_x64_66d9eb871ee8ede890c8165fb4d25fd51813f6b8_00000000_0c27a9a4Report.wer::$DATA”,”4096″ “ProgramDataMicrosoftWindowsWERReportQueueNonCritical_x64_66ed7ad935ea3bac30c19116425360cde56c9d_00000000_03b4fa4eReport.wer::$DATA”,”4096″ “ProgramDataMicrosoftWindowsWERReportQueueNonCritical_x64_66ed7ad935ea3bac30c19116425360cde56c9d_00000000_03e0ef03Report.wer::$DATA”,”4096″ “ProgramDataMicrosoftWindowsWERReportQueueNonCritical_x64_6e19d5d46fd035d03a8251585e1de16962fb683_00000000_03b4f84aReport.wer::$DATA”,”4096″ “ProgramDataMicrosoftWindowsWERReportQueueNonCritical_x64_6e19d5d46fd035d03a8251585e1de16962fb683_00000000_03e0efafReport.wer::$DATA”,”4096″ “ProgramDataMicrosoftWindowsWERReportQueueNonCritical_x64_94eaa24d1a34ccce8c1ae3bb472ead4eeb28751_00000000_03b4f983Report.wer::$DATA”,”4096″ “ProgramDataMicrosoftWindowsWERReportQueueNonCritical_x64_94eaa24d1a34ccce8c1ae3bb472ead4eeb28751_00000000_03e0ef80Report.wer::$DATA”,”4096″ “ProgramDataMicrosoftWindowsWERReportQueueNonCritical_x64_96a393fb125ee7c4c834c3f9253ef68d542e890_00000000_03b4f9d1Report.wer::$DATA”,”4096″ “ProgramDataMicrosoftWindowsWERReportQueueNonCritical_x64_96a393fb125ee7c4c834c3f9253ef68d542e890_00000000_03e0eeb5Report.wer::$DATA”,”4096″ “ProgramDataMicrosoftWindowsWERReportQueueNonCritical_x64_aad41cd64ab6bd8e24f9437419d52868c31e3f_00000000_03b4f83aReport.wer::$DATA”,”4096″ “ProgramDataMicrosoftWindowsWERReportQueueNonCritical_x64_aad41cd64ab6bd8e24f9437419d52868c31e3f_00000000_03e0ef03Report.wer::$DATA”,”4096″ “ProgramDataMicrosoftWindowsWERReportQueueNonCritical_x64_d425fa5acb4ec6d7d4b865851bcd56be3365d4a1_00000000_03b4f8a8Report.wer::$DATA”,”4096″ “ProgramDataMicrosoftWindowsWERReportQueueNonCritical_x64_d425fa5acb4ec6d7d4b865851bcd56be3365d4a1_00000000_03e0efceReport.wer::$DATA”,”4096″ “ProgramDataMicrosoftWindowsWERReportQueueNonCritical_x64_ee34eebec5a40586a718c7da564ea4cc4d571a_00000000_03b4f925Report.wer::$DATA”,”4096″ “ProgramDataMicrosoftWindowsWERReportQueueNonCritical_x64_ee34eebec5a40586a718c7da564ea4cc4d571a_00000000_03e0ef51Report.wer::$DATA”,”4096″ “ProgramDataMicrosoftWindowswfpwfpdiag.etl::$DATA”,”8192″ “ProgramDataPackage Cache{C03981A8-C592-4470-A1B8-1233C6B112B5}v7.0.711.511Setup.msi::$DATA”,”12288″ “ProgramDataUSOPrivateUpdateStore:$I30:$INDEX_ALLOCATION”,”4096″ “ProgramDataUSOPrivateUpdateStoreupdatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml::$DATA”,”4096″ “ProgramDataUSOSharedLogs:$I30:$INDEX_ALLOCATION”,”49152″ “ProgramDataUSOSharedLogsUpdateSessionOrchestration.001.etl::$DATA”,”4096″ “ProgramDataVMwareVDMlogs:$I30:$INDEX_ALLOCATION”,”4096″ “ProgramDataVMwareVDMlogsScanner-scanmgr-2020-02-25-135825.txt::$DATA”,”4096″ “ProgramDataVMwareVDMlogsSerial-vmwsprrdpwks-2020-02-25-135825.txt::$DATA”,”4096″ “ProgramDataVMwareVDMlogsdebug-2017-10-26-004914.txt::$DATA”,”12288″ “ProgramDataVMwareVDMlogslog-2020-02-25.txt::$DATA”,”8192″ “SWSETUPDRVAudioRealtekHDAudio6.0srcVista64DDPD64A.dll::$DATA”,”4096″ “SWSETUPDRVAudioRealtekHDAudio6.0srcVista64HDXLC.CAT::$DATA”,”4096″ “SWSETUPDRVAudioRealtekHDAudio6.0srcVista64RCORES64.dat::$DATA”,”4096″ “SWSETUPDRVAudioRealtekHDAudio6.0srcVista64RCoInstII64.dll::$DATA”,”4096″ “SWSETUPDRVGraphicsAMDGraphic15.xsrcPackagesDriversDisplayWT6A_INFB188958amdkmpfd.stz::$DATA”,”4096″ “SWSETUPDRVGraphicsAMDGraphic15.xsrcPackagesDriversDisplayWT6A_INFB188958amdocl.dll::$DATA”,”4096″ “SWSETUPDRVGraphicsAMDGraphic15.xsrcPackagesDriversDisplayWT6A_INFB188958amdocl12cl64.dll::$DATA”,”8192″ “SWSETUPDRVGraphicsAMDGraphic15.xsrcPackagesDriversDisplayWT6A_INFB188958amdxc64.dll::$DATA”,”4096″ “SWSETUPDRVGraphicsAMDGraphic15.xsrcPackagesDriversDisplayWT6A_INFB188958atidxx32.dll::$DATA”,”4096″ “SWSETUPDRVGraphicsAMDGraphic15.xsrcPackagesDriversDisplayWT6A_INFB188958atioglxx.dll::$DATA”,”8192″ “SWSETUPDRVGraphicsAMDGraphic15.xsrcPackagesDriversDisplayWT6A_INFB188958atiumd6a.dll::$DATA”,”8192″ “SWSETUPDRVGraphicsAMDGraphic15.xsrcPackagesDriversDisplayWT6A_INFB188958mantleaxl32.dll::$DATA”,”4096″ “SWSETUPDRVNetworkBroadcomBroadcomW_KKVQB27.35.308.0srcHP_DriverOnlybcmwl63a.sys::$DATA”,”4096″ “SWSETUPDRVNetworkREALTEKRealtekEt_LLK8B210.12.1007.2016srcdata1.cab::$DATA”,”12288″ “SWSETUPDRVNetworkREALTEKRealtekEt_LLK8B210.12.1007.2016srcsetup.ini::$DATA”,”4096″ “SWSETUPSW_VER:$I30:$INDEX_ALLOCATION”,”4096″ “Temp:$I30:$INDEX_ALLOCATION”,”4096″ “UsersAdmin:$I30:$INDEX_ALLOCATION”,”8192″ “UsersAdminAppDataLocalCitrixReceiver:$I30:$INDEX_ALLOCATION”,”4096″ “UsersAdminAppDataLocalCitrixReceiverErrorLog.xml::$DATA”,”4096″ “UsersAdminAppDataLocalConnectedDevicesPlatformCDPTraces.log::$DATA”,”12288″ “UsersAdminAppDataLocalDiagnostics4609110902018032214.00076B56C7E-E6D2-49F8-8D95-4053E91DA815.Diagnose.0.etl::$DATA”,”4096″ “UsersAdminAppDataLocalGoogleChromeUser DataDefaultBudgetDatabase:$I30:$INDEX_ALLOCATION”,”4096″ “UsersAdminAppDataLocalMicrosoftCLR_v4.0UsageLogs:$I30:$INDEX_ALLOCATION”,”4096″ “UsersAdminAppDataLocalMicrosoftCLR_v4.0UsageLogsAppPlugin.exe.log::$DATA”,”4096″ “UsersAdminAppDataLocalMicrosoftCLR_v4.0UsageLogsHPEasyShell.exe.log::$DATA”,”4096″ “UsersAdminAppDataLocalMicrosoftCLR_v4.0UsageLogsHPEasyShellAdmin.exe.log::$DATA”,”4096″ “UsersAdminAppDataLocalMicrosoftCLR_v4.0_32UsageLogs:$I30:$INDEX_ALLOCATION”,”4096″ “UsersAdminAppDataLocalMicrosoftCLR_v4.0_32UsageLogsConfigurationWizard.exe.log::$DATA”,”4096″ “UsersAdminAppDataLocalMicrosoftCLR_v4.0_32UsageLogsSelfServicePlugin.exe.log::$DATA”,”4096″ “UsersAdminAppDataLocalMicrosoftWindows:$I30:$INDEX_ALLOCATION”,”8192″ “UsersAdminAppDataLocalMicrosoftWindowsCaches:$I30:$INDEX_ALLOCATION”,”4096″ “UsersAdminAppDataLocalMicrosoftWindowsCachescversions.3.db::$DATA”,”4096″ “UsersAdminAppDataLocalMicrosoftWindowsCaches{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x000000000000002f.db::$DATA”,”40960″ “UsersAdminAppDataLocalMicrosoftWindowsExplorer:$I30:$INDEX_ALLOCATION”,”8192″ “UsersAdminAppDataLocalMicrosoftWindowsExplorerExplorerStartupLog_RunOnce.etl::$DATA”,”8192″ “UsersAdminAppDataLocalMicrosoftWindowsNotifications:$I30:$INDEX_ALLOCATION”,”4096″ “UsersAdminAppDataLocalMicrosoftWindowsNotificationswpndatabase.db-wal::$DATA”,”16384″ “UsersAdminAppDataLocalMicrosoftWindowsPRICache:$I30:$INDEX_ALLOCATION”,”4096″ “UsersAdminAppDataLocalMicrosoftWindowsUPPSUPPS.bin::$DATA”,”4096″ “UsersAdminAppDataLocalMicrosoftWindowsUsrClass.dat.LOG1::$DATA”,”409600″ “UsersAdminAppDataLocalMicrosoftWindowsUsrClass.dat::$DATA”,”479232″ “UsersAdminAppDataLocalMicrosoftWindowsWebCache:$I30:$INDEX_ALLOCATION”,”4096″ “UsersAdminAppDataLocalMicrosoftWindowsWebCacheV01.log::$DATA”,”12288″ “UsersAdminAppDataLocalMicrosoftWindowsWebCacheWebCacheV01.dat::$DATA”,”106496″ “UsersAdminAppDataLocalMicrosoftWindowsWebCacheWebCacheV01.jfm::$DATA”,”12288″ “UsersAdminAppDataLocalPackagesMicrosoft.Windows.Cortana_cw5n1h2txyewyACMicrosoftInternet ExplorerDOMStore73WRWD85microsoft.windows[1].xml::$DATA”,”4096″ “UsersAdminAppDataLocalPackagesMicrosoft.Windows.Cortana_cw5n1h2txyewyACTempStructuredQuery.log::$DATA”,”4096″ “UsersAdminAppDataLocalPackagesMicrosoft.Windows.Cortana_cw5n1h2txyewyAppDataIndexed DB:$I30:$INDEX_ALLOCATION”,”4096″ “UsersAdminAppDataLocalPackagesMicrosoft.Windows.Cortana_cw5n1h2txyewyAppDataIndexed DBIndexedDB.edb::$DATA”,”139264″ “UsersAdminAppDataLocalPackagesMicrosoft.Windows.Cortana_cw5n1h2txyewyAppDataIndexed DBIndexedDB.jfm::$DATA”,”16384″ “UsersAdminAppDataLocalPackagesMicrosoft.Windows.Cortana_cw5n1h2txyewyAppDataIndexed DBedb.chk::$DATA”,”8192″ “UsersAdminAppDataLocalPackagesMicrosoft.Windows.Cortana_cw5n1h2txyewyAppDataIndexed DBedb.log::$DATA”,”28672″ “UsersAdminAppDataLocalPackagesMicrosoft.Windows.Cortana_cw5n1h2txyewyLocalState:$I30:$INDEX_ALLOCATION”,”4096″ “UsersAdminAppDataLocalPackagesMicrosoft.Windows.Cortana_cw5n1h2txyewyLocalStateAppIconCache100:$I30:$INDEX_ALLOCATION”,”4096″ “UsersAdminAppDataLocalPackagesMicrosoft.Windows.Cortana_cw5n1h2txyewyLocalStateConstraintIndex:$I30:$INDEX_ALLOCATION”,”4096″ “UsersAdminAppDataLocalPackagesMicrosoft.Windows.Cortana_cw5n1h2txyewyLocalStateConstraintIndexApps_{1f80601a-3986-43b9-be56-3b64d30cb5c3}:$I30:$INDEX_ALLOCATION”,”4096″ “UsersAdminAppDataLocalPackagesMicrosoft.Windows.Cortana_cw5n1h2txyewyLocalStateConstraintIndexApps_{1f80601a-3986-43b9-be56-3b64d30cb5c3}.0.filtertrie.intermediate.txt::$DATA”,”8192″ “UsersAdminAppDataLocalPackagesMicrosoft.Windows.Cortana_cw5n1h2txyewyLocalStateConstraintIndexApps_{1f80601a-3986-43b9-be56-3b64d30cb5c3}Apps.data::$DATA”,”8192″ “UsersAdminAppDataLocalPackagesMicrosoft.Windows.Cortana_cw5n1h2txyewyLocalStateConstraintIndexApps_{1f80601a-3986-43b9-be56-3b64d30cb5c3}Apps.ft::$DATA”,”12288″ “UsersAdminAppDataLocalPackagesMicrosoft.Windows.Cortana_cw5n1h2txyewyLocalStateConstraintIndexApps_{1f80601a-3986-43b9-be56-3b64d30cb5c3}Apps.index::$DATA”,”57344″ “UsersAdminAppDataLocalPackagesMicrosoft.Windows.Cortana_cw5n1h2txyewyLocalStateConstraintIndexApps_{2349fd20-b332-4c67-b3cd-b8594bb1f223}:$I30:$INDEX_ALLOCATION”,”4096″ “UsersAdminAppDataLocalPackagesMicrosoft.Windows.Cortana_cw5n1h2txyewyLocalStateConstraintIndexApps_{2349fd20-b332-4c67-b3cd-b8594bb1f223}.0.filtertrie.intermediate.txt::$DATA”,”8192″ “UsersAdminAppDataLocalPackagesMicrosoft.Windows.Cortana_cw5n1h2txyewyLocalStateConstraintIndexApps_{2349fd20-b332-4c67-b3cd-b8594bb1f223}Apps.data::$DATA”,”8192″ “UsersAdminAppDataLocalPackagesMicrosoft.Windows.Cortana_cw5n1h2txyewyLocalStateConstraintIndexApps_{2349fd20-b332-4c67-b3cd-b8594bb1f223}Apps.ft::$DATA”,”12288″ “UsersAdminAppDataLocalPackagesMicrosoft.Windows.Cortana_cw5n1h2txyewyLocalStateConstraintIndexApps_{2349fd20-b332-4c67-b3cd-b8594bb1f223}Apps.index::$DATA”,”57344″ “UsersAdminAppDataLocalPackagesMicrosoft.Windows.Cortana_cw5n1h2txyewyLocalStateConstraintIndexInput_{8422dfa2-4c81-41a5-93a1-266fdf2afe14}:$I30:$INDEX_ALLOCATION”,”4096″ “UsersAdminAppDataLocalPackagesMicrosoft.Windows.Cortana_cw5n1h2txyewyLocalStateDeviceSearchCache:$I30:$INDEX_ALLOCATION”,”4096″ “UsersAdminAppDataLocalPackagesMicrosoft.Windows.Cortana_cw5n1h2txyewySettingssettings.dat.LOG1::$DATA”,”28672″ “UsersAdminAppDataLocalPackagesMicrosoft.Windows.Cortana_cw5n1h2txyewySettingssettings.dat::$DATA”,”8192″ “UsersAdminAppDataLocalPackagesMicrosoft.Windows.ParentalControls_cw5n1h2txyewyAC:$I30:$INDEX_ALLOCATION”,”4096″ “UsersAdminAppDataLocalPackagesMicrosoft.Windows.ShellExperienceHost_cw5n1h2txyewySettingssettings.dat.LOG1::$DATA”,”8192″ “UsersAdminAppDataLocalPackagesMicrosoft.Windows.ShellExperienceHost_cw5n1h2txyewySettingssettings.dat::$DATA”,”8192″ “UsersAdminAppDataLocalTileDataLayerDatabase:$I30:$INDEX_ALLOCATION”,”4096″ “UsersAdminAppDataLocalTileDataLayerDatabaseEDB.log::$DATA”,”86016″ “UsersAdminAppDataLocalTileDataLayerDatabasevedatamodel.edb::$DATA”,”12288″ “UsersAdminAppDataLocalTileDataLayerDatabasevedatamodel.jfm::$DATA”,”12288″ “UsersAdminAppDataRoamingICAClientAPPSRV.INI::$DATA”,”4096″ “UsersAdminAppDataRoamingMicrosoftWindowsStart MenuProgramsWindows PowerShell:$I30:$INDEX_ALLOCATION”,”4096″ “UsersAdminAppDataRoamingMicrosoftWindowsStart MenuProgramsWindows PowerShellWindows PowerShell ISE (x86).lnk::$DATA”,”4096″ “UsersAdminAppDataRoamingMicrosoftWindowsStart MenuProgramsWindows PowerShellWindows PowerShell.lnk::$DATA”,”4096″ “UsersAdminAppDataRoamingMicrosoftWindowsThemesCachedFiles:$I30:$INDEX_ALLOCATION”,”4096″ “UsersAdminAppDataRoamingMicrosoftWindowsThemesCachedFilesCachedImage_1612_1067_POS4.jpg::$DATA”,”159744″ “UsersAdminNTUSER.DAT::$DATA”,”585728″ “UsersAdminntuser.dat.LOG1::$DATA”,”512000″ “UsersDefaultAppDataLocalCommsUnistoreDB:$I30:$INDEX_ALLOCATION”,”4096″ “UsersPublicFoxit SoftwareFoxit PhantomPDFStartPageStarthk_cnimagesFoxitCloud.png::$DATA”,”4096″ “UsersUser:$I30:$INDEX_ALLOCATION”,”8192″ “UsersUserAppDataLocalCitrixReceiver:$I30:$INDEX_ALLOCATION”,”4096″ “UsersUserAppDataLocalCitrixReceiverErrorLog.xml::$DATA”,”4096″ “UsersUserAppDataLocalConnectedDevicesPlatformCDPTraces.log::$DATA”,”16384″ “UsersUserAppDataLocalGoogleChromeUser DataDefaultCachef_000018::$DATA”,”4096″ “UsersUserAppDataLocalMicrosoftOneDrivelogsPersonal:$I30:$INDEX_ALLOCATION”,”4096″ “UsersUserAppDataLocalMicrosoftOneDrivelogsPersonalTraceCurrent.6381.0405.etl::$DATA”,”4096″ “UsersUserAppDataLocalMicrosoftWindowsUPPSUPPS.bin::$DATA”,”4096″ “UsersUserAppDataLocalPackageswindows.immersivecontrolpanel_cw5n1h2txyewyLocalStateIndexedSettingsen-USAAA_SettingsGroupDataSenseMainPageOverview.settingcontent-ms::$DATA”,”4096″ “UsersUserAppDataLocalPackageswindows.immersivecontrolpanel_cw5n1h2txyewyLocalStateIndexedSettingsen-USAAA_SettingsGroupFamilyUsers.settingcontent-ms::$DATA”,”4096″ “UsersUserAppDataLocalPackageswindows.immersivecontrolpanel_cw5n1h2txyewyLocalStateIndexedSettingsen-USAAA_SettingsGroupPowerAndSleepSleep.settingcontent-ms::$DATA”,”4096″ “UsersUserAppDataLocalPackageswindows.immersivecontrolpanel_cw5n1h2txyewyLocalStateIndexedSettingsen-USAAA_SettingsPagePCSystemDevices-2.settingcontent-ms::$DATA”,”4096″ “UsersUserAppDataLocalVMwareVDMlogs:$I30:$INDEX_ALLOCATION”,”4096″ “UsersUserAppDataLocalVMwareVDMlogsvmware-horizon-viewclient-2020-02-25-145251.txt::$DATA”,”12288″ “UsersUserAppDataRoamingICAClientAPPSRV.INI::$DATA”,”4096″ “UsersUserAppDataRoamingMicrosoftInternet ExplorerQuick LaunchGoogle Chrome.lnk::$DATA”,”4096″ “UsersUserAppDataRoamingMicrosoftWindowsRecentCustomDestinations:$I30:$INDEX_ALLOCATION”,”4096″ “UsersUserAppDataRoamingMicrosoftWindowsRecentCustomDestinations5c1432bf8ef3c674.customDestinations-ms::$DATA”,”4096″ “UsersUserAppDataRoamingVMwareVMware Horizon View Client:$I30:$INDEX_ALLOCATION”,”4096″ “UsersUserNTUSER.DAT::$DATA”,”299008″ “UsersUserntuser.dat.LOG1::$DATA”,”262144″ “Windows:$I30:$INDEX_ALLOCATION”,”8192″ “WindowsBootPCATfi-FIbootmgr.exe.mui::$DATA”,”4096″ “WindowsCCM:$I30:$INDEX_ALLOCATION”,”45056″ “WindowsCCMAssetAdvisor.dll::$DATA”,”4096″ “WindowsCCMCcmStore.log::$DATA”,”4096″ “WindowsCCMCertEnrollmentStore.log::$DATA”,”4096″ “WindowsCCMInventoryAgentSchema.mof::$DATA”,”4096″ “WindowsCCMInventoryStore.log::$DATA”,”4096″ “WindowsCCMLogs:$I30:$INDEX_ALLOCATION”,”8192″ “WindowsCCMLogsCcmExec.log::$DATA”,”16384″ “WindowsCCMLogsCcmMessaging-20200225-145148.log::$DATA”,”61440″ “WindowsCCMLogsCcmMessaging.log::$DATA”,”4096″ “WindowsCCMLogsCcmRepair.log::$DATA”,”16384″ “WindowsCCMLogsCertificateMaintenance.log::$DATA”,”4096″ “WindowsCCMLogsClientIDManagerStartup.log::$DATA”,”16384″ “WindowsCCMLogsClientLocation.log::$DATA”,”4096″ “WindowsCCMLogsLocationServices.log::$DATA”,”12288″ “WindowsCCMLogsPolicyAgentProvider.log::$DATA”,”8192″ “WindowsCCMLogsStatusAgent.log::$DATA”,”12288″ “WindowsCCMLogspwrmgmt.log::$DATA”,”8192″ “WindowsCCMStateMessageStore.log::$DATA”,”4096″ “WindowsCCMUserAffinityStore.log::$DATA”,”4096″ “WindowsCCMUserAffinityStore.sdf::$DATA”,”4096″ “WindowsCCMWUAHandler.dll::$DATA”,”4096″ “WindowsCCMWakePrxy.msi::$DATA”,”4096″ “WindowsINF:$I30:$INDEX_ALLOCATION”,”8192″ “WindowsINFoem5.PNF::$DATA”,”28672″ “WindowsInstaller2878b0.msi::$DATA”,”24576″ “WindowsInstallerb9f01.msi::$DATA”,”4096″ “WindowsInstallerde109.msi::$DATA”,”4096″ “WindowsLogs:$I30:$INDEX_ALLOCATION”,”4096″ “WindowsLogsMeasuredBoot:$I30:$INDEX_ALLOCATION”,”8192″ “WindowsLogsMeasuredBoot000000070-0000000000.log::$DATA”,”24576″ “WindowsLogsNetSetupservice.0.etl::$DATA”,”12288″ “WindowsLogsdosvc:$I30:$INDEX_ALLOCATION”,”8192″ “WindowsLogsdosvcdosvc.20200225_135428_217.etl::$DATA”,”4096″ “WindowsMedia:$I30:$INDEX_ALLOCATION”,”4096″ “WindowsPantherUnattendGCdiagerr.xml::$DATA”,”12288″ “WindowsPantherUnattendGCdiagwrn.xml::$DATA”,”12288″ “WindowsPantherUnattendGCsetupact.log::$DATA”,”16384″ “WindowsServiceProfilesLocalServiceAppDataLocal:$I30:$INDEX_ALLOCATION”,”4096″ “WindowsServiceProfilesLocalServiceAppDataLocalFontCache:$I30:$INDEX_ALLOCATION”,”4096″ “WindowsServiceProfilesLocalServiceAppDataLocalFontCache~FontCache-S-1-5-18.dat::$DATA”,”8192″ “WindowsServiceProfilesLocalServiceAppDataLocalFontCache~FontCache-S-1-5-21-3717794714-1304214083-2058911587-1001.dat::$DATA”,”4096″ “WindowsServiceProfilesLocalServiceAppDataLocallastalive0.dat::$DATA”,”4096″ “WindowsServiceProfilesLocalServiceAppDataLocallastalive1.dat::$DATA”,”4096″ “WindowsServiceProfilesLocalServiceNTUSER.DAT.LOG1::$DATA”,”28672″ “WindowsServiceProfilesLocalServiceNTUSER.DAT::$DATA”,”8192″ “WindowsServiceProfilesNetworkServiceAppDataLocalMicrosoftWindowsWinXGroup25 – Task Manager.lnk::$DATA”,”4096″ “WindowsServiceProfilesNetworkServiceAppDataLocalTemp:$I30:$INDEX_ALLOCATION”,”4096″ “WindowsServiceProfilesNetworkServiceAppDataLocalTempMpCmdRun.log::$DATA”,”8192″ “WindowsServiceProfilesNetworkServiceNTUSER.DAT.LOG1::$DATA”,”61440″ “WindowsServiceProfilesNetworkServiceNTUSER.DAT::$DATA”,”8192″ “WindowsServiceProfilesNetworkServicedebugNetSetup.LOG::$DATA”,”4096″ “WindowsSysWOW64:$I30:$INDEX_ALLOCATION”,”8192″ “WindowsSysWOW64NuiFaceAnalysisColor.mdl::$DATA”,”4096″ “WindowsSysWOW64adsnt.dll::$DATA”,”8192″ “WindowsSysWOW64mstscax.dll::$DATA”,”4096″ “WindowsSystem32:$I30:$INDEX_ALLOCATION”,”114688″ “WindowsSystem32BtwRSupportService.exe::$DATA”,”16384″ “WindowsSystem32CatRoot{F750E6C3-38EE-11D1-85E5-00C04FC295EE}:$I30:$INDEX_ALLOCATION”,”8192″ “WindowsSystem32CatRoot{F750E6C3-38EE-11D1-85E5-00C04FC295EE}oem9.CAT::$DATA”,”4096″ “WindowsSystem32DDORes.dll::$DATA”,”4096″ “WindowsSystem32DriverStoreFileRepositorybcbtums-win8x64-brcm.inf_amd64_2705035d8bdc4013BCM20702A1_001.002.014.1443.1478.hex::$DATA”,”4096″ “WindowsSystem32DriverStoreFileRepositorybcbtums-win8x64-brcm.inf_amd64_497ea83c5e72f693:$I30:$INDEX_ALLOCATION”,”4096″ “WindowsSystem32DriverStoreFileRepositorybcbtums-win8x64-brcm.inf_amd64_497ea83c5e72f693BCM43142A0_001.001.011.0311.0327.hex::$DATA”,”4096″ “WindowsSystem32DriverStoreFileRepositorybcmwdi.inf_amd64_5639078771b06c1dbcmihvui64.dll::$DATA”,”4096″ “WindowsSystem32DriverStoreFileRepositoryc0189240.inf_amd64_11313a2e6aa0c990B188958AMDh264Enc64.dll::$DATA”,”4096″ “WindowsSystem32DriverStoreFileRepositoryc0189240.inf_amd64_11313a2e6aa0c990B188958amdocl.dll::$DATA”,”4096″ “WindowsSystem32DriverStoreFileRepositoryc0189240.inf_amd64_11313a2e6aa0c990B188958amdxc32.dll::$DATA”,”4096″ “WindowsSystem32DriverStoreFileRepositoryhdxhpbpc.inf_amd64_4cc6b3776124f193RCoRes64.dat::$DATA”,”4096″ “WindowsSystem32DriverStoreFileRepositoryhp640x64.inf_amd64_12f4b4034ddadb46rt640x64.cat::$DATA”,”4096″ “WindowsSystem32DriverStoreFileRepositorynetwew01.inf_amd64_8f61163a2a2bddf8NETwew01.sys::$DATA”,”4096″ “WindowsSystem32DriverStoreFileRepositoryprnbrcl1.inf_amd64_27262c292cd27de8BRIBMF07.dpb::$DATA”,”4096″ “WindowsSystem32DriverStoreFileRepositorywiadl003.inf_amd64_4a99ce93f2544c9famd64DL2145.icc::$DATA”,”4096″ “WindowsSystem32F12MemoryAnalyzer.dll::$DATA”,”4096″ “WindowsSystem32LogFilesWMI:$I30:$INDEX_ALLOCATION”,”4096″ “WindowsSystem32LogFilesWMIRtBackup:$I30:$INDEX_ALLOCATION”,”4096″ “WindowsSystem32LogFilesWMIRtBackupEtwRTDiagLog.etl::$DATA”,”4096″ “WindowsSystem32LogFilesWMIRtBackupEtwRTEventLog-Application.etl::$DATA”,”4096″ “WindowsSystem32LogFilesWMIRtBackupEtwRTEventLog-System.etl::$DATA”,”4096″ “WindowsSystem32RCoRes64.dat::$DATA”,”12288″ “WindowsSystem32SecureTimeAggregator.dll::$DATA”,”4096″ “WindowsSystem32SleepStudy:$I30:$INDEX_ALLOCATION”,”4096″ “WindowsSystem32SleepStudyUserNotPresentSession.etl::$DATA”,”4096″ “WindowsSystem32Tasks:$I30:$INDEX_ALLOCATION”,”4096″ “WindowsSystem32TasksCreateExplorerShellUnelevatedTask::$DATA”,”4096″ “WindowsSystem32TasksMicrosoftWindowsSoftwareProtectionPlatform:$I30:$INDEX_ALLOCATION”,”4096″ “WindowsSystem32TasksMicrosoftWindowsSoftwareProtectionPlatformSvcRestartTask::$DATA”,”4096″ “WindowsSystem32TasksMicrosoftWindowsUpdateOrchestrator:$I30:$INDEX_ALLOCATION”,”4096″ “WindowsSystem32TasksMicrosoftWindowsUpdateOrchestratorResume On Boot::$DATA”,”4096″ “WindowsSystem32TasksMicrosoftWindowsUpdateOrchestratorSchedule Scan::$DATA”,”4096″ “WindowsSystem32WDI:$I30:$INDEX_ALLOCATION”,”4096″ “WindowsSystem32WDIBootPerformanceDiagnostics_SystemData.bin::$DATA”,”20480″ “WindowsSystem32WDILogFiles:$I30:$INDEX_ALLOCATION”,”4096″ “WindowsSystem32WDILogFilesBootCKCL.etl::$DATA”,”6467584″ “WindowsSystem32WDILogFilesSecondaryLogonCKCL.etl::$DATA”,”11378688″ “WindowsSystem32WDILogFilesShutdownCKCL.etl::$DATA”,”4096″ “WindowsSystem32WDILogFilesStartupInfo:$I30:$INDEX_ALLOCATION”,”4096″ “WindowsSystem32WDILogFilesWdiContextLog.etl.001::$DATA”,”118784″ “WindowsSystem32WDIShutdownPerformanceDiagnostics_SystemData.bin::$DATA”,”8192″ “WindowsSystem32WDI{86432a0b-3c7d-4ddf-a89c-172faa90485d}:$I30:$INDEX_ALLOCATION”,”8192″ “WindowsSystem32WDI{86432a0b-3c7d-4ddf-a89c-172faa90485d}S-1-5-21-3717794714-1304214083-2058911587-1000_UserData.bin::$DATA”,”4096″ “WindowsSystem32WDI{86432a0b-3c7d-4ddf-a89c-172faa90485d}{2366e4fe-ce19-4a10-9eae-e12a30acf10d}snapshot.etl::$DATA”,”81920″ “WindowsSystem32WDI{9f41811a-0429-42aa-81b7-cfd4d968411f}:$I30:$INDEX_ALLOCATION”,”8192″ “WindowsSystem32WDI{9f41811a-0429-42aa-81b7-cfd4d968411f}{965d70d1-73b9-4137-a1cd-fb16eb06ca9c}snapshot.etl::$DATA”,”118784″ “WindowsSystem32WindowsPowerShellv1.0Modules:$I30:$INDEX_ALLOCATION”,”4096″ “WindowsSystem32atiadlxx.dll::$DATA”,”4096″ “WindowsSystem32ativvaxy_vi_nd.dat::$DATA”,”4096″ “WindowsSystem32catroot2:$I30:$INDEX_ALLOCATION”,”4096″ “WindowsSystem32catroot2edb.chk::$DATA”,”8192″ “WindowsSystem32catroot2edb.log::$DATA”,”2097152″ “WindowsSystem32catroot2edbtmp.log::$DATA”,”1970176″ “WindowsSystem32catroot2{127D0A1D-4EF2-11D1-8608-00C04FC295EE}catdb.jfm::$DATA”,”12288″ “WindowsSystem32catroot2{127D0A1D-4EF2-11D1-8608-00C04FC295EE}catdb::$DATA”,”12288″ “WindowsSystem32catroot2{F750E6C3-38EE-11D1-85E5-00C04FC295EE}catdb.jfm::$DATA”,”12288″ “WindowsSystem32catroot2{F750E6C3-38EE-11D1-85E5-00C04FC295EE}catdb::$DATA”,”12288″ “WindowsSystem32config:$I30:$INDEX_ALLOCATION”,”24576″ “WindowsSystem32configBBI.LOG1::$DATA”,”45056″ “WindowsSystem32configBBI::$DATA”,”8192″ “WindowsSystem32configDEFAULT.LOG1::$DATA”,”311296″ “WindowsSystem32configDEFAULT::$DATA”,”208896″ “WindowsSystem32configDRIVERS.LOG1::$DATA”,”40960″ “WindowsSystem32configDRIVERS::$DATA”,”8192″ “WindowsSystem32configSAM.LOG1::$DATA”,”16384″ “WindowsSystem32configSAM.LOG2::$DATA”,”24576″ “WindowsSystem32configSAM::$DATA”,”28672″ “WindowsSystem32configSECURITY.LOG1::$DATA”,”20480″ “WindowsSystem32configSECURITY::$DATA”,”12288″ “WindowsSystem32configSOFTWARE.LOG1::$DATA”,”11776000″ “WindowsSystem32configSOFTWARE::$DATA”,”12288″ “WindowsSystem32configSYSTEM.LOG1::$DATA”,”4481024″ “WindowsSystem32configSYSTEM.LOG2::$DATA”,”483328″ “WindowsSystem32configSYSTEM::$DATA”,”4022272″ “WindowsSystem32configTxR{b6646a8d-4b5d-11e6-80d2-90b11c2689d2}.TxR.6.regtrans-ms::$DATA”,”20480″ “WindowsSystem32configTxR{b6646a8d-4b5d-11e6-80d2-90b11c2689d2}.TxR.blf::$DATA”,”32768″ “WindowsSystem32configTxR{b6646a8e-4b5d-11e6-80d2-90b11c2689d2}.TM.blf::$DATA”,”4096″ “WindowsSystem32configsystemprofileAppDataLocalMicrosoftWindowsPowerShellStartupProfileData-NonInteractive::$DATA”,”4096″ “WindowsSystem32configsystemprofileAppDataLocalTempvmware-SYSTEM:$I30:$INDEX_ALLOCATION”,”4096″ “WindowsSystem32configsystemprofileAppDataLocalTempvmware-SYSTEMvmware-usbarb-2736.log::$DATA”,”4096″ “WindowsSystem32configsystemprofileAppDataRoamingTightVNC:$I30:$INDEX_ALLOCATION”,”4096″ “WindowsSystem32en-US:$I30:$INDEX_ALLOCATION”,”69632″ “WindowsSystem32en-USdmdskres2.dll.mui::$DATA”,”4096″ “WindowsSystem32en-USesrb.rs.mui::$DATA”,”4096″ “WindowsSystem32en-USfsutil.exe.mui::$DATA”,”4096″ “WindowsSystem32en-USmmsys.cpl.mui::$DATA”,”4096″ “WindowsSystem32en-USusbui.dll.mui::$DATA”,”4096″ “WindowsSystem32en-USxrWCtmg2.dll.mui::$DATA”,”4096″ “WindowsSystem32es-MXWindows.Media.Speech.UXRes.dll.mui::$DATA”,”4096″ “WindowsSystem32he-ILmsimsg.dll.mui::$DATA”,”4096″ “WindowsSystem32imageres.dll::$DATA”,”4096″ “WindowsSystem32lv-LV:$I30:$INDEX_ALLOCATION”,”4096″ “WindowsSystem32migrationAppManMigrationPlugin.dll::$DATA”,”4096″ “WindowsSystem32migwizSFLISTRS1.dat::$DATA”,”4096″ “WindowsSystem32migwizSFLISTWT.dat::$DATA”,”4096″ “WindowsSystem32migwizSFLISTXP.dat::$DATA”,”4096″ “WindowsSystem32sc.exe::$DATA”,”4096″ “WindowsSystem32spooldriversx64{CE014E7E-D5C9-4179-A429-1DAF47ABADB1}PrintConfig.dll::$DATA”,”4096″ “WindowsSystem32sru:$I30:$INDEX_ALLOCATION”,”4096″ “WindowsSystem32sruSRU.chk::$DATA”,”8192″ “WindowsSystem32sruSRU.log::$DATA”,”65536″ “WindowsSystem32sruSRU00083.log::$DATA”,”8192″ “WindowsSystem32sruSRUDB.dat::$DATA”,”12288″ “WindowsSystem32sruSRUDB.jfm::$DATA”,”12288″ “WindowsSystem32wbem:$I30:$INDEX_ALLOCATION”,”12288″ “WindowsSystem32wbemAutoRecover4E7F1C45E98E1E6D1ADED58D64C4D872.mof::$DATA”,”4096″ “WindowsSystem32wbemAutoRecover6317F4B515BD547512FF3AE3ACD81242.mof::$DATA”,”4096″ “WindowsSystem32wbemAutoRecover654F3EE19891AE21317F7E0B522ED575.mof::$DATA”,”4096″ “WindowsSystem32wbemAutoRecoverBAE93F9B141EC7983B2E3379E3E9119E.mof::$DATA”,”4096″ “WindowsSystem32wbemAutoRecoverBBDEA425479C2F0C48DA20C11BB1401B.mof::$DATA”,”4096″ “WindowsSystem32wbemAutoRecoverBD557D61619F268BDCEA21C2BDB91514.mof::$DATA”,”4096″ “WindowsSystem32wbemAutoRecoverBD818313E410FD46A9F63786A32AEE23.mof::$DATA”,”12288″ “WindowsSystem32wbemAutoRecoverD8CE7E7C19BB55741CB37A3F1C7C4939.mof::$DATA”,”4096″ “WindowsSystem32wbemAutoRecoverE6D5CBEDFC8BB0E64BCBD55168BF7118.mof::$DATA”,”4096″ “WindowsSystem32wbemPerformanceWmiApRpl.h::$DATA”,”4096″ “WindowsSystem32wbemrepository.001INDEX.BTR::$DATA”,”4096″ “WindowsSystem32wbemrepository:$I30:$INDEX_ALLOCATION”,”4096″ “WindowsSystem32wbemrepositoryINDEX.BTR::$DATA”,”401408″ “WindowsSystem32wbemrepositoryMAPPING1.MAP::$DATA”,”180224″ “WindowsSystem32wbemrepositoryMAPPING2.MAP::$DATA”,”8192″ “WindowsSystem32wbemrepositoryMAPPING3.MAP::$DATA”,”12288″ “WindowsSystem32wbemrepositoryOBJECTS.DATA::$DATA”,”184320″ “WindowsSystem32winevtLogs:$I30:$INDEX_ALLOCATION”,”73728″ “WindowsSystem32winevtLogsMicrosoft-Client-Licensing-Platform%4Admin.evtx::$DATA”,”45056″ “WindowsSystem32winevtLogsMicrosoft-Windows-AppXDeploymentServer%4Operational.evtx::$DATA”,”61440″ “WindowsSystem32winevtLogsMicrosoft-Windows-Application-Experience%4Program-Telemetry.evtx::$DATA”,”28672″ “WindowsSystem32winevtLogsMicrosoft-Windows-Audio%4PlaybackManager.evtx::$DATA”,”36864″ “WindowsSystem32winevtLogsMicrosoft-Windows-Biometrics%4Operational.evtx::$DATA”,”40960″ “WindowsSystem32winevtLogsMicrosoft-Windows-BitLocker%4BitLocker Management.evtx::$DATA”,”8192″ “WindowsSystem32winevtLogsMicrosoft-Windows-Bits-Client%4Operational.evtx::$DATA”,”49152″ “WindowsSystem32winevtLogsMicrosoft-Windows-CodeIntegrity%4Operational.evtx::$DATA”,”16384″ “WindowsSystem32winevtLogsMicrosoft-Windows-Containers-Wcifs%4Operational.evtx::$DATA”,”12288″ “WindowsSystem32winevtLogsMicrosoft-Windows-DeviceSetupManager%4Admin.evtx::$DATA”,”40960″ “WindowsSystem32winevtLogsMicrosoft-Windows-DeviceSetupManager%4Operational.evtx::$DATA”,”20480″ “WindowsSystem32winevtLogsMicrosoft-Windows-Diagnosis-DPS%4Operational.evtx::$DATA”,”28672″ “WindowsSystem32winevtLogsMicrosoft-Windows-Diagnostics-Performance%4Operational.evtx::$DATA”,”40960″ “WindowsSystem32winevtLogsMicrosoft-Windows-GroupPolicy%4Operational.evtx::$DATA”,”45056″ “WindowsSystem32winevtLogsMicrosoft-Windows-Kernel-PnP%4Configuration.evtx::$DATA”,”49152″ “WindowsSystem32winevtLogsMicrosoft-Windows-Kernel-ShimEngine%4Operational.evtx::$DATA”,”45056″ “WindowsSystem32winevtLogsMicrosoft-Windows-Kernel-WHEA%4Operational.evtx::$DATA”,”24576″ “WindowsSystem32winevtLogsMicrosoft-Windows-Known Folders API Service.evtx::$DATA”,”45056″ “WindowsSystem32winevtLogsMicrosoft-Windows-LiveId%4Operational.evtx::$DATA”,”45056″ “WindowsSystem32winevtLogsMicrosoft-Windows-NetworkProfile%4Operational.evtx::$DATA”,”32768″ “WindowsSystem32winevtLogsMicrosoft-Windows-Ntfs%4Operational.evtx::$DATA”,”32768″ “WindowsSystem32winevtLogsMicrosoft-Windows-Ntfs%4WHC.evtx::$DATA”,”12288″ “WindowsSystem32winevtLogsMicrosoft-Windows-PowerShell%4Operational.evtx::$DATA”,”53248″ “WindowsSystem32winevtLogsMicrosoft-Windows-PushNotification-Platform%4Operational.evtx::$DATA”,”40960″ “WindowsSystem32winevtLogsMicrosoft-Windows-RemoteDesktopServices-RdpCoreTS%4Operational.evtx::$DATA”,”69632″ “WindowsSystem32winevtLogsMicrosoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx::$DATA”,”40960″ “WindowsSystem32winevtLogsMicrosoft-Windows-SMBServer%4Operational.evtx::$DATA”,”40960″ “WindowsSystem32winevtLogsMicrosoft-Windows-Security-SPP-UX-Notifications%4ActionCenter.evtx::$DATA”,”24576″ “WindowsSystem32winevtLogsMicrosoft-Windows-SettingSync%4Debug.evtx::$DATA”,”45056″ “WindowsSystem32winevtLogsMicrosoft-Windows-Shell-Core%4AppDefaults.evtx::$DATA”,”4096″ “WindowsSystem32winevtLogsMicrosoft-Windows-Shell-Core%4Operational.evtx::$DATA”,”73728″ “WindowsSystem32winevtLogsMicrosoft-Windows-SmartCard-DeviceEnum%4Operational.evtx::$DATA”,”8192″ “WindowsSystem32winevtLogsMicrosoft-Windows-SmbClient%4Connectivity.evtx::$DATA”,”32768″ “WindowsSystem32winevtLogsMicrosoft-Windows-StateRepository%4Operational.evtx::$DATA”,”40960″ “WindowsSystem32winevtLogsMicrosoft-Windows-Storage-ClassPnP%4Operational.evtx::$DATA”,”45056″ “WindowsSystem32winevtLogsMicrosoft-Windows-Storage-Storport%4Operational.evtx::$DATA”,”4096″ “WindowsSystem32winevtLogsMicrosoft-Windows-Store%4Operational.evtx::$DATA”,”77824″ “WindowsSystem32winevtLogsMicrosoft-Windows-TWinUI%4Operational.evtx::$DATA”,”40960″ “WindowsSystem32winevtLogsMicrosoft-Windows-TaskScheduler%4Maintenance.evtx::$DATA”,”40960″ “WindowsSystem32winevtLogsMicrosoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx::$DATA”,”49152″ “WindowsSystem32winevtLogsMicrosoft-Windows-TerminalServices-PnPDevices%4Admin.evtx::$DATA”,”4096″ “WindowsSystem32winevtLogsMicrosoft-Windows-TerminalServices-RDPClient%4Operational.evtx::$DATA”,”4096″ “WindowsSystem32winevtLogsMicrosoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx::$DATA”,”4096″ “WindowsSystem32winevtLogsMicrosoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx::$DATA”,”40960″ “WindowsSystem32winevtLogsMicrosoft-Windows-TerminalServices-ServerUSBDevices%4Admin.evtx::$DATA”,”4096″ “WindowsSystem32winevtLogsMicrosoft-Windows-UnifiedWriteFilter%4Admin.evtx::$DATA”,”4096″ “WindowsSystem32winevtLogsMicrosoft-Windows-UniversalTelemetryClient%4Operational.evtx::$DATA”,”32768″ “WindowsSystem32winevtLogsMicrosoft-Windows-User Profile Service%4Operational.evtx::$DATA”,”45056″ “WindowsSystem32winevtLogsMicrosoft-Windows-VolumeSnapshot-Driver%4Operational.evtx::$DATA”,”24576″ “WindowsSystem32winevtLogsMicrosoft-Windows-WMI-Activity%4Operational.evtx::$DATA”,”139264″ “WindowsSystem32winevtLogsMicrosoft-Windows-Wcmsvc%4Operational.evtx::$DATA”,”45056″ “WindowsSystem32winevtLogsMicrosoft-Windows-WinRM%4Operational.evtx::$DATA”,”32768″ “WindowsSystem32winevtLogsMicrosoft-Windows-Windows Defender%4Operational.evtx::$DATA”,”40960″ “WindowsSystem32winevtLogsMicrosoft-Windows-Windows Defender%4WHC.evtx::$DATA”,”40960″ “WindowsSystem32winevtLogsMicrosoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx::$DATA”,”53248″ “WindowsSystem32winevtLogsWindows PowerShell.evtx::$DATA”,”69632″ “WindowsSystemAppsMicrosoft.AAD.BrokerPlugin_cw5n1h2txyewy:$I30:$INDEX_ALLOCATION”,”4096″ “WindowsSystemAppsMicrosoft.Windows.CloudExperienceHost_cw5n1h2txyewy:$I30:$INDEX_ALLOCATION”,”4096″ “WindowsSystemAppsMicrosoft.Windows.Cortana_cw5n1h2txyewyViews:$I30:$INDEX_ALLOCATION”,”4096″ “WindowsSystemResources:$I30:$INDEX_ALLOCATION”,”4096″ “WindowsWinSxSBackupwow64_microsoft-windows-rasbase_31bf3856ad364e35_10.0.14393.0_none_45a97daec582ab7b_pppmenu.scp_74b84d65::$DATA”,”4096″ “WindowsWinSxSCatalogsbd55e9e8cd084d9fb5770403b53adfb2aa26f87fb0d8a4b0de7a9b922f3df92b.cat::$DATA”,”4096″ “WindowsWinSxSManifestCached6807e9eee51fde5_blobs.bin::$DATA”,”4096″ “WindowsWinSxSamd64_adobe-flash-for-windows_31bf3856ad364e35_10.0.14393.0_none_59144f8180423830Flash.ocx::$DATA”,”4096″ “WindowsWinSxSamd64_microsoft-windows-a..ntscontrol.appxmain_31bf3856ad364e35_10.0.14393.187_none_c7d729a2dc0184eaAccountsControlUI.dll::$DATA”,”4096″ “WindowsWinSxSamd64_microsoft-windows-aero_31bf3856ad364e35_10.0.14393.0_none_d9577d06301c3ab0aero.msstyles::$DATA”,”4096″ “WindowsWinSxSamd64_microsoft-windows-c..sktop.appxmain.root_31bf3856ad364e35_10.0.14393.1378_none_50be9361091d8eb8:$I30:$INDEX_ALLOCATION”,”4096″ “WindowsWinSxSamd64_microsoft-windows-c..sktop.appxmain.root_31bf3856ad364e35_10.0.14393.1378_none_50be9361091d8eb8Cortana.SPA.winmd::$DATA”,”4096″ “WindowsWinSxSamd64_microsoft-windows-font-truetype-yugothic_31bf3856ad364e35_10.0.14393.82_none_2b75beb2544be2f8YuGothR.ttc::$DATA”,”4096″ “WindowsWinSxSamd64_microsoft-windows-i..codepage-additional_31bf3856ad364e35_10.0.14393.0_none_82d1cf1356a1336cC_1026.NLS::$DATA”,”4096″ “WindowsWinSxSamd64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_10.0.14393.1532_none_867de26e0f845142iismig.dll::$DATA”,”4096″ “WindowsWinSxSamd64_microsoft-windows-m..elmanifests-inetsrv_31bf3856ad364e35_10.0.14393.1532_none_eabf3d64a0f0b919iismig.dll::$DATA”,”4096″ “WindowsWinSxSamd64_microsoft-windows-m..mentmanifests-shell_31bf3856ad364e35_10.0.14393.0_none_eda070d4b576c4af:$I30:$INDEX_ALLOCATION”,”4096″ “WindowsWinSxSamd64_microsoft-windows-p..alcontrols.appxmain_31bf3856ad364e35_10.0.14393.0_none_d0e28872424a59a6:$I30:$INDEX_ALLOCATION”,”4096″ “WindowsWinSxSamd64_microsoft-windows-rpc-local_31bf3856ad364e35_10.0.14393.1378_none_29a827109fb31095rpcrt4.dll::$DATA”,”4096″ “WindowsWinSxSamd64_microsoft-windows-s..gementwmi.resources_31bf3856ad364e35_10.0.14393.1198_en-us_ef6c7526a39015f4storagewmi.mfl::$DATA”,”4096″ “WindowsWinSxSamd64_microsoft-windows-s..settings-searchdata_31bf3856ad364e35_10.0.14393.0_none_bb1fc3c1adc6ecc6AAA_SettingsGroupWebAccounts.settingcontent-ms::$DATA”,”4096″ “WindowsWinSxSamd64_microsoft-windows-smartcardsubsystem_31bf3856ad364e35_10.0.14393.1480_none_8da1ae3bc49811d8ScDeviceEnum.dll::$DATA”,”4096″ “WindowsWinSxSamd64_microsoft-windows-ui-shell-component_31bf3856ad364e35_10.0.14393.1715_none_c31e0c46654c4ede:$I30:$INDEX_ALLOCATION”,”4096″ “WindowsWinSxSamd64_microsoft-windows-windowscodecraw_31bf3856ad364e35_10.0.14393.1715_none_0a71fc961280cff8WindowsCodecsRaw.dll::$DATA”,”4096″ “WindowsWinSxSamd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.14393.0_cs-cz_1406bb749169a7aecomctl32.dll.mui::$DATA”,”4096″ “WindowsWinSxSamd64_windowssearchengine_31bf3856ad364e35_7.0.14393.1715_none_089e201c66d180f7SearchProtocolHost.exe::$DATA”,”4096″ “WindowsWinSxSwow64_microsoft-windows-accessibilitycpl_31bf3856ad364e35_10.0.14393.0_none_9126d6a09eeef6ddaccessibilitycpl.dll::$DATA”,”12288″ “WindowsWinSxSwow64_microsoft-windows-cdosys_31bf3856ad364e35_10.0.14393.0_none_560f15ed7077c3c3cdosys.dll::$DATA”,”4096″ “WindowsWinSxSwow64_microsoft-windows-n..orking-connectivity_31bf3856ad364e35_10.0.14393.0_none_6a444cd57177fb76:$I30:$INDEX_ALLOCATION”,”4096″ “WindowsWinSxSwow64_microsoft-windows-s..ementwmi-powershell_31bf3856ad364e35_10.0.14393.1198_none_6963c28716a18a58DiskImage.cdxml::$DATA”,”4096″ “WindowsWinSxSwow64_microsoft-windows-twinui_31bf3856ad364e35_10.0.14393.1715_none_f378ace8488637aatwinui.dll::$DATA”,”4096″ “WindowsWinSxSwow64_microsoft-windows-w..indowsuiinputinking_31bf3856ad364e35_10.0.14393.1198_none_6f886256721401cfWindows.UI.Input.Inking.dll::$DATA”,”4096″ “WindowsWinSxSwow64_microsoft.powershell.dscresources_31bf3856ad364e35_10.0.14393.0_none_d237c98de8adb955ServiceSet.Schema.psm1::$DATA”,”4096″ “WindowsappcompatPrograms:$I30:$INDEX_ALLOCATION”,”4096″ “WindowsappcompatProgramsAmcache.hve.LOG1::$DATA”,”3088384″ “WindowsappcompatProgramsAmcache.hve::$DATA”,”3375104″ “Windowsappcompatappraiser:$I30:$INDEX_ALLOCATION”,”4096″ “WindowsappcompatappraiserAPPRAISER_FileInventory.xml::$DATA”,”24576″ “WindowsassemblyGAC_32PresentationCore3.0.0.0__31bf3856ad364e35wpfgfx_v0300.dll::$DATA”,”8192″ “WindowsassemblyGAC_32mscorlib2.0.0.0__b77a5c561934e089sortkey.nlp::$DATA”,”4096″ “WindowsassemblyNativeImages_v4.0.30319_64System.Manaa57fc8cc#6ddad87e88d187e293e1df983f81be0fSystem.Management.Automation.ni.dll::$DATA”,”4096″ “WindowsassemblyNativeImages_v4.0.30319_64System.ServiceModeld4ea309176ef1858349a774bafeab98eSystem.ServiceModel.ni.dll::$DATA”,”4096″ “Windowsbootstat.dat::$DATA”,”8192″ “WindowsdebugWIAwiatrace.log::$DATA”,”20480″ “WindowsservicingPackages:$I30:$INDEX_ALLOCATION”,”4096″ “WindowsservicingPackagesMicrosoft-OneCore-Connectivity-Keyboard-Package~31bf3856ad364e35~amd64~en-US~10.0.14393.0.mum::$DATA”,”4096″ “Windowsxpeagent:$I30:$INDEX_ALLOCATION”,”8192″ “WindowsxpeagentTPM:$I30:$INDEX_ALLOCATION”,”4096″ “Windowsxpeagentagent.log::$DATA”,”12288″ “Windowsxpeagentdiscovery.log::$DATA”,”12288″ “Windowsxpeagentlibssl-1_1-x64.dll::$DATA”,”4096″ “Windowsxpeagentmfc100u.dll::$DATA”,”32768″ “Windowsxpeagentmsvcp100.dll::$DATA”,”4096″ LikeLike
    Reply

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s