sandboxie-plus / Sandboxie

Sandboxie Plus & Classic
https://Sandboxie-Plus.com
GNU General Public License v3.0

SBIE2224 Sandboxed ASF crashes on launch (WindowsCryptographicException) #740

Closed NewKidOnTheBlock closed 3 years ago

NewKidOnTheBlock commented 3 years ago

Description

I've run ASF in Sandboxie for years, but now it crashes on launch. Thankfully I've captured logfiles before and after.

Reproduction steps

  1. Go to https://github.com/JustArchiNET/ArchiSteamFarm/releases
  2. Download ASF-win-x64.zip
  3. Try to run ArchiSteamFarm.exe in Sandboxie -> SBIE2224 Crash

Here is the log (31st March 2021):

2021-03-31 14:00:53|ArchiSteamFarm-12100|INFO|ASF|InitCore() ArchiSteamFarm V5.0.4.3 (win-x64/90abcec0-aa84-4c10-8355-a8bccb207d68 | Microsoft Windows 10.0.19042)
2021-03-31 14:00:55|ArchiSteamFarm-12100|INFO|ASF|InitPlugins() Initializing Plugins...
2021-03-31 14:00:55|ArchiSteamFarm-12100|DEBUG|ASF|InitPlugins() Initializing ArchiSteamFarm.OfficialPlugins.SteamTokenDumper, Version=5.0.4.3, Culture=neutral, PublicKeyToken=null...
2021-03-31 14:00:55|ArchiSteamFarm-12100|INFO|ASF|InitPlugins() Loading SteamTokenDumperPlugin V5.0.4.3...
2021-03-31 14:00:55|ArchiSteamFarm-12100|INFO|ASF|InitPlugins() SteamTokenDumperPlugin has been loaded successfully!
2021-03-31 14:00:55|ArchiSteamFarm-12100|INFO|ASF|OnASFInit() SteamTokenDumperPlugin is currently disabled. If you'd like to help SteamDB in data submission, check out our wiki for SteamTokenDumperPlugin.
2021-03-31 14:00:55|ArchiSteamFarm-12100|INFO|ASF|StartInteractiveConsole() Interactive console is now active, type 'c' in order to enter command mode.
2021-03-31 14:00:55|ArchiSteamFarm-12100|INFO|***|Start() Starting...
2021-03-31 14:00:55|ArchiSteamFarm-12100|INFO|***|Connect() Connecting...
2021-03-31 14:00:55|ArchiSteamFarm-12100|INFO|***|Start() Starting...
2021-03-31 14:00:56|ArchiSteamFarm-12100|INFO|***|OnConnected() Connected to Steam!
2021-03-31 14:00:56|ArchiSteamFarm-12100|INFO|***|OnConnected() Logging in...
2021-03-31 14:00:57|ArchiSteamFarm-12100|INFO|***|OnLoggedOn() Successfully logged on as ***/***.
2021-03-31 14:00:57|ArchiSteamFarm-12100|FATAL|ASF|OnUnhandledException() System.TypeInitializationException: The type initializer for 'System.Security.Cryptography.CngKeyLite' threw an exception.
 ---> Internal.Cryptography.CryptoThrowHelper+WindowsCryptographicException: Das Stub erhielt falsche Daten.
   at System.Security.Cryptography.CngKeyLite.OpenNCryptProvider(String providerName)
   at System.Security.Cryptography.CngKeyLite..cctor()
   --- End of inner exception stack trace ---
   at System.Security.Cryptography.CngKeyLite.ImportKeyBlob(String blobType, ReadOnlySpan`1 keyBlob, Boolean encrypted, ReadOnlySpan`1 password)
   at System.Security.Cryptography.RSAImplementation.RSACng.ImportKeyBlob(Byte[] rsaBlob, Boolean includePrivate)
   at System.Security.Cryptography.RSAImplementation.RSACng.ImportParameters(RSAParameters parameters)
   at SteamKit2.RSACrypto..ctor(Byte[] key)
   at ArchiSteamFarm.ArchiWebHandler.Init(UInt64 steamID, EUniverse universe, String webAPIUserNonce, String parentalCode)
   at ArchiSteamFarm.Bot.OnLoggedOn(LoggedOnCallback callback)
   at System.Threading.Tasks.Task.<>c.<ThrowAsync>b__140_1(Object state)
   at System.Threading.QueueUserWorkItemCallbackDefaultContext.Execute()
   at System.Threading.ThreadPoolWorkQueue.Dispatch()
2021-03-31 14:00:57|ArchiSteamFarm-12100|ERROR|ASF|Exit() Exiting with nonzero error code!
2021-03-31 14:00:57|ArchiSteamFarm-12100|INFO|***|Stop() Stopping...
2021-03-31 14:00:57|ArchiSteamFarm-12100|INFO|***|Stop() Stopping...
2021-03-31 14:00:57|ArchiSteamFarm-12100|INFO|***|OnDisconnected() Disconnected from Steam!

Expected behavior

This is how the log should look from the last time it worked (March 4th 2021):

2021-03-04 08:06:40|ArchiSteamFarm-3040|INFO|ASF|InitCore() ArchiSteamFarm V5.0.4.3 (win-x64/90abcec0-aa84-4c10-8355-a8bccb207d68 | Microsoft Windows 10.0.19042)
2021-03-04 08:06:40|ArchiSteamFarm-3040|INFO|ASF|InitPlugins() Initializing Plugins...
2021-03-04 08:06:40|ArchiSteamFarm-3040|DEBUG|ASF|InitPlugins() Initializing ArchiSteamFarm.OfficialPlugins.SteamTokenDumper, Version=5.0.4.3, Culture=neutral, PublicKeyToken=null...
2021-03-04 08:06:40|ArchiSteamFarm-3040|INFO|ASF|InitPlugins() Loading SteamTokenDumperPlugin V5.0.4.3...
2021-03-04 08:06:40|ArchiSteamFarm-3040|INFO|ASF|InitPlugins() SteamTokenDumperPlugin has been loaded successfully!
2021-03-04 08:06:40|ArchiSteamFarm-3040|INFO|ASF|UpdateAndRestart() ASF will automatically check for new versions every 1 day.
2021-03-04 08:06:40|ArchiSteamFarm-3040|INFO|ASF|Update() Cleaning up old files after update...
2021-03-04 08:06:45|ArchiSteamFarm-3040|INFO|ASF|Update() Done!
2021-03-04 08:06:45|ArchiSteamFarm-3040|INFO|ASF|Update() Checking for new version...
2021-03-04 08:06:46|ArchiSteamFarm-3040|INFO|ASF|Update() Local version: 5.0.4.3 | Remote version: 5.0.4.3
2021-03-04 08:06:46|ArchiSteamFarm-3040|INFO|ASF|OnASFInit() SteamTokenDumperPlugin is currently disabled. If you'd like to help SteamDB in data submission, check out our wiki for SteamTokenDumperPlugin.
2021-03-04 08:06:46|ArchiSteamFarm-3040|INFO|ASF|StartInteractiveConsole() Interactive console is now active, type 'c' in order to enter command mode.
2021-03-04 08:06:46|ArchiSteamFarm-3040|INFO|***|Start() Starting...
2021-03-04 08:06:46|ArchiSteamFarm-3040|INFO|***|Connect() Connecting...
2021-03-04 08:06:46|ArchiSteamFarm-3040|INFO|***|Start() Starting...
2021-03-04 08:06:47|ArchiSteamFarm-3040|INFO|***|OnConnected() Connected to Steam!
2021-03-04 08:06:47|ArchiSteamFarm-3040|INFO|***|OnConnected() Logging in...
2021-03-04 08:06:47|ArchiSteamFarm-3040|INFO|***|OnLoggedOn() Successfully logged on as ***/***.
2021-03-04 08:06:47|ArchiSteamFarm-3040|INFO|***|Init() Logging in to ISteamUserAuth...
2021-03-04 08:06:48|ArchiSteamFarm-3040|INFO|***|Init() Success!
2021-03-04 08:06:50|ArchiSteamFarm-3040|INFO|***|IsAnythingToFarm() Checking first badge page...
2021-03-04 08:06:51|ArchiSteamFarm-3040|INFO|***|IsAnythingToFarm() Checking other badge pages...
2021-03-04 08:06:52|ArchiSteamFarm-3040|INFO|***|Farm() We have a total of 3 games (8 cards) left to idle (~7 hours remaining)...
2021-03-04 08:06:52|ArchiSteamFarm-3040|INFO|***|Farm() Chosen idling algorithm: Complex
2021-03-04 08:06:54|ArchiSteamFarm-3040|INFO|***|FarmMultiple() Now idling: 690640, 870780, 537800
2021-03-04 08:06:54|ArchiSteamFarm-3040|INFO|***|FarmHours() Still idling: 690640, 870780, 537800
2021-03-04 08:06:56|ArchiSteamFarm-3040|INFO|***|Connect() Connecting...
2021-03-04 08:06:57|ArchiSteamFarm-3040|INFO|***|OnConnected() Connected to Steam!
2021-03-04 08:06:57|ArchiSteamFarm-3040|INFO|***|OnConnected() Logging in...
2021-03-04 08:06:57|ArchiSteamFarm-3040|INFO|***|OnLoggedOn() Successfully logged on as ***
2021-03-04 08:06:57|ArchiSteamFarm-3040|INFO|***|Init() Logging in to ISteamUserAuth...
2021-03-04 08:06:57|ArchiSteamFarm-3040|INFO|***|IsAnythingToFarm() Checking first badge page...
2021-03-04 08:06:59|ArchiSteamFarm-3040|INFO|***|Init() Success!
2021-03-04 08:07:00|ArchiSteamFarm-3040|INFO|***|Farm() We have a total of 1 games (4 cards) left to idle (~5 hours remaining)...
2021-03-04 08:07:00|ArchiSteamFarm-3040|INFO|***|Farm() Chosen idling algorithm: Complex
2021-03-04 08:07:01|ArchiSteamFarm-3040|INFO|***|FarmMultiple() Now idling: 537800
2021-03-04 08:07:01|ArchiSteamFarm-3040|INFO|***|FarmHours() Still idling: 537800
2021-03-04 08:08:27|ArchiSteamFarm-3040|INFO|***|Stop() Stopping...
2021-03-04 08:08:27|ArchiSteamFarm-3040|INFO|***|Stop() Stopping...

System and installed software (please provide the following information):

Windows 10 20H2 64bit
Sandboxie Classic 5.49.5
ASF 5.0.5.6

Additional context

This part specifically seems to be what causes the problem:

FATAL|ASF|OnUnhandledException() System.TypeInitializationException: The type initializer for '**System.Security.Cryptography.CngKeyLite**' threw an exception.
 ---> Internal.Cryptography.CryptoThrowHelper+WindowsCryptographicException: Das Stub erhielt falsche Daten.
   at System.Security.Cryptography.CngKeyLite.OpenNCryptProvider(String providerName)
   at System.Security.Cryptography.CngKeyLite..cctor()
   --- End of inner exception stack trace ---
   at System.Security.Cryptography.CngKeyLite.ImportKeyBlob(String blobType, ReadOnlySpan`1 keyBlob, Boolean encrypted, ReadOnlySpan`1 password)
   at System.Security.Cryptography.RSAImplementation.RSACng.ImportKeyBlob(Byte[] rsaBlob, Boolean includePrivate)
   at System.Security.Cryptography.RSAImplementation.RSACng.ImportParameters(RSAParameters parameters)
   at SteamKit2.RSACrypto..ctor(Byte[] key)
   at ArchiSteamFarm.ArchiWebHandler.Init(UInt64 steamID, EUniverse universe, String webAPIUserNonce, String parentalCode)
   at ArchiSteamFarm.Bot.OnLoggedOn(LoggedOnCallback callback)
   at System.Threading.Tasks.Task.<>c.<ThrowAsync>b__140_1(Object state)
   at System.Threading.QueueUserWorkItemCallbackDefaultContext.Execute()
   at System.Threading.ThreadPoolWorkQueue.Dispatch()
ERROR|ASF|Exit() Exiting with nonzero error code!

Afaik Sandboxie denies ASF access to the "CNG Key Isolation" Windows Service.

DavidXanatos commented 3 years ago

how do i configure it to do something? starting without config works

NewKidOnTheBlock commented 3 years ago

You need to generate 2 json files for it to work.

First the ASF.json

Head here: https://justarchinet.github.io/ASF-WebConfigGenerator/#/asf
Fill in your SteamID64 (you can find it out here)
Download the file and place it in the ASF\config\ folder

Then your Bot.json

Head here: https://justarchinet.github.io/ASF-WebConfigGenerator/#/bot
Fill in a Name, your SteamLogin (you can leave SteamPassword empty if you like) and switch to Enabled.
Download the file and place it in ASF\config\ folder as well.

-> Launch ASF in Sandboxie

DavidXanatos commented 3 years ago

can you provide a working config file with some dummy account?

NewKidOnTheBlock commented 3 years ago

The goal of ASF is to farm the trading cards from your steam account in the background. The games don't even need to be installed. ASF is way more efficient than manually idling those games in the background.

Here comes the crux: If I provided my ASF config here, that would mean publicly posting my Steam login name and password. Not a good idea. Besides, Steam insists on 2-Factor-Authentication. So even with the account name and password, you wouldn't be able to successfully run ASF.

@ Sandboxie Users Does nobody else use ASF?

NewKidOnTheBlock commented 3 years ago

The ASF crash only happens if you have set up your accounts and try to connect

I've found someone with the same issue on the Steam forums. He got a reply from Archi himself:

Technical issue, not ASF bug. Start from simple things such as setting up ASF from scratch (including downloading latest version and generating configs once again), while ensuring that you have all windows updates installed and restarting the PC.

If it doesn't solve itself, check if you have CNG service running - https://computerstepbystep.com/cng_key_isolation_service.html

It should have manual activation and be running.

If all else fails, you can always reinstall PC, since this is basically your OS not being capable to provide basic cryptography for ASF needs. That could be caused by anything, from your AV removing/touching core ASF .dll files, through your own modifications on OS level, ending with viruses and other malicious things hooking there.

There are a couple other people with the same crash log on the steam forum. All of them needed to make sure that the CNG Key Isolation windows service was up and running.

Does Sandboxie block this service?

Edit: I triple-checked that the service is running.

isaak654 commented 3 years ago

There are a couple other people with the same crash log on the steam forum. All of them needed to make sure that the CNG Key Isolation windows service was up and running.

Does Sandboxie block this service?

Try this on your sandbox: OpenPipePath=\Device\CNG

NewKidOnTheBlock commented 3 years ago

Thanks for the suggestion. I put the line into the Sandbox's config and reloaded. The error remains the same.

NewKidOnTheBlock commented 3 years ago

I did some digging. Since I was absolutely positive that it worked before, I uninstalled SB 5.49.5 and reverted back to 5.47.1 --> now ASF can log in and farm as intended!

So we can narrow it down: It must have been something to do with the big security changes that were introduced with SB 5.48.0+ ...which also broke a couple of games -> #584

Edit: Installed 5.48.0 and found that my guess was correct. Starting with 5.48.0, SB causes ASF to crash when trying to connect to steam

DavidXanatos commented 3 years ago

try 5.48.0 with the following options:

OpenSamEndpoint=y
OpenDevCMApi=y
AllowRawDiskRead=y

they disable all the security fixes

NewKidOnTheBlock commented 3 years ago

Aye. I used 5.49.5 and put all three lines into the Sandbox's config -> ASF works

Then I tried to narrow it down with trial & error:

Just OpenDevCMApi=y -> fails
Just AllowRawDiskRead=y -> fails
Just OpenSamEndpoint=y -> works

--> OpenSamEndpoint is the culprit!

DavidXanatos commented 3 years ago

hallelujah!!! now we just must find out what exactly is the problem, please add IpcTrace=* to your sandboxie ini and remove the OpenSamEndpoint=y such that it fails again, then enable logging/"resource access monitor" and run the program

we are looking for entries saying: \RPC Control\samss lpc Msg: ... to be exact the numbers after Msg tell me what operations were performed.

Once I know what opcodes cause the issue I can check if it's safe to allow this particular operation generally.

Usually when blocking operations I tend to stay on the safe side, better to break something than to leave a gaping hole open, once I know where it's failing I can examine that particular operation closer and research if it is safe to open or not.

Cheers David
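The trace triage requested above, as an added example that is not part of the thread or of Sandboxie's own code: it finds failed port calls in an IpcTrace capture and resolves each one back to the port its handle was opened on, since a failing send line may carry no port name of its own. The line layout, the sample lines (constructed) and the function names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines (not from a real capture). The layout
#   Ipc [syscall] <call>, status = 0x<hex>, handle = <hex>; <port>; PID: <pid>
# is an assumption about how the resource access monitor prints IpcTrace=* events.
SAMPLE_TRACE = r"""
Ipc [syscall] AlpcConnectPort, status = 0x0, handle = 5F8; \Sandbox\user\DefaultBox\Session_1\RPC Control\epmapper; PID: 4100
Ipc [syscall] AlpcConnectPort, status = 0x0, handle = 9EC; \RPC Control\samss lpc; PID: 4100
Ipc [syscall] AlpcConnectPortEx, status = 0x0, handle = 9EC; \RPC Control\lsapolicylookup; PID: 5200
Ipc [syscall] AlpcSendWaitReceivePort, status = 0xC0000022, handle = 9EC; ; PID: 4100
Ipc [syscall] ConnectPort, status = 0x0, handle = 64; \RPC Control\SbieSvcPort; PID: 4100
"""

LINE_RE = re.compile(
    r"^Ipc \[syscall\] (?P<call>\w+), status = 0x(?P<status>[0-9A-Fa-f]+), "
    r"handle = (?P<handle>[0-9A-Fa-f]+); (?P<port>.*); PID: (?P<pid>\d+)$"
)

# Only the NTSTATUS value needed here; anything else is reported as raw hex.
NTSTATUS_NAMES = {0xC0000022: "STATUS_ACCESS_DENIED"}


def parse_events(trace):
    """Yield one dict per syscall trace line; other line types are skipped."""
    for raw in trace.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield {
                "call": m["call"],
                "status": int(m["status"], 16),
                "handle": m["handle"].upper(),
                "port": m["port"].strip(),
                "pid": int(m["pid"]),
            }


def failed_port_calls(trace):
    """Return every non-zero-status port call with the port name(s) resolved."""
    events = list(parse_events(trace))

    # Pass 1: handle values are per-process, so key on (pid, handle).
    # Two passes because a monitor view may be sorted, not chronological;
    # a reused handle therefore yields several candidate names.
    names = defaultdict(set)
    for e in events:
        if e["status"] == 0 and e["port"]:
            names[(e["pid"], e["handle"])].add(e["port"])

    # Pass 2: report failures, borrowing the name from the successful open
    # when the failing line itself has an empty port field.
    findings = []
    for e in events:
        if e["status"] == 0:
            continue
        ports = {e["port"]} if e["port"] else names.get((e["pid"], e["handle"]), set())
        findings.append({
            "pid": e["pid"],
            "call": e["call"],
            "status": "0x%08X" % e["status"],
            "status_name": NTSTATUS_NAMES.get(e["status"], "unknown"),
            "ports": sorted(ports),
            # A port outside the \Sandbox\ namespace is a real host endpoint.
            "host_port": any(not p.startswith("\\Sandbox\\") for p in ports),
        })
    return findings


if __name__ == "__main__":
    for f in failed_port_calls(SAMPLE_TRACE):
        print(f["pid"], f["call"], f["status"], f["status_name"], f["ports"])
```

Keying on the PID as well as the handle matters: in the sample, handle 9EC in PID 5200 is a different port and must not be blamed for the denial seen in PID 4100.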

NewKidOnTheBlock commented 3 years ago

Is the log safe to post here? It's got 448 lines.

DavidXanatos commented 3 years ago

the only thing it may leak is your windows user name in file paths, you can find and replace it if you are worried.

DavidXanatos commented 3 years ago

Did you add IpcTrace=* and remove OpenSamEndpoint=y?

because the log is missing the required entries, also i have never tested if the old UI properly shows the new log types, could you use the plus UI to capture the log please.

isaak654 commented 3 years ago

also i have never tested if the old UI properly shows the new log types

IpcTrace=* produces a lot of syscalls, so it worked for me on Classic 5.49.5.

NewKidOnTheBlock commented 3 years ago

Forgot to add IpcTrace :/ Is this correct now? Never used Resource Monitor before.

\BaseNamedObjects\windows_shell_global_counters; PID: 3012 Ipc \RPC Control\actkernel; PID: 5024 Ipc \RPC Control\actkernel; PID: 5368 Ipc \RPC Control\epmapper; PID: 10708 Ipc \RPC Control\epmapper; PID: 3012 Ipc \RPC Control\epmapper; PID: 5024 Ipc \RPC Control\epmapper; PID: 5368 Ipc \RPC Control\epmapper; PID: 6876 Ipc \RPC Control\epmapper; PID: 9900 Ipc \RPC Control\keysvc; PID: 10708 Ipc \RPC Control\LRPC-2d4e01746aa8fbe72f; PID: 6876 Ipc \Sessions\1\BaseNamedObjects\C:ProgramDataMicrosoftWindowsCaches{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000007.db; PID: 3012 Ipc \Sessions\1\BaseNamedObjects\C:ProgramDataMicrosoftWindowsCaches{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000007.db; PID: 3012 Ipc \Sessions\1\BaseNamedObjects\C:ProgramDataMicrosoftWindowsCachescversions.2.ro; PID: 3012 Ipc \Sessions\1\BaseNamedObjects\C:*Users***AppDataLocalMicrosoftWindowsCaches{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000719.db; PID: 3012 Ipc \Sessions\1\BaseNamedObjects\C:Users***AppDataLocalMicrosoftWindowsCaches*cversions.3.ro; PID: 3012 Ipc \Sessions\1\BaseNamedObjects\windows_shell_global_counters; PID: 3012 Ipc \Sessions\1\BaseNamedObjects\windows_shell_global_counters; PID: 5024 Ipc \Sessions\1\BaseNamedObjects\windows_shell_global_counters; PID: 6876 Ipc \Sessions\1\BaseNamedObjects\windows_shell_global_counters; PID: 9900 Ipc \WindowsErrorReportingServicePort; PID: 6876 Ipc \WindowsErrorReportingServicePort; PID: 9900 Ipc Calling Ndr64AsyncClientCall UUID = {3473DD4D-2E88-4006-9CBA-22570909DD10}, 5.1, caller = 'winhttp.dll'; PID: 6876 Ipc Calling Ndr64AsyncClientCall UUID = {7EA70BCF-48AF-4F6A-8968-6A440754D5FA}, 1.0, caller = 'WINNSI.DLL'; PID: 6876 Ipc Calling Ndr64AsyncClientCall UUID = {E1AF8308-5D1F-11C9-91A4-08002B14A0FA}, 3.0, caller = 'RPCRT4.dll'; PID: 6876 Ipc Calling NdrClientCall2 UUID = {9B8699AE-0E44-47B1-8E7F-86A461D7ECDC}, 0.0, caller = 'rpcss.dll'; PID: 5024 Ipc Calling NdrClientCall2 UUID = 
{E60C73E6-88F9-11CF-9AF1-0020AF6E72F4}, 2.0, caller = 'combase.dll'; PID: 3012 Ipc Calling NdrClientCall3 UUID = {12345778-1234-ABCD-EF00-0123456789AB}, 0.0, caller = 'ADVAPI32.dll'; PID: 6876 Ipc Calling NdrClientCall3 UUID = {12345778-1234-ABCD-EF00-0123456789AC}, 1.0, caller = 'SAMLIB.dll'; PID: 10708 Ipc Calling NdrClientCall3 UUID = {3C4728C5-F0AB-448B-BDA1-6CE01EB0A6D5}, 1.0, caller = 'dhcpcsvc.DLL'; PID: 6876 Ipc Calling NdrClientCall3 UUID = {3C4728C5-F0AB-448B-BDA1-6CE01EB0A6D6}, 1.0, caller = 'dhcpcsvc6.DLL'; PID: 6876 Ipc Calling NdrClientCall3 UUID = {45776B01-5956-4485-9F80-F428F7D60129}, 2.0, caller = 'DNSAPI.dll'; PID: 6876 Ipc Calling NdrClientCall3 UUID = {4F32ADC8-6052-4A04-8701-293CCF2096F0}, 1.0, caller = 'SspiCli.dll'; PID: 3012 Ipc Calling NdrClientCall3 UUID = {4F32ADC8-6052-4A04-8701-293CCF2096F0}, 1.0, caller = 'sspicli.dll'; PID: 5024 Ipc Calling NdrClientCall3 UUID = {4F32ADC8-6052-4A04-8701-293CCF2096F0}, 1.0, caller = 'SspiCli.dll'; PID: 5368 Ipc Calling NdrClientCall3 UUID = {4F32ADC8-6052-4A04-8701-293CCF2096F0}, 1.0, caller = 'sspicli.dll'; PID: 6876 Ipc Calling NdrClientCall3 UUID = {B25A52BF-E5DD-4F4A-AEA6-8CA7272A0E86}, 2.0, caller = 'ncryptprov.dll'; PID: 6876 Ipc Calling NdrClientCall3 UUID = {FB8A0729-2D04-4658-BE93-27B4AD553FAC}, 1.0, caller = 'sechost.dll'; PID: 10708 Ipc Calling NdrClientCall3 UUID = {FB8A0729-2D04-4658-BE93-27B4AD553FAC}, 1.0, caller = 'sechost.dll'; PID: 3012 Ipc Calling NdrClientCall3 UUID = {FB8A0729-2D04-4658-BE93-27B4AD553FAC}, 1.0, caller = 'sechost.dll'; PID: 5024 Ipc Calling NdrClientCall3 UUID = {FB8A0729-2D04-4658-BE93-27B4AD553FAC}, 1.0, caller = 'sechost.dll'; PID: 5368 Ipc Calling NdrClientCall3 UUID = {FB8A0729-2D04-4658-BE93-27B4AD553FAC}, 1.0, caller = 'sechost.dll'; PID: 6876 Ipc Endpoint = 'actkernel', UUID = 00000000-0000-0000-0000-000000000000, status = 0x00000000, timeout = 1, caller = 'rpcss.dll'; PID: 5024 Ipc Endpoint = 'DNSResolver', UUID = 00000000-0000-0000-0000-000000000000, 
status = 0x00000000, timeout = 1, caller = 'DNSAPI.dll'; PID: 6876 Ipc Endpoint = 'epmapper', UUID = 00000000-0000-0000-0000-000000000000, status = 0x00000000, timeout = 1, caller = 'combase.dll'; PID: 3012 Ipc Endpoint = 'epmapper', UUID = 00000000-0000-0000-0000-000000000000, status = 0x00000000, timeout = 1, caller = 'RPCRT4.dll'; PID: 6876 Ipc Endpoint = 'epmapper', UUID = 00000000-0000-0000-0000-000000000000, status = 0x00000057, timeout = 1, caller = 'RPCRT4.dll'; PID: 6876 Ipc Endpoint = 'LSARPC_ENDPOINT', UUID = 00000000-0000-0000-0000-000000000000, status = 0x00000000, timeout = 1, caller = 'ADVAPI32.dll'; PID: 6876 Ipc Endpoint = 'null', UUID = 00000000-0000-0000-0000-000000000000, status = 0x00000000, timeout = 1, caller = 'fwpuclnt.dll'; PID: 6876 Ipc Endpoint = 'OLE407E710D5094075DD29AA59BB2EA', UUID = 00000000-0000-0000-0000-000000000000, status = 0x00000000, timeout = 1, caller = 'rpcss.dll'; PID: 5024 Ipc Endpoint = 'samss lpc', UUID = 906b0ce0-c70b-1067-b317-00dd010662da, status = 0x00000000, timeout = 1, caller = 'ncryptprov.dll'; PID: 6876 Ipc Resolved dynamic port: WPAD; endpoint: \RPC Control\LRPC-2d4e01746aa8fbe72f; PID: 6876 Ipc StringBinding = 'ncalrpc:', wstrPortName = 'ncalrpc:[LRPC-2d4e01746aa8fbe72f]', BindingHandle = 0x35DBB5B0, status = 0x00000000, timeout = 1, caller = 'winhttp.dll'; PID: 6876 Ipc StringBinding = 'ncalrpc:[,Security=Impersonation Dynamic True]', wstrPortName = '', BindingHandle = 0x35DBC540, status = 0x00000000, timeout = 0, caller = 'WINNSI.DLL'; PID: 6876 Ipc StringBinding = 'ncalrpc:[dhcpcsvc,Security=Impersonation Dynamic False]', wstrPortName = '', BindingHandle = 0x35DBA7E0, status = 0x00000000, timeout = 1, caller = 'dhcpcsvc.DLL'; PID: 6876 Ipc StringBinding = 'ncalrpc:[dhcpcsvc,Security=Impersonation Dynamic False]', wstrPortName = '', BindingHandle = 0x35DBA850, status = 0x00000000, timeout = 1, caller = 'dhcpcsvc.DLL'; PID: 6876 Ipc StringBinding = 'ncalrpc:[dhcpcsvc,Security=Impersonation Dynamic False]', 
wstrPortName = '', BindingHandle = 0x35DBB4E0, status = 0x00000000, timeout = 1, caller = 'dhcpcsvc.DLL'; PID: 6876 Ipc StringBinding = 'ncalrpc:[dhcpcsvc,Security=Impersonation Dynamic False]', wstrPortName = '', BindingHandle = 0x35DBB550, status = 0x00000000, timeout = 1, caller = 'dhcpcsvc.DLL'; PID: 6876 Ipc StringBinding = 'ncalrpc:[dhcpcsvc,Security=Impersonation Dynamic False]', wstrPortName = '', BindingHandle = 0x3627D820, status = 0x00000000, timeout = 1, caller = 'dhcpcsvc.DLL'; PID: 6876 Ipc StringBinding = 'ncalrpc:[dhcpcsvc,Security=Impersonation Dynamic False]', wstrPortName = '', BindingHandle = 0x3627D890, status = 0x00000000, timeout = 1, caller = 'dhcpcsvc.DLL'; PID: 6876 Ipc StringBinding = 'ncalrpc:[dhcpcsvc,Security=Impersonation Dynamic False]', wstrPortName = '', BindingHandle = 0x3627DA10, status = 0x00000000, timeout = 1, caller = 'dhcpcsvc.DLL'; PID: 6876 Ipc StringBinding = 'ncalrpc:[dhcpcsvc,Security=Impersonation Dynamic False]', wstrPortName = '', BindingHandle = 0x3627DA80, status = 0x00000000, timeout = 1, caller = 'dhcpcsvc.DLL'; PID: 6876 Ipc StringBinding = 'ncalrpc:[dhcpcsvc,Security=Impersonation Dynamic False]', wstrPortName = '', BindingHandle = 0x3627E0B0, status = 0x00000000, timeout = 1, caller = 'dhcpcsvc.DLL'; PID: 6876 Ipc StringBinding = 'ncalrpc:[dhcpcsvc,Security=Impersonation Dynamic False]', wstrPortName = '', BindingHandle = 0x3627E120, status = 0x00000000, timeout = 1, caller = 'dhcpcsvc.DLL'; PID: 6876 Ipc StringBinding = 'ncalrpc:[dhcpcsvc6,Security=Impersonation Dynamic False]', wstrPortName = '', BindingHandle = 0x35DBA780, status = 0x00000000, timeout = 1, caller = 'dhcpcsvc6.DLL'; PID: 6876 Ipc StringBinding = 'ncalrpc:[dhcpcsvc6,Security=Impersonation Dynamic False]', wstrPortName = '', BindingHandle = 0x35DBB480, status = 0x00000000, timeout = 1, caller = 'dhcpcsvc6.DLL'; PID: 6876 Ipc StringBinding = 'ncalrpc:[dhcpcsvc6,Security=Impersonation Dynamic False]', wstrPortName = '', BindingHandle = 
0x35DBBC10, status = 0x00000000, timeout = 1, caller = 'dhcpcsvc6.DLL'; PID: 6876 Ipc StringBinding = 'ncalrpc:[dhcpcsvc6,Security=Impersonation Dynamic False]', wstrPortName = '', BindingHandle = 0x3627D7C0, status = 0x00000000, timeout = 1, caller = 'dhcpcsvc6.DLL'; PID: 6876 Ipc StringBinding = 'ncalrpc:[dhcpcsvc6,Security=Impersonation Dynamic False]', wstrPortName = '', BindingHandle = 0x3627D9B0, status = 0x00000000, timeout = 1, caller = 'dhcpcsvc6.DLL'; PID: 6876 Ipc StringBinding = 'ncalrpc:[dhcpcsvc6,Security=Impersonation Dynamic False]', wstrPortName = '', BindingHandle = 0x3627DF50, status = 0x00000000, timeout = 1, caller = 'dhcpcsvc6.DLL'; PID: 6876 Ipc StringBinding = 'ncalrpc:[dhcpcsvc6,Security=Impersonation Dynamic False]', wstrPortName = '', BindingHandle = 0x3627E050, status = 0x00000000, timeout = 1, caller = 'dhcpcsvc6.DLL'; PID: 6876 Ipc StringBinding = 'ncalrpc:[dhcpcsvc6,Security=Impersonation Dynamic False]', wstrPortName = '', BindingHandle = 0x3627E140, status = 0x00000000, timeout = 1, caller = 'dhcpcsvc6.DLL'; PID: 6876 Ipc StringBinding = 'ncalrpc:[epmapper,Security=Impersonation Dynamic False]', wstrPortName = '', BindingHandle = 0x17548970, status = 0x00000000, timeout = 1, caller = 'combase.dll'; PID: 3012 Ipc StringBinding = 'ncalrpc:[lsapolicylookup]', wstrPortName = '', BindingHandle = 0x35DB8F38, status = 0x00000000, timeout = 1, caller = 'sechost.dll'; PID: 6876 Ipc StringBinding = 'ncalrpc:[lsapolicylookup]', wstrPortName = '', BindingHandle = 0x4E9FF1E8, status = 0x00000000, timeout = 1, caller = 'sechost.dll'; PID: 5368 Ipc StringBinding = 'ncalrpc:[lsapolicylookup]', wstrPortName = '', BindingHandle = 0x4E9FF428, status = 0x00000000, timeout = 1, caller = 'sechost.dll'; PID: 5368 Ipc StringBinding = 'ncalrpc:[lsapolicylookup]', wstrPortName = '', BindingHandle = 0x65DCB0D8, status = 0x00000000, timeout = 1, caller = 'sechost.dll'; PID: 3012 Ipc StringBinding = 'ncalrpc:[lsapolicylookup]', wstrPortName = '', BindingHandle 
= 0x65DCC238, status = 0x00000000, timeout = 1, caller = 'sechost.dll'; PID: 3012 Ipc StringBinding = 'ncalrpc:[lsapolicylookup]', wstrPortName = '', BindingHandle = 0x943FEF88, status = 0x00000000, timeout = 1, caller = 'sechost.dll'; PID: 10708 Ipc StringBinding = 'ncalrpc:[lsapolicylookup]', wstrPortName = '', BindingHandle = 0x945FC1B8, status = 0x00000000, timeout = 1, caller = 'sechost.dll'; PID: 10708 Ipc StringBinding = 'ncalrpc:[lsapolicylookup]', wstrPortName = '', BindingHandle = 0x945FC3A8, status = 0x00000000, timeout = 1, caller = 'sechost.dll'; PID: 10708 Ipc StringBinding = 'ncalrpc:[lsapolicylookup]', wstrPortName = '', BindingHandle = 0xF35FEE18, status = 0x00000000, timeout = 1, caller = 'sechost.dll'; PID: 5024 Ipc StringBinding = 'ncalrpc:[lsapolicylookup]', wstrPortName = '', BindingHandle = 0xF35FF058, status = 0x00000000, timeout = 1, caller = 'sechost.dll'; PID: 5024 Ipc StringBinding = 'ncalrpc:[lsasspirpc]', wstrPortName = '', BindingHandle = 0x35F7D290, status = 0x00000000, timeout = 1, caller = 'sspicli.dll'; PID: 6876 Ipc StringBinding = 'ncalrpc:[lsasspirpc]', wstrPortName = '', BindingHandle = 0x4E9FF8D0, status = 0x00000000, timeout = 1, caller = 'SspiCli.dll'; PID: 5368 Ipc StringBinding = 'ncalrpc:[lsasspirpc]', wstrPortName = '', BindingHandle = 0x65DCCE30, status = 0x00000000, timeout = 1, caller = 'SspiCli.dll'; PID: 3012 Ipc StringBinding = 'ncalrpc:[lsasspirpc]', wstrPortName = '', BindingHandle = 0xF35FF240, status = 0x00000000, timeout = 1, caller = 'sspicli.dll'; PID: 5024 Ipc StringBinding = 'ncalrpc:[samss lpc]', wstrPortName = '', BindingHandle = 0x945FC0C8, status = 0x00000000, timeout = 1, caller = 'SAMLIB.dll'; PID: 10708 Ipc O (IA) 00000001 \KernelObjects\MemoryErrors; PID: 9900 Ipc O (IA) 00000001 \Security\LSA_AUTHENTICATION_INITIALIZED; PID: 3012 Ipc O (IA) 00000001 \Security\LSA_AUTHENTICATION_INITIALIZED; PID: 5024 Ipc O (IA) 00000001 \Security\LSA_AUTHENTICATION_INITIALIZED; PID: 5368 Ipc O (IA) 00000001 
\Security\LSA_AUTHENTICATION_INITIALIZED; PID: 6876 Ipc O (IA) 00000004 \Sessions\1\Windows\SharedSection; PID: 10708 Ipc O (IA) 00000004 \Sessions\1\Windows\SharedSection; PID: 3012 Ipc O (IA) 00000004 \Sessions\1\Windows\SharedSection; PID: 5024 Ipc O (IA) 00000004 \Sessions\1\Windows\SharedSection; PID: 5368 Ipc O (IA) 00000004 \Sessions\1\Windows\SharedSection; PID: 6876 Ipc O (IA) 00000004 \Sessions\1\Windows\SharedSection; PID: 9900 Ipc O (IA) 00000004 \Sessions\1\Windows\Theme2483701618; PID: 3012 Ipc O (IA) 00000004 \Sessions\1\Windows\Theme2483701618; PID: 5024 Ipc O (IA) 00000004 \Sessions\1\Windows\Theme2483701618; PID: 6876 Ipc O (IA) 00000004 \Sessions\1\Windows\Theme2483701618; PID: 9900 Ipc O (IA) 00000004 \Sessions\1\Windows\ThemeSection; PID: 3012 Ipc O (IA) 00000004 \Sessions\1\Windows\ThemeSection; PID: 5024 Ipc O (IA) 00000004 \Sessions\1\Windows\ThemeSection; PID: 6876 Ipc O (IA) 00000004 \Sessions\1\Windows\ThemeSection; PID: 9900 Ipc O (IA) 00000004 \Windows\Theme2732417997; PID: 3012 Ipc O (IA) 00000004 \Windows\Theme2732417997; PID: 5024 Ipc O (IA) 00000004 \Windows\Theme2732417997; PID: 6876 Ipc O (IA) 00000004 \Windows\Theme2732417997; PID: 9900 Ipc O (IA) 0000000D \KnownDlls\advapi32.dll; PID: 10708 Ipc O (IA) 0000000D \KnownDlls\advapi32.dll; PID: 3012 Ipc O (IA) 0000000D \KnownDlls\advapi32.dll; PID: 5024 Ipc O (IA) 0000000D \KnownDlls\advapi32.dll; PID: 5368 Ipc O (IA) 0000000D \KnownDlls\advapi32.dll; PID: 6876 Ipc O (IA) 0000000D \KnownDlls\advapi32.dll; PID: 9900 Ipc O (IA) 0000000D \KnownDlls\bcrypt.dll; PID: 10708 Ipc O (IA) 0000000D \KnownDlls\bcrypt.dll; PID: 3012 Ipc O (IA) 0000000D \KnownDlls\bcrypt.dll; PID: 5024 Ipc O (IA) 0000000D \KnownDlls\bcrypt.dll; PID: 5368 Ipc O (IA) 0000000D \KnownDlls\bcrypt.dll; PID: 6876 Ipc O (IA) 0000000D \KnownDlls\bcrypt.dll; PID: 9900 Ipc O (IA) 0000000D \KnownDlls\bcryptPrimitives.dll; PID: 10708 Ipc O (IA) 0000000D \KnownDlls\bcryptPrimitives.dll; PID: 3012 Ipc O (IA) 0000000D 
\KnownDlls\bcryptPrimitives.dll; PID: 5024 Ipc O (IA) 0000000D \KnownDlls\bcryptPrimitives.dll; PID: 5368 Ipc O (IA) 0000000D \KnownDlls\bcryptPrimitives.dll; PID: 6876 Ipc O (IA) 0000000D \KnownDlls\bcryptPrimitives.dll; PID: 9900 Ipc O (IA) 0000000D \KnownDlls\cfgmgr32.dll; PID: 3012 Ipc O (IA) 0000000D \KnownDlls\cfgmgr32.dll; PID: 6876 Ipc O (IA) 0000000D \KnownDlls\clbcatq.dll; PID: 10708 Ipc O (IA) 0000000D \KnownDlls\clbcatq.dll; PID: 3012 Ipc O (IA) 0000000D \KnownDlls\clbcatq.dll; PID: 5024 Ipc O (IA) 0000000D \KnownDlls\clbcatq.dll; PID: 5368 Ipc O (IA) 0000000D \KnownDlls\clbcatq.dll; PID: 9900 Ipc O (IA) 0000000D \KnownDlls\combase.dll; PID: 10708 Ipc O (IA) 0000000D \KnownDlls\combase.dll; PID: 3012 Ipc O (IA) 0000000D \KnownDlls\combase.dll; PID: 5024 Ipc O (IA) 0000000D \KnownDlls\combase.dll; PID: 5368 Ipc O (IA) 0000000D \KnownDlls\combase.dll; PID: 6876 Ipc O (IA) 0000000D \KnownDlls\combase.dll; PID: 9900 Ipc O (IA) 0000000D \KnownDlls\COMDLG32.dll; PID: 3012 Ipc O (IA) 0000000D \KnownDlls\CRYPT32.dll; PID: 10708 Ipc O (IA) 0000000D \KnownDlls\CRYPT32.dll; PID: 6876 Ipc O (IA) 0000000D \KnownDlls\CRYPT32.dll; PID: 9900 Ipc O (IA) 0000000D \KnownDlls\gdi32.dll; PID: 10708 Ipc O (IA) 0000000D \KnownDlls\gdi32.dll; PID: 3012 Ipc O (IA) 0000000D \KnownDlls\gdi32.dll; PID: 5024 Ipc O (IA) 0000000D \KnownDlls\gdi32.dll; PID: 5368 Ipc O (IA) 0000000D \KnownDlls\gdi32.dll; PID: 6876 Ipc O (IA) 0000000D \KnownDlls\gdi32.dll; PID: 9900 Ipc O (IA) 0000000D \KnownDlls\gdi32full.dll; PID: 10708 Ipc O (IA) 0000000D \KnownDlls\gdi32full.dll; PID: 3012 Ipc O (IA) 0000000D \KnownDlls\gdi32full.dll; PID: 5024 Ipc O (IA) 0000000D \KnownDlls\gdi32full.dll; PID: 5368 Ipc O (IA) 0000000D \KnownDlls\gdi32full.dll; PID: 6876 Ipc O (IA) 0000000D \KnownDlls\gdi32full.dll; PID: 9900 Ipc O (IA) 0000000D \KnownDlls\IMAGEHLP.dll; PID: 9900 Ipc O (IA) 0000000D \KnownDlls\IMM32.dll; PID: 10708 Ipc O (IA) 0000000D \KnownDlls\IMM32.dll; PID: 3012 Ipc O (IA) 0000000D 
\KnownDlls\IMM32.dll; PID: 5024 Ipc O (IA) 0000000D \KnownDlls\IMM32.dll; PID: 5368 Ipc O (IA) 0000000D \KnownDlls\IMM32.dll; PID: 6876 Ipc O (IA) 0000000D \KnownDlls\IMM32.dll; PID: 9900 Ipc O (IA) 0000000D \KnownDlls\kernel32.dll; PID: 10708 Ipc O (IA) 0000000D \KnownDlls\kernel32.dll; PID: 3012 Ipc O (IA) 0000000D \KnownDlls\kernel32.dll; PID: 5024 Ipc O (IA) 0000000D \KnownDlls\kernel32.dll; PID: 5368 Ipc O (IA) 0000000D \KnownDlls\kernel32.dll; PID: 6876 Ipc O (IA) 0000000D \KnownDlls\kernel32.dll; PID: 9900 Ipc O (IA) 0000000D \KnownDlls\kernelbase.dll; PID: 10708 Ipc O (IA) 0000000D \KnownDlls\kernelbase.dll; PID: 3012 Ipc O (IA) 0000000D \KnownDlls\kernelbase.dll; PID: 5024 Ipc O (IA) 0000000D \KnownDlls\kernelbase.dll; PID: 5368 Ipc O (IA) 0000000D \KnownDlls\kernelbase.dll; PID: 6876 Ipc O (IA) 0000000D \KnownDlls\kernelbase.dll; PID: 9900 Ipc O (IA) 0000000D \KnownDlls\MSCTF.dll; PID: 5024 Ipc O (IA) 0000000D \KnownDlls\MSCTF.dll; PID: 6876 Ipc O (IA) 0000000D \KnownDlls\MSCTF.dll; PID: 9900 Ipc O (IA) 0000000D \KnownDlls\msvcp_win.dll; PID: 10708 Ipc O (IA) 0000000D \KnownDlls\msvcp_win.dll; PID: 3012 Ipc O (IA) 0000000D \KnownDlls\msvcp_win.dll; PID: 5024 Ipc O (IA) 0000000D \KnownDlls\msvcp_win.dll; PID: 5368 Ipc O (IA) 0000000D \KnownDlls\msvcp_win.dll; PID: 6876 Ipc O (IA) 0000000D \KnownDlls\msvcp_win.dll; PID: 9900 Ipc O (IA) 0000000D \KnownDlls\MSVCRT.dll; PID: 10708 Ipc O (IA) 0000000D \KnownDlls\MSVCRT.dll; PID: 3012 Ipc O (IA) 0000000D \KnownDlls\MSVCRT.dll; PID: 5024 Ipc O (IA) 0000000D \KnownDlls\MSVCRT.dll; PID: 5368 Ipc O (IA) 0000000D \KnownDlls\MSVCRT.dll; PID: 6876 Ipc O (IA) 0000000D \KnownDlls\MSVCRT.dll; PID: 9900 Ipc O (IA) 0000000D \KnownDlls\NSI.dll; PID: 6876 Ipc O (IA) 0000000D \KnownDlls\ole32.dll; PID: 3012 Ipc O (IA) 0000000D \KnownDlls\ole32.dll; PID: 5024 Ipc O (IA) 0000000D \KnownDlls\ole32.dll; PID: 6876 Ipc O (IA) 0000000D \KnownDlls\ole32.dll; PID: 9900 Ipc O (IA) 0000000D \KnownDlls\OLEAUT32.dll; PID: 10708 Ipc O (IA) 
0000000D \KnownDlls\OLEAUT32.dll; PID: 3012 Ipc O (IA) 0000000D \KnownDlls\OLEAUT32.dll; PID: 5024 Ipc O (IA) 0000000D \KnownDlls\OLEAUT32.dll; PID: 5368 Ipc O (IA) 0000000D \KnownDlls\OLEAUT32.dll; PID: 6876 Ipc O (IA) 0000000D \KnownDlls\OLEAUT32.dll; PID: 9900 Ipc O (IA) 0000000D \KnownDlls\PSAPI.DLL; PID: 10708 Ipc O (IA) 0000000D \KnownDlls\PSAPI.DLL; PID: 3012 Ipc O (IA) 0000000D \KnownDlls\PSAPI.DLL; PID: 5024 Ipc O (IA) 0000000D \KnownDlls\PSAPI.DLL; PID: 5368 Ipc O (IA) 0000000D \KnownDlls\PSAPI.DLL; PID: 6876 Ipc O (IA) 0000000D \KnownDlls\PSAPI.DLL; PID: 9900 Ipc O (IA) 0000000D \KnownDlls\rpcrt4.dll; PID: 10708 Ipc O (IA) 0000000D \KnownDlls\rpcrt4.dll; PID: 3012 Ipc O (IA) 0000000D \KnownDlls\rpcrt4.dll; PID: 5024 Ipc O (IA) 0000000D \KnownDlls\rpcrt4.dll; PID: 5368 Ipc O (IA) 0000000D \KnownDlls\rpcrt4.dll; PID: 6876 Ipc O (IA) 0000000D \KnownDlls\rpcrt4.dll; PID: 9900 Ipc O (IA) 0000000D \KnownDlls\sechost.dll; PID: 10708 Ipc O (IA) 0000000D \KnownDlls\sechost.dll; PID: 3012 Ipc O (IA) 0000000D \KnownDlls\sechost.dll; PID: 5024 Ipc O (IA) 0000000D \KnownDlls\sechost.dll; PID: 5368 Ipc O (IA) 0000000D \KnownDlls\sechost.dll; PID: 6876 Ipc O (IA) 0000000D \KnownDlls\sechost.dll; PID: 9900 Ipc O (IA) 0000000D \KnownDlls\SHCORE.dll; PID: 3012 Ipc O (IA) 0000000D \KnownDlls\SHCORE.dll; PID: 5024 Ipc O (IA) 0000000D \KnownDlls\SHCORE.dll; PID: 6876 Ipc O (IA) 0000000D \KnownDlls\SHCORE.dll; PID: 9900 Ipc O (IA) 0000000D \KnownDlls\SHELL32.dll; PID: 3012 Ipc O (IA) 0000000D \KnownDlls\SHELL32.dll; PID: 5024 Ipc O (IA) 0000000D \KnownDlls\SHELL32.dll; PID: 6876 Ipc O (IA) 0000000D \KnownDlls\SHELL32.dll; PID: 9900 Ipc O (IA) 0000000D \KnownDlls\SHLWAPI.dll; PID: 3012 Ipc O (IA) 0000000D \KnownDlls\SHLWAPI.dll; PID: 5024 Ipc O (IA) 0000000D \KnownDlls\SHLWAPI.dll; PID: 6876 Ipc O (IA) 0000000D \KnownDlls\SHLWAPI.dll; PID: 9900 Ipc O (IA) 0000000D \KnownDlls\ucrtbase.dll; PID: 10708 Ipc O (IA) 0000000D \KnownDlls\ucrtbase.dll; PID: 3012 Ipc O (IA) 0000000D 
\KnownDlls\ucrtbase.dll; PID: 5024 Ipc O (IA) 0000000D \KnownDlls\ucrtbase.dll; PID: 5368 Ipc O (IA) 0000000D \KnownDlls\ucrtbase.dll; PID: 6876 Ipc O (IA) 0000000D \KnownDlls\ucrtbase.dll; PID: 9900 Ipc O (IA) 0000000D \KnownDlls\user32.dll; PID: 10708 Ipc O (IA) 0000000D \KnownDlls\user32.dll; PID: 3012 Ipc O (IA) 0000000D \KnownDlls\user32.dll; PID: 5024 Ipc O (IA) 0000000D \KnownDlls\user32.dll; PID: 5368 Ipc O (IA) 0000000D \KnownDlls\user32.dll; PID: 6876 Ipc O (IA) 0000000D \KnownDlls\user32.dll; PID: 9900 Ipc O (IA) 0000000D \KnownDlls\win32u.dll; PID: 10708 Ipc O (IA) 0000000D \KnownDlls\win32u.dll; PID: 3012 Ipc O (IA) 0000000D \KnownDlls\win32u.dll; PID: 5024 Ipc O (IA) 0000000D \KnownDlls\win32u.dll; PID: 5368 Ipc O (IA) 0000000D \KnownDlls\win32u.dll; PID: 6876 Ipc O (IA) 0000000D \KnownDlls\win32u.dll; PID: 9900 Ipc O (IA) 0000000D \KnownDlls\WINTRUST.dll; PID: 9900 Ipc O (IA) 0000000D \KnownDlls\WS2_32.dll; PID: 10708 Ipc O (IA) 0000000D \KnownDlls\WS2_32.dll; PID: 5024 Ipc O (IA) 0000000D \KnownDlls\WS2_32.dll; PID: 6876 Ipc O (IA) 00100001 \KernelObjects\LowMemoryCondition; PID: 10708 Ipc O (IA) 00100001 \KernelObjects\LowMemoryCondition; PID: 6876 Ipc O (IA) 00100001 \KernelObjects\LowMemoryCondition; PID: 9900 Ipc O (IA) 00100001 \KernelObjects\MaximumCommitCondition; PID: 10708 Ipc O (IA) 00100001 \KernelObjects\MaximumCommitCondition; PID: 3012 Ipc O (IA) 00100001 \KernelObjects\MaximumCommitCondition; PID: 5024 Ipc O (IA) 00100001 \KernelObjects\MaximumCommitCondition; PID: 5368 Ipc O (IA) 00100001 \KernelObjects\MaximumCommitCondition; PID: 9900 Ipc O (IA) 00100001 \KernelObjects\SystemErrorPortReady; PID: 6876 Ipc O (IA) 00100001 \KernelObjects\SystemErrorPortReady; PID: 9900 Ipc O (IA) 001F0000 \RPC Control\dhcpcsvc; PID: 9900 Ipc O (IA) 001F0000 \RPC Control\dhcpcsvc6; PID: 9900 Ipc O (IA) 001F0000 \RPC Control\DNSResolver; PID: 9900 Ipc O (IA) 001F0000 \RPC Control\LRPC-2d4e01746aa8fbe72f; PID: 9900 Ipc O (IA) 001F0000 \RPC 
Control\lsapolicylookup; PID: 9900 Ipc O (IA) 001F0000 \RPC Control\LSARPC_ENDPOINT; PID: 9900 Ipc O (IA) 001F0000 \RPC Control\lsasspirpc; PID: 9900 Ipc O (IA) 001F0000 \RPC Control\samss lpc; PID: 9900 Ipc O (IA) 001F0000 \RPC Control\SbieSvcPort; PID: 9900 Ipc O (IA) 001F0000 \Sessions\1\Windows\ApiPort; PID: 9900 Ipc O (IA) 001F0000 \ThemeApiPort; PID: 9900 Ipc O (IA) 001F0001 \RPC Control\LRPC-2d4e01746aa8fbe72f; PID: 6876 Ipc O (IA) 001F0001 \RPC Control\LSARPC_ENDPOINT; PID: 6876 Ipc O (IA) 001F0001 \RPC Control\samss lpc; PID: 6876 Ipc O (IA) 001F0001 \RPC Control\SbieSvcPort; PID: 10708 Ipc O (IA) 001F0001 \RPC Control\SbieSvcPort; PID: 3012 Ipc O (IA) 001F0001 \RPC Control\SbieSvcPort; PID: 5024 Ipc O (IA) 001F0001 \RPC Control\SbieSvcPort; PID: 5368 Ipc O (IA) 001F0001 \RPC Control\SbieSvcPort; PID: 6876 Ipc O (IA) 001F0001 \RPC Control\SbieSvcPort; PID: 9900 Ipc O (IA) 001F0001 \Sessions\1\Windows\ApiPort; PID: 10708 Ipc O (IA) 001F0001 \Sessions\1\Windows\ApiPort; PID: 3012 Ipc O (IA) 001F0001 \Sessions\1\Windows\ApiPort; PID: 5024 Ipc O (IA) 001F0001 \Sessions\1\Windows\ApiPort; PID: 5368 Ipc O (IA) 001F0001 \Sessions\1\Windows\ApiPort; PID: 6876 Ipc O (IA) 001F0001 \Sessions\1\Windows\ApiPort; PID: 9900 Ipc O (IA) 001F0001 \ThemeApiPort; PID: 3012 Ipc O (IA) 001F0001 \ThemeApiPort; PID: 5024 Ipc O (IA) 001F0001 \ThemeApiPort; PID: 6876 Ipc O (IA) 001F0001 \ThemeApiPort; PID: 9900 Ipc O \Device\DeviceApi\CMApi Func: 201; PID: 3012 Ipc O \Device\DeviceApi\CMApi Func: 201; PID: 6876 Ipc O \KernelObjects\LowMemoryCondition; PID: 10708 Ipc O \KernelObjects\LowMemoryCondition; PID: 6876 Ipc O \KernelObjects\MaximumCommitCondition; PID: 10708 Ipc O \KernelObjects\MaximumCommitCondition; PID: 3012 Ipc O \KernelObjects\MaximumCommitCondition; PID: 5024 Ipc O \KernelObjects\MaximumCommitCondition; PID: 5368 Ipc O \KernelObjects\MaximumCommitCondition; PID: 9900 Ipc O \KernelObjects\MemoryErrors; PID: 9900 Ipc O \KernelObjects\SystemErrorPortReady; PID: 6876 
Ipc O \KernelObjects\SystemErrorPortReady; PID: 9900 Ipc O \RPC Control\dhcpcsvc; PID: 6876 Ipc O \RPC Control\dhcpcsvc6; PID: 6876 Ipc O \RPC Control\DNSResolver; PID: 6876 Ipc O \RPC Control\lsapolicylookup; PID: 10708 Ipc O \RPC Control\lsapolicylookup; PID: 3012 Ipc O \RPC Control\lsapolicylookup; PID: 5024 Ipc O \RPC Control\lsapolicylookup; PID: 5368 Ipc O \RPC Control\lsapolicylookup; PID: 6876 Ipc O \RPC Control\LSARPC_ENDPOINT Msg: 00; PID: 6876 Ipc O \RPC Control\LSARPC_ENDPOINT Msg: 1F; PID: 6876 Ipc O \RPC Control\LSARPC_ENDPOINT Msg: 2C; PID: 6876 Ipc O \RPC Control\LSARPC_ENDPOINT Msg: 2E; PID: 6876 Ipc O \RPC Control\LSARPC_ENDPOINT Msg: EF; PID: 6876 Ipc O \RPC Control\LSARPC_ENDPOINT; PID: 6876 Ipc O \RPC Control\lsasspirpc; PID: 3012 Ipc O \RPC Control\lsasspirpc; PID: 5024 Ipc O \RPC Control\lsasspirpc; PID: 5368 Ipc O \RPC Control\lsasspirpc; PID: 6876 Ipc O \RPC Control\samss lpc Msg: 00; PID: 6876 Ipc O \RPC Control\samss lpc Msg: 01; PID: 10708 Ipc O \RPC Control\samss lpc Msg: 07; PID: 10708 Ipc O \RPC Control\samss lpc Msg: 11; PID: 10708 Ipc O \RPC Control\samss lpc Msg: 1B; PID: 10708 Ipc O \RPC Control\samss lpc Msg: 21; PID: 10708 Ipc O \RPC Control\samss lpc Msg: 40; PID: 10708 Ipc O \RPC Control\samss lpc Msg: AE; PID: 6876 Ipc O \RPC Control\samss lpc Msg: EF; PID: 10708 Ipc O \RPC Control\samss lpc; PID: 10708 Ipc O \RPC Control\samss lpc; PID: 6876 Ipc O \RPC Control\SbieSvcPort; PID: 10708 Ipc O \RPC Control\SbieSvcPort; PID: 3012 Ipc O \RPC Control\SbieSvcPort; PID: 5024 Ipc O \RPC Control\SbieSvcPort; PID: 5368 Ipc O \RPC Control\SbieSvcPort; PID: 6876 Ipc O \RPC Control\SbieSvcPort; PID: 9900 Ipc O \Security\LSA_AUTHENTICATION_INITIALIZED; PID: 3012 Ipc O \Security\LSA_AUTHENTICATION_INITIALIZED; PID: 5024 Ipc O \Security\LSA_AUTHENTICATION_INITIALIZED; PID: 5368 Ipc O \Security\LSA_AUTHENTICATION_INITIALIZED; PID: 6876 Ipc O \Sessions\1\Windows\Theme2483701618; PID: 3012 Ipc O \Sessions\1\Windows\Theme2483701618; PID: 5024 Ipc 
O \Sessions\1\Windows\Theme2483701618; PID: 6876 Ipc O \Sessions\1\Windows\Theme2483701618; PID: 9900 Ipc O \Sessions\1\Windows\ThemeSection; PID: 3012 Ipc O \Sessions\1\Windows\ThemeSection; PID: 5024 Ipc O \Sessions\1\Windows\ThemeSection; PID: 6876 Ipc O \Sessions\1\Windows\ThemeSection; PID: 9900 Ipc O \ThemeApiPort; PID: 3012 Ipc O \ThemeApiPort; PID: 5024 Ipc O \ThemeApiPort; PID: 6876 Ipc O \ThemeApiPort; PID: 9900 Ipc O \Windows\Theme2732417997; PID: 3012 Ipc O \Windows\Theme2732417997; PID: 5024 Ipc O \Windows\Theme2732417997; PID: 6876 Ipc O \Windows\Theme2732417997; PID: 9900 Ipc X \RPC Control\samss lpc Msg: 02; PID: 6876 Key ------------------------------- Other CreateProcess: C:\Software\Sandboxie\SandboxieCrypto.exe ("C:\Software\Sandboxie\SandboxieCrypto.exe"); err=0; PID: 6876 Other CreateProcess: C:\Software\Sandboxie\SandboxieDcomLaunch.exe ("C:\Software\Sandboxie\SandboxieDcomLaunch.exe"); err=0; PID: 5024 Other CreateProcess: C:\Windows\System32\WerFault.exe (C:\WINDOWS\system32\WerFault.exe -u -p 6876 -s 2608); err=0; PID: 6876 Other CreateProcess: C:\Windows\System32\WerFault.exe (C:\WINDOWS\system32\WerFault.exe -u -p 6876 -s 2608); err=1314; PID: 6876 Other CreateProcess: F:\ASF\ArchiSteamFarm.exe ("F:\ASF\ArchiSteamFarm.exe" --process-required --system-required); err=0; PID: 3012 Other ServiceMainThread; begin; PID: 10708 Other ServiceMainThread; end; PID: 10708 Other SetServiceStatus; status: <00000002>; PID: 10708 Other SetServiceStatus; status: <00000002>; PID: 6876 Other SetServiceStatus; status: <00000004>; PID: 10708 Other StartBoxedService; name: 'cryptsvc'; PID: 6876 Other StartServiceCtrlDispatcher; name: 'CryptSvc'; PID: 10708 Pipe ------------------------------- Pipe ?; PID: 6876 Pipe \Device\CNG; PID: 10708 Pipe \Device\CNG; PID: 3012 Pipe \Device\CNG; PID: 5024 Pipe \Device\CNG; PID: 5368 Pipe \Device\CNG; PID: 6876 Pipe \Device\CNG; PID: 9900 Pipe \Device\DeviceApi; PID: 3012 Pipe \Device\DeviceApi; PID: 6876 Pipe 
\Device\Harddisk2\DR2; PID: 10708 Pipe \Device\Harddisk2\DR2; PID: 6876 Pipe \Device\HarddiskVolume1; PID: 3012 Pipe \Device\HarddiskVolume10; PID: 3012 Pipe \Device\HarddiskVolume2; PID: 3012 Pipe \Device\HarddiskVolume4; PID: 10708 Pipe \Device\HarddiskVolume4; PID: 3012 Pipe \Device\HarddiskVolume4; PID: 6876 Pipe \Device\HarddiskVolume6; PID: 3012 Pipe \Device\HarddiskVolume8; PID: 3012 Pipe \Device\KsecDD; PID: 10708 Pipe \Device\KsecDD; PID: 3012 Pipe \Device\KsecDD; PID: 5024 Pipe \Device\KsecDD; PID: 5368 Pipe \Device\KsecDD; PID: 6876 Pipe \Device\KsecDD; PID: 9900 Pipe \Device\MountPointManager; PID: 10708 Pipe \Device\MountPointManager; PID: 3012 Pipe \Device\NamedPipe\dotnet-diagnostic-6876; PID: 6876 Pipe \Device\NamedPipe\dotnet-diagnostic-6876; PID: 9900 Pipe \Device\Ndis; PID: 5024 Pipe \Device\NDMP1; PID: 5024 Pipe \Device\NDMP12; PID: 5024 Pipe \Device\NDMP2; PID: 5024 Pipe \Device\NDMP3; PID: 5024 Pipe \Device\NDMP4; PID: 5024 Pipe \Device\NDMP5; PID: 5024 Pipe \Device\NDMP6; PID: 5024 Pipe \Device\NDMP7; PID: 5024 Pipe \Device\NDMP8; PID: 5024 Pipe \Device\NDMP9; PID: 5024 Pipe O \Device\Afd; PID: 6876 Pipe O \Device\Afd; PID: 9900 Pipe O \Device\NetBTTcpip{275A0C7A-9747-444E-80EB-6CD4AB21EAF1}; PID: 6876 Pipe O \Device\NetBTTcpip{AE569171-A391-FC98-4420-3654BB213BAC}; PID: 6876 Pipe O \Device\Nsi; PID: 6876 WinCls ------------------------------- WinCls $:explorer.exe; PID: 9900 WinCls $:SbieSvc.exe; PID: 6876 WinCls ConsoleWindowClass; PID: 6876 WinCls Progman; PID: 9900 WinCls Sandboxie_DDE_ProxyClass1; PID: 5024 WinCls TreeviewToolTipClass; PID: 9900 WinCls WerFaultWndClass; PID: 9900 WinCls O Shell_TrayWnd; PID: 5024 WinCls O Shell_TrayWnd; PID: 9900 WinCls X Progman; PID: 9900

DavidXanatos commented 3 years ago

Ipc X \RPC Control\samss lpc Msg: 02; PID: 6876 // SamSetSecurityObject <- that's the problematic call

It's issued by SandboxieCrypto.exe as a result of some call to it that ASF initiates.

Unfortunately SamSetSecurityObject is not documented, and as far as I can tell based on what little I found https://github.com/metoo10987/OpenNT-4.5/blob/98bd914d250dd72a85e351da1ec3aa88433aac35/nt/private/windows/setup/syssetup/samupgrd.c#L347 it seems not safe to allow this call by default.

Although it being issued by SandboxieCrypto.exe, which is not elevated, indicates that in this particular case it's harmless.

A potential improvement to the situation could be to filter these RPC calls only for elevated processes, but for now I would say for your use case just keep using OpenSamEndpoint=y
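
Added example, not part of the original comment and not Sandboxie project code: a Python triage script for an access trace in the flattened `Type [O|X] target; PID: n` layout quoted above. It lists entries flagged `X` (read here as an access Sandboxie blocked, which is an assumption about the trace format) and calls that returned a non-zero `status` or `err`. The sample text is constructed, and the single `Msg: 02` annotation is taken from the reply above.

```python
import re
from collections import namedtuple

Entry = namedtuple("Entry", "kind flag detail pid")

# Constructed sample in the flattened layout of the trace discussed in this issue.
SAMPLE = (
    r"Ipc O \RPC Control\samss lpc Msg: 01; PID: 10708 "
    r"Ipc [syscall] AlpcSendWaitReceivePort, status = 0xC0000022, handle = 9EC; ; PID: 6876 "
    r"Ipc O (IA) 001F0001 \RPC Control\SbieSvcPort; PID: 3012 "
    r"Ipc X \RPC Control\samss lpc Msg: 02; PID: 6876 "
    r"Key ------------------------------- "
    r"Other CreateProcess: C:\Windows\System32\WerFault.exe "
    r"(C:\WINDOWS\system32\WerFault.exe -u -p 6876 -s 2608); err=1314; PID: 6876 "
    r"Pipe \Device\CNG; PID: 10708 "
    r"WinCls X Progman; PID: 9900"
)

# Annotation taken from the maintainer's reply in this thread; nothing else is assumed.
NOTES = {
    ("\\RPC Control\\samss lpc", "02"): "SamSetSecurityObject (per the maintainer's reply)",
}

SECTION_RE = re.compile(r"\b\w+ -{5,}\s*")                 # "Key -------" section headers
ENTRY_RE = re.compile(r"\s*(.*?);\s*PID:\s*(\d+)")         # one entry ends at "; PID: n"
HEAD_RE = re.compile(r"(?P<kind>\w+)\s+(?:(?P<flag>[OX])\s+)?(?P<detail>.*)")
STATUS_RE = re.compile(r"\b(?:status = 0x([0-9A-Fa-f]+)|err=(\d+))")
MSG_RE = re.compile(r"^(?P<port>.*?)(?: Msg: (?P<msg>[0-9A-F]{2}))?$")


def parse_trace(text):
    """Split a flattened trace into Entry tuples, tolerating wrapped lines."""
    text = " ".join(text.split())          # undo arbitrary line wrapping
    text = SECTION_RE.sub("", text)        # drop section header rows
    entries = []
    for m in ENTRY_RE.finditer(text):
        body = m.group(1).rstrip("; ").strip()
        head = HEAD_RE.fullmatch(body)
        if head is None:
            continue                       # not an entry we understand
        entries.append(
            Entry(head["kind"], head["flag"], head["detail"].strip(), int(m.group(2)))
        )
    return entries


def blocked(entries):
    """Entries flagged X, as (pid, kind, target, msg, note) tuples."""
    rows = []
    for e in entries:
        if e.flag != "X":
            continue
        m = MSG_RE.match(e.detail)
        port, msg = m["port"], m["msg"]
        rows.append((e.pid, e.kind, port, msg, NOTES.get((port, msg))))
    return rows


def failed_calls(entries):
    """Entries whose 'status = 0x..' or 'err=..' field is non-zero."""
    out = []
    for e in entries:
        m = STATUS_RE.search(e.detail)
        if not m:
            continue
        code = int(m.group(1), 16) if m.group(1) else int(m.group(2))
        if code:
            out.append((e, code))
    return out


if __name__ == "__main__":
    parsed = parse_trace(SAMPLE)
    for pid, kind, target, msg, note in blocked(parsed):
        extra = f" Msg {msg}" if msg else ""
        print(f"BLOCKED pid={pid} {kind} {target}{extra} {note or ''}".rstrip())
    for entry, code in failed_calls(parsed):
        print(f"FAILED  pid={entry.pid} code={code:#x} {entry.detail}")
```

Grouping the blocked rows by PID and comparing them against the crashing process ID narrows a long trace down to the few lines worth reading before any `Open...` setting is changed.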

diversenok commented 3 years ago

> Unfortunately SamSetSecurityObject is not documented

@DavidXanatos, I have a lifehack for you. You can use the official protocol specifications to look up Sam-, Lsa-, Audit-, WinStation- and other functions that rely on RPC. SamSetSecurityObject, for example, is merely a wrapper around SamrSetSecurityObject, which is well-documented.

Some useful specifications:

DavidXanatos commented 3 years ago

@diversenok thanks, that's very helpful. It says "The SamrSetSecurityObject method sets the access control on a server, domain, user, group, or alias object." So allowing that call generally does not seem like a great idea,

but having a workaround in the form of OpenSamEndpoint=y seems good enough for this use case, so I'll close this issue.