Artifacts

Archive for July, 2012


Forensic Artefacts FrostWire

Posted by:  /  Tags: ,  /  Comments: 1

Vee

FrostWire Version b5

[root]User/xxx/FrostWire
This folder contains five subfolders that contain the actual .torrent files and the actual media that has been downloaded. The subfolders contained within the abovementioned folder are:

•Incomplete: Within this folder, the temporary tracker of the media is saved while in the process of being downloaded, this is the metaphorical bookmark that enables the software to stop and start as the user wishes.
•Saved: This folder contains the artifacts of .torrent files that the user wishes to save- to be able to download at another time.
•Shared: This folder contains all the .torrent trackers that the user has uploaded or created. FrostWirev.5 enables the creation of .torrent trackers.
•Torrent Data: Possibly one of the most important folders, this is where the software saves the actual downloaded media.This is a system automated process, which remains standard.
•Torrent: This folder contains the actual .torrent tracker file, which is the tracker and that is created to download the requested item. For each item downloaded, two entries are created -A .torrent file is created that contain the creation time, the SHA 1 value of the downloaded item, and from where it was downloaded. The second entry created is in unallocated space, which contains the exact same information.
[root]user/xxx/AppData/Roaming/FrostWire

This folder essentially contains a few very important artifacts, which contain important evidentiary information on what was downloaded.

•Createtimes.cache: This cache file contains the SHA-1 value that is assigned to all uploaded media when a .torrent file is created and uploaded to the distribution websites. The SHA-1 value is that of the whole file when it was originally uploaded.This is verified once the item has been downloaded to ensure that the right and complete item has been downloaded.
•Download.dat: This database file contains all the names, identification SHA-1 values of all the files and media downloaded by the user using FrostWire v.5. This can be used to identify what was downloaded when the actual physical items are no longer on the machine.
•Fileurns.cache & Fileurns.bak: These two files essentially contain the same information. When a download is started the software logs the SHA-1 value of the file to ensure that the completed file is downloaded. The SHA-1 value can be used to identify whether a certain item matched the online version of the said file.
•FrostWire.props: This property file contains the selection made by the user upon installation. Here you can determine what changes have been made to the default settings of FrostWire v.5.
•Hostiles.txt: This contains a log of all subnet Masks currently running on the FrostWire v.5 network.
•Library.dat: This database is of all media that is saved by the user to the FrostWire v.5 library, even if it was not physically downloaded onto the machine.

Identifying Searches Done Using FrostWire v.5:
When a user searches for a specific item to download, that search is stored in various places on the local machine:

1.[root]/$Logfile: Contains the search term searched for, where it was found along with the SHA-1 identification hash value.
2.[root]/ProgramData/Microsoft/Search/Data/Applications/Windows/GatherLogs/SystemIndex/SystemIndex.gthr: The header information contained within this gather log, is the search term and how the system and the software communicated.This information is gathered by the two tracing protocols mentioned early Rasapi 32 and RASMANCS.
3.[root]users/xxx/.FrostWire/search_db.h2.db :This is the database that FrostWire v.5 uses to record all searches done by the users.The information recorded is the following:

i. URL Details, where the .torrent file is residing.
ii. The search term searched.
iii. The magnet link and corresponding SHA-1 hash value.
iv. The creation date in Unix that .torrent tracker was created.
4.[root]users/xxx/.FrostWire/search_db/search_db/_28.tii: This is the actual entry in the database for each search term done by the user.This contained what the search term was and the corresponding file ID.
5.[root]users/xxx/.FrostWire/search_db_searchdb__28.tis:This is a record of the search results for the particular search term, meaning that for every .tii file a corresponding .tis file can be found.

Examining a .torrent File and the Artifacts Found:

The file header for .torrent files in hex is:

0x64 38 3A 61 6E 6E 6F 6F 63 65 35 39 (As viewed in hex)

d8:announce59 (As viewed in text)

Contained in this .torrent file is the following information:
File Meaning
http://tracker.torrentbox.com The website that the .torrent file was uploaded to and stored on
2710 The initial port used to communicate to the website initially.
77.247.176.132:80 The IP address communicated with along with the port used for downloading.
1238229350 Unix creation date of the torrent.
Linux Books The name of the item downloaded.
31C8D8C7748C9CC8090C4C2A Identification SHA-1 hash value.

The registry keys SOFTWARE, SECURITY,SYSTEM and the Ntuser.dat were examined and the following artifacts or changes were identified:

1.HKEY/LOCAL MACHINE/SOFTWARE/Current Version: (These changes can be seen in the NTUSER.DAT as well)
This contained the following relevant information of the software FrostWire v.5:
i. Display Name
ii. Publisher
iii. Help Link
iv. URL
v. URL Info
vi. Display Version
vii. Uninstall Command
2.HKEY/LOCAL MACHINE/SOFTWARE/Classes:
This contained the following relevant information of the software FrostWire v.5:
i. FrostWire Toolbar
ii. FrostWire.exe files location.
3. HKEY/LOCAL MACHINE/SOFTWARE/FrostWire:
This contained the following relevant information of the software FrostWire v.5:

i.The executable command used to access and run FrostWire v.5.

4.HKEY/LOCAL MACHINE/SOFTWARE/Tracing:

This contained the following relevant information of the software FrostWire v.5:

i.This contains two tracing mechanisms that Microsoft uses to manage and monitor software, which is the Rasapi 32 command and the RASMANCS command. The information saved is saved in [root]/ProgramData/Microsoft/Search/Data/Applications/Windows/GatherLogs/SystemIndex/SystemIndex.gthr:

5.HKEY/LOCAL MACHINE/SYSTEM:
For FrostWire v.5 to be able to function, a change has to be made within how the system operates:

i.When installing FrostWire v.5, the software automatically change the FireWall policy to create an exception to allow communication from FrostWire v.5 and the downloading servers, thus bypassing the firewall completely.
6.HKEY/LOCAL MACHINE/SECURITY:
No changes could be identified within this registry key.

[root]User/xxx/FrostWire
[root]user/xxx/AppData/Roaming/FrostWire
[root]/$Logfile
[root]/ProgramData/Microsoft/Search/Data/Applications/Windows/GatherLogs/SystemIndex/SystemIndex.gthr
[root]users/xxx/.FrostWire/search_db.h2.db
[root]users/xxx/.FrostWire/search_db/search_db/_28.tii
[root]users/xxx/.FrostWire/search_db_searchdb__28.tis

http://articles.forensicfocus.com/2012/07/19/forensic-examination-of-frostwire-version-5/

FTK
FTK Imager
Raptor
SIFT
RegRipper

http://forensicartifacts.com/wp-content/uploads/gravity_forms/3-b56c65f0d638cb782e8f437e4b2147cf/2012/07/Forensic-Examination-of-FrostWire-Version-5_VSchmitt.pdf

Using Apple Time Capsule with Microsoft Windows

Posted by:  /  Tags: , , , ,

John Lukach

AirPort Utility 5.6.1 for Windows

The AirPort Utility for Windows allows Microsoft computers using Bonjour to access the Apple Time Capsule hard disk. The drive is available as a network share through UNC mapping on your PC. The binary data stored in HKEY_Users\S-1-5-1234567890-1234567890-123456789-1000\Software\AppleInc.\Preferences\com.apple.airport.diskagent will provide confirmation of which volume is associated with your Apple Time Capsule. An external USB connection is available so you could have two volumes listed.

If the end-user setup Windows Backups than you will be able to gain additional insight into the size of the disk with the free space available that may be beneficial in identifying the external USB drive.

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WindowsBackup\ScheduledParams

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WindowsBackup\ScheduledParams\Rules\

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WindowsBackup\ScheduledParams\PresentableName

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WindowsBackup\ScheduledParams\UniqueName

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WindowsBackup\TargetDevices

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WindowsBackup\UserDataExclusions

User defined inclusions are listed as numbered keys under the Rules folder containing specific paths.

NTUSER Trust Records

Posted by:  /  Tags: , , ,  /  Comments: 1

Andrew Case

Office

The TrustRecord field inside of Office’s NTUSER holds the full path to documents that were downloaded from untrusted places (e.g. a web browser download), and that the user had to explicitly tell Office to trust. This “trust” prompt is shown when the user wants to edit the document or run macros inside of it.

The artifact is interesting because it holds not only the full path in a MRU listing, but the value of the particular name/value is the time it was trusted.

Software\Microsoft\Office\14.0\PowerPoint\Security\Trusted Documents\TrustRecords

The path part after “Office” will differ per-version of Office, but the rest of the path is the same.

NTUSER hive

RegExtract – http://www.woanware.co.uk/?page_id=209 – The “OfficeDocuments” plugin will extract this information

PsTools Artifacts

Posted by:  /  Tags: , ,  /  Comments: 1

John Lukach

PsTools Suite 2.44

PsTools are a common resource used to manage remote systems. During execution of PsExec, PsFile, PsGetSID, PsInfo, PsKill, PsList, PsLoggedOn, PsLogList, PsPasswd, PsService, PsShutDown, and PsSuspend the EULA software license agreement must be accepted. A registry entry is created allowing you to determine which tools have been used on a specific machine. I used the RegRipper framework by Harlan Carvey to create a new plugin that will be available at: http://regripper.wordpress.com to harvest these artifacts.

\registry\users\S-1-5-1234567890-1234567890-123456789-1000\Software\SysInternals\PsExec\EulaAccepted
\registry\users\S-1-5-1234567890-1234567890-123456789-1000\Software\SysInternals\PsFile\EulaAccepted
\registry\users\S-1-5-1234567890-1234567890-123456789-1000\Software\SysInternals\PsGetSID\EulaAccepted
\registry\users\S-1-5-1234567890-1234567890-123456789-1000\Software\SysInternals\PsInfo\EulaAccepted
\registry\users\S-1-5-1234567890-1234567890-123456789-1000\Software\SysInternals\PsKill\EulaAccepted
\registry\users\S-1-5-1234567890-1234567890-123456789-1000\Software\SysInternals\PsList\EulaAccepted
\registry\users\S-1-5-1234567890-1234567890-123456789-1000\Software\SysInternals\PsLoggedOn\EulaAccepted
\registry\users\S-1-5-1234567890-1234567890-123456789-1000\Software\SysInternals\PsLogList\EulaAccepted
\registry\users\S-1-5-1234567890-1234567890-123456789-1000\Software\SysInternals\PsPasswd\EulaAccepted
\registry\users\S-1-5-1234567890-1234567890-123456789-1000\Software\SysInternals\PsService\EulaAccepted
\registry\users\S-1-5-1234567890-1234567890-123456789-1000\Software\SysInternals\PsShutDown\EulaAccepted
\registry\users\S-1-5-1234567890-1234567890-123456789-1000\Software\SysInternals\PsSuspend\EulaAccepted

http://technet.microsoft.com/en-us/sysinternals/bb896649.aspx

http://forensicartifacts.com/wp-content/uploads/gravity_forms/3-b56c65f0d638cb782e8f437e4b2147cf/2012/07/PsTools-Plugin.jpg

Google Drive

Posted by:  /  Tags:  /  Comments: 2

Matt Nelson

Google Drive artifacts based on a default install. The Google Drive install is really noisy on the registry entries.

Per Google:

With Google Drive, you can:
Create and collaborate. Google Docs is built right into Google Drive, so you can work with others in real time on documents, spreadsheets and presentations. Once you choose to share content with others, you can add and reply to comments on anything (PDF, image, video file, etc.) and receive notifications when other people comment on shared items.

Store everything safely and access it anywhere (especially while on the go). All your stuff is just… there. You can access your stuff from anywhere—on the web, in your home, at the office, while running errands and from all of your devices. You can install Drive on your Mac or PC and can download the Drive app to your Android phone or tablet. We’re also working hard on a Drive app for your iOS devices. And regardless of platform, blind users can access Drive with a screen reader.

Google Drive sync folder:
C:\Documents and Settings\[username]\My Documents\Google Drive

HKLM\SOFTWARE\Classes\AppID\GoogleUpdate.exe

HKLM\SOFTWARE\Classes\MIME\Database\Content Type\application/x-vnd.google.oneclickctrl.9
HKLM\SOFTWARE\Classes\MIME\Database\Content Type\application/x-vnd.google.update3webcontrol.3

HKLM\SOFTWARE\Classes\Google.OneClickCtrl.9
HKLM\SOFTWARE\Classes\Google.OneClickCtrl.9\CLSID
HKLM\SOFTWARE\Classes\Google.OneClickProcessLauncherMachine
HKLM\SOFTWARE\Classes\Google.OneClickProcessLauncherMachine\CLSID
HKLM\SOFTWARE\Classes\Google.OneClickProcessLauncherMachine\CurVer
HKLM\SOFTWARE\Classes\Google.OneClickProcessLauncherMachine.1.0
HKLM\SOFTWARE\Classes\Google.OneClickProcessLauncherMachine.1.0\CLSID
HKLM\SOFTWARE\Classes\Google.Update3WebControl.3
HKLM\SOFTWARE\Classes\Google.Update3WebControl.3\CLSID
HKLM\SOFTWARE\Classes\GoogleUpdate.CoCreateAsync
HKLM\SOFTWARE\Classes\GoogleUpdate.CoCreateAsync\CLSID
HKLM\SOFTWARE\Classes\GoogleUpdate.CoCreateAsync\CurVer
HKLM\SOFTWARE\Classes\GoogleUpdate.CoCreateAsync.1.0
HKLM\SOFTWARE\Classes\GoogleUpdate.CoCreateAsync.1.0\CLSID
HKLM\SOFTWARE\Classes\GoogleUpdate.CoreClass
HKLM\SOFTWARE\Classes\GoogleUpdate.CoreClass\CLSID
HKLM\SOFTWARE\Classes\GoogleUpdate.CoreClass\CurVer
HKLM\SOFTWARE\Classes\GoogleUpdate.CoreClass.1
HKLM\SOFTWARE\Classes\GoogleUpdate.CoreClass.1\CLSID
HKLM\SOFTWARE\Classes\GoogleUpdate.CoreMachineClass
HKLM\SOFTWARE\Classes\GoogleUpdate.CoreMachineClass\CLSID
HKLM\SOFTWARE\Classes\GoogleUpdate.CoreMachineClass\CurVer
HKLM\SOFTWARE\Classes\GoogleUpdate.CoreMachineClass.1
HKLM\SOFTWARE\Classes\GoogleUpdate.CoreMachineClass.1\CLSID
HKLM\SOFTWARE\Classes\GoogleUpdate.CredentialDialogMachine
HKLM\SOFTWARE\Classes\GoogleUpdate.CredentialDialogMachine\CLSID
HKLM\SOFTWARE\Classes\GoogleUpdate.CredentialDialogMachine\CurVer
HKLM\SOFTWARE\Classes\GoogleUpdate.CredentialDialogMachine.1.0
HKLM\SOFTWARE\Classes\GoogleUpdate.CredentialDialogMachine.1.0\CLSID
HKLM\SOFTWARE\Classes\GoogleUpdate.OnDemandCOMClassMachine
HKLM\SOFTWARE\Classes\GoogleUpdate.OnDemandCOMClassMachine\CLSID
HKLM\SOFTWARE\Classes\GoogleUpdate.OnDemandCOMClassMachine\CurVer
HKLM\SOFTWARE\Classes\GoogleUpdate.OnDemandCOMClassMachine.1.0
HKLM\SOFTWARE\Classes\GoogleUpdate.OnDemandCOMClassMachine.1.0\CLSID
HKLM\SOFTWARE\Classes\GoogleUpdate.OnDemandCOMClassMachineFallback
HKLM\SOFTWARE\Classes\GoogleUpdate.OnDemandCOMClassMachineFallback\CLSID
HKLM\SOFTWARE\Classes\GoogleUpdate.OnDemandCOMClassMachineFallback\CurVer
HKLM\SOFTWARE\Classes\GoogleUpdate.OnDemandCOMClassMachineFallback.1.0
HKLM\SOFTWARE\Classes\GoogleUpdate.OnDemandCOMClassMachineFallback.1.0\CLSID
HKLM\SOFTWARE\Classes\GoogleUpdate.OnDemandCOMClassSvc
HKLM\SOFTWARE\Classes\GoogleUpdate.OnDemandCOMClassSvc\CLSID
HKLM\SOFTWARE\Classes\GoogleUpdate.OnDemandCOMClassSvc\CurVer
HKLM\SOFTWARE\Classes\GoogleUpdate.OnDemandCOMClassSvc.1.0
HKLM\SOFTWARE\Classes\GoogleUpdate.OnDemandCOMClassSvc.1.0\CLSID
HKLM\SOFTWARE\Classes\GoogleUpdate.ProcessLauncher
HKLM\SOFTWARE\Classes\GoogleUpdate.ProcessLauncher\CLSID
HKLM\SOFTWARE\Classes\GoogleUpdate.ProcessLauncher\CurVer
HKLM\SOFTWARE\Classes\GoogleUpdate.ProcessLauncher.1.0
HKLM\SOFTWARE\Classes\GoogleUpdate.ProcessLauncher.1.0\CLSID
HKLM\SOFTWARE\Classes\GoogleUpdate.Update3COMClassService
HKLM\SOFTWARE\Classes\GoogleUpdate.Update3COMClassService\CLSID
HKLM\SOFTWARE\Classes\GoogleUpdate.Update3COMClassService\CurVer
HKLM\SOFTWARE\Classes\GoogleUpdate.Update3COMClassService.1.0
HKLM\SOFTWARE\Classes\GoogleUpdate.Update3COMClassService.1.0\CLSID
HKLM\SOFTWARE\Classes\GoogleUpdate.Update3WebMachine
HKLM\SOFTWARE\Classes\GoogleUpdate.Update3WebMachine\CLSID
HKLM\SOFTWARE\Classes\GoogleUpdate.Update3WebMachine\CurVer
HKLM\SOFTWARE\Classes\GoogleUpdate.Update3WebMachine.1.0
HKLM\SOFTWARE\Classes\GoogleUpdate.Update3WebMachine.1.0\CLSID
HKLM\SOFTWARE\Classes\GoogleUpdate.Update3WebMachineFallback
HKLM\SOFTWARE\Classes\GoogleUpdate.Update3WebMachineFallback\CLSID
HKLM\SOFTWARE\Classes\GoogleUpdate.Update3WebMachineFallback\CurVer
HKLM\SOFTWARE\Classes\GoogleUpdate.Update3WebMachineFallback.1.0
HKLM\SOFTWARE\Classes\GoogleUpdate.Update3WebMachineFallback.1.0\CLSID
HKLM\SOFTWARE\Classes\GoogleUpdate.Update3WebSvc
HKLM\SOFTWARE\Classes\GoogleUpdate.Update3WebSvc\CLSID
HKLM\SOFTWARE\Classes\GoogleUpdate.Update3WebSvc\CurVer
HKLM\SOFTWARE\Classes\GoogleUpdate.Update3WebSvc.1.0
HKLM\SOFTWARE\Classes\GoogleUpdate.Update3WebSvc.1.0\CLSID
HKLM\SOFTWARE\Microsoft\ESENT\Process\googledrivesync
HKLM\SOFTWARE\Microsoft\ESENT\Process\googledrivesync\DEBUG

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\GDriveBlacklistedOverlay
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\GDriveSharedOverlay
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\GDriveSyncedOverlay
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\GDriveSyncingOverlay

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GoogleUpdate.exe
HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=3
HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=3\MimeTypes
HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=3\MimeTypes\application/x-vnd.google.update3webcontrol.3
HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=9
HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=9\MimeTypes
HKLM\SOFTWARE\MozillaPlugins\@tools.google.com/Google Update;version=9\MimeTypes\application/x-vnd.google.oneclickctrl.9
HKLM\SOFTWARE\Google
HKLM\SOFTWARE\Google\Drive
HKLM\SOFTWARE\Google\Update
HKLM\SOFTWARE\Google\Update\Clients
HKLM\SOFTWARE\Google\Update\Clients\{3C122445-AECE-4309-90B7-85A6AEF42AC0}
HKLM\SOFTWARE\Google\Update\Clients\{430FD4D0-B729-4F61-AA34-91526481799D}
HKLM\SOFTWARE\Google\Update\ClientState
HKLM\SOFTWARE\Google\Update\ClientState\{3C122445-AECE-4309-90B7-85A6AEF42AC0}
HKLM\SOFTWARE\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}
HKLM\SOFTWARE\Google\Update\ClientStateMedium
HKLM\SOFTWARE\Google\Update\ClientStateMedium\{3C122445-AECE-4309-90B7-85A6AEF42AC0}
HKLM\SOFTWARE\Google\Update\network
HKLM\SOFTWARE\Google\Update\network\secure
HKLM\SOFTWARE\Google\Update\uid
HKLM\SOFTWARE\Google\Update\UsageStats
HKLM\SOFTWARE\Google\Update\UsageStats\Daily
HKU\S-1-5-21-1993962763-1482476501-839522115-1003\Software\Classes\.gdoc
HKU\S-1-5-21-1993962763-1482476501-839522115-1003\Software\Classes\.gdraw
HKU\S-1-5-21-1993962763-1482476501-839522115-1003\Software\Classes\.gform
HKU\S-1-5-21-1993962763-1482476501-839522115-1003\Software\Classes\.glink
HKU\S-1-5-21-1993962763-1482476501-839522115-1003\Software\Classes\.gsheet
HKU\S-1-5-21-1993962763-1482476501-839522115-1003\Software\Classes\.gslides
HKU\S-1-5-21-1993962763-1482476501-839522115-1003\Software\Classes\.gtable
HKU\S-1-5-21-1993962763-1482476501-839522115-1003\Software\Classes\GoogleDrive.gdoc
HKU\S-1-5-21-1993962763-1482476501-839522115-1003\Software\Classes\GoogleDrive.gdoc\DefaultIcon
HKU\S-1-5-21-1993962763-1482476501-839522115-1003\Software\Classes\GoogleDrive.gdoc\shell
HKU\S-1-5-21-1993962763-1482476501-839522115-1003\Software\Classes\GoogleDrive.gdoc\shell\open
HKU\S-1-5-21-1993962763-1482476501-839522115-1003\Software\Classes\GoogleDrive.gdoc\shell\open\command
HKU\S-1-5-21-1993962763-1482476501-839522115-1003\Software\Classes\GoogleDrive.gdraw
HKU\S-1-5-21-1993962763-1482476501-839522115-1003\Software\Classes\GoogleDrive.gdraw\DefaultIcon
HKU\S-1-5-21-1993962763-1482476501-839522115-1003\Software\Classes\GoogleDrive.gdraw\shell
HKU\S-1-5-21-1993962763-1482476501-839522115-1003\Software\Classes\GoogleDrive.gdraw\shell\open
HKU\S-1-5-21-1993962763-1482476501-839522115-1003\Software\Classes\GoogleDrive.gdraw\shell\open\command
HKU\S-1-5-21-1993962763-1482476501-839522115-1003\Software\Classes\GoogleDrive.gform
HKU\S-1-5-21-1993962763-1482476501-839522115-1003\Software\Classes\GoogleDrive.gform\DefaultIcon
HKU\S-1-5-21-1993962763-1482476501-839522115-1003\Software\Classes\GoogleDrive.gform\shell
HKU\S-1-5-21-1993962763-1482476501-839522115-1003\Software\Classes\GoogleDrive.gform\shell\open
HKU\S-1-5-21-1993962763-1482476501-839522115-1003\Software\Classes\GoogleDrive.gform\shell\open\command
HKU\S-1-5-21-1993962763-1482476501-839522115-1003\Software\Classes\GoogleDrive.glink
HKU\S-1-5-21-1993962763-1482476501-839522115-1003\Software\Classes\GoogleDrive.glink\DefaultIcon
HKU\S-1-5-21-1993962763-1482476501-839522115-1003\Software\Classes\GoogleDrive.glink\shell
HKU\S-1-5-21-1993962763-1482476501-839522115-1003\Software\Classes\GoogleDrive.glink\shell\open
HKU\S-1-5-21-1993962763-1482476501-839522115-1003\Software\Classes\GoogleDrive.glink\shell\open\command
HKU\S-1-5-21-1993962763-1482476501-839522115-1003\Software\Classes\GoogleDrive.gsheet
HKU\S-1-5-21-1993962763-1482476501-839522115-1003\Software\Classes\GoogleDrive.gsheet\DefaultIcon
HKU\S-1-5-21-1993962763-1482476501-839522115-1003\Software\Classes\GoogleDrive.gsheet\shell
HKU\S-1-5-21-1993962763-1482476501-839522115-1003\Software\Classes\GoogleDrive.gsheet\shell\open
HKU\S-1-5-21-1993962763-1482476501-839522115-1003\Software\Classes\GoogleDrive.gsheet\shell\open\command
HKU\S-1-5-21-1993962763-1482476501-839522115-1003\Software\Classes\GoogleDrive.gslides
HKU\S-1-5-21-1993962763-1482476501-839522115-1003\Software\Classes\GoogleDrive.gslides\DefaultIcon
HKU\S-1-5-21-1993962763-1482476501-839522115-1003\Software\Classes\GoogleDrive.gslides\shell
HKU\S-1-5-21-1993962763-1482476501-839522115-1003\Software\Classes\GoogleDrive.gslides\shell\open
HKU\S-1-5-21-1993962763-1482476501-839522115-1003\Software\Classes\GoogleDrive.gslides\shell\open\command
HKU\S-1-5-21-1993962763-1482476501-839522115-1003\Software\Classes\GoogleDrive.gtable
HKU\S-1-5-21-1993962763-1482476501-839522115-1003\Software\Classes\GoogleDrive.gtable\DefaultIcon
HKU\S-1-5-21-1993962763-1482476501-839522115-1003\Software\Classes\GoogleDrive.gtable\shell
HKU\S-1-5-21-1993962763-1482476501-839522115-1003\Software\Classes\GoogleDrive.gtable\shell\open
HKU\S-1-5-21-1993962763-1482476501-839522115-1003\Software\Classes\GoogleDrive.gtable\shell\open\command
HKU\S-1-5-21-1993962763-1482476501-839522115-1003\Software\Classes\Local Settings
HKU\S-1-5-21-1993962763-1482476501-839522115-1003\Software\Classes\Local Settings\Software
HKU\S-1-5-21-1993962763-1482476501-839522115-1003\Software\Classes\Local Settings\Software\Microsoft
HKU\S-1-5-21-1993962763-1482476501-839522115-1003\Software\Classes\Local Settings\Software\Microsoft\Windows
HKU\S-1-5-21-1993962763-1482476501-839522115-1003\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion
HKU\S-1-5-21-1993962763-1482476501-839522115-1003\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify
HKU\S-1-5-21-1993962763-1482476501-839522115-1003\Software\Google
HKU\S-1-5-21-1993962763-1482476501-839522115-1003\Software\Google\Cloud Connect for Microsoft Office
HKU\S-1-5-21-1993962763-1482476501-839522115-1003\Software\Google\Cloud Connect for Microsoft Office\2.0
HKU\S-1-5-21-1993962763-1482476501-839522115-1003\Software\Google\Drive
HKU\S-1-5-21-1993962763-1482476501-839522115-1003\Software\Google\Update
HKU\S-1-5-21-1993962763-1482476501-839522115-1003\Software\Google\Update\ClientState
HKU\S-1-5-21-1993962763-1482476501-839522115-1003\Software\Google\Update\ClientState\{3C122445-AECE-4309-90B7-85A6AEF42AC0}
HKU\S-1-5-21-1993962763-1482476501-839522115-1003\Software\Google\Update\proxy
HKU\S-1-5-21-1993962763-1482476501-839522115-1003_Classes\.gdoc
HKU\S-1-5-21-1993962763-1482476501-839522115-1003_Classes\.gdraw
HKU\S-1-5-21-1993962763-1482476501-839522115-1003_Classes\.gform
HKU\S-1-5-21-1993962763-1482476501-839522115-1003_Classes\.glink
HKU\S-1-5-21-1993962763-1482476501-839522115-1003_Classes\.gsheet
HKU\S-1-5-21-1993962763-1482476501-839522115-1003_Classes\.gslides
HKU\S-1-5-21-1993962763-1482476501-839522115-1003_Classes\.gtable
HKU\S-1-5-21-1993962763-1482476501-839522115-1003_Classes\GoogleDrive.gdoc
HKU\S-1-5-21-1993962763-1482476501-839522115-1003_Classes\GoogleDrive.gdoc\DefaultIcon
HKU\S-1-5-21-1993962763-1482476501-839522115-1003_Classes\GoogleDrive.gdoc\shell
HKU\S-1-5-21-1993962763-1482476501-839522115-1003_Classes\GoogleDrive.gdoc\shell\open
HKU\S-1-5-21-1993962763-1482476501-839522115-1003_Classes\GoogleDrive.gdoc\shell\open\command
HKU\S-1-5-21-1993962763-1482476501-839522115-1003_Classes\GoogleDrive.gdraw
HKU\S-1-5-21-1993962763-1482476501-839522115-1003_Classes\GoogleDrive.gdraw\DefaultIcon
HKU\S-1-5-21-1993962763-1482476501-839522115-1003_Classes\GoogleDrive.gdraw\shell
HKU\S-1-5-21-1993962763-1482476501-839522115-1003_Classes\GoogleDrive.gdraw\shell\open
HKU\S-1-5-21-1993962763-1482476501-839522115-1003_Classes\GoogleDrive.gdraw\shell\open\command
HKU\S-1-5-21-1993962763-1482476501-839522115-1003_Classes\GoogleDrive.gform
HKU\S-1-5-21-1993962763-1482476501-839522115-1003_Classes\GoogleDrive.gform\DefaultIcon
HKU\S-1-5-21-1993962763-1482476501-839522115-1003_Classes\GoogleDrive.gform\shell
HKU\S-1-5-21-1993962763-1482476501-839522115-1003_Classes\GoogleDrive.gform\shell\open
HKU\S-1-5-21-1993962763-1482476501-839522115-1003_Classes\GoogleDrive.gform\shell\open\command
HKU\S-1-5-21-1993962763-1482476501-839522115-1003_Classes\GoogleDrive.glink
HKU\S-1-5-21-1993962763-1482476501-839522115-1003_Classes\GoogleDrive.glink\DefaultIcon
HKU\S-1-5-21-1993962763-1482476501-839522115-1003_Classes\GoogleDrive.glink\shell
HKU\S-1-5-21-1993962763-1482476501-839522115-1003_Classes\GoogleDrive.glink\shell\open
HKU\S-1-5-21-1993962763-1482476501-839522115-1003_Classes\GoogleDrive.glink\shell\open\command
HKU\S-1-5-21-1993962763-1482476501-839522115-1003_Classes\GoogleDrive.gsheet
HKU\S-1-5-21-1993962763-1482476501-839522115-1003_Classes\GoogleDrive.gsheet\DefaultIcon
HKU\S-1-5-21-1993962763-1482476501-839522115-1003_Classes\GoogleDrive.gsheet\shell
HKU\S-1-5-21-1993962763-1482476501-839522115-1003_Classes\GoogleDrive.gsheet\shell\open
HKU\S-1-5-21-1993962763-1482476501-839522115-1003_Classes\GoogleDrive.gsheet\shell\open\command
HKU\S-1-5-21-1993962763-1482476501-839522115-1003_Classes\GoogleDrive.gslides
HKU\S-1-5-21-1993962763-1482476501-839522115-1003_Classes\GoogleDrive.gslides\DefaultIcon
HKU\S-1-5-21-1993962763-1482476501-839522115-1003_Classes\GoogleDrive.gslides\shell
HKU\S-1-5-21-1993962763-1482476501-839522115-1003_Classes\GoogleDrive.gslides\shell\open
HKU\S-1-5-21-1993962763-1482476501-839522115-1003_Classes\GoogleDrive.gslides\shell\open\command
HKU\S-1-5-21-1993962763-1482476501-839522115-1003_Classes\GoogleDrive.gtable
HKU\S-1-5-21-1993962763-1482476501-839522115-1003_Classes\GoogleDrive.gtable\DefaultIcon
HKU\S-1-5-21-1993962763-1482476501-839522115-1003_Classes\GoogleDrive.gtable\shell
HKU\S-1-5-21-1993962763-1482476501-839522115-1003_Classes\GoogleDrive.gtable\shell\open
HKU\S-1-5-21-1993962763-1482476501-839522115-1003_Classes\GoogleDrive.gtable\shell\open\command

HKLM\SOFTWARE\Classes\CLSID\{25461599-633D-42B1-84FB-7CD68D026E53}\VersionIndependentProgID\: “GoogleUpdate.CredentialDialogMachine”
HKLM\SOFTWARE\Classes\CLSID\{25461599-633D-42B1-84FB-7CD68D026E53}\ProgID\: “GoogleUpdate.CredentialDialogMachine.1.0”
HKLM\SOFTWARE\Classes\CLSID\{25461599-633D-42B1-84FB-7CD68D026E53}\LocalServer32\: “”C:\Program Files\Google\Update\1.3.21.111\GoogleUpdateOnDemand.exe””
HKLM\SOFTWARE\Classes\CLSID\{25461599-633D-42B1-84FB-7CD68D026E53}\: “GoogleUpdate CredentialDialog”
HKLM\SOFTWARE\Classes\CLSID\{4AD5D8BA-976D-42BE-A47F-ADBC15F82D3C}\InprocHandler32\: “C:\Program Files\Google\Update\1.3.21.111\psmachine.dll”
HKLM\SOFTWARE\Classes\CLSID\{4AD5D8BA-976D-42BE-A47F-ADBC15F82D3C}\InprocHandler32\ThreadingModel: “Both”
HKLM\SOFTWARE\Classes\CLSID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}\VersionIndependentProgID\: “GoogleUpdate.Update3COMClassService”
HKLM\SOFTWARE\Classes\CLSID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}\ProgID\: “GoogleUpdate.Update3COMClassService.1.0”
HKLM\SOFTWARE\Classes\CLSID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}\: “Update3COMClass”
HKLM\SOFTWARE\Classes\CLSID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}\AppID: “{4EB61BAC-A3B6-4760-9581-655041EF4D69}”
HKLM\SOFTWARE\Classes\CLSID\{534F5323-3569-4F42-919D-1E1CF93E5BF6}\VersionIndependentProgID\: “GoogleUpdate.Update3WebSvc”
HKLM\SOFTWARE\Classes\CLSID\{534F5323-3569-4F42-919D-1E1CF93E5BF6}\ProgID\: “GoogleUpdate.Update3WebSvc.1.0”
HKLM\SOFTWARE\Classes\CLSID\{534F5323-3569-4F42-919D-1E1CF93E5BF6}\: “GoogleUpdate Update3Web”
HKLM\SOFTWARE\Classes\CLSID\{534F5323-3569-4F42-919D-1E1CF93E5BF6}\AppID: “{9465B4B4-5216-4042-9A2C-754D3BCDC410}”
HKLM\SOFTWARE\Classes\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}\VersionIndependentProgID\: “GoogleUpdate.Update3WebMachineFallback”
HKLM\SOFTWARE\Classes\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}\ProgID\: “GoogleUpdate.Update3WebMachineFallback.1.0”
HKLM\SOFTWARE\Classes\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}\LocalServer32\: “”C:\Program Files\Google\Update\1.3.21.111\GoogleUpdateOnDemand.exe””
HKLM\SOFTWARE\Classes\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}\Elevation\Enabled: 0x00000001
HKLM\SOFTWARE\Classes\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}\Elevation\IconReference: “@C:\Program Files\Google\Update\1.3.21.111\goopdate.dll,-1004”
HKLM\SOFTWARE\Classes\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}\: “GoogleUpdate Update3Web”
HKLM\SOFTWARE\Classes\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}\LocalizedString: “@C:\Program Files\Google\Update\1.3.21.111\goopdate.dll,-3000”
HKLM\SOFTWARE\Classes\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}\VersionIndependentProgID\: “GoogleUpdate.OnDemandCOMClassMachine”
HKLM\SOFTWARE\Classes\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}\ProgID\: “GoogleUpdate.OnDemandCOMClassMachine.1.0”
HKLM\SOFTWARE\Classes\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}\LocalServer32\: “”C:\Program Files\Google\Update\1.3.21.111\GoogleUpdateBroker.exe””
HKLM\SOFTWARE\Classes\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}\Elevation\Enabled: 0x00000001
HKLM\SOFTWARE\Classes\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}\Elevation\IconReference: “@C:\Program Files\Google\Update\1.3.21.111\goopdate.dll,-1004”
HKLM\SOFTWARE\Classes\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}\: “Google Update Broker Class Factory”
HKLM\SOFTWARE\Classes\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}\LocalizedString: “@C:\Program Files\Google\Update\1.3.21.111\goopdate.dll,-3000”
HKLM\SOFTWARE\Classes\CLSID\{7DE94008-8AFD-4C70-9728-C6FBFFF6A73E}\VersionIndependentProgID\: “GoogleUpdate.CoCreateAsync”
HKLM\SOFTWARE\Classes\CLSID\{7DE94008-8AFD-4C70-9728-C6FBFFF6A73E}\ProgID\: “GoogleUpdate.CoCreateAsync.1.0”
HKLM\SOFTWARE\Classes\CLSID\{7DE94008-8AFD-4C70-9728-C6FBFFF6A73E}\LocalServer32\: “”C:\Program Files\Google\Update\1.3.21.111\GoogleUpdateBroker.exe””
HKLM\SOFTWARE\Classes\CLSID\{7DE94008-8AFD-4C70-9728-C6FBFFF6A73E}\: “CoCreateAsync”
HKLM\SOFTWARE\Classes\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}\InProcServer32\: “C:\Program Files\Google\Drive\googledrivesync32.dll”
HKLM\SOFTWARE\Classes\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}\InProcServer32\ThreadingModel: “Apartment”
HKLM\SOFTWARE\Classes\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}\: “Google Drive Shell extension”
HKLM\SOFTWARE\Classes\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}\InProcServer32\: “C:\Program Files\Google\Drive\googledrivesync32.dll”
HKLM\SOFTWARE\Classes\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}\InProcServer32\ThreadingModel: “Apartment”
HKLM\SOFTWARE\Classes\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}\: “Google Drive Shell extension”
HKLM\SOFTWARE\Classes\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}\InProcServer32\: “C:\Program Files\Google\Drive\googledrivesync32.dll”
HKLM\SOFTWARE\Classes\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}\InProcServer32\ThreadingModel: “Apartment”
HKLM\SOFTWARE\Classes\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}\: “Google Drive Shell extension”
HKLM\SOFTWARE\Classes\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}\InProcServer32\: “C:\Program Files\Google\Drive\googledrivesync32.dll”
HKLM\SOFTWARE\Classes\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}\InProcServer32\ThreadingModel: “Apartment”
HKLM\SOFTWARE\Classes\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}\: “Google Drive Shell extension”
HKLM\SOFTWARE\Classes\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}\VersionIndependentProgID\: “GoogleUpdate.Update3WebMachine”
HKLM\SOFTWARE\Classes\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}\ProgID\: “GoogleUpdate.Update3WebMachine.1.0”
HKLM\SOFTWARE\Classes\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}\LocalServer32\: “”C:\Program Files\Google\Update\1.3.21.111\GoogleUpdateBroker.exe””
HKLM\SOFTWARE\Classes\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}\Elevation\Enabled: 0x00000001
HKLM\SOFTWARE\Classes\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}\Elevation\IconReference: “@C:\Program Files\Google\Update\1.3.21.111\goopdate.dll,-1004”
HKLM\SOFTWARE\Classes\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}\: “Google Update Broker Class Factory”
HKLM\SOFTWARE\Classes\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}\LocalizedString: “@C:\Program Files\Google\Update\1.3.21.111\goopdate.dll,-3000”
HKLM\SOFTWARE\Classes\CLSID\{9465B4B4-5216-4042-9A2C-754D3BCDC410}\VersionIndependentProgID\: “GoogleUpdate.OnDemandCOMClassSvc”
HKLM\SOFTWARE\Classes\CLSID\{9465B4B4-5216-4042-9A2C-754D3BCDC410}\ProgID\: “GoogleUpdate.OnDemandCOMClassSvc.1.0”
HKLM\SOFTWARE\Classes\CLSID\{9465B4B4-5216-4042-9A2C-754D3BCDC410}\: “Google Update Legacy On Demand”
HKLM\SOFTWARE\Classes\CLSID\{9465B4B4-5216-4042-9A2C-754D3BCDC410}\AppID: “{9465B4B4-5216-4042-9A2C-754D3BCDC410}”
HKLM\SOFTWARE\Classes\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}\VersionIndependentProgID\: “GoogleUpdate.CoreMachineClass”
HKLM\SOFTWARE\Classes\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}\ProgID\: “GoogleUpdate.CoreMachineClass.1”
HKLM\SOFTWARE\Classes\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}\LocalServer32\: “”C:\Program Files\Google\Update\1.3.21.111\GoogleUpdateOnDemand.exe””
HKLM\SOFTWARE\Classes\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}\Elevation\Enabled: 0x00000001
HKLM\SOFTWARE\Classes\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}\Elevation\IconReference: “@C:\Program Files\Google\Update\1.3.21.111\goopdate.dll,-1004”
HKLM\SOFTWARE\Classes\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}\: “Google Update Core Class”
HKLM\SOFTWARE\Classes\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}\LocalizedString: “@C:\Program Files\Google\Update\1.3.21.111\goopdate.dll,-3000”
HKLM\SOFTWARE\Classes\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}\InprocServer32\: “C:\Program Files\Google\Update\1.3.21.111\psmachine.dll”
HKLM\SOFTWARE\Classes\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}\InprocServer32\ThreadingModel: “Both”
HKLM\SOFTWARE\Classes\CLSID\{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}\VersionIndependentProgID\: “Google.OneClickProcessLauncherMachine”
HKLM\SOFTWARE\Classes\CLSID\{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}\ProgID\: “Google.OneClickProcessLauncherMachine.1.0”
HKLM\SOFTWARE\Classes\CLSID\{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}\LocalServer32\: “”C:\Program Files\Google\Update\1.3.21.111\GoogleUpdateBroker.exe””
HKLM\SOFTWARE\Classes\CLSID\{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}\: “Google.OneClickProcessLauncher”
HKLM\SOFTWARE\Classes\CLSID\{ABC01078-F197-4B0B-ADBC-CFE684B39C82}\VersionIndependentProgID\: “GoogleUpdate.ProcessLauncher”
HKLM\SOFTWARE\Classes\CLSID\{ABC01078-F197-4B0B-ADBC-CFE684B39C82}\ProgID\: “GoogleUpdate.ProcessLauncher.1.0”
HKLM\SOFTWARE\Classes\CLSID\{ABC01078-F197-4B0B-ADBC-CFE684B39C82}\LocalServer32\: “”C:\Program Files\Google\Update\1.3.21.111\GoogleUpdateOnDemand.exe””
HKLM\SOFTWARE\Classes\CLSID\{ABC01078-F197-4B0B-ADBC-CFE684B39C82}\: “Google Update Process Launcher Class”
HKLM\SOFTWARE\Classes\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}\VersionIndependentProgID\: “GoogleUpdate.OnDemandCOMClassMachineFallback”
HKLM\SOFTWARE\Classes\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}\ProgID\: “GoogleUpdate.OnDemandCOMClassMachineFallback.1.0”
HKLM\SOFTWARE\Classes\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}\LocalServer32\: “”C:\Program Files\Google\Update\1.3.21.111\GoogleUpdateOnDemand.exe””
HKLM\SOFTWARE\Classes\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}\Elevation\Enabled: 0x00000001
HKLM\SOFTWARE\Classes\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}\Elevation\IconReference: “@C:\Program Files\Google\Update\1.3.21.111\goopdate.dll,-1004”
HKLM\SOFTWARE\Classes\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}\: “Google Update Legacy On Demand”
HKLM\SOFTWARE\Classes\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}\LocalizedString: “@C:\Program Files\Google\Update\1.3.21.111\goopdate.dll,-3000”
HKLM\SOFTWARE\Classes\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\ProgID\: “Google.Update3WebControl.3”
HKLM\SOFTWARE\Classes\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\InprocServer32\: “C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll”
HKLM\SOFTWARE\Classes\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\InprocServer32\ThreadingModel: “Apartment”
HKLM\SOFTWARE\Classes\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\: “Google Update Plugin”
HKLM\SOFTWARE\Classes\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\ProgID\: “Google.OneClickCtrl.9”
HKLM\SOFTWARE\Classes\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\InprocServer32\: “C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll”
HKLM\SOFTWARE\Classes\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\InprocServer32\ThreadingModel: “Apartment”
HKLM\SOFTWARE\Classes\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\: “Google Update Plugin”
HKLM\SOFTWARE\Classes\CLSID\{E0730E95-4D82-4716-BF23-4F3AB3EF790D}\InProcServer32\: “C:\Program Files\Google\Update\1.3.21.111\psmachine.dll”
HKLM\SOFTWARE\Classes\CLSID\{E0730E95-4D82-4716-BF23-4F3AB3EF790D}\InProcServer32\ThreadingModel: “Both”
HKLM\SOFTWARE\Classes\CLSID\{E0730E95-4D82-4716-BF23-4F3AB3EF790D}\: “PSFactoryBuffer”
HKLM\SOFTWARE\Classes\CLSID\{E225E692-4B47-4777-9BED-4FD7FE257F0E}\VersionIndependentProgID\: “GoogleUpdate.CoreClass”
HKLM\SOFTWARE\Classes\CLSID\{E225E692-4B47-4777-9BED-4FD7FE257F0E}\ProgID\: “GoogleUpdate.CoreClass.1”
HKLM\SOFTWARE\Classes\CLSID\{E225E692-4B47-4777-9BED-4FD7FE257F0E}\: “Google Update Core Class”
HKLM\SOFTWARE\Classes\CLSID\{E225E692-4B47-4777-9BED-4FD7FE257F0E}\AppID: “{9465B4B4-5216-4042-9A2C-754D3BCDC410}”
HKLM\SOFTWARE\Classes\Installer\Features\5281A6F1F47442140961118674D148B7\GoogleDriveSync: “”
HKLM\SOFTWARE\Classes\Installer\Features\93BAD29AC2E44034A96BCB446EB8552E\Complete: “”
HKLM\SOFTWARE\Classes\Installer\Products\5281A6F1F47442140961118674D148B7\SourceList\Net\1: “C:\Program Files\Google\Update\Install\{D7F3AEF7-4BC5-4983-A5AF-E1B25064D94D}\”
HKLM\SOFTWARE\Classes\Installer\Products\5281A6F1F47442140961118674D148B7\SourceList\Media\1: “;”
HKLM\SOFTWARE\Classes\Installer\Products\5281A6F1F47442140961118674D148B7\SourceList\PackageName: “gsync.msi”
HKLM\SOFTWARE\Classes\Installer\Products\5281A6F1F47442140961118674D148B7\SourceList\LastUsedSource: “n;1;C:\Program Files\Google\Update\Install\{D7F3AEF7-4BC5-4983-A5AF-E1B25064D94D}\”
HKLM\SOFTWARE\Classes\Installer\Products\5281A6F1F47442140961118674D148B7\ProductName: “Google Drive”
HKLM\SOFTWARE\Classes\Installer\Products\5281A6F1F47442140961118674D148B7\PackageCode: “1D98BDEE05D181240AC61326179C69CA”
HKLM\SOFTWARE\Classes\Installer\Products\5281A6F1F47442140961118674D148B7\Language: 0x00000409
HKLM\SOFTWARE\Classes\Installer\Products\5281A6F1F47442140961118674D148B7\Version: 0x01020C33
HKLM\SOFTWARE\Classes\Installer\Products\5281A6F1F47442140961118674D148B7\Assignment: 0x00000001
HKLM\SOFTWARE\Classes\Installer\Products\5281A6F1F47442140961118674D148B7\AdvertiseFlags: 0x00000184
HKLM\SOFTWARE\Classes\Installer\Products\5281A6F1F47442140961118674D148B7\ProductIcon: “C:\WINDOWS\Installer\{1F6A1825-474F-4124-9016-1168471D847B}\DriveIcon”
HKLM\SOFTWARE\Classes\Installer\Products\5281A6F1F47442140961118674D148B7\InstanceType: 0x00000000
HKLM\SOFTWARE\Classes\Installer\Products\5281A6F1F47442140961118674D148B7\AuthorizedLUAApp: 0x00000000
HKLM\SOFTWARE\Classes\Installer\Products\5281A6F1F47442140961118674D148B7\Clients: ‘:’
HKLM\SOFTWARE\Classes\Installer\Products\93BAD29AC2E44034A96BCB446EB8552E\SourceList\Net\1: “C:\Program Files\Google\Update\1.3.21.111\”
HKLM\SOFTWARE\Classes\Installer\Products\93BAD29AC2E44034A96BCB446EB8552E\SourceList\Media\1: “;”
HKLM\SOFTWARE\Classes\Installer\Products\93BAD29AC2E44034A96BCB446EB8552E\SourceList\PackageName: “GoogleUpdateHelper.msi”
HKLM\SOFTWARE\Classes\Installer\Products\93BAD29AC2E44034A96BCB446EB8552E\SourceList\LastUsedSource: “n;1;C:\Program Files\Google\Update\1.3.21.111\”
HKLM\SOFTWARE\Classes\Installer\Products\93BAD29AC2E44034A96BCB446EB8552E\ProductName: “Google Update Helper”
HKLM\SOFTWARE\Classes\Installer\Products\93BAD29AC2E44034A96BCB446EB8552E\PackageCode: “B3F59421B85A8E143AD1AFD59FFD1016”
HKLM\SOFTWARE\Classes\Installer\Products\93BAD29AC2E44034A96BCB446EB8552E\Language: 0x00000409
HKLM\SOFTWARE\Classes\Installer\Products\93BAD29AC2E44034A96BCB446EB8552E\Version: 0x01030015
HKLM\SOFTWARE\Classes\Installer\Products\93BAD29AC2E44034A96BCB446EB8552E\Assignment: 0x00000001
HKLM\SOFTWARE\Classes\Installer\Products\93BAD29AC2E44034A96BCB446EB8552E\AdvertiseFlags: 0x00000184
HKLM\SOFTWARE\Classes\Installer\Products\93BAD29AC2E44034A96BCB446EB8552E\InstanceType: 0x00000000
HKLM\SOFTWARE\Classes\Installer\Products\93BAD29AC2E44034A96BCB446EB8552E\AuthorizedLUAApp: 0x00000000
HKLM\SOFTWARE\Classes\Installer\Products\93BAD29AC2E44034A96BCB446EB8552E\Clients: ‘:’
HKLM\SOFTWARE\Classes\Installer\UpgradeCodes\DBFF5159BA0409649B38F48A1EE47E5F\93BAD29AC2E44034A96BCB446EB8552E: “”
HKLM\SOFTWARE\Classes\Installer\UpgradeCodes\FB7EA8B9DDE3A0B48A2BB7CED13E83EA\5281A6F1F47442140961118674D148B7: “”
HKLM\SOFTWARE\Classes\Interface\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}\ProxyStubClsid32\: “{E0730E95-4D82-4716-BF23-4F3AB3EF790D}”
HKLM\SOFTWARE\Classes\Interface\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}\NumMethods\: “10”
HKLM\SOFTWARE\Classes\Interface\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}\: “IAppVersionWeb”
HKLM\SOFTWARE\Classes\Interface\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}\ProxyStubClsid32\: “{E0730E95-4D82-4716-BF23-4F3AB3EF790D}”
HKLM\SOFTWARE\Classes\Interface\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}\NumMethods\: “6”
HKLM\SOFTWARE\Classes\Interface\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}\: “IProcessLauncher”
HKLM\SOFTWARE\Classes\Interface\{1C642CED-CA3B-4013-A9DF-CA6CE5FF6503}\ProxyStubClsid32\: “{E0730E95-4D82-4716-BF23-4F3AB3EF790D}”
HKLM\SOFTWARE\Classes\Interface\{1C642CED-CA3B-4013-A9DF-CA6CE5FF6503}\NumMethods\: “9”
HKLM\SOFTWARE\Classes\Interface\{1C642CED-CA3B-4013-A9DF-CA6CE5FF6503}\: “IProgressWndEvents”
HKLM\SOFTWARE\Classes\Interface\{247954F9-9EDC-4E68-8CC3-150C2B89EADF}\ProxyStubClsid32\: “{E0730E95-4D82-4716-BF23-4F3AB3EF790D}”
HKLM\SOFTWARE\Classes\Interface\{247954F9-9EDC-4E68-8CC3-150C2B89EADF}\NumMethods\: “24”
HKLM\SOFTWARE\Classes\Interface\{247954F9-9EDC-4E68-8CC3-150C2B89EADF}\: “ICurrentState”
HKLM\SOFTWARE\Classes\Interface\{2D363682-561D-4C3A-81C6-F2F82107562A}\ProxyStubClsid32\: “{E0730E95-4D82-4716-BF23-4F3AB3EF790D}”
HKLM\SOFTWARE\Classes\Interface\{2D363682-561D-4C3A-81C6-F2F82107562A}\NumMethods\: “4”
HKLM\SOFTWARE\Classes\Interface\{2D363682-561D-4C3A-81C6-F2F82107562A}\: “IGoogleUpdate3WebSecurity”
HKLM\SOFTWARE\Classes\Interface\{2E629606-312A-482F-9B12-2C4ABF6F0B6D}\ProxyStubClsid32\: “{E0730E95-4D82-4716-BF23-4F3AB3EF790D}”
HKLM\SOFTWARE\Classes\Interface\{2E629606-312A-482F-9B12-2C4ABF6F0B6D}\NumMethods\: “10”
HKLM\SOFTWARE\Classes\Interface\{2E629606-312A-482F-9B12-2C4ABF6F0B6D}\: “ICoCreateAsyncStatus”
HKLM\SOFTWARE\Classes\Interface\{31AC3F11-E5EA-4A85-8A3D-8E095A39C27B}\ProxyStubClsid32\: “{E0730E95-4D82-4716-BF23-4F3AB3EF790D}”
HKLM\SOFTWARE\Classes\Interface\{31AC3F11-E5EA-4A85-8A3D-8E095A39C27B}\NumMethods\: “5”
HKLM\SOFTWARE\Classes\Interface\{31AC3F11-E5EA-4A85-8A3D-8E095A39C27B}\: “IGoogleUpdate”
HKLM\SOFTWARE\Classes\Interface\{494B20CF-282E-4BDD-9F5D-B70CB09D351E}\ProxyStubClsid32\: “{E0730E95-4D82-4716-BF23-4F3AB3EF790D}”
HKLM\SOFTWARE\Classes\Interface\{494B20CF-282E-4BDD-9F5D-B70CB09D351E}\NumMethods\: “8”
HKLM\SOFTWARE\Classes\Interface\{494B20CF-282E-4BDD-9F5D-B70CB09D351E}\: “IGoogleUpdate3Web”
HKLM\SOFTWARE\Classes\Interface\{49D7563B-2DDB-4831-88C8-768A53833837}\ProxyStubClsid32\: “{E0730E95-4D82-4716-BF23-4F3AB3EF790D}”
HKLM\SOFTWARE\Classes\Interface\{49D7563B-2DDB-4831-88C8-768A53833837}\NumMethods\: “13”
HKLM\SOFTWARE\Classes\Interface\{49D7563B-2DDB-4831-88C8-768A53833837}\: “IJobObserver”
HKLM\SOFTWARE\Classes\Interface\{4E223325-C16B-4EEB-AEDC-19AA99A237FA}\ProxyStubClsid32\: “{E0730E95-4D82-4716-BF23-4F3AB3EF790D}”
HKLM\SOFTWARE\Classes\Interface\{4E223325-C16B-4EEB-AEDC-19AA99A237FA}\NumMethods\: “8”
HKLM\SOFTWARE\Classes\Interface\{4E223325-C16B-4EEB-AEDC-19AA99A237FA}\: “IRegistrationUpdateHook”
HKLM\SOFTWARE\Classes\Interface\{5B25A8DC-1780-4178-A629-6BE8B8DEFAA2}\ProxyStubClsid32\: “{E0730E95-4D82-4716-BF23-4F3AB3EF790D}”
HKLM\SOFTWARE\Classes\Interface\{5B25A8DC-1780-4178-A629-6BE8B8DEFAA2}\NumMethods\: “4”
HKLM\SOFTWARE\Classes\Interface\{5B25A8DC-1780-4178-A629-6BE8B8DEFAA2}\: “IBrowserHttpRequest2”
HKLM\SOFTWARE\Classes\Interface\{5CCCB0EF-7073-4516-8028-4C628D0C8AAB}\ProxyStubClsid32\: “{E0730E95-4D82-4716-BF23-4F3AB3EF790D}”
HKLM\SOFTWARE\Classes\Interface\{5CCCB0EF-7073-4516-8028-4C628D0C8AAB}\NumMethods\: “4”
HKLM\SOFTWARE\Classes\Interface\{5CCCB0EF-7073-4516-8028-4C628D0C8AAB}\: “IOneClickProcessLauncher”
HKLM\SOFTWARE\Classes\Interface\{6DB17455-4E85-46E7-9D23-E555E4B005AF}\ProxyStubClsid32\: “{E0730E95-4D82-4716-BF23-4F3AB3EF790D}”
HKLM\SOFTWARE\Classes\Interface\{6DB17455-4E85-46E7-9D23-E555E4B005AF}\NumMethods\: “10”
HKLM\SOFTWARE\Classes\Interface\{6DB17455-4E85-46E7-9D23-E555E4B005AF}\: “IGoogleUpdate3”
HKLM\SOFTWARE\Classes\Interface\{909489C2-85A6-4322-AA56-D25278649D67}\ProxyStubClsid32\: “{E0730E95-4D82-4716-BF23-4F3AB3EF790D}”
HKLM\SOFTWARE\Classes\Interface\{909489C2-85A6-4322-AA56-D25278649D67}\NumMethods\: “4”
HKLM\SOFTWARE\Classes\Interface\{909489C2-85A6-4322-AA56-D25278649D67}\: “IGoogleUpdateCore”
HKLM\SOFTWARE\Classes\Interface\{B3A47570-0A85-4AEA-8270-529D47899603}\ProxyStubClsid32\: “{E0730E95-4D82-4716-BF23-4F3AB3EF790D}”
HKLM\SOFTWARE\Classes\Interface\{B3A47570-0A85-4AEA-8270-529D47899603}\NumMethods\: “4”
HKLM\SOFTWARE\Classes\Interface\{B3A47570-0A85-4AEA-8270-529D47899603}\: “ICredentialDialog”
HKLM\SOFTWARE\Classes\Interface\{BCDCB538-01C0-46D1-A6A7-52F4D021C272}\ProxyStubClsid32\: “{E0730E95-4D82-4716-BF23-4F3AB3EF790D}”
HKLM\SOFTWARE\Classes\Interface\{BCDCB538-01C0-46D1-A6A7-52F4D021C272}\NumMethods\: “10”
HKLM\SOFTWARE\Classes\Interface\{BCDCB538-01C0-46D1-A6A7-52F4D021C272}\: “IAppVersion”
HKLM\SOFTWARE\Classes\Interface\{C6398F88-69CE-44AC-B6A7-1D3E2AA46679}\ProxyStubClsid32\: “{E0730E95-4D82-4716-BF23-4F3AB3EF790D}”
HKLM\SOFTWARE\Classes\Interface\{C6398F88-69CE-44AC-B6A7-1D3E2AA46679}\NumMethods\: “14”
HKLM\SOFTWARE\Classes\Interface\{C6398F88-69CE-44AC-B6A7-1D3E2AA46679}\: “IAppWeb”
HKLM\SOFTWARE\Classes\Interface\{D999CE21-98B3-4894-BACB-A49A1D50848F}\ProxyStubClsid32\: “{E0730E95-4D82-4716-BF23-4F3AB3EF790D}”
HKLM\SOFTWARE\Classes\Interface\{D999CE21-98B3-4894-BACB-A49A1D50848F}\NumMethods\: “40”
HKLM\SOFTWARE\Classes\Interface\{D999CE21-98B3-4894-BACB-A49A1D50848F}\: “IApp”
HKLM\SOFTWARE\Classes\Interface\{DAB1D343-1B2A-47F9-B445-93DC50704BFE}\ProxyStubClsid32\: “{E0730E95-4D82-4716-BF23-4F3AB3EF790D}”
HKLM\SOFTWARE\Classes\Interface\{DAB1D343-1B2A-47F9-B445-93DC50704BFE}\NumMethods\: “4”
HKLM\SOFTWARE\Classes\Interface\{DAB1D343-1B2A-47F9-B445-93DC50704BFE}\: “ICoCreateAsync”
HKLM\SOFTWARE\Classes\Interface\{DCAB8386-4F03-4DBD-A366-D90BC9F68DE6}\ProxyStubClsid32\: “{E0730E95-4D82-4716-BF23-4F3AB3EF790D}”
HKLM\SOFTWARE\Classes\Interface\{DCAB8386-4F03-4DBD-A366-D90BC9F68DE6}\NumMethods\: “10”
HKLM\SOFTWARE\Classes\Interface\{DCAB8386-4F03-4DBD-A366-D90BC9F68DE6}\: “IPackage”
HKLM\SOFTWARE\Classes\Interface\{DD42475D-6D46-496A-924E-BD5630B4CBBA}\ProxyStubClsid32\: “{E0730E95-4D82-4716-BF23-4F3AB3EF790D}”
HKLM\SOFTWARE\Classes\Interface\{DD42475D-6D46-496A-924E-BD5630B4CBBA}\NumMethods\: “24”
HKLM\SOFTWARE\Classes\Interface\{DD42475D-6D46-496A-924E-BD5630B4CBBA}\: “IAppBundleWeb”
HKLM\SOFTWARE\Classes\Interface\{FE908CDD-22BB-472A-9870-1A0390E42F36}\ProxyStubClsid32\: “{E0730E95-4D82-4716-BF23-4F3AB3EF790D}”
HKLM\SOFTWARE\Classes\Interface\{FE908CDD-22BB-472A-9870-1A0390E42F36}\NumMethods\: “41”
HKLM\SOFTWARE\Classes\Interface\{FE908CDD-22BB-472A-9870-1A0390E42F36}\: “IAppBundle”
HKLM\SOFTWARE\Classes\MIME\Database\Content Type\application/x-vnd.google.oneclickctrl.9\CLSID: “{C442AC41-9200-4770-8CC0-7CDB4F245C55}”
HKLM\SOFTWARE\Classes\MIME\Database\Content Type\application/x-vnd.google.update3webcontrol.3\CLSID: “{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}”
HKLM\SOFTWARE\Classes\Google.OneClickCtrl.9\CLSID\: “{C442AC41-9200-4770-8CC0-7CDB4F245C55}”
HKLM\SOFTWARE\Classes\Google.OneClickCtrl.9\: “Google Update Plugin”
HKLM\SOFTWARE\Classes\Google.OneClickProcessLauncherMachine\CurVer\: “Google.OneClickProcessLauncherMachine.1.0”
HKLM\SOFTWARE\Classes\Google.OneClickProcessLauncherMachine\CLSID\: “{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}”
HKLM\SOFTWARE\Classes\Google.OneClickProcessLauncherMachine\: “Google.OneClickProcessLauncher”
HKLM\SOFTWARE\Classes\Google.OneClickProcessLauncherMachine.1.0\CLSID\: “{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}”
HKLM\SOFTWARE\Classes\Google.OneClickProcessLauncherMachine.1.0\: “Google.OneClickProcessLauncher”
HKLM\SOFTWARE\Classes\Google.Update3WebControl.3\CLSID\: “{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}”
HKLM\SOFTWARE\Classes\Google.Update3WebControl.3\: “Google Update Plugin”
HKLM\SOFTWARE\Classes\GoogleUpdate.CoCreateAsync\CurVer\: “GoogleUpdate.CoCreateAsync.1.0”
HKLM\SOFTWARE\Classes\GoogleUpdate.CoCreateAsync\CLSID\: “{7DE94008-8AFD-4C70-9728-C6FBFFF6A73E}”
HKLM\SOFTWARE\Classes\GoogleUpdate.CoCreateAsync\: “CoCreateAsync”
HKLM\SOFTWARE\Classes\GoogleUpdate.CoCreateAsync.1.0\CLSID\: “{7DE94008-8AFD-4C70-9728-C6FBFFF6A73E}”
HKLM\SOFTWARE\Classes\GoogleUpdate.CoCreateAsync.1.0\: “CoCreateAsync”
HKLM\SOFTWARE\Classes\GoogleUpdate.CoreClass\CurVer\: “GoogleUpdate.CoreClass.1”
HKLM\SOFTWARE\Classes\GoogleUpdate.CoreClass\CLSID\: “{E225E692-4B47-4777-9BED-4FD7FE257F0E}”
HKLM\SOFTWARE\Classes\GoogleUpdate.CoreClass\: “Google Update Core Class”
HKLM\SOFTWARE\Classes\GoogleUpdate.CoreClass.1\CLSID\: “{E225E692-4B47-4777-9BED-4FD7FE257F0E}”
HKLM\SOFTWARE\Classes\GoogleUpdate.CoreClass.1\: “Google Update Core Class”
HKLM\SOFTWARE\Classes\GoogleUpdate.CoreMachineClass\CurVer\: “GoogleUpdate.CoreMachineClass.1”
HKLM\SOFTWARE\Classes\GoogleUpdate.CoreMachineClass\CLSID\: “{9B2340A0-4068-43D6-B404-32E27217859D}”
HKLM\SOFTWARE\Classes\GoogleUpdate.CoreMachineClass\: “Google Update Core Class”
HKLM\SOFTWARE\Classes\GoogleUpdate.CoreMachineClass.1\CLSID\: “{9B2340A0-4068-43D6-B404-32E27217859D}”
HKLM\SOFTWARE\Classes\GoogleUpdate.CoreMachineClass.1\: “Google Update Core Class”
HKLM\SOFTWARE\Classes\GoogleUpdate.CredentialDialogMachine\CurVer\: “GoogleUpdate.CredentialDialogMachine.1.0”
HKLM\SOFTWARE\Classes\GoogleUpdate.CredentialDialogMachine\CLSID\: “{25461599-633D-42B1-84FB-7CD68D026E53}”
HKLM\SOFTWARE\Classes\GoogleUpdate.CredentialDialogMachine\: “GoogleUpdate CredentialDialog”
HKLM\SOFTWARE\Classes\GoogleUpdate.CredentialDialogMachine.1.0\CLSID\: “{25461599-633D-42B1-84FB-7CD68D026E53}”
HKLM\SOFTWARE\Classes\GoogleUpdate.CredentialDialogMachine.1.0\: “GoogleUpdate CredentialDialog”
HKLM\SOFTWARE\Classes\GoogleUpdate.OnDemandCOMClassMachine\CurVer\: “GoogleUpdate.OnDemandCOMClassMachine.1.0”
HKLM\SOFTWARE\Classes\GoogleUpdate.OnDemandCOMClassMachine\CLSID\: “{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}”
HKLM\SOFTWARE\Classes\GoogleUpdate.OnDemandCOMClassMachine\: “Google Update Broker Class Factory”
HKLM\SOFTWARE\Classes\GoogleUpdate.OnDemandCOMClassMachine.1.0\CLSID\: “{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}”
HKLM\SOFTWARE\Classes\GoogleUpdate.OnDemandCOMClassMachine.1.0\: “Google Update Broker Class Factory”
HKLM\SOFTWARE\Classes\GoogleUpdate.OnDemandCOMClassMachineFallback\CurVer\: “GoogleUpdate.OnDemandCOMClassMachineFallback.1.0”
HKLM\SOFTWARE\Classes\GoogleUpdate.OnDemandCOMClassMachineFallback\CLSID\: “{B3D28DBD-0DFA-40E4-8071-520767BADC7E}”
HKLM\SOFTWARE\Classes\GoogleUpdate.OnDemandCOMClassMachineFallback\: “Google Update Legacy On Demand”
HKLM\SOFTWARE\Classes\GoogleUpdate.OnDemandCOMClassMachineFallback.1.0\CLSID\: “{B3D28DBD-0DFA-40E4-8071-520767BADC7E}”
HKLM\SOFTWARE\Classes\GoogleUpdate.OnDemandCOMClassMachineFallback.1.0\: “Google Update Legacy On Demand”
HKLM\SOFTWARE\Classes\GoogleUpdate.OnDemandCOMClassSvc\CurVer\: “GoogleUpdate.OnDemandCOMClassSvc.1.0”
HKLM\SOFTWARE\Classes\GoogleUpdate.OnDemandCOMClassSvc\CLSID\: “{9465B4B4-5216-4042-9A2C-754D3BCDC410}”
HKLM\SOFTWARE\Classes\GoogleUpdate.OnDemandCOMClassSvc\: “Google Update Legacy On Demand”
HKLM\SOFTWARE\Classes\GoogleUpdate.OnDemandCOMClassSvc.1.0\CLSID\: “{9465B4B4-5216-4042-9A2C-754D3BCDC410}”
HKLM\SOFTWARE\Classes\GoogleUpdate.OnDemandCOMClassSvc.1.0\: “Google Update Legacy On Demand”
HKLM\SOFTWARE\Classes\GoogleUpdate.ProcessLauncher\CurVer\: “GoogleUpdate.ProcessLauncher.1.0”
HKLM\SOFTWARE\Classes\GoogleUpdate.ProcessLauncher\CLSID\: “{ABC01078-F197-4B0B-ADBC-CFE684B39C82}”
HKLM\SOFTWARE\Classes\GoogleUpdate.ProcessLauncher\: “Google Update Process Launcher Class”
HKLM\SOFTWARE\Classes\GoogleUpdate.ProcessLauncher.1.0\CLSID\: “{ABC01078-F197-4B0B-ADBC-CFE684B39C82}”
HKLM\SOFTWARE\Classes\GoogleUpdate.ProcessLauncher.1.0\: “Google Update Process Launcher Class”
HKLM\SOFTWARE\Classes\GoogleUpdate.Update3COMClassService\CurVer\: “GoogleUpdate.Update3COMClassService.1.0”
HKLM\SOFTWARE\Classes\GoogleUpdate.Update3COMClassService\CLSID\: “{4EB61BAC-A3B6-4760-9581-655041EF4D69}”
HKLM\SOFTWARE\Classes\GoogleUpdate.Update3COMClassService\: “Update3COMClass”
HKLM\SOFTWARE\Classes\GoogleUpdate.Update3COMClassService.1.0\CLSID\: “{4EB61BAC-A3B6-4760-9581-655041EF4D69}”
HKLM\SOFTWARE\Classes\GoogleUpdate.Update3COMClassService.1.0\: “Update3COMClass”
HKLM\SOFTWARE\Classes\GoogleUpdate.Update3WebMachine\CurVer\: “GoogleUpdate.Update3WebMachine.1.0”
HKLM\SOFTWARE\Classes\GoogleUpdate.Update3WebMachine\CLSID\: “{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}”
HKLM\SOFTWARE\Classes\GoogleUpdate.Update3WebMachine\: “Google Update Broker Class Factory”
HKLM\SOFTWARE\Classes\GoogleUpdate.Update3WebMachine.1.0\CLSID\: “{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}”
HKLM\SOFTWARE\Classes\GoogleUpdate.Update3WebMachine.1.0\: “Google Update Broker Class Factory”
HKLM\SOFTWARE\Classes\GoogleUpdate.Update3WebMachineFallback\CurVer\: “GoogleUpdate.Update3WebMachineFallback.1.0”
HKLM\SOFTWARE\Classes\GoogleUpdate.Update3WebMachineFallback\CLSID\: “{598FE0E5-E02D-465D-9A9D-37974A28FD42}”
HKLM\SOFTWARE\Classes\GoogleUpdate.Update3WebMachineFallback\: “GoogleUpdate Update3Web”
HKLM\SOFTWARE\Classes\GoogleUpdate.Update3WebMachineFallback.1.0\CLSID\: “{598FE0E5-E02D-465D-9A9D-37974A28FD42}”
HKLM\SOFTWARE\Classes\GoogleUpdate.Update3WebMachineFallback.1.0\: “GoogleUpdate Update3Web”
HKLM\SOFTWARE\Classes\GoogleUpdate.Update3WebSvc\CurVer\: “GoogleUpdate.Update3WebSvc.1.0”
HKLM\SOFTWARE\Classes\GoogleUpdate.Update3WebSvc\CLSID\: “{534F5323-3569-4F42-919D-1E1CF93E5BF6}”
HKLM\SOFTWARE\Classes\GoogleUpdate.Update3WebSvc\: “GoogleUpdate Update3Web”
HKLM\SOFTWARE\Classes\GoogleUpdate.Update3WebSvc.1.0\CLSID\: “{534F5323-3569-4F42-919D-1E1CF93E5BF6}”
HKLM\SOFTWARE\Classes\GoogleUpdate.Update3WebSvc.1.0\: “GoogleUpdate Update3Web”
HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}\CLSID: “{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}”
HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{AAD4AE2E-D834-46D4-8B09-490FAC9C722B}\Policy: 0x00000003
HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\AppName: “GoogleUpdateBroker.exe”
HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\AppPath: “C:\Program Files\Google\Update\1.3.21.111”
HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\Policy: 0x00000003
HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\AppName: “GoogleUpdate.exe”
HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\AppPath: “C:\Program Files\Google\Update”
HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\Policy: 0x00000003
HKLM\SOFTWARE\Microsoft\SchedulingAgent\LastTaskRun: DC 07 06 00 02 00 1A 00 16 00 2B 00 01 00 00 00

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\GDriveBlacklistedOverlay\: “{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}”
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\GDriveSharedOverlay\: “{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}”
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\GDriveSyncedOverlay\: “{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}”
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\GDriveSyncingOverlay\: “{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}”
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\C:\Program Files\Google\Drive\: “”
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\C:\Documents and Settings\All Users\Start Menu\Programs\Google Drive\: “”
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\C:\WINDOWS\Installer\{1F6A1825-474F-4124-9016-1168471D847B}\: “”
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\DBFF5159BA0409649B38F48A1EE47E5F\93BAD29AC2E44034A96BCB446EB8552E: “”
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\FB7EA8B9DDE3A0B48A2BB7CED13E83EA\5281A6F1F47442140961118674D148B7: “”
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\31147057103B8FC40BC00441A364B1E9\5281A6F1F47442140961118674D148B7: “02:\Software\Google\Drive\InstallLocation”
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\696B2AABC05D0E11D8D98044844210B9\5281A6F1F47442140961118674D148B7: “”
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\9507B717889AF294FAB1CD7FB08E90BA\93BAD29AC2E44034A96BCB446EB8552E: “02:\SOFTWARE\Google\Update\MsiStubRun”
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\9719419FE6AD44144B828FFA74467B4C\5281A6F1F47442140961118674D148B7: “02:\Software\Google\Update\Clients\{3C122445-AECE-4309-90B7-85A6AEF42AC0}\pv”
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\CD5429927288CB546839F6191C48B96B\5281A6F1F47442140961118674D148B7: “01:\Software\Google\Drive\Installed”
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\DC2B796210505EB4B8D7F0D0961CE138\5281A6F1F47442140961118674D148B7: “01:\Software\Google\Drive\Installed”
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\ED128963B05D0E1199E00524844210B9\5281A6F1F47442140961118674D148B7: “C:\Program Files\Google\Drive\googledrivesync32.dll”
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\5281A6F1F47442140961118674D148B7\Patches\AllPatches: “”
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\5281A6F1F47442140961118674D148B7\InstallProperties\LocalPackage: “C:\WINDOWS\Installer\480de6.msi”
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\5281A6F1F47442140961118674D148B7\InstallProperties\AuthorizedCDFPrefix: “”
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\5281A6F1F47442140961118674D148B7\InstallProperties\Comments: “”
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\5281A6F1F47442140961118674D148B7\InstallProperties\Contact: “”
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\5281A6F1F47442140961118674D148B7\InstallProperties\DisplayVersion: “1.2.3123.250”
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\5281A6F1F47442140961118674D148B7\InstallProperties\HelpLink: “http://www.google.com”
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\5281A6F1F47442140961118674D148B7\InstallProperties\HelpTelephone: “http://www.google.com”
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\5281A6F1F47442140961118674D148B7\InstallProperties\InstallDate: “20120626”
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\5281A6F1F47442140961118674D148B7\InstallProperties\InstallLocation: “”
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\5281A6F1F47442140961118674D148B7\InstallProperties\InstallSource: “C:\Program Files\Google\Update\Install\{D7F3AEF7-4BC5-4983-A5AF-E1B25064D94D}\”
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\5281A6F1F47442140961118674D148B7\InstallProperties\ModifyPath: “MsiExec.exe /X{1F6A1825-474F-4124-9016-1168471D847B}”
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\5281A6F1F47442140961118674D148B7\InstallProperties\NoModify: 0x00000001
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\5281A6F1F47442140961118674D148B7\InstallProperties\NoRepair: 0x00000001
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\5281A6F1F47442140961118674D148B7\InstallProperties\Publisher: “Google, Inc.”
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\5281A6F1F47442140961118674D148B7\InstallProperties\Readme: “”
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\5281A6F1F47442140961118674D148B7\InstallProperties\Size: “”
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\5281A6F1F47442140961118674D148B7\InstallProperties\EstimatedSize: 0x0000307B
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\5281A6F1F47442140961118674D148B7\InstallProperties\UninstallString: “MsiExec.exe /X{1F6A1825-474F-4124-9016-1168471D847B}”
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\5281A6F1F47442140961118674D148B7\InstallProperties\URLInfoAbout: “http://www.google.com”
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\5281A6F1F47442140961118674D148B7\InstallProperties\URLUpdateInfo: “http://www.google.com”
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\5281A6F1F47442140961118674D148B7\InstallProperties\VersionMajor: 0x00000001
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\5281A6F1F47442140961118674D148B7\InstallProperties\VersionMinor: 0x00000002
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\5281A6F1F47442140961118674D148B7\InstallProperties\WindowsInstaller: 0x00000001
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\5281A6F1F47442140961118674D148B7\InstallProperties\Version: 0x01020C33
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\5281A6F1F47442140961118674D148B7\InstallProperties\Language: 0x00000409
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\5281A6F1F47442140961118674D148B7\InstallProperties\DisplayName: “Google Drive”
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\5281A6F1F47442140961118674D148B7\Features\GoogleDriveSync: “N5*]Mxxjg@5+6S)c0AnZLbNV5P4Kh(c2ZB9,lVnY!`b}dQ4Kh(JF[r9,lVnYA{Z’yLM)}8XU@WaP?)7h[0cF1*M-K=CN0hVlz^ccg&BJ0`CFI@Mtl4’Jr’0R”
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\93BAD29AC2E44034A96BCB446EB8552E\Patches\AllPatches: “”
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\93BAD29AC2E44034A96BCB446EB8552E\InstallProperties\LocalPackage: “C:\WINDOWS\Installer\480de0.msi”
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\93BAD29AC2E44034A96BCB446EB8552E\InstallProperties\AuthorizedCDFPrefix: “”
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\93BAD29AC2E44034A96BCB446EB8552E\InstallProperties\Comments: “”
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\93BAD29AC2E44034A96BCB446EB8552E\InstallProperties\Contact: “”
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\93BAD29AC2E44034A96BCB446EB8552E\InstallProperties\DisplayVersion: “1.3.21.111”
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\93BAD29AC2E44034A96BCB446EB8552E\InstallProperties\HelpLink: “”
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\93BAD29AC2E44034A96BCB446EB8552E\InstallProperties\HelpTelephone: “”
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\93BAD29AC2E44034A96BCB446EB8552E\InstallProperties\InstallDate: “20120626”
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\93BAD29AC2E44034A96BCB446EB8552E\InstallProperties\InstallLocation: “”
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\93BAD29AC2E44034A96BCB446EB8552E\InstallProperties\InstallSource: “C:\Program Files\Google\Update\1.3.21.111\”
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\93BAD29AC2E44034A96BCB446EB8552E\InstallProperties\ModifyPath: “MsiExec.exe /I{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}”
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\93BAD29AC2E44034A96BCB446EB8552E\InstallProperties\Publisher: “Google Inc.”
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\93BAD29AC2E44034A96BCB446EB8552E\InstallProperties\Readme: “”
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\93BAD29AC2E44034A96BCB446EB8552E\InstallProperties\Size: “”
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\93BAD29AC2E44034A96BCB446EB8552E\InstallProperties\EstimatedSize: 0x0000001C
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\93BAD29AC2E44034A96BCB446EB8552E\InstallProperties\SystemComponent: 0x00000001
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\93BAD29AC2E44034A96BCB446EB8552E\InstallProperties\UninstallString: “MsiExec.exe /I{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}”
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\93BAD29AC2E44034A96BCB446EB8552E\InstallProperties\URLInfoAbout: “”
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\93BAD29AC2E44034A96BCB446EB8552E\InstallProperties\URLUpdateInfo: “”
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\93BAD29AC2E44034A96BCB446EB8552E\InstallProperties\VersionMajor: 0x00000001
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\93BAD29AC2E44034A96BCB446EB8552E\InstallProperties\VersionMinor: 0x00000003
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\93BAD29AC2E44034A96BCB446EB8552E\InstallProperties\WindowsInstaller: 0x00000001
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\93BAD29AC2E44034A96BCB446EB8552E\InstallProperties\Version: 0x01030015
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\93BAD29AC2E44034A96BCB446EB8552E\InstallProperties\Language: 0x00000409
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\93BAD29AC2E44034A96BCB446EB8552E\InstallProperties\DisplayName: “Google Update Helper”

HKLM\SYSTEM\ControlSet001\Services\gupdate\Type: 0x00000010
HKLM\SYSTEM\ControlSet001\Services\gupdate\Start: 0x00000002
HKLM\SYSTEM\ControlSet001\Services\gupdate\ErrorControl: 0x00000001
HKLM\SYSTEM\ControlSet001\Services\gupdate\ImagePath: “”C:\Program Files\Google\Update\GoogleUpdate.exe” /svc”
HKLM\SYSTEM\ControlSet001\Services\gupdate\DisplayName: “Google Update Service (gupdate)”
HKLM\SYSTEM\ControlSet001\Services\gupdate\DependOnService: ‘RPCSS’
HKLM\SYSTEM\ControlSet001\Services\gupdate\DependOnGroup: 00
HKLM\SYSTEM\ControlSet001\Services\gupdate\ObjectName: “LocalSystem”
HKLM\SYSTEM\ControlSet001\Services\gupdate\Description: “Keeps your Google software up to date. If this service is disabled or stopped, your Google software will not be kept up to date, meaning security vulnerabilities that may arise cannot be fixed and features may not work. This service uninstalls itself when there is no Google software using it.”

HKU\S-1-5-21-1993962763-1482476501-839522115-1003\Software\Classes\.gdoc\: “GoogleDrive.gdoc”
HKU\S-1-5-21-1993962763-1482476501-839522115-1003\Software\Classes\.gdraw\: “GoogleDrive.gdraw”
HKU\S-1-5-21-1993962763-1482476501-839522115-1003\Software\Classes\.gform\: “GoogleDrive.gform”
HKU\S-1-5-21-1993962763-1482476501-839522115-1003\Software\Classes\.glink\: “GoogleDrive.glink”
HKU\S-1-5-21-1993962763-1482476501-839522115-1003\Software\Classes\.gsheet\: “GoogleDrive.gsheet”
HKU\S-1-5-21-1993962763-1482476501-839522115-1003\Software\Classes\.gslides\: “GoogleDrive.gslides”
HKU\S-1-5-21-1993962763-1482476501-839522115-1003\Software\Classes\.gtable\: “GoogleDrive.gtable”
HKU\S-1-5-21-1993962763-1482476501-839522115-1003\Software\Classes\GoogleDrive.gdoc\shell\open\command\: “”C:\Program Files\Google\Drive\googledrivesync.exe” –file=”%1″”
HKU\S-1-5-21-1993962763-1482476501-839522115-1003\Software\Classes\GoogleDrive.gdoc\DefaultIcon\: “C:\Program Files\Google\Drive\googledrivesync.exe,-1”
HKU\S-1-5-21-1993962763-1482476501-839522115-1003\Software\Classes\GoogleDrive.gdoc\: “Google document”
HKU\S-1-5-21-1993962763-1482476501-839522115-1003\Software\Classes\GoogleDrive.gdraw\shell\open\command\: “”C:\Program Files\Google\Drive\googledrivesync.exe” –file=”%1″”
HKU\S-1-5-21-1993962763-1482476501-839522115-1003\Software\Classes\GoogleDrive.gdraw\DefaultIcon\: “C:\Program Files\Google\Drive\googledrivesync.exe,-2”
HKU\S-1-5-21-1993962763-1482476501-839522115-1003\Software\Classes\GoogleDrive.gdraw\: “Google drawing”
HKU\S-1-5-21-1993962763-1482476501-839522115-1003\Software\Classes\GoogleDrive.gform\shell\open\command\: “”C:\Program Files\Google\Drive\googledrivesync.exe” –file=”%1″”
HKU\S-1-5-21-1993962763-1482476501-839522115-1003\Software\Classes\GoogleDrive.gform\DefaultIcon\: “C:\Program Files\Google\Drive\googledrivesync.exe,-3”
HKU\S-1-5-21-1993962763-1482476501-839522115-1003\Software\Classes\GoogleDrive.gform\: “Google form”
HKU\S-1-5-21-1993962763-1482476501-839522115-1003\Software\Classes\GoogleDrive.glink\shell\open\command\: “”C:\Program Files\Google\Drive\googledrivesync.exe” –file=”%1″”
HKU\S-1-5-21-1993962763-1482476501-839522115-1003\Software\Classes\GoogleDrive.glink\DefaultIcon\: “C:\Program Files\Google\Drive\googledrivesync.exe,-4”
HKU\S-1-5-21-1993962763-1482476501-839522115-1003\Software\Classes\GoogleDrive.glink\: “Google Drive link”
HKU\S-1-5-21-1993962763-1482476501-839522115-1003\Software\Classes\GoogleDrive.gsheet\shell\open\command\: “”C:\Program Files\Google\Drive\googledrivesync.exe” –file=”%1″”
HKU\S-1-5-21-1993962763-1482476501-839522115-1003\Software\Classes\GoogleDrive.gsheet\DefaultIcon\: “C:\Program Files\Google\Drive\googledrivesync.exe,-5”
HKU\S-1-5-21-1993962763-1482476501-839522115-1003\Software\Classes\GoogleDrive.gsheet\: “Google spreadsheet”
HKU\S-1-5-21-1993962763-1482476501-839522115-1003\Software\Classes\GoogleDrive.gslides\shell\open\command\: “”C:\Program Files\Google\Drive\googledrivesync.exe” –file=”%1″”
HKU\S-1-5-21-1993962763-1482476501-839522115-1003\Software\Classes\GoogleDrive.gslides\DefaultIcon\: “C:\Program Files\Google\Drive\googledrivesync.exe,-6”
HKU\S-1-5-21-1993962763-1482476501-839522115-1003\Software\Classes\GoogleDrive.gslides\: “Google presentation”
HKU\S-1-5-21-1993962763-1482476501-839522115-1003\Software\Classes\GoogleDrive.gtable\shell\open\command\: “”C:\Program Files\Google\Drive\googledrivesync.exe” –file=”%1″”
HKU\S-1-5-21-1993962763-1482476501-839522115-1003\Software\Classes\GoogleDrive.gtable\DefaultIcon\: “C:\Program Files\Google\Drive\googledrivesync.exe,-7”
HKU\S-1-5-21-1993962763-1482476501-839522115-1003\Software\Classes\GoogleDrive.gtable\: “Google table”
HKU\S-1-5-21-1993962763-1482476501-839522115-1003\Software\Google\Update\ClientState\{3C122445-AECE-4309-90B7-85A6AEF42AC0}\dr: “0”
HKU\S-1-5-21-1993962763-1482476501-839522115-1003\Software\Google\Update\proxy\source: “direct”
HKU\S-1-5-21-1993962763-1482476501-839522115-1003\Software\Google\Drive\Installed: “True”
HKU\S-1-5-21-1993962763-1482476501-839522115-1003\Software\Google\Drive\OAuthToken: “xuNPWQPf/0WVf+24HY5jhJ/vMZrescsTk+ZBYzZi6zm/x4nr3wGqolr1GPiwi/mmf+IR/xvqmCI9IrHQ1p7B2QXSgwAfc7vaErDrTDcn+0UfbvoWwxjNZLtZ7WDPIFPLTPHIrOxNLYsCzY3v1PVSqCnDptSBxKP/eZhLjYrAerv+0Rqdt+fJbgGLlJrdYZBCyW91AAt4cqzSSqb7HXGc8eRXc7s6Gyct3LVt6uVwYZAqnxeZuKuSeUTVRVP0eVv7ksFQPicKOBur1hPsBi0/Jr/fryMfpTrHCFjzeRH5R+5c1LQQ07NweMf0SQ+IYqIbNzfM2bemp……………………………………”
HKU\S-1-5-21-1993962763-1482476501-839522115-1003_Classes\.gdoc\: “GoogleDrive.gdoc”
HKU\S-1-5-21-1993962763-1482476501-839522115-1003_Classes\.gdraw\: “GoogleDrive.gdraw”
HKU\S-1-5-21-1993962763-1482476501-839522115-1003_Classes\.gform\: “GoogleDrive.gform”
HKU\S-1-5-21-1993962763-1482476501-839522115-1003_Classes\.glink\: “GoogleDrive.glink”
HKU\S-1-5-21-1993962763-1482476501-839522115-1003_Classes\.gsheet\: “GoogleDrive.gsheet”
HKU\S-1-5-21-1993962763-1482476501-839522115-1003_Classes\.gslides\: “GoogleDrive.gslides”
HKU\S-1-5-21-1993962763-1482476501-839522115-1003_Classes\.gtable\: “GoogleDrive.gtable”
HKU\S-1-5-21-1993962763-1482476501-839522115-1003_Classes\GoogleDrive.gdoc\shell\open\command\: “”C:\Program Files\Google\Drive\googledrivesync.exe” –file=”%1″”
HKU\S-1-5-21-1993962763-1482476501-839522115-1003_Classes\GoogleDrive.gdoc\DefaultIcon\: “C:\Program Files\Google\Drive\googledrivesync.exe,-1”
HKU\S-1-5-21-1993962763-1482476501-839522115-1003_Classes\GoogleDrive.gdoc\: “Google document”
HKU\S-1-5-21-1993962763-1482476501-839522115-1003_Classes\GoogleDrive.gdraw\shell\open\command\: “”C:\Program Files\Google\Drive\googledrivesync.exe” –file=”%1″”
HKU\S-1-5-21-1993962763-1482476501-839522115-1003_Classes\GoogleDrive.gdraw\DefaultIcon\: “C:\Program Files\Google\Drive\googledrivesync.exe,-2”
HKU\S-1-5-21-1993962763-1482476501-839522115-1003_Classes\GoogleDrive.gdraw\: “Google drawing”
HKU\S-1-5-21-1993962763-1482476501-839522115-1003_Classes\GoogleDrive.gform\shell\open\command\: “”C:\Program Files\Google\Drive\googledrivesync.exe” –file=”%1″”
HKU\S-1-5-21-1993962763-1482476501-839522115-1003_Classes\GoogleDrive.gform\DefaultIcon\: “C:\Program Files\Google\Drive\googledrivesync.exe,-3”
HKU\S-1-5-21-1993962763-1482476501-839522115-1003_Classes\GoogleDrive.gform\: “Google form”
HKU\S-1-5-21-1993962763-1482476501-839522115-1003_Classes\GoogleDrive.glink\shell\open\command\: “”C:\Program Files\Google\Drive\googledrivesync.exe” –file=”%1″”
HKU\S-1-5-21-1993962763-1482476501-839522115-1003_Classes\GoogleDrive.glink\DefaultIcon\: “C:\Program Files\Google\Drive\googledrivesync.exe,-4”
HKU\S-1-5-21-1993962763-1482476501-839522115-1003_Classes\GoogleDrive.glink\: “Google Drive link”
HKU\S-1-5-21-1993962763-1482476501-839522115-1003_Classes\GoogleDrive.gsheet\shell\open\command\: “”C:\Program Files\Google\Drive\googledrivesync.exe” –file=”%1″”
HKU\S-1-5-21-1993962763-1482476501-839522115-1003_Classes\GoogleDrive.gsheet\DefaultIcon\: “C:\Program Files\Google\Drive\googledrivesync.exe,-5”
HKU\S-1-5-21-1993962763-1482476501-839522115-1003_Classes\GoogleDrive.gsheet\: “Google spreadsheet”
HKU\S-1-5-21-1993962763-1482476501-839522115-1003_Classes\GoogleDrive.gslides\shell\open\command\: “”C:\Program Files\Google\Drive\googledrivesync.exe” –file=”%1″”
HKU\S-1-5-21-1993962763-1482476501-839522115-1003_Classes\GoogleDrive.gslides\DefaultIcon\: “C:\Program Files\Google\Drive\googledrivesync.exe,-6”
HKU\S-1-5-21-1993962763-1482476501-839522115-1003_Classes\GoogleDrive.gslides\: “Google presentation”
HKU\S-1-5-21-1993962763-1482476501-839522115-1003_Classes\GoogleDrive.gtable\shell\open\command\: “”C:\Program Files\Google\Drive\googledrivesync.exe” –file=”%1″”
HKU\S-1-5-21-1993962763-1482476501-839522115-1003_Classes\GoogleDrive.gtable\DefaultIcon\: “C:\Program Files\Google\Drive\googledrivesync.exe,-7”
HKU\S-1-5-21-1993962763-1482476501-839522115-1003_Classes\GoogleDrive.gtable\: “Google table”

Google Drive sync folder:
C:\Documents and Settings\[username]\My Documents\Google Drive

Google Drive sync executable folder:
C:\Program Files\Google\Drive\googledrivesync.exe

Google Update executable folder:
C:\Program Files\Google\Update\GoogleUpdate.exe

http://googleblog.blogspot.com/2012/04/introducing-google-drive-yes-really.html

Regshot, ProcessHacker

Network particulars:

Google Drive connects to Google servers via SSL (TCP 443) encrypted. You are likely to see multiple googlesyncdrive.exe (pid) connected out.

googledrivesync.exe (pid1), computer.here.xxx >> ord08s05-in-f6.1e100.net, 443, TCP, Established
googledrivesync.exe (pid2), computer.here.xxx >> ord08s05-in-f6.1e100.net, 443, TCP, Established

Dumping the memory will allow you see the Google Account used for syncing.

Cloud-based Forensic Artifacts: Mozy Home and Mozy Stash

Posted by:  /  Tags: , , ,

Author Name
Frank McClain

Artifact Name
Client Application Artifacts

Artifact/Program Version
Mozy Home 2.12, Mozy Stash 0.11

Description
Mozy is known for its online backup service. It’s recently added synchronization via Stash (still in beta). Runs on Windows, Mac, iOS, and Android.

A sample of artifacts from the installation and use of Mozy Home 2.12 and Mozy Stash 0.11 on a system. This is not exhaustive, but intended to serve as an example of the types of evidence/data that can be found.

Registry Keys
\Software\Mozy Inc, \ControlSet001\Enum\Root\LEGACY_MOZYFILTER\0000

File Locations
Application Data Files: Program Files\MozyHome\Data
AppData\Local\Stash

Application Executable Files: Program Files\MozyHome – MozyBackup.exe, MozyStat.exe
Program Files (x86)\Mozy\Stash – Stash.exe

Sync/Backup Files: Any
%User%\Stash

Files of Interest

cache.dat, changes.dat, filter_raw.log.1, local_backup.dat, manifest.dat, mozy.log, resume.dat, scancache.dat, state.dat, metrics.dat, Stash.log, state.dat

Research Links
http://forensicaliente.blogspot.com/2012/07/sans-dfir-summit-2012-thoughts-links.html

Forensic Programs of Use
ProcessHacker – http://processhacker.sourceforge.net/
CurrPorts – http://www.nirsoft.net/utils/cports.html
Wireshark – http://www.wireshark.org/
FileInfo – http://www.gaijin.at/en/dlfileinfo.php
RegShot – http://sourceforge.net/projects/regshot/
Registry Decoder – http://www.digitalforensicssolutions.com/registrydecoder/
NetWitness Investigator – http://netwitness.com/products-services/investigator-freeware
Notepad++ – http://notepad-plus-plus.org/
SQLiteDBBrowser – http://sqlitebrowser.sourceforge.net/
HxD – http://mh-nexus.de/en/hxd/
HEX Editor – http://www.mitec.cz/hex.html
Encoder – http://www.woanware.co.uk/?page_id=82
DCode – http://www.digital-detective.co.uk/freetools/decode.asp
DbVisualizer – http://www.dbvis.com/
TrID – http://mark0.net/soft-trid-e.html
File – http://gnuwin32.sourceforge.net/packages/file.htm

 

Cloud-based Forensic Artifacts: Carbonite

Posted by:  /  Tags: , ,

Author Name
Frank McClain

Artifact Name
Client Application Artifacts

Artifact/Program Version
Carbonite 5.2

Description
Online backup storage solution. Runs on Windows, Mac, iPhone, Android, and Blackberry. No synchronization, or collaboration, but you can share files via email (at least from mobile devices).

A sample of artifacts from the installation and use of Carbonite 5.2 on a system. This is not exhaustive, but intended to serve as an example of the types of evidence/data that can be found.

Registry Keys
\Classes\Applications\CarboniteUI.exe
\ControlSet001\Services\EventLog\Application\CarboniteService

File Locations
Application Data Files: ProgramData\Carbonite

Application Executable Files: Program Files (x86)\Carbonite\Carbonite Backup\ – CarboniteUI.exe

Sync/Backup Files: Any, User-Defined, File Type

Files of Interest

Carbonite.log, CarboniteConfig.dat, CarboniteDelta.dat, CarboniteFiles.dat, CarboniteNSE.log, CarbonitePossibleUpgrade.exe, CarboniteRestores.dat, CarboniteUI.log, CarboniteVersions.dat

Research Links
http://forensicaliente.blogspot.com/2012/07/sans-dfir-summit-2012-thoughts-links.html

Forensic Programs of Use
ProcessHacker – http://processhacker.sourceforge.net/
CurrPorts – http://www.nirsoft.net/utils/cports.html
Wireshark – http://www.wireshark.org/
FileInfo – http://www.gaijin.at/en/dlfileinfo.php
RegShot – http://sourceforge.net/projects/regshot/
Registry Decoder – http://www.digitalforensicssolutions.com/registrydecoder/
NetWitness Investigator – http://netwitness.com/products-services/investigator-freeware
Notepad++ – http://notepad-plus-plus.org/
SQLiteDBBrowser – http://sqlitebrowser.sourceforge.net/
HxD – http://mh-nexus.de/en/hxd/
HEX Editor – http://www.mitec.cz/hex.html
Encoder – http://www.woanware.co.uk/?page_id=82
DCode – http://www.digital-detective.co.uk/freetools/decode.asp
DbVisualizer – http://www.dbvis.com/
TrID – http://mark0.net/soft-trid-e.html
File – http://gnuwin32.sourceforge.net/packages/file.htm

 

Cloud-based Forensic Artifacts: ADrive

Posted by:  /  Tags: , ,

Author Name
Frank McClain

Artifact Name
Client Application Artifacts

Artifact/Program Version
ADrive 1.5

Description
Provides backup, synchronization, and sharing on Windows, Mac, Linux, and Android. Provides the ability to use FTP, remote file transfer (from other sites directly to your account), collaboration, concurrent logins, and online editing (via Zoho).

Paid versions offer SSL (not available with free), FTP up/down, 16GB file transfers, remote transfer (internet to internet).
Free version can only be used through browser, no local client, w/50GB!
ADrive Desktop (local client) is written in AdobeAIR.

A sample of artifacts from the installation and use of ADrive 1.5 on a system. This is not exhaustive, but intended to serve as an example of the types of evidence/data that can be found.

Registry Keys
\Wow6432Node\Microsoft\Tracing\ADrive Desktop_RASAPI32
\Software\COMODO\Firewall Pro\Configurations\0\firewall\Policy\1

File Locations
Application Data Files: AppData\Roaming\com.adrive.ADriveDesktop.9E1195EE779B0F966F518632F3A0F64E53222DC6.1

Application Executable Files: Program Files (x86)\ADrive Desktop\ – ADrive Desktop.exe

Sync/Backup Files: Any, User-Defined, File Type

Files of Interest

Adrive.db, install.log (Adobe AIR)

Research Links
http://forensicaliente.blogspot.com/2012/07/sans-dfir-summit-2012-thoughts-links.html

Forensic Programs of Use
ProcessHacker – http://processhacker.sourceforge.net/
CurrPorts – http://www.nirsoft.net/utils/cports.html
Wireshark – http://www.wireshark.org/
FileInfo – http://www.gaijin.at/en/dlfileinfo.php
RegShot – http://sourceforge.net/projects/regshot/
Registry Decoder – http://www.digitalforensicssolutions.com/registrydecoder/
NetWitness Investigator – http://netwitness.com/products-services/investigator-freeware
Notepad++ – http://notepad-plus-plus.org/
SQLiteDBBrowser – http://sqlitebrowser.sourceforge.net/
HxD – http://mh-nexus.de/en/hxd/
HEX Editor – http://www.mitec.cz/hex.html
Encoder – http://www.woanware.co.uk/?page_id=82
DCode – http://www.digital-detective.co.uk/freetools/decode.asp
DbVisualizer – http://www.dbvis.com/
TrID – http://mark0.net/soft-trid-e.html
File – http://gnuwin32.sourceforge.net/packages/file.htm

 

Cloud-based Forensic Artifacts: TeamDrive

Posted by:  /  Tags: , ,

Author Name
Frank McClain

Artifact Name
Client Application Artifacts

Artifact/Program Version
TeamDrive 2.4

Description
Synchronize files to the cloud and other designated computers. Backup functionality provided through automated synchronization to cloud. Rather than sharing, provides for collaboration on files. Runs on Windows, Mac, and Linux.

Can sync to their cloud, or your own server.

A sample of artifacts from the installation and use of TeamDrive 2.4 on a system. This is not exhaustive, but intended to serve as an example of the types of evidence/data that can be found.

Registry Keys
\Software\Trolltech\OrganizationDefaults\Qt Factory Cache 4.7\com.trolltech.Qt.QTextCodecFactoryInterface:\C:\Program Files (x86)\TeamDrive2.0
\ControlSet001\Services\EventLog\Application\MySQL
\ControlSet002\Services\EventLog\Application\MySQL

File Locations
Application Data Files: AppData\Roaming\TeamDrive

Application Executable Files: Program Files (x86)\TeamDrive2.0\ – TeamDrive2.exe, TeamDrive2Database.exe

Sync/Backup Files: %User%\TeamDrive Spaces

Files of Interest

WebDAVSettings.xml, DirWatcher_log.log, FileWatcher_log.log, log.log, old_20120513_162655_logs.zip, general_log.CSV, slow_log.CSV, db.opt, username_TeamDrive_13.05.2012.pss, Default_username.sakh, desktop.ini, target.lnk

Research Links
http://forensicaliente.blogspot.com/2012/07/sans-dfir-summit-2012-thoughts-links.html

Forensic Programs of Use
ProcessHacker – http://processhacker.sourceforge.net/
CurrPorts – http://www.nirsoft.net/utils/cports.html
Wireshark – http://www.wireshark.org/
FileInfo – http://www.gaijin.at/en/dlfileinfo.php
RegShot – http://sourceforge.net/projects/regshot/
Registry Decoder – http://www.digitalforensicssolutions.com/registrydecoder/
NetWitness Investigator – http://netwitness.com/products-services/investigator-freeware
Notepad++ – http://notepad-plus-plus.org/
SQLiteDBBrowser – http://sqlitebrowser.sourceforge.net/
HxD – http://mh-nexus.de/en/hxd/
HEX Editor – http://www.mitec.cz/hex.html
Encoder – http://www.woanware.co.uk/?page_id=82
DCode – http://www.digital-detective.co.uk/freetools/decode.asp
DbVisualizer – http://www.dbvis.com/
TrID – http://mark0.net/soft-trid-e.html
File – http://gnuwin32.sourceforge.net/packages/file.htm

 

Cloud-based Forensic Artifacts: SpiderOak

Posted by:  /  Tags: , ,

Author Name
Frank McClain

Artifact Name
Client Application Artifacts

Artifact/Program Version
SpiderOak 4.4

Description
Cloud-based backup, synchronization, and sharing platform. You can set up and schedule backups of different directories or file types, synchronize files to designated computers, and share with others. Runs on Windows, Mac, Linux, iOS, Android, and Maemo (N900).

A sample of artifacts from the installation and use of SpiderOak 4.4 on a system. This is not exhaustive, but intended to serve as an example of the types of evidence/data that can be found.

Registry Keys
\Software\COMODO\Firewall Pro\Configurations\0\firewall\Policy\34

File Locations
Application Data Files: AppData\Roaming\SpiderOak

Application Executable Files: Program Files (x86)\SpiderOak\ – SpiderOak.exe, windows_dir_watcher.exe

Sync/Backup Files: Any, User-Defined, File Type

Files of Interest

1336254748.22.port, config.dat, config.txt, device_1a.dat, device_2a.dat, dirhash.db, downloads.db, exclude.txt, fs_queue.db, local.dat, oak_20120505145242.log, oak_20120505165227.log, prefs.dat, snapshot.db, Spider_20120505145242.log, Spider_20120505165227.log, Test-skipfilter.db, test.db, test.log, tss_external_orphans_fixed_pandora_sqliite_database, tss_external_orphans_fixed_snapshot.db

Research Links
http://forensicaliente.blogspot.com/2012/07/sans-dfir-summit-2012-thoughts-links.html

Forensic Programs of Use
ProcessHacker – http://processhacker.sourceforge.net/
CurrPorts – http://www.nirsoft.net/utils/cports.html
Wireshark – http://www.wireshark.org/
FileInfo – http://www.gaijin.at/en/dlfileinfo.php
RegShot – http://sourceforge.net/projects/regshot/
Registry Decoder – http://www.digitalforensicssolutions.com/registrydecoder/
NetWitness Investigator – http://netwitness.com/products-services/investigator-freeware
Notepad++ – http://notepad-plus-plus.org/
SQLiteDBBrowser – http://sqlitebrowser.sourceforge.net/
HxD – http://mh-nexus.de/en/hxd/
HEX Editor – http://www.mitec.cz/hex.html
Encoder – http://www.woanware.co.uk/?page_id=82
DCode – http://www.digital-detective.co.uk/freetools/decode.asp
DbVisualizer – http://www.dbvis.com/
TrID – http://mark0.net/soft-trid-e.html
File – http://gnuwin32.sourceforge.net/packages/file.htm