Time is not synchronizing
I can't configure time synchronization on the DC from an external source.
The time service itself runs; it can be stopped and started. Code:
C:\Windows\System32>w32tm /monitor
w32tm /query /status and w32tm /query /status do not run. Code:
The following error occurred: Access is denied. (0x80070005)

Quote:
how do they differ from each other? :o

To start with, try re-registering the time service.
Code:
w32tm /unregister
Code:
w32tm /register
Also show the result of:
Code:
reg query HKLM\SYSTEM\CurrentControlSet\Services\W32Time

It should be w32tm /resync
Code:
C:\Windows\System32>w32tm /unregister

Quote:
Registry branches don't just disappear, and importing registry branches is no panacea. But yes, it needs investigating. Run the file check, and meanwhile I'll post the permissions on the registry key for you. Code:
PS C:\Windows\system32> Get-Acl -Path HKLM:\SYSTEM\CurrentControlSet\Services\W32Time | Format-List

Ran sfc /scannow. I'll post the results here.
PS: which parameter should dism be run with?

Quote:
Code:
dism /online /cleanup-image /scanhealth

sfc results
Code:
C:\Windows\System32>sfc /scannow
Code:
C:\Windows\System32>dism /online /cleanup-image /scanhealth
Fresh dism.log:
Quote:
It's possible the system itself isn't in as good a shape as you think. Maybe it has some history you're not mentioning? Instead of this excerpt, attach the contents of the directory: Code:
C:\Windows\Logs\CBS\
And is your %Temp% the standard one, or has it been relocated somewhere? And what about Code:
C:\Users\ADMINI~1\AppData\Local\Temp\
UPD: As an option, to rule out a possible problem with the %Temp% directory, use the parameter: Code:
/ScratchDir - Specifies the path to the temporary files directory.

CBS directory
Code:
C:\Windows\System32>dir C:\Windows\Logs\CBS\
Code:
C:\Windows\System32>dir %temp%
About /ScratchDir, it's not quite clear which command to use it with? The history isn't good. Two years ago there was a ransomware attack. The server was shut down. The broken Windows was restored, and all the main, major glitches were fixed. After that, all the updates taken from the simplix site were applied to Windows. What remains is small stuff, which I'm knocking out as time and energy allow. Sensibly, it would be simpler to forget all this and reinstall Windows from scratch. But there's a ton of stuff running on this Windows and I don't want to sit up nights. I'd like to go in and fix the failing components one by one. The access permissions are interesting because there are other glitches too, for example very slow user logon to the domain if the account isn't cached on the workstation.

sfc.exe wasn't running because of the antivirus. I disabled it and ran it again. ...32%

Quote:
Quote:
Quote:
Code:
dism /online /cleanup-image /scanhealth /ScratchDir:c:\1
Quote:
Quote:
Quote:
Quote:
Code:
icacls.exe %Temp%

Attachments: 1
Quote:

Attachments: 1
Quote:
Code:
C:\Windows\System32>sfc /scannow

Quote:

Quote:
Quote:
Quote:
And yes, I've already repeated it twice, here's the third time: the contents of the directory! And here there's only this, which also needs to be fixed: Code:
2022-11-08 13:31:18, Info CSI 000000de [SR] Cannot repair member file [l:18{9}]"csrss.exe" of Microsoft-Windows-Csrss, Version = 6.1.7600.16385, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, file cannot be checked

Quote:
Quote:
done Code:
C:\Windows\System32>dism /online /cleanup-image /scanhealth
CheckSUR.log Code:
=================================
Quote:
Code:
C:\Windows\System32>dir c:\Windows\Logs\CBS\

Quote:
Quote:
Quote:
Quote:
And as the saying goes, "there's no use waving your fists after the fight". Why exactly are you using it right now, while restoring the system? You should first restore the system and only then protect it. Or are you doing all of this in an infected system / while under a real, active attack?

The attack was long ago. I wrote that: about two years ago. Now everything is restored and works normally, but with errors. Exclusions are configured in the antivirus, but sometimes I forget to disable it. I'm now doing everything with protection disabled.
Ran the command. The registry branch appeared. Quote:

Quote:
Nobody tries to configure a system in an environment that is "hostile" to it, an environment with restrictions! Quote:
+ Don't forget about restoring the system files.

so far like this
The service doesn't start. Added the LOCAL SERVICE user to the w32time registry branch Code:
C:\Windows\System32>w32tm /monitor

Quote:
Quote:
Quote:
Quote:
Googling suggests this, try it: system error 1290 after register w32time service

Quote:
Did everything again. Code:
C:\Windows\System32>w32tm /unregister
Code:
PS C:\Users\Administrator> Get-Acl -Path HKLM:\SYSTEM\CurrentControlSet\Services\W32Time | Format-List
Put "...svchost.exe -k NetworkService" instead of "...svchost.exe -k tapisrv" and reboot the server. Info from the article:
2. Locate the following registry subkey, and then click it:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TapiSrv
3. In the details pane, right-click ImagePath, and then click Modify.
4. In the Value data box, type the following registry value, and then click OK: %SystemRoot%\System32\svchost.exe -k NetworkService
Note: If NetworkService does not appear in the %SystemRoot%\System32\svchost.exe -k NetworkService registry value, the problem that is described in the "Symptoms" section may occur.
5. Exit Registry Editor, and then restart the computer.

I also read that port 123 should be in the listening state. Mine isn't listening.
Please make sure that the account that you use to run the command "w32tm /resync /computer:client1" is a member of the group Administrators on the client1 machine.
If the account is a member of the group Administrators, I suggest checking:
· The state of the port 123 is LISTENING.
· The status of Server service is started.
· Open the local group policy editor to ensure that the SERVICE account has the User Right Assignment for "Impersonate a Client After Authentication". (Computer Configuration\Windows Settings\Security Setting\Local Policies\User Right Assignment)
In addition, please logon client1 with this account and run the command "w32tm /resync" to check the result.

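The checks the posts above walk through one at a time (the account and svchost group the service is configured with, the ACEs on the W32Time registry key, whether anything is bound to UDP/123, and the w32tm exit code) collected in one read-only PowerShell script. This is an added example, not code from the thread or from any poster; it assumes Windows Server 2008 R2 with PowerShell 2.0 and an elevated console, and the list of expected identities is an assumption to adjust to your own baseline.

```powershell
# Added read-only diagnostic (not from the thread): gathers the checks the posts
# above go through one by one. Assumptions: Windows Server 2008 R2 (OS 6.1.7601 in
# the logs), PowerShell 2.0 or later, run from an elevated console.

$svcName = 'W32Time'
$keyPath = "HKLM:\SYSTEM\CurrentControlSet\Services\$svcName"
# Identities that normally hold Allow ACEs on the key. LOCAL SERVICE is the one the
# thread adds by hand; the list itself is an assumption, adjust to your baseline.
$expectedIdentities = @('NT AUTHORITY\SYSTEM', 'NT AUTHORITY\LOCAL SERVICE', 'NT SERVICE\W32Time')

function Get-W32TimeServiceState {
    # Service state plus the account and svchost group it is configured to use
    # (error 1290 at start is a sign that the account and the -k group disagree).
    $svc = Get-WmiObject Win32_Service -Filter "Name='$svcName'"
    if ($svc -eq $null) { return $null }
    New-Object PSObject -Property @{
        Name      = $svc.Name
        State     = $svc.State
        StartMode = $svc.StartMode
        StartName = $svc.StartName
        PathName  = $svc.PathName
    }
}

function Get-W32TimeKeyAccess {
    # One row per ACE on the W32Time key, so a missing grant is visible at a glance.
    if (-not (Test-Path $keyPath)) { return @() }
    $acl = Get-Acl -Path $keyPath
    foreach ($ace in $acl.Access) {
        New-Object PSObject -Property @{
            Identity  = $ace.IdentityReference.Value
            Rights    = $ace.RegistryRights.ToString()
            Type      = $ace.AccessControlType.ToString()
            Inherited = $ace.IsInherited
        }
    }
}

function Test-W32TimeKeyGrants {
    # Does each expected identity have at least one Allow ACE on the key?
    $aces = @(Get-W32TimeKeyAccess)
    foreach ($id in $expectedIdentities) {
        $hits = @($aces | Where-Object { $_.Identity -eq $id -and $_.Type -eq 'Allow' })
        $rights = ''
        if ($hits.Count -gt 0) { $rights = ($hits | ForEach-Object { $_.Rights }) -join ', ' }
        New-Object PSObject -Property @{
            Identity = $id
            HasAllow = ($hits.Count -gt 0)
            Rights   = $rights
        }
    }
}

function Get-NtpListeners {
    # Who is bound to UDP/123. netstat is parsed because Get-NetUDPEndpoint does not
    # exist on 2008 R2. No rows means the NTP server side of W32Time is not up.
    $lines = @(netstat -ano -p udp 2>$null)
    foreach ($line in $lines) {
        if ($line -match '^\s*UDP\s+(\S+:123)\s+\S+\s+(\d+)\s*$') {
            $ownerPid = [int]$matches[2]
            $proc = Get-WmiObject Win32_Process -Filter "ProcessId=$ownerPid"
            $procName = '?'
            if ($proc -ne $null) { $procName = $proc.Name }
            New-Object PSObject -Property @{
                LocalAddress = $matches[1]
                OwningPid    = $ownerPid
                Process      = $procName
            }
        }
    }
}

'=== W32Time service ==='
Get-W32TimeServiceState | Format-List Name, State, StartMode, StartName, PathName
'=== ACEs on the W32Time key ==='
Get-W32TimeKeyAccess | Format-Table Identity, Rights, Type, Inherited -AutoSize
'=== Expected grants present? ==='
Test-W32TimeKeyGrants | Format-Table Identity, HasAllow, Rights -AutoSize
'=== UDP/123 listeners ==='
$ntp = @(Get-NtpListeners)
if ($ntp.Count -eq 0) { 'none: nothing is bound to UDP/123' }
else { $ntp | Format-Table LocalAddress, OwningPid, Process -AutoSize }
'=== w32tm /query /status ==='
& w32tm.exe /query /status
"w32tm exit code: $LASTEXITCODE"
```

The script changes nothing; compare its ACE table against the Get-Acl output already posted in the thread, and treat an empty UDP/123 table together with a non-zero w32tm exit code as the two symptoms to chase first.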
Quote:
Quote:
Quote:
First you should get the service working correctly, and only then configure it; Quote:
Quote:
Quote:
Also show the results of:
Code:
reg query HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters
Code:
reg query HKLM\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient
Code:
reg query HKLM\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer
Quote:
Quote:

Attachments: 1
Code:
C:\Windows\System32>reg query HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters
Quote:
Set up filters for procmon and monitored execution of the command C:\Windows\System32>w32tm /query /status Code:
The following error occurred: Access is denied. (0x80070005)
CSV file (beginning):
"17:09:31.3861713","w32tm.exe","10892","RegOpenKey","HKLM\System\CurrentControlSet\Control\SafeBoot\ Option","NAME NOT FOUND","Desired Access: Query Value, Set Value" "17:09:31.3862105","w32tm.exe","10892","RegOpenKey","HKLM\System\CurrentControlSet\Control\Srp\GP\DL L","REPARSE","Desired Access: Read" "17:09:31.3862310","w32tm.exe","10892","RegOpenKey","HKLM\System\CurrentControlSet\Control\Srp\GP\DL L","NAME NOT FOUND","Desired Access: Read" "17:09:31.3862511","w32tm.exe","10892","RegOpenKey","HKLM\Software\Policies\Microsoft\Windows\Safer\ CodeIdentifiers","SUCCESS","Desired Access: Query Value" "17:09:31.3862733","w32tm.exe","10892","RegQueryValue","HKLM\SOFTWARE\Policies\Microsoft\Windows\saf er\codeidentifiers\TransparentEnabled","NAME NOT FOUND","Length: 80" "17:09:31.3862890","w32tm.exe","10892","RegCloseKey","HKLM\SOFTWARE\Policies\Microsoft\Windows\safer \codeidentifiers","SUCCESS","" "17:09:31.3863215","w32tm.exe","10892","RegOpenKey","HKCU\Software\Policies\Microsoft\Windows\Safer\ CodeIdentifiers","NAME NOT FOUND","Desired Access: Query Value" "17:09:31.3864584","w32tm.exe","10892","Load Image","C:\Windows\System32\advapi32.dll","SUCCESS","Image Base: 0x7fefeb00000, Image Size: 0xdb000" "17:09:31.3866543","w32tm.exe","10892","Load Image","C:\Windows\System32\msvcrt.dll","SUCCESS","Image Base: 0x7fefd580000, Image Size: 0x9f000" "17:09:31.3869755","w32tm.exe","10892","CreateFile","C:\Windows\System32\sechost.dll","SUCCESS","Des ired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened" .... Файл целиком во вложении. Что можно ещё посмотреть? |
Quote:
Quote:
As far as the registry parameters go, I have basically no complaints, except that there is no point piling up a bunch of servers from the ntp.org pool, because you need to understand how exactly the pool works. Quote:
|
Quote:
I turned the filters on because so many events were pouring in that procmon simply hung and nothing could be done in it. |
Quote:
Right now your task is to understand what is restricting your access. It may well be the previously mentioned "little defender", since some security products zealously guard against changes to the system time; for example that same "Dr.Web" by default also restricts the administrator from editing it: Hidden text
|
Sent it by PM.
The antivirus was switched off the whole time. Besides, when it was rolled out centrally across the whole organisation, its configuration was discussed in the sysadmin chat, and nobody complained about time being stopped; it was rolled out after the "Petya" virus epidemic. The antivirus certainly blocks a lot of things, but it writes everything to its log, so I always look there in doubtful cases and add exclusions as needed. The time on the server can be changed without problems. The antivirus does not block it. |
I'm looking at the PML file and wondering why the w32tm command creates a bunch of DLLs in the system32 folder and also stamps them with a past creation date?
Another server has exactly the same antivirus installed, and time there updates perfectly well. The difference: it is not in the domain. |
Quote:
And also in the state of the system itself: did you give sfc what it asked for? Does it no longer complain about system files?
Quote:
In the log the only suspicious thing I see is this: Code:
Environment: But I would also look in the system event logs; maybe one can be linked with the other? Code:
C:\Windows\System32\winevt\Logs\Application.evtx The start of the w32tm.exe process under that particular user raises questions.
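An added diagnostic script, not from this thread, that collects in one pass the things the last few replies ask about: what is restricting access (the reply above about the "defender"), and the process start context and event logs (this reply). It assumes it is run on the DC itself, in a PowerShell console started with "Run as administrator", under the same account that gets "Access is denied" from w32tm; the Security-log query only returns data if "Audit Privilege Use" is enabled, and the 4673/4674 event IDs are the standard privileged-service audit events, not something from the thread.

```powershell
# --- 1. Token: who is it, and is it actually elevated? ----------------------
# 0x80070005 from "w32tm /query" is most often an unelevated token, even when
# the account is a member of Domain Admins. The Procmon trace in the thread
# shows USERNAME=admin5 with USERPROFILE=C:\Users\Administrator, so confirm both.
$id   = [Security.Principal.WindowsIdentity]::GetCurrent()
$prin = [Security.Principal.WindowsPrincipal]$id
[pscustomobject]@{
    User     = $id.Name
    Elevated = $prin.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    Profile  = $env:USERPROFILE
    Session  = $env:SESSIONNAME
} | Format-List

# Privilege to change the clock must be present (Enabled or Disabled is fine;
# absent means the account or a policy stripped it).
whoami /priv /fo csv | ConvertFrom-Csv |
    Where-Object { $_.'Privilege Name' -like 'SeSystemtime*' -or $_.'Privilege Name' -like 'SeTimeZone*' }

# --- 2. Service security descriptor ----------------------------------------
# "w32tm /query" talks to the W32Time service over RPC; a tightened service DACL
# denies administrators too. Compare this SDDL with the working server from the thread.
sc.exe sdshow w32time

# --- 3. Registry key ACL and effective configuration (no RPC needed) --------
Get-Acl HKLM:\SYSTEM\CurrentControlSet\Services\W32Time | Format-List Owner, AccessToString
Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters | Select-Object Type, NtpServer
Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Config |
    Select-Object AnnounceFlags, MaxPosPhaseCorrection, MaxNegPhaseCorrection
# A Group Policy setting wins over the keys above if this path exists:
"W32Time policy present: " + (Test-Path HKLM:\SOFTWARE\Policies\Microsoft\W32Time)

# --- 4. Software Restriction Policy ----------------------------------------
# The trace shows w32tm.exe opening HKLM\...\Safer\CodeIdentifiers successfully at
# start, which means the key exists; list what is actually defined under it.
Get-ChildItem 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers' -Recurse -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty Name

# --- 5. Event logs for the last 24 hours -----------------------------------
$since = (Get-Date).AddDays(-1)
Get-WinEvent -FilterHashtable @{ LogName='System'; ProviderName='Microsoft-Windows-Time-Service'; StartTime=$since } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, Message | Format-Table -Wrap

# Privileged-service audit failures that mention the time privilege or w32tm
# (only populated when "Audit Privilege Use" is on).
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4673,4674; StartTime=$since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'SeSystemtimePrivilege|w32tm' } |
    Select-Object TimeCreated, Id, KeywordsDisplayNames, Message | Format-Table -Wrap
```

Read the output top down: if Elevated is False the rest is noise and the fix is simply an elevated console; if the service SDDL or the key ACL differs from the healthy, non-domain server mentioned later in the thread, that difference is the thing to explain before touching anything else.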
Ran SFC once again.
I can send the system logs by PM. Something bad is also going on with users: they take longer than usual to log on to the server. Otherwise it's fine. Quote:
|
Quote:
Quote:
It can be seen that you launch the process in a terminal session under some domain account which, apparently, is the one restricted in rights, while the profile reference on the server points to the "Administrator" user profile.
I don't use roaming profiles. It's just that if you enter a wrong password at logon, the domain takes a long time to respond with the wrong-password message. On one machine you couldn't log on at all while the patch cord was plugged in. Pull the patch cord out and it logs on fine.
I run it under my own administrator account; I have not restricted it in any way. Code:
C:\Windows\System32>sfc /scannow |
Start with this:
https://learn.microsoft.com/en-us/se...read-time-skew As for time servers, you need to enter only one: pool.ntp.org. It is a pool of several hundred servers; nothing else is needed. |
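An added configuration example, not from this thread, showing the single-pool setup the last two replies recommend together with the checks and the one security caveat a DC admin should apply. It assumes an elevated console on the DC that holds the PDC emulator role (only that DC should point outside the domain; the others keep the default NT5DS hierarchy), no W32Time Group Policy overriding the registry, and outbound UDP/123 permitted. The 3600-second phase-correction bound is a value chosen for this example, not a thread recommendation.

```powershell
# Confirm this DC is the PDC emulator before pointing it at an external source.
try   { "PDC emulator: " + (Get-ADDomain).PDCEmulator }        # ActiveDirectory module
catch { "ActiveDirectory module not loaded; check with: netdom query fsmo" }

# One pool name is enough: the ntp.org pool rotates many servers behind it, and
# w32time resolves the name again at every poll, so listing several pool entries
# only adds peers that may resolve to the same hosts.
# 0x8 = client mode (public servers refuse symmetric-active requests);
# 0x1 would additionally force SpecialPollInterval instead of the adaptive interval.
w32tm.exe /config /manualpeerlist:"pool.ntp.org,0x8" /syncfromflags:manual /reliable:yes /update

# Security caveat: public NTP is unauthenticated. Bound how far a single (possibly
# spoofed) response may move the clock. Default on domain controllers is 172800 s (48 h).
$cfg = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Config'
Set-ItemProperty $cfg -Name MaxPosPhaseCorrection -Value 3600 -Type DWord
Set-ItemProperty $cfg -Name MaxNegPhaseCorrection -Value 3600 -Type DWord

# Apply and force a fresh peer discovery.
Restart-Service w32time
w32tm.exe /resync /rediscover

# Verify. Source must be the pool, not "Local CMOS Clock" or "Free-running System Clock",
# and Stratum must be greater than 0.
w32tm.exe /query /source
w32tm.exe /query /status /verbose
w32tm.exe /query /configuration

# Reachability test that bypasses the service: /stripchart speaks NTP directly.
# A timeout here (0x800705B4) means the packet never came back, i.e. a firewall,
# not a permissions problem on the service.
w32tm.exe /stripchart /computer:pool.ntp.org /samples:3 /dataonly
```

If an internal GPS or appliance time source exists, put it in the peer list instead of the public pool; the bound on MaxPos/MaxNegPhaseCorrection still belongs there, because that is what limits the damage of one bad answer to a Kerberos-dependent domain.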
Quote:
Code:
ExitCode=80070005 |
Time: 22:34. |
© OSzone.net 2001-