MZ@ !L!This program cannot be run in DOS mode. $?,cQcQcQP~cQcPcQR~cQU~cQQ~cQY~cQcQS~cQRichcQPEL w! &PP- @@AD(0z,0 ()p8.text `.data@ @.idata @@.rsrc0@@.reloc 0l@Bp\   \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\@ @*8HDuL*<-@-P-22 3P7=>0?P?@APApB0D0EEEpFF`HHHH0I@I KkPmpmmrsy0pp`0`0`0 `@P0\\//ntdll.dllLdrGetProcedureAddressForCallerRtlAllocateHeapRtlReAllocateHeapRtlFreeHeapLdrGetProcedureAddressLdrGetProcedureAddressExCreateProcessWCreateProcessACreateProcessInternalWCreateProcessInternalAGetProcAddressVerifierGetPropertyValueByNamekernel32.dllverifier.dllPropagateAutoClr{E5DCDFAA-3B35-46A8-B370-9D3575A68E53}Coreonecore\base\avrf\avrf30\vrfcore\vrfcore.cpp_DllMainAVRF: Verifier Provider failed to initialized itself for DLL_PROCESS_VERIFIER. Process will be terminated.AVRF: NtQueryVirtualMemory failed, error code: %u AVRF: Verifier!AvrfpProvider : %p AVRF: ERROR - Only found %i Verifier!AvrfpProvider, %i should exist %sStop-%08X-ErrorReportStop-%08X-SeverityStop-%08X-FlavorAVRF: Duplicate hooking tables for dll [%ws] found. Will chain the hooks. AVRF: Duplicate [%ws!%s] (@ %p)[ %p %p ] <= (@ %p)[ %p %p ] VerifierIsAddressInAnyPageHeapAVRF: Couldn't read %s @ %p AVRF: Read just %Ix out of %Ix bytes of %s @ %p StopProcessingstop codeAVRF: failed to allocated a verifier TLS slot. Expected Thread IDThread IDExpected TEB addressTEB addressCorrupted TLS structureAVRF: verifier log file %ws kept open for too long (status %X) AVRF: failed to open verifier log file %ws (status %X) AVRF: Wait for pending write I/O operation failed with %X AVRF: failed to write into verifier log file %ws (status %X) {ApplicationVerifierGlobalSettings}ProtectedProcessLogPathVERIFIER_LOG_PATHUSERPROFILETEMPAVRF: Failed to determine the parent directory for the logs (status %X) \AppVerifierLogsAVRF: Failed to translate file name %S (status %X) AVRF: Failed to create logging directory %ws (status %X) AVRF: Created logging directory %ws %ws\%ws.%u.datAVRF: Failed to convert to an NT path the verifier log path. AVRF: failed to create verifier log file %ws (status %X) AVRF:bogus string length, overflow AVRF:Failed to save message into stop list LogToFileonecore\base\avrf\avrf30\vrfcore\breaks.cppVfCoreRegisterBreaks%ws-%wsGlobalFlagVerifierFlagsVerifierDlls 0x%XAVRF: VfCoreFindMostRecentThunk => searching provider (%p) AVRF: VfCoreFindMostRecentThunk => searching thunks for %ws AVRF: VfCoreFindMostRecentThunk => searching for %p in thunk %s [ %p %p ] AVRF: VfCoreFindMostRecentThunk => %p (hook chain length %u) AVRF: VfCoreFindMostRecentThunk => %p (hook chain length %u) is not hooked by any verifier provider AVRF: failed to make R/W old verifier stop function @ %p (%X) AVRF: failed to revert protection of old verifier stop function @ %p (%X) VerifierRedirectStopFunctionsVerifierStopMessageRtlApplicationVerifierStopPageHeapSizeRangeStartPageHeapSizeRangeEndPageHeapDllRangeStartPageHeapDllRangeEndPageHeapTargetDllsPageHeapFaultProbabilityPageHeapFaultTimeOutPageHeapRandomProbabilityDelayFreeSizeMB{4D056CEB-D8E3-4b85-B148-B543D56D9BDE}HeapsBasics{7CF16601-5646-4ecf-ACAF-D8B5872A0291}RPCForceDllUnloadUnloadPeriodMsSecuritySettingsEventRemoveCheckAggresiveMTATesting{91067D4F-67E6-4768-BEA4-2565236FDCBE}COMLocksHandlesStacksTLSMemoryExceptionsDirtyStacksDangerousAPIsRaceDeadLockLowResThreadpoolInputOutputLeakSRWLock0x%xPageHeapFlagsonecore\base\avrf\avrf30\vrfcore\base.cppVfRegisterBaseLayersVfUnregisterBaseLayersAVRF: VerifierIsLayerEnabled failed for %ws TlsAllocTlsFreeTlsGetValueTlsSetValueSHSMP.DLLsmartcpu.dllTTDRecordCPU.dllTTTraceWriter.dllTTDWriter.dllvfbasics.dllAVRF: %ws: null entry point. AVRF: %ws @ %p: entry point @ %p . AVRF: low memory: will not verify entry point for %ws . AVRF: hooked dll entry point for dll %ws AVRF: Failed to roll back all the hookings AVRF: Failed to snap provider's IAT AVRF: dll entry @ %p (%ws, %x) AVRF: Failed to resnap provider %ws . AVRF: Could not find the section that owns the Delay Import Directory. delayloaded dll %s for %ws. AVRF: low memory: Failed to allocate dll info node for %ws . AVRF: cretae delay load dll node %ws . AVRF: Provider (%p - %p) AVRF: Unable to unprotect IAT to modify thunks (status %08X). AVRF: Rollback (%ws: %p) with (%p). AVRF: internal error: New thunk for %s is null. AVRF: Snapped (%ws: %s) with (%ws: %p). AVRF: fault injecting call made from %p AVRF:FINJ: invalid fault injection class %X w$* w + w$, w-!Pd*P*8{yϽ.8[H)-`XݻXRSDS@DEq"9Mvrfcore.pdbGCTLH.rdata$brcHX.gfids .rdata)@.rdata$CastGuardVftablesA*@.rdata$CastGuardVftablesC@* .rdata$sxdataL*.rdata$voltmd*$.rdata$zzzdbg-H.text$mnX.xdata$x.edata.data$brc .data.bss8.idata$58 .00cfgD.idata$2X.idata$3l8.idata$44.idata$6P .rsrc$01Pv.rsrc$02 @DEq"9M #q=j# wU=t M3B0] ̋U} u jjjuU M ] ̋U SV3W3F+<++++9}u;5F <0 3Ad0T5QLz y5F*y5F=3EPh3WWx-EPWhux333d0( f9u pEpny5F<3y5FHEPSy5FSEPp pp0fhpSny5FcdWy5FoB9'y5F{ vy`5F=L  0whWj] hj _^[9=t'9=t'9=uщ5THG y.5F 07=y5Fǻ9=tt)U)y2 A  0Wh-WyH5F Q1y5F%! TWh:t#5F 39=t =|\h u`h5T;t5FX\t5Fceh9= 0k5Fw̋U}|3"E;Xt;\t M'OuE]̋UV5W}Wuu u8֋xj7uu_^]̋UV5Wu}Wuu u8֋xj7uu4_^]̋U<3ʼnESVWjY}53ƉE;jjMċQ%jPjE}t}@t uuQ>,uLF;EsD;r>z_^[] ̋USVWuru 3VW$x;wu z3fw_^[] ̋UMVC1%^]hhX}E(3ۉ$;9\;p Ӊ49tÍ 0;E DGkL90u쉕4uSSSSShhsj XBB tZj@Y9pE9PE,hP]h`Sh  jY E u5EEE3fx49G8E$Pw8Qx y.5hSj]ztDž$ ?DžX0Pxj0t00X u=`t(@$u ) Åt $=,=$(wHP,4G@G<hH(u5PTEX\E`dEhl,tQj@Xj=Y=LFQhHPj@Dw`dD   G tx(Dž |(,`u G CG0O(W wd (hxPuQuRuVuVWS475hhX@ 0P3ۋËӋˉ;0։ ;0sW;NX9huXPhSj] ;0s ;WƋp3ۈW9hu!hXhSj] 4u4,@d 0yu&=pu=PutH̋4G GE]u]GE]EE]G E]EEĉ]ȋG(Ẻ]ЋEEԉ]؋G0E܉]Džuj X^Y]̋USV3EWG Et ؅ujwEP<EPuESjPudyj^j=4YESCu9t0?t(j:u9u9 u9߃u9w C Pwր j^S j X_^[̋UQQeVuWtI} tBhU1ׅt=hu MH}t uLj X_^̋UQ}Vt*u t#tvt>tVuLu3j X^]̋U$3ʼnESVu 3W}f96hSPjYu F6hSPu F6h(SPUu F 3j XM_^3[őU 3ʼnESVu 3W}fia9Y~j[tn6hhPFt Džf~tj6hhPFt Džuu~ th6h(hPF t Dž3j XM_^3[>n̋UQE Vt8ut1}u @d3%MQPuu u3@3j X^ ̋U SVW3t|FtutC9~tf9~ tajZPEDPM<v EvuWPS\j"YH$PEP<EPSDy =4tj'_j X_^[̋UQQVW}3D$ tdu t]9FtX>t 9FtK9F tFhT$-օt=hu L$ F|$ t t$ Lj X_^]̋UM3U f3Ʌj*ZHʋ]̃=t4=`t3@áddxt@t;u3@`3̋V3=tuNut^̡t̋UQS‹VWEp;srA06,YYu ~ M1PTYYt u;sr EË3_^[̋UVuv>?S^W]P6,YYtu=Xt6hPjj]{MW!E3ɋM]P6,YYun][ `P7TYYuN}CMu}GA=Xt+sɋsESppP76hjj],] uEEpE]t Mt@A ?%]>_[^̋Uuuu uZ3҅jYIʋ]d0@htȅt 39A 3t @3̋UEt&3@EptlEthd@4W3]̡l̋U} tj X M3]̋UQVWEPjuWQHy}tDWuhjj],}t&}tWujuhjj]A_^ ̋UES] VWM3ҁ8Uu^hP׍E+HQPE}+=HEh`QMǀPx^EWEPhXRRx@Qu4x+ + HU99B v9B s_^[̋UQQSjjE3PjQC0x$}ujjEPjj0x39]Ë[̋UQMeVuu6U EMW}PWxMu ?AUt _^jY)̉I jY)̋9JuA9u ;‰BjY)̋9HtjY)JP̋UtwhuQWt3f]̋UuWhuQ]̋Ut&w} vWu uQWt3f]̋UVW3t f99tu3WEȋEt t+08_^]3tvW̋UVt#E M+Wt<0ft f>Iu_3ɸzENE3^f] d0Qjpl̋Uud0jp]jhxr3ɉM܉MMMEPQjtEd0@ @ p0uEƋMd Y_^[Ëu}t ujjhtr3ɈM E܉MtJtFMd0x EPQjtM;t;Xu(@0eEE܋Md Y_^[ËˊMt ujjhq3ɈME MMd0x EPQjt]7;t(v0h,YYu5FF eEE܋Md Y_^[6믊]t uj̋UQVWsGMESPx3EuփxE +ω0E 3[_^ ̋U 3ʼnEESVWEE 3ۉEEPjE]P]BEVU]px1SEPuVxut ;t@|M_^3[bEt/E0jWp t SVS3f_E83몸̋VjYu^3ҋhB.^̋ULD$SVWPhjZ V|PD$\$TD$Phj{$j-Xf9Ff9F f9F&f9F0f~J}W3fNEfN:fN ЈU)fNfN  ЈU fN fN ЈUfj_ ЈUfNffN ЈUf ЈUfNffN ЈUufk ЈUfNXfNfN ЈU:f0 ЈUfNfj_ ЈUfNf ЈUfNf ЈUfNf ЈUfNffL> ЈUf >u ЈU3_M^3[s[̋SVd50dW3xWjv@ȃuhlWj] LC$ 9PtjY)PDŽ_^[̃=u3d ̃=td̋VjIu_3ɸzENE3^f] ̋USVWuru 3VW$x ;wt z3fwMt1_^[] ̋UA;MC%]̋U t3#xQQx]̋U<=SVWډL$m=`=SL$$3D$ igD$0D$4D$<@D$8D$@D$D3PPPjPhPD$4PD$PPhD$8PC;uD$ PjGrCy8;uP5h V5h8jj]3D$(WPSt$ D$(|$(PWWWt$0|$@|$L|$PuWWt$Ȑx5t$yV5hWj]t$LyVhpWj]뾸_^[]̋U 3ʼnEdWefEEVrf E@ EEP(jZMM35ŰU 3ʼnEVWPjPcG G G$PDžPDžoM_3^T̋U 3fSVnyFEPjhu2EEPuE8]E`uu3^[d0@ @ @0̋UDSVW3hhډ]fEP<EPEWPfEjf]}hEP<EWPEfEPjf]}yNhEP<EWPfEEf]3PS}yVhSj]3ۋUhWĐSSEPWuVWh Sj]SSh!@ jjjEEEȍESPE]PhEE@P]Љ]ud 0SqyVhhTSj]3hhSj]uL3_^[̋Ud0$@ SVW@ X03WShhhh`VVhhVVVjVhVEEPE܉uPjEE@PEuu5uhG3eyV5hjj]!uLhVj] _^[̋UQ SC ;v] C ;ctVWp;rcF E3;v E;w{t(hx֋2y5h|hTY{ tF+ȃ 5j{Y9HtjY)KX_^[̋SV5W]3VG3ɋ;uIr=u==u4=u+=u"~tvhx,YYt63;u_^[̸3ɣh    ̋UQQE u^VWVP09xuF9Au? yEEhPEPj;uVXV_^jY)̋UQQV1uFvFeEjhPjEEPjxREEp E9QtjY)PAME A^̋VW3u3)FSZ;FvBF [;NwN_^̍B)A̋U 3ɍEAPQhM2u*jYEMEEPuEMuD39E̋Uj^SX9<9yuG98uAjY)3VVVVVhhj X_^[]̸h3h3̋UQS3VW9Qu3O9PtyH9xwqDX ;މups =uRWuSVhhU_^[̋U,SVWhEU3MP<EEE܍EPu E}PE@}}ԐyjXuuuEPܐyjSEE܋EE؍EPu uԐ=4u"3C9]u&E}PWWWEPu uy tj!j _VL_^[̋U<3ʼnEESVWu3E߉U PtjXhWPP hhPKPP<DžPuDž@Ԑ=4u/} u-PWWWPu3Cy{VLNjM_^3["A̋UVWt*QwLMwnEMu j/GwuU3m~t!QwLMv3EMt9F~t!QwLMv EMtFk>u\j+ Sj,j X_^̋US] V3uj XZWhP t!Ut ;;sAĉ Gu3FhX}u;_#^[]̋USVWU3ۉ]EPhVjW̐~3j\WfLFEYY3j\WfEYYtphP=tLEE_sPYYu?Eu!uM3uM3BDʉMhXV39E_^E[̋Ut3ʼnEE3S] VWuj XuujhP5FSp,YYt 6u3FhXu j3F担5S@L,YYt5Vtj%QPjVh3P<PhPjPdj^y!=4tLVH9t1jPPؐ3Ƀ A jY h0P<PWPjPdy=4tj^9u苅 ˉQ hLP<PWPjPdȅy 4t j넃񋝬Wff;u+3j ZffftSf;tcj Xf;t[WS uC{3f;tj Zf;tj Yf;u)Džfj Zfufy`;t S=jwȍft-j [j ^f;tf;ufu䋝j^ft%j Xf;tj Xf;tȋfuft*3fBPif 3fhhH:S-ftWhhӍPhhS̍3ۍQff;u+MPPjSPS\yjjXDhP<u V3PVJjY3}hlEjP註M܃Q3ff;u+MPEP3@PWPS\fh0P<VPVWPS\4Pu uLƋM_^3[~8̋UL3ĉ$HE 3ɉD$$L$ L$S]\$VWuj XuE؉\$$ujhP5t$0^s\$ ,YYt#6u܋hXjD$ uhX3M5t$4,YYtm53D$tMD$^sLpL,YYu!D$PSt$, |$D$t ;tGD$6us |$ 3CD|$ \$7D$xLD$Pjt$,|$,'hD$,P<D$4PhD$@PjD$8Pt$$djy3=4YEH^9t$}}uFEEE0jE|XE|螳xh@$lP<tPjPEPjlPSdy =4uj[.}t%}tj-XQjE}PEPؐ ]=|39#wv,YYt}u܋xM_^3[%ËWB&$>uGE}Bu"#V>uGE}Bt 6>jYu||MEJeu}39t\Etc%g>jYu|M3qff;u+ɉM9}t t녁똋Mжh uӉE3PӋEE0jE|XEΉ|뚐ӌ`̋VWt!3f97t4W,YYt Fr3_^Ë̋ Thj^t83A A \$ $03hh5Tt83A A \$ $03̋VWj ^tth #Q,YYu38_^̋U$S]V5\WD$tSuu u8=%u\MT$d$puBt$t:vt3jY|$j_u v,YYt!WD$PV;u۸%_^[]F ;D$wPvu1F 3։#̋U$d$SVW3ۅujX9D$PhW谳tWh$jj]9\$hP5Ft~(tvWjXD؋6uhXtdD$PhW蔭uPL$T$@D$D$D$D$D$ D$$RL$T$D$=t$3_^[]̋SVWջt7jSVjW0x j\vYYuFV豻_^[̋U=MV5tWSW},Wu(كu$u DQuuuu u8֋tDu Sw_[&u,u(u$u Quuuu u8^](̋U=M V5t]SWu4}0Wu,كu(u$DQuuuuu u8֋tu Sw_[,u4u0u,u(u$Quuuuu u8^]0̋U=MV5tWSW},Wu(كu$u DQuuuu u8֋tu Sw_[&u,u(u$u Quuuu u8^](̋U=M V5t]SWu4}0Wu,كu(u$DQuuuuu u8֋tNu Sw_[,u4u0u,u(u$Quuuuu u8^]0̋UVhE3Pu<EPEPVV9uh$EPhTVEPux|h$EPhLVEPuxVh$EPhPVEPux0h%EPhHVEPux 3@D3^̃=DVuu^Ë5T8^̋Q=DVWu t5LW8_^Y̋U=Du tV5Pu8^]̋U=Du YtVu 5Hu8^]̋U S]VW}Wh%,YYu/d0@8u3VVVVVh h֠Wh(%,YYuCXWhD%,YYuCXWhh%,YYuC\Wh%,YYuC\Wh%,Y3Yu @5|9su'DWh%Vj]-tssWh%Vj]hxP d*A EM9p$uHjC,MPQtlMduj+D$FD|$ts0Wh`'jj]=x ~ uth'jj] 3_^[]̋USVWQEPjEPEP؉]85ll6C,j,PEPt;u=ddaxWPC8u hd910HhWXNj?xujPEP;ujI3ۅt4;B rBB 9Er E(C;rFB JMuJu '3ME _^[̋U(eeEu ÍMQUVuu3SW}EPjEuPE}Pj؉]؅y,DSh(jj], ؉]EH[ Ce[@E8ȋ@ 3҉E܉U9tsȋ;AuVAtOt!qEq@p0hD(jj]EtJEHpt8UMBk Uȃ9uME@E8iB]؍EPuEPEPj_[^̋SVWًj^tBt>hxP ll 9X$t9x$t;u3F3hxX_^[̋U(eƒeEMSVWc[EPULuu3>}EPjEuPE}Pj؉]؅y%tSh(YY}39EӉ]9ȋG E]9to؋ȋ;CuKCt3hl(jj]tsE73p0h(jj]ME@k Eك;uM3ۋUBU9q}}C]؍EPuEPEPj _^[̋SW3ۅu MVhxP5l#N$;t$HuWN,(؅x 6luhxX^_[̋UQSVhx3P5;t@W>ƉE;t"VO$R؅x?;uE@6;Tt;u_hxX^[̡SVWxS3P5 F;TtN$xKx 6uSX_^[̋UMMUVtlSWB3ɉMx}9tBUNjX e;tM9PupAk Ã8u}MAMǃ8uƋURuUuM_[3;E^̋UVu 5u8^]̋UVu 5u8֋Ct ^]̋UQQhy %3SVW39=uWEPEt3=tV3WWCfsh"VWhsVWhVWh!hWh#ƀWjht5HWjhzWjh~Wjh53WVh|WVhzWVhvnHWVhx_h@Vh3O5|33_^[̋Vt+3zt94~u 9 tw;w @=r3^3@^̋Vt+3t94vu 9 |w;w @=r3^x3@^3V@|@hj3Vw jVj j@^̋UV3953ujXVW} uj XHS]Ã@vjX2hP @w  j^hX[_^]̋UQQ=3SVWu;539"9ttBEP(tSj RPc}+=sM s;|{;vutM `t` tUht3ҹ@B;"s09stu h(Sj]S3@ !3_^[̋Ud0V@htX=3tOu;5rVh(jj]j .WWP@B9E WFE "X3_jX^]̋U=uEt3]̋UV3953ujX(ED>@E D>DED>HED>L3fD>*GPPj j@fu3@fD>*ED>PfD>*^[t uX_; uj̋U} ux3@] ̋U} u[u3@] ̋Uuh j-]̋UQQ 5=ff fff%f-EEE jXkǀjXk LjX Lhh j:̋Uj]̋UhjEE jXkMhu]̋UQhEE } v }ue } vE HE E @jXkMeE@EE;E sEMU h̋U=t =N@u hYУ]̋U153EME8t E8N@u EO@]̀@s sË3Ҁ33%%%% %%%%% ̋UVuW} t N3 8%FN 3 8_^]̋USVW} EEG_3SPEuCE w @fu`EEEEGtofDMFF<HEtMxHMuɄt. EthSSuE_^[]ËM yE 9p thS֋~E Sux MӋI'%$%(%,%0%4%8%<%@%D%H%L%P%T%X%\%`%d%h%l%p%t%x%|%%%%%%%%%%%%%%%%%%Đ%Ȑ%̐%А%Ԑ%ؐ%ܐ%%%%%%%%%%%% %%%%% SVWT$D$L$URPQQhd53ĉD$d%D$0XL$,3p t;T$4t;v.4v\ H {uhCC$d_^[ËL$At3D$H36Uhp pp> ]D$T$ËUt$L$)qqq( ]UVWS33333[_^]Ðj`33333IUSVWjjhQd_^[]ËUl$RQt$ ]d̋UE]̋UE]̋UE**++;w]̋UE**++;wjAY)]̋UE**++;w=<t<]]̋U=<t<]]̋UE**++;@]̋UM+E -)@;Ev**++;w]̋UM+E -)@;Ev**++;wjAY)]̋UE+E -)@;Ev)M**++;w=<t u<Y]̋UE+E -)@9E]̋UE@]̋U8=0td E;Ar;Avj Y)]̋U8=0t;dUJ;Hr;Hvj Y)=@tV5@jr8^]̋U8=0tIM Vd5W}W8U Y;Fr;Fvj Y)=@t5@jw8_^]̋ 830USVWUjjhu%]_^[]ËL$At2D$H36UhP(RP$R]D$T$SVWD$UPjhd53PD$dD$(Xp t:|$,t;t$,v-4v L$ H |uhDID_뷋L$d _^[3d yuQ R 9QuSQ SQL$ KCk UQPXY]Y[%(̋D$L$ ȋL$ u D$S؋D$d$؋D$[hPd5D$l$l$+SVW1E3PeuEEEEdËMd Y__^[]QhPd5D$l$l$+SVW1E3ʼnEPeuEEEEdËM3(%,%$%0=M~N&O^ w--(2 KEF0?H>y0 skEpF0IHH0D`H=@IPAAP?@rPmpm0`pB0EP70m(Ie'?j 7Tk-Ko:Pi  !"#$%&'()*+,vrfcore.dllAVrfAPILookupCallbackVerifierGetInfoForExceptionVerifierAreStaticDllsInitializedVerifierChainDuplicateHooksVerifierCloseLayerPropertiesVerifierConfigureStopOptionsVerifierCreateLayerPropertiesVerifierDisableFaultInjectionExclusionRangeVerifierDisableFaultInjectionTargetRangeVerifierDisableLayerVerifierDisableVerifierVerifierEnableFaultInjectionExclusionRangeVerifierEnableFaultInjectionTargetRangeVerifierEnableLayerVerifierGetAppCallerAddressVerifierGetLoggingDirectoryVerifierGetRecursionTlsSlotVerifierHandleVerifierStopExceptionVerifierIsDllEntryActiveVerifierIsInsideVerifierStopVerifierIsLayerEnabledVerifierLdrGetProcedureAddressVerifierOpenLayerPropertiesVerifierQueryGlobalPropertiesVerifierQueryLayerBreakVerifierQueryLayerBreaksVerifierQueryLayerPropertiesVerifierQueryLayerPropertyVerifierQueryRegisteredLayersVerifierRegisterFaultInjectProviderVerifierRegisterLayerVerifierRegisterLayerExVerifierRegisterProviderVerifierResetFaultInjectionAddressRangesVerifierSetAPIClassNameVerifierSetFaultInjectionProbabilityVerifierSetFaultInjectionSeedVerifierSetLayerBreakVerifierSetLayerPropertyVerifierShouldFaultInjectVerifierStopMessageExVerifierSuspendFaultInjectionVerifierTlsGetValueVerifierTlsSetValueVerifierUnregisterLayerxXp@2, 3P@QF`RGpSHPTIU,0@-HXh`` p(xX!!(!!"!" #H!!(#4#D#" #T# \# l##@#####@$$ $$|    "@"$`"d" "! T  de@0f0tghDvi8j(kl$8m op<q\r@<s,ht4uwyx P8!  (  @ ????    ?? ?$%&'()*?./01234?89:;<=> ?BCDEFGH ?LMNOPQR ?VWXYZ[\???????  ? ? !"#$%& ?*+,-./0 ?456789: ?>?@ABCD ?HIJKLMN?RSTUVWX?\]^_`ab?fghijkl?pqrstuv?z{|}~???(#)#*#+#,#-#.#?2#3#4#5#6#7#8#?<#=#>#?#@#A#B#?F#G#H#I#J#K#L#?P#Q#R#S#T#U#V#?Z#[#\#]#^#_#`#?d#e#f#g#h#i#j#?n#o#p#q#r#s#t#?x#y#z#{#|#}#~# ?####### ?####### ?####### ?####### ?#######?#######?#######?#######?#######?#######?#######?#######?######$?$$$$$ $ $?$$$$$$$?$$$$$$$?"$#$$$%$&$'$($?,$-$.$/$0$1$2$?6$7$8$9$:$;$<$!?@$A$B$C$D$E$F$"?J$K$L$M$N$O$P$#?T$U$V$W$X$Y$Z$$?^$_$`$a$b$c$d$%?h$i$j$k$l$m$n$&?r$s$t$u$v$w$x$'?|$}$~$$$$$(?$$$$$$$)?$$$$$$$*?$$$$$$$+?$$$$$$$,?$$$$$$$-?$$$$$$$.?$$$$$$$ '''''''N@D ̒*DPftΓ,6P\vʔܔ8F\vЕޕ.Hh|Ζ2FP^hzԗ(4PrĘΘ0l̒*DPftΓ,6P\vʔܔ8F\vЕޕ.Hh|Ζ2FP^hzԗ(4PrĘΘLdrGetProcedureAddress#DbgPrintExNtQueryVirtualMemoryRtlDllShutdownInProgressLdrLoadDllqLdrEnumerateLoadedModulessLdrFindEntryForAddress4 _wcsnicmpNtTerminateProcess. _vsnwprintfNtQuerySystemTime1 _wcsicmpNtQueryInformationProcessLdrUnloadDll, _vsnprintfzRtlInitUnicodeString RtlCaptureStackBackTraceXNtDeleteValueKey NtReadVirtualMemoryNtCloseRtlEnterCriticalSection _stricmpRtlLeaveCriticalSection}NtSetValueKeyaRtlRaiseExceptionNtQueryValueKeyRtlApplicationVerifierStopRtlAllocateHeapvLdrFindResource_ULdrLockLoaderLockRtlAcquirePebLockRtlUnicodeStringToAnsiStringRtlFreeHeapLdrUnlockLoaderLockRtlFindClearBitsAndSetzRtlReleasePebLockfLdrAccessResourceRtlDeleteCriticalSectionwNtFreeVirtualMemoryNtWriteFileRtlFreeUnicodeStringRtlDosPathNameToNtPathName_UIRtlCopyUnicodeStringNtAllocateVirtualMemory6RtlQueryEnvironmentVariable_UPNtDelayExecutionRtlInitializeCriticalSection#NtCreateFile"DbgPrintRtlDoesFileExists_UNtWaitForSingleObjectNtQueryKeyUNtDeleteKeyNtOpenKey wcstoul{RtlInitUnicodeStringExmRtlInitAnsiString wcsstr)NtCreateKey wcsrchrzLdrGetDllHandleNtProtectVirtualMemory%RtlCompareMemory<NtResumeThread(RtlCompareUnicodeStringRtlAnsiStringToUnicodeStringeRtlImageDirectoryEntryToDatafRtlImageNtHeadercRtlRandomNtQueryPerformanceCounteroLdrDisableThreadCalloutsForDll RtlCaptureContext RtlUnhandledExceptionFilterntdll.dll'RtlUnwinde memcpyg memmovei memset :0H`x 9?@A B8CPDhEF~(@Xp345607H8`9x:;<=>?@ A8BPChDEFGHIJK(L@MXrp           0 @ P ` p               0  @  P  `  p                        0  @  P  `  p                        0  @ 0xbP8db>rPZvXdb 6X@<(!#+h-x.v1A Na| k u` Њ,^ `>(Hp( pb tPF prB hpPP4VS_VERSION_INFO Le Le?<StringFileInfo040904B0LCompanyNameMicrosoft Corporation:FileDescriptionApplication Verifier Provider - Core Verification and SDKn'FileVersion10.0.26100.3916 (WinBuild.160101.0800)8 InternalNamevrfcore.dll.LegalCopyright Microsoft Corporation. All rights reserved.@ OriginalFilenamevrfcore.dllj%ProductNameMicrosoft Windows Operating SystemDProductVersion10.0.26100.3916DVarFileInfo$Translation <AVRF: Terminate process after verifier stop failed with %X kThis verifier stop is not continuable. Process will be terminated when you use the `go' debugger command. LThis verifier stop is continuable. After debugging it use `go' to continue. 9AVRF: Formatting message failed in VerifierStopMessageEx LAVRF: Noncontinuable verifier stop %p encountered. Terminating process ... ======================================= VERIFIER STOP %p: pid 0x%X: %S %p : %S %p : %S %p : %S %p : %S %S ======================================= %S ======================================= ======================================= VERIFIER STOP %p: pid 0x%X: %s %p : %s %p : %s %p : %s %p : %s %s ======================================= %s ======================================= AutoDisableStopLoggingWithLocksHeldExceptionOnStopMinimumMemoryOverheadlPropagate verifier settings from parent process to child process. Note that not all tests can be propagated.[After specified image starts to run, the verified image will clear the settings for itself.:Verifier will only complain once for the same issue found.The dll load/unload event will be logged. Verifier is doing I/O when the loaderlock is held, which can cause the app to stop responding to input.QFor each verifier reported stop, exception will be raised instead of debug break.QReduce memory overhead by disabling some of the features used just for debugging.FullDllsSize SizeStartSizeEndRandRateBackwardUnalignTracesProtectNoSyncNoLockFaults FaultRateTimeOutAddr AddrStartAddrEndRandomUseLFHGuardPagesDelayFreeSizeInMBInPlaceShrinkAlloc4TRUE for full page heap. FALSE for normal page heap.iPage heap allocations for target dlls only. Name of the binaries with extension (.dll or something else).%Page heap allocations for size range.Beginning of the size range.Ending of the size range.uDecimal integer in range [0..100] representing probability to make page heap allocation vs. a normal heap allocation.Catch backwards overruns.No alignment for allocations.Collect stack tracescProtect heap internal structures. Can be used to detect random corruptions but execution is slower.LCheck for unsynchronized access. Do not use this flag for an MPheap process."Disable critical section verifier.Fault injection.Probability (1..10000) for heap calls failuresQTime during process initialization (in milliseconds) when faults are not allowed.'Page heap allocations for address rangeBeginning of the address rangeEnding of the address range'Page heap allocations with probability.Use LFH guard pages.=Maximum amount of memory to use for delayed free list (in MB)VAllows in-place shrinking re-alloc to succeed (valid only when LFH guard pages is on).ForceDllUnloadREnables aggressive Dll unload on certain events in COM framework and periodically.UnloadPeriodMs+Forceful Dll Unload Period in milliseconds.SecuritySettingsjChecks if security blanket settings (per-process, per-interface etc) are at or above recommended minimums.EventRemoveCheck5Checks for bad patterns in COM+ Event remove queries.AgressiveMTATesting>Enables aggressive MTA testing ensuring MTA are uninitialized.Checks that applications and components use RPC correctly. Common mistakes and problems while using RPC are flagged. A debugger is required to see the test results.Checks that applications and components use COM correctly. Common mistakes and problems while using COM are flagged. A debugger is required to see the test results.GChecks the heap errors. A debugger is required to see the test results.7VerifierRegisterLayer called with an invalid parameter. Not used. Not used. Not used. Not used.\This stop is issued if a verifier layers passes invalid parameters to VerifierRegisterLayer.9VerifierUnregisterLayer called with an invalid parameter. Not used. Not used. Not used. Not used.^This stop is issued if a verifier layers passes invalid parameters to VerifierUnregisterLayer.7VerifierStopMessageEx called with an invalid parameter.Layer descriptor address. Not used. Not used. Not used.mThis stop is usually issued if a verifier layer calls VerifierStopMEssageEx with an invalid layer descriptor.;VerifierStopMessageEx called with a non-existent stop code. Stop code. Not used. Not used. Not used.This stop is usually issued if a verifier layer calls VerifierStopMessageEx with a stop code that was not registered by any of the layers.3Another verification layer uses the same stop code.Min code in first range.Max code in first range.Min code in second range.Max code in second range.This stop is issued if another verifier provider already has a stop code with the same value. All codes should be distinct in order to avoid confusion in error processing.GMore than 128 (current limit) verification layers have been registered. Not used. Not used. Not used. Not used.This stop is issued if more than 128 (current limit) verification layers have been registered with the verifier infrastructure.LThe registering layer used the SAMPLE name or the GUID from the sample code. Not used. Not used. Not used. Not used.The layer code was copy pasted from the sample code and there was no new GUID generated (they must be unique) or the SAMPLE name was used for the verification layer.7The registering layer used an invalid layer descriptor. Not used. Not used. Not used. Not used.NA field from the layer descriptor has not been filled or has an invalid value.6VerifierIsLayerEnabled called with invalid parameters. Not used. Not used. Not used. Not used.oVerifierIsLayerEnabled is called for a layer that is not registered or the layer descriptor has invalid fields.7This error code is issued for old style stop functions. Code used.First parameter.Second parameter.Third parameter.Getting this stop means there is an error in converting old stop codes to new codes. All of them should have been converted and reported as belonging to appropriate verification layers (heaps, locks, etc.).7This error code is issued for old style stop functions. Code used.First parameter.Second parameter.Third parameter.Getting this stop means there is an error in converting old stop codes to new codes. All of them should have been converted and reported as belonging to appropriate verification layers (heaps, locks, etc.).'SmartHeap (shsmp.dll) is not supported. Not used. Not used. Not used. Not used.7Heap managers other then the NT heap are not supported.Unknown error.Not usedNot usedNot usedNot usedlThis message can happen if the error encountered cannot be classified in any other way. Not used right now.Access violation exception.%Invalid address causing the exception)Code address executing the invalid accessException recordContext recordThis is the most common application verifier stop. Typically it is caused by a buffer overrun error. The heap verifier places a non-accessible page at the end of a heap allocation and a buffer overrun will cause an exception by touching this page. To debug this stop identify the access address that caused the exception and then use the following debugger command: !heap -p -a ACCESS_ADDRESS This command will give details about the nature of the error and what heap block is overrun. It will also give the stack trace for the block allocation. There are several other causes for this stop. For example accessing a heap block after being freed. The same debugger command will be useful for this case too.CMultithreaded access in a heap created with HEAP_NO_SERIALIZE flag. Heap in which operation happens.9Thread ID for current owner of the heap critical section.5Thread ID of current thread trying to enter the heap.Not usedA heap created with HEAP_NO_SERIALIZE flag is not supposed to be accessed simultaneously from two threads. If such a situation is detected you will get this message. The typical way this situation creeps into a program is by linking with a single-threaded version of the C-runtime. Visual C++ can for instance link statically such a library when proper flags are used. Then people forget about this detail and use multiple threads. The bug is very difficult to debug in real life because it will show up as mysterious data corruptions.Extreme size request. Heap in which operation happens.Size requestedNot usedNot usedThis message will be generated if in a HeapAlloc() or HeapReAlloc() operation the size of the block is above any reasonable value. Typically this value is 0x80000000 on 32-bit platforms and significantly bigger on 64-bit platforms.%Heap handle with incorrect signature.0Heap handle used in the call to a heap interfaceNot usedNot usedNot usedThe heap structures are tagged with a magic value. If the heap handle used in the call to a heap interface does not have this pattern then this stop will be generated. This bug can happen if somehow the internal heap structure got corrupted (random corruption) or simply a bogus value is used as a heap handle. To get a list of valid heap handle values use the following debugger commands: !heap -p Note that if you just switch a valid heap handle with another valid one in a heap operation you will not get this stop (the handle looks valid after all). However the heap verifier detects this situation and reports it with SWITCHED_HEAP_HANDLE stop.+Corrupted heap pointer or using wrong heap.Heap handle used in the call.%Heap block involved in the operation.Size of the heap block.*Heap where block was originally allocated. Typically this happens if a block gets allocated in one heap and freed in another. Use !heap -p command to get a list of all valid heap handle values. The most common example is a msvcrt allocation using malloc() paired with a kernel32 deallocation using HeapFree().Heap block already freed.*Heap handle for the heap owning the block.Heap block being freed again.Size of the heap block.Not usedThis situation happens if the block is freed twice. Freed blocks are marked in a special way and are kept around for a while in a delayed free queue. If a buggy program tries to free the block again this will be caught assuming the block was not dequeued from delayed free queue and its memory reused for other allocations. The depth of the delay free queue is in the order of thousands of blocks therefore there are good chances that most double frees will be caught.Corrupted heap block.Heap handle used in the call.%Heap block involved in the operation.Size of the heap block.ReservedqThis is a generic error issued if the corruption in the heap block cannot be placed in a more specific category. Attempt to destroy process heap."Heap handle used with HeapDestroy.Not usedNot usedNot usedlIt is an error to try to destroy the default process heap (the one returned by GetProcessHeap() interface).AUnexpected exception raised while executing heap management code.Heap involved in the operation.Exception record.Context record.,Exception code (C0000005 - access violation)This stop is generated if while executing the heap manager code an access violation is raised in illegitimate situations. There are very few situations where this is ok, for example when calling HeapValidate() or HeapSize(). The exception record information (third parameter) can be used to find the exact context of the exception. Use the following debugger commands for this: $ .exr STOP-PARAMETER-2 $ .cxr STOP-PARAMETER-3 Usually this stop can happen if there is some random corruption in the internal heap structures.7Exception raised while verifying the heap block header.*Heap handle for the heap owning the block.Heap block that is corrupted.7Size of the block or zero if size cannot be determined. Not used.This situation happens if we really cannot determine any particular type of corruption for the block. Most likely this stop will happen when the heap block address passed to a heap free points to a non-accesible memory area (corrupted pointer, uninitialized pointer, etc.).0Exception raised while verifying the heap block.Heap handle used in the call.%Heap block involved in the operation.Size of the heap block. Reserved.This situation happens if we really cannot determine any particular type of corruption for the block. For instance you will get this if during a heap free operation you pass an address that points to a non-accessible memory area. This can also happen for double free situations if we do not find the block among full page heap blocks and we probe it as a light page heap block.'Heap block corrupted after being freed.*Heap handle for the heap owning the block.Heap block that is corrupted.7Size of the block or zero if size cannot be determined. Not used.LThis situation happens if a block of memory is written to after being freed.-Corrupted infix pattern for freed heap block.*Heap handle for the heap owning the block.Heap block being freed.Size of the heap block.Corruption address.Freed blocks are sometimes marked non-accessible and a program touching them will access violate (different verifier stop). In other cases (light page heap) the block is marked with a magic pattern and will be kept for a while. Eventually in a FIFO fashion the blocks get really freed. At this moment the infix pattern is checked and if it has been modified you will get this break. Use !heap -p -a HEAP_BLOCK_ADDRESS to get the stack at the time the block was freed.(Corrupted suffix pattern for heap block.Heap handle used in the call.%Heap block involved in the operation.Size of the heap block.Corruption address.EMost typically this happens for buffer overrun errors. Sometimes the application verifier places non-accessible pages at the end of the allocation and buffer overruns will cause an access violation and sometimes the heap block is followed by a magic pattern. If this pattern is changed when the block gets freed you will get this break. These breaks can be quite difficult to debug because you do not have the actual moment when corruption happened. You just have access to the free moment (stop happened here) and the allocation stack trace (!heap -p -a HEAP_BLOCK_ADDRESS)%Corrupted start stamp for heap block.Heap handle used in the call.%Heap block involved in the operation.Size of the heap block.Corrupted stamp value."This happens for buffer underruns.#Corrupted end stamp for heap block.Heap handle used in the call.%Heap block involved in the operation.Size of the heap block.Corrupted stamp value."This happens for buffer underruns.(Corrupted prefix pattern for heap block.Heap handle used in the call.%Heap block involved in the operation.Size of the heap block.Corruption address."This happens for buffer underruns.6First chance access violation for current stack trace.&Invalid address causing the exception.*Code address executing the invalid access.Exception record.Context record.This is the most common application verifier stop. Typically it is caused by a buffer overrun error. The heap verifier places a non-accessible page at the end of a heap allocation and a buffer overrun will cause an exception by touching this page. To debug this stop identify the access address that caused the exception and then use the following debugger command: !heap -p -a ACCESS_ADDRESS This command will give details about the nature of the error and what heap block is overrun. It will also give the stack trace for the block allocation. There are several other causes for this stop. For example accessing a heap block after being freed. The same debugger command will be useful for this case too. Invalid process heap list count.Actual heap count.Page heap count.Not usedNot usedThis message can happen if while calling GetProcessHeaps the page heap manager detects some internal inconsistencies. This can be caused by some random corruption in the process space..OLE32 library has been unloaded and re-loaded. Not used. Not used. Not used. Not used.&Ole32 has been unloaded and re-loaded.%COM API or Proxy called from DllMain. Not used. Not used. Not used. Not used.This stop is generated when a COM Proxy or a dangerous COM API is called with the loader lock held. To debug this run a simple `kb' to get the stack of the misbehaving DLL. The DLL should remove its call to the COM API in question. Unhandled exception in COM call.!Exception pointers for exception.Object being called on.Pointer to IID being called on.Method number being called on.dThis stop is generated if, while processing a COM call, the object being invoked raises an exception. The exception record information (first parameter) can be used to find the exact context of the exception. Use the following debugger commands for this: $ dd parameter1 L2 $ .exr first_dword $ .cxr second_dword Sometimes we know the exact object we called into that raised the error. In these cases, the second parameter will point to the interface pointer we tried to call on. The third and fourth parameters will indicate which interface and method we think we called on, as well.?Unbalanced CoInitialize/CoUninitialize calls on current thread.4Current number of CoInitialize calls on this thread.5Previous number of CoInitialize calls on this thread.Stack traces of CoInitialize calls on this thread. If non-zero, do !list -t ntdll!_LIST_ENTRY.Flink -x "dps poi(" -a " -4) l 0n32" param (use -8 for x64).Stack traces of CoUninitialize calls on this thread. If non-zero, do !list -t ntdll!_LIST_ENTRY.Flink -x "dps poi(" -a " -4) l 0n32" param (use -8 for x64).This stop is generated when COM detects that there has been an unbalanced call to CoInitialize on this thread. Causes for this include exiting a thread with outstanding CoInitialize calls on it, calling CoInitialize without calling CoUninitialize, or calling CoUninitialize without calling CoInitialize. The stacks of the most recent CoInitialize and CoUninitialize calls may be present in the third and fourth parameters. If they exist (non-zero), they may help to locate the culprit. The following example shows how to manually dump these stacks: Assume the parameter value is addr. Use the following debugger commands: For 32-bit: !list -t ntdll!_LIST_ENTRY.Flink -x "dps poi(" -a " -4) l 0n32" addr For 64-bit: !list -t ntdll!_LIST_ENTRY.Flink -x "dps poi(" -a " -8) l 0n32" addrAUnbalanced OleInitialize/OleUninitialize calls on current thread.5Current number of OleInitialize calls on this thread.6Previous number of OleInitialize calls on this thread.Stack traces of OleInitialize calls on this thread. If non-zero, do !list -t ntdll!_LIST_ENTRY.Flink -x "dps poi(" -a " -4) l 0n32" param (use -8 for x64).Stack traces of OleUninitialize calls on this thread. If non-zero, do !list -t ntdll!_LIST_ENTRY.Flink -x "dps poi(" -a " -4) l 0n32" param (use -8 for x64).%This stop is generated when COM detects that there has been an unbalanced call to OleInitialize on this thread. Causes for this include exiting a thread with outstanding OleInitialize calls on it, calling OleInitialize without calling OleUninitialize, or calling OleUninitialize without calling OleInitialize. The stacks of the most recent OleInitialize and OleUninitialize calls may be present in the third and fourth parameters. If they exist (non-zero), they may help to locate the culprit. The following example shows how to manually dump these stacks: Assume the parameter value is addr. Use the following debugger commands: For 32-bit: !list -t ntdll!_LIST_ENTRY.Flink -x "dps poi(" -a " -4) l 0n32" addr For 64-bit: !list -t ntdll!_LIST_ENTRY.Flink -x "dps poi(" -a " -8) l 0n32" addrMUnbalanced CoEnterServiceDomain/CoLeaveServiceDomain calls on current thread.Current COM object context.Stack traces of CoEnterServiceDomain calls on this thread. If non-zero, do !list -t ntdll!_LIST_ENTRY.Flink -x "dps poi(" -a " -4) l 0n32" param (use -8 for x64).Stack traces of CoLeaveServiceDomain calls on this thread. If non-zero, do !list -t ntdll!_LIST_ENTRY.Flink -x "dps poi(" -a " -4) l 0n32" param (use -8 for x64).Not usedXThis stop is generated when COM detects that there has been an unbalanced call to CoEnterServiceDomain on this thread. Causes for this include exiting a thread with outstanding CoEnterServiceDomain calls on it, calling CoEnterServiceDomain without calling CoLeaveServiceDomain, or calling CoLeaveServiceDomain without calling CoEnterServiceDomain. The stacks of the most recent CoEnterServiceDomain and CoLeaveServiceDomain calls may be present in the second and third parameters. If they exist (non-zero), they may help to locate the culprit. The following example shows how to manually dump these stacks: Assume the parameter value is addr. Use the following debugger commands: For 32-bit: !list -t ntdll!_LIST_ENTRY.Flink -x "dps poi(" -a " -4) l 0n32" addr For 64-bit: !list -t ntdll!_LIST_ENTRY.Flink -x "dps poi(" -a " -8) l 0n32" addr.Calling CoInitializeSecurity with a NULL DACL.;Security Descriptor that was used for CoInitializeSecurity. Not used. Not used. Not used./This stop is generated when COM detects that DCOM security is being initialized with a security descriptor containing a NULL DACL. A NULL DACL for COM means that anybody can call any of your objects. While not functionally different from supplying no security descriptor at all, the rationale behind this stop is that if you went through all the trouble to create a security descriptor with a NULL DACL, you must think you're getting something you're not. To debug this, look at the call stack. The security descriptor can come from one of the following places: 1. The calling code could pass it in directly. If the security descriptor is being supplied directly by the function calling CoInitializeSecurity, then that code needs to be corrected. 2. CoInitializeSecurity could be reading the values out of the AppID key specified in the call to CoInitializeSecurity. In this case, the specific application configuration needs to be fixed. 3. CoInitializeSecurity could be reading the values out of the AppID key associated with the current EXE. Again, the specific application configuration needs to be fixed. 4. CoInitializeSecurity could be using the global default access permissions. This indicates a machine-wide misconfiguration. The administrator should fix the machine-wide settings.OSYSTEM Process initialized DCOM security with impersonation allowed by default.Process token.Default impersonation level. Not used. Not used.This stop is generated when COM detects that a process running as SYSTEM is initializing DCOM security with an impersonation level of RPC_C_IMP_LEVEL_IMPERSONATE or better. This means that, by default, any COM call made grants the callee the right to impersonate SYSTEM. To debug this, look at the call stack. Either the caller is passing the unsafe impersonation level directly to CoInitializeSecurity, or the impersonation level is being read out of the registry, from the AppID key associated with the current process./A COM+ Proxy was called from the wrong context.,Pointer to IID of interface being called on.Method number being called. Not used.,Pointer to the COM+ proxy that was smuggled.This stop is generated when COM detects that a user has tried to call a COM+ proxy from the wrong object context. In general, COM+ proxies have affinity to the context that they were unmarshalled in, and must only be called from those contexts. To debug, look at the call stack. The caller of the proxy (the code before ole32.dll) needs to check to make sure that they correctly unmarshalled that interface pointer into the current context..A COM Proxy was called from the wrong context.,Pointer to IID of interface being called on.Method number being called.)The apartment that the proxy is valid in.The current apartment.This stop is generated when COM detects that a user has tried to call a COM proxy from the wrong apartment or context. In general, COM objects have affinity to the apartment and context that they were unmarshalled in, and must only be called from those places. To debug, look at the call stack, and parameters three and four. Parameter three indicates the apartment that the proxy is valid in, and parameter four indicates the apartment that the current call stack is in. The apartment values are interpreted as follows: - If the number is 0, then the apartment is the MTA. - If the number is 0xFFFFFFFF, then the apartment is the NA. - Otherwise, the number is the thread ID of an STA. If the numbers match, this indicates that the proxy was smuggled to a different COM+ object context. In this case, treat this stop as a COM_SMUGGLED_WRAPPER stop. The most common cause of this error is putting an interface pointer into a global variable and using it from more than one thread.=A class factory has returned success, but with a NULL object.Pointer to the class factory.#Pointer to the CLSID being created.#Pointer to the IID being requested.The HRESULT returned.This stop is generated when COM detects that a class factory has returned a success HRESULT from IClassFactory::CreateInstance(), but has returned NULL in the ppv argument. This is always a bug in the implementation of the class factory. To debug, examine the implementation of the class factory. Information about which class and interface were being requested is available from the second and third parameters. The first parameter is the pointer that ole called on, so you can dump that to examine the state of the class factory in question. Finally, the HRESULT might be something strange when it was supposed to be an error-the fourth parameter will tell you what was actually returned from the class factory.IA call to DllGetClassObject has returned success, but with a NULL object.2Name of the DLL whose DllGetClassObject we called.#Pointer to the CLSID being created.#Pointer to the IID being requested.The HRESULT returned.]This stop is generated when COM detects that a call to DllGetClassObject has returned a success HRESULT, but a NULL class factory. This is always a bug in the implementation of the DllGetClassObject function. To debug, examine the implementation of the DllGetClassObject function in the DLL named by parameter 1. Information about which class and interface were being requested is available from the second and third parameters. Finally, the HRESULT might be something strange when it was supposed to be an error-the fourth parameter will tell you what was actually returned from the function./Freeing memory containing marshaled COM object.1Pointer to the COM object in the block of memory.5Pointer to the start of the memory block being freed.Size of the memory block. Not used.This stop is generated when COM detects that a block of memory is being freed that contains a COM object. This is generally the result of freeing a COM object that still has outstanding marshaled references to it (i.e., COM is still holding a stub alive for the object). It indicates a reference counting bug for the object in question. To debug, use 'ln poi PARAM1' to identify the VTBL of the COM object being freed. Examine the implementation and clients of the COM object for obvious reference counting problems. Unfortunately, debugging reference counting problems is difficult, as it generally requires putting a breakpoint on the AddRef() and Release() implementations for this kind of object and reproducing the problem.0Unloading a DLL containing marshaled COM object.1Pointer to the COM object in the block of memory. The name of the DLL being freed.The base address of the DLL. Not used.VThis stop is generated when COM detects that a DLL is being unloaded which contains a COM object. As this stop is only issued when unmapping a DLL from memory, the COM object in question is almost always a global object or a singleton. Therefore, this stop indicates a bug in the DLLs DllCanUnloadNow implementation. To debug, use 'ln poi PARAM1' to identify the VTBL of the COM object being freed, and 'du PARAM2' to identify the DLL. Examine the implementation of the DLL's DllCanUnloadNow function, and make sure that the DLL always returns S_FALSE when there are still active objects in the DLL. The other possible cause of this is a DLL handle reference counting bug. If the current stack does not indicate that ole32 is unloading the DLL, then check to make sure that the code unloading the DLL actually has a valid module handle.AFreeing memory containing implementation of marshaled COM object.The object VTBL.-The address of the start of the memory block.The size of the memory block. Not used.This stop is generated when COM detects that a block of memory is being freed which contains a VTBL (i.e., the implementation) for a COM object. This is extremely rare-in general, it only happens when code is generated dynamically into memory, or code is mapped into memory with a mechanism other than LoadLibrary(). As such, this stop usually indicates a problem in a runtime (i.e., in a VM) that is implementing the COM object. To debug, dump the memory block and see if it has useful information in it. If this is hit, and you know the code in question is using the CLR or JVM, then probably the page heap information on the block will give the best information for debugging this.DUnloading a DLL containing implementation of a marshaled COM object.The object VTBL. The name of the DLL being freed.The base address of the DLL. Not used.This stop is generated when COM detects that a DLL is being unloaded which contains a VTBL (i.e., the implementation) for a COM object. This is generally the result of unloading a DLL that implements one or more COM objects that still have outstanding marshaled references to them (i.e., COM is still holding a stub alive for objects implemented in this DLL). As this stop is only issued when unmapping a DLL from memory, this stop indicates a bug in the DLLs DllCanUnloadNow implementation. To debug, use 'ln PARAM1' to identify the VTBL of the COM object being freed, and 'du PARAM2' to identify the DLL. Examine the implementation of the DLL's DllCanUnloadNow function, and make sure that the DLL always returns S_FALSE when there are still active objects in the DLL.CA lock is being held across a COM call (examine the current stack). Not used. Not used. Not used. Not used.cThis stop is generated when COM detects that a critical section is being held across a remote (i.e., at least cross-thread) COM call. This is not a bug, per se, it's usually just a bad design. First of all, callbacks to the object on a different thread have a good chance of deadlocking. Second of all, there is no way of knowing how long the remote call is going to block, so holding the lock across the call is generally very bad from a scalability and performance point of view. To debug, look at the stack, and use the !locks debugger extention to figure out which locks this thread is holding.:Low security blanket (explicit CoInitializeSecurity call).Authentication service.Authentication level. Not used. Not used.WThis stop is generated when COM detects that a client process configures security settings (by calling CoInitializeSecurity explicitly) too low: the authentication service is RPC_C_AUTHN_WINNT (10) or authentication level is less than RPC_C_AUTHN_LEVEL_PKT_INTEGRITY (5). To debug, look for CoInitializeSecurity caller in the call stack.(Low authentication level (from registry)Authentication service.Authentication level.Registry path. Not used.This stop is generated when COM detects that a client process does not configure security settings explicitly. CoInitializeSecurity is called implicitly, authentication level is read from registry and turns out to be too low: less than RPC_C_AUTHN_LEVEL_PKT_INTEGRITY (5). Low security blanket on a proxy.Authentication service.Authentication level. Not used. Not used.This stop is generated when COM detects that a client process configures security settings on a remote proxy (by calling IClientSecurity::SetBlanket or CoSetProxyBlanket) too low: the authentication service is RPC_C_AUTHN_WINNT (10) or authentication level is less than RPC_C_AUTHN_LEVEL_PKT_INTEGRITY (5). To debug, look for IClientSecurity::SetBlanket or CoSetProxyBlanket caller in the call stack.1Low security blanket (incoming call on a server).Authentication service.Authentication level. Not used. Not used.A server process is accepting a remote call with security settings that are too low: the authentication service is RPC_C_AUTHN_WINNT (10) or authentication level is less than RPC_C_AUTHN_LEVEL_PKT_INTEGRITY (5).&Application should call OleInitialize.OLE API called. Not used. Not used. Not used.This stop is generated when an application calls one of the OLE clipboard or drag and drop APIs, without first calling OleInitialize.,Invalid query syntax in IEventSystem::RemoveprogID parameterqueryCriteria parameterApproximate error location Not used.This stop is generated when COM+ Event System detects that the IEventSystem::Remove method has been used incorrectly by an application. Incorrect usage can in some cases remove unintended objects, including objects owned by other applications. The query contains a syntax error. PARAM3 contains the approximate location of the error, expressed as an offset into the queryCriteria string.3"ALL" used as queryCriteria to IEventSystem::RemoveprogID parameterqueryCriteria parameter Not used. Not used.This stop is generated when COM+ Event System detects that the IEventSystem::Remove method has been used incorrectly by an application. Incorrect usage can in some cases remove unintended objects, including objects owned by other applications. The query has the value "ALL". This value is inappropriate because it selects all subscriptions or event classes registered on the machine, not just those created by this application.UqueryCriteria in IEventSystem::Remove contains no "identifying" subscriber propertiesprogID parameterqueryCriteria parameter Not used. Not used.NThis stop is generated when COM+ Event System detects that the IEventSystem::Remove method has been used incorrectly by an application. Incorrect usage can in some cases remove unintended objects, including objects owned by other applications. When removing subscriptions, be sure the query selects by properties that can distinguish this application's subscriptions from subscriptions created by other applications. The heuristic used by this stop requires at least one of the following properties to be present in the query: -SubscriptionID uniquely identifies a subscription. This is preferred whenever possible. -SubscriptionName and Description can identify an application's subscriptions, if the application assigns them unique values. -SubscriberCLSID or SubscriberMoniker can identify persistent subscriptions belonging to a particular component. -To avoid false positives, the heuristic also accepts OwnerSID or MachineName because some administrative tools or scripts might use them. Most applications should not rely on these properties to select their subscriptions.GqueryCriteria in IEventSystem::Remove selected a COM+-configured objectprogID parameterqueryCriteria parameter Not used. Not used.This stop is generated when COM+ Event System detects that the IEventSystem::Remove method has been used incorrectly by an application. Incorrect usage can in some cases remove unintended objects, including objects owned by other applications. The query selected a subscription or event class that was created through the COM+ Administration library. These objects cannot be removed with IEventSystem::Remove. Please check whether the query is correct.HE_ACCESSDENIED removing a transient subscription in IEventSystem::RemoveprogID parameterqueryCriteria parameter Not used. Not used.This stop is generated when COM+ Event System detects that the IEventSystem::Remove method has been used incorrectly by an application. Incorrect usage can in some cases remove unintended objects, including objects owned by other applications. An E_ACCESSDENIED (0x80070005) error occurred while attempting to remove a transient subscription. It is unexpected for this error to occur when an application removes its own transient subscriptions. Please check whether the query is correct. This error can also occur if a service is impersonating when creating a subscription, but not impersonating when it attempts to remove it, or vice versa.>queryCriteria in IEventSystem::Remove selects multiple objectsprogID parameterqueryCriteria parameter Not used. Not used.This stop is generated when COM+ Event System detects that the IEventSystem::Remove method has been used incorrectly by an application. Incorrect usage can in some cases remove unintended objects, including objects owned by other applications. The progID parameter indicates that the caller is requesting a single object be removed, but the queryCriteria parameter selects multiple objects. This is a logical error in the caller because the behavior of IEventSystem::Remove is nondeterministic. Please check whether removing multiple subscriptions or event classes was intended - in which case progID should be PROGID_EventSubscriptionCollection or IDPROGID_EventClassCollection, respectively - or whether the query is missing properties that uniquely identify the object.YAn object marked as requiring full trust should not be marshaled to an untrusted process.,Pointer to IID of interface being marshaled.*Pointer to the COM object being marshaled. Not used. Not used.DThis stop is generated when COM detects that an object that has not been hardened to be usable from a low trust application is being marshaled to an untrusted application. In general, this can be either (1) older objects that don't implement the IInspectable::GetTrustLevel function to determine where the object is safe to be used from or (2) objects that return FullTrust from the GetTrustLevel function. To debug, look at the call stack. The method that allows this marshaling should be changed to only allow the marshaling of trusted interfaces to untrusted callers.;Unexpected QueryInterface on server side standard marshalerPointer to the IID queried&IMarshal pointer of standard marshaler!IUnknown pointer of server object Not used.This stop is generated when QueryInterface is called on a server-side standard marshaler, as obtained by CoGetStandardMarshal, with an IID that this object does not support. The server-side standard marshaler is designed for specific usage patterns to support specializing the marshaling behavior of a server object. Typically the server object calls CoGetStandardMarshal to get the IMarshal interface, calls the IMarshal methods as necessary, and Releases it when finished, with no need to QueryInterface. Calling QueryInterface with an IID that the standard marshaler does not support can indicate a bug in the caller, relying on undocumented and unsupported behavior of this object.Premature Stub Rundown DetectedPointer to the IID of the call Method Number Pointer to the IPID of the call. RundownType)This stop is generated when the COM runtime detects that a same machine call failed because the stub manager for the object has been prematurely rundown. For Store Application and Connected Standby scenarios that involve application suspension, this verifier stop points to a bug in the COM runtime's mitigations to prevent premature stub rundowns. The CallType could be one of the following: 1 - RundownInRemoteAddRefCall 2 - RundownInRemoteQueryInterfaceCall 3 - RundownInRemoteQueryInterface2Call 4 - RundownInNonIUnknownInterfaceCallThe async operation's completed delegate was set to null, which prevents the async operation from ever receiving a callback on completion.5The async operation object that was used incorrectly.Not usedNot usedNot usedThe async operation's completed delegate was set to null, which prevents the async operation from ever receiving a callback on completion because the completed delegate property is write-once.xThe async operation's completed delegate was set more than once, which is not allowed since it is a write-once property.5The async operation object that was used incorrectly.LThe duplicate completed delegate that was being set on the operation object.Not usedNot usedyThe async operation's completed delegate was set more than once, which is not allowed since it is a write-once property.The async operation was released before its completed delegate was set, so it was never capable of notifying its client of completion during its lifetime.5The async operation object that was used incorrectly.Not usedNot usedNot usedThe async operation was released before its completed delegate was set, so it was never capable of notifying its client of completion during its lifetime. The completed delegate property of the async operation should be set soon after creating the async operation so that the async operation can notify the client of completion. Failing to register a completed delegate is a violation of the WinRT Async Pattern.The async operation was released after it was notified of completion but before it called GetResults, so its completed delegate did not follow the contract.5The async operation object that was used incorrectly.HThe async operation's completed delegate that failed to call GetResults.Not usedNot used The async operation was released after it was notified of completion but before it called GetResults, so its completed delegate did not follow the contract. The completed delegate should either call GetResults or otherwise ensure that the client calls GetResults.vThe call failed because the AsyncBaseStateMachine was not in a terminal state (Error, Canceled, Completed, or Closed).5The async operation object that was used incorrectly.Not usedNot usedNot usedwThe call failed because the AsyncBaseStateMachine was not in a terminal state (Error, Canceled, Completed, or Closed).JThe call failed because the AsyncBaseStateMachine was in the Closed state.5The async operation object that was used incorrectly.Not usedNot usedNot usedJThe call failed because the AsyncBaseStateMachine was in the Closed state.Clients should not marshal their async operation objects out of the current process and servers should not marshal their completed delegates or progress delegates out of the current process.GThe async object that tried to be marshaled out of the current process.Not usedNot usedNot usedAClients should not marshal their async operation objects out of the current process and servers should not marshal their completed delegates or progress delegates out of the current process because to work correctly in all cases this usage relies on implementation details of cross-process calls to WinRT Async APIs.Calling Close after Cancel is unnecessary and prone to hangs since Cancel requires a response from the server and Close is a blocking operation that will wait until Cancel completes.5The async operation object that was used incorrectly.Not usedNot usedNot usedCalling Close after Cancel is unnecessary and prone to hangs since Cancel requires a response from the server and Close is a blocking operation that will wait until Cancel completes.MIllegal attempt to use a COM object after uninitializing COM for the process.HThe IUnknown of the COM object that was used after final CoUninitialize.Not usedNot usedNot usedAttempting to use objects provided by the COM runtime after uninitializing COM for the process is illegal since the global COM data structures used internally by those objects were cleaned up during COM uninitialization for the process.9Marshaling an agile object from a disconnectable context.[The IUnknown of the agile COM object that is being marshaled from a disconnectable context.+The v-tbl address pointed to by the object._The name of the DLL that contains the v-tbl(du to dump). Heuristically, this is the service DLLNot usedAn agile object hosted by a service DLL is being marshaled from a disconnectable context. CoDisconnectContext will not disconnect the stub (if any) for the object. Hence, the service DLL may be unloaded while the object is active, this is a bug.Stream usage leaking HGlobalNot usedNot usedNot usedNot usedLeaking HGlobal - Stream created with CreateStreamOnHGlobal(nullptr, false, ...) is released without calling GetHGlobalFromStream to manage the HGlobal lifetime\Possible security threat: Client is calling a remote endpoint without mutual authentication. Not used/ Not used/ Not used/ Not used/This stop is generated if a component uses RPC in such a way as to create security vulnerabilities. The user code in the current thread is the culprit. The stop does not cause a debug break and machine needs to be broken-into prior to debugging. The stop message is followed by some debugging information. To debug this stop use the following debugger commands: $ Ctrl-C or PrintScr - to break into the machine. $ !process pid 0 - to get the address ADDR of the faulting process; here pid is the faulting process id displayed in the verifier stop message. $ .process ADDR - to switch into the context of the faulting process. $ After the verifier stop message RPC will print the dump of the stack that has caused the stop. The printout will be preceded by: `RPC: Offending Stack:'. In the context of the faulting process, do an `ln' on the displayed stack addresses to get the corresponding symbols. $ If the faulting stack is not displayed or in addition to it, RPC will print some information identifying the faulting user code or component. These messages begin with `RPC:' and contain interface UUID's and other useful information: =========================================================== VERIFIER STOP 00000500: pid 0x3A4: Possible security threat: An unsecure interface becomes remotely accessible 00000000 : (null) 00000000 : (null) 00000000 : (null) 00000000 : (null) =========================================================== RPC: Starting to listen on protsec: ncacn_ip_tcp endpoint: (null) RPC: Unsecure interface UUID: 621dff68-3c39-4c6c-aae3-e68e2c6503ad RPC: Unsecure interface UUID: 00000134-0000-0000-c000-000000000046 RPC: Unsecure interface UUID: 18f70770-8e64-11cf-9af1-0020af6e72f4 RPC: Unsecure interface UUID: 00000131-0000-0000-c000-000000000046 In the above example, the owners of the interfaces that have not been secured are at fault. 00 000$01111(2@2 \========>>>%>0>J>U>d>v>>>>>>>>>>??-?9?D?d?v??????????0T00 000$040C0R0a0i0o0u0000000000001111!1(141?1F1`1k1z1111111111122'252;2A2M2o2z22222(3A3u333333444#4-4G4Q4r4|4566V7~778 888$868F8K8R8W8_8d8m8u8}88888889979@9s99999999999999:::,:E:N:V:a:i:q:w:|:::::;q;;;;;;;;;;;;,<5<=$=J=S=\=m=x======>??@000\111&2|225334445~55556 6(6=6V6q666757?7I77777788 919T9}99999:::7:?:I:g:o:::::::U=u=====>>>>>>>>>4???P 000011,161M1]1o1111111122'2?2N2b2r2222222233,3>3R3]3n3z33(4j467 777)727B7G7O7T7Z7j7o7t7}777777778,8P8k8s8{8888:;7;M;Z;;;;;;<<<p>>>>>>>>??&?1E1Q1\1b1r1111111111122#2/272<2T2Z2o2t22222222222233 3333#3)3D3O3V3[3r3333333 4*454:4B44467)84888?8J8N8U8888888889{92;;;e>M>l>q>v>{>>>>>>>?0?^?w?????pm0001!1'2/252;2W2c2i2223333%3=3N3x3~334 44%434=4C4^4n4z44445O555556)667,8j88889T9a9n9999M:S:Y:o:}:::::::::::*;r;};;;;p>>>>????????, 00$000G0R0o00000 1X1f11111 22,222>2I2S2v222222223O3_3i3s333334)4444 5)5/5X5b55555555626B6Q6[6m6y6666666677$7u7778x88888909H9c999::-:j:}::::r;v;z;;;<<1>>">V>]>u>>>>>>>>>>>>>>? ??????F?T?????f0v0000000000 1>111112%2O2g2r22223"3X3u333334K4f4u44444444444445 555*565I5a5i5|5555555 66C6I6q66666666666666677 7)777I7R7Z7`7f77777778 8!8+838;8G8P8X8^8d8l8888889&9c9q9x9999999995:L:V:_::::::::: ;;;;;;<<$ >>O>U>>>>>>>?1?8?>?C?R?\?l?????????0+01'1-1:1D1111L2x2222222O3_3e3n3t333334d44444444445-5?5K5Q5b5j5o5x5~5555555B6k6v66666667 777*7/757A7M7Y7i7~777777777778 8,878@8Z8w8888888 9#989>9C9S9]9c9999999999: :0:::A:K:T:j:::::::::;;;;:;G;N;S;Y;n;z;;;;;;<<<63><>D>W>_>g>q>w>}>>>>>>>>>>? ???&?,?2?8?F?z??????0K0\0m00000071L1`1112G2X2222222223 333 3'3/373?3E3N3S3Y3c3m3}333333333444,414I4V4a4f4k4q4{444444555!5555555555q6647j7v777777777777888*868B8N8Z8f8r8~88888888888999&929>9J9V9b9n9z999999999999 ::":.:::F:R:^:::;<<: >0>:>G>\>a>y>>>>>>>Q?]????(0}0000;1G1S1p1111111(000$0(04080D0X0`0x0000000000000001101H1t1x1|111111111111111122\2l2p2x2|222222<3@3H3L3P33333333333334444 4(404<4P4\4h4t444444444505<5H5T5`5l5x55555555555566 6,686D6P6\6h6t666666666666777D7P7\77 x?? 81,0, *H ,|0,x10  `He0 +700Y +70IB>մ$fڎ`(1$0  +71 IE8=,}0cw m~̞lI*|f#Oؖ ʢ9wB"7$&uyG鵅@ #QDcِc$>[{vj0WTd6N<\4E{ak?R52/F7Y9L{Mstv]JR[y£:"i$2ykJyJ6jl-g6d= O@Ocrt~׶ s &1+meKpArr$+{%,r4txMg0YBaq̎kOY(i3e*F4td^W41$+Gݖ( QrklKZD;3#49kQgj8F%? M$hjq贈OT5c߽>/xڌ#]Z3v8,B VbBP"@_c)ŵ&ԉr;xF`)6ʇ7Za +GdaUMef~1L. iM@ k`ȉߺs ;t-:Lh%~@nqS 7XMDfu Hd=yl;Apb^͆殴.܇>-hء]-ǽ3M&PAWa4(0AYʒVHk]?с r2+kꖶЦRv (3r\CvLO!>~F5-BP;6"nT@CiY]sC8)H=OFq(hs@@OڲŜ;o2 Y=ʺ8 T# =]B UM| HEc=Ew$d":7İίXLԹIS C*@| (zrhzT~3 -9 Vlٮ'&F<^_@>9eIŴz010  `He ZhP1#G8ZOY} 6 v003XgK=l|0  *H  0~1 0 UUS10U Washington10URedmond10U Microsoft Corporation1(0&UMicrosoft Code Signing PCA 20100 240822192557Z 250705192557Z0t1 0 UUS10U Washington10URedmond10U Microsoft Corporation10UMicrosoft Corporation0"0  *H 0 cF9d16(V!)i+hzF`qCj<9L}0y0U%0 +7=+0UN#91_ -R-0TUM0KI0G1-0+U $Microsoft Ireland Operations Limited10U 230865+5027120U#0_{"XrN!t#20VUO0M0KIGEhttp://crl.microsoft.com/pki/crl/products/MicCodSigPCA_2010-07-06.crl0Z+N0L0J+0>http://www.microsoft.com/pki/certs/MicCodSigPCA_2010-07-06.crt0 U00  *H  fXz}Y7||g!8!@cF(y^$e.7sяPܮs4OQM[5Fq//ER7.RAp,u^{oC#uf߾Y_qZ=eRi8wt"CbW9)B:1~m b5U2ʣVoj+?lr]BQ㻲H7?W %cg@0p0X a RL0  *H  01 0 UUS10U Washington10URedmond10U Microsoft Corporation1200U)Microsoft Root Certificate Authority 20100 100706204017Z 250706205017Z0~1 0 UUS10U Washington10URedmond10U Microsoft Corporation1(0&UMicrosoft Code Signing PCA 20100"0  *H 0 dPyg LVhDXOv|mE9eҏDe,U}.+A+KnILk‰q͵K̈k:&?4W]I*.ՅY?+t+;FFIfTUbWrg% 4]^(ղcӲȊ& Y5LR[ HwօGj-\`ƴ*[#_Eo73jMjfcx0ϕ00 +70U_{"XrN!t#20 +7  SubCA0 U0U00U#0Vˏ\bh=[Κ0VUO0M0KIGEhttp://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl0Z+N0L0J+0>http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt0U 00 +7.00=+1http://www.microsoft.com/PKI/docs/CPS/default.htm0@+042 Legal_Policy_Statement. 0  *H  tWO){xP" 4*,Ͽ4ہ5oywNaZ#bQEg?<09@!)奡i"tGCS0i% moar,iv=Qۦ9H7amS˧a¿⃫k}(QJQlȷJi~IprGc֢DciFz?!{#-A˿Lﱜ"KInv[Sy=s5SP8f3'9x6N_=GS a=*ג,7Z>@B1V$]Qjy{%qDj#u1>0:00~1 0 UUS10U Washington10URedmond10U Microsoft Corporation1(0&UMicrosoft Code Signing PCA 20103XgK=l|0  `He0 *H  1  +70 +7 10  +70/ *H  1" \f[ ΥH;"GE%0Z +7 1L0J$"Microsoft Windows" http://www.microsoft.com/windows0  *H dt!82cqĈ̓͟#e[%vVxcXQU 2>P3Y2M,1 u{rrzѪaMX+JLDb_3nK<+@*ޕ@P%q{f6~9Eӄuũ3!! !\E8䋮~1Iޝ <':񶩄)A[dVۙ<21^pa A5DL˔Gk( =ա0 +710 *H 010  `He0Z *H  IE0A +Y 010  `He Mz&CN~pd| n">]g&B20250423091543.267Z0٤01 0 UUS10U Washington10URedmond10U Microsoft Corporation1-0+U $Microsoft Ireland Operations Limited1'0%U nShield TSS ESN:521A-05E0-D9471%0#UMicrosoft Time-Stamp Service0(03 ת*V0  *H  0|1 0 UUS10U Washington10URedmond10U Microsoft Corporation1&0$UMicrosoft Time-Stamp PCA 20100 240725183121Z 251022183121Z01 0 UUS10U Washington10URedmond10U Microsoft Corporation1-0+U $Microsoft Ireland Operations Limited1'0%U nShield TSS ESN:521A-05E0-D9471%0#UMicrosoft Time-Stamp Service0"0  *H 0 UiҤ?dz{(=/۩Hf`ؤ>帅 w:.zOi,RFP[fytsuZ(\vQI^ֳ IVɳK\XJL 6[@6:q)2V.y%~)֜JI JwނyXP Y9͇:6y,-}.Aq(8)٨XcX{'|IRa//v˄po<8eYp ۑ-5:suXau+L|`=͈YtL,[3`mªIF;ce6{)YY3aQ]ŦƮUkv3C&YwDhYp;|"2&!Jl%z=>-Q=6eV1pђ )cWy 8ϴY<nɡ!NӾ\I0E0U%$ھ #*^}}ww:0U#0]^b]eS5r0_UX0V0TRPNhttp://www.microsoft.com/pkiops/crl/Microsoft%20Time-Stamp%20PCA%202010(1).crl0l+`0^0\+0Phttp://www.microsoft.com/pkiops/certs/Microsoft%20Time-Stamp%20PCA%202010(1).crt0 U00U% 0 +0U0  *H  (xѴ sX8ǽnW`9iS`طKe-؀ǃLU]z62Sx-5`:z;];{z-a=*bp"ĨK`O(s0Ze qf~ w=;x87uSZ|PbUx B.O@1DRq%0tÅq" e\ awF^4L~y*I_)Q][ ^FV25/]5 #U06^x ob}_X7>ZbP7N~4x5)ZfEÕ~Ⱥ;QRݜ;"lsm))LыԊq.K@~NxEpsLU3yѵ1%LVwa!2%;f1J}ㄤ"` |!mͶ%OoҐ۟g8ْ>BAeNML`ICNC0q0Y3kI0  *H  01 0 UUS10U Washington10URedmond10U Microsoft Corporation1200U)Microsoft Root Certificate Authority 20100 210930182225Z 300930183225Z0|1 0 UUS10U Washington10URedmond10U Microsoft Corporation1&0$UMicrosoft Time-Stamp PCA 20100"0  *H 0 Lr! y$yՂҩlNu5WlJ⽹>`3\OfSqZ~JZ6gF# w2`}jRDFkvPDq\Q17 8n&S|9azĪri65&dژ;{3[~Rb%j]SVMݼ㑏9,Qpi 6-p15(㴇$ɏ~TUmh;Fz)7EFn20\O,b͹⍈䖬Jq[g`= s}AFu_4 }~ٞE߶r/}_۪~66L+nQsM7t4G|?Lۯ^s=CN39LBh.QFѽjZasg^(v3rק  co 6d[!]_0tعP a65Gk\RQ]%PzlrRą<7?xE^ڏriƮ{>j.00 +70# +7*RdĚhttp://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt0  *H  U}*,g1$[rKo\>NGdx=139q6?dl|u9m1lѡ"fg:SMݘx6.Vi {jo)n?Hum m#TxSu$Wݟ=heV(U'$@]='@8)üTB  jBRu6as.,k{n?, x鑲[It 쑀=J>f;O2ٖtLrou04zP X@1Q{p( 6ںL 4$5g+ 挙"'B=%tt[jў>~13}{8pDѐȫ::bpcSMmqjU3XpfY0A0٤01 0 UUS10U Washington10URedmond10U Microsoft Corporation1-0+U $Microsoft Ireland Operations Limited1'0%U nShield TSS ESN:521A-05E0-D9471%0#UMicrosoft Time-Stamp Service# 0+-/{.Ul֎d0~0|1 0 UUS10U Washington10URedmond10U Microsoft Corporation1&0$UMicrosoft Time-Stamp PCA 20100  *H  벪0"20250422235420Z20250423235420Z0w0= +Y 1/0-0 벪0 t00 ,06 +Y 1(0&0  +Y  0 00  *H  *$]_QD6W۲` @X2HD1DnD+$=VJR7> TBLz($e{mYk<Hg]SrM  V2lNѧTJhHPK26j+wb-: