27/02/2021 09:10:56.9001361 Process Start tsdiscon.exe 27/02/2021 09:10:57.2315175 Process Start winlogon.exe pid=2368 27/02/2021 09:10:57.6166307 Process Start LogonUI.exe pid=2508 PID 992: many embedded services; modifying "type=20h" to "type=10h" gives one service per process, so the services don't share the same process 27/02/2021 09:11:02.3852432 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-864579208-975515589-129103804-500\ProfileImagePath x:\users\Administrator 0 ntoskrnl.exe CmpCallCallBacksEx + 0x1d1 0xfffff8066bbf16b9 X:\windows\system32\ntoskrnl.exe 1 ntoskrnl.exe NtQueryValueKey + 0x41f 0xfffff8066bbf81ef X:\windows\system32\ntoskrnl.exe 2 ntoskrnl.exe KiSystemServiceCopyEnd + 0x25 0xfffff8066b9c8175 X:\windows\system32\ntoskrnl.exe 3 ntdll.dll NtQueryValueKey + 0x14 0x7ffa389eb0b4 X:\windows\SYSTEM32\ntdll.dll 4 KERNELBASE.dll LocalBaseRegQueryValue + 0x17f 0x7ffa3621cf9f X:\windows\System32\KERNELBASE.dll 5 KERNELBASE.dll RegQueryValueExW + 0xf3 0x7ffa3621c953 X:\windows\System32\KERNELBASE.dll 6 profapi.dll Windows::Internal::NativeString >::_InitializeFromRegistry + 0xe0 0x7ffa360b6b10 x:\windows\system32\profapi.dll 7 profapi.dll GetBasicProfileFolderPathAlloc + 0xff 0x7ffa360b48df x:\windows\system32\profapi.dll 8 profapi.dll _GetUserFolderPathFromSid + 0x17f 0x7ffa360b268f x:\windows\system32\profapi.dll 9 profapi.dll GetBasicProfileFolderPathAlloc + 0x197 0x7ffa360b4977 x:\windows\system32\profapi.dll 10 profapi.dll GetBasicProfileFolderPathAlloc + 0x1fd 0x7ffa360b49dd x:\windows\system32\profapi.dll 11 profsvc.dll LoadChangeUserClasses + 0x47a 0x7ffa2e4bffca x:\windows\system32\profsvc.dll 12 profsvc.dll CUserProfile::UseLocalProfile + 0x196 0x7ffa2e4c32e2 x:\windows\system32\profsvc.dll 13 profsvc.dll CUserProfile::RestoreUserProfile + 0x1a9 0x7ffa2e4c3609 x:\windows\system32\profsvc.dll 14 profsvc.dll ::operator() + 0x587 0x7ffa2e4ba2a7 x:\windows\system32\profsvc.dll 15 profsvc.dll CUserProfile::Load + 0x484 0x7ffa2e4b9b44 
x:\windows\system32\profsvc.dll 16 profsvc.dll LogonThreadProcInternal + 0x1eb 0x7ffa2e4c3adb x:\windows\system32\profsvc.dll 17 profsvc.dll LogonThreadProc + 0x1d 0x7ffa2e4c3f2d x:\windows\system32\profsvc.dll 18 profsvc.dll _WorkItemWrapper + 0x35 0x7ffa2e4b5255 x:\windows\system32\profsvc.dll 19 ntdll.dll TppSimplepExecuteCallback + 0x99 0x7ffa3898e9c9 X:\windows\SYSTEM32\ntdll.dll 20 ntdll.dll TppWorkerThread + 0x68a 0x7ffa3896276a X:\windows\SYSTEM32\ntdll.dll 21 KERNEL32.DLL BaseThreadInitThunk + 0x14 0x7ffa37b76fd4 X:\windows\System32\KERNEL32.DLL 22 ntdll.dll RtlUserThreadStart + 0x21 0x7ffa3899cf31 X:\windows\SYSTEM32\ntdll.dll 27/02/2021 09:11:02.3868834 NO MORE FILES X:\Users\administrator\AppData\Local\Microsoft\Windows\UsrClass.dat 0 FLTMGR.SYS FLTMGR.SYS + 0x608c 0xfffff8066b51608c X:\windows\System32\drivers\FLTMGR.SYS 1 FLTMGR.SYS FLTMGR.SYS + 0x5b37 0xfffff8066b515b37 X:\windows\System32\drivers\FLTMGR.SYS 2 FLTMGR.SYS FLTMGR.SYS + 0x4b46 0xfffff8066b514b46 X:\windows\System32\drivers\FLTMGR.SYS 3 FLTMGR.SYS FLTMGR.SYS + 0x48bb 0xfffff8066b5148bb X:\windows\System32\drivers\FLTMGR.SYS 4 ntoskrnl.exe ntoskrnl.exe + 0x287d3a 0xfffff8066b8a0d3a X:\windows\system32\ntoskrnl.exe 5 ntoskrnl.exe ntoskrnl.exe + 0x287ce7 0xfffff8066b8a0ce7 X:\windows\system32\ntoskrnl.exe 6 ntoskrnl.exe ntoskrnl.exe + 0x287ca0 0xfffff8066b8a0ca0 X:\windows\system32\ntoskrnl.exe 7 ntoskrnl.exe ntoskrnl.exe + 0x287bc0 0xfffff8066b8a0bc0 X:\windows\system32\ntoskrnl.exe 8 ntoskrnl.exe ntoskrnl.exe + 0x5e13f2 0xfffff8066bbfa3f2 X:\windows\system32\ntoskrnl.exe 9 ntoskrnl.exe ntoskrnl.exe + 0x64857f 0xfffff8066bc6157f X:\windows\system32\ntoskrnl.exe 10 ntoskrnl.exe ntoskrnl.exe + 0x6484ba 0xfffff8066bc614ba X:\windows\system32\ntoskrnl.exe 11 ntoskrnl.exe ntoskrnl.exe + 0x3af175 0xfffff8066b9c8175 X:\windows\system32\ntoskrnl.exe 12 ntoskrnl.exe ntoskrnl.exe + 0x3a16a0 0xfffff8066b9ba6a0 X:\windows\system32\ntoskrnl.exe 13 fbwf.sys fbwf.sys + 0x23e6 0xfffff8066f3223e6 
X:\windows\system32\DRIVERS\fbwf.sys 14 FLTMGR.SYS FLTMGR.SYS + 0x4cebf 0xfffff8066b55cebf X:\windows\System32\drivers\FLTMGR.SYS 15 FLTMGR.SYS FLTMGR.SYS + 0x3797c 0xfffff8066b54797c X:\windows\System32\drivers\FLTMGR.SYS 16 FLTMGR.SYS FLTMGR.SYS + 0x3a47b 0xfffff8066b54a47b X:\windows\System32\drivers\FLTMGR.SYS 17 FLTMGR.SYS FLTMGR.SYS + 0x3aacb 0xfffff8066b54aacb X:\windows\System32\drivers\FLTMGR.SYS 18 FLTMGR.SYS FLTMGR.SYS + 0x393a4 0xfffff8066b5493a4 X:\windows\System32\drivers\FLTMGR.SYS 19 FLTMGR.SYS FLTMGR.SYS + 0x256b 0xfffff8066b51256b X:\windows\System32\drivers\FLTMGR.SYS 20 FLTMGR.SYS FLTMGR.SYS + 0x3504 0xfffff8066b513504 X:\windows\System32\drivers\FLTMGR.SYS 21 FLTMGR.SYS FLTMGR.SYS + 0x40a1 0xfffff8066b5140a1 X:\windows\System32\drivers\FLTMGR.SYS 22 PROCMON24.SYS PROCMON24.SYS + 0x2c74 0xfffff80bc6cd2c74 X:\windows\system32\Drivers\PROCMON24.SYS 23 FLTMGR.SYS FLTMGR.SYS + 0x608c 0xfffff8066b51608c X:\windows\System32\drivers\FLTMGR.SYS 24 FLTMGR.SYS FLTMGR.SYS + 0x4490 0xfffff8066b514490 X:\windows\System32\drivers\FLTMGR.SYS 25 FLTMGR.SYS FLTMGR.SYS + 0x3b5b1 0xfffff8066b54b5b1 X:\windows\System32\drivers\FLTMGR.SYS 26 ntoskrnl.exe ntoskrnl.exe + 0x649d51 0xfffff8066bc62d51 X:\windows\system32\ntoskrnl.exe 27 ntoskrnl.exe ntoskrnl.exe + 0x5e5c5e 0xfffff8066bbfec5e X:\windows\system32\ntoskrnl.exe 28 ntoskrnl.exe ntoskrnl.exe + 0x5dae0e 0xfffff8066bbf3e0e X:\windows\system32\ntoskrnl.exe 29 ntoskrnl.exe ntoskrnl.exe + 0x5dbf4d 0xfffff8066bbf4f4d X:\windows\system32\ntoskrnl.exe 30 ntoskrnl.exe ntoskrnl.exe + 0x648c18 0xfffff8066bc61c18 X:\windows\system32\ntoskrnl.exe 31 ntoskrnl.exe ntoskrnl.exe + 0x3af175 0xfffff8066b9c8175 X:\windows\system32\ntoskrnl.exe 32 ntdll.dll ntdll.dll + 0x9d684 0x7ffa389ed684 X:\windows\SYSTEM32\ntdll.dll 33 KERNELBASE.dll KERNELBASE.dll + 0x2af1c 0x7ffa3621af1c X:\windows\System32\KERNELBASE.dll 34 profsvc.dll profsvc.dll + 0x1004d 0x7ffa2e4c004d x:\windows\system32\profsvc.dll 35 profsvc.dll profsvc.dll + 0x132e2 
0x7ffa2e4c32e2 x:\windows\system32\profsvc.dll 36 profsvc.dll profsvc.dll + 0x13609 0x7ffa2e4c3609 x:\windows\system32\profsvc.dll 37 profsvc.dll profsvc.dll + 0xa2a7 0x7ffa2e4ba2a7 x:\windows\system32\profsvc.dll 38 profsvc.dll profsvc.dll + 0x9b44 0x7ffa2e4b9b44 x:\windows\system32\profsvc.dll 39 profsvc.dll profsvc.dll + 0x13adb 0x7ffa2e4c3adb x:\windows\system32\profsvc.dll 40 profsvc.dll profsvc.dll + 0x13f2d 0x7ffa2e4c3f2d x:\windows\system32\profsvc.dll 41 profsvc.dll profsvc.dll + 0x5255 0x7ffa2e4b5255 x:\windows\system32\profsvc.dll 42 ntdll.dll ntdll.dll + 0x3e9c9 0x7ffa3898e9c9 X:\windows\SYSTEM32\ntdll.dll 43 ntdll.dll ntdll.dll + 0x1276a 0x7ffa3896276a X:\windows\SYSTEM32\ntdll.dll 44 KERNEL32.DLL KERNEL32.DLL + 0x16fd4 0x7ffa37b76fd4 X:\windows\System32\KERNEL32.DLL 45 ntdll.dll ntdll.dll + 0x4cf31 0x7ffa3899cf31 X:\windows\SYSTEM32\ntdll.dll 27/02/2021 09:11:02.3882807 HKLM\Software\Policies\Microsoft\MUI\Settings 0 ntoskrnl.exe CmpCallCallBacksEx + 0x1d1 0xfffff8066bbf16b9 X:\windows\system32\ntoskrnl.exe 1 ntoskrnl.exe CmpParseKey + 0x231 0xfffff8066bbede41 X:\windows\system32\ntoskrnl.exe 2 ntoskrnl.exe ObpLookupObjectName + 0x3ee 0xfffff8066bbf3e0e X:\windows\system32\ntoskrnl.exe 3 ntoskrnl.exe ObOpenObjectByNameEx + 0x17d 0xfffff8066bbf4f4d X:\windows\system32\ntoskrnl.exe 4 ntoskrnl.exe ObOpenObjectByName + 0x5a 0xfffff8066bbf74ea X:\windows\system32\ntoskrnl.exe 5 ntoskrnl.exe CmOpenKey + 0x295 0xfffff8066bbf79bd X:\windows\system32\ntoskrnl.exe 6 ntoskrnl.exe NtOpenKey + 0x12 0xfffff8066bc6e132 X:\windows\system32\ntoskrnl.exe 7 ntoskrnl.exe KiSystemServiceCopyEnd + 0x25 0xfffff8066b9c8175 X:\windows\system32\ntoskrnl.exe 8 ntdll.dll NtOpenKey + 0x14 0x7ffa389eb014 X:\windows\SYSTEM32\ntdll.dll 9 ntdll.dll RtlpMuiRegLoadPreferredUILanguages + 0xd5 0x7ffa3897fb0d X:\windows\SYSTEM32\ntdll.dll 10 ntdll.dll InitializeUserOrMachineLangList + 0xaa 0x7ffa389bba4e X:\windows\SYSTEM32\ntdll.dll 11 ntdll.dll InitializeTEBUserLangList + 0x274 
0x7ffa3897aa94 X:\windows\SYSTEM32\ntdll.dll 12 ntdll.dll RtlGetThreadPreferredUILanguages + 0x141 0x7ffa38977f91 X:\windows\SYSTEM32\ntdll.dll 13 ntdll.dll LdrpSetThreadPreferredLangList + 0x13a 0x7ffa38978602 X:\windows\SYSTEM32\ntdll.dll 14 ntdll.dll LdrpLoadResourceFromAlternativeModule + 0xea 0x7ffa38976c62 X:\windows\SYSTEM32\ntdll.dll 15 ntdll.dll LdrpSearchResourceSection_U + 0x178 0x7ffa38975994 X:\windows\SYSTEM32\ntdll.dll 16 ntdll.dll RtlFindMessage + 0x61 0x7ffa3895e1c1 X:\windows\SYSTEM32\ntdll.dll 17 KERNELBASE.dll BaseDllFormatMessage + 0xf5 0x7ffa36214559 X:\windows\System32\KERNELBASE.dll 18 KERNELBASE.dll FormatMessageW + 0x37 0x7ffa36214457 X:\windows\System32\KERNELBASE.dll 19 profsvc.dll CErrorText::CErrorText + 0x30 0x7ffa2e4e057c x:\windows\system32\profsvc.dll 20 profsvc.dll MountRegHive + 0x1651c 0x7ffa2e4d3360 x:\windows\system32\profsvc.dll 21 profsvc.dll LoadChangeUserClasses + 0x53d 0x7ffa2e4c008d x:\windows\system32\profsvc.dll 22 profsvc.dll CUserProfile::UseLocalProfile + 0x196 0x7ffa2e4c32e2 x:\windows\system32\profsvc.dll 23 profsvc.dll CUserProfile::RestoreUserProfile + 0x1a9 0x7ffa2e4c3609 x:\windows\system32\profsvc.dll 24 profsvc.dll ::operator() + 0x587 0x7ffa2e4ba2a7 x:\windows\system32\profsvc.dll 25 profsvc.dll CUserProfile::Load + 0x484 0x7ffa2e4b9b44 x:\windows\system32\profsvc.dll 26 profsvc.dll LogonThreadProcInternal + 0x1eb 0x7ffa2e4c3adb x:\windows\system32\profsvc.dll 27 profsvc.dll LogonThreadProc + 0x1d 0x7ffa2e4c3f2d x:\windows\system32\profsvc.dll 28 profsvc.dll _WorkItemWrapper + 0x35 0x7ffa2e4b5255 x:\windows\system32\profsvc.dll 29 ntdll.dll TppSimplepExecuteCallback + 0x99 0x7ffa3898e9c9 X:\windows\SYSTEM32\ntdll.dll 30 ntdll.dll TppWorkerThread + 0x68a 0x7ffa3896276a X:\windows\SYSTEM32\ntdll.dll 31 KERNEL32.DLL BaseThreadInitThunk + 0x14 0x7ffa37b76fd4 X:\windows\System32\KERNEL32.DLL 32 ntdll.dll RtlUserThreadStart + 0x21 0x7ffa3899cf31 X:\windows\SYSTEM32\ntdll.dll 27/02/2021 09:11:02.4283828 
RegSetValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-864579208-975515589-129103804-500\State REG_DWORD 32768 ------->>>>>> an error with the profile file changes the profile path to x:\users\temp (which gives a black desktop), then creates a ".bak" entry in the registry 27/02/2021 09:11:02.4265251 RegRenameKey HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-864579208-975515589-129103804-500 New Name: S-1-5-21-864579208-975515589-129103804-500.bak 27/02/2021 09:11:02.4298580 RegSetValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-864579208-975515589-129103804-500\ProfileImagePath X:\Users\TEMP 27/02/2021 09:11:03.8604708 Process Start userinit.exe user:MicroWinPe\Administrator --->>> environment variables: USERNAME=SYSTEM USERPROFILE=X:\windows\system32\config\systemprofile 27/02/2021 09:11:03.9968140 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell explorer.exe 27/02/2021 09:11:03.9982835 Process Start Explorer.EXE user:MicroWinPe\Administrator --->>> environment variables: USERNAME=SYSTEM USERPROFILE=X:\windows\system32\config\systemprofile (I forgot to copy the line for Process Start Explorer.exe) 27/02/2021 09:11:04.7540920 Process Start runonce.exe (parameter = /explorer) 27/02/2021 09:11:19.4457919 RegQueryValue HKLM\System\CurrentControlSet\Control\Notifications\0D83063EA3BF2035 winlogon. 
0 ntoskrnl.exe CmpCallCallBacksEx + 0x1d1 0xfffff8066bbf16b9 X:\windows\system32\ntoskrnl.exe 1 ntoskrnl.exe NtQueryValueKey + 0x41f 0xfffff8066bbf81ef X:\windows\system32\ntoskrnl.exe 2 ntoskrnl.exe KiSystemServiceCopyEnd + 0x25 0xfffff8066b9c8175 X:\windows\system32\ntoskrnl.exe 3 ntoskrnl.exe KiServiceLinkage 0xfffff8066b9ba6a0 X:\windows\system32\ntoskrnl.exe 4 ntoskrnl.exe ExpWnfLookupPermanentName + 0xb8 0xfffff8066bbc7320 X:\windows\system32\ntoskrnl.exe 5 ntoskrnl.exe ExpWnfCheckCrossScopeAccess + 0x3c 0xfffff8066bc93c18 X:\windows\system32\ntoskrnl.exe 6 ntoskrnl.exe ExpNtUpdateWnfStateData + 0x410 0xfffff8066bbcce1c X:\windows\system32\ntoskrnl.exe 7 ntoskrnl.exe NtUpdateWnfStateData + 0x2e 0xfffff8066bbcc9fe X:\windows\system32\ntoskrnl.exe 8 ntoskrnl.exe KiSystemServiceCopyEnd + 0x25 0xfffff8066b9c8175 X:\windows\system32\ntoskrnl.exe 9 ntdll.dll NtUpdateWnfStateData + 0x14 0x7ffa389ee784 X:\Windows\System32\ntdll.dll 10 ntdll.dll RtlPublishWnfStateData + 0x4b 0x7ffa389cb98b X:\Windows\System32\ntdll.dll 11 winlogon.exe CSession::SetShellStartupCompleteOrTimedOut + 0x44 0x7ff697828ea4 X:\Windows\System32\winlogon.exe 12 2368.exe PerformDelayedSwitchToApplicationDesktopCallback + 0xc7 0x7ff697828b17 X:\Windows\System32\winlogon.exe 13 ntdll.dll TppExecuteWaitCallback + 0xa4 0x7ffa3898ebac X:\Windows\System32\ntdll.dll 14 ntdll.dll TppWorkerThread + 0x456 0x7ffa38962536 X:\Windows\System32\ntdll.dll 15 kernel32.dll BaseThreadInitThunk + 0x14 0x7ffa37b76fd4 X:\Windows\System32\kernel32.dll 16 ntdll.dll RtlUserThreadStart + 0x21 0x7ffa3899cf31 X:\Windows\System32\ntdll.dll 27/02/2021 09:11:19.6953498 RegQueryValue HKLM\System\CurrentControlSet\Control\Notifications\0F810121A3BC0835 LogonUI.exe 0 ntoskrnl.exe CmpCallCallBacksEx + 0x1d1 0xfffff8066bbf16b9 X:\windows\system32\ntoskrnl.exe 1 ntoskrnl.exe NtQueryValueKey + 0x41f 0xfffff8066bbf81ef X:\windows\system32\ntoskrnl.exe 2 ntoskrnl.exe KiSystemServiceCopyEnd + 0x25 0xfffff8066b9c8175 
X:\windows\system32\ntoskrnl.exe 3 ntoskrnl.exe KiServiceLinkage 0xfffff8066b9ba6a0 X:\windows\system32\ntoskrnl.exe 4 ntoskrnl.exe ExpWnfLookupPermanentName + 0xb8 0xfffff8066bbc7320 X:\windows\system32\ntoskrnl.exe 5 ntoskrnl.exe ExpNtUpdateWnfStateData + 0x385 0xfffff8066bbccd91 X:\windows\system32\ntoskrnl.exe 6 ntoskrnl.exe NtUpdateWnfStateData + 0x2e 0xfffff8066bbcc9fe X:\windows\system32\ntoskrnl.exe 7 ntoskrnl.exe KiSystemServiceCopyEnd + 0x25 0xfffff8066b9c8175 X:\windows\system32\ntoskrnl.exe 8 ntdll.dll NtUpdateWnfStateData + 0x14 0x7ffa389ee784 X:\Windows\System32\ntdll.dll 9 ntdll.dll RtlPublishWnfStateData + 0x4b 0x7ffa389cb98b X:\Windows\System32\ntdll.dll 10 Windows.UI.Logon.dll LogonUX::Frame::_UpdateVisualState + 0x62a 0x7ffa29bfee7e X:\Windows\System32\Windows.UI.Logon.dll 11 Windows.UI.Logon.dll LogonUX::Frame::_UpdateFrameState + 0x164 0x7ffa29bfe820 X:\Windows\System32\Windows.UI.Logon.dll 12 Windows.UI.Logon.dll LogonUX::Frame::[LogonUX::__IFramePublicNonVirtuals]::_OnRootViewModelPropertyChanged + 0x1dd 0x7ffa29c0017d X:\Windows\System32\Windows.UI.Logon.dll 13 Windows.UI.Logon.dll `Windows::UI::Xaml::Data::PropertyChangedEventHandler::PropertyChangedEventHandler'::`2'::__abi_PointerToMemberWeakRefCapture::Invoke + 0xf2 0x7ffa29c0f8c2 X:\Windows\System32\Windows.UI.Logon.dll 14 Windows.UI.Logon.dll Platform::EventSource::DoInvokeVoid > + 0x154 0x7ffa29c05be4 X:\Windows\System32\Windows.UI.Logon.dll 15 Windows.UI.Logon.dll LogonUX::RootViewModel::PropertyChanged::raise + 0xa2 0x7ffa29c03db2 X:\Windows\System32\Windows.UI.Logon.dll 16 Windows.UI.Logon.dll LogonUX::RootViewModel::_UpdateChildViewVisibility + 0x92d 0x7ffa29bef98d X:\Windows\System32\Windows.UI.Logon.dll 17 Windows.UI.Logon.dll ?Shutdown@?QILogonUXViewModel@LogonUX@Logon@UI@Internal@Windows@@RootViewModel@2@UE$AAAXPE$AAUIOperationComplete@Callbacks@3456@@Z + 0x2b 0x7ffa29c5817b X:\Windows\System32\Windows.UI.Logon.dll 18 Windows.UI.Logon.dll 
?__abi_Windows_Internal_UI_Logon_LogonUX_ILogonUXViewModel____abi_Shutdown@?QILogonUXViewModel@LogonUX@Logon@UI@Internal@Windows@@RootViewModel@2@UE$AAAJPE$AAUIOperationComplete@Callbacks@3456@@Z + 0x15 0x7ffa29c58131 X:\Windows\System32\Windows.UI.Logon.dll 19 Windows.UI.Logon.dll ::operator() + 0x6e 0x7ffa29c3e532 X:\Windows\System32\Windows.UI.Logon.dll 20 Windows.UI.XamlHost.dll ASTAThreadHost::ASTAThreadHostThreadProc + 0x26c 0x7ffa2c61aaac X:\Windows\System32\Windows.UI.XamlHost.dll 21 Windows.UI.XamlHost.dll ASTAThreadHost::s_ASTAThreadHostThreadProc + 0x30 0x7ffa2c61a810 X:\Windows\System32\Windows.UI.XamlHost.dll 22 shcore.dll _WrapperThreadProc + 0xe9 0x7ffa37add8e9 X:\Windows\System32\shcore.dll 23 kernel32.dll BaseThreadInitThunk + 0x14 0x7ffa37b76fd4 X:\Windows\System32\kernel32.dll 24 ntdll.dll RtlUserThreadStart + 0x21 0x7ffa3899cf31 X:\Windows\System32\ntdll.dll 27/02/2021 09:11:19.8976833 Process Exit LogonUI.exe pid 2508