Code:
(GuestSL4.pml)
14:36:00 1st FUS from admin LID
14:36:15 sign in button to GuestX; spinning 'welcome'
14:36:48 got black screen (except mouse pointer)
14:39:30 got background screen for GuestX
(apx sign in button)
LogonUI.exe 6060 5640 FASTIO_NETWORK_QUERY_OPEN FAST IO DISALLOWED C:\Windows\System32\cryptbase.dll 0.0000071 "LogonUI.exe" /flags:0x0 /state0:0xa3945855 /state1:0x41c64e6d 5588 16445 2:36:15.1294164 PM NT AUTHORITY\SYSTEM
winlogon.exe 5588 4460 FASTIO_NETWORK_QUERY_OPEN FAST IO DISALLOWED C:\Windows\System32\usermgrcli.dll 0.0000083 winlogon.exe 4792 16452 2:36:15.1772640 PM NT AUTHORITY\SYSTEM
(GuestSL4.user.pml (f GuestX in USER; 12505 of 73053 records))
esif_assist_64.exe 3628 5880 Process Start SUCCESS Parent PID: 2844, Command line: "C:\Windows\TEMP\DPTF\esif_assist_64.exe", Current directory: C:\Windows\TEMP\DPTF\, "C:\Windows\TEMP\DPTF\esif_assist_64.exe" 2844 17260 2:36:17.7043437 PM DESKTOP-FUEV7T3\GuestX
(long intervals)
none > 2sec
(apx black screen)
RAVBg64.exe 376 1456 Process Start SUCCESS Parent PID: 568, Command line: "C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe" /AECBYLISTENTOSTATUS, Current directory: C:\Windows\system32\, "C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe" /AECBYLISTENTOSTATUS 568 27161 2:36:49.3614151 PM
(long intervals)
taskhostw.exe 2204 5748 IRP_MJ_QUERY_SECURITY SUCCESS C:\Users\GuestX\AppData\Roaming\Microsoft\SystemCertificates\My\AppContainerUserCertRead Information: DACL 0.0000116 taskhostw.exe USER 568 2872 2:36:49.9366220 PM DESKTOP-FUEV7T3\GuestX
userinit.exe 2832 2720 FASTIO_NETWORK_QUERY_OPEN FAST IO DISALLOWED C:\Windows\Fonts\micross.ttf 0.0000070 C:\windows\system32\userinit.exe 5588 2873 2:36:56.9289573 PM DESKTOP-FUEV7T3\GuestX
7sec
userinit.exe 2832 2720 FASTIO_QUERY_INFORMATION SUCCESS C:\Windows\Fonts\segoeprb.ttf Type: QueryBasicInformationFile, CreationTime: 10/30/2015 1:18:05 AM, LastAccessTime: 10/30/2015 1:18:05 AM, LastWriteTime: 10/30/2015 1:18:05 AM, ChangeTime: 6/28/2016 9:48:20 PM, FileAttributes: A 0.0000128 C:\windows\system32\userinit.exe 5588 2922 2:36:56.9507284 PM DESKTOP-FUEV7T3\GuestX
taskhostw.exe 2204 5748 Thread Exit SUCCESS Thread ID: 5748, User Time: 0.0000000, Kernel Time: 0.0000000 0.0000000 taskhostw.exe USER 568 2923 2:37:00.5121093 PM DESKTOP-FUEV7T3\GuestX
3sec
sihost.exe 5740 2740 Thread Exit SUCCESS Thread ID: 2740, User Time: 0.0156250, Kernel Time: 0.0000000 0.0000000 sihost.exe 568 3024 2:37:02.1324597 PM DESKTOP-FUEV7T3\GuestX
userinit.exe 2832 2720 FASTIO_NETWORK_QUERY_OPEN FAST IO DISALLOWED C:\Windows\Fonts\simsun.ttc 0.0678030 C:\windows\system32\userinit.exe 5588 3025 2:37:04.1437411 PM DESKTOP-FUEV7T3\GuestX
2sec
RAVBg64.exe 376 5776 FASTIO_ACQUIRE_FOR_SECTION_SYNCHRONIZATION FILE LOCKED WITH ONLY READERS C:\Windows\System32\oledlg.dll SyncType: SyncTypeCreateSection, PageProtection: 5.7633843 "C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe" /AECBYLISTENTOSTATUS 568 3164 2:37:04.2281132 PM DESKTOP-FUEV7T3\GuestX
RAVBg64.exe 376 5776 FASTIO_RELEASE_FOR_SECTION_SYNCHRONIZATION SUCCESS C:\Windows\System32\oledlg.dll 0.0000083 "C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe" /AECBYLISTENTOSTATUS 568 3165 2:37:09.9915372 PM DESKTOP-FUEV7T3\GuestX
5sec
RAVCpl64.exe 5528 5152 IRP_MJ_READ SUCCESS C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe Offset: 3,413,504, Length: 4,096, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O, Priority: Normal 0.0160021 "C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe" -s 568 3264 2:37:10.7157185 PM DESKTOP-FUEV7T3\GuestX
userinit.exe 2832 2720 FASTIO_NETWORK_QUERY_OPEN FAST IO DISALLOWED C:\Windows\Fonts\YuGothB.ttc 0.0000077 C:\windows\system32\userinit.exe 5588 3265 2:37:13.6227588 PM DESKTOP-FUEV7T3\GuestX
3sec
RAVCpl64.exe 5528 5152 FASTIO_QUERY_INFORMATION SUCCESS C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe Type: QueryBasicInformationFile, CreationTime: 12/24/2015 9:56:37 AM, LastAccessTime: 12/24/2015 9:56:37 AM, LastWriteTime: 11/15/2015 9:16:54 PM, ChangeTime: 12/24/2015 9:57:38 AM, FileAttributes: A 0.0000403 "C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe" -s 568 3343 2:37:19.1593157 PM DESKTOP-FUEV7T3\GuestX
RAVCpl64.exe 5528 5152 IRP_MJ_READ SUCCESS C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe Offset: 3,376,640, Length: 16,384, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O, Priority: Normal 0.0557952 "C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe" -s 568 3344 2:37:22.8666456 PM DESKTOP-FUEV7T3\GuestX
3sec
RAVBg64.exe 376 5776 FASTIO_ACQUIRE_FOR_SECTION_SYNCHRONIZATION SUCCESS C:\Windows\System32\RtkApi64.dll SyncType: SyncTypeOther 2.9108412 "C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe" /AECBYLISTENTOSTATUS 568 3880 2:37:29.7846012 PM DESKTOP-FUEV7T3\GuestX
userinit.exe 2832 6000 Thread Exit SUCCESS Thread ID: 6000, User Time: 0.0000000, Kernel Time: 0.0000000 0.0000000 C:\windows\system32\userinit.exe 5588 3881 2:37:32.3132181 PM DESKTOP-FUEV7T3\GuestX
3sec
RAVCpl64.exe 5528 5152 FASTIO_RELEASE_FOR_SECTION_SYNCHRONIZATION SUCCESS C:\Windows\System32\RtkCfg64.dll 0.0000070 "C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe" -s 568 3996 2:37:33.6892517 PM DESKTOP-FUEV7T3\GuestX
RAVCpl64.exe 5528 5152 IRP_MJ_CREATE SUCCESS C:\Windows\System32\RtkCfg64.dll Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened 0.0000640 "C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe" -s 568 3997 2:37:37.6323339 PM DESKTOP-FUEV7T3\GuestX
4sec
RAVCpl64.exe 5528 5152 IRP_MJ_READ SUCCESS C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe Offset: 2,984,448, Length: 16,384, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O, Priority: Normal 0.0135080 "C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe" -s 568 4058 2:37:40.3187766 PM DESKTOP-FUEV7T3\GuestX
RAVCpl64.exe 5528 5520 Thread Create SUCCESS Thread ID: 5372 0.0000000 "C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe" -s 568 4059 2:37:47.1760768 PM DESKTOP-FUEV7T3\GuestX
RAVBg64.exe 376 36 Thread Create SUCCESS Thread ID: 6112 0.0000000 "C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe" /AECBYLISTENTOSTATUS 568 4060 2:37:55.8600842 PM DESKTOP-FUEV7T3\GuestX
RAVBg64.exe 376 6112 Thread Create SUCCESS Thread ID: 5192 0.0000000 "C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe" /AECBYLISTENTOSTATUS 568 4061 2:37:58.1782247 PM DESKTOP-FUEV7T3\GuestX
sihost.exe 5740 5264 FASTIO_NETWORK_QUERY_OPEN FAST IO DISALLOWED C:\Users\GuestX\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\Microsoft.Windows.Cortana_1.6.1.52_neutral_neutral_cw5n1h2txyewy\ActivationStore\ActivationStore.dat 0.0000071 sihost.exe 568 4062 2:38:00.0637626 PM DESKTOP-FUEV7T3\GuestX
20sec
sihost.exe 5740 5264 FASTIO_RELEASE_FOR_SECTION_SYNCHRONIZATION SUCCESS C:\Windows\AppPatch\apppatch64\sysmain.sdb 0.0000070 sihost.exe 568 5606 2:38:12.9059081 PM DESKTOP-FUEV7T3\GuestX
sihost.exe 5740 5532 Thread Exit SUCCESS Thread ID: 5532, User Time: 0.0000000, Kernel Time: 0.0000000 0.0000000 sihost.exe 568 5607 2:38:18.2855301 PM DESKTOP-FUEV7T3\GuestX
RuntimeBroker.exe 6012 2608 IRP_MJ_CREATE NAME NOT FOUND C:\Users\GuestX\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6b415fe2ca7204fa.customDestinations-ms Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Disallow Exclusive, Attributes: n/a, ShareMode: Read, AllocationSize: n/a 0.0000345 C:\Windows\System32\RuntimeBroker.exe -Embedding 864 5608 2:38:19.1694406 PM DESKTOP-FUEV7T3\GuestX
7sec
sihost.exe 5740 5264 FASTIO_ACQUIRE_FOR_SECTION_SYNCHRONIZATION SUCCESS C:\Windows\AppPatch\apppatch64\sysmain.sdb SyncType: SyncTypeOther 0.0000090 sihost.exe 568 6667 2:38:26.8635998 PM DESKTOP-FUEV7T3\GuestX
sihost.exe 5740 5264 FASTIO_RELEASE_FOR_SECTION_SYNCHRONIZATION SUCCESS C:\Windows\AppPatch\apppatch64\sysmain.sdb 0.0000064 sihost.exe 568 6668 2:38:26.8636408 PM DESKTOP-FUEV7T3\GuestX
RAVCpl64.exe 5528 5504 Thread Exit SUCCESS Thread ID: 5504, User Time: 0.0000000, Kernel Time: 0.0000000 0.0000000 "C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe" -s 568 6669 2:38:32.5726462 PM DESKTOP-FUEV7T3\GuestX
RAVCpl64.exe 5528 5124 Thread Exit SUCCESS Thread ID: 5124, User Time: 0.0000000, Kernel Time: 0.0000000 0.0000000 "C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe" -s 568 6670 2:38:32.5768888 PM DESKTOP-FUEV7T3\GuestX
RAVBg64.exe 376 5392 Thread Exit SUCCESS Thread ID: 5392, User Time: 0.0000000, Kernel Time: 0.0156250 0.0000000 "C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe" /AECBYLISTENTOSTATUS 568 6671 2:38:34.0020250 PM DESKTOP-FUEV7T3\GuestX
RAVBg64.exe 376 6072 Thread Exit SUCCESS Thread ID: 6072, User Time: 0.0156250, Kernel Time: 0.0000000 0.0000000 "C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe" /AECBYLISTENTOSTATUS 568 6672 2:38:34.0342013 PM DESKTOP-FUEV7T3\GuestX
RAVBg64.exe 376 6100 Thread Exit SUCCESS Thread ID: 6100, User Time: 0.0000000, Kernel Time: 0.0156250 0.0000000 "C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe" /AECBYLISTENTOSTATUS 568 6673 2:38:34.0342506 PM DESKTOP-FUEV7T3\GuestX
igfxEM.exe 3668 4424 Thread Exit SUCCESS Thread ID: 4424, User Time: 0.0000000, Kernel Time: 0.0000000 0.0000000 igfxEM.exe 4768 6674 2:38:34.3089678 PM DESKTOP-FUEV7T3\GuestX
igfxHK.exe 5476 5388 Thread Exit SUCCESS Thread ID: 5388, User Time: 0.0000000, Kernel Time: 0.0000000 0.0000000 igfxHK.exe 4768 6675 2:38:34.4399542 PM DESKTOP-FUEV7T3\GuestX
rundll32.exe 2540 2784 Thread Exit SUCCESS Thread ID: 2784, User Time: 0.0156250, Kernel Time: 0.0781250 0.0000000 rundll32.exe AppXDeploymentExtensions.dll,ShellRefresh 5208 6676 2:38:48.9288805 PM DESKTOP-FUEV7T3\GuestX
rundll32.exe 2540 5556 Thread Exit SUCCESS Thread ID: 5556, User Time: 0.0000000, Kernel Time: 0.0156250 0.0000000 rundll32.exe AppXDeploymentExtensions.dll,ShellRefresh 5208 6677 2:38:49.0668916 PM DESKTOP-FUEV7T3\GuestX
23sec
rundll32.exe 2540 5332 Process Exit SUCCESS Exit Status: 0, User Time: 0.0156250 seconds, Kernel Time: 0.0937500 seconds, Private Bytes: 1,146,880, Peak Private Bytes: 2,031,616, Working Set: 5,816,320, Peak Working Set: 8,548,352 0.0000000 rundll32.exe AppXDeploymentExtensions.dll,ShellRefresh 5208 6701 2:38:49.0706446 PM DESKTOP-FUEV7T3\GuestX
sihost.exe 5740 5264 FASTIO_NETWORK_QUERY_OPEN FAST IO DISALLOWED C:\Users\GuestX\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\Microsoft.Windows.ContentDeliveryManager_10.0.10586.0_neutral_neutral_cw5n1h2txyewy\ActivationStore\ActivationStore.dat 0.0000083 sihost.exe 568 6702 2:38:52.6846551 PM DESKTOP-FUEV7T3\GuestX
3sec
sihost.exe 5740 5264 FASTIO_QUERY_INFORMATION SUCCESS C:\Windows\AppPatch\apppatch64\sysmain.sdb Type: QueryBasicInformationFile, CreationTime: 10/30/2015 1:18:19 AM, LastAccessTime: 10/30/2015 1:18:19 AM, LastWriteTime: 10/30/2015 1:18:19 AM, ChangeTime: 6/28/2016 9:48:09 PM, FileAttributes: A 0.0000128 sihost.exe 568 6735 2:38:52.8044369 PM DESKTOP-FUEV7T3\GuestX
RuntimeBroker.exe 6012 2608 Thread Exit SUCCESS Thread ID: 2608, User Time: 0.1875000, Kernel Time: 1.7500000 0.0000000 C:\Windows\System32\RuntimeBroker.exe -Embedding 864 6736 2:38:55.9752407 PM DESKTOP-FUEV7T3\GuestX
3sec
sihost.exe 5740 5264 FASTIO_RELEASE_FOR_SECTION_SYNCHRONIZATION SUCCESS C:\Windows\AppPatch\apppatch64\sysmain.sdb 0.0000064 sihost.exe 568 7536 2:39:01.5138270 PM DESKTOP-FUEV7T3\GuestX
RuntimeBroker.exe 6012 5556 IRP_MJ_CREATE NAME NOT FOUND C:\Users\GuestX\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6b415fe2ca7204fa.customDestinations-ms Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Disallow Exclusive, Attributes: n/a, ShareMode: Read, AllocationSize: n/a 0.0000339 C:\Windows\System32\RuntimeBroker.exe -Embedding 864 7537 2:39:04.8310791 PM DESKTOP-FUEV7T3\GuestX
3sec
sihost.exe 5740 5264 FASTIO_RELEASE_FOR_SECTION_SYNCHRONIZATION SUCCESS C:\Windows\AppPatch\apppatch64\sysmain.sdb 0.0000064 sihost.exe 568 8608 2:39:12.5464949 PM DESKTOP-FUEV7T3\GuestX
RuntimeBroker.exe 6012 5556 IRP_MJ_CREATE NAME NOT FOUND C:\Users\GuestX\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6b415fe2ca7204fa.customDestinations-ms Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Disallow Exclusive, Attributes: n/a, ShareMode: Read, AllocationSize: n/a 0.0000845 C:\Windows\System32\RuntimeBroker.exe -Embedding 864 8609 2:39:17.1325576 PM DESKTOP-FUEV7T3\GuestX
5sec
sihost.exe 5740 5264 FASTIO_RELEASE_FOR_SECTION_SYNCHRONIZATION SUCCESS C:\Windows\AppPatch\apppatch64\sysmain.sdb 0.0000064 sihost.exe 568 9138 2:39:19.5158047 PM DESKTOP-FUEV7T3\GuestX
RuntimeBroker.exe 6012 5556 IRP_MJ_CREATE NAME NOT FOUND C:\Users\GuestX\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6b415fe2ca7204fa.customDestinations-ms Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Disallow Exclusive, Attributes: n/a, ShareMode: Read, AllocationSize: n/a 0.0000391 C:\Windows\System32\RuntimeBroker.exe -Embedding 864 9139 2:39:23.1254759 PM DESKTOP-FUEV7T3\GuestX
4sec
sihost.exe 5740 5264 FASTIO_RELEASE_FOR_SECTION_SYNCHRONIZATION SUCCESS C:\Windows\AppPatch\apppatch64\sysmain.sdb 0.0000064 sihost.exe 568 9668 2:39:25.6796669 PM DESKTOP-FUEV7T3\GuestX
RuntimeBroker.exe 6012 5556 IRP_MJ_CREATE NAME NOT FOUND C:\Users\GuestX\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6b415fe2ca7204fa.customDestinations-ms Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Disallow Exclusive, Attributes: n/a, ShareMode: Read, AllocationSize: n/a 0.0000358 C:\Windows\System32\RuntimeBroker.exe -Embedding 864 9669 2:39:28.1730918 PM DESKTOP-FUEV7T3\GuestX
3sec
sihost.exe 5740 5704 Thread Create SUCCESS Thread ID: 5384 0.0000000 sihost.exe 568 9955 2:39:29.0355517 PM DESKTOP-FUEV7T3\GuestX
sihost.exe 5740 72 IRP_MJ_CREATE SUCCESS C:\ProgramData\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.ShellExperienceHost_10.0.10586.0_neutral_neutral_cw5n1h2txyewy\S-1-5-21-2066208938-1081718929-168908179-1011.pckgdep Desired Access: Generic Read, Disposition: Open, Options: Sequential Access, Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: Read, AllocationSize: n/a, OpenResult: Opened 0.0001004 sihost.exe 568 9956 2:39:31.0343633 PM DESKTOP-FUEV7T3\GuestX
2sec
(apx background screen)
sihost.exe 5740 2272 FASTIO_NETWORK_QUERY_OPEN FAST IO DISALLOWED C:\Users\GuestX\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\Microsoft.Windows.ShellExperienceHost_10.0.10586.0_neutral_neutral_cw5n1h2txyewy\ActivationStore\ActivationStore.dat 0.0000076 sihost.exe 568 62915 2:39:31.1899637 PM