| BH12117 | Accesses registry settings. | |
| BH12123 | Accesses/installs certificates. | |
| BH12124 | Adds a new entry to the registry on a remote computer. | |
| BH12126 | Adds a new subkey to the registry on a remote computer. | |
| BH12127 | Adds a new entry to the registry. | |
| BH12128 | Adds a new subkey to the registry. | |
| BH12129 | Adds new users to a user group. | |
| BH12131 | Adds credentials to the Windows Credential Manager. | |
| BH12132 | Adds new certificates to trust store. | |
| BH12133 | Adds new users to an active directory user group. | |
| BH12135 | Adds or removes computer from a domain or workgroup. | |
| BH12144 | Bypasses the default script execution policy. | |
| BH12151 | Changes computer name. | |
| BH12152 | Changes event log settings using WMI. | |
| BH12155 | Changes operating system recovery settings using WMI. | |
| BH12158 | Changes properties of a scheduled task. | |
| BH12164 | Changes system domain information using WMI. | |
| BH12165 | Changes system environment variables using WMI. | |
| BH12166 | Changes system information using WMI. | |
| BH12171 | Changes username or password. | |
| BH12172 | Changes user account information using WMI. | |
| BH12173 | Changes WMI service settings. | |
| BH12181 | Clears content of items, such as registry keys. | |
| BH12182 | Clears content of items, such as registry values. | |
| BH12198 | Creates a new active directory user group. | |
| BH12200 | Creates a new user account. | |
| BH12201 | Creates a new local user group. | |
| BH12210 | Creates event triggers on local or remote machines. | |
| BH12211 | Creates new user accounts. | |
| BH12212 | Creates or changes item properties, such as registry keys. | |
| BH12218 | Creates new registry keys. | |
| BH12224 | Deletes a local user group. | |
| BH12229 | Deletes a subkey from the registry on a remote computer. | |
| BH12230 | Deletes a user account. | |
| BH12231 | Deletes an active directory user group. | |
| BH12234 | Deletes credentials from the Windows Credential Manager. | |
| BH12235 | Deletes entries from the registry on a remote computer. | |
| BH12236 | Deletes entries from the registry. | |
| BH12241 | Deletes the per-user audit policy for all users. | |
| BH12242 | Deletes users using cmdkey. | |
| BH12246 | Disables advanced boot options. | |
| BH12247 | Disables Automatic Startup Repair. | |
| BH12248 | Disables boot options editing. | |
| BH12250 | Disables Emergency Management Services (EMS). | |
| BH12251 | Disables failed boot warning messages at startup. | |
| BH12254 | Disables recovery console. | |
| BH12257 | Disables Startup Repair (Automatic Repair) at startup. | |
| BH12258 | Disables the Adobe update service. | |
| BH12259 | Disables the alerter service used to send administrative alerts to users. | |
| BH12260 | Disables the Application Identity service. | |
| BH12261 | Disables the Application Information service. | |
| BH12262 | Disables the Application Management service. | |
| BH12263 | Disables the BitLocker Drive Encryption service. | |
| BH12264 | Disables the Credential Manager service. | |
| BH12265 | Disables the Cryptographic services. | |
| BH12266 | Disables the Desktop Window Manager Session Manager service. | |
| BH12267 | Disables the Device Management Wireless Application Protocol service. | |
| BH12269 | Disables the DNS Client service. | |
| BH12270 | Disables the Dropbox update service. | |
| BH12271 | Disables the Enterprise App Management service. | |
| BH12272 | Disables the Extensible Authentication Protocol service. | |
| BH12273 | Disables the File History service. | |
| BH12274 | Disables the Google update service. | |
| BH12275 | Disables the Microsoft Passport service. | |
| BH12276 | Disables the Microsoft Smartcard Certificate Propagation service. | |
| BH12277 | Disables the Microsoft Software Shadow Copy Provider service. | |
| BH12278 | Disables the Microsoft Store Install service. | |
| BH12279 | Disables the Microsoft Windows Shared Access service. | |
| BH12282 | Disables the Network List service. | |
| BH12283 | Disables the Network Location Awareness service. | |
| BH12284 | Disables the Remote Access Connection Manager service. | |
| BH12285 | Disables the Remote Desktop services. | |
| BH12286 | Disables the Remote Procedure Call (RPC) service. | |
| BH12287 | Disables the Secondary Logon service. | |
| BH12288 | Disables the Server service. | |
| BH12289 | Disables the SPP Notification service (used for software licensing activation and notification). | |
| BH12290 | Disables the System Guard Runtime Monitor Broker service. | |
| BH12291 | Disables the Task Scheduler service. | |
| BH12292 | Disables the UPnP Device Host service. | |
| BH12294 | Disables the Windows Backup service. | |
| BH12295 | Disables the Windows Error Reporting service. | |
| BH12298 | Disables the Windows License Manager service. | |
| BH12299 | Disables the Windows Management Instrumentation service. | |
| BH12300 | Disables the Windows Modules Installer service. | |
| BH12301 | Disables the Windows Time service. | |
| BH12363 | Immediately runs a scheduled task on a remote computer. | |
| BH12364 | Immediately runs a scheduled task. | |
| BH12365 | Imports a certificate. | |
| BH12380 | Indicates whether or not a backup policy can perform bare metal recoveries from backups. | |
| BH12398 | List all sessions connected to this machine. | |
| BH12399 | List sessions from a given machine. | |
| BH12413 | Manipulates proxy settings. | |
| BH12414 | Manipulates settings that control features of third-party network services. | |
| BH12415 | Manipulates settings that determine what information browser makes available to websites. | |
| BH12416 | Manipulates settings that influence handling of network connections. | |
| BH12421 | Modifies Boot.ini file settings. | |
| BH12457 | Moves properties of items, such as registry values. | |
| BH12466 | Prepares a hard drive with the partitions necessary for BitLocker Drive Encryption. | |
| BH12477 | Registers itself as handler for a MIME type. | |
| BH12478 | Registers itself as handler for a protocol. | |
| BH12479 | Removes a computer from the domain. | |
| BH12487 | Removes certificates. | |
| BH12488 | Removes event triggers on local or remote machines. | |
| BH12491 | Removes the per-user audit policy for a specified account or all accounts. | |
| BH12492 | Removes the per-user audit policy for a specified account. | |
| BH12493 | Removes the per-user audit policy for all accounts. | |
| BH12494 | Removes user accounts. | |
| BH12495 | Removes users from a user group. | |
| BH12496 | Removes users from an active directory user group. | |
| BH12532 | Returns all child certificates from a parent certificate used in a user request for the AD RMS cluster. | |
| BH12533 | Returns all of the certificate enrollment policy server URL configurations. | |
| BH12535 | Returns an App-V connection group object. | |
| BH12538 | Returns the configuration for the DirectAccess client user experience. | |
| BH12540 | Returns use-license information from an issuance license used in a user request for the Active Directory Rights Management Services (AD RMS) cluster. | |
| BH12592 | Tampers with Active Directory Federation Services (AD FS) settings. | |
| BH12593 | Tampers with Active Directory Rights Management Services (AD RMS) settings. | |
| BH12594 | Tampers with Active Directory settings. | |
| BH12596 | Tampers with App-V Client settings. | |
| BH12597 | Tampers with AppLocker settings. | |
| BH12598 | Tampers with audit policies. | |
| BH12600 | Tampers with auto-disconnect time of the server service. | |
| BH12603 | Tampers with Best Practices Analyzer settings. | |
| BH12604 | Tampers with BitLocker settings. | |
| BH12605 | Tampers with boot configuration. | |
| BH12606 | Tampers with boot debugger of Windows Boot Manager. | |
| BH12607 | Tampers with Boot Event Collector settings. | |
| BH12608 | Tampers with Border Gateway Protocol, DirectAccess, RemoteAccess or other VPN settings. | |
| BH12609 | Tampers with BranchCache settings. | |
| BH12610 | Tampers with certificates and certificate store. | |
| BH12611 | Tampers with Cluster-Aware Updating. | |
| BH12614 | Tampers with Computer Machine Password. | |
| BH12615 | Tampers with Configurable Code Integrity settings. | |
| BH12616 | Tampers with Control Panel items. | |
| BH12617 | Tampers with cron jobs. | |
| BH12618 | Tampers with Data Center Bridging (DCB) Quality of Service (QoS) settings. | |
| BH12620 | Tampers with Developer Mode settings. | |
| BH12621 | Tampers with Device Health Attestation (DHA) settings. | |
| BH12623 | Tampers with Directory Certificate Services (AD CS) Certification Authority (CA). | |
| BH12626 | Tampers with Display Resolution. | |
| BH12627 | Tampers with Distributed File System (DFS) Namespaces. | |
| BH12635 | Tampers with Dynamic Host Configuration Protocol (DHCP) server settings. | |
| BH12636 | Tampers with Emergency Management Services (EMS). | |
| BH12637 | Tampers with Emergency Management Services console settings. | |
| BH12641 | Tampers with exploitation and security mitigation policies of a process. | |
| BH12642 | Tampers with F10 key during startup to allow/prevent access to advanced boot menu. | |
| BH12643 | Tampers with F8 key during startup to allow/prevent access to advanced boot menu. | |
| BH12644 | Tampers with failed boot warning messages at startup. | |
| BH12645 | Tampers with Failover Clustering. | |
| BH12646 | Tampers with file extension associations. | |
| BH12650 | Tampers with Group Policy Objects (GPOs) for a domain. | |
| BH12651 | Tampers with Group Policy Objects dependencies. | |
| BH12652 | Tampers with Group Policy settings. | |
| BH12653 | Tampers with Host Guardian Service (HGS) Key Protection Service (KPS) settings. | |
| BH12654 | Tampers with Host Guardian Service settings. | |
| BH12657 | Tampers with Hyper-V Host Compute Service. | |
| BH12658 | Tampers with Hyper-V Network Virtualization (HNV) settings. | |
| BH12659 | Tampers with Hyper-V virtual machines. | |
| BH12660 | Tampers with information in URL Zone Identifier, commonly used to bypass warnings after downloading files from the Internet. | |
| BH12661 | Tampers with installed applications. | |
| BH12662 | Tampers with Internet Information Services (IIS) settings. | |
| BH12663 | Tampers with IP Address Management (IPAM) settings. | |
| BH12668 | Tampers with Key Distribution Service (KDS) settings. | |
| BH12673 | Tampers with macro options. | |
| BH12674 | Tampers with Microsoft Distributed Transaction Coordinator (MSDTC) settings. | |
| BH12675 | Tampers with Microsoft Excel settings. | |
| BH12676 | Tampers with Microsoft Message Queuing. | |
| BH12677 | Tampers with Microsoft User Experience Virtualization (UE-V) settings. | |
| BH12679 | Tampers with Multipath I/O (MPIO) settings. | |
| BH12681 | Tampers with network adapter settings. | |
| BH12682 | Tampers with network adapters. | |
| BH12683 | Tampers with Network Address Translation (NAT). | |
| BH12685 | Tampers with Network Connectivity Status Indicator settings. | |
| BH12686 | Tampers with Network Controller settings. | |
| BH12687 | Tampers with Network File System (NFS) settings. | |
| BH12689 | Tampers with Network Load Balancing (NLB) cluster settings. | |
| BH12690 | Tampers with Network Logical Link Discovery Protocol. | |
| BH12691 | Tampers with Network Policy Server (NPS) settings. | |
| BH12693 | Tampers with Network Quality of Service (QoS) settings. | |
| BH12696 | Tampers with Network Switch settings. | |
| BH12697 | Tampers with Network Switch Team settings. | |
| BH12698 | Tampers with Network Virtualization settings. | |
| BH12699 | Tampers with NIC Teaming (load balancing and failover) settings. | |
| BH12702 | Tampers with Open Database Connectivity (ODBC) drivers. | |
| BH12703 | Tampers with password and logon restrictions. | |
| BH12704 | Tampers with performance counters. | |
| BH12712 | Changes printer settings. | |
| BH12713 | Tampers with registry entries. | |
| BH12714 | Tampers with Remote Desktop Licensing settings. | |
| BH12715 | Tampers with Remote Desktop Service settings. | |
| BH12721 | Tampers with Secure Boot settings. | |
| BH12723 | Tampers with security or audit policies. | |
| BH12724 | Tampers with Server Manager Tasks Configuration settings. | |
| BH12726 | Tampers with Server Message Block (SMB) witness client registrations. | |
| BH12730 | Tampers with Startup Repair (Automatic Repair) at startup. | |
| BH12731 | Tampers with Storage Management Initiative - Specification (SMI-S) provider. | |
| BH12732 | Tampers with Storage Pools. | |
| BH12733 | Tampers with Storage Quality of Service (QoS) settings. | |
| BH12734 | Tampers with Storage Replica settings. | |
| BH12735 | Tampers with storage subsystem. | |
| BH12738 | Tampers with system date. | |
| BH12739 | Tampers with system environment variables. | |
| BH12740 | Tampers with system firmware environment variables. | |
| BH12743 | Tampers with system settings. | |
| BH12749 | Tampers with the local computer name. | |
| BH12751 | Tampers with the secure channel between the local computer and its domain. | |
| BH12752 | Tampers with the workspace settings. | |
| BH12753 | Tampers with Transport Layer Security (TLS) protocol cipher suites. | |
| BH12754 | Tampers with Trusted Platform Module (TPM). | |
| BH12756 | Tampers with User Access Logging. | |
| BH12758 | Tampers with user logon screen. | |
| BH12761 | Tampers with visibility settings. | |
| BH12764 | Tampers with VPN Client settings. | |
| BH12769 | Tampers with Windows Container networking settings. | |
| BH12772 | Tampers with Windows features, roles or role services. | |
| BH12773 | Tampers with Windows Firewall or IPsec settings. | |
| BH12774 | Tampers with Windows Hardware Error Architecture memory policies. | |
| BH12775 | Tampers with Windows MultiPoint Server desktops. | |
| BH12778 | Tampers with Windows Search settings. | |
| BH12779 | Tampers with Windows Server Backup settings. | |
| BH12780 | Tampers with Windows Server Migration Tools. | |
| BH12781 | Tampers with Windows Server Update Services. | |
| BH12785 | Tampers with Windows Store apps. | |
| BH12787 | Tampers with worksheet editing options. | |
| BH12788 | Tampers with WS-Manager settings. | |
| BH12790 | Temporarily disables power management. | |
| BH12806 | Uses BCDboot command line tool. | |
| BH12807 | Uses BCDedit command line tool. | |
| BH12809 | Uses certutil command line tool. | |
| BH12810 | Uses cmstp command line tool. | |
| BH12819 | Verifies whether a TPM supports specified features. | |
| BH12826 | Removes protection from the active sheet, macro sheet, chart, dialog sheet, module, or scenario. | |
| BH12859 | Accesses a cron job file. | |
| BH12872 | Modifies a group password. | |
| BH12873 | Modifies a group name. | |
| BH12874 | Modifies a group gid. | |
| BH12875 | Removes a user from a group. | |
| BH12908 | Modifies user groups. | |
| BH12909 | Modifies the user home location. | |
| BH12910 | Modifies the primary user group. | |
| BH12911 | Locks the user account. | |
| BH12912 | Modifies the user uid. | |
| BH12913 | Modifies the user shell. | |
| BH12914 | Modifies the user subuids/subgids. | |
| BH12916 | Sets a gsettings value. | |
| BH12920 | Sets the value of an sd-bus property. | |
| BH12924 | Configues kernel parameters at runtime. | |
| BH12945 | Allocates system users or groups. | |
| BH12960 | Changes the ulimit configuration. | |
| BH13018 | Adds an apt repository. | |
| BH13037 | Changes a user's password expiry. | |
| BH13038 | Changes a user's login shell. | |
| BH13044 | Uses the Kerberos database maintenance utility. | |
| BH13045 | Uses the Kerberos V5 database administration system. | |
| BH13061 | Installs an XDG desktop file. | |
| BH13062 | Sets file capabilities. | |
| BH13076 | Manages devices of running Linux Containers. | |
| BH13084 | Moves LXD instances within or in between LXD servers. | |
| BH13087 | Manages LXD profiles. | |
| BH13088 | Manages LXD projects. | |
| BH13092 | Manages LXD storage pools and volumes. | |
| BH13122 | Populates a dconf subpath. | |
| BH13226 | Writes data to an SSH configuration file. | |
| BH13253 | Creates or modifies an environment variable. | |
| BH13259 | Deletes an environment variable. | |
| BH13295 | Contains references to environment variables related to Amazon Web Services (AWS). | |
| BH13296 | Contains a reference to an environment variable that holds an Amazon Web Services (AWS) access key. | |
| BH13297 | Contains a reference to an environment variable that holds an Amazon Web Services (AWS) configuration location. | |
| BH13298 | Contains a reference to an environment variable that holds an Amazon Web Services (AWS) secret access key. | |
| BH13299 | Contains a reference to an environment variable that holds an Amazon Web Services (AWS) session token. | |
| BH13300 | Contains a reference to an environment variable that holds an Amazon Web Services (AWS) access key location. | |
| BH13301 | Contains a reference to an environment variable that holds an Amazon Web Services (AWS) web identity token location. | |
| BH16142 | Creates a bitsadmin job. | |
| BH16143 | Activates a bitsadmin job. | |
| BH17299 | Modifies user profile settings. | |
| BH18123 | Detects if the current operating system is Windows NT. | |
| BH19114 | Enumerates audit policies. | |
| BH19127 | Enumerates cached Kerberos tickets. | |
| BH19134 | Enumerates TLS cipher suites for a computer. | |
| BH19149 | Enumerates default load balance policy for MPIO devices. | |
| BH19154 | Enumerates DFS namespace settings for a DFSN root server. | |
| BH19160 | Enumerates DTC instances. | |
| BH19161 | Enumerates Elliptic Curve Cryptography (ECC) cipher suites available for TLS for a computer. | |
| BH19166 | Enumerates event triggers on local or remote machines. | |
| BH19172 | Enumerates features of a network switch. | |
| BH19183 | Enumerates information about Windows Server roles, role services, and features that are available for installation and installed on a specified server. | |
| BH19190 | Enumerates IP addresses that need to be added and deleted to an IPsec rule. | |
| BH19207 | Enumerates MPIO settings. | |
| BH19213 | Enumerates network controller application settings. | |
| BH19214 | Enumerates network controller cluster settings. | |
| BH19215 | Enumerates network controller diagnostic settings. | |
| BH19216 | Enumerates network controller node settings. | |
| BH19222 | Enumerates NRPT global settings. | |
| BH19233 | Enumerates permissions for a DFS namespace folder. | |
| BH19245 | Enumerates products currently available on WSUS. | |
| BH19257 | Enumerates running processes on a remote computer. | |
| BH19261 | Enumerates scheduled tasks on a remote computer. | |
| BH19262 | Enumerates scheduled tasks. | |
| BH19270 | Enumerates settings for a DFS namespace folder. | |
| BH19271 | Enumerates settings for DFS namespaces. | |
| BH19272 | Enumerates settings for MSDSM automatically claiming SAN disks for MPIO. | |
| BH19273 | Enumerates settings for root targets of a DFS namespace. | |
| BH19274 | Enumerates settings for targets of a DFS namespace folder. | |
| BH19298 | Enumerates team interfaces. | |
| BH19332 | Enumerates values for the options that can be configured. | |
| BH19336 | Enumerates Windows Container networking settings. | |
| BH19343 | Gets a VIP resource. | |
| BH19344 | Gets a virtual desktop. | |
| BH19347 | Gets an object that contains information about a TPM. | |
| BH19348 | Gets and writes the RSoP information for a user, a computer, or both to a file. | |
| BH19349 | Gets BidTrace settings. | |
| BH19352 | Gets data center bridging exchange settings. | |
| BH19353 | Gets dynamic categories on a WSUS server. | |
| BH19355 | Gets global data of a network switch. | |
| BH19356 | Gets Group Policy inheritance information for a specified domain or OU. | |
| BH19363 | Gets information about the endorsement key and certificates of the TPM. | |
| BH19369 | Gets one GPO or all the GPOs in a domain. | |
| BH19370 | Gets one or more Registry preference items under either Computer Configuration or User Configuration in a GPO. | |
| BH19371 | Gets one or more registry-based policy settings under either Computer Configuration or User Configuration in a GPO. | |
| BH19372 | Gets or sets the security protocol used by the ServicePoint objects. | |
| BH19377 | Gets run-time information for a scheduled task. | |
| BH19381 | Gets the active encryption certificate thumbprint. | |
| BH19382 | Gets the active signing certificate. | |
| BH19383 | Gets the attestation signer certificates that the Key Protection Service trusts. | |
| BH19385 | Gets the certificate chain policy. | |
| BH19387 | Gets the configuration of the Key Protection Service. | |
| BH19393 | Gets the file information necessary to create AppLocker rules from a list of files or an event log. | |
| BH19395 | Gets the inactive encryption certificate. | |
| BH19396 | Gets the inactive signing certificate. | |
| BH19398 | Gets the job options of scheduled jobs. | |
| BH19401 | Gets the list of all WSUS classifications currently available in the system. | |
| BH19402 | Gets the local, the effective, or a domain AppLocker policy. | |
| BH19404 | Gets the object representing the policy store, which contains global QoS settings. | |
| BH19405 | Gets the permission level for one or more security principals on a specified GPO. | |
| BH19406 | Gets the prefix policy. | |
| BH19407 | Gets the priority-based flow control settings. | |
| BH19410 | Gets the security descriptor for a resource, such as a file or registry key. | |
| BH19411 | Gets the set of all Windows features that can be migrated from the local server or from a migration store. | |
| BH19412 | Gets the settings of the LLDP agent on a network interface on a host computer. | |
| BH19417 | Gets the task definition object of a scheduled task that is registered on the local computer. | |
| BH19418 | Gets the traffic class settings. | |
| BH19420 | Gets the WSUS computer object that represents the client computer. | |
| BH19421 | Gets the WSUS update object with details about the update. | |
| BH19422 | Gets the WSUS update server object. | |
| BH19423 | Gets trigger properties of a VPN connection. | |
| BH19425 | Gets VIP host mapping. | |
| BH19426 | Gets virtual network mapping. | |
| BH19427 | Gets VLANs for a network switch. | |
| BH19430 | Retrieves a storage QoS policy from the policy manager. | |
| BH19433 | Retrieves certificate auto-enrollment policy settings. | |
| BH19436 | Retrieves global DNS client settings like the suffix search list. | |
| BH19447 | Retrieves the current configuration of the Microsoft Group KdsSvc from Active Directory. | |
| BH20150 | Uses a Nishang command to modify Security Descriptors of DCOM and WMI namespaces to provide non-admin domain users access to WMI. | |
| BH20151 | Uses a Nishang command to modify Security Descriptors of PowerShell Remoting to provide access for non-admin domain users. | |
| BH20174 | Uses PowerSploit/Empire command to convert a given user/group name to a security identifier (SID). | |
| BH20176 | Uses PowerSploit/Empire command to convert a UAC integer value to human readable form. | |
| BH20177 | Uses PowerSploit/Empire command to convert Active Directory object names between a variety of formats. | |
| BH20239 | Uses PowerSploit/Empire command to modify a given property for a specified Active Directory object. | |
