A Dive into URI's

Primer

Any time you make a request in the browser, add an external link to a document, and so on, Windows first checks which protocol is specified. The most common are web requests such as:

https://github.com

Here, HTTPS is the protocol used to transfer data over the wire. This is just one of many protocols that Windows recognizes out of the box. Any time a program is installed, it may create a registry entry to register a new protocol handler. Typing calculator: into a web browser on Windows will produce a popup asking if you would like to open calc.exe. The same applies if you have ever clicked on an email address and the web browser opened your email client. In this example, the URI passed to the handler is:

mailto:exampleuser@exampledomain.com


If you are on Windows, clicking the buttons below should open the corresponding apps:

An overview on URI’s

For the past year, I’ve been spending some time investigating how URI protocols are treated and potential avenues of abuse. With CVE-2021-40444 and CVE-2022-30190 (Follina), it still seems that there is research that needs to be done around these schemes. Most of these schemes are either undocumented or have minimal documentation on how they interact with the OS.

It’s easy to see what apps are associated with protocols. A simple Windows search of ‘Choose a default app for each protocol’ will take you to the settings page where these associations are listed. After looking at this list, I noticed it was missing URI’s that I knew were associated with my OS such as the Outlook feed: URI.

After digging through the registry, I found there are many URI’s that aren’t listed on the settings page. As of now, I’m not sure why MS pulls in some values to show while others are hidden. Searching the registry for URL: will show you schemes registered to URI’s:

# Registry search for keys that contain a value named "URL Protocol"
# Searches ALL hives; comment out lines below to limit the search and save time

function search {
  param([parameter(ValueFromPipeline)]$key)
  process {
    $key.getvaluenames() | foreach-object {
      $value = $_
      [pscustomobject] @{
        Path = $Key -replace  '.*\\'
        Name = $Value
      }
    }
  }
}

$searchterm = "URL Protocol"

echo "Searching HKCR Hive";
ls -r Registry::HKEY_CLASSES_ROOT\ -ErrorAction SilentlyContinue  | search | where name -like $searchterm | Format-Table -AutoSize
echo "`nSearching HKCU Hive`n";
ls -r Registry::HKEY_CURRENT_USER\ -ErrorAction SilentlyContinue | search | where name -like $searchterm | Format-Table -AutoSize
echo "`nSearching HKLM Hive`n";
ls -r Registry::HKEY_LOCAL_MACHINE\ -ErrorAction SilentlyContinue | search | where name -like $searchterm | Format-Table -AutoSize
echo "`nSearching HKU Hive`n";
ls -r Registry::HKEY_USERS\ -ErrorAction SilentlyContinue | search | where name -like $searchterm | Format-Table -AutoSize
echo "`nSearching HKCC Hive`n";
ls -r Registry::HKEY_CURRENT_CONFIG\ -ErrorAction SilentlyContinue | search | where name -like $searchterm | Format-Table -AutoSize
echo "`nReg search complete";
echo "DONE";


Note: Any scheme containing a “.” will not resolve if entered directly into the web browser.

Ex: microsoft.windows.camera:// entered into the address bar will get interpreted as –> http://microsoft.windows.camera//

However, entering it in the Windows “Run” box will open the camera as expected. To get around the browser misinterpreting the scheme, it can be included as a link on the page itself:

<a href="microsoft.windows.camera://">microsoft.windows.camera</a>

This link is interpreted properly when clicked.
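
Because a dotted scheme in markup is parsed as a scheme rather than a hostname, a review of HTML content has to look at link attributes, not address-bar behaviour. The following is an added example (not from the original post): a Python link audit that reports every URL attribute whose scheme would be handed to a registered protocol handler. The allowlist and the names `SchemeAuditor` and `audit_html` are assumptions made for the illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed policy for this example: schemes a page may link to without review.
ALLOWED_SCHEMES = {"http", "https", "mailto"}
URL_ATTRS = {"href", "src", "action"}


class SchemeAuditor(HTMLParser):
    """Collect URL attributes whose scheme is outside the allowlist."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name not in URL_ATTRS or not value:
                continue
            try:
                scheme = urlsplit(value.strip()).scheme.lower()
            except ValueError:
                continue  # malformed URL (for example a broken IPv6 literal)
            if scheme and scheme not in ALLOWED_SCHEMES:
                self.findings.append({
                    "tag": tag,
                    "attr": name,
                    "scheme": scheme,
                    # Per the article, dotted schemes resolve from a link
                    # but not when typed into the address bar.
                    "dotted": "." in scheme,
                    "url": value,
                })


def audit_html(html):
    """Return one finding per link that targets a non-allowlisted scheme."""
    auditor = SchemeAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed sample page; the links reuse URIs quoted in the article.
SAMPLE = """
<ul>
  <li><a href="https://github.com">GitHub</a></li>
  <li><a href="mailto:exampleuser@exampledomain.com">Mail</a></li>
  <li><a href="/about.html">About</a></li>
  <li><a href="calculator:">Calc</a></li>
  <li><a href="microsoft.windows.camera://">microsoft.windows.camera</a></li>
</ul>
"""

if __name__ == "__main__":
    for finding in audit_html(SAMPLE):
        print(finding)
```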


List of Protocols

The list below is from my personal computer (Windows 10) tested in 2022. The intent is to gather as many URI’s as possible from a “used” computer, not a fresh install.

| Protocols | | |
| --- | --- | --- |
| AAM:// | microsoft-edge-holographic:// | ms-word:// |
| accnc:// | microsoftmusic:// | ms-wpc:// |
| acrobat:// | microsoftvideo:// | ms-wpdrmv:// |
| acrobat2018:// | mk:// | ms-xbet-survey:// |
| acrobat2019:// | MMS:// | ms-xbl-3d8b930f:// |
| acrobat2020:// | ms-aad-brokerplugin:// | ms-xgpueject:// |
| acrobat2021.oauth2:// | ms-access:// | NordVPN.Notification:// |
| adbps:// | ms-actioncenter:// | NordVPN:// |
| adcnc:// | ms-appinstaller:// | nxm:// |
| adobe.genuine.invoker:// | ms-apprep:// | oculus:// |
| appinstaller.oauth2:// | ms-availablenetworks:// | odopen:// |
| armodelviewing:// | ms-calculator:// | OneIndex16:// |
| auphd:// | ms-clock:// | OneNote.URL.16:// |
| battlenet:// | ms-contact-support:// | onenote:// |
| bingmaps:// | ms-cortana2:// | onenote-cmd:// |
| bingweather:// | ms-cxh:// | OneNoteDesktop.URL.16 bingweather:// |
| bittorrent:// | ms-cxh-full:// | OneNoteDesktop:// |
| Blizzard.URI.Battlenet:// | ms-default-location:// | openvpn-connect:// |
| Blizzard.URI.Blizzard:// | ms-device-enrollment:// | origin:// |
| Blizzard.URI.Heroes:// | ms-drive-to:// | origin2:// |
| Blizzard.URI.SC2:// | ms-excel:// | Outlook.URL.feed.15:// |
| blizzard:// | ms-eyecontrolspeech:// | Outlook.URL.mailto.15:// |
| calculator:// | ms-gamebar:// | Outlook.URL.stssync.15:// |
| callto:// | ms-gamebarservices:// | Outlook.URL.webcal.15:// |
| citrixonline:// | ms-gamingoverlay:// | outlookaccounts:// |
| citrixonline551:// | ms-getoffice:// | outlookcal:// |
| com.epicgames.eos:// | ms-get-started:// | outlookmail:// |
| com.epicgames.launcher:// | ms-holographicfirstrun:// | paintdotnet:// |
| com.microsoft.3dviewer:// | msi-dc:// | rdcnc:// |
| conf:// | ms-inputapp:// | read:// |
| discord-:// | ms-insights:// | receiver:// |
| discord-:// | ms-ipmessaging:// | res:// |
| discord-:// | ms-meetnowflyout:// | rlogin:// |
| discord-:// | ms-mmsys:// | rtkuwp:// |
| discord-:// | ms-msdt:// | search:// |
| DLNA-PLAYSINGLE:// | ms-msime-imepad:// | search-ms:// |
| eadm:// | ms-msime-imjpdct:// | sgnl:// |
| ealink:// | msnweather:// | signalcaptcha:// |
| exodus:// | ms-officeapp:// | sip:// |
| Explorer.AssocActionId.BurnSelection:// | ms-officecmd:// | sips:// |
| Explorer.AssocActionId.EraseDisc:// | ms-oobenetwork:// | skype:// |
| Explorer.AssocActionId.ZipSelection:// | ms-paint:// | skypecast15:// |
| Explorer.AssocProtocol.search-ms:// | ms-pchealthcheck:// | skype-meetnow:// |
| Explorer.BurnSelection:// | ms-penworkspace:// | skypewin:// |
| Explorer.EraseDisc:// | ms-people:// | slack:// |
| Explorer.ZipSelection:// | ms-perception-simulation:// | spotify:// |
| feed:// | ms-phone:// | steamlink:// |
| feedback-hub:// | ms-photos:// | steamtours:// |
| feeds:// | ms-powerpoint:// | stssync:// |
| FirefoxURL-:// | ms-print-addprinter:// | tbauth:// |
| FirefoxURL-:// | ms-print-printjobs:// | tel:// |
| ftp:// | ms-publisher:// | telnet:// |
| GeForceExperience:// | ms-quick-assist:// | tg:// |
| git-client:// | ms-rdx-document:// | tn3270:// |
| gotomeeting:// | ms-retaildemo-launchbioenrollment:// | uplay:// |
| gotomeeting18962:// | ms-retaildemo-launchstart:// | viscosity:// |
| gotomeeting19228:// | ms-screenclip:// | viscosityserial:// |
| gotomeeting19598:// | ms-screensketch:// | vm:// |
| gotomeeting19796:// | ms-search:// | vmrc:// |
| gotomeeting19932:// | ms-settings:// | vms:// |
| gotomeeting19950:// | ms-settings-airplanemode:// | vmware-rvm:// |
| gotoopener:// | ms-settings-bluetooth:// | vrmonitor:// |
| gotoopener551:// | ms-settings-cellular:// | vsls:// |
| grvopen:// | ms-settings-connectabledevices:// | vstfs:// |
| heroes:// | ms-settings-displays-topology:// | vsweb:// |
| http:// | ms-settings-emailandaccounts:// | webcal:// |
| https:// | ms-settings-language:// | webcals:// |
| iehistory:// | ms-settings-location:// | whatsapp:// |
| ierss:// | ms-settings-lock:// | windows.tbauth:// |
| im:// | ms-settings-mobilehotspot:// | windowsdefender:// |
| insiderhub:// | ms-settings-notifications:// | windows-feedback iehistory:// |
| jnlp:// | ms-settings-power:// | WMP11.AssocProtocol.DLNA-PLAYSINGLE:// |
| jnlps:// | ms-settings-privacy:// | WMP11.AssocProtocol.MMS:// |
| launchacrobat:// | ms-settings-proximity:// | wpa:// |
| launchreader:// | ms-settings-screenrotation:// | xbls:// |
| LDAP:// | ms-settings-wifi:// | xbox:// |
| link2ea:// | ms-settings-workplace:// | xbox-arena:// |
| Lync15:// | mssharepointclient:// | xbox-captures:// |
| Lync15classic:// | ms-sttoverlay:// | xbox-friendfinder:// |
| ma-chan:// | ms-taskswitcher:// | xbox-gamehub:// |
| ma-filelink:// | msteams:// | xboxgames:// |
| Magnet:// | ms-teams:// | xbox-lfg:// |
| mailto:// | ms-unistore-email:// | xboxliveapp-1297287741:// |
| mapi:// | ms-virtualtouchpad:// | xboxmusi:// |
| mapi16:// | ms-voip-call:// | xbox-network:// |
| microsoft.windows.camera.multipicker:// | ms-voip-video:// | xbox-profile:// |
| microsoft.windows.camera.picker:// | ms-walk-to:// | xbox-settings:// |
| microsoft.windows.camera:// | ms-wcrv:// | xbox-store:// |
| microsoft.windows.camera:// | mswindowsmusic:// | xbox-tcui:// |
| microsoft.windows.photos.crop:// | ms-windows-search:// | zoommtg:// |
| microsoft.windows.photos.picker:// | ms-windows-store:// | ZoomPbx.im:// |
| microsoft.windows.photos.videoedit:// | ms-windows-store2:// | ZoomPbx.zoomphonecall:// |
| Microsoft.Workfolders:// | ms-windows-store-deskext:// | ZoomPhoneCall:// |
| microsoft-edge:// | mswindowsvideo:// | zunemicrosoft.windows.photos.videoedit:// |


Strings.exe against C:\Windows\*

After finding all handlers, the next step is seeing how they can be invoked since many are undocumented. We could reverse engineer the executables, but who has time for that? The next best thing is pulling out any strings containing the above URI’s from installed PE files.
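
One way to run that string hunt, as an added Python example rather than the author's tooling: pull printable ASCII and UTF-16LE runs out of a file's bytes, the way a strings utility does, and keep the URIs whose scheme is on a watch list. The scheme selection, the function names and the sample bytes are assumptions made for the illustration.

```python
import os
import re
from collections import defaultdict

# Schemes to hunt for (assumed selection; all four are in the article's protocol list).
SCHEMES = {"ms-get-started", "ms-windows-store", "windowsdefender", "ms-cxh"}

MIN_LEN = 6  # shortest printable run treated as a string
ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)
# scheme://rest, cut at whitespace, quotes or angle brackets.
URI = re.compile(r"([A-Za-z][A-Za-z0-9+.\-]*)://[^\s\"'<>]*")


def extract_strings(data):
    """Yield printable ASCII and UTF-16LE runs found in raw bytes."""
    for m in ASCII_RUN.finditer(data):
        yield m.group().decode("ascii")
    for m in UTF16_RUN.finditer(data):
        yield m.group().decode("utf-16-le")


def find_uris(data, schemes=SCHEMES):
    """Map each wanted scheme to the sorted, de-duplicated URIs seen in data."""
    # Exact scheme match: a URI glued to preceding letters is not reported.
    wanted = {s.lower() for s in schemes}
    hits = defaultdict(set)
    for text in extract_strings(data):
        for m in URI.finditer(text):
            scheme = m.group(1).lower()
            if scheme in wanted:
                hits[scheme].add(m.group(0))
    return {scheme: sorted(uris) for scheme, uris in hits.items()}


def scan_tree(root, exts=(".exe", ".dll")):
    """Run find_uris over matching files under root, skipping unreadable ones."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    found = find_uris(fh.read())
            except OSError:
                continue
            if found:
                results[path] = found
    return results


# Constructed bytes standing in for a PE file (not a real binary).
SAMPLE = (
    b"MZ\x90\x00\x03\x00"
    b"launch=ms-get-started://redirect?id=handwriting\x00\x00"
    b"https://github.com\x00\x00"
    + "windowsdefender://quickscan/".encode("utf-16-le") + b"\x00\x00"
    + "ms-windows-store://pdp/?PFN=%s".encode("utf-16-le") + b"\x00\x00"
)

if __name__ == "__main__":
    print(find_uris(SAMPLE))
```

The URI templates this turns up (query parameters, format specifiers such as `%s`) show which arguments a handler accepts, which is the information needed to decide which handlers deserve review or blocking.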
