file where not subtype.delete and
not user_sid in ("S-1-5-18", "S-1-5-19", "S-1-5-20") and (
file_path == "*\\windows\\ehome\\cryptbase.dll" or
file_path == "*\\windows\\system32\\sysprep\\cryptbase.dll" or
file_path == "*\\windows\\system32\\sysprep\\cryptsp.dll" or
file_path == "*\\windows\\system32\\sysprep\\rpcrtremote.dll" or
file_path == "*\\windows\\system32\\sysprep\\uxtheme.dll" or
file_path == "*\\windows\\system32\\sysprep\\dwmapi.dll" or
file_path == "*\\windows\\system32\\sysprep\\shcore.dll" or
file_path == "*\\windows\\system32\\sysprep\\oleacc.dll" or
file_path == "*\\windows\\system32\\ntwdblib.dll"
)
| unique process_path, file_path