drop windows wmi repository files · parse objects data · extract classes instances · event subscriptions · persistence detection · runs locally
load repository
WMI persistence often hides in permanent event subscriptions under ROOT\subscription. This tool does not fully deserialize the WBEM B-tree: it walks clustered ASCII / UTF-16 strings, scores persistence-shaped regions, and surfaces filters, consumers, bindings, and carve candidates from mapping-marked free pages.
Drop OBJECTS.DATA + MAPPING*.MAP
or repository folder
drop OBJECTS.DATA from System32\wbem\Repository (folder pick supported)