Here are some steps that might let you point out if the KMS in your system is a fake or not:

* Background processes, especially the ones in the startup section: Basic KMS crackers work through a persistent system process which needs to be alive all the time; look for anything that has the name KMS in it and doesn't look like a legitimate Windows file. It has most likely set itself up in the startup section too.
* Antivirus exclusions: More advanced crackers don't need a persistent process, but an altered system DLL or executable instead. This (or access to these) will make most AV systems go nuts, so the altered DLLs are usually excluded after the DLLs are injected. Look at the exclusion list for any kind of system files.
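
One way to run both checks on a Windows machine, as an added example that is not part of the original text. It assumes Microsoft Defender is the antivirus in use and an elevated PowerShell session; the helper names `Get-ExePath` and `Test-MicrosoftSigned` are hypothetical.

```powershell
# Added example. A hit is a lead for manual review, not proof of tampering.

# Pull the executable path out of a startup or service command line.
function Get-ExePath {
    param([string]$CommandLine)
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine)
    if ($cmd -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($cmd -match '^\s*(.+?\.(exe|dll|cmd|bat|vbs))(\s|$)') { return $Matches[1] }
    return ($cmd.Trim() -split '\s+')[0]
}

# True when the file has a valid Authenticode signature issued to Microsoft.
function Test-MicrosoftSigned {
    param([string]$Path)
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) { return $false }
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    return ($sig.Status -eq 'Valid' -and
            $sig.SignerCertificate.Subject -match 'O=Microsoft Corporation')
}

# Check 1: startup entries, running processes and services with "KMS" in the
# name or path, with a flag showing whether the binary is signed by Microsoft.
$startup  = Get-CimInstance Win32_StartupCommand |
    Select-Object @{n='Source';e={'Startup'}}, Name, @{n='Path';e={ Get-ExePath $_.Command }}
$procs    = Get-Process | Where-Object Path |
    Select-Object @{n='Source';e={'Process'}}, Name, Path
$services = Get-CimInstance Win32_Service | Where-Object PathName |
    Select-Object @{n='Source';e={'Service'}}, Name, @{n='Path';e={ Get-ExePath $_.PathName }}

$kmsHits = (@($startup) + @($procs) + @($services)) |
    Where-Object { $_.Name -match 'kms' -or $_.Path -match 'kms' } |
    Select-Object Source, Name, Path, @{n='MicrosoftSigned';e={ Test-MicrosoftSigned $_.Path }}

# Check 2: Defender exclusions that cover system files, i.e. anything under
# %SystemRoot% or any individually excluded DLL, EXE or driver.
$pref       = Get-MpPreference
$exclusions = (@($pref.ExclusionPath) + @($pref.ExclusionProcess)) | Where-Object { $_ }
$sysRootRx  = '^' + [regex]::Escape($env:SystemRoot) + '(\\|$)'
$systemExclusions = $exclusions |
    Where-Object { $_ -match $sysRootRx -or $_ -match '\.(dll|exe|sys)$' }

"KMS-named startup entries, processes and services:"
$kmsHits | Format-Table -AutoSize
"Defender exclusions covering system files:"
$systemExclusions
```

Without elevation, `Get-MpPreference` does not return the real exclusion list, so an empty second result from a non-admin session means nothing.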