The seed bytes change after every reboot, but the first 12 bytes never change. I tried deleting them and then rebooting, but the system restored exactly the same first 12 bytes. Is there any security risk from an attacker managing to read those 12 bytes? I assume the seed is used in bitcoin private key generation, and those 12 bytes must have some relationship to the seed.
In older versions of Windows the seed was stored in this registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed
In newer versions of Windows the seed now lives here:
HKEY_LOCAL_MACHINE\SYSTEM\RNG
The only information I found from a Google search was here:
http://illmatics.com/Windows%208%20Heap%20Internals.pdf
Quote
OslpGatherSeedFileEntropy
Gathers entropy by looking up the value of the “Seed” registry key (REG_BINARY) in
HKEY_LOCAL_MACHINE\SYSTEM\RNG.
This key is 76 bytes in size, whereas the last 64 bytes hold a unique hash used to seed the CryptoAPI PRNG
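Added example, not part of the original post: a small Python check that splits a 76-byte Seed value into the 12 leading bytes and the 64-byte hash described in the quote, then compares snapshots taken across reboots to show which region stays constant. The function names and the sample snapshots are constructed for illustration; `read_seed_from_registry` uses the standard `winreg` module and assumes a Windows host with sufficient rights to read the key.

```python
SEED_LEN = 76                      # size of the "Seed" REG_BINARY value, per the quote
HASH_LEN = 64                      # trailing bytes: hash used to seed the PRNG
HEADER_LEN = SEED_LEN - HASH_LEN   # the 12 leading bytes the post asks about


def split_seed(blob: bytes):
    """Split a Seed value into (header, hash); reject unexpected sizes."""
    if len(blob) != SEED_LEN:
        raise ValueError(f"expected {SEED_LEN} bytes, got {len(blob)}")
    return blob[:HEADER_LEN], blob[HEADER_LEN:]


def stable_prefix_len(snapshots):
    """Length of the leading run of bytes identical in every snapshot."""
    n = 0
    for column in zip(*snapshots):
        if len(set(column)) != 1:
            break
        n += 1
    return n


def compare(snapshots):
    """Summarise which part of the value changes between snapshots."""
    parts = [split_seed(s) for s in snapshots]
    return {
        "header_constant": len({h for h, _ in parts}) == 1,
        "hash_changes": len({t for _, t in parts}) == len(parts),
        "stable_prefix": stable_prefix_len(snapshots),
    }


def read_seed_from_registry() -> bytes:
    """Windows only: read the live value from HKLM\\SYSTEM\\RNG."""
    import winreg  # imported here so the rest runs on any platform
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SYSTEM\RNG") as key:
        value, _value_type = winreg.QueryValueEx(key, "Seed")
    return bytes(value)


def make_sample(boot: int) -> bytes:
    """Constructed snapshot: fixed 12-byte header, per-boot 64-byte tail."""
    header = bytes(range(0xA0, 0xA0 + HEADER_LEN))
    tail = bytes((boot * 17 + i + 1) % 256 for i in range(HASH_LEN))
    return header + tail


SAMPLES = [make_sample(boot) for boot in range(3)]  # constructed, not real seeds

if __name__ == "__main__":
    print(compare(SAMPLES))
```

To run it against a real machine, save the output of `read_seed_from_registry()` after each reboot and pass the saved values to `compare`.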
