Monday 3 November 2008

Enable Windows 7 PreBeta Build 6801 protected bits!


During PDC ‘08, I was passed a note indicating that I should dig deeper into the bits to discover the snazzy new Taskbar. Upon cursory analysis, I found no evidence of such and dismissed the idea as completely bogus.


I got home and started doing some research on a potentially new feature called Aero Shake when I stumbled upon an elaborate set of checks tied to various shell-related components, including the new Taskbar.


Update: Although a newer-looking Taskbar is present, it’s not exactly what you saw at PDC ‘08. For example, the Quicklaunch toolbar still exists, Aero Peek doesn’t work properly, and Jumplists are stale. This is likely why it wasn’t enabled, out of the box, so set your expectations accordingly.


To use what I call “protected features”, you must meet both of the following criteria:



  1. The computer must be a member of an allowed domain (the domain name is obtained via GetComputerNameExW)

    • wingroup.windeploy.ntdev.microsoft.com

    • ntdev.corp.microsoft.com

    • redmond.corp.microsoft.com



  2. The username (obtained via GetUserNameW) must not start with a disallowed prefix

    • a- (temporary employees)

    • v- (contractors/vendors)





Protected Feature Flowchart



Because evaluating these criteria is potentially expensive in CPU cycles, the result of the check is cached for the lifetime of the Explorer process (one cached value per protected feature). Each cached value lives in a global variable whose storage is allocated in the image’s initialized data section (.data).


Explorer does not initialize these variables at startup; it simply reads the cached value before performing any checks, and the value stored in the image is 0 (“not yet checked”). I exploited this behavior by changing the initial value in the image itself from 0 to 1, which bypasses all twelve checks: once the variable is nonzero, the domain and username are never examined at all. In other words, the “not yet checked” sentinel is also the on-disk default, and the cached verdict is trusted without re-validation, so anyone who can write to explorer.exe can flip the verdict.
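As an added example (mine, not the author’s tool and not Explorer’s code), the following Python models the gate described above and shows, at the file level, the edit the post makes: map the variable’s RVA to a file offset through the PE section table and flip the initial value. The constructed image, the placeholder RVA and the 0/1/2 state encoding are assumptions; the real RVA has to come from disassembling the build’s explorer.exe.

```python
import struct

# --- Model of the gate described in the post ---------------------------------
# Assumption (mine, not from the post): 0 = not yet checked (the on-disk default),
# 1 = unlocked, 2 = locked. The post only states that the image default is 0 and
# that a 1 bypasses the checks.
ALLOWED_DOMAINS = {
    "wingroup.windeploy.ntdev.microsoft.com",
    "ntdev.corp.microsoft.com",
    "redmond.corp.microsoft.com",
}
DISALLOWED_USER_PREFIXES = ("a-", "v-")


def passes_checks(domain, user):
    """The two criteria from the post; in Explorer the inputs would come from
    GetComputerNameExW (domain) and GetUserNameW (user)."""
    return (domain.lower() in ALLOWED_DOMAINS
            and not user.lower().startswith(DISALLOWED_USER_PREFIXES))


def feature_unlocked(cache, idx, domain, user):
    """cache[idx] stands in for one per-feature .data variable. The cached value
    is trusted before any check runs, so a nonzero value that was already in the
    image is never validated against the domain or username."""
    if cache[idx] == 0:
        cache[idx] = 1 if passes_checks(domain, user) else 2
    return cache[idx] == 1


# --- Patching the initial value inside the PE image --------------------------
def build_sample_pe(data_section, data_rva=0x3000):
    """Constructed minimal PE32 image with one .data section (sample input only;
    not a real explorer.exe)."""
    e_lfanew, opt_size = 0x40, 0xE0
    dos = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    raw_ptr = (e_lfanew + 24 + opt_size + 40 + 0x1FF) & ~0x1FF   # 0x200 file alignment
    sect = struct.pack("<8sIIIIIIHHI", b".data", len(data_section), data_rva,
                       len(data_section), raw_ptr, 0, 0, 0, 0, 0xC0000040)
    img = dos + b"PE\0\0" + coff + opt + sect
    return img + b"\0" * (raw_ptr - len(img)) + data_section


def sections(img):
    """Yield (name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData)."""
    e_lfanew = struct.unpack_from("<I", img, 0x3C)[0]
    if img[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsect = struct.unpack_from("<H", img, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", img, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size
    for i in range(nsect):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", img, table + 40 * i)
        yield name.rstrip(b"\0").decode(), vsize, va, rawsize, rawptr


def rva_to_offset(img, rva):
    """Map an RVA (as seen in a disassembler) to its file offset."""
    for name, vsize, va, rawsize, rawptr in sections(img):
        if va <= rva < va + max(vsize, rawsize):
            if rva - va >= rawsize:
                # Zero-initialised tail with no bytes on disk: nothing to patch here
                raise ValueError(f"RVA {rva:#x} is not file-backed in {name}")
            return rawptr + (rva - va)
    raise ValueError(f"RVA {rva:#x} is outside every section")


def patch_byte(img, rva, expected, new):
    """Patch one byte, refusing unless it still holds the value we expect
    (guards against a different build or an already-patched file)."""
    off = rva_to_offset(img, rva)
    if img[off] != expected:
        raise ValueError(f"byte at {off:#x} is {img[off]:#x}, expected {expected:#x}")
    img[off] = new
    return off


def demo(flag_rva=0x3000):
    """Before/after on the constructed image: same non-Microsoft user and domain."""
    img = build_sample_pe(bytes(4), flag_rva)             # four zeroed feature flags

    def load_cache():                                     # what Explorer would map from disk
        off = rva_to_offset(img, flag_rva)
        return list(img[off:off + 4])

    before = feature_unlocked(load_cache(), 0, "example.local", "bob")
    patch_byte(img, flag_rva, 0, 1)                       # the post's 0 -> 1 edit
    after = feature_unlocked(load_cache(), 0, "example.local", "bob")
    return before, after


if __name__ == "__main__":
    print(demo())  # (False, True)
```

For a real binary, read explorer.exe into a bytearray, call patch_byte with the RVA taken from the disassembly, and write the result back out. Two caveats are built in: the mapping refuses an RVA that falls in the zero-initialised tail of a section, because such a variable has no bytes on disk to change, and the patch refuses to proceed if the byte is not the expected 0, which catches a different build or a file that was already patched. Any byte edit also invalidates the file’s Authenticode signature.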


Why not use a hook to intercept GetComputerNameExW / GetUserNameW?


I thought about building a hook to inject into the Explorer process at startup, but I grew concerned that legitimate code in Explorer that calls those functions for other purposes would malfunction. And I was lazy.


Can I has too? Plz?


Simply download a copy of a tool I whipped up for either x86 or x64 (untested thus far), drop it into your Windows\ directory and execute the following commands as an Administrator in a command prompt window:



  • takeown /f %windir%\explorer.exe

  • cacls %windir%\explorer.exe /E /G MyUserName:F (replacing MyUserName with your username)

  • taskkill /im explorer.exe /f

  • cd %windir%

  • start unlockProtectedFeatures.exe


After changing the protected feature lock state, you can relaunch the shell by clicking the Launch button. Keep a copy of the unmodified explorer.exe (and note its original ACL) so you can restore both afterwards: the patched file no longer matches its Authenticode signature, and Windows Resource Protection (sfc /scannow) will put the original back.



Screenshot of PDC ‘08 build with new Taskbar


Why did Microsoft do this?


I’m not sure why these features went into the main (winmain) builds wrapped with such protection. What are your thoughts?


Nasser Hajloo
a Persian Graphic Designer , Web Designer and Web Developer
n.hajloo@gmail.com
