Flashy Windows 7 bits protected by elaborate scheme, workaround

During PDC ‘08, I was passed a note indicating that I should dig deeper into the bits to discover the snazzy new Taskbar. Upon cursory analysis, I found no evidence of such and dismissed the idea as completely bogus.

I got home and started doing some research on a potentially new feature called Aero Shake when I stumbled upon an elaborate set of checks tied to various shell-related components, including the new Taskbar.

Update: Although a newer-looking Taskbar is present, it’s not exactly what you saw at PDC ‘08. For example, the Quicklaunch toolbar still exists, Aero Peek doesn’t work properly, and Jumplists are stale. This is likely why it wasn’t enabled out of the box, so set your expectations accordingly.

To use what I call “protected features”, you must meet the following criteria:

  1. Must be a member of an allowed domain
    • wingroup.windeploy.ntdev.microsoft.com
    • ntdev.corp.microsoft.com
    • redmond.corp.microsoft.com
  2. Must not be an employee with a disallowed username prefix
    • a- (temporary employees)
    • v- (contractors/vendors)

Protected Feature Flowchart

As checking against these criteria is potentially expensive in terms of CPU cycles, the result of the check is cached for the duration of Explorer’s lifetime (one cache per protected feature). The cached value is stored in a global variable whose storage is allocated in the image’s initialized data section (.data).

Explorer does not initialize these variables at start and looks for a cached result before performing any of the checks. I exploited this behavior by setting the initialized value in the image itself to 1 instead of 0, which bypasses all twelve checks.
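The following is an added model of the gate described above (the domain allow-list and username-prefix deny-list from the criteria, plus the per-feature verdict cached in .data); it is illustrative code written for this post, not Explorer’s own, and it assumes an exact, case-insensitive domain comparison and the cache encoding 0 = not yet checked, 1 = allowed, 2 = denied. It shows why a verdict kept in mutable image data is a convenience, not a security boundary: a slot that starts at 1 never reaches the policy check.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <strings.h>

#define FEATURE_COUNT 12   /* the post counts twelve guarded checks */

/* Per-feature cached verdict living in .data (constructed model).
 * 0 = not yet checked, 1 = allowed, 2 = denied.  If the image is
 * patched so a slot starts at 1, evaluate_policy() never runs for it. */
int g_featureUnlocked[FEATURE_COUNT] = {0};

static const char *kAllowedDomains[] = {
    "wingroup.windeploy.ntdev.microsoft.com",
    "ntdev.corp.microsoft.com",
    "redmond.corp.microsoft.com",
};
static const char *kDeniedPrefixes[] = { "a-", "v-" };

/* Allow-list: the machine's domain must match one entry (assumed exact match). */
static bool domain_allowed(const char *domain) {
    for (size_t i = 0; i < sizeof kAllowedDomains / sizeof *kAllowedDomains; i++)
        if (strcasecmp(domain, kAllowedDomains[i]) == 0) return true;
    return false;
}

/* Deny-list: temporary (a-) and vendor (v-) account prefixes are rejected. */
static bool username_denied(const char *user) {
    for (size_t i = 0; i < sizeof kDeniedPrefixes / sizeof *kDeniedPrefixes; i++)
        if (strncasecmp(user, kDeniedPrefixes[i], strlen(kDeniedPrefixes[i])) == 0)
            return true;
    return false;
}

/* The uncached policy decision: both criteria must hold. */
bool evaluate_policy(const char *domain, const char *user) {
    return domain_allowed(domain) && !username_denied(user);
}

/* What a guarded shell component would call.  The verdict is computed once
 * per feature and then served from the cache for the process lifetime. */
bool is_feature_unlocked(size_t feature, const char *domain, const char *user) {
    if (feature >= FEATURE_COUNT) return false;
    if (g_featureUnlocked[feature] == 0)
        g_featureUnlocked[feature] = evaluate_policy(domain, user) ? 1 : 2;
    return g_featureUnlocked[feature] == 1;
}
```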

Why not use a hook to intercept GetComputerNameExW / GetUserNameW?

I thought about building a hook to inject into the Explorer process upon start, but I grew concerned that legitimate code in Explorer that uses those functions to perform various legitimate tasks would malfunction. And I was lazy.

Can I has too? Plz?

Update: Blue Badge replaces this legacy patch.

Simply download a copy of a tool I whipped up for either x86 or x64, drop it into your Windows directory and execute the following commands as an Administrator in a command prompt window:

  • takeown /f %windir%\explorer.exe
  • cacls %windir%\explorer.exe /E /G %username%:F (enclose the username in quotes if it contains spaces)
  • taskkill /im explorer.exe /f
  • cd %windir%
  • start unlockProtectedFeatures.exe

After changing the protected feature lock state, you can re-launch the shell by clicking the Launch button.


Screenshot of PDC ‘08 build with new Taskbar

Why did Microsoft do this?

I’m not sure why these features went into the main (winmain) builds wrapped with such protection. What are your thoughts?