Can You Explain The Windows Xp Desktop Icons


Windows Shellbag Forensics

Microsoft Windows uses a set of Registry keys known as shellbags to maintain the size, view, icon, and position of a folder when using Explorer. These keys are useful to a forensic investigator. Shellbags persist information for directories even after the directory is removed, which means that they can be used to enumerate past mounted volumes, deleted files, and user actions.

Yuandong Zhu, Pavel Gladyshev, and Joshua James provided a nice overview of the investigative value of shellbags in "Using shellbag information to reconstruct user activities" (pdf); however, they do not describe how to programmatically access the data. Allan S Hay went into greater detail in his December, 2. MiTeC Registry Analyser (pdf), although he also leaves out a thorough analysis of the format.
TZWorks provides an effective closed source shellbag parser, sbag, but does not explain its algorithm. Yogesh Khatri first described the basic structure of Windows Shell Items in his blog post for 4. LLC entitled "Shell BAG Format Analysis". Joachim Metz went on to describe the binary format of the Windows Shell Item structures in great detail in "Windows Shell Item format specification" (pdf). This page documents an approach to parsing shellbags in detail, and introduces an open source, cross-platform shellbag parser.

Shellbag locations

Shellbags may be found in a few locations, depending on operating system version and user profile. On a Windows XP system, shellbags may be found under:

HKEY_USERS\USERID\Software\Microsoft\Windows\Shell
HKEY_USERS\USERID\Software\Microsoft\Windows\ShellNoRoam

The NTUser.dat hive file persists the Registry key HKEY_USERS\USERID. On a Windows 7 system, shellbags may be found under:

HKEY_USERS\USERID\Local Settings\Software\Microsoft\Windows\Shell

The UsrClass.dat hive file persists the Registry key HKEY_USERS\USERID.

Shellbag Parsing

Let us begin with the Shell key. The Shell key does not have any values. Under the Shell key are two keys: Shell\Bags and Shell\BagMRU.

FOLDERDATA

Each subkey under Shell\Bags is named with an increasing integer starting from one, such as Shell\Bags\1 or Shell\Bags\2. Let us call these subkeys FOLDERDATA, since they each represent one item viewed in Explorer, and this is usually a folder. FOLDERDATA subkeys do not have any values, but often have subkeys. The most common subkey is Shell\Bags\Int\Shell, but there are a few other possibilities (ComDlg, Desktop, etc.). The subkeys under a FOLDERDATA describe the settings, position, and icon when viewing the folder in Explorer. In particular, a Registry value whose name begins with ItemPos specifies the location of the icons for a given desktop resolution.
For example, on my Windows 7 system, the Registry key HKEY_USERS\USERID\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\5. C4. F2. 8B5 F8. 69 4. E8. 4 8. E6. 0 F1. DB9. 7C5. CC7 has 1. This set includes the value ItemPos. 14. 27x. 82. REG_BIN with length 0x.

With no tools beyond Regedit or Regview, Windows 8.3 filenames (e.g. MOZILL~1.LNK) and Unicode filenames (e.g. Mozilla Firefox.lnk) stand out. Fortunately, by applying the formats found in Joachim's paper, more details can be extracted. Throughout this document, I refer to this Registry value type as an ITEMPOS value.

ITEMPOS values

The ITEMPOS value's structure is a list of Windows File Entry Shell Items (SHITEMFILEENTRY) terminated by an entry whose size field is zero. The list begins at offset 0x. Items are preceded by 0x. The minimum size of a SHITEMFILEENTRY structure is 0x. The valid SHITEMFILEENTRY items have the following structure in pseudo-C (010 Editor template format):

typedef struct
UINT1.
UINT16 flags
UINT3.
DOSDATE date
DOSTIME time
FILEATTR1.
UINT8 alignment
UINT1.
UINT16 extversion
if extversion 0x.
UINT16 unknown0 0x.
UINT16 unknown1 0x. BEEF.
DOSDATE creationdate
DOSTIME creationtime
DOSDATE accessdate
DOSTIME accesstime
UINT3.
FILEREFERENCE fileref
UINT6.
UINT16 longnamesize
if extversion 0x.
UINT32 unknown4
wstring longname
if longnamesize 0
wstring longnameaddl
else if extversion 0x.
UINT16 unknown5
UINT8 padding size offset offsetsize
SHITEMFILEENTRY

FILEREFERENCE is a 6. MFT file reference structure 4. MFT record number, 1. MFT sequence number. FILEATTRS is a 1.

Applying this template to the ITEMPOS Registry value, we see there are four list items: one invalid entry, and three SHITEMFILEENTRY items.

Taking the first valid entry from offset 0x. The following block visually maps out the relevant bytes, while the table translates each field into a human readable value.

Field: Value
ITEMPOS size: 0x.
Filesize: 0x. 20.
Modified Date: August 1.
8.3 Filename: Cygwin.
Created Date: August 1.
Modified Date: August 1.
Unicode Filename: Cygwin.lnk

At this point, it is easy to write a parser that explores the FOLDERDATA keys under the Shell registry key. For each FOLDERDATA, the parser might enumerate each ITEMPOS value and consider the binary blob. By applying the binary template above, the tool could identify filenames, MACB timestamps, and other metadata independent of the filesystem MFT.
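A sketch of the list walk such a parser performs, added here as an example and not taken from the original article or its parser. It assumes the leading fields follow the template's order (16-bit size, 16-bit flags, 32-bit file size, DOS date, DOS time, 16-bit attributes, then a NUL-terminated 8.3 name) and decodes only those; the list start offset and per-item prefix length are caller-supplied parameters, and the sample blob and its offsets are constructed.

```python
import struct
from datetime import datetime

def dos_datetime(date, time):
    """Decode a 16-bit DOS date and 16-bit DOS time; None if the fields are not a valid date."""
    try:
        return datetime(1980 + (date >> 9), (date >> 5) & 0x0F, date & 0x1F,
                        time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2)
    except ValueError:
        return None

def parse_itempos(blob, list_offset, prefix_len):
    """Walk the size-prefixed item list, stopping at the zero-size terminator."""
    entries, off = [], list_offset
    while off + prefix_len + 2 <= len(blob):
        start = off + prefix_len
        (size,) = struct.unpack_from("<H", blob, start)
        if size == 0 or start + size > len(blob):
            break                       # terminator, or a size that would overrun the value
        if size >= 15:                  # this decoder needs 14 fixed bytes plus the name's NUL
            # Assumed layout: flags, file size, DOS date, DOS time, attributes (little-endian)
            flags, filesize, date, time, attrs = struct.unpack_from("<HIHHH", blob, start + 2)
            end = blob.find(b"\x00", start + 14, start + size)
            if end != -1:
                entries.append({"offset": start, "filesize": filesize,
                                "modified": dos_datetime(date, time),
                                "short_name": blob[start + 14:end].decode("ascii", "replace")})
        off = start + size              # items too short to decode are skipped as invalid
    return entries

# Constructed sample, not a real registry value; these offsets are placeholders,
# not the real ITEMPOS header and prefix sizes.
SAMPLE_LIST_OFFSET, SAMPLE_PREFIX_LEN = 4, 2

def _item(name, filesize, date, time):
    body = struct.pack("<HIHHH", 0, filesize, date, time, 0x20) + name + b"\x00"
    return b"\xAA" * SAMPLE_PREFIX_LEN + struct.pack("<H", len(body) + 2) + body

SAMPLE = (b"\x00" * SAMPLE_LIST_OFFSET
          + _item(b"NOTES.LNK", 1234, 16485, 29642)                      # valid item
          + b"\xAA" * SAMPLE_PREFIX_LEN + struct.pack("<H", 4) + b"\x00\x00"  # invalid, too short
          + _item(b"REPORT~1.LNK", 2048, 16485, 29642)                   # valid item
          + b"\xAA" * SAMPLE_PREFIX_LEN + b"\x00\x00")                   # zero-size terminator

if __name__ == "__main__":
    for entry in parse_itempos(SAMPLE, SAMPLE_LIST_OFFSET, SAMPLE_PREFIX_LEN):
        print(entry)
```

The bounds check on each size field matters in practice: ITEMPOS values recovered from damaged or carved hives can carry sizes that point past the end of the value.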

© 2017