Most of you know that Windows 8 doesn’t have the traditional start menu or the start button. Instead, you’ve got the start screen. There is, however, a second menu that is accessible by right-clicking on the lower-left corner of the screen. This context menu is called the WinX menu because it can be launched with the keyboard shortcut Win+X.
The WinX menu has shortcuts to some advanced system functions that are slightly out of reach, for instance, the Control Panel, the Task Manager, Device Manager, Computer Management etc. The entries of this menu are driven by shortcut (.lnk) files present in each Group folder located at C:\Users\$Username$\AppData\Local\Microsoft\Windows\WinX\. It’s been noticed that you can’t manipulate the shortcuts or add new ones to this folder, because on restart, Windows reverts back to the default entries. Microsoft doesn’t want the WinX menu to be abused by software installers. But there are folks who genuinely want to extend the menu.
Rafael Rivera of WithinWindows dug into the security that protects the WinX menu from third-party invasion – and found a workaround. But first, allow him to explain how the security works.
An approved shortcut – a moniker I made up – is a .lnk file that has the appropriate markings to indicate to Windows “Hey, I’m special.” The marking is a simple 4-byte hash of several pieces of information. From the .lnk itself, two points are collected:
The link’s target application path/file (e.g. C:\Games\Minecraft.exe)
The link’s target application arguments (e.g. –windowed)
The third ingredient is simply a hard-coded chunk of text, or a salt if you will, to keep things interesting. That string is, literally, “Do not prehash links. This should only be done by the user.”
With these three strings in hand, Windows then glues them together, lowercases everything, and runs them through the HashData function. But you’re probably wondering at this point, what does it compare to?
Let’s shift our focus to .lnk files. We know them as shortcuts to things. But they’re officially called Shell Links and can store a lot of information on other data objects in Windows. More specifically, they support storing a structure of data called a PropertyStoreDataBlock that acts as a container for arbitrary string or numeric key/value pairs. Yep, the “WinX hash” is stored in here. If you’re curious, the key can be defined as such:
DEFINE_PROPERTYKEY(PKEY_WINX_HASH, 0xFB8D2D7B, 0x90D1, 0x4E34, 0xBF, 0x60, 0x6E, 0xAC, 0x09, 0x92, 0x2B, 0xBF, 0x02);
So to tie it all together, Windows – the Shell specifically – iterates through the .lnk files in each GroupN folder; opens them up; pulls out and concatenates the target path, args, and an arbitrary string; then finally hashes the result. This hash is then compared with the one stored in the .lnk to determine if it’s approved. Rinse and repeat.
Was that too long for you? Okay, here is the gist of the thing.
Basically, Windows calculates a hash from the .lnk file's target path and arguments plus the fixed string, and compares it to the hash saved in the .lnk file itself, as metadata. This is like locking the door and leaving the key tied to the lock. So all that needs to be done is to calculate the hash using the built-in HashData function and save the calculated hash in the .lnk file. Then copy the shortcut to the WinX folder. Bingo!
To make things easy, Rafael Rivera has coded a small tool that does the job of calculating the hash and storing it in the .lnk file. In the next section I will describe how to use the tool.
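The stored half of that check, as an added example that is not code from the original page or from hashlnk: it walks a .lnk file's ExtraData section and returns the value held under the property key quoted above, so the shortcuts in the WinX folders can be inventoried and compared with a known-good baseline. It does not recompute the hash. Offsets follow the published MS-SHLLINK and MS-PROPSTORE layouts; the function names, the VT_UI4 value type and the sample bytes are assumptions constructed for this example.

```python
import struct
import uuid

# Key from the DEFINE_PROPERTYKEY line above: format id GUID plus property id 2.
WINX_FMTID, WINX_PID = uuid.UUID("fb8d2d7b-90d1-4e34-bf60-6eac09922bbf"), 2

def u32(buf, off):
    return struct.unpack_from("<I", buf, off)[0]

def extra_data_offset(lnk):  # skip the 76-byte header and the optional sections
    if u32(lnk, 0) != 0x4C:
        raise ValueError("not a shell link")
    flags, pos = u32(lnk, 20), 76
    if flags & 0x01:                                  # HasLinkTargetIDList
        pos += 2 + struct.unpack_from("<H", lnk, pos)[0]
    if flags & 0x02:                                  # HasLinkInfo
        pos += u32(lnk, pos)
    width = 2 if flags & 0x80 else 1                  # IsUnicode
    for bit in (0x04, 0x08, 0x10, 0x20, 0x40):        # the five StringData fields
        if flags & bit:
            pos += 2 + width * struct.unpack_from("<H", lnk, pos)[0]
    return pos

def winx_values(store):  # yield (pid, vtype, raw value) for properties under WINX_FMTID
    s = 0
    while s + 24 <= len(store) and (ssize := u32(store, s)) >= 24:
        ours = u32(store, s + 4) == 0x53505331 and store[s + 8:s + 24] == WINX_FMTID.bytes_le
        v, end = s + 24, min(s + ssize, len(store))
        while ours and v + 13 <= end and (vsize := u32(store, v)) >= 13:
            pid, _, vtype = struct.unpack_from("<IBH", store, v + 4)
            yield pid, vtype, store[v + 13:v + vsize]
            v += vsize
        s += ssize

def stored_winx_hash(lnk):  # int value of the stored hash, or None if absent
    pos = extra_data_offset(lnk)
    while pos + 8 <= len(lnk) and (size := u32(lnk, pos)) >= 8:
        if u32(lnk, pos + 4) == 0xA0000009:           # PropertyStoreDataBlock
            for pid, vtype, raw in winx_values(lnk[pos + 8:pos + size]):
                if pid == WINX_PID and vtype == 0x13 and len(raw) == 4:  # VT_UI4, assumed
                    return int.from_bytes(raw, "little")
        pos += size
    return None

def constructed_sample(hash_value):  # constructed minimal link, not a real shortcut
    head = struct.pack("<I16xI52x", 0x4C, 0xA0) + struct.pack("<H", 9) + "-windowed".encode("utf-16-le")
    body = WINX_FMTID.bytes_le + struct.pack("<IIBHHI", 17, WINX_PID, 0, 0x13, 0, hash_value) + bytes(4)
    store = struct.pack("<II", 8 + len(body), 0x53505331) + body + bytes(4)
    return head + struct.pack("<II", 8 + len(store), 0xA0000009) + store + bytes(4)
```
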
First, grab the hashlnk.zip file from this page and unzip the contents to a folder. Collect the .lnk files that you wish to add to the WinX menu and move them into the folder where you unzipped hashlnk.exe.
Open command prompt and navigate to the folder where you have hashlnk.exe and the .lnk files. I hope you know the basic DOS commands. Now type: hashlnk shortcut.lnk, where shortcut.lnk is the filename of the .lnk file.
Repeat this for all the .lnk files. Once the .lnk files have been patched, relocate them into the Group# folder of your choice at C:\Users\$Username$\AppData\Local\Microsoft\Windows\WinX\.
Restart the computer or log in again to put the changes into effect.
Missing MSVCR100.DLL File
You’ll get this message if you don’t have Visual Studio 2010 or later installed. To work around the missing DLL file (and missing Visual Studio 2010), get a Windows 7 machine, download the MSVCR100.DLL file from here, copy it to the folder containing hashlnk.exe and execute the hashlnk commands on the Windows 7 machine.
The downloaded MSVCR100.DLL file is compatible only with Windows 7. If you want to run the hashlnk file on Windows 8, you have to have Visual Studio 2010 installed.
Customizing Entry Names
You’ll notice that the entries do not show up by the program’s shortcut name. For instance, MS Paint shows up as “Create and edit drawings” in the menu and Google Chrome as “Access the Internet”.
To customize these entries, right click on the .lnk file and edit the Comment field.