Reverse Engineering of newly introduced “IconLayouts” registry value

Recently I’ve been trying to hide the desktop.ini and *.onetoc2 files from my desktop.
For software security engineers, and Windows malware researchers in particular, it’s essential to enable “Show hidden files” and disable “Hide protected operating system files”: malware commonly gives its files both the hidden and the system attribute (so-called super-hidden files), so these options have to stay on all the time.
And that’s why those annoying hidden files are always sitting on my desktop.

Of course as a proud reverse engineer, I dug into our little explorer shell.

1. According to the answers on Super User, before Windows 10 1703 the icon layout was stored in the registry as ItemPos values (see https://superuser.com/questions/625854/where-does-windows-store-icon-positions)

2. But after upgrading to 1703 everything changed: the ItemPosXXXxXXX registry values disappeared, and a value named IconLayouts, also of type REG_BINARY, took their place.

  •  I didn’t find any useful information on the internet about the internal structure of this binary data

3. A global search for the string “IconLayouts” in every DLL and EXE file under the System32 directory revealed that only shell32.dll references this value

4. Thanks to the public symbols Microsoft generously provides and IDA’s easy-to-use cross-references, a quick look at the 20 MB shell32.dll located the target code with almost no effort.

5. Reverse engineering IconLayouts took some time; with some guessing and heuristic techniques I ended up with an 010 Editor template.

Use it as you wish :0
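As an added example of the search in step 3 (this is not the author’s script, and it says nothing about the layout of the binary data itself), the following Python scans a directory tree for PE files that embed the string “IconLayouts”. One caveat a plain grep misses: registry value names inside Windows binaries are usually stored as UTF-16LE wide strings, so the scan looks for both the ASCII and the UTF-16LE encoding. The `demo()` function builds a small constructed sample tree so the script can be exercised offline; on a real machine you would point `find_references` at C:\Windows\System32 instead, and the post reports that shell32.dll is the only hit there.

```python
import os
from pathlib import Path

NEEDLE = "IconLayouts"
EXTS = {".dll", ".exe"}


def encodings_of(needle):
    # Registry value names in Windows binaries are normally UTF-16LE wide
    # strings; an ASCII-only grep would miss them, so search both forms.
    return [needle.encode("ascii"), needle.encode("utf-16-le")]


def file_contains(path, patterns, chunk=1 << 20):
    # Stream the file in chunks, carrying an overlap of (longest pattern - 1)
    # bytes so a match straddling a chunk boundary is not lost.
    overlap = max(len(p) for p in patterns) - 1
    tail = b""
    with open(path, "rb") as f:
        while True:
            data = f.read(chunk)
            if not data:
                return False
            buf = tail + data
            if any(p in buf for p in patterns):
                return True
            tail = buf[-overlap:] if overlap else b""


def find_references(root, needle=NEEDLE, exts=EXTS):
    """Return the sorted paths of DLL/EXE files under root that embed needle."""
    patterns = encodings_of(needle)
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if Path(name).suffix.lower() not in exts:
                continue
            path = os.path.join(dirpath, name)
            try:
                if file_contains(path, patterns):
                    hits.append(path)
            except OSError:
                continue  # locked or inaccessible file: skip, do not abort the scan
    return sorted(hits)


def demo():
    """Scan a constructed sample tree (fake files, not real system binaries)."""
    import tempfile
    root = tempfile.mkdtemp(prefix="iconlayouts_")
    samples = {
        # wide string, as a real Windows binary would store it
        "wide.dll": b"MZ\x90\x00" + b"\x00" * 16 + NEEDLE.encode("utf-16-le") + b"\x00\x00",
        # narrow string, caught by the ASCII pattern
        "narrow.exe": b"MZ\x90\x00" + b"\x00" * 16 + NEEDLE.encode("ascii") + b"\x00",
        # no reference at all
        "other.dll": b"MZ\x90\x00" + b"nothing to see here",
        # right string, wrong extension: deliberately not scanned
        "notes.txt": NEEDLE.encode("utf-16-le"),
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    return [os.path.basename(p) for p in find_references(root)]


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else r"C:\Windows\System32"
    for hit in find_references(root):
        print(hit)
```

Run it as `python find_iconlayouts.py C:\Windows\System32` (a name assumed here for the script). Note that the string search only tells you which module references the value name; the IDA cross-reference work in step 4 is still needed to reach the code that actually parses the blob.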