Wednesday, August 18, 2010

Missing Icons In Notification Area (Tray Bar)

A few days ago some of my programs stopped showing their icons in the Windows (7) notification area. A quick peek at the Task Manager revealed that they were, in fact, running.

Changing the notification settings and peeking around in the task bar configuration revealed nothing.

It turns out that Windows 7 caches its tray icons in a registry key. To reset the icons, do this:

1. Open regedit

2. Go to HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify

3. You should see two values: IconStreams (stores program path and other info) and PastIconsStream (stores the icon data). Delete both.

4. Restart the explorer.exe process (or restart the computer)

5. The missing icons should return. If the volume meter or other standard Windows icons are gone, you can re-enable them in the normal Taskbar Properties dialog.

That did the trick for me.
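The same reset as a script, added here as an example and not part of the original post. It exports the TrayNotify key to a .reg file first (so the change can be undone with `reg import`), removes the two cache values, and restarts explorer.exe. The backup file name is my choice; the key and value names are the ones from the steps above.

```powershell
# Added example (not from the original post): back up and delete the two
# TrayNotify cache values, then restart explorer.exe so the cache is rebuilt.
$key = 'HKCU:\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify'
$backup = Join-Path $env:USERPROFILE ("TrayNotify-backup-{0:yyyyMMdd-HHmmss}.reg" -f (Get-Date))

# Export the key first so the change can be undone with: reg import <file>
# reg.exe expects the HKCU\ prefix, not the PowerShell drive notation HKCU:\
$regPath = $key -replace '^HKCU:\\', 'HKCU\'
& reg.exe export $regPath $backup /y | Out-Null
Write-Host "Backup written to $backup"

foreach ($name in 'IconStreams', 'PastIconsStream') {
    if (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue) {
        Remove-ItemProperty -Path $key -Name $name
        Write-Host "Removed $name"
    } else {
        Write-Host "$name not present, nothing to do"
    }
}

# Restart the shell. explorer.exe normally relaunches itself; start it if not.
Stop-Process -Name explorer -Force
Start-Sleep -Seconds 2
if (-not (Get-Process -Name explorer -ErrorAction SilentlyContinue)) {
    Start-Process explorer.exe
}
```

Run it from the affected user's own session: the key lives under HKEY_CURRENT_USER, so an elevated prompt for a different account would edit the wrong hive.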

Tuesday, August 17, 2010

Oldie But Goodie: Privilege Escalation In Windows

Number One:

Replace C:\Windows\system32\sethc.exe with cmd.exe (e.g. by renaming and/or using a repair CD: with the Vista repair CD you can open "notepad" in the command prompt and execute file manipulations from the Open Dialog).

Restart. At the login screen press "Shift" five times (at this point, you can guess what sethc.exe originally did) and a command window with full system privileges will appear. Often used to replace forgotten administrator passwords:

net user administrator *

Of course, booting some sort of live CD or tool might be simpler.
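A check for the other side of this trick, added as an example and not part of the original post: verify that sethc.exe is still the genuine accessibility helper rather than a renamed cmd.exe. It compares the two files' hashes, reads the OriginalFilename from the version resource (a renamed cmd.exe still says cmd.exe), and reports the Authenticode status. Get-FileHash needs PowerShell 4 or later; everything else is standard. Since cmd.exe is itself a signed Microsoft binary, a valid signature alone proves nothing, which is why the hash and version checks come first.

```powershell
# Added example (not from the original post): verify that the accessibility
# helper invoked by the login screen is still the genuine sethc.exe.
$sethc = Join-Path $env:SystemRoot 'System32\sethc.exe'
$cmd   = Join-Path $env:SystemRoot 'System32\cmd.exe'

$findings = @()

# 1. A swapped binary is byte-for-byte cmd.exe: compare SHA-256 hashes.
$sethcHash = (Get-FileHash -Path $sethc -Algorithm SHA256).Hash
$cmdHash   = (Get-FileHash -Path $cmd   -Algorithm SHA256).Hash
if ($sethcHash -eq $cmdHash) {
    $findings += "sethc.exe is identical to cmd.exe (SHA-256 $sethcHash)"
}

# 2. The version resource survives a rename: a real sethc.exe reports
#    OriginalFilename 'sethc.exe', a renamed cmd.exe reports 'Cmd.Exe'.
$origName = (Get-Item $sethc).VersionInfo.OriginalFilename
if ($origName -and $origName -notlike 'sethc.exe') {
    $findings += "sethc.exe reports OriginalFilename '$origName'"
}

# 3. Signature status. cmd.exe is signed too, so 'Valid' is not proof of
#    anything; NotSigned or HashMismatch on a system binary is still notable.
$sig = Get-AuthenticodeSignature -FilePath $sethc
if ($sig.Status -ne 'Valid') {
    $findings += "sethc.exe signature status: $($sig.Status)"
}

if ($findings.Count -eq 0) {
    Write-Host "sethc.exe looks untouched"
} else {
    Write-Warning "Possible sethc.exe replacement:"
    $findings | ForEach-Object { Write-Warning "  $_" }
}
```

If the check fires, `sfc /scannow` restores the protected copy of the file. The replacement itself happens offline (repair CD or live CD), which is exactly the case full-disk encryption such as BitLocker is meant to close.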

Number Two:

The btwdins.exe method. On systems with the right Bluetooth service executable, you can execute any executable located at C:\Program.exe with LocalSystem rights. More info here.
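Why C:\Program.exe gets run: the service's ImagePath is stored unquoted and contains a space (C:\Program Files\...), so the service control manager tries each prefix ending at a space as a complete program name before it reaches the real one. The audit below is an added example, not part of the original post: it lists every service whose ImagePath is unquoted and contains a space, the account it runs as, and the candidate paths the SCM would try, so the directories can be checked for write permissions. Get-CimInstance requires PowerShell 3 or later; the function name is my own.

```powershell
# Added example (not from the original post): find services with an unquoted
# ImagePath containing spaces, the condition behind the C:\Program.exe trick.
function Get-UnquotedServicePath {
    Get-CimInstance -ClassName Win32_Service |
        Where-Object {
            $p = $_.PathName
            # Drop any arguments after the executable name before testing.
            $exe = if ($p) { $p -replace '(?i)(\.exe).*$', '$1' } else { '' }
            $exe -and -not $exe.StartsWith('"') -and -not $exe.StartsWith("'") -and ($exe -match ' ')
        } |
        ForEach-Object {
            $exe = $_.PathName -replace '(?i)(\.exe).*$', '$1'
            # Every space yields one extra name the SCM tries first,
            # e.g. C:\Program.exe for C:\Program Files\Vendor\svc.exe.
            $parts = $exe -split ' '
            $candidates = for ($i = 1; $i -lt $parts.Count; $i++) {
                ($parts[0..($i - 1)] -join ' ') + '.exe'
            }
            [pscustomobject]@{
                Name       = $_.Name
                StartName  = $_.StartName      # LocalSystem is the worst case
                ImagePath  = $_.PathName
                TriedFirst = $candidates -join '; '
            }
        }
}

Get-UnquotedServicePath | Format-Table -AutoSize -Wrap
```

The fix is to quote the path in the service's ImagePath value (for example `sc config <service> binPath= "\"C:\Program Files\Vendor\svc.exe\""`) and to make sure the parent directories on that path are not writable by standard users.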

Number Three:

This one is also known as the famous "at" method; there was a lot of talk about it back in the day (about a year ago). Basically, the concept went like this:

Open a command prompt as a normal user and type:

at

If it responds with an "Access denied." error, you are out of luck. If it responds with "There are no entries in the list." then you're good.

Now execute:

at 18:15 /interactive "cmd.exe"

And at a quarter past six a command prompt will appear, with SYSTEM privileges. Sounds sensible, right? Not really, since the only users able to schedule commands are already local administrators.