A closer look at how Windows implements administrator policies such as hidden drive letters

Source: Internet
Author: User

Plenty of online articles describe the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer (and its per-user twin under HKEY_CURRENT_USER), whose values control things like hiding drive letters (NoDrives) or hiding the Control Panel (NoControlPanel). Changing these values decides whether parts of the Windows configuration can be changed at all, and whether elements of the shell are shown or hidden.

(The change only takes effect after a restart.) So who actually reads this switch?

Debugging it yourself (here with RegQueryValueExW hooked by a sandbox DLL) yields a call stack like the following:

 # ChildEBP  RetAddr   Args to Child
00 0235f134 7602ed30 00000528 765aebe0 00000000 sandboxdll!MINE_RegQueryValueExW+0xca [E:\ronggf\work\branches\minsheng\client_windows\src\hooklib\hook_advapi32.cpp @ 365]
WARNING: Stack unwind information not available. Following frames may be wrong.
01 0235f178 7602e977 00000528 765aebe0 0000ffff shlwapi!PathIsRelativeW+0xdf
02 0235f1bc 7602aed2 80000002 0235f210 765aebe0 shlwapi!SHRegGetValueW+0xe3
03 0235f1e0 7602b97e 80000002 0235f210 765aebe0 shlwapi!SHGetValueW+0x21
04 0235f41c 76024a79 00000000 765af510 765aebe0 shlwapi!Ordinal271+0x69
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Windows\system32\SHELL32.dll -
05 0235f43c 765aedb7 00000100 00000000 765aedc0 shlwapi!StrCmpNIW+0x40
06 0235f45c 766b1026 00000100 0235f4b8 00000004 shell32!SHRestricted+0x24
07 0235f474 766b07b3 00000000 02d80e68 00000000 shell32!Ordinal744+0x32a1
08 0235f494 766b0476 0235f4b8 02d36040 02d36010 shell32!Ordinal744+0x2a2e
09 0235f4e8 765685e5 02d80e68 00000001 0235f574 shell32!Ordinal744+0x26f1
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Windows\system32\explorerframe.dll -
0a 0235f538 7198d77d 02d36010 00000001 0235f574 shell32!OpenRegStream+0x1652
0b 0235f5b0 7198041e 02a5c2e0 01000000 80000000 explorerframe!Ordinal110+0xe380
0c 0235f5d0 765d619e 02a5c2f4 7fffffff 02a63668 explorerframe!Ordinal110+0x1021
0d 0235f5ec 765d6109 0235f628 00000000 02ac0fb8 shell32!SHCreateItemFromIDList+0x166
0e 0235f634 765caaa8 0235f64c 7602b6cf 02a63668 shell32!SHCreateItemFromIDList+0xd1
0f 0235f63c 7602b6cf 02a63668 0030e150 0235f6c0 shell32!Ordinal95+0x2274
10 0235f64c 771ab5e9 02ac0fb8 752c3f68 00294448 shlwapi!PathBuildRootW+0x4c
11 0235f6c0 771ae8d1 02ac0fb8 0030e150 752c3188 ntdll!RtlTestBit+0x21c
12 0235f820 75f81194 00294440 0235f86c 771db3f5 ntdll!RtlIsCriticalSectionLockedByThread+0x474
13 0235f82c 771db3f5 00294440 752c31c4 00000000 kernel32!BaseThreadInitThunk+0x12
14 0235f86c 771db3c8 771ad63e 00294440 00000000 ntdll!RtlInitializeExceptionChain+0x63
15 0235f884 00000000 771ad63e 00294440 00000000 ntdll!RtlInitializeExceptionChain+0x36

The read of the policy registry value is driven from SHELL32.dll's SHRestricted (frame 06), which reaches RegQueryValueExW through SHLWAPI's SHGetValueW / SHRegGetValueW. (Only export symbols were available for shell32 and explorerframe, so, as the debugger warns, the names of the frames above SHRestricted are unreliable; the path from SHRestricted down to the registry read is the part that matters.) Let's look at the disassembly of SHRestricted:

.text:7387F02B _SHRestricted@4 proc near           ; CODE XREF: CMenuItemsCache::RefreshCachedDarwinShortcuts(int)+D p
.text:7387F02B                                     ; CDesktopBrowser::_ActivateView(void)+3D p ...
.text:7387F02B
.text:7387F02B rest            = dword ptr  8
.text:7387F02B
.text:7387F02B                 mov     edi, edi
.text:7387F02D                 push    ebp
.text:7387F02E                 mov     ebp, esp
.text:7387F030                 push    offset ?g_lRestrictionsVersionNumber@@3JA ; long g_lRestrictionsVersionNumber (cache version)
.text:7387F035                 push    9Ch                                       ; number of entries in the restriction table
.text:7387F03A                 push    offset ?g_rgRestrictionItemValues@@3PAKA  ; ulong * g_rgRestrictionItemValues (cached values)
.text:7387F03F                 push    offset unk_7387F058                       ; restriction table: {id, key, value name} entries
.text:7387F044                 push    0
.text:7387F046                 push    [ebp+rest]                                ; the REST_* id being asked about
.text:7387F049                 call    ds:__imp__SHRestrictionLookup@24          ; SHRestrictionLookup(x,x,x,x,x,x)
.text:7387F04F                 pop     ebp
.text:7387F050                 retn    4
.text:7387F050 _SHRestricted@4 endp

So SHRestricted is only a thin wrapper: it calls SHRestrictionLookup in SHLWAPI.dll, passing the restriction id, the shell's table of restrictions, its per-process cache of values and a cache version number.

SHRestrictionLookup decompiles to roughly the following:

int __stdcall SHRestrictionLookup(int a1, LPCWSTR pszDir, int a3, void *Dst, int a5, int a6)
{
    // a1  = restriction id (REST_*), pszDir = optional policy subkey
    // a3  = table of 12-byte entries {id, key name, value name}
    // Dst = cache of values (one DWORD per table entry), a5 = entry count
    // a6  = pointer to the cache version number
    char *v6;
    int v7;
    unsigned int v8;
    int v9;

    v7 = 0;
    if (!g_bDllTerminating)
    {
        // Drops the whole cache if the global restrictions counter moved on.
        _ValidateRestrictionTable(Dst, a5, a6);
        v8 = 0;
        if ((unsigned int)a5 > 0)
        {
            // Linear search of the table for the requested id; unknown id -> 0.
            v9 = a3;
            while (a1 != *(_DWORD *)v9)
            {
                ++v8;
                v9 += 12;
                if (v8 >= a5)
                    return v7;
            }
            v6 = (char *)Dst + 4 * v8;
            v7 = *(_DWORD *)v6;
            if (*(_DWORD *)v6 == -1)
            {
                // Cache slot still empty: read the value from the registry
                // (HKLM/HKCU ...\Policies\<key>\<value>) and remember it.
                v7 = SHGetRestriction(pszDir, *(LPCWSTR *)(a3 + 12 * v8 + 4), *(LPCWSTR *)(a3 + 12 * v8 + 8));
                AcquireSRWLockExclusive(&g_csRWLockRestrictions);
                // Only store it if no policy change happened while we were reading.
                if (*(_DWORD *)a6 == SHGlobalCounterGetValue(GLOBALCOUNTER_RESTRICTIONS))
                    *(_DWORD *)v6 = v7;
                ReleaseSRWLockExclusive(&g_csRWLockRestrictions);
            }
        }
    }
    return v7;
}

The function looks the restriction up in a per-process cache. If the cached slot is still -1 (never read), it fetches the value from the registry via SHGetRestriction, stores it in the cache and returns it; otherwise it returns the cached value directly. That cache is why an edit to the registry key is not noticed by a running Explorer until the restrictions counter changes or Explorer is restarted.

MSDN describes SHRestricted as follows:

Determines whether a specified administrator policy is in effect. In many cases, applications need to modify certain behaviors in order to comply with the policies enacted by system administrators.


That is how the system behaves. If our program needs behaviour that differs from the system's, we can hook this function and return a value different from what the system would return; because every shell component asks SHRestricted rather than reading the registry itself, that single hook changes the behaviour everywhere.
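As an added example (not code from the original post), the following PowerShell script ties the two halves of the article together: it writes the NoDrives policy value that the opening paragraph refers to, then queries it the way Explorer does, through shell32's documented SHRestricted export. It assumes the NoDrives layout (a DWORD bitmask in which bit 0 hides A:, bit 1 hides B:, and so on up to bit 25 for Z:) and the REST_NODRIVES identifier 0x40000001 from shlobj.h; neither appears on the page. ConvertTo-NoDrivesMask and ConvertFrom-NoDrivesMask are helper names chosen here. Run it in a fresh PowerShell session on Windows; it writes only under HKCU, so no elevation is needed, and it removes the value again at the end.

```powershell
# Added example, not from the original post.
# Assumptions: NoDrives is a DWORD bitmask, bit 0 = A:, bit 1 = B:, ..., bit 25 = Z:;
# REST_NODRIVES (0x40000001) is the RESTRICTIONS id for this policy (shlobj.h).

$PolicyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$REST_NODRIVES = 0x40000001

# Build the NoDrives bitmask from a list of drive letters.
function ConvertTo-NoDrivesMask {
    param([string[]]$Letters)
    $mask = 0
    foreach ($l in $Letters) {
        $c = $l.Substring(0, 1).ToUpper()
        $bit = [int][char]$c - [int][char]'A'
        if ($bit -lt 0 -or $bit -gt 25) { throw "Not a drive letter: $l" }
        $mask = $mask -bor (1 -shl $bit)
    }
    return $mask
}

# Decode a NoDrives bitmask back into drive letters.
function ConvertFrom-NoDrivesMask {
    param([uint32]$Mask)
    0..25 | Where-Object { ($Mask -band (1 -shl $_)) -ne 0 } |
        ForEach-Object { [string][char]([int][char]'A' + $_) + ':' }
}

# P/Invoke the same shell32 export that Explorer itself calls (see the stack above).
Add-Type -Namespace Shell -Name Native -MemberDefinition @'
[DllImport("shell32.dll")]
public static extern uint SHRestricted(uint rest);
'@

# 1. Write the policy value the way the registry articles describe it.
$mask = ConvertTo-NoDrivesMask -Letters 'D', 'E'
New-Item -Path $PolicyKey -Force | Out-Null
Set-ItemProperty -Path $PolicyKey -Name NoDrives -Value $mask -Type DWord

# 2. Read it back from the registry and decode it.
$raw = (Get-ItemProperty -Path $PolicyKey -Name NoDrives).NoDrives
'Registry NoDrives = 0x{0:X8} -> hides {1}' -f $raw, ((ConvertFrom-NoDrivesMask $raw) -join ' ')

# 3. Ask the shell what it sees. This is the first SHRestricted call in this
#    process, so the cache slot is still -1 and SHGetRestriction reads the registry.
#    Further calls in the same process return the cached value until the
#    restrictions counter changes, which is why an already-running Explorer
#    keeps its old answer until it is restarted.
$seen = [Shell.Native]::SHRestricted($REST_NODRIVES)
'SHRestricted(REST_NODRIVES) = 0x{0:X8}' -f $seen

# Clean up so the machine is not left with hidden drives.
Remove-ItemProperty -Path $PolicyKey -Name NoDrives
```

If you change the value and call SHRestricted again in the same session you will still get the first answer back; that is the per-process cache from the decompiled SHRestrictionLookup at work, and the reason the article's "(must be restarted)" remark holds. A hook that wants to override a policy for a process therefore has to sit on SHRestricted (or SHRestrictionLookup) rather than on the registry API, since after the first read the registry is no longer consulted.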

