Who are most familiar with Windows? May be SoftICE, but not always.
This is a common scenario: When you Ctrl+D, and input "hwnd", it is "Unable to find a desktop Window".
How to resolve it ...
By TnTTOOLS, The Art OF Reverse Engineering.
The system setup a session for every logged-in user. win32k.sys is loaded to generate the 4 Desktop: Desktop, Default Desktop, Disconnect Desktop, Winlogon Desktop. Yes, 4, four, for, ...
Even Spy++ just think there is only one desktop.
Figure 1. Properties
-----------------------------------------------------------
ClassName: #32769
TID, Process: csrss.exe
Handle: 0x00010002, 0x00010004, 0x0001000c, 0x00010014
WndProc: win32k!_xxxDesktopWndProc
Module: win32k.sys
-----------------------------------------------------------
We can see their only difference is the handle value. Because these handle values are fixed. I guess that are hard coded.
Figure 2. Root
--------------------------------------------------------
Desktop, 10002
|
|---- Desktop, Default, 10014
|---- Dekstop, Disconnect, 10004
|---- Desktop, Winlogon, 1000c
--------------------------------------------------------
The root node of windows, controls is Desktop, Handle 10002.
now, where is our familiar desktop? I know what you mean: the desktop full of a crusty picture and icons.
The desktop with the wallpaper is Default Desktop, in master of win32k.sys;
The desktop full with misc icons is SysListView32, named FolderView, in master of shell32.dll.
When Explorer.exe is loaded, its WinMain creates the two windows: the task bar and the desktop.Guess, what is this desktop? Just the named-FolderView desktop.
Are you confused? Now, loop loop back to the beginning of the article.
End Loop
Next
time, if you want to wander the object tree of windows in Softice, just input "Hwnd 10002".
