|
Post by TechSalt on Apr 9, 2024 10:45:00 GMT -8
I haven't publicly talked about my stobject.dll research, but it basically goes as follows: - stobject.dll handles system tray icons (sound, network, battery, etc.) - It also seems to handle tray icons in general - In Windows 8.1 and before, it handles the whole tray area as well as the start button seemingly? - Whenever porting stobject.dll from 7601 to 20348, non-system tray icons broke. - Whenever porting stobject.dll from 7601 to 9600, the start button and the whole tray area break. Task items still worked though.
It seems to also handle something else (I think "Set Desktop Background" from the context menu on an image? I forgot)
|
|
|
Post by ephemeralViolette on Apr 9, 2024 10:49:13 GMT -8
I haven't publicly talked about my stobject.dll research, but it basically goes as follows: - stobject.dll handles system tray icons (sound, network, battery, etc.) - It also seems to handle tray icons in general - In Windows 8.1 and before, it handles the whole tray area as well as the start button seemingly? - Whenever porting stobject.dll from 7601 to 20348, non-system tray icons broke. - Whenever porting stobject.dll from 7601 to 9600, the start button and the whole tray area break. Task items still worked though.
I thought the start button was implemented in explorer.exe (CPearl). Very interesting that it would break by swapping stobject.
|
|
aubymori
Sophomore Member
👅👅👅👅👅
Posts: 162
OS: Windows 10 IoT Enterprise LTSC 2021
Theme: Windows 10 Default
CPU: Intel Core i5-9300H
RAM: 8GB
GPU: Intel UHD Graphics 630 / NVIDIA GeForce GTX 1650
|
Post by aubymori on Apr 9, 2024 10:51:48 GMT -8
I haven't publicly talked about my stobject.dll research, but it basically goes as follows: - stobject.dll handles system tray icons (sound, network, battery, etc.) - It also seems to handle tray icons in general - In Windows 8.1 and before, it handles the whole tray area as well as the start button seemingly? - Whenever porting stobject.dll from 7601 to 20348, non-system tray icons broke. - Whenever porting stobject.dll from 7601 to 9600, the start button and the whole tray area break. Task items still worked though.
I thought the start button was implemented in explorer.exe (CPearl). Very interesting that it would break by swapping stobject. I have no idea what causes it to break, or if I'm misremembering? I'll have to see when I get home.
|
|
Legofan
Sophomore Member
Embrace modernity? Nah, embrace tradition.
Posts: 174
OS: Windows 11 24H2
Theme: Default
CPU: AMD Ryzen 5 3600 / Intel Pentium Gold 4425Y
RAM: 64GB / 8 GB
GPU: NVIDIA GeForce GTX 1050 Ti / IGPU
Computer Make/Model: Custom Built / Surface Go 2
|
Post by Legofan on Apr 9, 2024 12:02:58 GMT -8
And yes, this does work on 22h2 with other locales as well. (For the people that are wondering about that)
|
|
|
Post by wiktorwiktor12 on Apr 9, 2024 13:28:16 GMT -8
did some of my own work on this, did some scuffed editing and patching, and i managed to get the win7 network flyout to show when pressing the win10 tray icon, this was done by editing the exports of the win7 VAN.dll to rename RunVANW to ShowVAN, then patches to patch these 2 checks out this then would act as if -debug was passed in always and thus ranvanui would be ran, then in pnidui.dll in void __fastcall CPniMainDlg::_ShowFlyout(CPniMainDlg *this, char a2, __int64 a3) i patched this regkey check so it acts as if it always is 2 in theory, it should be possible to not need to patch pnidui.dll this is really scuffed but it works and thus u get this incredibly scuffed but it works streamable.com/zkmekj
|
|
|
Post by wiktorwiktor12 on Apr 9, 2024 16:00:51 GMT -8
Made a windhawk mod that hooks pnidui.dll's showminiflyout and makes it run win7 van instead, easiest way to do it in windhawk
// ==WindhawkMod==
// @id win7-van-restore
// @name Restore windows 7 network flyout
// @description Hooks showminiflyout in pnidui.dll to call RunVANUI instead
// @version 0.1
// @author wiktorwiktor12 for WH mod, joleman11 for original discovery
// @include explorer.exe
// @compilerOptions -lcomdlg32
// ==/WindhawkMod==
#include <Windows.h>
#include <shellapi.h>
#include <stdio.h>
#include <windhawk_utils.h>
//public: void __cdecl CVanUI::HideVanUI(void)
inline void(__cdecl*HideVanUI)(void* _this);
inline HRESULT(*RunVANUI)(UINT param_1, int param_2, int param_3, int param_4, HANDLE param_5, int param_6);
inline __int64(__fastcall* ShowMiniFlyout_orig)(void* _this);
DWORD tickHid = 0;
const DWORD tickShowDelay = 250;
void HideVanUI_hook(void* _this)
{
HideVanUI(_this);
tickHid = GetTickCount();
}
__int64 __fastcall ShowMiniFlyout_hook(void* _this)
{
UINT myMessage = RegisterWindowMessageW(L"Microsoft.VAN.Message");
HWND v8 = FindWindowExW(0, 0, L"NativeHWNDHost", L"View Available Networks");
if ( v8 )
{
if (GetTickCount() >= tickHid + tickShowDelay)
{
AllowSetForegroundWindow(0xFFFFFFFF);
if ( PostMessageW(v8, myMessage, 0, 0) )
return 0;
}
}
if (GetTickCount() >= tickHid + tickShowDelay)
RunVANUI(myMessage,5,0,0,(HANDLE)0x0,1);
return 0;
}
const WindhawkUtils::SYMBOL_HOOK hooks[] = {
{
{
L"private: long __cdecl CPniMainDlg::_ShowMiniFlyout(void)"
},
&ShowMiniFlyout_orig,
ShowMiniFlyout_hook,
false
}
};
const WindhawkUtils::SYMBOL_HOOK hooks2[] = {
{
{
L"public: void __cdecl CVanUI::HideVanUI(void)"
},
&HideVanUI,
HideVanUI_hook,
false
}
};
// The mod is being initialized, load settings, hook functions, and do other
// initialization stuff if required.
BOOL Wh_ModInit()
{
Wh_Log(L"Init");
HMODULE pniduiModule = LoadLibrary(L"pnidui.dll");
if (!pniduiModule)
{
Wh_Log(L"pniduiModule not found");
return FALSE;
}
HMODULE vanModule = LoadLibrary(L"van.dll");
if (!vanModule)
{
Wh_Log(L"vanModule not found");
return FALSE;
}
RunVANUI = decltype(RunVANUI)(GetProcAddress(vanModule, "RunVANUI"));
if (!RunVANUI)
{
Wh_Log(L"RunVANUI not found");
return FALSE;
}
if ( !WindhawkUtils::HookSymbols(pniduiModule,hooks, ARRAYSIZE(hooks)) || !WindhawkUtils::HookSymbols(vanModule,hooks2, ARRAYSIZE(hooks2)) )
{
Wh_Log(L"Failed to hook one or more symbol functions");
return FALSE;
}
return TRUE;
}
// The mod is being unloaded, free all allocated resources.
void Wh_ModUninit()
{
Wh_Log(L"Uninit");
}
|
|
|
Post by wiktorwiktor12 on Apr 9, 2024 17:08:20 GMT -8
just did a quick bit of digging into windows 7 pnidui.dll, seems like connecting to networks relies on pnidui.dll, ill attempt to implement the necessary missing functions into the windhawk mod
|
|
|
Post by wiktorwiktor12 on Apr 9, 2024 17:13:26 GMT -8
nvm, misinterpreted some things, it is just for the connecting animations
|
|
|
Post by wiktorwiktor12 on Apr 9, 2024 18:33:56 GMT -8
i think the issue with connecting is in xwizard.dll (could be xwizards.dll, dont remember exactly), the connect button flow does get to it, havent debugged the function inside it yet, will do so tomorrow
|
|
|
Post by wiktorwiktor12 on Apr 10, 2024 11:09:01 GMT -8
heres a little update on where i am, currently i replaced w10 xwizards.dll with w7 xwizards.dll, i used x64dbg to debug through the differences in execution on both a w7 machine and my w10 machine, i have found that there was a difference in HrGetWizardTypePluginCLSID in xwizards.dll, this is HrGetWizardTypePluginCLSID, as you can see it accesses the registry, on windows 7, there are keys that are not in windows10, after importing them into the registry, i got the function to request the same reg keys as in windows 7, and then when i hit connect, the dialog did not pop up, but rather explorer itself crashed, some progress, going to now debug why it is crashing and fix it
|
|
|
Post by wiktorwiktor12 on Apr 10, 2024 11:43:29 GMT -8
alright i believe something in CTask::RunWizard fails, time to step through it
|
|
|
Post by wiktorwiktor12 on Apr 10, 2024 13:11:44 GMT -8
i have gotten big progress, you can now connect to networks you have connected to before! this dialog pops up and it connects sadly, it only is working for networks you have connected to before, nothing happens when connecting to a new network this was done by doing all the other stuff i've mentioned and replacing xwtpdui.dll with the one from windows 7, along with its mui, and editing the dui70.dll import to dui71.dll i also replaced WLanConn.dll with the one from windows 7, however i don't think it is necessary for it i suspect replacing xwtpdui.dll with the windows 7 one may break some things, so ideally it would be best to try and get it working by using a renamed one and replacing all appropriate references in the xwizard area of the registry to the custom one
|
|
|
Post by ephemeralViolette on Apr 10, 2024 13:20:41 GMT -8
i have gotten big progress, you can now connect to networks you have connected to before! this dialog pops up and it connects sadly, it only is working for networks you have connected to before, nothing happens when connecting to a new network this was done by doing all the other stuff i've mentioned and replacing xwtpdui.dll with the one from windows 7, along with its mui, and editing the dui70.dll import to dui71.dll i also replaced WLanConn.dll with the one from windows 7, however i don't think it is necessary for it i suspect replacing xwtpdui.dll with the windows 7 one may break some things, so ideally it would be best to try and get it working by using a renamed one and replacing all appropriate references in the xwizard area of the registry to the custom one Is xwtpdui.dll still used even? The filename implies DUI, but Windows 10's network flyout isn't DUI at all. The last time DUI would've been used is probably Windows 8 (although I never particularly looked into that). Or is this used by other DUI applications too?
Have you tried patching anything to use Windows 10 dui70 instead of forcing the module to load a separate version? It probably wouldn't impact much, but if anything, it's a potential optimisation to be made.
|
|
|
Post by wiktorwiktor12 on Apr 10, 2024 13:33:09 GMT -8
i have gotten big progress, you can now connect to networks you have connected to before! this dialog pops up and it connects sadly, it only is working for networks you have connected to before, nothing happens when connecting to a new network this was done by doing all the other stuff i've mentioned and replacing xwtpdui.dll with the one from windows 7, along with its mui, and editing the dui70.dll import to dui71.dll i also replaced WLanConn.dll with the one from windows 7, however i don't think it is necessary for it i suspect replacing xwtpdui.dll with the windows 7 one may break some things, so ideally it would be best to try and get it working by using a renamed one and replacing all appropriate references in the xwizard area of the registry to the custom one Is xwtpdui.dll still used even? The filename implies DUI, but Windows 10's network flyout isn't DUI at all. The last time DUI would've been used is probably Windows 8 (although I never particularly looked into that). Or is this used by other DUI applications too?
Have you tried patching anything to use Windows 10 dui70 instead of forcing the module to load a separate version? It probably wouldn't impact much, but if anything, it's a potential optimisation to be made.
xwtpdui.dll is being used i believe as you can see here, it is a type in the types in XWizards, not entirely sure what its purpose is but it is used as i can see it being loaded as a module in x64dbg
|
|
|
Post by wiktorwiktor12 on Apr 10, 2024 13:34:43 GMT -8
also ignore the horrid theming, im using regcool (doesn't like my theme) as regedit is not working properly for me, e.g. importing into the syswow64node for some reason
|
|
|
Post by Brawllux on Apr 10, 2024 13:38:26 GMT -8
also ignore the horrid theming, im using regcool (doesn't like my theme) as regedit is not working properly for me, e.g. importing into the syswow64node for some reason If you used a 7TSP pack please run this command in an elevated command prompt: sfc /scanfile=%windir%\regedit.exe For some reason 7TSP packs break 64 bit version of regedit hence forcing windows to use 32 bit version,making modifications to 64 bit keys not apply at all.
|
|
|
Post by wiktorwiktor12 on Apr 10, 2024 13:41:16 GMT -8
also quick update: replacing wcnwiz.dll with the windows 7 version makes connecting to new networks work more (doesn't show the dialog for the password input, just says it gathers info on the network and then a dialog saying its connecting comes up, and never connects)
|
|
|
Post by wiktorwiktor12 on Apr 10, 2024 13:41:46 GMT -8
also ignore the horrid theming, im using regcool (doesn't like my theme) as regedit is not working properly for me, e.g. importing into the syswow64node for some reason If you used a 7TSP pack please run this command in an elevated command prompt: sfc /scanfile=%windir%\regedit.exe For some reason 7TSP packs break 64 bit version of regedit hence forcing windows to use 32 bit version,making modifications to 64 bit keys not apply at all. ah thanks for telling me, ye that would def be why
|
|
|
Post by ephemeralViolette on Apr 10, 2024 14:07:52 GMT -8
Is xwtpdui.dll still used even? The filename implies DUI, but Windows 10's network flyout isn't DUI at all. The last time DUI would've been used is probably Windows 8 (although I never particularly looked into that). Or is this used by other DUI applications too?
Have you tried patching anything to use Windows 10 dui70 instead of forcing the module to load a separate version? It probably wouldn't impact much, but if anything, it's a potential optimisation to be made.
xwtpdui.dll is being used i believe as you can see here, it is a type in the types in XWizards, not entirely sure what its purpose is but it is used as i can see it being loaded as a module in x64dbg It is indeed related to XWizards (Extensible Wizards). The file description states the purpose more clearly: "Extensible Wizard Type Plugin for DUI".
However, I'm completely unfamiliar with this architecture, so I don't know exactly what "Type Plugin" means. In particular, "plugin" could apply to either XWizards or DirectUI, but given these registry entries, it's probably the former. From this assumption, I would further assume that it is used to provide DirectUI services to the XWizards system, so it's probably unrelated.
I'm thinking the password dialog is implemented via XWizards. In that case, it's likely accessed via a GUID, so that would probably be further registry work.
|
|
|
Post by wiktorwiktor12 on Apr 10, 2024 14:16:47 GMT -8
xwtpdui.dll is being used i believe as you can see here, it is a type in the types in XWizards, not entirely sure what its purpose is but it is used as i can see it being loaded as a module in x64dbg It is indeed related to XWizards (Extensible Wizards). The file description states the purpose more clearly: "Extensible Wizard Type Plugin for DUI".
However, I'm completely unfamiliar with this architecture, so I don't know exactly what "Type Plugin" means. In particular, "plugin" could apply to either XWizards or DirectUI, but given these registry entries, it's probably the former. From this assumption, I would further assume that it is used to provide DirectUI services to the XWizards system, so it's probably unrelated.
I'm thinking the password dialog is implemented via XWizards. In that case, it's likely accessed via a GUID, so that would probably be further registry work.
yes thank you for reminding me, i went downstairs for a drink and completely forgot about the missing components from the registry that i exported, yes i think thatll be it
|
|