
During PDC ‘08, I was passed a note indicating that I should dig
deeper into the bits to discover the snazzy new Taskbar. Upon cursory
analysis, I found no evidence of such and dismissed the idea as
completely bogus.
I got home and started doing some research on a potentially new
feature called Aero Shake when I stumbled upon an elaborate set of
checks tied to various shell-related components, including the new
Taskbar.
Update: Although a newer-looking Taskbar is
present, it’s not exactly what you saw at PDC ‘08. For example, the
Quicklaunch toolbar still exists, Aero Peek doesn’t work properly, and
Jumplists are stale. This is likely why it wasn’t enabled out of the
box, so set your expectations accordingly.
To use these features, which I call “protected features”, you must meet the following criteria:
- Must be a member of an allowed domain
  - wingroup.windeploy.ntdev.microsoft.com
  - ntdev.corp.microsoft.com
  - redmond.corp.microsoft.com
- Must not be an employee with a disallowed username prefix
  - a- (temporary employees)
  - v- (contractors/vendors)
Protected Feature Flowchart (figure)
As checking against these criteria is potentially expensive, in terms
of CPU cycles, the result of the check is cached for the duration of
Explorer’s lifetime (per protected feature). The cached value is stored
in a variable whose space is allocated in the image’s
initialized data section (.data).
Explorer does not initialize these variables at start and checks for
a cached result before performing any checks. I exploited this
behavior by setting the initialized value in the image itself to 1 instead of 0 to bypass all twelve checks.
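To make the flowchart’s logic concrete, here is a portable C model of the gate as this post describes it. This is an added example, not code from Explorer or from the post: the two Windows lookups are replaced by plain string parameters (assumed to be the DNS domain that GetComputerNameExW would return and the account name that GetUserNameW would return), and the cache encoding beyond “0 = unchecked, 1 = allowed” is my own assumption.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Allow/deny lists exactly as the post lists them. */
static const char *const ALLOWED_DOMAINS[] = {
    "wingroup.windeploy.ntdev.microsoft.com",
    "ntdev.corp.microsoft.com",
    "redmond.corp.microsoft.com",
};
static const char *const DENIED_PREFIXES[] = { "a-", "v-" };

/* Case-insensitive equality of up to n characters; stops at the first NUL.
 * DNS domain names and account names compare case-insensitively on Windows. */
static bool ieq_n(const char *a, const char *b, size_t n) {
    for (size_t i = 0; i < n; i++) {
        int ca = tolower((unsigned char)a[i]);
        int cb = tolower((unsigned char)b[i]);
        if (ca != cb) return false;
        if (ca == '\0') return true;
    }
    return true;
}

/* The machine's DNS domain (assumed: what GetComputerNameExW returns)
 * must match one allowed domain exactly. */
bool domain_allowed(const char *domain) {
    size_t count = sizeof ALLOWED_DOMAINS / sizeof ALLOWED_DOMAINS[0];
    for (size_t i = 0; i < count; i++) {
        if (strlen(domain) == strlen(ALLOWED_DOMAINS[i]) &&
            ieq_n(domain, ALLOWED_DOMAINS[i], strlen(domain)))
            return true;
    }
    return false;
}

/* The account name (assumed: what GetUserNameW returns) must not start
 * with a denied prefix. */
bool username_allowed(const char *user) {
    size_t count = sizeof DENIED_PREFIXES / sizeof DENIED_PREFIXES[0];
    for (size_t i = 0; i < count; i++) {
        if (ieq_n(user, DENIED_PREFIXES[i], strlen(DENIED_PREFIXES[i])))
            return false;
    }
    return true;
}

/* Per-feature cache slot as the post describes it: an initialized .data
 * variable that Explorer does not reset at startup. The encoding below is
 * constructed for this example; the post only states that 0 means "not yet
 * checked" and that 1 lets the feature through. */
enum { CACHE_UNCHECKED = 0, CACHE_ALLOWED = 1, CACHE_DENIED = 2 };

/* Gate for one protected feature. The cache is consulted before any
 * lookup, so whatever value the slot holds when the image loads decides
 * the outcome without the domain or username ever being examined. */
bool protected_feature_enabled(int *cache, const char *domain, const char *user) {
    if (*cache != CACHE_UNCHECKED)
        return *cache == CACHE_ALLOWED;
    bool ok = domain_allowed(domain) && username_allowed(user);
    *cache = ok ? CACHE_ALLOWED : CACHE_DENIED;
    return ok;
}

/* Helpers that start from a given initial slot value, so the effect of the
 * slot's initialized value can be observed in isolation. */
bool decision_from(int initial, const char *domain, const char *user) {
    int slot = initial;
    return protected_feature_enabled(&slot, domain, user);
}

int cache_after(int initial, const char *domain, const char *user) {
    int slot = initial;
    protected_feature_enabled(&slot, domain, user);
    return slot;
}
```

The slot doubles as both “has the check run” and “what was the answer”, so once its initialized value is non-zero the domain and username lookups are never reached; that single-variable design is what makes a one-byte change in .data sufficient, and it is why a gate that must actually run would keep an “evaluated” marker separate from the result rather than trusting a plain data flag.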
Why not use a hook to intercept GetComputerNameExW / GetUserNameW?
I thought about building a hook to inject into the Explorer process
upon start, but I grew concerned that legitimate code in Explorer that
uses those functions to perform various legitimate tasks would
malfunction. And I was lazy.
Can I has too? Plz?
Simply download a copy of a tool I whipped up for either x86 or x64
(untested thus far), drop it into your Windows directory and execute
the following commands as an Administrator in a command prompt window:
- takeown /f %windir%\explorer.exe
- cacls %windir%\explorer.exe /E /G MyUserName:F (replacing MyUserName with your username)
- taskkill /im explorer.exe /f
- cd %windir%
- start unlockProtectedFeatures.exe
After changing the protected feature lock state, you can re-launch the shell by clicking the Launch button.