So, a quick reply.
>just write 100 lines of code in 1 or 2 hours
EnumWindow, check window states and save them, then ShowWindow (sync), something like this;
for me that is easier than the "WinDbg" things.
>- do you modify the checksum of the explorer file after modifying it? I suppose yes, but you don't say that, so I ask ....
Yes, 0f85xxxxx -> 0f84xxxxx, and `PEchecksum.exe explorer_modifed.exe`.
>- can you see something with procmon64, or make a saved .PML file?
I will try this.
>note: as I understand the code and my test, it is also the first jne that must be disabled, not only the second. The flag is base + 2F9 in build 14393. And I don't know the role of Base+2F8.
Sorry, I had a typo in it. I changed the first jne, not the second one.
(I learned the WinDbg skill from you; I followed the Tray::ModeChange message to get the BASE+171h in my version, and it is the first check in Tray::_RaiseDesktop.)
>use an exe and hook.dll to do that "dynamically" and put it in early posts
I changed the BASE+171h, or the jne to je, "dynamically" with Visual Studio. That also worked.
>twice 6 "NOP"s (one for each jne) seems to me to be better, because "je" needs to calculate the "delta" of the offset.
I will try the 909090909090.
Thanks again for sharing your research (also the process), and how to disassemble explorer.exe with WinDbg.
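The patch-then-fix-checksum step discussed in this reply (six NOPs over a 6-byte `jne rel32`, then a corrected PE header CheckSum so the file is not rejected as corrupt), as an added Python example that is not code from the thread. It runs on a constructed minimal PE image; `JNE_OFFSET` and the checksum routine are my assumptions, not offsets or tooling from any real explorer.exe build.

```python
import struct

CHECKSUM_FIELD = 88   # OptionalHeader.CheckSum, relative to the "PE\0\0" signature
JNE_OFFSET = 331      # where the constructed image places its 0f 85 jne (assumption)


def build_sample() -> bytearray:
    """Constructed stand-in for a patched binary: DOS stub, PE32+ headers, tiny code stub."""
    pe_off = 0x40
    dos = bytearray(b"MZ" + b"\0" * 58) + struct.pack("<I", pe_off)   # e_lfanew at 0x3C
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    opt[0:2] = struct.pack("<H", 0x20B)                               # PE32+ magic
    code = b"\x48\x85\xc0" + b"\x0f\x85\x10\x00\x00\x00" + b"\xc3"   # test rax,rax / jne +0x10 / ret
    return dos + coff + opt + code + b"\0" * 2


def pe_checksum(data: bytes) -> int:
    """Recompute the header CheckSum: carry-folded word sum over the image (the
    CheckSum field itself skipped) plus the file length."""
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    skip = pe_off + CHECKSUM_FIELD                    # assumed dword-aligned, as in practice
    padded = data + b"\0" * (-len(data) % 4)
    checksum = 0
    for i in range(0, len(padded), 4):
        if i == skip:
            continue
        checksum += struct.unpack_from("<I", padded, i)[0]
        checksum = (checksum & 0xFFFFFFFF) + (checksum >> 32)
    checksum = (checksum & 0xFFFF) + (checksum >> 16)
    checksum += checksum >> 16
    return (checksum & 0xFFFF) + len(data)


def checksum_valid(data: bytes) -> bool:
    """True if the stored CheckSum matches a fresh computation."""
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    stored = struct.unpack_from("<I", data, pe_off + CHECKSUM_FIELD)[0]
    return stored == pe_checksum(data)


def nop_out_jne(image: bytearray, jne_offset: int) -> None:
    """Replace a 6-byte jne rel32 (0f 85 rel32) with 90 x6 and rewrite the CheckSum.
    Refuses to touch anything that is not a jne rel32, so a wrong offset cannot corrupt code."""
    if image[jne_offset:jne_offset + 2] != b"\x0f\x85":
        raise ValueError("no 0f 85 (jne rel32) at offset 0x%x" % jne_offset)
    image[jne_offset:jne_offset + 6] = b"\x90" * 6
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]
    struct.pack_into("<I", image, pe_off + CHECKSUM_FIELD, pe_checksum(bytes(image)))
```

Unlike a jne-to-je swap, the NOP fill needs no rel32 recalculation, and `checksum_valid` is the check to run before deploying the edited file.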