Tuesday, December 30, 2008

An interesting Windows feature

This one has been around forever (possibly since Windows 95), but it just so happens that I stumbled over it recently:

You can use the "desktop.ini" file to (amongst other things) change the name that Explorer displays for a folder. This also affects other file navigators that are based on Explorer, like Windows Total Commander or Free Commander. To do so, create a desktop.ini file in the folder and set, for example, the LocalizedResourceName property.

I found the following page listing the possible options: Desktop.ini - List of keywords, documentation, downloads, tips, examples and utilities. The MS documentation is quite lacking from this point of view.

Another interesting section is "DeleteOnCopy", which - as the name suggests - gets deleted whenever the file is copied using the copy routine from Windows Explorer (which, again, can mean that other programs behave this way, not just Windows Explorer - for example, this behavior is present in Free Commander).

What does this mean in the end? Another avenue for malicious obfuscation and something else to be aware of when doing forensic analysis on computers.
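For the forensic side, here is an added example (not part of the original post) that walks a directory tree and reports folders whose desktop.ini sets LocalizedResourceName or contains a DeleteOnCopy section, so the on-disk name can be compared with the displayed one. The function names and the sample tree are constructed for illustration; it assumes the property sits in the usual `[.ShellClassInfo]` section.

```python
import configparser
import os
import tempfile


def read_ini(path):
    """Parse a desktop.ini, which may be ANSI or UTF-16 with a BOM."""
    with open(path, "rb") as fh:
        raw = fh.read()
    utf16 = raw.startswith((b"\xff\xfe", b"\xfe\xff"))
    text = raw.decode("utf-16" if utf16 else "utf-8-sig", errors="replace")
    cp = configparser.ConfigParser(strict=False, interpolation=None,
                                   allow_no_value=True)
    cp.read_string(text)
    return {name.lower(): cp[name] for name in cp.sections()}


def audit(root):
    """List folders whose desktop.ini renames them or carries [DeleteOnCopy]."""
    findings = []
    for folder, _dirs, files in os.walk(root):
        ini = next((f for f in files if f.lower() == "desktop.ini"), None)
        if ini is None:
            continue
        try:
            sections = read_ini(os.path.join(folder, ini))
        except configparser.Error:
            findings.append({"folder": folder, "error": "unparsable desktop.ini"})
            continue
        shown = sections.get(".shellclassinfo", {}).get("LocalizedResourceName")
        wiped = sorted(sections.get("deleteoncopy", {}))
        if shown or wiped:
            findings.append({"on_disk": os.path.basename(folder), "folder": folder,
                             "displayed_as": shown, "delete_on_copy": wiped})
    return findings


def demo():
    """Run the audit over a constructed sample tree (not real evidence)."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "tools_x"))
    sample = ("[.ShellClassInfo]\r\nLocalizedResourceName=My Documents\r\n"
              "[DeleteOnCopy]\r\nOwner=user\r\n")
    with open(os.path.join(root, "tools_x", "desktop.ini"), "wb") as fh:
        fh.write(sample.encode("utf-16"))  # constructed sample, UTF-16 with BOM
    return audit(root)


if __name__ == "__main__":
    print(*demo(), sep="\n")
```

On a mounted image, call `audit()` on the mount point; any entry where `displayed_as` differs from `on_disk` is a folder that Explorer shows under a different name.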

PS. Two interesting side notes: if you search for desktop.ini, you will find a list of sites which were created (at least partially) with Windows :-). Also, it has been used by some viruses as a way to start themselves.

