Tuesday, March 31, 2009

Replacing Windows Applications – the Safe Way

[This post courtesy of Ian Prest]

Many folks are probably familiar with the System Internals Process Explorer, which enables users to see all the processes on the system, and provides much more detail than the built in Task Manager that comes with Windows.

One of the neat features of Process Explorer is the option to replace Task Manager so when you (or the system) launches Task Manager, Process Explorer opens instead:


You may also notice that once you have replaced it, that you can simply un-replace it.  You might think that under the covers this is replacing taskman.exe with procexp.exe.  It is not.  Windows Protection will replace procexp.exe with taskman.exe at it’s next available chance.  What Process Explorer is actually doing, is “faking” to debug Task Manager.

This is a much better way to replace applications in Windows, because it doesn’t actually touch the original executable.  Instead it launches the “debugger” application and passes in the path to the original executable as the first argument.  Process Explorer just swallows this argument and launches itself instead.

So let’s say that you’re more of a fan of Notepad2 instead of Notepad (due to the awesome text highlighting), and you’d rather windows launch Notepad2 instead of Notepad when opening things in clear text.  You can manually do what Process Explorer does programmatically.

Warning: Editing the Registry can cause serious problems and the utmost care should be taken.  I am not responsible for a broken machine.

Here is how we can do this.  Assuming you downloaded and installed Notepad2, follow these steps:

  1. Open Regedit, and navigate to this location: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
  2. Create a new KEY for the name of the executable, for example “Notepad.exe” (without the quotes).
  3. In this new Key, create a new string value called “Debugger” without the quotes, and give it the value of the path to Notepad2. E.g. “c:\Program Files\Notepad 2\Notepad2.exe”

At this point you can run “Notepad.exe” and you’ll notice that Notepad2 opens with all sorts of garbage in it.  This is because Notepad2.exe is passed the path of Notepad.exe, and Notepad2 is opening Notepad.exe for editing.  Clearly we don’t want this, so we can use a “/g” which is a Notepad2 command to go-to line.

  1. Change the “Debugger” string to “c:\Program Files\Notepad 2\Notepad2.exe /g”

Now Notepad2 will be launched with the command to go to line “c:\windows\notepad.exe” which it translate to line 0, and you have a blank document. Voila!

Moral of the story, if you can tell the application your launching to ignore the argument after it, you can launch the application instead of the built in Windows Application, such as Notepad.exe

Want to go back to the built in application? simply delete the “Debugger” string-value.

Why is this better than replacing the executable itself?

  1. You keep the original file, so you can always go back to it
  2. You don’t have to worry about Windows Protection
  3. You don’t have to reboot

No comments: