IconCache: Max Cached Icons DataType Reverting Incorrectly from STRING to DWORD **SOLUTION**


In a hurry?.. scroll down to "HERE's HOW TO DO IT" Section.

Greetings All,
I was going to post this as a question/solution, but it seems more appropriate as an article considering its length.  I felt it important to elucidate all the details carefully, considering the rampant questions appearing everywhere on the internet.  This article should demystify a great deal about this issue.

There is a lot of brouhaha on the net about implementing Microsoft Windows icon cache size fixes that seem to work only for some and not others.  There's a lot of confusion and dangling questions out there, with no viable solution.

What the heck is up with that anyway??!
Well, here's the real poop, and a fix for your not-so-cooperative icon cache in Windows.
Oh, and for once... its not Microsoft's Fault ;^)

You probably found this little article because you have read that setting a value for Max Cached Icons in your registry will speed up (and smooth out) operations on your Windows PC.
In fact, without a working icon cache Explorer has to re-extract icons from their source files every time it draws them, so Windows starts up and operates noticeably slower; the cache is a primary feature of the shell.

that is leaving folks unsatisfied and/or confused, and just plain stuck.

Even after you implement a proper solution (like Kelly's, for instance),
!! XP WILL revert the "datatype" for "Max Cached Icons"
from a String (REG_SZ) datatype (which is, without question, the correct datatype)
to a DWORD (REG_DWORD) datatype
***under [un]certain conditions***.

BUT not only that -->> if you are a victim of this particular problem, it is likely you are looking for a solution because the native feature in Windows was already broken by this problem before you applied any adjustments of your own!!


WHY??!
***It is little known that some Widcomm (Broadcom) Bluetooth drivers, even some newer ones released after the issue was supposedly addressed in previous versions, change some values in the registry incorrectly, ...this critical value being one of them!! AH HA!!

You can read all about it here (thank you so much, pincholas at PC Advisor!):
Widcom Driver Bug - PC Advisor

..And who knows whose drivers might impose this problem (now or later?) - I see so many complaints everywhere about how editing the Max Cached Icons value is not working for people.  And if you have a wacky driver and cannot get the right one installed, you are stuck, period.

I looked all over the freaking internet and just when I was about to give up (somewhere near the end of the internet, I am sure [it said epilogue or something at, like, webpage kagillion or something...]) I found pincholas' posting.  After testing I was able to determine that this was indeed relevant to my issue.  Why just about no one else is posting about this, who knows, but it is plainly apparent that this is the problem so many are facing with no proper answer.

  After updating my drivers (time of this posting Feb 2010) I continued experiencing the problem ...<hhrrumph>...
  To top it off, if you have the datatype issue referred to herein, it's even worse, because the native iconcache.db feature in Windows ends up going totally unused, i.e., the problem defeats a basic essential function in Windows, so your system is constantly polling and creating icons in all relevant places as you work (desktop, menus, windows, open/save dialogs, etc.).

(..little steam release first...)
   I was really miffed that even after updating I could not get past this issue... so what?.., if you want to use the Bluetooth that comes built in to your spanking new hot-rod system you have to simply put up and shut up with lousy performance, because some essential component insists on breaking a fundamental and critical feature of your operating system, ...no matter all the money you laid down for your power system???!
   And it really does add significantly to your overhead (major time consumption, this seemingly little issue of icons) ...to have to live with constant rebuilding of icons - a 'primary' component in any graphical user interface, no matter the operating system.

Ahem, okay Sooooo....

After finally sussing the correct understanding, without question, for the correct datatype to use,
 ...AND then when and how the problem occurs...

***I ended up creating a BATCH FILE for automatically resetting my desired registry entry ...that runs whenever Explorer loads or unloads (well, pretty much... for now, at every logoff and logon); and so far my iconcache.db file is staying set and being used by the system correctly (seemingly), in spite of would-be bugger-uppers that keep insisting on inappropriately changing my registry.***

{HTH Dict: bugger-uppers... plural of noun 'bugger-upper', from the verb tense "to bugger up", based on pronoun 'nasty buggers', generally those who impose damage carelessly with impunity
...or something along those lines...}

I am still testing for the best timing for running my batch, but it's doing okay for a few days now with the current parameters; so since I've come this far, and there's scant help for addressing this out there, I thought it does well to share this with others asap.

Below is the news (how-to) so far. I'll update if needed.
It's only a single line of code really, but implementation is a little convoluted.
I have provided expert and newbie approaches to try to make it easy for anyone.
I hope you find this useful.
Thanks to all who have contributed in the spirit of sharing.
Best to all,
TwoHawks / HTH


Registry Editing Standard Disclaimer and Warning: Without rambling on about it... if you found this article then you have already read that this has to do with registry editing, and how that can be potentially dangerous to your system, and it is incumbent upon you to be careful, pay attention, back up, etc.
So you have been warned.

That said, this little bit of code is basically harmless, and should work on any version of Windows... 95 thru Windows 7.  (Wellll... your mileage may vary if you are using really old versions I could not test on... if you do run into a wrinkle you should be able to iron it out with a little added Googling if need be.)  One wrinkle to know about on Vista and 7: the value lives under HKLM, so the batch has to run with administrator rights (an elevated command prompt, or a policy that runs it as an administrator); run under a plain user token, reg.exe reports "Access is denied" and nothing changes.

Caveat: This fix relies on REG.EXE, which is not natively included on versions of Windows prior to XP, ..so if this is you, then you need to get it and install it...
Quote from Microsoft:
The registry can be manipulated in a number of ways from the command line. The reg.exe utility tool is included in Windows XP and later versions of Windows. Alternative locations for legacy versions of Windows include the Resource Kit CDs or the original Installation CD of Windows.

If nothing else, hunt it down at MS, or try heading on over to Daniel Petri's site and pick it up there...

You can test to see if you have REG.EXE installed already by opening a command prompt
 - Go to Start: Run: type CMD: hit Enter
 (older Windows versions use COMMAND instead of CMD)
Then in the command window type
   Reg /?

{Can't find Run?  Try Win-R.  That's the Windows logo key plus the letter R on your keyboard. Thank you Windows for making things easier and safer by removing that from view/access by default.}

If REG.EXE is installed, its command usage will be displayed. If not, you will see an error reported ("'reg' is not recognized as an internal or external command, operable program or batch file.").

The SHORT VERSION (for experts):
You will create a command batch file and add it in 2 Group Policy locations so it runs at logon (*after Explorer loads) and logoff (*after Explorer unloads).  The timing is important because you need to re-address the entry right after it gets buggered (that's technical jargon for 'buggered'), or the fix won't work.  

(I'm still monitoring this because although it supposedly only happens after Explorer loads or unloads, I swear I have seen it happen at other times as well.  So this is not finalized, but it's a good start, and on track, anyway.)

1) Create a batch file and give it the extension ".cmd"

2) Open it in your favorite text editor
 - and place the following line in there

REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer /v "Max Cached Icons" /t REG_SZ /d "3072" /f

 - edit the quoted number to your liking
 - and save it.

The above line may be wrapped. It starts with "REG" and ends with "/f"... be sure to copy the whole thing exactly.  (/t REG_SZ is what forces the string type; /f overwrites the existing value without prompting.)

I use number schemes 1024, 2048, 3072, 4096, 5120, 6144, 7168, 8192, etc.
..but I am sure you could use 2000, 3000, etc., as well.
Try lower numbers first (starting at 20xx), and gradually increase until it feels right as you test it.

I am somewhat of a power user and 3072 to 4096 neighborhood is working well for me during early testing... on XPSP3, with 16 Windows open, traversing All of Start Menus, Opening 6 programs and traversing Open/Save Dialogs (generally speaking). I am also running context-menu and window enhancements to Explorer that allow me to traverse directories from just about anywhere, heavy use of which was also included in my testing.  Of course, when  I am coding (or whatever) I will start getting way more windows and apps going, but I don't yet know that that will definitely necessitate raising the number, and I like to be conservative for starters.

  As implied, I'm a bit conservative, so conversely, if you are using all kinds of different icon views and have other related enhancement features turned on that may put more 'iconage' in your working environment, then I would recommend starting your testing at 4096.

Just remember that the larger the iconcache file, the more time the system will spend "in it" when it is 'polling' it for icons, so keeping its size down to "just over what you need" will result in the best performance, imho.

3) Open the Group Policy Editor (Start: Run: gpedit.msc) and add your newly created command batch file to the following Group Policies:

a) Computer Configuration: Administrative Templates: System: Logon: Run these programs at user logon
b) User Configuration: Windows Settings: Scripts (Logon/Logoff): Logoff

Ahem... don't have Group Policies?  No worries... check the newbies section below for a workaround ;^)
DONE WITH INITIAL SETUP.   ...now on to testing...
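A fuller version of that one-line batch, as an added example (not the article's own script; it stands in for the single REG ADD line in both the short version above and the newbie version further down). It re-asserts the value exactly the same way, but first records, with a timestamp, whether the value was actually missing or of the wrong type, so each flip in the log can be matched against whatever driver or service rewrote it, and it reports a failed write instead of silently doing nothing, which is what you will see on Vista/7 if the policy runs it without administrator rights. The log path and the 3072 figure are my own choices; change them as you like.

```batch
@echo off
rem Added example, not the article's script. Re-asserts "Max Cached Icons" as
rem REG_SZ, but first records, with a timestamp, whether the value was actually
rem missing or of the wrong type, so each flip can be matched against whatever
rem driver or service rewrote it. Also reports a failed write instead of
rem silently doing nothing.
setlocal
set "KEY=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer"
set "VALUE=Max Cached Icons"
set "WANT=3072"
rem Assumed log location; any path the logging-on user can write will do.
set "LOG=%SystemDrive%\MaxCacheIcons_Reassertion.log"

rem reg query prints the value's name, type and data on a single line, e.g.
rem     Max Cached Icons    REG_SZ    3072
rem tab-separated on XP, space-separated on Vista/7. findstr only succeeds when
rem that line contains the expected type; after a pipe, errorlevel is findstr's.
reg query "%KEY%" /v "%VALUE%" 2>nul | findstr /C:"REG_SZ" >nul
if errorlevel 1 echo %DATE% %TIME%  "%VALUE%" missing or not REG_SZ - reapplying>>"%LOG%"

rem Written unconditionally so a changed WANT takes effect as well.
rem /t forces the string type and /f overwrites without prompting.
reg add "%KEY%" /v "%VALUE%" /t REG_SZ /d "%WANT%" /f >nul 2>&1
if errorlevel 1 (
    echo %DATE% %TIME%  reg add failed - HKLM needs administrator rights>>"%LOG%"
    exit /b 1
)
exit /b 0
```

Run it once by hand from an administrator command prompt to confirm the write succeeds, then point the two policy entries at it; afterwards the log tells you at which logon or logoff the type had flipped, and a "reg add failed" line means the policy is running the script without the rights it needs.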

TESTING SECTION (pros and newb's)
To Test, Basically:
1 - Adjust the number in the file you made (Newb's: open My Computer (or Computer) and then open the root volume -> "Drive C:" in most cases, to find your file, right-click on it and select Edit, make your change, then save it [not Save As, simply select File: Save], then close the text editor)

2 - Delete your IconCache.db file: on XP it is a hidden file at C:\Documents and Settings\<userprofile>\Local Settings\Application Data\IconCache.db (on Vista/7, %LOCALAPPDATA%\IconCache.db); turn on showing hidden files in Folder Options if you can't see it
 .- or delete your ShellIconCache file in your C:\Windows or C:\WinNT folder (older Windows versions, see below)

3 - Log off and then back on  (older versions, restart, see below)

4 - Test: open windows and traverse menus and open/save dialogs (i.e., go lots of places in order to "initialize" the iconcache file)

5 - Log off and then back on and "test" again -->>

6 - Test thru a restart or two as well

7a - Note the performance: this is the general performance you can expect to experience at the current setting.  After you log in, your desktop icons should appear straight away, all together (pretty much), rather than slowly filling in piecemeal... Same thing in windows and menus, etc.  Everything should be fairly snappy from the outset ;^)
7b - Note the iconcache file size: I don't yet know if/how this file may resize itself over the course of days, etc.  I'm still looking at how that performs or may change, but noting the size as you test is definitely relevant.

8 - Now set a different number in your file and start testing again (from #1) to compare how another setting performs.  

When its running the way you like, you are...
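The test loop above (steps 1 to 3), scripted as one command so every iteration is identical; this is an added example, not part of the article. It records what reg.exe currently reports for the value and the size of the existing icon cache (step 7b), deletes the cache, and, only when started as IconCacheTest.cmd /logoff, logs you off so Explorer rebuilds the cache under the current setting. The cache path is %USERPROFILE%\Local Settings\Application Data\IconCache.db on XP and %LOCALAPPDATA%\IconCache.db on Vista/7; the log file name is my own choice.

```batch
@echo off
rem Added example, not the article's script: one iteration of the test cycle.
rem Records the registry value as reg.exe sees it and the cache size, deletes
rem the cache, and optionally logs off so it is rebuilt under the current setting.
setlocal
set "KEY=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer"
rem Assumed log location.
set "LOG=%SystemDrive%\IconCacheTest.log"

rem XP keeps the per-user cache here, as a hidden file; Vista/7 define LOCALAPPDATA.
set "CACHE=%USERPROFILE%\Local Settings\Application Data\IconCache.db"
if defined LOCALAPPDATA set "CACHE=%LOCALAPPDATA%\IconCache.db"

echo ==== %DATE% %TIME% ====>>"%LOG%"

rem Name, type and data on one line: confirms whether the type is still REG_SZ
rem at this point of the cycle.
reg query "%KEY%" /v "Max Cached Icons">>"%LOG%" 2>&1

if exist "%CACHE%" (
    rem %%~zF expands to the file size in bytes, the figure step 7b asks for.
    for %%F in ("%CACHE%") do echo IconCache.db before delete: %%~zF bytes>>"%LOG%"
    rem del will not remove a hidden file until the attribute is cleared.
    attrib -h "%CACHE%"
    del /f /q "%CACHE%"
    if exist "%CACHE%" echo WARNING: could not delete IconCache.db>>"%LOG%"
) else (
    echo IconCache.db not present - the cache is not being used>>"%LOG%"
)

rem Log off only on request, so the script can also be used as a plain check.
if /i "%~1"=="/logoff" shutdown -l
exit /b 0
```

Run it without the switch between steps whenever you just want the current type and cache size written to the log; a run that logs "IconCache.db not present" right after a full session of traversing menus is the symptom the article describes, the cache not being used at all.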



In all the shooting I lost track of where/when exactly log ins/outs vs restarts may be necessary or significant, but I've been pretty lucky ;^).   Generally speaking...,

 In XP and above, each user's profile has its own IconCache.db file, and that's not dependent upon initial system loading, so logging on/off is fine; except I am still tracking some uncertain behavior (as mentioned in my opening) so need to test both (mostly logins/outs with occasional restarts);

**however, older systems using the ShellIconCache file located in the Windows folder, not the user's profile folder, should 'require' restarts for rebuilding, and may even require booting into safe mode in order to delete the file.

Per that last issue, you can find a delete-on-boot (or restart) utility on the internet somewhere that will alleviate the need to boot to safe mode ;^)

If you use Kelly's excellent tweak for the Folder Options selector, you can either edit the reg file provided so it includes your desired settings, or uninstall it altogether, as it's not really needed or useful anyway if you are having to use this fix.

Whew... who'd-a thunk it would require so much attention to apply a fairly meager fix!...
 ...thank you Broadcom for addressing this, and then not keeping up with it after you know about it... ::jeez::...
{hey, could've been worse, ...we may never have discovered the source of this issue !!}

Okay then, Now The Long Version (for newbies)
::sip of coffee::

We are going to create the 2 files you need. One will be used for setting up the policies for you (without you having to figure out the Group Policy Editor stuff).  The other one is the actual settings file (command batch file) that you will test and tweak.  
  If you are concerned about editing the registry (and you should be), get a friend with moderate experience to safely help you ;^)
{Moderate experience means they'd read this and say, "oh yeah, I get that, no problem" ;^}


1) Open 'My Computer' (or 'Computer') and then open the root volume..., "Drive C:" in most cases.

2) Right-Click in a blank space in the window pane on the right side (i.e., not directly on any files or folders) to present/access the 'Context-Menu'
 - navigate the Context-Menu to "New: Text Document"
 - and then left click on that last bit ...to create a new file for editing.

3) Type in a Name and hit Enter: it can be anything, for instance, "MaxCacheIcons_Reassertion" (without the quotes) is the name I will use here.
   If you see ".txt" on the end of the name, leave it on there for now (don't delete it).  
   If you don't see it, don't concern yourself.  

4) Now double-click the file to open it for editing (BUT ONLY IN THIS STEP - once the file has been saved with the .cmd extension, double-clicking will run it rather than open it, so in future you will have to use the right-click menu: Edit for editing this file).  
 It should open in Notepad.  
 !!! If it doesn't, then something is amiss.  You should have created a "text" document.  
 Do not continue until you have a text file that, when you double-click it, opens in Notepad!

5) Paste the following line into the file you just opened:

REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer /v "Max Cached Icons" /t REG_SZ /d "3072" /f

The above line may be wrapped in this post. It starts with "REG" and ends with "/f"... be sure to copy the whole thing exactly.

During testing I used number schemes 1024, 2048, 3072, 4096, 5120, 6144, 7168, 8192, etc.
..but I am sure you could use 2000, 3000, etc.
Try lower numbers at first (starting at 20xx), and while testing gradually increase until it feels right.
I am a power user and the 3072 / 4096 neighborhood works well for me (on XP) so far.

6) Save your file: ***do not do a regular save***, but do this instead...
 - Go to the Menu: File: Save As
 - In the "File name:" box appearing near the bottom, where you should see your file's name
   **Surround the filename with double quotes, and be sure it ends in .cmd
   example:  "MaxCacheIcons_Reassertion.cmd"   ...WITH the quotes
 - Click the Save button to save this file onto your Drive C:
 - Close the Notepad editor

Saving with the name in quotes stops Notepad from tacking .txt onto the end, so the file is saved as exactly MaxCacheIcons_Reassertion.cmd; the .cmd extension alone is what makes Windows treat it as a command batch file rather than a text file.  Hmmm... I am fairly certain older versions of Windows behave the same way but I cannot test here.  If you have problems saving the file with the correct extension, then see "FILE TYPE ISSUES SECTION" below, sort it out, and then continue on to Step #7...

7) If you know how to handle the Group Policy Editor (check it out at Start Menu: Run: type gpedit.msc, Enter) then continue with the short version instructions above until DONE, and that's it.  If not (or if it's not installed in your version of Windows [XP Home users]), following is a direct/easy method for setting the policies up in your registry...
  {oh yeah, Win-R on your keyboard is the same as "Start Menu: Run:" }

.....***OR DO IT THIS WAY INSTEAD***....
Create a second text file, following Steps 1 thru 4 above;

however, this time use a name something like
 - "Iconcache Policy Keys"  ...withOUT the quotes.

You should now be in the Notepad editor...

8) Copy and paste the code below into this file.  
Note, the first line will be different in versions of Windows prior to 2000, as indicated:
Select the relevant first line, deleting the other one, and deleting the ";..comment portion.." as well in the chosen line.  (regedit will not import a file whose version header has trailing text, and every value it sets has to sit under a [HKEY_...] key line; otherwise nothing is imported.)
For example, in XP the first line is simply
Windows Registry Editor Version 5.00

;=====Begin File (don't use this line)=============
Windows Registry Editor Version 5.00 ;<<-- First Line for Windows NT5 +, 2000 +, XP, Vista, & 7
REGEDIT4 ;<<-- First line if you use Windows 95, 98+, or NT4

"Script"="Reset MaxIconCache datatype"

;=====End File (don't use this line) =============

9) To save, ***do not do a regular save***, but instead do this...
 - Go to Menu: File: Save As
 - In the "File name:" box appearing near the bottom, where you should see your file's name
   **Surround the filename with double quotes, and be sure it ends in .reg
   example:  "Iconcache Policy Keys.reg"   ...WITH the quotes
 - Click the Save button
 - Close the Notepad editor

Saving with the name in quotes stops Notepad from appending .txt, so the file is saved as exactly Iconcache Policy Keys.reg; the .reg extension is what makes Windows treat it as a Registration Entries file for regedit (not a command batch file).  Again, I am fairly certain older versions of Windows behave the same way but I cannot test here.  If you have problems saving the file with the correct extension, then see "FILE TYPE ISSUES SECTION" below, sort it out, and then continue on from here.

10) Now go to your "My Computer: Drive C:" to find the file you just made...
 - Double-click it in order to merge those settings into your registry
 - click OK when prompted (on Vista/7, regedit asks for elevation first)

DONE WITH INITIAL SETUP.   ...now on to testing -->>

NEXT:  SEE TESTING SECTION (ABOVE in Expert Section) for running your tests and adjusting your desired settings.


FINI  !!

The above procedures should work for all versions of Windows; however, I am not absolutely certain about Windows 95 (it's been so long), but it can't hurt.
If your drive letter (or file paths) are different in any of that, then you need to adjust the code accordingly.


FILE TYPE ISSUES SECTION
If you had trouble saving to the correct file type in Step 6 (or Step 9) above, then try this instead...

#X) To save, ***do not do a regular save***, but do this...
 - Go to the Menu: File: Save As
*Observe the "Save as type:" drop-down menu appearing below the "File name:" box near the bottom, where you should be seeing your file's name...
 - Click on the down-arrow at the right-hand end of the "Save as type:" menu
 - Select "All files"
 - In the "File name:" box
   just be sure your filename ends with .xxx (where xxx is the relevant extension from the directions you are following above); with "All files" selected the quotes are no longer needed
   example:  MaxCacheIcons_Reassertion.cmd
        or:  Iconcache Policy Keys.reg
 - Click the Save button to save this file onto your Drive C:


Comments (4)

Jenn Prentice, Content Manager

Thanks for this article, twohawks. It's very informative and should have a lot of SEO value as well.  (Nice use of keywords)
Thanks for taking the time to write! I know Articles can be a time intensive process!
-Jenn Prentice
EE Content Coordinator


Thank you, Jenn !

....there's more to come...


Followup 1:  ...oh have mercy...

All righty then...,
Well, I have been testing and running into some further 'caveats' to my initial post.
Oh, everything works... for what it's targeting, but the reg-key value is still subject to abuse under certain other circumstances.  ::sigh::

The above posting has essentially to do with:
 - understanding some possibilities for why the problem is persistent (with a shameless rant)
 - addressing it with semi-automated methods for simply re-applying the corrected registry key value at seemingly relevant critical moments/events
 - including a guide for tweaking and testing
 - audience is newbie to advanced
 - all windows versions

[b]HOWEVER, sometimes the regkey value datatype is still changed even without logging off/on !?[/b]  So unfortunately, the above implementation will not address all situations.

These other relevant circumstances/events may (or may not) be
 - when screensaver kicks in/out, or
 - upon lock/unlock
 - upon remote access login/out.

 ...I am also trying to track an instance I have been unable to catch that is causing mine to change simply "when I am not looking `8^0

Attempting to set more of our 'simple' Group Policies will not work for these events,
...which leads to investigating what other options are left.  
There are actually several options still available..., a few simple ones, and then some 'more nerdy' ones.

My main focus here is on additionally 'catching' the "unlock event", i.e., those circumstances when you didn't necessarily log off, but you need to enter your credentials to resume, as this is easiest to implement and probably sufficient enough for most needs.

However, what if the regkey value changes either if the computer never locks, or during a long absence while it is locked (so that when you finally do login the system is having to poll for icons even though the registry value is being reset), ...or some other random trigger ??

Well, there are other events we can catch, or monitoring methods we can use, that can address these situations, so I cover those here as well ;^)

SO below I will look at:
 - event triggers and/or object auditing (not as esoteric as it sounds)
* - reg key monitoring (possibly my favorite)
 - Winlogon Notification (DLL triggering)
 - Service Control Manager (SCM) (service trigger option)
 - System Event Notification Service (SENS) triggers
 - Windows Management Instrumentation (WMI) event triggering

Yeah, I know... long, boring "wade thru" (if you approach it that way),
but consider, if you are struggling to take back control you just might find some good info and pointers here ;^)


[b]1a) Use the Task Scheduler:[/b] One thing to try in order to address these other types of events is to simply schedule your batch to run periodically, using the Windows Task Scheduler.
 ..and yer done.  
 Applies to all Windows versions.  
 I don't like this option because I don't want to rely on arbitrary scheduling (the value can sit broken until the next run comes round), but there you go.

[b]1b) Monitoring with a script:[/b] There is a relevant method cited near the end that uses a simple VBScript (it ties into WMI, but there are other ways to do it too).  
 This works just fine; however, the problem with this is it has to be running and monitoring all the time, so it's not my first choice or recommendation.  

[b]EVENT TRIGGERS and/or OBJECT AUDITING: A bit more obscure for the average user, but possibly the simplest and easiest approaches, and some completely alleviate needing to use some of the Group Policy methods previously laid out.[/b]

[b]2a) Event triggering for Vista and up:[/b] Another option for Vista and above is to use the "Attach Task To This Event" feature in Event Viewer for triggering your 'script' (batch) upon an unlock/lock/other event.
If you Google the 4 words Attach Task Event Vista, you will find countless resources for learning about this.  The following references should get you well started...

Daniel Petri wrote a very simple and concise tutorial to help get you started.  
You can view that here...

Greg Schultz at TechRepublic wrote two very informative and helpful articles on this subject as well:

[b]2b) Event triggering for XP and 2K3:[/b] XP and Win2K3 users, don't give up yet -->> you do have an option related to the one mentioned above.  MS provides us with the "eventtriggers" command, which runs a task (our batch) whenever an event with a given id is written to a chosen event log.
You can read about what it is here:

Learn about it here: Again, thanks to Daniel for posting this article (credited to Sarah Seftel) for a simple explanation/tutorial/example:

In order to set this up for our purposes (based on the batch provided in my original post) we are going to have to do 3 things:

1) turn on auditing for logon events in the event log via the Group Policy Editor
 - Start: Run: gpedit.msc
 - Navigate to: Computer Configuration: Windows Settings: Security Settings: Local Policies: Audit Policy: --> Audit logon events ..open and set the Success checkmark
 - Start: Run:  "gpupdate /force"    (without the quotes ...to apply the change without restarting)

2) go to the Security event log to obtain the event id you want to use
   In this example I want to obtain the unlock event id for my version of Windows...
 - Do Win-L to lock the computer (or you can do it with Ctrl-Alt-Del and select Lock)
 - Log back in
 - Start: Run: eventvwr.msc  (to open Event Viewer, or you can do so from Administrative Tools in the Control Panel)
 - Click on Security in the left column
 - Peruse the audit events in the right window pane to find the event, and its id, that you want...
For unlocking XP (mine) I found 528 and 538.  I can use either of those.
(Bear in mind that on XP, 528 is "Successful Logon" for more than just unlocking: an unlock shows Logon Type 7, but interactive, service and batch logons raise 528 as well, so a trigger on 528 also runs the batch at those moments.  That is harmless for this script, but it explains extra runs if you are keeping a log.)

3) Create the event trigger
**be sure to first see the article cited above for details**

Example event trigger command I tested on my XP platform:

eventtriggers /create /eid 528 /tr "UnLocked ID528" /tk C:\MaxCacheIcons_Reassertion.cmd

(/eid is the event id to watch for, /tr the name you give the trigger, /tk the task to run when it fires.)
Every time I unlock the PC my batch/script runs.

[b]2 CAUTIONS:[/b]
!! -- on XP SP3 I ran into an interesting issue where, per the instructions, I could not delete the event trigger using its id.  It yielded the error "bad variable".  I have yet to find help with this, so if you run into this issue you need to be prepared to delete all event triggers using the "*" method;
i.e., the typical delete command for, say, event trigger #1 is -->>
  eventtriggers /delete /tid 1
but if that's not working, use
  eventtriggers /delete /tid *
Mind you, although you will find the event trigger's task in the Scheduler, deleting it there will not delete it from the eventtriggers list (and I have not yet discovered where that is saved).
SO BEFORE BEGINNING I WOULD FIRST CHECK (eventtriggers /query) to see if there are other event triggers set up on your system.  Most of you will not have, but if you have someone who helps maintain your system ...who knows.

!! -- Secondly, when addressing logon/logoff triggers DO NOT set a username and password on the command line (/ru and /rp) or you will run an infinite loop!  Why?  The trigger watches for the logon event; when one occurs it fires our task; to run a task with stored credentials the scheduler logs that account on (a batch logon), which not only runs our script but also writes another logon event, which fires the trigger again... ad infinitum.
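The trigger from the example above, wrapped so that the two cautions are enforced rather than remembered. This is an added example, not the article's own commands: it queries before creating, so an existing or stale trigger is noticed, it never passes /ru or /rp, and when removing it looks up the numeric id by name, since eventtriggers only deletes by id. It assumes the batch path from the article, event id 528, and that eventtriggers /query /fo csv /nh prints one "id","name","task" line per trigger; substitute your own values.

```batch
@echo off
rem Added example, not the article's commands. Registers or removes the
rem unlock trigger from section 2b.  Usage: EventTrigger.cmd install | remove
setlocal
set "TRIGGER=UnLocked ID528"
set "EID=528"
rem Path assumed from the article; adjust if your .cmd lives elsewhere.
set "TASK=C:\MaxCacheIcons_Reassertion.cmd"

if /i "%~1"=="install" goto :install
if /i "%~1"=="remove" goto :remove
echo usage: %~nx0 install ^| remove
exit /b 2

:install
rem Caution 1: see what is already registered before adding anything.
call :find_id
if defined TID (
    echo trigger "%TRIGGER%" already exists with id %TID%
    exit /b 1
)
rem Caution 2: no /ru or /rp.  A task with stored credentials is logged on by
rem the scheduler to run, which writes another 528 and re-fires the trigger.
rem /l Security limits the trigger to the log in which 528 is written.
eventtriggers /create /tr "%TRIGGER%" /eid %EID% /l Security /tk "%TASK%"
if errorlevel 1 exit /b 1
rem Verify it landed and show the id needed for a later /delete /tid.
call :find_id
echo created trigger "%TRIGGER%" with id %TID%
exit /b 0

:remove
call :find_id
if not defined TID (
    echo trigger "%TRIGGER%" not found
    exit /b 1
)
eventtriggers /delete /tid %TID%
if errorlevel 1 echo delete by id failed - fall back to: eventtriggers /delete /tid *
exit /b 0

:find_id
rem Assumed output of /query /fo csv /nh: one "id","name","task" line per trigger.
set "TID="
for /f "tokens=1,2 delims=," %%A in ('eventtriggers /query /fo csv /nh') do (
    if "%%~B"=="%TRIGGER%" set "TID=%%~A"
)
exit /b 0
```

Because the name is fixed in the script, running install twice is refused instead of piling up duplicate triggers that each run the batch on every 528, which is the situation the first caution warns about.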

[b]3) Audit object policy for screensaver or registry key:[/b] Getting slightly more geeky (but not out of bounds, really), it is possible to turn on "Audit object access" in your Group Policy manager and set auditing on your screensaver, ***or even directly on the registry key in question*** (cool), and then use that event (in the event log) to trigger your batch/script.  

What this means is that if you 'tag', say, your screensaver, anytime it runs (or even when it closes too, I think) you can trigger your script.  
***As well, you can 'tag' a registry key so anytime it changes it triggers your batch/script.

Here are two article references to check out for understanding the methods used for this solution:

Brian at eggheadcafe posted an easy to follow example for triggering off the screensaver here:

MS shows you how to audit the registry key(s) here....
(the reference is for Win2K3, but I think you can use this in some earlier versions as well as any newer...)
'Regular users' just skip down to the non-server stuff:
...more relevant details on auditing here...

Although a bit more geeky, some users may prefer this over the previous recommendations because you can set one or two objects to audit, prep your event trigger(s) accordingly, and that's it.  

 Be mindful, you [b]cannot audit an individual registry "value"[/b] (it's one of the very first things I looked into), only a key itself, since the audit entries (the SACL) live on the key.  
[b]HOWEVER, when you audit a key you can exclude subkeys[/b] ("This key only" in the Apply onto selector).  This means we can simply audit the "values" under the Explorer key (there are only a few) without worrying about all of its subkeys (which are constantly triggering and would render this method anywhere between difficult and useless)!
What you will need to do:
 - turn on Auditing for Object Access events in the Group Policy editor (same place as mentioned above)
 - figure out the event Id you wish to trigger off of
 - write your eventtrigger and set it

Setting this up is a little bit tricky. In order to find out the event id number for a successful Set Value event, you either need to
 a) look it up online (for your particular operating system), or
 b) create a test so you can see what it is in the log.  

I prefer testing, as depending on the user (or system) issuing the change the event id may be different!

This is not the way I did it, but the easiest thing might be for you to set auditing on the Explorer key for your user (yourself), run your batch yourself and then go look at the event log for your event id #, and then remove that audit setting later.

Another method would be using psexec -s to run your batch as the System account (NT AUTHORITY\SYSTEM) ...I will leave it to you to look that one up.. it's pretty simple.

My event trigger for monitoring the Explorer key "set value" event looks something like
eventtriggers /create /eid 567 /tr "RegValueEdit ID567" /ru <username> /rp <password> /tk C:\MaxCacheIcons_Reassertion.cmd

567 is the event id in WinXP for setting a value in the registry (by the 'system' user).  (More precisely, 567 is XP/2003's "Object Access Attempt", written when an audited operation such as Set Value is actually performed through an open handle; it is limited to the System account only because the audit entry you put on the key audits that account alone.)  Note also that a password typed on the command line stays in the console history and scrollback; it is better to leave /rp off and let eventtriggers prompt for it.

My logic for setting this up is this:
  I assume the nasty bugger that is changing my registry is an application and so is likely running as a "system authorized user", i.e., not me.
  So I turn on object auditing, then go and set auditing on the Explorer key for only that key, no subkeys, and only for success 'Set Value', and only for the "System" account (refer to the MS article cited above for details on how to do this).
  Then I set up my eventtriggers command to run under my own user login, not the system.
  When the key is changed by the rogue app (as System, not me), my event trigger catches it and runs as me and safely, and immediately, resets my key value back for me.  Since it's running under my user authority it does not re-trigger the audit log (only System is audited), hence no loop ;^)

Running this method should alleviate the need for any of the other policies thus far discussed, but having not fully tested it I don't know if there might be a chance of missing a correction during certain points of startup/shutdown.

test / test/ test  ;^)


[b]1) DLL for Winlogon Notifications (pre-Vista):[/b] Another option is to write a DLL that will run your script in response to lock/unlock and screensaver events via Winlogon notification packages (applies to all versions of Windows prior to Vista [according to Microsoft]; Vista removed notification package support).  
I downloaded MinGW and took a two-day crash course and finally created my first DLL... and it works.
Huge pita, not for newbies ;^)  Loads of fun for a first time out in C/C++/C# programming ;^)

[b]2) SCM or SENS:[/b] Alternatively, for XP and 2K3 and up, you can create a service and have its control handler receive Service Control Manager (SCM) session-change notifications (SERVICE_CONTROL_SESSIONCHANGE, with WTS_SESSION_LOCK / WTS_SESSION_UNLOCK) for handling most of the relevant events.
Related to this is the System Event Notification Service (SENS), which has been available since Windows 2000 and reports logon, logoff, screensaver and lock/unlock events to a subscriber.

You can begin reading about these available features at Technet here:

Really great article by Aspi Havewala on SENS here:

It's important to mention those two things as they are significant, fairly modern Windows tools that any Windows administrator should be becoming familiar with.

[b]3) WMI:[/b] Oh, I almost overlooked Windows Management Instrumentation (WMI), which certainly can be used for triggering scripts (and much more; its RegistryValueChangeEvent class in the root\default namespace watches one specific value, which the audit approach above cannot do), but unless you are hellbent on a tough resolution for, say, remote access or VPN related issues, I think it's a bit overkill (as if writing your own DLL isn't! ;^)
Begin here perhaps: http://msdn.microsoft.com/en-us/library/aa394585(VS.85).aspx

Here's a simplistic example script using a WMI trigger.  It's a .vbs that you launch and it monitors continually.  I don't like the idea of having to continually run a script for this sort of thing, but you can check out this example here:

I don't know much about WMI, but it's been around for some time, and seems to be fairly deep and powerful.

I post all this here in the spirit of making an effort to include comprehensive information... so all potential options receive mention on this single page.

Obviously the methods being discussed here have ramifications well beyond dealing with a rogue entry in the registry.
I hope you find this information informative and useful.

Thanks to the hosts of this great establishment for facilitating one of the most significant collaborative resources in our worldwide coding community, and helping us to share and find answers together.

Best to you all.



This is a well-known, semi-obscure issue, so I figured I'd better add this...
If you go to run, say for instance, the XP SP3 update, it will fail near the end.  This is because the SP needs the registry permissions to be properly allowed, which the methods above have an effect on.

Tags: xp sp3 install "access denied" cannot set permissions
