Challenging Problem: XP Gurus Needed: Desktop Icons Revert To Defaults

Roger

THERE ARE MANY POSTS ON THIS SUBJECT BUT EVERY ONE I'VE READ MAKES
INCORRECT ASSUMPTIONS AND HEADS DOWN THE WRONG PATH OR ELSE JUST
ADDRESSES THE SYMPTOMS WITHOUT ADDRESSING THE PROBLEM. THIS IS GOING
TO BE LONG AND DETAILED BUT I'M GOING TO TELL YOU EVERYTHING I KNOW
ABOUT THIS PROBLEM AND HOPEFULLY SOME GURU CAN HELP US!

PROBLEM: After changing/renaming the XP Desktop System icons (My
Computer, Network Neighborhood, Recycle Bin, Outlook, Internet
Explorer) they revert back to their respective default icons/default
names. It does not matter how you make the modifications. (right
click, Theme, Display Properties, etc) The end result is the same.

WHAT IT IS NOT:
It is NOT an NVIDIA driver/service problem. I have an ATI Radeon
card.
It is NOT an icon cache issue. I've tried it and it doesn't work.
It is NOT a problem with any other icons. ONLY affects system desktop
icons.
It is NOT a NoSaveSettings issue. I've verified my settings here.
It is NOT a Windows Classic settings issue. I'm not using classic.
It is NOT a login script or boot problem. The change can happen at
any time.
It is NOT a problem right out of the box. It always works fine at
first.
It is NOT the windows default icon that displays when something is not
associated with anything.

OBSERVATIONS/ASSUMPTIONS:
Your icons actually revert back to the defaults behind the scenes
and you don't see it until the desktop has been refreshed. Your
desktop gets refreshed by various events so that is why we're seeing
it happen seemingly at random. If the icons have reverted then
anything that refreshes your desktop will cause the default icons to
reappear. If nothing refreshes your desktop then you would never
notice that they have already reverted.
Here is what is actually happening. XP stores its true default
icons under HKEY_CLASSES_ROOT in a CLSID key. I've observed that
these do not seem to change. When you customize one of these system
icons XP will create a new key under
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\.
As long as these keys are present then your icon customizations are
in effect. What is happening is that these override keys are being
deleted somehow!
I have spot checked regedit and seemingly at random I would find
these override keys missing. Sure enough, as soon as the keys turned
up missing, if I hit F5 to refresh my desktop *poof* my default icons
were back.

WHEN IT HAPPENED/WHAT I'VE TRIED:
I'd been running XP just fine for about 6 months and then it began
happening. Just a week ago I formatted and reinstalled XP and the
problem was gone. I spent the next several days installing
applications back on my PC and I noticed yesterday that the problem
was back! The only thing I installed that day was MS Encarta 2003 and
Unreal Tournament 2004. UT2004 was not out last year so I've
eliminated it from the running. I uninstalled MS Encarta 2003 but the
problem remained. My guess is that these applications have nothing to
do with the problem.
I've jacked up my icon cache and I've verified my NoSaveSettings
registry key but neither helped. I used regmon to watch all the
registry modifications but that didn't help because whatever made the
modifications DID NOT SHOW UP IN REGMON! I triple checked this and
used various methods of filtering to make certain that I hadn't missed
it in all the log clutter. I even tried deleting the keys myself just
to see if it would catch it and it did. Whatever is deleting these
keys is doing so in a way that is not detectable by regmon! I've also
monitored and verified my background processes and I keep them very
clean. I've not messed around with the services though because I
don't know much about them.

VIRUS/SPY SCANNING:
I've thoroughly scanned with McAfee and I'm running their Shield as
well. I've scanned everything with Adaware's spyware scanner (both up
to date) but I'm still having the issue. The only other thing I can
think of is that I know I DID have some spyware on my machine.
Adaware did report that it had cleaned up a few things (not just
cookies) and I do remember getting one message from McAfee telling me
that it detected something weird but couldn't delete the file. I
looked for the file in question and it was gone. It was something
like "[index].htm" or something like that. These could be unrelated
to the issue but I don't know.

WHAT I'M RUNNING:
My current Windows XP Home Edition installation has Service Pack 1 and
all subsequent patches installed using Windows Update. My system sits
behind a Linksys router and I also run XP's firewall. (enabled) I
keep McAfee and Adaware up to date. I have an ATI Radeon 9700 Pro
graphics card and an Audigy2 Sound Blaster card.

WHAT I WANT:
I know I can manually modify the default CLSIDs in HKEY_CLASSES_ROOT
and thus when the icons "revert" they will be reverting back to my
overrides but that only addresses the symptoms not the cause. I would
greatly appreciate discovering the root cause of the issue and a
method to correct it. At this point I would even be willing to pay
someone a reasonable fee for technical support that actually led to
such a solution! Please help if you can!

Thank you,
Roger Westbrook
 
dOinK

From previous threads related to this issue, we know that winlogon.exe is
capable of causing this effect. This might be triggered by running backup as
a scheduled task (where you need to provide a user name and password in the
task setup).

I just think that ought to be added to your excellent collection of
information.

It is also likely that this is a bug in Windows, caused by recent updates (I
assume that you have installed some of those lately, too).

dOinK

 
Keith Miller

I've made some recent posts on this subject. The solution I've found is:

Start -> Run -> Regedit

Navigate to:
"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Clsid"
(HKCU = HKEY_CLASSES_ROOT)

Right-click the folder icon for this key & select 'Permissions'

Click 'Advanced' -> click 'Add' -> type "System" -> click 'OK'

Put a check in the 'Deny' column for the 'Set Value' permission.

'OK' your way out.

**************************
Here's a regmon filter string that will show you the offending process:

"winlogon.exe*HKCU\*Explorer\CLSID"

With this filter applied, open your scheduled tasks folder and run a task you know will be quick (or create something simple like a scheduled launch of notepad). You'll see winlogon executing a 'createkey' & 'closekey'. When winlogon creates this key, it copies the subkeys of "HKCU\Software\Classes\CLSID\" (to test this, modify the values for the icons found under this key to something other than those found in HKCR.)


If you were filtering for a 'delete' or 'setvalue' (which is what I was doing first, too :), you wouldn't see it.

Keith
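Added example, not part of Keith's post or of Regmon itself: a small Python script that shows why a capture narrowed to delete/set-value requests hides the process described above, while grouping every request on the override key by process exposes it. The tab-separated export layout, the filter-matching rule, the PIDs and the `{CLSID-PLACEHOLDER}` subkey are assumptions, and the log rows are constructed sample data.

```python
import fnmatch
from collections import defaultdict, namedtuple

Event = namedtuple("Event", "seq time process request path result")

KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID"

# Constructed sample rows (not captured output). Assumed export layout:
# seq, time, process:pid, request, path, result, separated by tabs.
ROWS = [
    ("1", "0.10", "explorer.exe:1480", "OpenKey",
     KEY + r"\{CLSID-PLACEHOLDER}\DefaultIcon", "SUCCESS"),
    # The manual test from the first post: deleting an override key by hand.
    ("2", "0.42", "regedit.exe:2104", "DeleteKey",
     KEY + r"\{CLSID-PLACEHOLDER}", "SUCCESS"),
    ("3", "5.77", "svchost.exe:900", "SetValue",
     r"HKLM\SOFTWARE\Example\Unrelated", "SUCCESS"),
    # What the filter in the post is meant to surface.
    ("4", "9.03", "winlogon.exe:632", "CreateKey", KEY, "SUCCESS"),
    ("5", "9.04", "winlogon.exe:632", "CloseKey", KEY, "SUCCESS"),
]
SAMPLE_LOG = "\n".join("\t".join(row) for row in ROWS)


def parse_log(text):
    """Parse tab-separated rows, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) < 6:
            continue
        seq, time, proc, request, path, result = fields[:6]
        name = proc.rpartition(":")[0] or proc  # drop the ":pid" suffix
        events.append(Event(seq, time, name, request, path, result))
    return events


def matches_filter(event, pattern):
    """Case-insensitive '*' wildcard match over process, request and path.

    Assumption: the filter string is compared against the whole logged line.
    """
    line = " ".join((event.process, event.request, event.path)).lower()
    return fnmatch.fnmatchcase(line, "*" + pattern.lower() + "*")


def actors_on_key(events, key, requests=None):
    """Map process -> set of request types seen on `key` or any subkey."""
    seen = defaultdict(set)
    prefix = key.lower()
    for ev in events:
        path = ev.path.lower()
        if path != prefix and not path.startswith(prefix + "\\"):
            continue
        if requests is not None and ev.request not in requests:
            continue
        seen[ev.process].add(ev.request)
    return dict(seen)


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    # Narrow view: only the request types one would expect for a "deletion".
    print("delete/set only:", actors_on_key(events, KEY, {"DeleteKey", "SetValue"}))
    # Wide view: every request on the key, grouped by process.
    print("all requests   :", actors_on_key(events, KEY))
    # The filter string quoted in the post, applied to the same rows.
    hits = [e.seq for e in events
            if matches_filter(e, r"winlogon.exe*HKCU\*Explorer\CLSID")]
    print("filter hits    :", hits)
```
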

 
David Candy

Try a bootlog with regedit.

--
----------------------------------------------------------
http://www.g2mil.com/Dec2003.htm
 
pheasant

Keith Miller said:
I've made some recent posts on this subject. The solution I've found is:

Start -> Run -> Regedit

Navigate to:
"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Clsid"
(HKCU = HKEY_CLASSES_ROOT)

Right-click the folder icon for this key & select 'Permissions'

Click 'Advanced' -> click 'Add' -> type "System" -> click 'OK'

Put a check in the 'Deny' column for the 'Set Value' permission.

'OK' your way out.

I followed Keith's advice; except I used HKEY_CURRENT_USER then followed
the path. The classes_root folder didn't contain the path Keith mentioned
in my machine, and since I'm the only user, figured I'd give this a poke.
THANK YOU KEITH!!!!!!!!!!!!!
Rebooted and it held, so (fingers crossed) think I've finally got it
snagged.
Mark
 
Roger

Relic, it's like I tell my 6 year old. Open your eyes and ears and
close your mouth and you might just learn something. Using CAPS to
emphasize my subject headings and preface is called a literary device
and makes for easier separation of ideas in a very detailed post.

"relic"
 
Roger

To those who helped, (Keith, Doink, and David) thank you very much
for your time and input. I must have read nearly 75 posts on this
subject together with my own extensive (though unfruitful) research
and I never encountered the winlogon.exe thing. I'm going to do some
more searches for this and perform my own research but can you folks
tell me if there is any documentation on this "feature"?

Why does winlogon.exe begin doing this after behaving itself for so
long? I am up to date on my windows update patches and that might
have done it but when this problem started happening to me it had been
days since I patched.

Correct me if I'm wrong but it sounds like Keith's solution still only
blocks winlogon from making those changes. Is there any way to figure
out why Winlogon is doing this?

Again thank you all for the help!!
 
David Candy

Sorry, I meant a bootlog with Regmon not regedit. Look on the menu.

Or you can turn on auditing on the registry key. Need to edit at
HKEY_LOCAL_MACHINE\SOFTWARE\Classes

Use help in Regedit. You also need to enable in Local Security Policy. Use help there. View in Event Viewer.

It will look like this
Handle Closed:

Object Server: Security

Handle ID: 88

Process ID: 3852

Image File Name: C:\WINDOWS\regedit.exe
 
