Skip to content

kfong-dev/TrayObserver

BranchesTags

Repository files navigation

TrayObserver

A Windows system tray API observer built in C/C++ (Win32, x64). Monitors and correlates Shell_NotifyIcon calls from any process against Explorer's internal tray list, logging the relationship between API calls and the actual notification area state.

Work in progress — core hook infrastructure is in place but event resolution and icon respawning have known issues.

What it does

Component A — Explorer watcher

  • Installs a WH_CALLWNDPROC global hook into Explorer's message pump
  • Intercepts WM_COPYDATA on Shell_TrayWnd and decodes SHELLTRAYDATA payloads (NIM_ADD, NIM_MODIFY, NIM_DELETE, NIM_SETFOCUS, NIM_SETVERSION)
  • Enumerates the live tray toolbar (SysPagerToolbarWindow32) via TB_GETBUTTON + ReadProcessMemory for on-demand snapshots

Component B — API observer

  • IAT-patches Shell_NotifyIconW in target processes
  • Intercepts calls before they reach Explorer, capturing the full NOTIFYICONDATA payload
  • Reports via named pipe (\\.\pipe\TrayObserver) back to the controller

GUI

  • Dark theme, owner-drawn Win32 controls
  • Per-process event detail windows
  • Persistent event history
  • Toolbar controls for snapshot, clear, and filter
  • Correlation view matching API call events to Explorer's internal tray state

IPC

  • Named pipe (\\.\pipe\TrayObserver) between injected DLLs and the controller
  • Local-only — routes through NPFS, not affected by UNC hardening policies

Architecture

TrayObserver.exe          — main application (GUI + controller + pipe server)
  TrayHook.dll            — WH_CALLWNDPROC hook, injected into Explorer
  ComponentA.dll          — snapshot enumerator + hook installer
  ComponentB.dll          — IAT patcher + process injector
    PayloadHook.dll       — IAT patch DLL injected into target processes

Known issues

  • System tray icons do not respawn correctly after the hook is installed — Explorer's internal icon list gets out of sync
  • Event log produces verbose or nonsensical entries during icon resolution due to timing between NIM_ADD/MODIFY/DELETE events and the snapshot enumerator
  • These are active areas of investigation

Requirements

  • Windows 10 x64
  • Must be run as administrator (required for SetWindowsHookEx into Explorer and process injection)
  • MSVC x64 build environment

Build

Open in Visual Studio and build the solution. Component DLLs must be built before the main executable. All binaries must be co-located for the hook installer to find them.

Security context

This tool uses process injection and global hooks. It will be flagged by antivirus — add the build directory to your AV exclusions. Designed for use on your own machine for development and research purposes.

PPL-protected processes and processes running at higher integrity are automatically skipped.

About

Windows system tray API observer using WH_CALLWNDPROC hooking and IAT patching to correlate Shell_NotifyIcon calls with Explorer's internal tray state.

Topics

windows cpp reverse-engineering win32 system-tray hooking iat-patching

Resources

Readme
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Contributors

Languages