Some of the fake security malware in the wild has been moving the Start menu items to a temporary directory under the user profile. This has caused us some annoyance at work, since we remove all the temp files before starting a malware removal. So several times this week we have had to rebuild several Start menus from scratch — which was not fun.
In Windows 7, the Start menu items are moved to
- All Users Items = %userprofile%\AppData\Local\Temp\smtmp\1
- Current User Items = %userprofile%\AppData\Local\Temp\smtmp\2
- Desktop Items = %userprofile%\AppData\Local\Temp\smtmp\4
Desktop items can be moved or copied back with robocopy (/e is needed so that subfolders come along too; robocopy only handles the top-level files without it):
robocopy "%userprofile%\AppData\Local\Temp\smtmp\4" "%userprofile%\Desktop" /e /move /a-:h
All Users items can be moved with:
robocopy "%userprofile%\AppData\Local\Temp\smtmp\1" "C:\ProgramData\Microsoft\Windows\Start Menu" /e /move /a-:h
Current User items can be moved with:
robocopy "%userprofile%\AppData\Local\Temp\smtmp\2" "%userprofile%\AppData\Roaming\Microsoft\Windows\Start Menu" /e /move /a-:h
Of course, /move can be dropped to copy the files back to the correct locations rather than move them. I've been using /a-:h to remove the hidden attribute, since a few times the files have been hidden too.
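The same restore as a PowerShell script, added here as an example and not part of the original post. It assumes the Windows 7 paths listed above, that it runs in the affected user's profile, and that robocopy is on the PATH; a -Preview switch runs robocopy with /L so you can see what would be moved before the Temp folder is touched.

```powershell
# Added example: put back Start menu / Desktop items that rogue "security"
# software moved into %LOCALAPPDATA%\Temp\smtmp\{1,2,4}. Assumes Windows 7
# paths (the ones in the post); run it BEFORE purging the Temp folder.
param(
    [switch]$Preview   # list what would be moved (robocopy /L) without changing anything
)

$smtmp = Join-Path $env:LOCALAPPDATA 'Temp\smtmp'
if (-not (Test-Path -LiteralPath $smtmp)) {
    Write-Host "No $smtmp found; nothing to restore."
    exit 0
}

# smtmp subfolder -> original location (Windows 7)
$map = @{
    '1' = Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu'   # All Users
    '2' = Join-Path $env:APPDATA     'Microsoft\Windows\Start Menu'   # Current user
    '4' = [Environment]::GetFolderPath('Desktop')                     # Desktop
}

# /E recurse into subfolders, /MOVE delete from smtmp after copying,
# /A-:H clear the hidden attribute the malware sets, /NJH /NJS trim output
$flags = @('/E', '/MOVE', '/A-:H', '/NJH', '/NJS')
if ($Preview) { $flags += '/L' }   # /L = list only, nothing is copied or deleted

foreach ($sub in @('1', '2', '4')) {
    $src = Join-Path $smtmp $sub
    $dst = $map[$sub]
    if (-not (Test-Path -LiteralPath $src)) { continue }

    # -Force so hidden files are counted; works on PowerShell 2.0 (no -File switch)
    $files = Get-ChildItem -LiteralPath $src -Recurse -Force |
             Where-Object { -not $_.PSIsContainer }
    Write-Host ("smtmp\{0}: {1} file(s) -> {2}" -f $sub, @($files).Count, $dst)

    & robocopy.exe $src $dst @flags
    # robocopy exit codes below 8 mean success (0 = nothing to do, 1 = files copied)
    if ($LASTEXITCODE -ge 8) {
        Write-Warning "robocopy reported errors (exit $LASTEXITCODE) for smtmp\$sub"
    }
}
```

Run it once with -Preview to confirm the file counts and destinations look right, then again without the switch to do the move.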
I have not seen the Start menu get moved in Windows XP yet; however, the paths will be very similar:
- All Users Items = %userprofile%\Local Settings\Temp\smtmp\1
- Current User Items = %userprofile%\Local Settings\Temp\smtmp\2
- Desktop Items = %userprofile%\Local Settings\Temp\smtmp\4