If you're writing programs to interface with the Windows Shell, chances are you'll eventually want to use the SHGetFileInfo function. This function "retrieves information about an object in the file system, such as a file, a folder, a directory, or a drive root". However, this information may come at a heavy price.
Recently, I wrote an Explorer-style "Open file" dialog that used a CListCtrl. The CListCtrl was populated by enumerating the Windows Shell for a specified directory. I needed to retrieve the icon and the type name for each shell object. The dialog performed fine until I enumerated a directory with several thousand files. The total time required to fill the control ranged from 20-40 seconds. The code I used included the following snippet:
    // get the shell object info.
    SHGetFileInfo(path, 0, &sfi, sizeof(SHFILEINFO),
                  SHGFI_ICON | SHGFI_TYPENAME);
The resolution to my problem came about after much research and reading of Dino Esposito's Visual C++ Windows Shell Programming. I needed a way of obtaining the required information WITHOUT accessing every file in the enumeration. The resolution required the following change to my code:
    // get attributes of the shell object using its pidl.
    // (the last parameter is in/out: on entry it names the
    // attributes being requested, so ask for SFGAO_FOLDER).
    dwFileAttr = SFGAO_FOLDER;
    psfFolder->GetAttributesOf(1, (LPCITEMIDLIST*)&pIDL, &dwFileAttr);

    // set the SHGetFileInfo attribute based on the type
    // of shell object. We'll use this to force the
    // SHGetFileInfo call to NOT access the shell object.
    // (all we want is the icon & type name; the
    // combination of the SHGFI_USEFILEATTRIBUTES flag
    // and the FILE_ attribute will prevent any unnecessary
    // access of the shell object).
    if ((dwFileAttr & SFGAO_FOLDER) == SFGAO_FOLDER)
        attr = FILE_ATTRIBUTE_DIRECTORY;
    else
        attr = FILE_ATTRIBUTE_NORMAL;

    // get the shell object info.
    SHGetFileInfo(path, attr, &sfi, sizeof(SHFILEINFO),
                  SHGFI_USEFILEATTRIBUTES | SHGFI_ICON | SHGFI_TYPENAME);
By setting the attr variable to a valid FILE_ flag and adding the SHGFI_USEFILEATTRIBUTES flag, I was able to avoid accessing each file in the enumeration. By setting the SHGFI_USEFILEATTRIBUTES flag, I forced the function to assume that the file passed in through the "path" variable exists. An undocumented feature allows the function to use the extension and search the registry for information about the icon and the type name. This simple change reduced my total access time to 5-6 seconds. Although not up to par with Explorer, it's a change I can live with.
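Because the SHGFI_USEFILEATTRIBUTES lookup described above depends only on the extension and the FILE_ attribute, its result can be cached per extension so that several thousand files cost only a handful of shell calls. The following is an added example that goes beyond the article and is not the author's code: ShellInfo, Lookup, ShellLookup and ShellInfoCache are hypothetical names, and it requests SHGFI_SYSICONINDEX in place of SHGFI_ICON so that no per-item HICON has to be released with DestroyIcon.

```cpp
#include <cwctype>
#include <functional>
#include <map>
#include <string>
#include <utility>
#ifdef _WIN32
#include <windows.h>
#include <shellapi.h>
#endif
struct ShellInfo { int iconIndex; std::wstring typeName; };
using Lookup = std::function<ShellInfo(const std::wstring& name, bool isFolder)>;
#ifdef _WIN32
// Real lookup (Windows only): the file is never opened. On failure sfi stays
// zeroed, so the caller gets icon index 0 and an empty type name.
inline ShellInfo ShellLookup(const std::wstring& name, bool isFolder) {
    SHFILEINFOW sfi = {};
    DWORD attr = isFolder ? FILE_ATTRIBUTE_DIRECTORY : FILE_ATTRIBUTE_NORMAL;
    SHGetFileInfoW(name.c_str(), attr, &sfi, sizeof(sfi),
                   SHGFI_USEFILEATTRIBUTES | SHGFI_SYSICONINDEX | SHGFI_TYPENAME);
    return { sfi.iIcon, sfi.szTypeName };
}
#endif

class ShellInfoCache {
public:
    explicit ShellInfoCache(Lookup fn) : lookup_(std::move(fn)) {}
    // One lookup per distinct extension; all folders share the "<dir>" key.
    const ShellInfo& Get(const std::wstring& name, bool isFolder) {
        std::wstring key = isFolder ? L"<dir>" : ExtensionKey(name);
        auto it = cache_.find(key);
        if (it == cache_.end())
            it = cache_.emplace(key, lookup_(name, isFolder)).first;
        return it->second;
    }
    std::size_t Size() const { return cache_.size(); }
    // Lower-cased extension including the dot; "" when the name has none.
    static std::wstring ExtensionKey(const std::wstring& name) {
        std::size_t slash = name.find_last_of(L"\\/");
        std::size_t dot = name.find_last_of(L'.');
        if (dot == std::wstring::npos || (slash != std::wstring::npos && dot < slash))
            return L"";
        std::wstring ext = name.substr(dot);
        for (auto& c : ext) c = static_cast<wchar_t>(std::towlower(c));
        return ext;
    }
private:
    Lookup lookup_;
    std::map<std::wstring, ShellInfo> cache_;
};
```

On Windows, construct the cache as `ShellInfoCache cache(ShellLookup);` and call `cache.Get(path, isFolder)` for each enumerated item; the returned iconIndex refers to the system image list.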