Screenshot of my Windows start menu

A while back I visited a German website devoted to hacking. A particular feature of the site stood out–it held a screenshot of my Windows start menu. How did they do this?

What makes you think it’s your start menu, as opposed to someone else’s?

I have heard of websites that claim to be able to “show you the contents of your hard drive”. The site makes use of some kind of Java applet that brings up an explorer-type window showing all the contents of your computer.

Be assured that these types of Java applets are all client-sided. This means that the website really can’t actually see your things on their end. They’ve just figured out a way to make your computer show itself to you through your browser.

Don’t worry too much. But just to be safe, try and avoid such websites.

Disable Java, cookies, … disable everything and see if they can do it.

I think it’s just an internal frame (you know, all the rage during the 90s, left menu is a separate frame “make sure your browser supports frames blah” stuff) that has its source (the piece of code specifying the contents of the frame) set as your hard drive (“C:” usually). How’d they get a screenshot of your start menu through any type of HTML or java/javascript tricks is beyond me though.

This should do it. At least for Opera and Netscape.

[file://localhost/C:/](file://localhost/C:/)

It works in IE as well (IE5.5SP2).

[file://localhost/C:/windows/start menu/](file://localhost/C:/windows/start menu/)

Thit submit too fast. The code I posted opens a browser window but note that hitting the"Windows" key on the keyboard makes the start menu pop up. I do not know if using Java or other script you can simulate a certain key being depressed but I would think it is not too difficult.

Do you mean that it showed a graphic that was identical to your start menu, or it showed an Explorer-like file view of the stuff that’s in the start menu?

sailor, I don’t think that Java can simulate a keypress. It’s designed to operate in its own little world, strictly kept apart from the critical stuff in your computer such as files or anything else that could be a security danger. There’s a raging controversy between Java and ActiveX - Microsoft likes ActiveX. With ActiveX, the web site can do anything with your computer. Microsoft’s security model says that you should either trust or not trust a site, and if you trust it, you give them the keys to your computer. With Java (which is from MS’s arch-rival Sun), the environment itself prevents any application from doing things that can be a security threat.

Since I don’t know what they each can do I just disable everything. And if a site needs that kind of stuff I pass.