What the FRunCM???

Was having a very annoying problem with SQL Server 2000 on a development box the other day. I would stop MSSQLSERVER but when I tried to restart it, I couldn't:
C:\>net stop mssqlserver
The MSSQLSERVER service is stopping.
The MSSQLSERVER service was stopped successfully.

C:\>net start mssqlserver
The MSSQLSERVER service is starting.
The MSSQLSERVER service could not be started.

The service did not report an error.

That wasn't helpful so I turned to the Event Viewer where I found the following error events:
Event Type: Error
Event Source: MSSQLServer
Event Category: (8)
Event ID: 19011
Date: 7/25/2006
Time: 10:17:01 AM
User: N/A
Computer: COMPNAME
SuperSocket info: ConnectionListen(Shared-Memory (LPC)) : Error 5.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Category: (2)
Event ID: 17052
Date: 7/25/2006
Time: 10:17:01 AM
User: N/A
Computer: COMPNAME
Error: 17826, Severity: 18, State: 1
Could not set up Net-Library 'SSNETLIB'.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
[info containing computer name]

Event Type: Error
Event Category: (2)
Event ID: 17055
Date: 7/25/2006
Time: 10:17:01 AM
User: N/A
Computer: COMPNAME
17120 :
SQL Server could not spawn FRunCM thread.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
[info containing computer name]

Probably, the first error was causing the next two. But what was really going on? Sounded like something was hanging on to some handle or resource that SQL Server wanted. In search of more info, I checked out
C:\Program Files\Microsoft SQL Server\MSSQL\LOG\ERRORLOG which contained the following:
2006-07-25 10:17:01.38 server Microsoft SQL Server 2000 - 8.00.760 (Intel X86)

Dec 17 2002 14:22:05
Copyright (c) 1988-2003 Microsoft Corporation
Desktop Engine on Windows NT 5.1 (Build 2600: Service Pack 2)

2006-07-25 10:17:01.38 server Copyright (C) 1988-2002 Microsoft Corporation.
2006-07-25 10:17:01.38 server All rights reserved.
2006-07-25 10:17:01.38 server Server Process ID is 3640.
2006-07-25 10:17:01.38 server Logging SQL Server messages in file 'C:\Program Files\Microsoft SQL Server\MSSQL\LOG\ERRORLOG'.
2006-07-25 10:17:01.40 server SQL Server is starting at priority class 'normal'(1 CPU detected).
2006-07-25 10:17:01.40 server Performance monitor shared memory setup failed: -1
2006-07-25 10:17:01.66 server SQL Server configured for thread mode processing.
2006-07-25 10:17:01.66 server Using dynamic lock allocation. [500] Lock Blocks, [1000] Lock Owner Blocks.
2006-07-25 10:17:01.68 spid3 Starting up database 'master'.
2006-07-25 10:17:01.83 server Using 'SSNETLIB.DLL' version '8.0.766'.
2006-07-25 10:17:01.83 spid5 Starting up database 'model'.
2006-07-25 10:17:01.88 server SQL server listening on .
2006-07-25 10:17:01.88 server Error: 17826, Severity: 18, State: 1
2006-07-25 10:17:01.88 server Could not set up Net-Library 'SSNETLIB'..
2006-07-25 10:17:01.88 server Unable to load any netlibs.
2006-07-25 10:17:01.88 server SQL Server could not spawn FRunCM thread.

I'm guessing the "Performance monitor shared memory setup failed: -1" corresponded to the first message in the Event Log ("SuperSocket info: ConnectionListen(Shared-Memory (LPC)) : Error 5."), and the other two Event Log messages appear in the ERRORLOG.

This made it look like SQL Server couldn't acquire a resource (Access denied, according to the first Event Viewer message) related to shared memory used for performance monitoring. On a whim, I closed SQL Server Enterprise Manager and tried to start SQL Server again. This time, it worked.

The log details provide information that indicates that the system is running SQL Server 2000 SP3. The SQL Server 2000 SP4 Fix List doesn't include any descriptions that seem to indicate the problem is fixed in SP4, and I won't have the opportunity to apply SP4 any time soon to see, so I suppose I'll just have to deal with it by closing Enterprise Manager before restarting SQL Server.



RFIDs open to compromise?

Can Tag Viruses Infect RFID Systems? reports on a study that warns that RFID middleware and applications may be vulnerable to viruses.



All this to Patch ASP.NET?

Microsoft Knowledge Base Article 923101 (Error message when you try to install security update 917283 on a computer that is running Windows Server 2003 x64 Edition: "Error 1324. The folder 'Program Files' contains an invalid character") details a heinous resolution to a problem installing the ASP.NET 2.0 patch covered in Microsoft Security Bulletin MS06-033 - Vulnerability in ASP.NET Could Allow Information Disclosure (917283).

Basically, one needs to "temporarily unmount any drive volumes that you do not require", and the article includes the steps one should go through. The step-by-step instructions only mention "CD-ROM and DVD drive volumes" - I wish the article was clearer on precisely which volumes should be unmounted. Anyway, the next step is installing the 917283 update, followed by a possible reboot. The last step is to "remount the drive volumes" (assigning the CD-ROM and DVD drive volumes their original drive letters).

I would love to know what the real problem is, and how this fixes it.

Error 1324 (sometimes referenced as -1324) seems to correspond to "The path" or "The folder" or "The folder path" "<path> contains an invalid character", which is the message described in article 923101. According to Windows Installer Error Messages, the message associated with 1324 is "The folder path '[2]' contains an invalid character".

Good thing 923101 only applies to x64 editions of Windows Server 2003.



ASP.NET: allowDefinition= 'MachineToApplication' / Web.Config

I was working on an ASP.NET application when I started getting the following message while building:

It is an error to use a section registered as allowDefinition='MachineToApplication' beyond application level. This error can be caused by a virtual directory not being configured as an application in IIS.     web.config     28

I tried a few things out, and examined the referenced web.config line, but nothing seemed out of the ordinary.

It took me a few minutes to figure out that I was looking at the wrong web.config. I had made a backup copy of the project (no SCCS yet - don't ask) in a subfolder. The web.config referenced in the error message was the backup copy, not the one belonging to the application I was working on. Removing the subfolder / project backup got rid of the message.
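A way to spot this situation before the build does, as an added PowerShell example (not code from the original post). It walks an application root and reports any web.config below the root that carries application-level sections. The function name Find-NestedAppLevelConfig, the section list and the sample folder names are assumptions made for illustration.

```powershell
# Added example. The section list is an assumption and is not exhaustive: these are
# system.web sections commonly registered with allowDefinition='MachineToApplication'.
$AppLevelSections = 'authentication', 'sessionState', 'machineKey',
                    'membership', 'roleManager', 'profile'

function Find-NestedAppLevelConfig {
    param([Parameter(Mandatory = $true)][string]$AppRoot)

    $root = (Get-Item -LiteralPath $AppRoot).FullName.TrimEnd('\', '/')
    Get-ChildItem -LiteralPath $root -Recurse -Filter web.config -File |
        Where-Object { $_.DirectoryName.TrimEnd('\', '/') -ne $root } |
        ForEach-Object {
            $file = $_
            $xml = New-Object System.Xml.XmlDocument
            try { $xml.Load($file.FullName) } catch { return }   # not well-formed XML: skip
            # local-name() so a default xmlns on <configuration> does not hide the node
            $web = $xml.SelectSingleNode(
                "/*[local-name()='configuration']/*[local-name()='system.web']")
            if ($null -eq $web) { return }
            $hits = @($web.ChildNodes |
                Where-Object { $AppLevelSections -contains $_.LocalName } |
                ForEach-Object { $_.LocalName })
            if ($hits.Count -gt 0) {
                [pscustomobject]@{ Path = $file.FullName; Sections = ($hits -join ', ') }
            }
        }
}

# Constructed sample tree: an application root, a backup copy of the project in a
# subfolder, and an ordinary subfolder with its own directory-level settings.
$demo = Join-Path ([IO.Path]::GetTempPath()) ("webcfg-demo-" + [guid]::NewGuid())
$appConfig = '<configuration><system.web><authentication mode="Windows" />' +
             '</system.web></configuration>'
$dirConfig = '<configuration><system.web><authorization><deny users="?" />' +
             '</authorization></system.web></configuration>'
New-Item -ItemType Directory -Force -Path (Join-Path $demo 'Backup'),
                                          (Join-Path $demo 'Admin') | Out-Null
Set-Content -LiteralPath (Join-Path $demo 'web.config') -Value $appConfig
Set-Content -LiteralPath (Join-Path $demo 'Backup\web.config') -Value $appConfig
# Admin\web.config holds only <authorization>, which is legal below application level.
Set-Content -LiteralPath (Join-Path $demo 'Admin\web.config') -Value $dirConfig

Find-NestedAppLevelConfig -AppRoot $demo | Format-List
Remove-Item -LiteralPath $demo -Recurse -Force
```

A subfolder that is configured as its own application in IIS may legitimately contain these sections; the script only sees the file system, so treat its output as candidates to review.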



Windows Vista to get Address Space Layout Randomization (ASLR)

I've wanted to mention this for a while, but haven't had the time.

Michael Howard writes about "a new defense against buffer overrun exploits called address space layout randomization" (ASLR) that is included in Windows Vista Beta 2. He also indicates that "it’s on by default too". Does this mean that it is possible to disable it? And if so will the ability to disable it make its way to the final release of Vista?

It seems that ASLR, combined with other strategies, will result in some significant improvements to the security of the Windows Vista platform. And personally, I don't see how it is relevant that various *nixz may have had this feature for a while. It just lends credibility to the decision to add the feature to Vista, I suppose.



Cool and Illegal Wireless Hotspot Hacks

Interesting article on EH-Net about ways to spoof public hotspots, steal credentials, and utilize different techniques to gain control of remote systems.

Cool and Illegal Wireless Hotspot Hacks



U3 USB Flash Drive and Remote Desktop Woes

[Update: See this post for how I was able to resolve the problem presented below.]

Like a lot of people, I use USB flash drives. I recently saw a good deal on a "Verbatim 1GB Store 'n' Go U3 Smart Drive", so I purchased one. U3 (www.u3.com) is a platform with a number of components that allow for "personal workspace portability". Basically, you can install applications designed or adapted specifically for running in a "U3 Environment". You can take your data and programs with you everywhere. There are email programs, office productivity packages, browsers, security packages, etc. that all offer the ability to run without leaving a footprint on the host system's hard drive.

I thought that sounded pretty cool. Of course, I must have usage patterns that deviate from that which is expected or perhaps desirable. I have a bunch of computers in my office. My main system is a laptop. I use it as such - the thing lives on my lap. So the prospect of a USB drive sticking out of the back isn't really one that I relish for what I hope are obvious reasons. Instead, I plug my flash drives into a server in my office and just set up secure shares, and access my data that way.

The U3 drive, being what it is, offers the ability to password-protect the data / program partition (there is a system partition that "autoruns" a launchpad-type program). I figured I could plug the drive into the server, and remote-desktop in later to enter the password and manipulate the data, run the programs, or whatever.

The first server I tried this on was running Windows Server 2003. I remote desktop'd into the server and tried to run the launch program. No UI ever displayed. I tried it a few times and even tried to run the program in Windows XP Compatibility mode. I quickly gave up because I had other stuff to do.

The next time I tried this, the U3 drive was plugged into a Windows XP workstation. I remote desktop'd into the system and tried it again. Same result. I went into my office, logged into the workstation, ran the program, and was presented with a UI that wanted a password. After I entered the password and went back to my main system, I was able to access the data and programs on the U3 drive as I would expect.

This led me to believe that the developer(s) of the LaunchU3.exe program are specifically preventing the exact scenario which I depend on from working (I want to be able to enter the password in the launch program via the RDP session). So, I fired up Dependency Walker and profiled the naughty program. Sure enough, DW showed the following as the last few lines of the profile:

00:00:06.875: GetProcAddress(0x77E40000 [c:\windows\system32\KERNEL32.DLL], "ProcessIdToSessionId") called from "g:\LAUNCHU3.EXE" at address 0x0040352B and returned 0x77E580F7 by thread 0x1020.
00:00:06.875: GetProcAddress(0x77E40000 [c:\windows\system32\KERNEL32.DLL], "WTSGetActiveConsoleSessionId") called from "g:\LAUNCHU3.EXE" at address 0x0040352B and returned 0x77E41A2D by thread 0x1020.
00:00:06.906: Thread 0x1158 exited with code 0 (0x0).
00:00:06.922: Thread 0x1300 exited with code 0 (0x0).
00:00:06.922: Thread 0x10E0 exited with code 0 (0x0).
00:00:06.953: Thread 0xFA4 exited with code 0 (0x0).
00:00:06.953: Exited "g:\LAUNCHU3.EXE" (process 0xB08) with code 0 (0x0) by thread 0x1020.

So I wrote my own program to see what those functions (ProcessIdToSessionId and WTSGetActiveConsoleSessionId) returned for the values of the session Ids. Sure enough, the values returned by the functions were different when using an RDP connection - ProcessIdToSessionId said the session id was 0 and WTSGetActiveConsoleSessionId said the console session id was 2 when RDP'd into the console of the remote system. The launch program must compare the results and if they are different it immediately calls TerminateProcess.
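The comparison described above, as an added PowerShell example (not the author's program and not U3 code). It calls the same two kernel32 functions through P/Invoke and reports whether the calling process runs in the session attached to the physical console. The Demo.Session type and the Get-SessionComparison function are names made up for illustration.

```powershell
# Added example: P/Invoke declarations for the two functions seen in the
# Dependency Walker profile. Both are exported by kernel32.dll.
Add-Type -Namespace Demo -Name Session -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool ProcessIdToSessionId(uint dwProcessId, out uint pSessionId);

[DllImport("kernel32.dll")]
public static extern uint WTSGetActiveConsoleSessionId();
'@

function Get-SessionComparison {
    param([int]$ProcessId = $PID)   # defaults to the current PowerShell process

    [uint32]$processSession = 0
    $ok = [Demo.Session]::ProcessIdToSessionId([uint32]$ProcessId, [ref]$processSession)
    if (-not $ok) {
        $code = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw "ProcessIdToSessionId failed for PID $ProcessId (Win32 error $code)"
    }

    $consoleSession = [Demo.Session]::WTSGetActiveConsoleSessionId()

    [pscustomobject]@{
        ProcessId        = $ProcessId
        ProcessSessionId = $processSession
        ConsoleSessionId = $consoleSession
        # WTSGetActiveConsoleSessionId returns 0xFFFFFFFF when no session is
        # attached to the physical console (for example during a session switch).
        ConsoleAttached  = ($consoleSession -ne [uint32]::MaxValue)
        # The test the launcher appears to make: same session or not.
        InConsoleSession = ($processSession -eq $consoleSession)
    }
}

Get-SessionComparison
```

Running it once at the physical console and once over Remote Desktop shows which of the two values changes on a given Windows version.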

It would be interesting to know why the developers of the launch application saw fit to prevent someone from running the launch program via RDP, but one can enter the password "locally" and still access the data remotely.

Someday when I get some time I'll write something to mess with the values returned by ProcessIdToSessionId and / or WTSGetActiveConsoleSessionId so that I can use the drive how I want to...


Windows Update and Error 0x8DDD0009

[Added 2006-10-15: Another potential fix here...]
[Added 2006-09-19: Additional things to try here...]
[See other posts about 0x8ddd0009 here and here.]

I was encountering a Windows Update error 0x8DDD0009 on a Windows 2000 SP4 system. I tried a number of things like stopping and restarting the Windows Update Auto Update service (wuauserv), rebooting, unregistering Windows Update-related components, etc. and nothing worked. Then I noticed the time on the system was off by about 22 minutes. I changed the time to be correct, and Windows Update magically started working again.

FWIW, 0x8DDD0009 can be interpreted to mean a lot of things...

Defined In: bthdef.h

Defined In: bugcodes.h

Defined In: cderr.h

Defined In: ceplog.mc
Message: SCEP Add-on cannot retrieve CA's certificate (%2). %3 Please find support information at http://%1/certsrv/mscep/mscephlp.htm.

Defined In: certlog.mc
Symbolic Name: MSG_NO_POLICY
Message: The Certificate Services did not start: Unable to load an external policy module.

Defined In: cfgmgr32.h

Defined In: clusvmsg.h
Symbolic Name: LOG_MODULE_DM

Defined In: crypt32msg.mc
Message: Untrusted root certificate:: Subject: <%1> Sha1 thumbprint: <%2>

Defined In: dhcpssdk.h

Defined In: dlcapi.h

Defined In: hidpddi.h

Defined In: iaapi.h
Symbolic Name: IAAPI_BADANY
Message: Bad ANY value

Defined In: iiscnfg.h

Defined In: kerberr.h
Symbolic Name: KDC_ERR_NULL_KEY
Message: The client or server has a null key

Defined In: lpmapi.h
Symbolic Name: RSVP_Err_AMBIG_FILTER
Message: Ambiguous Filter spec in Resv

Defined In: lpmapi.h

Defined In: mapidefs.h

Defined In: mmsystem.h

Defined In: msaudite.h
Message: Account Logon

Defined In: msiquery.h
Message: invalid GUID

Defined In: nb30.h
Symbolic Name: NRC_NORES
Message: no resource available

Defined In: nddeapi.h

Defined In: netmon.h

Defined In: ntdddisk.h
Message: Invalid cmd flag set

Defined In: odbcinst.h

Defined In: ole.h
Message: Invalid metafile

Defined In: pollog.mc
Message: The Enrollee was not able to successfully authenticate to the Certificate Service. Please check your security settings.

Defined In: routprot.h
Symbolic Name: MFE_NO_ROUTE
Message: router has no route that matches

Defined In: scesvc.h

Defined In: snmp.h

Defined In: ssc.h
Message: GE internal error

Defined In: twain.h
Message: Unrecognized MSG DG DAT combination

Defined In: w32timemsg.mc
Message: The time provider '%1' returned an error when notified of a time jump. The error will be ignored. The error was: %2

Defined In: wincrypt.h

Defined In: winerror.h
Message: The storage control block address is invalid.

Defined In: winldap.h
Symbolic Name: LDAP_REFERRAL_V2

Defined In: winldap.h

Defined In: winsnmp.h


SQL Server, Local System account, and Event Viwer

I got the following message from SQL Query Analyzer the other day when I was trying to debug a stored procedure on a development system:

Of course, I was unable to debug the stored procedure with the current configuration. The SP would run, but one could not debug it. The "Event Viwer" (love the spelling) had no additional information, contrary to the message.

INF: Transact-SQL Debugger Limitations and Troubleshooting Tips for SQL Server 2000 and PRB: SQL Server Debugging with Visual Studio Service Pack 5 Requires a Non-System Account both mention a resolution to the problem ("Use the Domain User account (and not the Local System account) as the SQL Server service account and [make sure] that the Domain User account is a member of the Local Administrators group for remote debugging.") but the exact cause is not explained. Perhaps another day...


Device Manager and NONPRESENT Devices

In writing about the Western Digital "Hard Drive Settlement", I started wondering what brands of hard drives I had. I've got about 6 HDs in external enclosures, but they were in my office and I wasn't. I didn't want to open each case up to see what the drive was, and I didn't want to hook all of the drives up to the laptop.

Instead, I opened up a CMD window and at the prompt I typed "set DEVMGR_SHOW_NONPRESENT_DEVICES=1", hit enter, and then typed "devmgmt.msc" and hit enter again. This brought up Device Manager, as one might expect. I then selected "Show hidden devices" from the view menu.

This allowed me to expand the "Disk drives" category and see all of the "nonpresent" hard drives, which had at least some indication of the manufacturer in the name.

2 Seagates, 1 Maxtor, 1 Quantum, and 2 Western Digitals...

The child process (mmc.exe) inherits the environment space from the parent process (cmd.exe), and since the parent process had the environment variable DEVMGR_SHOW_NONPRESENT_DEVICES set, the child inherited that setting. Running devmgmt.msc started mmc.exe, the Microsoft Management Console executable which is associated with .MSC files. The .MSC instructed mmc.exe to load devmgr.dll, which contains the code to check the setting of the environment variable named DEVMGR_SHOW_NONPRESENT_DEVICES and react appropriately.


Interesting Videos...

Ran across some interesting videos.

Rocket exploding shortly after takeoff:

Liquid nitrogen + Swimming pool =??


Why not to compress SQL Server data and log files

Very interesting explanation about why you shouldn't compress SQL Server log files and database files at http://blogs.msdn.com/khen1234/archive/2005/04/25/411852.aspx.

The obvious answer is performance, of course, but why performance suffers in this scenario is rather interesting. It's more than just the hit of compressing and decompressing the database data and log files. In short, when a compressed file is being read from or written to, IO operations are ALWAYS run synchronously.


Western Digital Hard Drive Settlement

There's a settlement for a class-action lawsuit brought against Western Digital. The suit is based on the whole binary vs. decimal "controversy" - HD manufacturers measure capacity using the decimal number system while OS manufacturers use the binary number system.

Using the binary number system, 80 GB amounts to 85,899,345,920 bytes.
Using the decimal number system, 80 GB amounts to 80,000,000,000 bytes.

That's a difference of 5,899,345,920 bytes. Windows takes a drive with 80,000,000,000 bytes (as labeled by the drive maker) and displays it as having a capacity of about 74.4 GB.

Settlement details are at http://www.wdc.com/settlement/. WD "decided to settle to avoid a potentially expensive legal battle". The settlement includes backup/restore software and is available to those that have purchased a boxed WD HD between 2001-03-22 and 2006-02-15. Registration must be completed before 2006-07-16.


HALT! Who goes there?

I've been curious about who visits this blog. It's quite an interesting mix, actually. Well, interesting to me. Probably not all that different from similar blogs. Er... wait - there are no similar blogs. This is the only blog with this type of content. This is the only blog with this type of content. This is the only blog with this type of content. Yeah.

Anyway, I've had visitors from Microsoft, Sun Microsystems, various military branches and defense agencies, Fortis Bank, various software companies, Computer Sciences Corporation, various universities, airlines, and even a legal firm (which makes me perhaps a bit nervous)...

I'm interested in why people visit this blog, and what inspires them to leave comments on blogs in general. Anyone care to start? <g>


What's the point?

I am aware that this is a rather low-traffic blog. I never set out to make this a high-traffic, vigintillion-visitor place. No big deal. I do this for a few reasons...

I like it. I like exploring things and reporting my findings. Sometimes I get to dig deep into something. Other times something just strikes my fancy and I want to say "Hey - check this out."

I also use this blog as a form of documentation. I write about problems I have encountered, etc. I like troubleshooting problems. The solution to a problem isn't as helpful as it could be if it's withheld. I'm a details kind of person, so I tend to want to provide as much background and detail as possible about the situation I am describing. Odds are, I or someone else will run into the problem or situation again. When / if that happens, I can go back and find out what I did, what conclusion I came to, and how I got there.

They also say "the sound of your own voice must soothe you", so there may be some of that going on... ;)