tag:blogger.com,1999:blog-209772802024-03-07T03:53:23.741-06:00My Green Paste, Inc.Tech things that interest me, the inevitable rant, and, of course, My Green Paste.
Windows Internals, Windows Drivers, Security, Development, .NET, Software Tools & Utilities...«/\/\Ø|ö±ò\/»®©http://www.blogger.com/profile/04886149439479604072noreply@blogger.comBlogger175125tag:blogger.com,1999:blog-20977280.post-75899354926533781282008-11-17T22:01:00.001-06:002008-11-17T22:06:58.907-06:00Despite it All, I'm Getting a 10.00 for Reliability in Windows Vista<p><span style="font-size:78%;">Note: this content originally from </span><a href="http://mygreenpaste.blogspot.com/"><span style="font-size:78%;">http://mygreenpaste.blogspot.com</span></a><span style="font-size:78%;">. If you are reading it from some other site, please take the time to visit </span><a href="http://mygreenpaste.blogspot.com/"><span style="font-size:78%;">My Green Paste, Inc</span></a><span style="font-size:78%;">. Thank you.</span> </p><p><span>I guess I've got nothing to complain about. I'll let the screenshot speak for itself...</span></p><p><span style="font-size:85%;"><br /></span> </p><p><span style="font-size:85%;"></span></p> <a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhIXmgcIVZygQJpigg7jsCLowO0zl6tyYP6cMXftIltm7udTWO6sckpbNnQWbnprJ-dJ1bijn5wlMS5u4-4ZN6Xq10VmRYRG9rBK4qBATVlsB_cMveGGTdRp1qSXOfbxIt0rUe71g/s1600-h/VistaReliabilityReport2008-11.jpg" target="_blank"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 171px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhIXmgcIVZygQJpigg7jsCLowO0zl6tyYP6cMXftIltm7udTWO6sckpbNnQWbnprJ-dJ1bijn5wlMS5u4-4ZN6Xq10VmRYRG9rBK4qBATVlsB_cMveGGTdRp1qSXOfbxIt0rUe71g/s400/VistaReliabilityReport2008-11.jpg" alt="" id="BLOGGER_PHOTO_ID_5269843599126421778" border="0" 
/></a>«/\/\Ø|ö±ò\/»®©http://www.blogger.com/profile/04886149439479604072noreply@blogger.com1tag:blogger.com,1999:blog-20977280.post-2761692777546179822008-11-03T22:38:00.001-06:002008-11-03T22:43:20.202-06:00Error 0x8007052e from Windows Media Services<p><span style="font-size: 78%;">Note: this content originally from </span><a href="http://mygreenpaste.blogspot.com/" target="_blank"><span style="font-size: 78%;">http://mygreenpaste.blogspot.com</span></a><span style="font-size: 78%;">. If you are reading it from some other site, please take the time to visit <a href="http://mygreenpaste.blogspot.com/" target="_blank">My Green Paste, Inc</a>. Thank you.</span></p><p>I was recently working on getting Windows Media Services configured on a system. Going through the properties, I noticed that the "WMS Anonymous User Authentication" plugin was in an error state. On inspection, I was presented with the following dialog. </p><blockquote> <p><span style="font-family:Courier New;">---------------------------<br />Windows Media Services<br />---------------------------<br />The plug-in cannot be enabled because the user name or password does not match the settings for the Windows user account used for anonymous guests.<br />---------------------------<br />OK <br />---------------------------</span> </p></blockquote> <p>Also, the event viewer was showing the following: </p><blockquote> <p><span style="font-family:Courier New;">Event Type: Error<br />Event Source: WMServer<br />Event Category: Plugin<br />Event ID: 323<br />Date: [Date]<br />Time: [Time]<br />User: N/A<br />Computer: [CompName]<br />Description:<br />Plug-in 'WMS Anonymous User Authentication' on the server failed with the following information: Error code = 0x8007052e, Error text = 'Logon failure: unknown user name or bad password. 
'.<br />For more information, see Help and Support Center at </span><a href="http://go.microsoft.com/fwlink/events.asp"><span style="font-family:Courier New;">http://go.microsoft.com/fwlink/events.asp</span></a><span style="font-family:Courier New;">.<br />Data:<br />0000: 8007052e </span></p></blockquote> <p>Checking "Local Users and Groups", I could see that the specified user (WMUS_COMPNAME) certainly existed. I changed the password for the user and then set the password in the properties for "WMS Anonymous User Authentication". I was rewarded with the same message. The user name and password were correct, so I focused my attention elsewhere. I first tried changing the settings to provoke the message while running Sysinternals' <a target="_blank" href="http://technet.microsoft.com/en-us/sysinternals/bb896642.aspx">Filemon</a> and <a target="_blank" href="http://technet.microsoft.com/en-us/sysinternals/bb896652.aspx">Regmon</a>, but was unable to pull anything from the captured data that seemed like it was germane to the problem. </p><p>The next thing I tried was creating a new account and specifying that account in the properties for "WMS Anonymous User Authentication". This worked; the status of "WMS Anonymous User Authentication" became "Enabled". I found this odd, as I was working with a fresh installation of Windows Media Services. In comparing the accounts (WMUS_COMPNAME and the test account I created), I noticed the WMUS_COMPNAME account was just a member of the Guests group, while the test account was just a member of the Users group. So, I added the test account to Guests and removed it from Users, and then checked / OK'd the "WMS Anonymous User Authentication" properties. I got the aforementioned message. I changed the test account back to the original group memberships, and "WMS Anonymous User Authentication" did not complain. </p><p>At this point, I knew that the problem was related to some restriction placed on the Guests group. 
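Restrictions on the Guests group of this kind live in the user-rights assignments of the local security policy, and the quickest way to audit them is to export the policy and read the export. The C program below is an added example (mine, not the post's code): it parses the INF file written by `secedit /export /cfg policy.inf` and reports whether the Guests group's well-known SID, S-1-5-32-546, is assigned SeDenyNetworkLogonRight, the right secpol.msc displays as "Deny access to this computer from the network". The INF text embedded here is constructed, `policy.inf` is a placeholder name, and narrowing secedit's UTF-16LE output to ASCII assumes the export contains only ASCII characters.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample of a `secedit /export /cfg policy.inf` export, already
   narrowed to ASCII. Guests (S-1-5-32-546) has been added to the deny right. */
static const char SAMPLE_INF[] =
    "[Unicode]\r\nUnicode=yes\r\n"
    "[System Access]\r\nMinimumPasswordLength = 0\r\n"
    "[Privilege Rights]\r\n"
    "SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544,*S-1-5-32-545,*S-1-5-32-551\r\n"
    "SeDenyNetworkLogonRight = *S-1-5-32-546\r\n"
    "SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545,*S-1-5-32-546\r\n"
    "[Version]\r\nsignature=\"$CHICAGO$\"\r\nRevision=1\r\n";

#define GUESTS_SID "S-1-5-32-546"          /* well-known SID of BUILTIN\Guests */

/* secedit writes UTF-16LE with a BOM; keep the low byte of each code unit
   ('?' for anything non-ASCII). Input without a BOM is copied unchanged. */
size_t narrow_utf16le(const unsigned char *in, size_t n, char *out, size_t outn)
{
    size_t o = 0;
    if (n >= 2 && in[0] == 0xFF && in[1] == 0xFE) {
        for (size_t i = 2; i + 1 < n && o + 1 < outn; i += 2)
            out[o++] = (in[i + 1] == 0 && in[i] < 0x80) ? (char)in[i] : '?';
    } else {
        for (size_t i = 0; i < n && o + 1 < outn; i++) out[o++] = (char)in[i];
    }
    out[o] = '\0';
    return o;
}

/* 1 if `sid` is assigned to user right `right` under [Privilege Rights],
   0 if the right is listed without it, -1 if the right is not listed at all. */
int right_has_sid(const char *inf, const char *right, const char *sid)
{
    const char *p = inf;
    size_t rl = strlen(right), sl = strlen(sid);
    int in_priv = 0;
    while (*p) {
        const char *eol = strpbrk(p, "\r\n");
        const char *end = eol ? eol : p + strlen(p);
        size_t len = (size_t)(end - p);
        if (len && p[0] == '[') {
            in_priv = (len == 18 && strncmp(p, "[Privilege Rights]", 18) == 0);
        } else if (in_priv && len > rl && strncmp(p, right, rl) == 0
                   && (p[rl] == ' ' || p[rl] == '=')) {
            const char *tok = memchr(p, '=', len);
            if (!tok) return 0;
            for (tok++; tok < end; ) {                 /* values look like *SID,*SID,... */
                while (tok < end && (*tok == ' ' || *tok == ',')) tok++;
                const char *tend = tok;
                while (tend < end && *tend != ',') tend++;
                const char *v = tok;
                size_t vl = (size_t)(tend - tok);
                if (vl && *v == '*') { v++; vl--; }    /* '*' marks a SID */
                while (vl && v[vl - 1] == ' ') vl--;
                if (vl == sl && strncmp(v, sid, sl) == 0) return 1;
                tok = tend;
            }
            return 0;
        }
        if (!eol) break;
        for (p = eol; *p == '\r' || *p == '\n'; p++) ;
    }
    return -1;
}

/* The check behind this post's symptom: is Guests denied network logon? */
int guests_denied_network_logon(const char *inf)
{
    return right_has_sid(inf, "SeDenyNetworkLogonRight", GUESTS_SID) == 1;
}

int main(int argc, char **argv)
{
    /* Usage: prog [policy.inf]; with no argument the constructed sample is checked. */
    char *text;
    if (argc > 1) {
        FILE *f = fopen(argv[1], "rb");
        if (!f) { perror(argv[1]); return 2; }
        size_t cap = (size_t)16 << 20;               /* 16 MiB is plenty for an export */
        unsigned char *raw = malloc(cap);
        size_t n = fread(raw, 1, cap, f);
        fclose(f);
        text = malloc(n + 1);
        narrow_utf16le(raw, n, text, n + 1);
        free(raw);
    } else {
        text = malloc(sizeof SAMPLE_INF);
        memcpy(text, SAMPLE_INF, sizeof SAMPLE_INF);
    }
    int r = right_has_sid(text, "SeDenyNetworkLogonRight", GUESTS_SID);
    printf("Guests in SeDenyNetworkLogonRight: %s\n",
           r == 1 ? "YES - accounts in Guests cannot log on over the network"
                  : r == 0 ? "no" : "right not listed (default: nobody denied)");
    free(text);
    return r == 1;
}
```

Run it against a fresh export (`secedit /export /cfg policy.inf` from an elevated prompt) and a non-zero exit code means any account that is only a member of Guests, such as the WMUS_ account above, will be refused network logon no matter how correct its password is.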
I ran secpol.msc to check the Local Security Policy Settings, and I noticed that Guests had been added to the Security Setting for the "Deny access to this computer from the network" policy. <a target="_blank" href="http://technet.microsoft.com/en-us/library/cc758316.aspx">According to TechNet</a>, the default for this policy is "None". Removing Guests from the setting allowed the WMUS_COMPNAME account to function as the anonymous account used by Windows Media Services. </p>«/\/\Ø|ö±ò\/»®©http://www.blogger.com/profile/04886149439479604072noreply@blogger.com14tag:blogger.com,1999:blog-20977280.post-19935069230291260622008-10-21T22:27:00.001-05:002008-10-21T22:34:55.210-05:00Handle Leak in Apple's mDNSResponder.exe<p>A while ago, I noticed a handle leak in Apple's "Bonjour Service" (yeah, that <em>sounds </em>like something I want running on my system...) - mDNSResponder.exe. I knew right away that that was the executable for the "Bonjour Service" because the name is so helpful. (Joking. Even if it was named after the service, how the heck would I even guess what the "Bonjour Service" did. But I digress...)</p> <p>The service description is: </p><blockquote>Bonjour allows applications like iTunes and Safari to advertise and discover services on the local network. Having Bonjour running enables you to connect to hardware devices like Apple TV and software services like iTunes sharing and AirTunes. If you disable Bonjour, any network service that explicitly depends on it will fail to start.</blockquote> <p></p> <p>I put up with the leak for a while, from time to time stopping the service when I thought of it after booting. Most of the time I didn't think of it and the leak did not appear to be having any kind of performance impact on my system (I never saw it get above 80,000 handles). An update (or two?) later, I thought it would be fixed. 
So I was surprised to find mDNSResponder.exe had more than 55,000 handles when I checked recently with Sysinternals' <a target="_blank" href="http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx">Process Explorer</a>.</p><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgfu_svQYnoDhSSFRtZR5CcYfc791ft9ayY8AK9BSS2bdkI3Vp_P9L5Ms6Bgj05dx-YoMmlI1ZSGPk4Zb34tlA6yHAR_PvQxe5fW7-ytFmU-SAScZqMpAjLWDpBM28p2BlrWhbAVg/s1600-h/mdsnresponder.jpg"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgfu_svQYnoDhSSFRtZR5CcYfc791ft9ayY8AK9BSS2bdkI3Vp_P9L5Ms6Bgj05dx-YoMmlI1ZSGPk4Zb34tlA6yHAR_PvQxe5fW7-ytFmU-SAScZqMpAjLWDpBM28p2BlrWhbAVg/s400/mdsnresponder.jpg" alt="" id="BLOGGER_PHOTO_ID_5259815404658625666" border="0" /></a><p><br /></p> <p>I tried to use Process Explorer's handle pane to see the handles in mDNSResponder.exe, but with that many handles to display, and with Process Explorer running with its default High priority and refreshing every second, the system became rather sluggish. I dropped the priority of Process Explorer with Task Manager, hid the lower-pane view, and gave <a target="_blank" href="http://technet.microsoft.com/en-us/sysinternals/bb896655.aspx">Handle.exe</a> a shot with <span style="font-family:Courier New;">handle.exe -a -p mdnsresponder.exe</span>.</p> <p>I found that the handles being leaked are handles to registry keys - specifically, HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters. (ControlSet001 is the current control set on my system.)</p> <p>Since there's not much I can do about the handle leak, I'll disable the service, and hope the next update fixes the problem as surely the next update will set the service to Automatic start. 
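Once handle.exe has dumped a process's handle table, finding the leaked object is a counting exercise: the (type, name) pair that dominates the table is the one being opened and never closed. The C program below is an added example (mine, not the post's code) that tallies such a dump. The embedded sample output is constructed, and the column layout it assumes (hex handle value, colon, object type, an optional access column in parentheses for file handles, then the name) is my reading of handle.exe's output; adjust the parser if your version prints differently.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample of `handle.exe -a -p mdnsresponder.exe` output; the
   column layout is my reading of the tool's format, not something the post shows. */
static const char SAMPLE_HANDLE_OUTPUT[] =
    "Sysinternals - www.sysinternals.com\n"
    "\n"
    "mDNSResponder.exe pid: 1234 NT AUTHORITY\\SYSTEM\n"
    "    4: KeyedEvent    \\KernelObjects\\CritSecOutOfMemoryEvent\n"
    "    8: Directory     \\KnownDlls\n"
    "    C: File  (RW-)   C:\\Windows\\System32\n"
    "   10: Key           HKLM\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters\n"
    "   14: Event         \n"
    "   18: Key           HKLM\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters\n"
    "   1C: Key           HKLM\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters\n"
    "   20: Key           HKLM\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters\n"
    "   24: Event         \n";

#define MAX_GROUPS 4096                 /* distinct (type, name) pairs tracked; extras are ignored */
struct tally { char key[300]; int count; };
static struct tally g_tally[MAX_GROUPS];

/* Parse one dump line into type and name. Returns 0 for banner, blank and
   process-header lines, which do not start with "<hex>:". */
int parse_handle_line(const char *line, char *type, size_t tn, char *name, size_t nn)
{
    const char *p = line, *q;
    while (*p == ' ') p++;
    for (q = p; isxdigit((unsigned char)*q); q++) ;
    if (q == p || *q != ':') return 0;
    for (p = q + 1; *p == ' '; p++) ;
    for (q = p; *q && *q != ' '; q++) ;
    if (q == p) return 0;
    snprintf(type, tn, "%.*s", (int)(q - p), p);
    for (p = q; *p == ' '; p++) ;
    if (*p == '(') {                    /* access column such as (RW-) on file handles */
        while (*p && *p != ')') p++;
        if (*p) p++;
        while (*p == ' ') p++;
    }
    size_t len = strlen(p);
    while (len && (p[len - 1] == ' ' || p[len - 1] == '\r')) len--;
    snprintf(name, nn, "%.*s", (int)len, p);
    return 1;
}

static int by_count_desc(const void *a, const void *b)
{
    const struct tally *x = a, *y = b;
    return (y->count > x->count) - (y->count < x->count);
}

/* Group handle lines by "Type Name" and sort by descending count; returns the
   number of groups stored (at most max). */
int tally_handles(const char *output, struct tally *t, int max)
{
    int n = 0;
    const char *p = output;
    while (*p) {
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        char line[512], type[32], name[256], key[300];
        snprintf(line, sizeof line, "%.*s", (int)len, p);
        if (parse_handle_line(line, type, sizeof type, name, sizeof name)) {
            snprintf(key, sizeof key, "%s%s%s", type, name[0] ? " " : "", name);
            int i;
            for (i = 0; i < n && strcmp(t[i].key, key) != 0; i++) ;
            if (i == n && n < max) { strcpy(t[n].key, key); t[n].count = 0; n++; }
            if (i < n) t[i].count++;
        }
        if (!eol) break;
        p = eol + 1;
    }
    qsort(t, (size_t)n, sizeof *t, by_count_desc);
    return n;
}

/* Convenience views of the most frequent group, the leak candidate. */
int top_handle_count(const char *output)
{
    return tally_handles(output, g_tally, MAX_GROUPS) ? g_tally[0].count : 0;
}

const char *top_handle_key(const char *output)
{
    return tally_handles(output, g_tally, MAX_GROUPS) ? g_tally[0].key : "";
}

int main(int argc, char **argv)
{
    /* Usage: prog [handles.txt]  where handles.txt is saved `handle.exe -a -p <image>` output;
       without an argument the constructed sample is analysed. */
    char *text;
    if (argc > 1) {
        FILE *f = fopen(argv[1], "rb");
        if (!f) { perror(argv[1]); return 2; }
        text = malloc((size_t)16 << 20);            /* 16 MiB covers tens of thousands of handles */
        size_t n = fread(text, 1, ((size_t)16 << 20) - 1, f);
        fclose(f);
        text[n] = '\0';
    } else {
        text = malloc(sizeof SAMPLE_HANDLE_OUTPUT);
        memcpy(text, SAMPLE_HANDLE_OUTPUT, sizeof SAMPLE_HANDLE_OUTPUT);
    }
    int n = tally_handles(text, g_tally, MAX_GROUPS);
    for (int i = 0; i < n && i < 5; i++)
        printf("%6d  %s\n", g_tally[i].count, g_tally[i].key);
    free(text);
    return 0;
}
```

Redirect `handle.exe -a -p mdnsresponder.exe > handles.txt` once, then run the tally on the file; doing the counting offline also avoids the sluggishness of keeping a 55,000-entry handle pane refreshing in Process Explorer. Taking two dumps a few minutes apart and comparing the top group's count confirms that it is growing rather than merely large.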
Wonder why the installer doesn't at least set a service such as this as "Delayed Start" in Vista...</p>«/\/\Ø|ö±ò\/»®©http://www.blogger.com/profile/04886149439479604072noreply@blogger.com1tag:blogger.com,1999:blog-20977280.post-49285305916347076652008-09-17T21:40:00.001-05:002008-09-17T21:42:12.696-05:00Advanced Windows Debugging on Channel 9<p><span style="font-size:78%;">Note: this content originally from </span><a href="http://mygreenpaste.blogspot.com/"><span style="font-size:78%;">http://mygreenpaste.blogspot.com</span></a><span style="font-size:78%;">. If you are reading it from some other site, please take the time to visit </span><a href="http://mygreenpaste.blogspot.com/"><span style="font-size:78%;">My Green Paste, Inc</span></a><span style="font-size:78%;">. Thank you.</span> </p><p>Just a quick note - <a target="_blank" href="http://www.advancedwindowsdebugging.com/book/authors.htm">the authors</a> of <a target="_blank" href="http://www.advancedwindowsdebugging.com/">Advanced Windows Debugging</a> have been <a target="_blank" href="http://channel9.msdn.com/posts/Charles/Advanced-Windows-Debugging-An-Introduction/">interviewed</a> on MSDN's Channel 9. It's about 43 minutes long, and it's interesting to hear the authors talk about their experiences, the motivation behind the book, the effect of additional layers of abstraction, etc., and go through a handle leak debugging session. <a target="_blank" href="http://channel9.msdn.com/posts/Charles/Advanced-Windows-Debugging-An-Introduction/">Check it out!</a></p>«/\/\Ø|ö±ò\/»®©http://www.blogger.com/profile/04886149439479604072noreply@blogger.com0tag:blogger.com,1999:blog-20977280.post-73764051471885729202008-07-09T20:43:00.001-05:002008-07-09T20:57:06.955-05:00In Vista, How Does the FLAGS Switch of REG.EXE Work? 
Part 2<p><span style="font-size:78%;">Note: this content originally from </span><a href="http://mygreenpaste.blogspot.com/" target="_blank"><span style="font-size:78%;">http://mygreenpaste.blogspot.com</span></a><span style="font-size:78%;">. If you are reading it from some other site, please take the time to visit <a href="http://mygreenpaste.blogspot.com/" target="_blank">My Green Paste, Inc</a>. Thank you.</span></p><p><a href="http://mygreenpaste.blogspot.com/2008/04/in-vista-how-does-flags-switch-of.html" target="_blank">Previously</a>, I wrote about the FLAGS switch for REG.EXE in Vista and covered a technique that sets the virtualization-related flags of a registry key programmatically. This post covers the other side - querying the virtualization-related flags of a registry key. Again, we're dealing with an "undocumented" function in NTDLL.DLL - NtQueryKey:<br /></p><div style="OVERFLOW-X: scroll; WIDTH: 410px"><pre>NTSTATUS NtQueryKey(<br /> IN HANDLE KeyHandle,<br /> IN KEY_INFORMATION_CLASS KeyInformationClass,<br /> OUT PVOID KeyInformation,<br /> IN ULONG Length,<br /> OUT PULONG ResultLength );</pre></div><br /><br />To retrieve the flags for a key, call NtQueryKey with KeyInformationClass set to 5, which WDM.h tells us is KeyFlagsInformation.<br /><div style="OVERFLOW-X: scroll; WIDTH: 410px"><pre>typedef enum _KEY_INFORMATION_CLASS {<br /> KeyBasicInformation,<br /> KeyNodeInformation,<br /> KeyFullInformation,<br /> KeyNameInformation,<br /> KeyCachedInformation,<br /> KeyFlagsInformation,<br /> KeyVirtualizationInformation,<br /> MaxKeyInfoClass // MaxKeyInfoClass should always be the last enum<br />} KEY_INFORMATION_CLASS;</pre></div><br /><br />REG.EXE supplies 12 for the value of the Length param, and the last 4 bytes of the buffer (KeyInformation) are modified when NtQueryKey returns. 
This would seem to suggest that the struct to receive the information containing the virtualization flags looks something like:<br /><div style="OVERFLOW-X: scroll; WIDTH: 410px"><pre>typedef struct _KEY_FLAGS_INFO {<br /> ULONG unknown1;<br /> ULONG unknown2;<br /> ULONG ControlFlags;<br />} KEY_FLAGS_INFO, *PKEY_FLAGS_INFO;</pre></div><br /><br />Putting it all together, then, we have something like:<br /><div style="OVERFLOW-X: scroll; WIDTH: 410px"><pre>typedef NTSYSAPI NTSTATUS (NTAPI* FuncNtQueryKey)( HANDLE KeyHandle, KEY_INFORMATION_CLASS KeyInformationClass, PVOID KeyInformation, ULONG Length, PULONG ResultLength );<br />// ...<br />FuncNtQueryKey ntqk = (FuncNtQueryKey)GetProcAddress( GetModuleHandle( _T("ntdll.dll") ), "NtQueryKey" );<br />KEY_FLAGS_INFO kfi = {0};<br />HKEY hTheKey = NULL;<br />RegOpenKeyEx( HKEY_LOCAL_MACHINE, _T("SOFTWARE\\Whatever"), 0, KEY_ALL_ACCESS, &hTheKey );<br />DWORD dwResultLen = 0;<br />DWORD dwNtqkResult = ntqk( hTheKey , KeyFlagsInformation, &kfi, sizeof( KEY_FLAGS_INFO ), &dwResultLen );<br />RegCloseKey( hTheKey );<br />hTheKey = NULL;</pre></div><br /><br />The flags (_CONTROL_FLAGS, from <a href="http://mygreenpaste.blogspot.com/2008/04/in-vista-how-does-flags-switch-of.html" target="_blank">Part 1</a>) are stored as a bitmask in kfi.ControlFlags.<br /><div style="OVERFLOW-X: scroll; WIDTH: 410px"><pre>typedef enum _CONTROL_FLAGS {<br /> RegKeyClearFlags = 0,<br /> RegKeyDontVirtualize = 2,<br /> RegKeyDontSilentFail = 4,<br /> RegKeyRecurseFlag = 8<br />} CONTROL_FLAGS;</pre></div><br /><br />The code above provides the same information as invoking REG.EXE FLAGS HKLM\Software\Whatever QUERY.<br /><br />Again - note that this exploration was done on Windows Vista SP1. 
I would expect the content here to also apply to Windows Vista (no SP) as well as Windows Server 2008, but...«/\/\Ø|ö±ò\/»®©http://www.blogger.com/profile/04886149439479604072noreply@blogger.com0tag:blogger.com,1999:blog-20977280.post-19923235279188217612008-06-30T21:13:00.001-05:002008-12-08T18:57:37.006-06:00A Little Fun with Rundll32.exe<p><span style="font-size:78%;">Note: this content originally from </span><a href="http://mygreenpaste.blogspot.com/" target="_blank"><span style="font-size:78%;">http://mygreenpaste.blogspot.com</span></a><span style="font-size:78%;">. If you are reading it from some other site, please take the time to visit <a href="http://mygreenpaste.blogspot.com/" target="_blank">My Green Paste, Inc</a>. Thank you.</span></p><br /><p>Was having a little fun with rundll32.exe (command-lines will probably be a little messed up due to the length - they should be entered as one complete command). I first tried the commands on XP, but they produce similar results on Vista.</p><br /><p><span style="font-family:Courier New;font-size:78%;">C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\sysdm.cpl,NoExecuteProcessException C:\windows\system32\ntoskrnl.exe</span><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgEQ0cAKmPdQAlP7K3GmZzgA5_lt_CK0-yRCNJw6Jd6tpTxNdP9mVNMnUhE8NkW_zAW8hWRgwDZYcV-sDBpTn4pankVsfMutOARp37pcIuAk9k86gf-ZkT3QbA3k7N4HNOoAjsC8w/s1600-h/ntoskrnl.jpg"><img style="MARGIN: 0px auto 10px; CURSOR: hand; DISPLAY: block; TEXT-ALIGN: center" id="BLOGGER_PHOTO_ID_5217863863324354562" border="0" alt="" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgEQ0cAKmPdQAlP7K3GmZzgA5_lt_CK0-yRCNJw6Jd6tpTxNdP9mVNMnUhE8NkW_zAW8hWRgwDZYcV-sDBpTn4pankVsfMutOARp37pcIuAk9k86gf-ZkT3QbA3k7N4HNOoAjsC8w/s400/ntoskrnl.jpg" /></a></p><br /><p><span style="font-family:Courier New;font-size:78%;"></span></p><br /><p><span style="font-family:Courier New;font-size:78%;">C:\WINDOWS\system32\rundll32.exe 
C:\WINDOWS\system32\sysdm.cpl,NoExecuteProcessException C:\windows\system32\hal.dll</span><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhwKJamWM-SAV0ROaYFWdB0IzTdycYDMxuxKQnNiGG9gZ0Z13Su84iGR2kn9_E9BrJWetw0u-155jtwQ9j_biHhOfCqFu2SH_Y6bI3HuR_IbacY79C96AzAPaXWlLg7SnfQnnUF2A/s1600-h/hal.jpg"><img style="MARGIN: 0px auto 10px; CURSOR: hand; DISPLAY: block; TEXT-ALIGN: center" id="BLOGGER_PHOTO_ID_5217864769783255234" border="0" alt="" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhwKJamWM-SAV0ROaYFWdB0IzTdycYDMxuxKQnNiGG9gZ0Z13Su84iGR2kn9_E9BrJWetw0u-155jtwQ9j_biHhOfCqFu2SH_Y6bI3HuR_IbacY79C96AzAPaXWlLg7SnfQnnUF2A/s400/hal.jpg" /></a><span style="font-family:Courier New;font-size:78%;"></span></p><br /><p><span style="font-family:Courier New;font-size:78%;"></span></p><br /><p><span style="font-family:Courier New;font-size:78%;">C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\sysdm.cpl,NoExecuteProcessException C:\windows\system32\chkdsk.exe</span><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhl8VzO6SIemVRRDoTz1wpm3MUOwKxcRKIUY3ul53Mb-V3XZ9GEBVixHgRCRubiSzHwjYc1JbfRY6AzpRWvI8gdqBYLeui9mmDRevAnfGHmrNf7FT5bfNBFcVivHzd8yVyVlSSbwQ/s1600-h/chkdsk.jpg"><img style="MARGIN: 0px auto 10px; CURSOR: hand; DISPLAY: block; TEXT-ALIGN: center" id="BLOGGER_PHOTO_ID_5217864787169460914" border="0" alt="" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhl8VzO6SIemVRRDoTz1wpm3MUOwKxcRKIUY3ul53Mb-V3XZ9GEBVixHgRCRubiSzHwjYc1JbfRY6AzpRWvI8gdqBYLeui9mmDRevAnfGHmrNf7FT5bfNBFcVivHzd8yVyVlSSbwQ/s400/chkdsk.jpg" /></a></p><br /><p><span style="font-family:Courier New;font-size:78%;"></span></p><br /><p><span style="font-family:Courier New;font-size:78%;">C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\sysdm.cpl,NoExecuteProcessException C:\windows\system32\autochk.exe</span><a 
href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEigmtpchTjGXAj3E_C8mxXxAeVT1bwsLarzkADsc2e05I_oHIl6Jz3Ag_9oMwXH7DXPa22Bwa7Q59DjK3FM26ynr_yWE1-e0fFjxof9Jb4U37N84U3YlEFw2H5YbDtsv8GEdy1ZNA/s1600-h/autochk.jpg"><img style="MARGIN: 0px auto 10px; CURSOR: hand; DISPLAY: block; TEXT-ALIGN: center" id="BLOGGER_PHOTO_ID_5217864780198622546" border="0" alt="" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEigmtpchTjGXAj3E_C8mxXxAeVT1bwsLarzkADsc2e05I_oHIl6Jz3Ag_9oMwXH7DXPa22Bwa7Q59DjK3FM26ynr_yWE1-e0fFjxof9Jb4U37N84U3YlEFw2H5YbDtsv8GEdy1ZNA/s400/autochk.jpg" /></a><span style="font-family:Courier New;font-size:78%;"></span></p><br /><p><span style="font-family:Courier New;font-size:78%;"></span></p><br /><p><span style="font-family:Courier New;font-size:78%;">C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\sysdm.cpl,NoExecuteProcessException C:\windows\system32\smss.exe</span><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiGIy_cecs0VxhdMsIGhgDwwoyON26gMoJSbuHUkF6Wq5xRTrjBJCXantU_Uj307di8ytRegDYo1lSSOVjFtR_zcvDn__un21lGUdiZW2aUkXfR7dSetvPpcknTxXYuVeQDcZkCCQ/s1600-h/smss.jpg"><img style="MARGIN: 0px auto 10px; CURSOR: hand; DISPLAY: block; TEXT-ALIGN: center" id="BLOGGER_PHOTO_ID_5217864777122460146" border="0" alt="" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiGIy_cecs0VxhdMsIGhgDwwoyON26gMoJSbuHUkF6Wq5xRTrjBJCXantU_Uj307di8ytRegDYo1lSSOVjFtR_zcvDn__un21lGUdiZW2aUkXfR7dSetvPpcknTxXYuVeQDcZkCCQ/s400/smss.jpg" /></a></p><br /><p><span style="font-family:Courier New;font-size:78%;"></span></p><br /><p><span style="font-family:Courier New;font-size:78%;">C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\sysdm.cpl,NoExecuteProcessException C:\windows\system32\winlogon.exe</span><a 
href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhP8jm-3vH2LePmsFfZRPNGTW9I7AfwLgPfYRqQhyphenhyphenO4KclsGV751C3FVuIxcm7swdPB3kf5cfWFjELUK30MOck0i8bm-tKvf_L7xGzAkuRx2l0pQZrGfvuK3hNld1q99lZMqOuAeQ/s1600-h/winlogon.jpg"><img style="MARGIN: 0px auto 10px; CURSOR: hand; DISPLAY: block; TEXT-ALIGN: center" id="BLOGGER_PHOTO_ID_5217864774729524738" border="0" alt="" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhP8jm-3vH2LePmsFfZRPNGTW9I7AfwLgPfYRqQhyphenhyphenO4KclsGV751C3FVuIxcm7swdPB3kf5cfWFjELUK30MOck0i8bm-tKvf_L7xGzAkuRx2l0pQZrGfvuK3hNld1q99lZMqOuAeQ/s400/winlogon.jpg" /></a><span style="font-family:Courier New;font-size:78%;"></span></p><br /><p><span style="font-family:Courier New;font-size:78%;"></span></p><br /><p><span style="font-family:Courier New;font-size:78%;">C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\sysdm.cpl,NoExecuteProcessException c:\windows\Soap Bubbles.bmp</span><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi7msTBicw2_7UC0asu7f-w1McO3y32Btgc6Pn-bn5OAO-OuPDNEPgQaIRUTgR_b4v4yz4BJfx1Uq4jrKFkH7QVUD71n3ctzkJHdKvkeCi_7z9kC4rdyebL7bhUaWqJdIFngBSCbg/s1600-h/SoapBubbles.jpg"><img style="MARGIN: 0px auto 10px; CURSOR: hand; DISPLAY: block; TEXT-ALIGN: center" id="BLOGGER_PHOTO_ID_5217864936710171170" border="0" alt="" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi7msTBicw2_7UC0asu7f-w1McO3y32Btgc6Pn-bn5OAO-OuPDNEPgQaIRUTgR_b4v4yz4BJfx1Uq4jrKFkH7QVUD71n3ctzkJHdKvkeCi_7z9kC4rdyebL7bhUaWqJdIFngBSCbg/s400/SoapBubbles.jpg" /></a></p><br /><p></p>«/\/\Ø|ö±ò\/»®©http://www.blogger.com/profile/04886149439479604072noreply@blogger.com4tag:blogger.com,1999:blog-20977280.post-75484369311110965792008-06-22T13:57:00.001-05:002008-06-22T13:58:15.053-05:00New Tool for Detecting Rootkits<p><span style="font-size:78%;">Note: this content originally from </span><a href="http://mygreenpaste.blogspot.com/" target="_blank"><span 
style="font-size:78%;">http://mygreenpaste.blogspot.com</span></a><span style="font-size:78%;">. If you are reading it from some other site, please take the time to visit <a href="http://mygreenpaste.blogspot.com/" target="_blank">My Green Paste, Inc</a>. Thank you.</span></p><p>Congratulations to AD for the public release of the beta of RootRepeal, a new rootkit detector!</p><p>See the tool's site on GooglePages for more info or to download:</p><p><a title="http://rootrepeal.googlepages.com/home" href="http://rootrepeal.googlepages.com/">http://rootrepeal.googlepages.com</a></p>«/\/\Ø|ö±ò\/»®©http://www.blogger.com/profile/04886149439479604072noreply@blogger.com2tag:blogger.com,1999:blog-20977280.post-5489288571460805952008-05-27T06:34:00.001-05:002008-06-03T22:09:46.439-05:00Garbled Content Ratings Dialog in IIS 6<p><font size="1">Note: this content originally from </font><a href="http://mygreenpaste.blogspot.com/" target="_blank"><font size="1">http://mygreenpaste.blogspot.com</font></a><font size="1">. If you are reading it from some other site, please take the time to visit <a href="http://mygreenpaste.blogspot.com/" target="_blank">My Green Paste, Inc</a>. Thank you.</font></p><p>Ran into the following while configuring IIS 6 on a new system. 
Not sure if I need to be concerned...</p> <p align="center"><a target=_blank href="http://lh4.ggpht.com/mygreenpaste/SDvxpdsv5zI/AAAAAAAAAFA/X655UzDCLwo/s1600-h/cr%5B4%5D.jpg"><img style="border-right: 0px; border-top: 0px; border-left: 0px; border-bottom: 0px" border="0" alt="Garbled Content Ratings Dialog" src="http://lh3.ggpht.com/mygreenpaste/SDvxqNsv50I/AAAAAAAAAFI/8oTE40SGEt8/cr_thumb%5B2%5D.jpg?imgmax=800" width="421" height="445"></a></p>«/\/\Ø|ö±ò\/»®©http://www.blogger.com/profile/04886149439479604072noreply@blogger.com1tag:blogger.com,1999:blog-20977280.post-34212411912001859962008-05-25T16:24:00.000-05:002008-06-03T22:09:24.218-05:00Creating Programs for Windows 9x and NT with Visual C++ 2008<p><font size="1">Note: this content originally from </font><a href="http://mygreenpaste.blogspot.com/" target="_blank"><font size="1">http://mygreenpaste.blogspot.com</font></a><font size="1">. If you are reading it from some other site, please take the time to visit <a href="http://mygreenpaste.blogspot.com/" target="_blank">My Green Paste, Inc</a>. Thank you.</font></p><p><a href="http://forum.sysinternals.com/forum_posts.asp?TID=14431&PN=1" target="_blank">A recent topic</a> in the <a href="http://forum.sysinternals.com/forum_topics.asp?FID=10" target="_blank">Development forum</a> at <a href="http://forum.sysinternals.com/" target="_blank">Sysinternals Forums</a> contains some information about how to use Visual C++ 2008 to create binaries that run on Windows 9x and NT. For NT, it seems to just be a matter of changing the Subsystem Version to 4.0. One might think to use the <a href="http://msdn2.microsoft.com/en-us/library/fcc1zstk%28VS.80%29.aspx" target="_blank">/SUBSYSTEM linker switch</a> for this. 
However, when one attempts to do so, the shipping link.exe reports:</p><br /><p><font face="Courier New">LINK : warning LNK4010: invalid subsystem version number x.y; default subsystem version assumed</font> </p><br /><p>In this case, the default subsystem version is 5.0, and NT needs 4.0. One can use an older copy of EditBin.exe to change this (I found the version that shipped with Visual Studio .NET 2003 to work):</p><br /><p><font face="Courier New">editbin /SUBSYSTEM:CONSOLE,4.0 c:\path\to\your.exe</font></p><br /><p>The same requirement also exists to get the executable to run on Windows 9x, but one needs to do a bit more work. </p><br /><p><a href="http://www.steelbytes.com/" target="_blank">Louis Solomon</a> has taken the time and put forth the effort to find what is needed for this, and has documented it at <a href="http://louis.steelbytes.com/vs2008_vs_win40.html" target="_blank">C/C++ EXEs and DLLs created by Visual Studio 2008 don't run on Windows 4.0 (ie, NT4 and Win9x)</a>.</p>«/\/\Ø|ö±ò\/»®©http://www.blogger.com/profile/04886149439479604072noreply@blogger.com1tag:blogger.com,1999:blog-20977280.post-8034002025676634502008-04-27T21:52:00.001-05:002008-04-27T22:13:49.872-05:00In Vista, How Does the FLAGS Switch of REG.EXE Work?<p><font size="1">Note: this content originally from </font><a href="http://mygreenpaste.blogspot.com/" target="_blank"><font size="1">http://mygreenpaste.blogspot.com</font></a><font size="1">. If you are reading it from some other site, please take the time to visit <a href="http://mygreenpaste.blogspot.com/" target="_blank">My Green Paste, Inc</a>. Thank you.</font></p><br /><p>A while back, there was a topic (<a href="http://forum.sysinternals.com/forum_posts.asp?TID=10865" target="_blank">Virtual Registry vs. 
"Real registry"</a>) in the <a href="http://forum.sysinternals.com/default.asp" target="_blank">Sysinternals Forums</a> that brought up the question of how to set the virtualization-related flags of a registry key programmatically in Vista, rather than through the use of the REG.EXE tool's FLAGS switch. (For more information on the flags, see <a href="http://blogs.technet.com/markrussinovich/" target="_blank">Mark Russinovich</a>'s article in TechNet Magazine, "<a href="http://technet.microsoft.com/en-us/magazine/cc138019.aspx" target="_blank">Inside Windows Vista User Account Control</a>"). Even before that topic in the forum, I had wondered how it was done but had not had a chance to explore. It didn't seem that many others were curious about it. That topic resurrected the idea, but it quickly fell to the bottom of the list. I've finally gotten around to experimenting, and that leads to this write-up. Searching for the terms involved (data types, function parameter names, etc.), I still don't see this discussed much anywhere, so hopefully this will help someone. (Keep in mind that there very well may be a reason Microsoft hasn't made this available through another, more direct API.)</p><br /><p>In the referenced topic, I had gotten so far as determining that REG.EXE was doing its work through the use of NtSetInformationKey, an "undocumented" API in NTDLL.DLL.</p><br /><div style="OVERFLOW-X: scroll; WIDTH: 410px"><pre>NTSYSAPI<br />NTSTATUS<br />NTAPI<br />NtSetInformationKey(<br /> IN HANDLE KeyHandle,<br /> IN KEY_SET_INFORMATION_CLASS InformationClass,<br /> IN PVOID KeyInformationData,<br /> IN ULONG DataLength );</pre></div><br /><br /><p>After a bit of plonking around in WinDbg, I've come up with the following details. 
REG.EXE calls <a href="http://undocumented.ntinternals.net/UserMode/Undocumented%20Functions/NT%20Objects/Key/NtSetInformationKey.html" target="_blank">NtSetInformationKey</a>, specifying a value of 2 for the InformationClass parameter. This parameter is of type KEY_SET_INFORMATION_CLASS, which wdm.h tells us is an enum:</p><br /><div style="OVERFLOW-X: scroll; WIDTH: 410px"><pre>typedef enum _KEY_SET_INFORMATION_CLASS {<br /> KeyWriteTimeInformation,<br /> KeyWow64FlagsInformation,<br /> KeyControlFlagsInformation,<br /> KeySetVirtualizationInformation,<br /> KeySetDebugInformation,<br /> MaxKeySetInfoClass // MaxKeySetInfoClass should always be the last enum<br />} KEY_SET_INFORMATION_CLASS;</pre></div><br /><br /><p>So the 2 for the InformationClass parameter would correspond to KeyControlFlagsInformation. WDM.H also suggests that this class has a type that one passes for the KeyInformationData parameter - KEY_CONTROL_FLAGS_INFORMATION:</p><br /><div style="OVERFLOW-X: scroll; WIDTH: 410px"><pre>typedef struct _KEY_CONTROL_FLAGS_INFORMATION {<br /> ULONG ControlFlags;<br />} KEY_CONTROL_FLAGS_INFORMATION, *PKEY_CONTROL_FLAGS_INFORMATION;</pre></div><br /><br /><p>We have a basic idea of how to call NtSetInformationKey now. But what are the values that the ControlFlags member of KEY_CONTROL_FLAGS_INFORMATION can be set to? It would appear that the following (self-made) enum covers the pertinent flags - at least the ones REG.EXE FLAGS can handle (there may be more):</p><br /><div style="OVERFLOW-X: scroll; WIDTH: 410px"><pre>typedef enum _CONTROL_FLAGS {<br /> RegKeyClearFlags = 0,<br /> RegKeyDontVirtualize = 2,<br /> RegKeyDontSilentFail = 4,<br /> RegKeyRecurseFlag = 8<br />} CONTROL_FLAGS;</pre></div><br /><br /><p>The control flags are a bitmask, so you can OR them to set more than one.</p><br /><p>Now that we have this information, what's left? 
We need to put it all together in a call to NtSetInformationKey. So, we need to get a pointer to the function in NTDLL.DLL. Then, we can declare a struct of type KEY_CONTROL_FLAGS_INFORMATION, set the ControlFlags member to what we wish, and open the desired key in the registry to pass to NtSetInformationKey. In the end, we wind up with something like the following (error handling has been omitted):</p><br /><div style="OVERFLOW-X: scroll; WIDTH: 410px"><pre>typedef NTSYSAPI NTSTATUS (NTAPI* FuncNtSetInformationKey) (<br /> HANDLE KeyHandle,<br /> KEY_SET_INFORMATION_CLASS InformationClass,<br /> PVOID KeyInformationData,<br /> ULONG DataLength );<br />//...<br />FuncNtSetInformationKey ntsik = (FuncNtSetInformationKey)GetProcAddress(<br /> GetModuleHandle( _T("ntdll.dll") ), "NtSetInformationKey" );<br />KEY_CONTROL_FLAGS_INFORMATION kcfi = {0};<br />kcfi.ControlFlags = RegKeyDontVirtualize | RegKeyRecurseFlag;<br />HKEY hTheKey = NULL;<br />RegOpenKeyEx( HKEY_LOCAL_MACHINE, _T("SOFTWARE\\Whatever"), 0, KEY_ALL_ACCESS, &hTheKey );<br />ntsik( hTheKey, KeyControlFlagsInformation, &kcfi, sizeof( KEY_CONTROL_FLAGS_INFORMATION ) );<br />RegCloseKey( hTheKey );<br />hTheKey = NULL;</pre></div><br /><br /><p>The code above is the equivalent of invoking <font face="Courier New">REG.EXE FLAGS HKLM\Software\Whatever SET DONT_VIRTUALIZE RECURSE_FLAG</font>. To clear the flags, just set kcfi.ControlFlags to RegKeyClearFlags (same as <font face="Courier New">REG.EXE FLAGS HKLM\Software\Whatever SET</font>).</p><br /><p>Hopefully, this will prove useful to those that have wished to set these flags programmatically. In a future post, I hope to explore querying for these flags, a la <font face="Courier New">REG.EXE FLAGS HKLM\Software\Whatever QUERY</font>.</p><br /><p>Note that this exploration was done on Windows Vista SP1. 
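Both REG.EXE FLAGS posts, this one (SET) and Part 2 (QUERY, which appears earlier in this feed), come down to the same ControlFlags bitmask. The following C program is an added example (mine, not the posts' code) that ties the two together: it converts the SET keywords into a ControlFlags mask and back, and, when built on Windows, queries or sets the flags through NtQueryKey and NtSetInformationKey using the information-class numbers (2 and 5) and the 12-byte KeyFlagsInformation layout the posts inferred. The flag values, struct layouts and class numbers are taken from the posts; that KEY_READ is enough for the query, the locally defined status constant, and the subkey name taken from the command line are my assumptions. Off Windows only the keyword/bitmask helpers compile, which is enough to check the encoding.

```c
#include <stdio.h>
#include <string.h>

/* Flag values as inferred in the posts (a self-made enum, not a public header). */
enum control_flags {
    RegKeyClearFlags     = 0,
    RegKeyDontVirtualize = 2,
    RegKeyDontSilentFail = 4,
    RegKeyRecurseFlag    = 8
};

/* The keywords REG.EXE FLAGS ... SET accepts, paired with their bits. */
static const struct { const char *name; unsigned long bit; } kFlagNames[] = {
    { "DONT_VIRTUALIZE",  RegKeyDontVirtualize },
    { "DONT_SILENT_FAIL", RegKeyDontSilentFail },
    { "RECURSE_FLAG",     RegKeyRecurseFlag    },
};
#define NFLAGS (sizeof kFlagNames / sizeof kFlagNames[0])

/* Space-separated SET keywords -> ControlFlags bitmask. An empty string clears
   every flag (REG FLAGS key SET); an unknown keyword yields (unsigned long)-1. */
unsigned long flags_from_keywords(const char *keywords)
{
    unsigned long mask = RegKeyClearFlags;
    const char *p = keywords;
    while (*p) {
        while (*p == ' ') p++;
        if (!*p) break;
        const char *end = p;
        while (*end && *end != ' ') end++;
        size_t len = (size_t)(end - p), k;
        for (k = 0; k < NFLAGS; k++)
            if (len == strlen(kFlagNames[k].name) && strncmp(p, kFlagNames[k].name, len) == 0) {
                mask |= kFlagNames[k].bit;
                break;
            }
        if (k == NFLAGS) return (unsigned long)-1;
        p = end;
    }
    return mask;
}

/* ControlFlags bitmask -> the keywords that are set ("NONE" when clear). Bits
   outside the inferred set are reported, since the posts say there may be more. */
const char *flags_to_text(unsigned long mask)
{
    static char out[96];        /* static buffer: fine for a demo, not re-entrant */
    unsigned long known = 0;
    size_t used = 0;
    out[0] = '\0';
    for (size_t k = 0; k < NFLAGS; k++) {
        known |= kFlagNames[k].bit;
        if (mask & kFlagNames[k].bit)
            used += (size_t)snprintf(out + used, sizeof out - used, "%s%s",
                                     used ? " " : "", kFlagNames[k].name);
    }
    if (mask & ~known)
        used += (size_t)snprintf(out + used, sizeof out - used, "%sUNKNOWN(0x%lx)",
                                 used ? " " : "", mask & ~known);
    if (!used) snprintf(out, sizeof out, "NONE");
    return out;
}

#ifdef _WIN32
#include <windows.h>
#include <winternl.h>                               /* NTSTATUS */
#define KEY_CONTROL_FLAGS_INFORMATION_CLASS 2       /* KeyControlFlagsInformation, from Part 1 */
#define KEY_FLAGS_INFORMATION_CLASS         5       /* KeyFlagsInformation, from Part 2 */
#define MY_STATUS_UNSUCCESSFUL ((NTSTATUS)0xC0000001L)
typedef struct { ULONG ControlFlags; } MY_KEY_CONTROL_FLAGS_INFORMATION;
typedef struct { ULONG unknown1, unknown2, ControlFlags; } MY_KEY_FLAGS_INFO; /* 12-byte layout inferred in Part 2 */
typedef NTSTATUS (NTAPI *PFN_NtSetInformationKey)(HANDLE, ULONG, PVOID, ULONG);
typedef NTSTATUS (NTAPI *PFN_NtQueryKey)(HANDLE, ULONG, PVOID, ULONG, PULONG);

/* REG FLAGS key QUERY: read the control flags of an open key. */
NTSTATUS query_key_control_flags(HKEY key, ULONG *flags)
{
    PFN_NtQueryKey fn = (PFN_NtQueryKey)GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "NtQueryKey");
    MY_KEY_FLAGS_INFO kfi = {0};
    ULONG len = 0;
    if (!fn) return MY_STATUS_UNSUCCESSFUL;
    NTSTATUS st = fn((HANDLE)key, KEY_FLAGS_INFORMATION_CLASS, &kfi, sizeof kfi, &len);
    if (st >= 0) *flags = kfi.ControlFlags;          /* NT_SUCCESS: non-negative status */
    return st;
}

/* REG FLAGS key SET ...: write the control flags of an open key. */
NTSTATUS set_key_control_flags(HKEY key, ULONG flags)
{
    PFN_NtSetInformationKey fn = (PFN_NtSetInformationKey)GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "NtSetInformationKey");
    MY_KEY_CONTROL_FLAGS_INFORMATION kcfi = { flags };
    if (!fn) return MY_STATUS_UNSUCCESSFUL;
    return fn((HANDLE)key, KEY_CONTROL_FLAGS_INFORMATION_CLASS, &kcfi, sizeof kcfi);
}
#endif

int main(int argc, char **argv)
{
#ifdef _WIN32
    /* Usage: prog SOFTWARE\Whatever  (queries that HKLM subkey; KEY_READ assumed sufficient) */
    HKEY key;
    ULONG flags = 0;
    if (argc < 2 || RegOpenKeyExA(HKEY_LOCAL_MACHINE, argv[1], 0, KEY_READ, &key) != ERROR_SUCCESS)
        return 1;
    NTSTATUS st = query_key_control_flags(key, &flags);
    RegCloseKey(key);
    if (st < 0) { printf("NtQueryKey failed: 0x%08lX\n", (unsigned long)st); return 1; }
    printf("HKLM\\%s: %s\n", argv[1], flags_to_text(flags));
#else
    (void)argc; (void)argv;                          /* off Windows only the helpers run */
    unsigned long m = flags_from_keywords("DONT_VIRTUALIZE RECURSE_FLAG");
    printf("SET DONT_VIRTUALIZE RECURSE_FLAG -> ControlFlags 0x%lx -> %s\n", m, flags_to_text(m));
#endif
    return 0;
}
```

On Windows, build with Visual C++ or MinGW and pass a subkey name such as SOFTWARE\Whatever; to change flags, open the key with write access and hand the result of flags_from_keywords("DONT_VIRTUALIZE RECURSE_FLAG") to set_key_control_flags, which is what the post's snippet above does with hard-coded values. Unlike the snippet, both wrappers return the NTSTATUS so a caller can tell a failed call from a key whose flags are simply clear.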
I would expect the content here to also apply to Windows Vista (no SP) as well as Windows Server 2008, but...</p>«/\/\Ø|ö±ò\/»®©http://www.blogger.com/profile/04886149439479604072noreply@blogger.com2tag:blogger.com,1999:blog-20977280.post-3136091603769695632008-04-25T18:21:00.001-05:002008-04-25T18:23:30.970-05:00My Answer to "Microsoft Advanced Windows Debugging and Troubleshooting" Puzzler 3<p><span style="font-size:78%;">Note: this content originally from </span><a href="http://mygreenpaste.blogspot.com/" target="_blank"><span style="font-size:78%;">http://mygreenpaste.blogspot.com</span></a><span style="font-size:78%;">. If you are reading it from some other site, please take the time to visit <a href="http://mygreenpaste.blogspot.com/" target="_blank">My Green Paste, Inc</a>. Thank you.</span></p><p><a href="http://mygreenpaste.blogspot.com/2008/04/microsoft-advanced-windows-debugging.html" target="_blank">Previously</a>, I had written about the <a href="http://blogs.msdn.com/ntdebugging/archive/tags/Puzzler/default.aspx" target="_blank">puzzlers</a> on the <a href="http://blogs.msdn.com/ntdebugging/" target="_blank">NTDebugging / Microsoft Advanced Windows Debugging and Troubleshooting blog</a> - specifically, the most <a href="http://blogs.msdn.com/ntdebugging/archive/2008/04/21/ntdebugging-puzzler-0x00000003-matrix-addition-some-assembly-required.aspx" target="_blank">recent puzzler</a> which involved reverse engineering some assembler. 
The answer was posted today - there were a lot of responses, and a lot of correct responses.</p><p>I had <a href="http://mygreenpaste.blogspot.com/2008/04/microsoft-advanced-windows-debugging.html" target="_blank">posted the hashes</a> for my answer (which was correct), that I am now able to disclose...</p><div style="OVERFLOW-X: scroll; WIDTH: 410px;"><pre>void myfun( char* param1 )<br />{<br /> size_t local1 = strlen( param1 );<br /> for( int local2 = local1; local2 > 0; local2-- )<br /> {<br /> for( int local3 = 0; local3 < local2 - 1; local3++ )<br /> {<br /> if( *(param1+local3) > *(param1+local3+1) )<br /> {<br /> char local4 = *(param1+local3);<br /> *(param1+local3) = *(param1+local3+1);<br /> *(param1+local3+1) = local4;<br /> }<br /> }<br /> }<br />}</pre></div>«/\/\Ø|ö±ò\/»®©http://www.blogger.com/profile/04886149439479604072noreply@blogger.com0tag:blogger.com,1999:blog-20977280.post-12378273522519175032008-04-24T06:53:00.001-05:002008-04-24T17:14:26.809-05:00Microsoft Advanced Windows Debugging and Troubleshooting Puzzlers<p><span style="font-size:78%;">Note: this content originally from </span><a href="http://mygreenpaste.blogspot.com/" target="_blank"><span style="font-size:78%;">http://mygreenpaste.blogspot.com</span></a><span style="font-size:78%;">. If you are reading it from some other site, please take the time to visit <a href="http://mygreenpaste.blogspot.com/" target="_blank">My Green Paste, Inc</a>. 
Thank you.</span></p><p>Over on the <a href="http://blogs.msdn.com/ntdebugging/" target="_blank">Microsoft Advanced Windows Debugging and Troubleshooting</a> blog, they've been posting a "<a href="http://blogs.msdn.com/ntdebugging/archive/tags/Puzzler/default.aspx" target="_blank">Puzzler</a>" every Monday and providing the answers the following Friday.</p><p>The puzzlers are fun to participate in and it is interesting to read people's responses - everyone has their own ideas and own experiences to draw off of.</p><p>With the third puzzler, the blog authors have decided to make the challenge a bit more difficult - the <a href="http://blogs.msdn.com/ntdebugging/archive/2008/04/21/ntdebugging-puzzler-0x00000003-matrix-addition-some-assembly-required.aspx" target="_blank">latest puzzler</a> requires one to reverse engineer some assembler.</p><p>I've not got much experience with reverse engineering assembler - I can read some assembler and can usually get a very basic idea of what a targeted chunk of code is doing. So it was an interesting challenge for me to attempt to C-ify the assembler they provided. It doesn't appear that the authors are posting the responses until they reveal the answer (makes sense to me!). 
But I thought I'd post hashes of my response, which I'll also post once the NT Debugging blog authors post the answer and submitted comments / responses.</p><p>From <a href="http://technet.microsoft.com/en-us/sysinternals/bb897441.aspx" target="_blank">Sigcheck</a>:</p><p></p><blockquote><p><span style="font-family:Courier New;"><br />Z:\NTDebuggingPuzzler3>sigcheck -h TheFunc.txt<br /><br />Sigcheck v1.52<br />Copyright (C) 2004-2008 Mark Russinovich<br />Sysinternals - www.sysinternals.com </span><p><span style="font-family:Courier New;">Z:\NTDebuggingPuzzler3\TheFunc.txt:<br />Verified: Unsigned<br />File date: 12:52 PM 4/22/2008<br />Publisher: n/a<br />Description: n/a<br />Product: n/a<br />Version: n/a<br />File version: n/a<br />MD5: 755394f9711b80968f17c8ffcb8f2394<br />SHA1: e8443f09eef43f2575aa08ba25f68267dba7243e<br />SHA256: 0e044419ef78f2fa7a8e258098f4f658426a8dc3e8a5b9a121a352c2dbbbfafc</span></p></blockquote><br />EDIT 2008-04-24: The hashes are for the code that was submitted in my <em>second</em> response (not the entire response - just the code). In my <em>first </em>response, I inadvertently left some garbage in the code (an unnecessary / unused local I had been playing with) and I neglected to remove it before submitting. Not sure how it will all pan out when the comments / responses get posted tomorrow...«/\/\Ø|ö±ò\/»®©http://www.blogger.com/profile/04886149439479604072noreply@blogger.com0tag:blogger.com,1999:blog-20977280.post-77802322006832596142008-03-25T17:33:00.001-05:002008-03-25T17:41:18.343-05:00Clipboard Chaos!<p><span style="font-size:78%;">Note: this content originally from </span><a href="http://mygreenpaste.blogspot.com/" target="_blank"><span style="font-size:78%;">http://mygreenpaste.blogspot.com</span></a><span style="font-size:78%;">. If you are reading it from some other site, please take the time to visit <a href="http://mygreenpaste.blogspot.com/" target="_blank">My Green Paste, Inc</a>. 
Thank you.</span></p><p></p><p>OK, so perhaps chaos is a bit of a harsh word here. But the clipboard was recently driving me nuts! All I was trying to do was copy some text to it, and the operation was failing. Of course, as it was an ad hoc app, I didn't have any kind of error handling. The app worked just fine on one system, but running the app on another system (a virtual machine) consistently resulted in failure to copy the text to the clipboard.</p><p>Ultimately, I was able to determine what process was preventing my app from putting data in the clipboard, but I haven't yet found a decent workaround for when the problem happens. It's not critical for me, as the act of copying the text to the clipboard is more of a nicety than a requirement.</p><p>Anyway, using P/Invoke and <a href="http://msdn2.microsoft.com/en-us/library/system.diagnostics.aspx" target="_blank">System.Diagnostics</a>, I found that vmusrvc.exe - the Virtual PC "Virtual Machine User Services" - had the clipboard open. 
Using the timestamps from <a href="http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx" target="_blank">Process Monitor</a>'s Profiling Events (generated at 100 ms intervals), and the timestamp of the failed operation from my app, I was able to determine the stack of vmusrvc.exe:</p><p><table><tbody><tr><td><span style="font-family:Courier New;">ntdll.dll</span></td><td><span style="font-family:Courier New;">KiFastSystemCallRet</span></td></tr><tr><td><span style="font-family:Courier New;">vmusrvc.exe</span></td><td><span style="font-family:Courier New;">vmusrvc.exe + 0x9a17</span></td></tr><tr><td><span style="font-family:Courier New;">vmusrvc.exe</span></td><td><span style="font-family:Courier New;">vmusrvc.exe + 0x9c24</span></td></tr><tr><td><span style="font-family:Courier New;">vmusrvc.exe</span></td><td><span style="font-family:Courier New;">vmusrvc.exe + 0x91f8</span></td></tr><tr><td><span style="font-family:Courier New;">vmusrvc.exe</span></td><td><span style="font-family:Courier New;">vmusrvc.exe + 0x907f</span></td></tr><tr><td><span style="font-family:Courier New;">USER32.dll</span></td><td><span style="font-family:Courier New;">InternalCallWinProc + 0x28</span></td></tr><tr><td><span style="font-family:Courier New;">USER32.dll</span></td><td><span style="font-family:Courier New;">UserCallWinProcCheckWow + 0x150</span></td></tr><tr><td><span style="font-family:Courier New;">USER32.dll</span></td><td><span style="font-family:Courier New;">DispatchClientMessage + 0xa3</span></td></tr><tr><td><span style="font-family:Courier New;">USER32.dll</span></td><td><span style="font-family:Courier New;">__fnDWORD + 0x24</span></td></tr><tr><td><span style="font-family:Courier New;">ntdll.dll</span></td><td><span style="font-family:Courier New;">KiUserCallbackDispatcher + 0x13</span></td></tr><tr><td><span style="font-family:Courier New;">vmusrvc.exe</span></td><td><span style="font-family:Courier New;">vmusrvc.exe + 0x2d29</span></td></tr><tr><td><span 
style="font-family:Courier New;">vmusrvc.exe</span></td><td><span style="font-family:Courier New;">vmusrvc.exe + 0xdba6</span></td></tr><tr><td><span style="font-family:Courier New;">kernel32.dll</span></td><td><span style="font-family:Courier New;">BaseProcessStart + 0x23</span></td></tr></tbody></table></p><p>No parameters, of course, and symbol information for vmusrvc.exe does not appear to be available, but obviously user32.dll is dispatching a window message to it. I may look into this more at a later point.</p><p>To find the process that was interfering with my clipboard work, I used P/Invoke to call <a href="http://msdn2.microsoft.com/en-us/library/ms649044(VS.85).aspx" target="_blank">GetOpenClipboardWindow</a>(), which returns the window that currently has the clipboard open (NULL if none does), and then <a href="http://msdn2.microsoft.com/en-us/library/ms633522(VS.85).aspx" target="_blank">GetWindowThreadProcessId</a>() on that handle to get the owning process id. From there, finding the executable name is a matter of passing the process id to <a href="http://msdn2.microsoft.com/en-us/library/76fkb36k.aspx" target="_blank">System.Diagnostics.Process.GetProcessById</a>() and reading the first entry of the <a href="http://msdn2.microsoft.com/en-us/library/system.diagnostics.process.modules.aspx" target="_blank">Modules</a> collection of the returned <a href="http://msdn2.microsoft.com/en-us/library/system.diagnostics.process.aspx" target="_blank">Process</a> instance.</p><p>The following code (the P/Invoke declarations are included; LogIt is the app's own logging helper):</p><div style="OVERFLOW-X: scroll; WIDTH: 410px"><pre>using System.Runtime.InteropServices;<br />using System.Diagnostics;<br />using System.Windows.Forms;<br />...<br />// user32.dll: HWND GetOpenClipboardWindow(void) and<br />// DWORD GetWindowThreadProcessId(HWND, LPDWORD)<br />[DllImport( "user32.dll" )]<br />static extern IntPtr GetOpenClipboardWindow();<br />[DllImport( "user32.dll" )]<br />static extern uint GetWindowThreadProcessId( IntPtr hWnd, out uint lpdwProcessId );<br />...<br />string data = "aasdlkjasdlk alkjsdl kajsdlkj al";<br />try<br />{<br /> Clipboard.SetData( System.Windows.Forms.DataFormats.Text, data );<br />}<br />catch( ExternalException ee )<br />{<br /> LogIt( ee.ToString() );<br /> // Best effort: the owner is queried after the failure, so another<br /> // window could have taken the clipboard by now.<br /> IntPtr hWnd = GetOpenClipboardWindow();<br /> if( IntPtr.Zero != hWnd )<br /> {<br /> uint pid = 0;<br /> uint tid = GetWindowThreadProcessId( hWnd, out pid );<br /> LogIt( "Process with hWnd {0}, PID {1} ({1:x}), TID {2} ({2:x}), " +<br /> "name {3} has the clipboard", hWnd, pid, tid,<br /> Process.GetProcessById( (int)pid ).Modules[0].FileName );<br /> }<br />}</pre></div><br /><p>resulted in the following output:</p><br /><div style="OVERFLOW-X: scroll; WIDTH: 410px"><pre>2008-03-25 00:54:45.4938864--> System.Runtime.InteropServices.ExternalException: Requested Clipboard operation did not succeed.<br /> at System.Windows.Forms.Clipboard.ThrowIfFailed(Int32 hr)<br /> at System.Windows.Forms.Clipboard.SetDataObject(Object data, Boolean copy, Int32 retryTimes, Int32 retryDelay)<br /> at System.Windows.Forms.Clipboard.SetData(String format, Object data)<br /> at Clippy.Form1.button1_Click(Object sender, EventArgs e)<br />2008-03-25 00:54:45.5339440--> Process with hWnd 65716 (65716), PID 1492 (5d4), TID 1496 (5d8), name C:\Program Files\Virtual Machine Additions\vmusrvc.exe has the clipboard</pre></div><br /><p>Interestingly, an alternative Clipboard method for setting the content also failed. The <a href="http://msdn2.microsoft.com/en-us/library/ms158293.aspx" target="_blank">Clipboard.SetDataObject</a>() overload that takes retryTimes and retryDelay parameters failed in the same fashion after roughly ten seconds when invoked as follows:</p><br /><div style="OVERFLOW-X: scroll; WIDTH: 410px"><pre>Clipboard.SetDataObject( data, false, 100, 100 );</pre></div><br /><p>I tried variations on retryTimes and retryDelay, to no avail.</p><p>Not sure what vmusrvc.exe is doing with the clipboard (probably monitoring it for host / guest VM interaction), but setting the contents of the clipboard didn't fail 100% of the time in the VM. Often enough to make it extremely unreliable, though. During "normal" system usage, I was not able to cause a failure when running the app on a non-virtual (actual?)
system.</p>«/\/\Ø|ö±ò\/»®©http://www.blogger.com/profile/04886149439479604072noreply@blogger.com11tag:blogger.com,1999:blog-20977280.post-65383716975705047542008-02-21T20:17:00.000-06:002008-02-21T20:18:10.278-06:00w29n51.sys BSODs on XP<p><span style="font-size:78%;">Note: this content originally from </span><a href="http://mygreenpaste.blogspot.com/"><span style="font-size:78%;">http://mygreenpaste.blogspot.com</span></a><span style="font-size:78%;">. If you are reading it from some other site, please take the time to visit <a href="http://mygreenpaste.blogspot.com/">My Green Paste, Inc</a>. Thank you.</span></p><p>Twice now in as many months I have been the proud recipient of a BSOD on XP. The crashes were identical to each other, with only various addresses being different (modules loaded at different locations and the like). They appear to have been caused by a bug in w29n51.sys; the crashes are of the IRQL_NOT_LESS_OR_EQUAL (bug check 0xA) variety. w29n51.sys is the "Intel® Wireless LAN Driver". Admittedly, I'm running a version that is likely not the latest. But it is interesting that googling the relevant stack entries (<a href="http://www.google.com/search?q=w29n51%2B0x1291" target="blank">w29n51+0x1291</a>, <a href="http://www.google.com/search?q=w29n51%2B0xa6af" target="blank">w29n51+0xa6af</a>) turns up no hits. Also of interest is that the driver file is larger than 3 MB - more than 3 times the size of the next largest driver file in %systemroot%\system32\drivers... <a href="http://technet.microsoft.com/en-us/sysinternals/bb897439.aspx" target="_blank">Strings</a> does show a large number of verbose log-type messages that one can presumably cause to be logged via some configuration setting, as well as "tabular" data.</p><p>Of course, it is also disturbing that at the time of these crashes, the wireless hardware was disabled on this laptop... 
<img height="17" alt="Confused" src="http://forum.sysinternals.com/smileys/smiley5.gif" width="17" align="absMiddle" border="0" /></p>«/\/\Ø|ö±ò\/»®©http://www.blogger.com/profile/04886149439479604072noreply@blogger.com1tag:blogger.com,1999:blog-20977280.post-65001382170917273342008-02-19T21:36:00.001-06:002008-02-19T21:38:14.358-06:00Plagiarism, Revisited<p><span style="font-size:78%;">Note: this content originally from </span><a href="http://mygreenpaste.blogspot.com/"><span style="font-size:78%;">http://mygreenpaste.blogspot.com</span></a><span style="font-size:78%;">. If you are reading it from some other site, please take the time to visit <a href="http://mygreenpaste.blogspot.com/">My Green Paste, Inc</a>. Thank you.</span></p><p></p><p><a href="http://blogs.msdn.com/oldnewthing/default.aspx" target="blank">Raymond Chen</a> posted about a topic yesterday that seems to hit the nail on the head with regard to some of the recent posts I've made here. In <a href="http://blogs.msdn.com/oldnewthing/archive/2008/02/18/7761978.aspx" target="blank">What's with all those spam ping-bots?</a>, he describes the methodology used by blog and comment spammers / content thieves, and the motivation ($$) for doing what they do.</p><p>Of interest: <blockquote>(You may notice that many of these sites mis-attribute the authorship; some of them even claim to have written the article themselves!)</blockquote><p></p><p>Raymond also offers some advice about what one can try to do to "hit them in the pocketbook". </p><p>Sadly (ironically?), as I write this, 50% of the comments to that very blog entry are of the type that Raymond was writing about.</p><p>So it appears that there is not much that one is going to do to curb this. Also, considering that much of the content <em>here</em> (not just the newer stuff) has already been picked up and assimilated into other sites that slap a label on it as their own, and have even translated it (?????) 
into foreign languages, and then stamped ads all over it, I'm not inclined to waste much effort on the matter. I'll simply preface each entry with what you have seen the last few articles start with, and hope that that part of it makes its way along with the article to wherever it winds up. I may intersperse one or two similar statements in the longer articles as well. I hope it's not too distracting...</p>«/\/\Ø|ö±ò\/»®©http://www.blogger.com/profile/04886149439479604072noreply@blogger.com2tag:blogger.com,1999:blog-20977280.post-74283699039105474112008-02-07T20:56:00.001-06:002008-02-21T20:13:51.685-06:00Use C# to Find What Services are Running in a Process<p><span style="font-size:78%;">Note: this content originally from </span><a href="http://mygreenpaste.blogspot.com/" target="_blank"><span style="font-size:78%;">http://mygreenpaste.blogspot.com</span></a><span style="font-size:78%;">. If you are reading it from some other site, please take the time to visit <a href="http://mygreenpaste.blogspot.com/" target="_blank">My Green Paste, Inc</a>. Thank you.</span></p><p></p><p>Recently, an individual going by the moniker 'hi' posted <a href="http://mygreenpaste.blogspot.com/2007/05/setting-priority-of-service-process-via.html#c2597936921948017958" target="_blank">a comment</a> to <a href="http://mygreenpaste.blogspot.com/2007/05/setting-priority-of-service-process-via.html">Setting the Priority of a Service Process via Script</a>:</p><blockquote><p>How would I, if I want to, find which services are part of a particular svchost.exe? Can in be done in C#? 
<p>Thanks!</p></blockquote><p>I replied <a href="http://mygreenpaste.blogspot.com/2007/05/setting-priority-of-service-process-via.html#c1058981251516324778" target="_blank">via comment</a>, but one has even less control over formatting in comments than one does in the actual blog posting, so I figured I would post the response here as well.</p><p align="center">=================</p><p><a href="http://technet.microsoft.com/en-us/library/bb491010.aspx" target="_blank">Tasklist.exe</a> with the /svc param can tell you, as can <a href="http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx" target="_blank">Process Explorer</a>. You can also inspect the registry to determine what services would load with what SVCHOST group (see "<a href="http://mygreenpaste.blogspot.com/2007/01/troubleshooting-performance-issues-with.html" target="_blank">Troubleshooting Performance Issues with Automatic Updates</a>" for more details).</p><p>As far as C# code, the following requires a reference to System.Management. Invoke the program, passing it the process id of the process you're curious about, and it will output the services running in that process. 
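</p><p>Before the C# program, the same query from PowerShell, added here as an example that is not part of the original post. Get-ServicesInProcess runs the same WQL as the C# code; Get-SuspiciousSvchost goes further than the post and audits every svchost.exe for the usual signs of a process borrowing the name, since mapping services to processes is exactly what that check needs. It assumes Windows PowerShell with WMI access (Get-WmiObject; on PowerShell 7 use Get-CimInstance) run elevated so ExecutablePath is readable for SYSTEM processes; both function names and the PID 1234 in the usage line are this example's own.</p>

```powershell
# Added example, not code from the original post. Get-ServicesInProcess is the C# program's
# query; Get-SuspiciousSvchost audits every svchost.exe on the box. Assumes Windows PowerShell
# (Get-WmiObject) in an elevated session; on PowerShell 7 swap in Get-CimInstance.
function Get-ServicesInProcess {
    param([Parameter(Mandatory=$true)][int]$ProcessId)
    # Stopped services report ProcessId 0, so they never match a live PID.
    Get-WmiObject -Namespace 'root\CIMV2' -Class Win32_Service -Filter "ProcessId=$ProcessId" |
        Select-Object Name, DisplayName, State, StartName, PathName
}

function Get-SuspiciousSvchost {
    # The one legitimate image for the service host.
    $expected = Join-Path $env:SystemRoot 'System32\svchost.exe'
    $procs    = Get-Wmi­Object -Namespace 'root\CIMV2' -Class Win32_Process
    $services = Get-WmiObject -Namespace 'root\CIMV2' -Class Win32_Service -Filter 'ProcessId!=0'

    # Index running services and process names by PID (cast to int so the keys compare equal).
    $servicesByPid = @{}
    foreach ($svc in $services) { $servicesByPid[[int]$svc.ProcessId] += @($svc) }
    $nameByPid = @{}
    foreach ($p in $procs) { $nameByPid[[int]$p.ProcessId] = $p.Name }

    foreach ($p in ($procs | Where-Object { $_.Name -ieq 'svchost.exe' })) {
        $procId = [int]$p.ProcessId          # $pid is reserved for the shell's own PID
        $hosted = @()
        if ($servicesByPid.ContainsKey($procId)) { $hosted = @($servicesByPid[$procId]) }
        $reasons = @()

        # 1. A real svchost exists only to host services.
        if ($hosted.Count -eq 0) { $reasons += 'hosts no service' }
        # 2. It runs from System32, not from a user-writable directory.
        if ($p.ExecutablePath -and ($p.ExecutablePath -ine $expected)) { $reasons += "image is $($p.ExecutablePath)" }
        # 3. The SCM starts it, so its parent is services.exe (PID reuse can mislead here).
        $parent = $nameByPid[[int]$p.ParentProcessId]
        if ($parent -ine 'services.exe') { $reasons += "parent is $(if ($parent) { $parent } else { 'gone' })" }
        # 4. Each hosted service must be registered as "...\svchost.exe -k <group>".
        foreach ($svc in $hosted) {
            if ($svc.PathName -inotmatch '\\svchost\.exe"?\s+-k\s') { $reasons += "service $($svc.Name) is registered as $($svc.PathName)" }
        }

        if ($reasons.Count -gt 0) {
            New-Object PSObject -Property @{
                ProcessId = $procId
                Path      = $p.ExecutablePath
                Services  = (($hosted | ForEach-Object { $_.Name }) -join ',')
                Reasons   = ($reasons -join '; ')
            }
        }
    }
}

Get-ServicesInProcess -ProcessId 1234 | Format-Table -AutoSize      # 1234: the PID you are curious about
Get-SuspiciousSvchost | Format-Table ProcessId, Path, Services, Reasons -AutoSize
```

<p>Each reason is a heuristic, not a verdict: a service that is just starting or stopping can leave an svchost briefly hosting nothing, and a parent that has exited shows up as "gone". Anything that trips checks 2 or 4, though, is worth pulling the image for.</p>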
<p></p><div style="OVERFLOW-X: scroll; WIDTH: 410px"><pre>using System;<br />using System.Management;<br /><br />namespace MyGreenPaste<br />{<br /> class Program<br /> {<br /> static void Main( string[] args )<br /> {<br /> if( args.GetLength( 0 ) <= 0 )<br /> {<br /> Console.WriteLine( "Usage: {0} pid",<br /> System.IO.Path.GetFileName(<br /> System.Diagnostics.Process.GetCurrentProcess().<br /> MainModule.FileName ) );<br /> Console.WriteLine( " where pid is the process id " +<br /> "of a process hosting at least one service" );<br /> return;<br /> }<br /><br /> try<br /> {<br /> ManagementObjectSearcher mos =<br /> new ManagementObjectSearcher( "root\\CIMV2",<br /> string.Format( "SELECT * FROM Win32_Service " +<br /> "where ProcessId={0}", args[0] ) );<br /> foreach( ManagementObject result in mos.Get() )<br /> {<br /> Console.WriteLine( "{0} -> {1}", result["Name"],<br /> result["DisplayName"] );<br /> }<br /> }<br /> catch( ManagementException mex )<br /> {<br /> Console.WriteLine( "** Error querying WMI:{0}{1}",<br /> System.Environment.NewLine, mex.Message );<br /> }<br /> }<br /> }<br />}<br /></pre></div>«/\/\Ø|ö±ò\/»®©http://www.blogger.com/profile/04886149439479604072noreply@blogger.com0tag:blogger.com,1999:blog-20977280.post-26215154612497912622008-02-02T12:25:00.001-06:002008-02-02T12:29:19.416-06:00Small Update Regarding Previous Post Pertaining to Plagiarism<p>Ahhhh, alliteration. Anyway, just noticed that one of the other sites has posted the cheesy comment I referenced in my previous entry, <a href="http://mygreenpaste.blogspot.com/2008/01/set-priority-of-process-by-name_31.html" target="_blank">Set the Priority of a Process By Name Automatically, in Vista - Part 2</a>. So, both saw fit to post the comments (took a while for the one site, though) - the first stamped 2008-01-31 2:37 GMT, and the second stamped 2008-01-30 13:40 GMT. No sign of Part 2 on either of these sites, though... 
Hmmm...</p>«/\/\Ø|ö±ò\/»®©http://www.blogger.com/profile/04886149439479604072noreply@blogger.com0tag:blogger.com,1999:blog-20977280.post-7376017655573016322008-01-31T21:17:00.001-06:002008-02-03T16:32:54.660-06:00Set the Priority of a Process By Name Automatically, in Vista - Part 2<p>This isn't what I want to be writing about. But a recent discovery compels me to do so. So, I've decided to make this an experiment, and beg your apologies that this will not have much technical merit despite the title.</p><p>After the last post, <a href="http://mygreenpaste.blogspot.com/2008/01/set-priority-of-process-by-name.html" target="_blank">Set the Priority of a Process By Name Automatically, in Vista</a> (which probably could have been named a lot better), I discovered that the post had made its way to some other sites. These sites appear to pull content from all over the web, package it up as their own, and toss ads all over it. One is lucky if the site even references the original author or links back to the original location of the post. It's frustrating, to say the least. I'm all for distribution of knowledge and the like, but that's taking it too far. Maybe I shouldn't feel this way, but I (like others) put brain sweat and time into the work I do, and it would be nice if the source of the information would at least be cited if they're going to republish it without the author's consent. </p><p>So I visited two of these sites (which I have not yet decided if I will mention or not, for what I hope are obvious reasons) and attempted to leave comments. Of course the comments are moderated - don't want any upset victims coming in and raising he. 
The comments were along the line of:</p><blockquote><p><span style="font-family:courier new;font-size:85%;">As the author of the original article referenced here, I kindly request that those interested in it please read it at MY blog, <a href="</span><span style="font-family:courier new;font-size:85%;">http://mygreenpaste.blogspot.com"</span><span style="font-family:courier new;font-size:85%;">>My Green Paste, Inc.</a><br /></span><p><span style="font-family:courier new;font-size:85%;">My site does not currently have ads, and I am NOT even considering ads at this time.<br /></span><p><span style="font-family:courier new;font-size:85%;">–«/\/\Øö±ò\/»®© (molotov)</span> </p></blockquote><br /><p>Can you guess what happened? Yep - the comments were not approved, and were never published on the sites in question. I then attempted to leave another comment at each copy of my posting. This time, one site saw fit to allow the comment, and the other one did not. I suspected NO comments would have been allowed through either site, so I was a bit surprised. The comment was a bit ridiculous given the content of the posting, and rather generic; perhaps that's why it was allowed. The comment was simply:</p><pre><blockquote>does this work for other os like XP or server 2003? </blockquote></pre><br /><p>Amazing. It was posted at 2008-01-31 2:37 GMT. The comment, like this post, is a part of the experiment. See, if I mention things that I mentioned in the previous post, like CpuPriorityClass, image file execution options, IoPriority, PagePriority, PerfOptions, powershell, priority, Process Monitor, setpriorityclass, Sysinternals, Vista, WorkingSetLimitInKB, Vista, Windows Vista, Windows Vista Ultimate, etc. (sorry to get carried away there), will this post make it to these sites as well? If so, wouldn't that be somewhat funny? 
The comment falls in there, too - if the now published comment magically disappears from the copy of my previous post, won't that be a bit odd?</p><p>I think I'll have to start embedding a "this content originally from <a href="http://mygreenpaste.blogspot.com/">http://mygreenpaste.blogspot.com/</a>" statement into the middle of each of my posts from now on. I'm sure I'll forget, and I've probably only got one shot. That'll make for some nice, flowing reading. We'll see.</p><p>I do have some more thoughts about the <a href="http://mygreenpaste.blogspot.com/2008/01/set-priority-of-process-by-name.html" target="_blank">Set the Priority of a Process By Name Automatically, in Vista</a> topic that I expect to get out in my next post. I apologize for this distraction, and hope you'll stay tuned...</p><p>BTW - I may also have a follow up to this fork in the saga as well.</p>«/\/\Ø|ö±ò\/»®©http://www.blogger.com/profile/04886149439479604072noreply@blogger.com4tag:blogger.com,1999:blog-20977280.post-59840660584971295412008-01-27T21:26:00.001-06:002008-01-27T21:51:49.295-06:00Set the Priority of a Process By Name Automatically, in Vista<p>The other day I was playing around with the <a href="http://mygreenpaste.blogspot.com/2005/07/image-file-execution-options-good-evil.html" target="_blank">Image File Execution Options</a> and Sysinternals' <a href="http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx" target="_blank">Process Monitor</a>, in Vista. I saw an interesting query take place. Using notepad.exe as an example, I saw a query for a key called "PerfOptions" in [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe] when I ran notepad. The result was NAME NOT FOUND, so I decided to rectify that. After adding a key named "PerfOptions", I ran notepad again. 
In Process Monitor, I saw queries for four values:</p><ul><li>IoPriority</li><li>PagePriority</li><li>CpuPriorityClass</li><li>WorkingSetLimitInKB</li></ul><p>Because of recent explorations with process priorities*, CpuPriorityClass grabbed me right away. Looking at the <a href="http://msdn2.microsoft.com/en-us/library/ms686219.aspx" target="_blank">SetPriorityClass</a> function, one can see the different values for the dwPriorityClass parameter. I created a REG_DWORD named CpuPriorityClass in PerfOptions, and set the value to 0x80 (HIGH_PRIORITY_CLASS) in the hopes that notepad would launch with high priority. Instead, it launched at base priority 8, i.e. NORMAL_PRIORITY_CLASS - the setting had not made any impact. Then, I set the value to 8 and launched notepad. Notepad again launched with a base priority of 8. I changed the value to 4, and that had no impact. I changed the value to 0 - no impact. I tried 10 - no impact. I couldn't see any tie-in to any other listings of process priorities that I knew about, so I decided to try trial and error, starting from 0, with the following results:</p><center><table cellspacing="0" cellpadding="2" width="310" border="1"><tbody><tr><td valign="top" width="168"><strong>CpuPriorityClass Value</strong></td><td valign="top" width="142"><strong>Base Priority of Notepad</strong></td><td valign="top" width="118"><strong>Priority Class</strong></td></tr><tr><td valign="top" width="168">1</td><td valign="top" width="142">4</td><td valign="top" width="118">Idle</td></tr><tr><td valign="top" width="168">3</td><td valign="top" width="142">13</td><td valign="top" width="118">High</td></tr><tr><td valign="top" width="168">5</td><td valign="top" width="142">6</td><td valign="top" width="118">BelowNormal</td></tr><tr><td valign="top" width="168">6</td><td valign="top" width="142">10</td><td valign="top" width="118">AboveNormal</td></tr><tr><td valign="top" width="168">Anything else^</td><td valign="top" width="142">8</td><td valign="top" width="119">Normal</td></tr></tbody></table></center><br /><p>^= I'm currently running a <a href="http://www.microsoft.com/powershell" target="_blank">PowerShell</a> script to iterate through all possible values (there are only about 2^32 of them...), so it may be a while before the CpuPriorityClass value for REALTIME_PRIORITY_CLASS, should one exist, is uncovered. There may also be other values that select a priority class and haven't been uncovered yet. I'll update or post a new topic if I uncover anything new...</p><p>For reference, the values that did take effect line up with the PROCESS_PRIORITY_CLASS_* constants in the WDK's ntddk.h, the form in which the kernel itself keeps a process's priority class: 0 unknown, 1 idle, 2 normal, 3 high, 4 realtime, 5 below normal, 6 above normal. By that table 2 is simply Normal (consistent with the "anything else" row) and 4 would be Realtime, which did not take effect in the runs above.</p><p>The PowerShell script (don't laugh, it's my first substantial attempt at one):</p><div style="OVERFLOW-X: scroll; WIDTH: 410px"><pre>$cpc=0<br />set-itemproperty "hklm:\software\microsoft\windows nt\currentversion\image file execution options\notepad.exe\perfoptions" cpupriorityclass $cpc<br />do<br />{<br /> $pp = [diagnostics.process]::start("notepad.exe", "")<br /> $ppc = $pp.PriorityClass<br /> $pp.Kill()<br /> if( $ppc -ne "Normal" )<br /> {<br /> Write-Host $cpc $ppc<br /> }<br /> $cpc++<br /> set-itemproperty "hklm:\software\microsoft\windows nt\currentversion\image file execution options\notepad.exe\perfoptions" cpupriorityclass $cpc<br />}<br />while( $cpc -lt 4294967295 )</pre></div><br /><p>Hopefully, I'll find time to do some digging into the other values in PerfOptions - IoPriority, PagePriority, and WorkingSetLimitInKB. IoPriority and PagePriority sound like they may have something to do with <a href="http://www.microsoft.com/technet/technetmag/issues/2007/03/VistaKernel/" target="_blank">memory prioritization</a> and <a href="http://www.microsoft.com/technet/technetmag/issues/2007/02/VistaKernel/" target="_blank">IO prioritization</a> in Vista. 
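</p><p>Returning to CpuPriorityClass: the following PowerShell, added here as an example and not the post's own script, wraps the PerfOptions write, a verification launch and the clean-up in functions, and sweeps only the small range of values the table shows to matter instead of all 2^32. It assumes an elevated Windows PowerShell session (IFEO lives under HKLM), that notepad.exe stays running until killed, and the mapping from the table above (anything not listed gives Normal); the function names are this example's own.</p>

```powershell
# Added example, not the original post's script. Sets CpuPriorityClass under an image's
# PerfOptions key, checks the effect by launching the image, and removes the override
# afterwards. Assumes an elevated Windows PowerShell session and an image that keeps
# running until killed (notepad.exe). Function names are this example's own.
$IfeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

# CpuPriorityClass -> priority class observed in the post; every other value gave Normal.
$CpuPriorityClassMap = @{ 1 = 'Idle'; 3 = 'High'; 5 = 'BelowNormal'; 6 = 'AboveNormal' }

function Get-PerfOptionsPath {
    param([Parameter(Mandatory=$true)][string]$ImageName)
    Join-Path (Join-Path $IfeoRoot $ImageName) 'PerfOptions'
}

function Set-ImageCpuPriorityClass {
    param(
        [Parameter(Mandatory=$true)][string]$ImageName,        # e.g. 'notepad.exe'
        [Parameter(Mandatory=$true)][uint32]$CpuPriorityClass
    )
    $perf = Get-PerfOptionsPath $ImageName
    if (-not (Test-Path $perf)) { New-Item -Path $perf -Force | Out-Null }
    Set-ItemProperty -Path $perf -Name CpuPriorityClass -Value $CpuPriorityClass -Type DWord
}

function Remove-ImagePerfOptions {
    # A leftover PerfOptions key silently changes every future launch of the image, so clean up.
    param([Parameter(Mandatory=$true)][string]$ImageName)
    $perf = Get-PerfOptionsPath $ImageName
    if (Test-Path $perf) { Remove-Item -Path $perf -Recurse -Force }
}

function Test-ImageCpuPriorityClass {
    # Launch the image once per candidate value and compare what it got with the map.
    param([string]$ImageName = 'notepad.exe', [uint32[]]$Values = (0..7))
    try {
        foreach ($v in $Values) {
            Set-ImageCpuPriorityClass -ImageName $ImageName -CpuPriorityClass $v
            $proc = [System.Diagnostics.Process]::Start($ImageName)
            Start-Sleep -Milliseconds 200          # let the process finish initialising
            $observed = [string]$proc.PriorityClass
            $proc.Kill(); $proc.WaitForExit()
            $expected = if ($CpuPriorityClassMap.ContainsKey([int]$v)) { $CpuPriorityClassMap[[int]$v] } else { 'Normal' }
            New-Object PSObject -Property @{
                CpuPriorityClass = $v
                Expected         = $expected
                Observed         = $observed
                Match            = ($observed -eq $expected)
            }
        }
    }
    finally {
        Remove-ImagePerfOptions -ImageName $ImageName
    }
}

Test-ImageCpuPriorityClass | Format-Table CpuPriorityClass, Expected, Observed, Match -AutoSize
```

<p>The finally block matters more than it looks: PerfOptions is a per-image setting under HKLM that applies to every later launch of that image by any user, so a test that aborts half-way through should not leave notepad running at idle or high priority for everyone.</p><p>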
WorkingSetLimitInKB sounds self-explanatory, but how it's applied or how it's used, and other circumstances, are quite vague.</p><br /><p>*= <a href="http://mygreenpaste.blogspot.com/2007/11/setthreadpriority-vista-and-autostart.html" target="_blank">SetThreadPriority, Vista, and Autostart Locations</a>, <a href="http://mygreenpaste.blogspot.com/2007/05/setting-priority-of-service-process-via.html" target="_blank">Setting the Priority of a Service Process via Script</a></p>«/\/\Ø|ö±ò\/»®©http://www.blogger.com/profile/04886149439479604072noreply@blogger.com0tag:blogger.com,1999:blog-20977280.post-76283987539709140672007-12-16T15:36:00.001-06:002007-12-17T17:14:31.688-06:00Vista BSOD: THREAD_STUCK_IN_DEVICE_DRIVER (BugCheck ea) - Take Two<p>After the <a href="http://mygreenpaste.blogspot.com/2007/12/vista-bsod-threadstuckindevicedriver.html" target="_blank">previous BSOD in Vista</a>, I logged in to Vista interactively as an administrator (I usually run as a standard user), and I was greeted with a dialog informing me about a "serious error" or the like. I chose to check for updates to the problem. What came back was more than I expected, but not really all that helpful for my particular situation.</p><blockquote><p><span style="font-family:Courier New;font-size:85%;">Problem caused by ATI Graphics Driver</span></p><p><span style="font-family:Courier New;font-size:85%;">This problem was caused by ATI Graphics Driver.</span></p><p><span style="font-family:Courier New;font-size:85%;">This program was created by ATI Technologies, Inc.. ATI Technologies, Inc. 
does not currently have a solution for the problem that you reported.</span></p><p><span style="font-family:Courier New;font-size:85%;">Recommendation</span></p><p><span style="font-family:Courier New;font-size:85%;">--------------------------------------------------------------------------------</span></p><p><span style="font-family:Courier New;font-size:85%;">The following troubleshooting steps might prevent the problem from recurring.</span></p><p><span style="font-family:Courier New;font-size:85%;">Download and install an updated version of ATI Graphics Driver from one of the following locations:<br />Microsoft Update<br />ATI Technologies, Inc.</span></p><p><span style="font-family:Courier New;font-size:85%;">If an updated driver is not available for ATI Graphics Driver, check with your computer manufacturer.</span></p><p><span style="font-family:Courier New;font-size:85%;">If you are running the latest version of ATI Graphics Driver, contact ATI Technologies, Inc. for your support options.</span></p><p><span style="font-family:Courier New;font-size:85%;">Additional information</span></p><p><span style="font-family:Courier New;font-size:85%;">If this problem continues to occur after installing the latest product updates, we recommend you get assistance and troubleshooting information directly from ATI Technologies, Inc.. </span></p><p><span style="font-family:Courier New;font-size:85%;">--------------------------------------------------------------------------------</span> </p></blockquote>I am running the latest driver, and ATI has <a href="http://ati.amd.com/products/discontinued.html" target="_blank">discontinued</a> the Radeon 9600 Pro. Not a big deal, as the problem has only happened twice. Of course, I would rather that it not happen at all... 
<p>»</p>«/\/\Ø|ö±ò\/»®©http://www.blogger.com/profile/04886149439479604072noreply@blogger.com8tag:blogger.com,1999:blog-20977280.post-22400350052105671852007-12-13T21:20:00.001-06:002007-12-13T21:21:56.545-06:00Using WinDBG to Cheat at MineSweeper<p>Ran across this <a href="http://blogs.msdn.com/debuggingtoolbox/archive/2007/03/28/windbg-script-playing-with-minesweeper.aspx" target="_blank">rather unique notion</a> the other day. It works! <blockquote><span style="font-family:Courier New;font-size:85%;">eb poi(@$peb+0x8)+0x36fa c6 00 8a</span></blockquote>My interpretation is that this "enters byte values" "c6 00 8a" into the address starting at offset 0x36fa from the value pointed to by offset 8 into the PEB. Whatever that ultimately does! <p></p>»«/\/\Ø|ö±ò\/»®©http://www.blogger.com/profile/04886149439479604072noreply@blogger.com3tag:blogger.com,1999:blog-20977280.post-83975646812257708072007-12-11T21:13:00.001-06:002007-12-11T21:16:18.842-06:00Internet Explorer VPC Refresh Available<p>Another update to the IE6 and IE7 <a href="http://mygreenpaste.blogspot.com/2007/07/multiple-versions-of-ie-on-same-system.html" target="_blank">Virtual PC images</a> that the IE Team at Microsoft makes available is <a href="http://www.microsoft.com/downloads/details.aspx?FamilyId=21EABB90-958F-4B64-B5F1-73D0A413C8EF&displaylang=en" target="_blank">available for download</a> in the Microsoft Download Center. The previous ones expired on 2007-12-07; these expire on 2008-04-01.</p>«/\/\Ø|ö±ò\/»®©http://www.blogger.com/profile/04886149439479604072noreply@blogger.com0tag:blogger.com,1999:blog-20977280.post-29398459957147140502007-12-10T21:34:00.000-06:002007-12-10T21:38:53.527-06:00Vista BSOD: THREAD_STUCK_IN_DEVICE_DRIVER (BugCheck ea)<p>Recently, after resuming my Vista laptop from hibernation, I was greeted with a rather strange wait, followed by a blue screen of death. 
Analysis of the dump yielded the following:</p><p><blockquote><span style="font-family:Courier New;">THREAD_STUCK_IN_DEVICE_DRIVER (ea)<br />The device driver is spinning in an infinite loop, most likely waiting for hardware to become idle. This usually indicates problem with the hardware itself or with the device driver programming the hardware incorrectly.<br />If the kernel debugger is connected and running when watchdog detects a timeout condition then DbgBreakPoint() will be called instead of KeBugCheckEx()and detailed message including bugcheck arguments will be printed to the<br />debugger. This way we can identify an offending thread, set breakpoints in it, and hit go to return to the spinning code to debug it further. Because KeBugCheckEx() is not called the .bugcheck directive will not return bugcheck<br />information in this case. The arguments are already printed out to the kernel debugger. You can also retrieve them from a global variable via<br />"dd watchdog!g_WdBugCheckData l5" (use dq on NT64).<br />On MP machines (OS builds <= 3790) it is possible to hit a timeout when the spinning thread is interrupted by hardware interrupt and ISR or DPC routine is running at the time of the bugcheck (this is because the timeout's work item can be delivered and handled on the second CPU and the same time). If this is the case you will have to look deeper at the offending thread's stack (e.g. using dds) to determine spinning code which caused the timeout to occur.<br />Arguments:<br />Arg1: 870246b8, Pointer to a stuck thread object. Do .thread then kb on it to find the hung location.<br />Arg2: 00000000, Pointer to a DEFERRED_WATCHDOG object.<br />Arg3: 00000000, Pointer to offending driver name.<br />Arg4: 00000000, Number of times this error occurred. If a debugger is attached, this error is not always fatal -- see DESCRIPTION below. On the blue screen, this will always equal 1. 
</span><p><span style="font-family:Courier New;">Debugging Details:<br />------------------ </span><p><span style="font-family:Courier New;">PEB is paged out (Peb.Ldr = 7ffd800c). Type ".hh dbgerr001" for details </span><p><span style="font-family:Courier New;">PEB is paged out (Peb.Ldr = 7ffd800c). Type ".hh dbgerr001" for details </span><p><span style="font-family:Courier New;">FAULTING_THREAD: 870246b8 </span><p><span style="font-family:Courier New;">DEFAULT_BUCKET_ID: GRAPHICS_DRIVER_FAULT </span><p><span style="font-family:Courier New;">BUGCHECK_STR: 0xEA </span><p><span style="font-family:Courier New;">PROCESS_NAME: Ati2evxx.exe </span><p><span style="font-family:Courier New;">CURRENT_IRQL: 0 </span><p><span style="font-family:Courier New;">LAST_CONTROL_TRANSFER: from 89c2a825 to 81cace97 </span><p><span style="font-family:Courier New;">STACK_TEXT: <br />a53d7704 89c2a825 000000ea 870246b8 00000000 nt!KeBugCheckEx+0x1e<br />a53d7748 89c22bfa a53d7794 00000000 89c1d786 dxgkrnl!TdrTimedOperationBugcheckOnTimeout+0x2b<br />a53d7770 8b5785dc a53d7794 00000000 00000000 dxgkrnl!TdrTimedOperationDelay+0xc9<br />WARNING: Stack unwind information not available. 
Following frames may be wrong.<br />a53d77c0 8b576468 8b670040 a53d785c ffffffff atikmdag+0x255dc<br />a53d77dc 8b66782c 861bd000 a53d77f8 00000014 atikmdag+0x23468<br />a53d7838 8b670101 86a58008 8b670040 a53d785c atikmdag+0x11482c<br />a53d7868 8b6cd9da 8685b0e8 00000000 00000001 atikmdag+0x11d101<br />a53d7888 8b59f159 88340000 00000000 00000001 atikmdag+0x17a9da<br />a53d78a8 8b59505c 86a58000 86a61974 00000000 atikmdag+0x4c159<br />a53d78dc 8b5973e3 00000000 86a611e0 00000001 atikmdag+0x4205c<br />a53d7904 8b5b3be0 00000001 00000001 00000001 atikmdag+0x443e3<br />a53d7960 8b5b80ab 86a58000 00000000 00000001 atikmdag+0x60be0<br />a53d7980 8b58e38d 86a58000 a53d799c a53d7ba0 atikmdag+0x650ab<br />a53d79b8 8b554e80 86a58000 a53d7ba0 00000030 atikmdag+0x3b38d<br />a53d79dc 8b55a7de a53d7ba0 00000030 a53d7bd4 atikmdag+0x1e80<br />a53d7a00 8b55af33 0011000e 00000030 a53d7bd4 atikmdag+0x77de<br />a53d7a24 8b56bdeb 00000030 a53d7ba0 00000000 atikmdag+0x7f33<br />a53d7a54 8b56bf8a 00000000 a53d7b1c a53d7ba0 atikmdag+0x18deb<br />a53d7a74 89c4a7b2 8640a648 a53d7ab4 000000b8 atikmdag+0x18f8a<br />a53d7a94 89c4a455 a53d7ab4 a5b4b811 0012e910 dxgkrnl!DXGADAPTER::DdiEscape+0x3b<br />a53d7d38 81c4607a 0012e910 0012e94c 77940f34 dxgkrnl!DxgkEscape+0x4af<br />a53d7d38 77940f34 0012e910 0012e94c 77940f34 nt!KiFastCallEntry+0x12a<br />0012e94c 00000000 00000000 00000000 00000000 0x77940f34 </span><p><span style="font-family:Courier New;">STACK_COMMAND: .thread 0xffffffff870246b8 ; kb </span><p><span style="font-family:Courier New;">FOLLOWUP_IP:<br />dxgkrnl!TdrTimedOperationBugcheckOnTimeout+2b<br />89c2a825 cc int 3 </span><p><span style="font-family:Courier New;">SYMBOL_STACK_INDEX: 1 </span><p><span style="font-family:Courier New;">SYMBOL_NAME: dxgkrnl!TdrTimedOperationBugcheckOnTimeout+2b </span><p><span style="font-family:Courier New;">FOLLOWUP_NAME: MachineOwner </span><p><span style="font-family:Courier New;">MODULE_NAME: dxgkrnl </span><p><span style="font-family:Courier 
New;">IMAGE_NAME: dxgkrnl.sys </span><p><span style="font-family:Courier New;">DEBUG_FLR_IMAGE_TIMESTAMP: 46899fd6 </span><p><span style="font-family:Courier New;">FAILURE_BUCKET_ID: 0xEA_IMAGE_dxgkrnl.sys </span><p><span style="font-family:Courier New;">BUCKET_ID: 0xEA_IMAGE_dxgkrnl.sys </span><p><span style="font-family:Courier New;">Followup: MachineOwner<br /></span></p></blockquote><p>Seems that the hardware was messed up, as I had to force the laptop to power down twice during subsequent boots, in order for Vista to make it to the logon prompt.</p><p>»</p>«/\/\Ø|ö±ò\/»®©http://www.blogger.com/profile/04886149439479604072noreply@blogger.com0tag:blogger.com,1999:blog-20977280.post-4403355054114528432007-11-18T21:57:00.000-06:002007-11-18T22:13:05.358-06:00SetThreadPriority, Vista, and Autostart Locations<p>I ran across a post on the <a href="http://blogs.msdn.com/vistacompatteam/default.aspx" target="_blank">Vista Compatibility Team Blog</a> entitled "<a href="http://blogs.msdn.com/vistacompatteam/archive/2007/04/12/setthreadpriority-from-run-key.aspx" target="_blank">SetThreadPriority from Run key</a>" that discusses a change in Vista whereby calling SetThreadPriority from an application launched from the Startup folder and the "Run" key in the registry will not cause the thread's priority to be increased.</p><p>Wanting to verify and play around with this, I wrote a simple program that called <a href="http://msdn2.microsoft.com/en-us/library/ms686277.aspx" target="_blank">SetThreadPriority</a> to set the priority of the thread to THREAD_PRIORITY_HIGHEST. The program then immediately called <a href="http://msdn2.microsoft.com/en-us/library/ms683235.aspx" target="_blank">GetThreadPriority</a> to determine if the call to SetThreadPriority had any effect. Next, in a loop, the program then called SetThreadPriority / GetThreadPriority until either an error was encountered, or GetThreadPriority returned the expected priority. 
The program logged before and after each call to SetThreadPriority / GetThreadPriority the time, the action, and either the parameters or the return value.</p><p>I set the program to be launched automatically by placing a shortcut in the "Startup" folder, and rebooted. Once the system came back up, I waited a bit and then examined the log. The first call to <span style="font-family:courier new;font-size:85%;">SetThreadPriority( GetCurrentThread(), THREAD_PRIORITY_HIGHEST );</span> returned TRUE. The first call to <span style="font-family:courier new;font-size:85%;">GetThreadPriority( GetCurrentThread() );</span> returned 0, indicating THREAD_PRIORITY_NORMAL. In other words, the call to SetThreadPriority had succeeded, but the priority of the thread remained unchanged. The calls to SetThreadPriority and GetThreadPriority in the loop were identical, and returned identical values. That is, until about 45 seconds into the program's execution, when the call to GetThreadPriority returned 2, indicating that the priority of the thread was THREAD_PRIORITY_HIGHEST. This matches what is mentioned in the "SetThreadPriority from Run key" blog entry, where it is stated that:</p><blockquote>it is for about a minute or so after which the call to SetThreadPriority(THREAD_PRIORITY_HIGHEST ) will actually succeed in bumping up its priority level.</blockquote><p>I repeated the same tests, using THREAD_PRIORITY_ABOVE_NORMAL in the call to SetThreadPriority, with the same results.</p><p>I also used THREAD_PRIORITY_BELOW_NORMAL in the call to SetThreadPriority as well as THREAD_PRIORITY_LOWEST; in these cases, the call indicated success and GetThreadPriority confirmed the change in priority immediately.</p><p>The next set of tests removed the call to SetThreadPriority in the loop - just the initial call to SetThreadPriority was made. 
The return indicated success, but the call to GetThreadPriority returned THREAD_PRIORITY_NORMAL for many minutes; as the loop was a tight loop, I terminated the process once it became apparent that there truly would be no change to the priority of the thread. This means that requests to increase the priority are not queued up or held for later processing. The call to increase priority indicates success, the priority is not changed, and unless the thread checks, it is none the wiser.</p><p>One other thing that I thought of trying was to see what happened when a thread in a process spawned by an "autostart" process called SetThreadPriority, as above. To do so, I modified the original program to accept a command-line parameter indicating that it should spawn another instance of itself. The thread in the spawned process behaved identically to the thread in the "autostart" process; this persisted 3 "levels" deep ("autostart" instance spawns instance x, which spawns instance y), which is as deep as I tried. The Vista Compatibility Team Blog entry only mentions the Startup folder and the "Run" key as being affected by this, but I wonder if other things may be affected. It is interesting (and a good thing!) that there is a mechanism in place to cause this behavior to affect processes spawned by autostart processes (otherwise, the "protection" offered by this feature is easily defeated).</p><p>As a last test, I invoked the test program manually as quickly as I could while Vista was still processing the login. The first attempt to change the priority of the thread succeeded, and the first call to GetThreadPriority confirmed the priority change. At the same time, Vista was processing the autostart instance of the program, which behaved as it had previously when started automatically. 
So there is not a blanket ban on priority boosting in the first minute or so - how a program is started truly affects what it can do.</p><p>»</p>«/\/\Ø|ö±ò\/»®©http://www.blogger.com/profile/04886149439479604072noreply@blogger.com0tag:blogger.com,1999:blog-20977280.post-22317281500116724292007-09-06T20:36:00.000-05:002007-09-06T20:39:11.127-05:00Updated IE 6 and IE 7 Virtual PC Images Available<p><a href="http://mygreenpaste.blogspot.com/2007/07/multiple-versions-of-ie-on-same-system.html" target="_blank">Previously</a>, I had written about IE6 and IE7 Virtual PC images that the IE Team at Microsoft makes available. As the previous release of the VPCs has expired, <a href="http://blogs.msdn.com/ie/archive/2007/08/20/ie6-and-ie7-vpc-refresh-available.aspx" target="_blank">a refresh release has been issued</a>. The new release expires on 2007-12-07.</p><p>»</p>«/\/\Ø|ö±ò\/»®©http://www.blogger.com/profile/04886149439479604072noreply@blogger.com0
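<p>The SetThreadPriority / GetThreadPriority probe from the "SetThreadPriority, Vista, and Autostart Locations" post above, reworked as an added PowerShell example that is not the post's own program. It calls the same two Win32 functions through P/Invoke, logs each attempt with a timestamp, and stops either when GetThreadPriority finally reports the requested priority or when a call really fails, which is the distinction the post makes: a TRUE return from SetThreadPriority says nothing about whether the priority changed. The log path, the one-second pause and the five-minute cut-off are this example's own choices.</p>

```powershell
# Added example, not the post's program: probe whether a SetThreadPriority boost takes
# effect, and how long that takes, by reading the priority back with GetThreadPriority.
# Run it by hand, or launch it from the Startup folder to reproduce the post's autostart case:
#   powershell.exe -ExecutionPolicy Bypass -File thread-priority-probe.ps1
# Log path, polling interval and cut-off are assumptions of this example.
Add-Type -Namespace Win32 -Name NativeThread -MemberDefinition @'
[DllImport("kernel32.dll")]
public static extern IntPtr GetCurrentThread();
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool SetThreadPriority(IntPtr hThread, int nPriority);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern int GetThreadPriority(IntPtr hThread);
'@

$THREAD_PRIORITY_HIGHEST      = 2            # the value the post requested and later read back
$THREAD_PRIORITY_ERROR_RETURN = 0x7FFFFFFF   # GetThreadPriority's documented failure value
$logPath = Join-Path $env:TEMP 'thread-priority-probe.log'   # assumed location
$maxWait = [TimeSpan]::FromMinutes(5)                        # assumed cut-off

function Write-ProbeLog([string]$Message) {
    # One timestamped line per event, like the log the post describes.
    "{0:o} {1}" -f (Get-Date), $Message | Add-Content -Path $logPath
}

$hThread = [Win32.NativeThread]::GetCurrentThread()   # pseudo-handle for the calling thread
$started = Get-Date
Write-ProbeLog "start pid=$PID requested=$THREAD_PRIORITY_HIGHEST"

do {
    $setOk = [Win32.NativeThread]::SetThreadPriority($hThread, $THREAD_PRIORITY_HIGHEST)
    $err   = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
    $got   = [Win32.NativeThread]::GetThreadPriority($hThread)
    Write-ProbeLog ("SetThreadPriority={0} lasterr={1} GetThreadPriority={2}" -f $setOk, $err, $got)

    # A FALSE return or the error sentinel is a real failure; a TRUE return with an
    # unchanged priority is the silent no-op the post observed, so keep polling.
    if (-not $setOk -or $got -eq $THREAD_PRIORITY_ERROR_RETURN) {
        Write-ProbeLog "call failed, giving up"
        break
    }
    if ($got -eq $THREAD_PRIORITY_HIGHEST) {
        Write-ProbeLog ("boost took effect after {0:n1} s" -f ((Get-Date) - $started).TotalSeconds)
        break
    }
    Start-Sleep -Seconds 1   # poll instead of the tight loop used in the post
} while (((Get-Date) - $started) -lt $maxWait)

Write-ProbeLog "end"
```

<p>Because the script exits on a genuine failure but keeps polling while the call merely reports success, the log distinguishes the three outcomes the post found: an immediate change (manual launch, or a request to lower the priority), a change after roughly a minute (autostart launch with the call repeated), and no change at all within the cut-off. The practical lesson for anything that raises its own priority is the one the post closes on: check the result with GetThreadPriority rather than trusting SetThreadPriority's return value.</p>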