tag:blogger.com,1999:blog-209772802011-10-10T01:05:43.102-07:00Tech things that interest me, the inevitable rant, and, of course, My Green Paste. Windows Internals, Windows Drivers, Security, Development, .NET, Software Tools & Utilities...«/\/\Ø|ö±ò\/»®©http://www.blogger.com/profile/04886149439479604072noreply@blogger.comBlogger1751100tag:blogger.com,1999:blog-20977280.post-75899354926533781282008-11-17T20:01:00.001-08:002008-11-17T20:06:58.907-08:00<p><span style="font-size:78%;">Note: this content originally from </span><a href="http://mygreenpaste.blogspot.com/"><span style="font-size:78%;">http://mygreenpaste.blogspot.com</span></a><span style="font-size:78%;">. If you are reading it from some other site, please take the time to visit </span><a href="http://mygreenpaste.blogspot.com/"><span style="font-size:78%;">My Green Paste, Inc</span></a><span style="font-size:78%;">. Thank you.</span> </p><p><span>I guess I've got nothing to complain about. I'll let the screenshot speak for itself...</span></p><p><span style="font-size:85%;"><br /></span> </p><p><span style="font-size:85%;"></span></p> <a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_ZN289iRXuJw/SSI-1SPL4RI/AAAAAAAAAHY/yHZq5wTvfto/s1600-h/VistaReliabilityReport2008-11.jpg" target="_blank"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 171px;" src="http://1.bp.blogspot.com/_ZN289iRXuJw/SSI-1SPL4RI/AAAAAAAAAHY/yHZq5wTvfto/s400/VistaReliabilityReport2008-11.jpg" alt="" id="BLOGGER_PHOTO_ID_5269843599126421778" border="0" /></a><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/20977280-7589935492653378128?l=mygreenpaste.blogspot.com' alt='' /></div>«/\/\Ø|ö±ò\/»®©http://www.blogger.com/profile/04886149439479604072noreply@blogger.com1tag:blogger.com,1999:blog-20977280.post-2761692777546179822008-11-03T20:38:00.001-08:002008-11-03T20:43:20.202-08:00<p><span style="font-size: 78%;">Note: this content originally from </span><a href="http://mygreenpaste.blogspot.com/" target="_blank"><span style="font-size: 78%;">http://mygreenpaste.blogspot.com</span></a><span style="font-size: 78%;">. If you are reading it from some other site, please take the time to visit <a href="http://mygreenpaste.blogspot.com/" target="_blank">My Green Paste, Inc</a>. Thank you.</span></p><p>I was recently working on getting Windows Media Services configured on a system. Going through the properties, I noticed that the "WMS Anonymous User Authentication" plugin was in an error state. On inspection, I was presented with the following dialog. </p><blockquote> <p><span style="font-family:Courier New;">---------------------------<br />Windows Media Services<br />---------------------------<br />The plug-in cannot be enabled because the user name or password does not match the settings for the Windows user account used for anonymous guests.<br />---------------------------<br />OK <br />---------------------------</span> </p></blockquote> <p>Also, the event viewer was showing the following: </p><blockquote> <p><span style="font-family:Courier New;">Event Type: Error<br />Event Source: WMServer<br />Event Category: Plugin<br />Event ID: 323<br />Date: [Date]<br />Time: [Time]<br />User: N/A<br />Computer: [CompName]<br />Description:<br />Plug-in 'WMS Anonymous User Authentication' on the server failed with the following information: Error code = 0x8007052e, Error text = 'Logon failure: unknown user name or bad password. '.<br />For more information, see Help and Support Center at </span><a href="http://go.microsoft.com/fwlink/events.asp"><span style="font-family:Courier New;">http://go.microsoft.com/fwlink/events.asp</span></a><span style="font-family:Courier New;">.<br />Data:<br />0000: 8007052e </span></p></blockquote> <p>Checking "Local Users and Groups", I could see that the specified user (WMUS_COMPNAME) certainly existed. I changed the password for the user and then set the password in the properties for "WMS Anonymous User Authentication". I was rewarded with the same message. The user name and password were correct, so I focused my attention elsewhere. I first tried changing the settings to provoke the message while running Sysinternals' <a target="_blank" href="http://technet.microsoft.com/en-us/sysinternals/bb896642.aspx">Filemon</a> and <a target="_blank" href="http://technet.microsoft.com/en-us/sysinternals/bb896652.aspx">Regmon</a>, but was unable to pull anything from the captured data that seemed like it was germane to the problem. </p><p>The next thing I tried was creating a new account and specifying that account in the properties for "WMS Anonymous User Authentication". This worked; the status of "WMS Anonymous User Authentication" became "Enabled". I found this odd, as I was working with a fresh installation of Windows Media Services. In comparing the accounts (WMUS_COMPNAME and the test account I created), I noticed the WMUS_COMPNAME account was just a member of the Guests group, while the test account was just a member of the Users group. So, I added the test account to Guests and removed it from Users, and then checked / OK'd the "WMS Anonymous User Authentication" properties. I got the aforementioned message. I changed the test account back to the original group memberships, and "WMS Anonymous User Authentication" did not complain. </p><p>At this point, I knew that the problem was related to some restriction placed on the Guests group. I ran secpol.msc to check the Local Security Policy Settings, and I noticed that Guests had been added to the Security Setting for the "Deny access to this computer from the network" policy. <a target="_blank" href="http://technet.microsoft.com/en-us/library/cc758316.aspx">According to TechNet</a>, the default for this policy is "None". Removing Guests from the setting allowed the WMUS_COMPNAME account to function as the anonymous account used by Windows Media Services. </p><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/20977280-276169277754617982?l=mygreenpaste.blogspot.com' alt='' /></div>«/\/\Ø|ö±ò\/»®©http://www.blogger.com/profile/04886149439479604072noreply@blogger.com12tag:blogger.com,1999:blog-20977280.post-19935069230291260622008-10-21T20:27:00.001-07:002008-10-21T20:34:55.210-07:00<p>A while ago, I noticed a handle leak in Apple's "Bonjour Service" (yeah, that <em>sounds </em>like something I want running on my system...) - mDNSResponder.exe. I knew right away that that was the executable for the "Bonjour Service" because the name is so helpful. (Joking. Even if it was named after the service, how the heck would I even guess what the "Bonjour Service" did. But I digress...)</p> <p>The service description is: </p><blockquote>Bonjour allows applications like iTunes and Safari to advertise and discover services on the local network. Having Bonjour running enables you to connect to hardware devices like Apple TV and software services like iTunes sharing and AirTunes. If you disable Bonjour, any network service that explicitly depends on it will fail to start.</blockquote> <p></p> <p>I put up with the leak for a while, from time to time stopping the service when I thought of it after booting. Most of the time I didn't think of it and the leak did not appear to be having any kind of performance impact on my system (I never saw it get above 80,000 handles). An update (or two?) later, I thought it would be fixed. So I was surprised to find mDNSResponder.exe had more than 55,000 handles when I checked recently with Sysinternals' <a target="_blank" href="http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx">Process Explorer</a>.</p><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_ZN289iRXuJw/SP6ePirODII/AAAAAAAAAHQ/uqszxJVjObs/s1600-h/mdsnresponder.jpg"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://1.bp.blogspot.com/_ZN289iRXuJw/SP6ePirODII/AAAAAAAAAHQ/uqszxJVjObs/s400/mdsnresponder.jpg" alt="" id="BLOGGER_PHOTO_ID_5259815404658625666" border="0" /></a><p><br /></p> <p>I tried to use Process Explorer's handle pane to see the handles in mDNSResponder.exe, but with that many handles to display, and with Process Explorer running with its default High priority and refreshing every second, the system became rather sluggish. I dropped the priority of Process Explorer with Task Manager, hid the lower-pane view, and gave <a target="_blank" href="http://technet.microsoft.com/en-us/sysinternals/bb896655.aspx">Handle.exe</a> a shot with <span style="font-family:Courier New;">handle.exe -a -p mdnsresponder.exe</span>.</p> <p>I found that the handles being leaked are handles to registry keys - specifically, HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters. (ControlSet001 is the current control set on my system.)</p> <p>Since there's not much I can do about the handle leak, I'll disable the service, and hope the next update fixes the problem as surely the next update will set the service to Automatic start. Wonder why the installer doesn't at least set a service such as this as "Delayed Start" in Vista...</p><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/20977280-1993506923029126062?l=mygreenpaste.blogspot.com' alt='' /></div>«/\/\Ø|ö±ò\/»®©http://www.blogger.com/profile/04886149439479604072noreply@blogger.com1tag:blogger.com,1999:blog-20977280.post-49285305916347076652008-09-17T19:40:00.001-07:002008-09-17T19:42:12.696-07:00<p><span style="font-size:78%;">Note: this content originally from </span><a href="http://mygreenpaste.blogspot.com/"><span style="font-size:78%;">http://mygreenpaste.blogspot.com</span></a><span style="font-size:78%;">. If you are reading it from some other site, please take the time to visit </span><a href="http://mygreenpaste.blogspot.com/"><span style="font-size:78%;">My Green Paste, Inc</span></a><span style="font-size:78%;">. Thank you.</span> </p><p>Just a quick note - <a target="_blank" href="http://www.advancedwindowsdebugging.com/book/authors.htm">the authors</a> of <a target="_blank" href="http://www.advancedwindowsdebugging.com/">Advanced Windows Debugging</a> have been <a target="_blank" href="http://channel9.msdn.com/posts/Charles/Advanced-Windows-Debugging-An-Introduction/">interviewed</a> on MSDN's Channel 9. It's about 43 minutes long, and it's interesting to hear the authors talk about their experiences, the motivation behind the book, the effect of additional layers of abstraction, etc., and go through a handle leak debugging session. <a target="_blank" href="http://channel9.msdn.com/posts/Charles/Advanced-Windows-Debugging-An-Introduction/">Check it out!</a></p><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/20977280-4928530591634707665?l=mygreenpaste.blogspot.com' alt='' /></div>«/\/\Ø|ö±ò\/»®©http://www.blogger.com/profile/04886149439479604072noreply@blogger.com0tag:blogger.com,1999:blog-20977280.post-73764051471885729202008-07-09T18:43:00.001-07:002008-07-09T18:57:06.955-07:00<p><span style="font-size:78%;">Note: this content originally from </span><a href="http://mygreenpaste.blogspot.com/" target="_blank"><span style="font-size:78%;">http://mygreenpaste.blogspot.com</span></a><span style="font-size:78%;">. If you are reading it from some other site, please take the time to visit <a href="http://mygreenpaste.blogspot.com/" target="_blank">My Green Paste, Inc</a>. Thank you.</span></p><p><a href="http://mygreenpaste.blogspot.com/2008/04/in-vista-how-does-flags-switch-of.html" target="_blank">Previously</a>, I wrote about the FLAGS switch for REG.EXE in Vista and covered a technique that would set the virtualization-related flags of a registry key programmatically. This post intends to cover the other side - querying for the virtualization-related flags of a registry key. Again, we're dealing with an "undocumented" function in NTDLL.DLL - NtQueryKey:<br /></p><div style="OVERFLOW-X: scroll; WIDTH: 410px"><pre>NTSTATUS NtQueryKey(<br /> IN HANDLE KeyHandle,<br /> IN KEY_INFORMATION_CLASS KeyInformationClass,<br /> OUT PVOID KeyInformation,<br /> IN ULONG Length<br /> OUT PULONG ResultLength );</pre></div><br /><br />To retrieve the flags for a key, call NtQueryKey with KeyInformationClass set to 5, which WDM.h tells us is KeyFlagsInformation.<br /><div style="OVERFLOW-X: scroll; WIDTH: 410px"><pre>typedef enum _KEY_INFORMATION_CLASS {<br /> KeyBasicInformation,<br /> KeyNodeInformation,<br /> KeyFullInformation,<br /> KeyNameInformation,<br /> KeyCachedInformation,<br /> KeyFlagsInformation,<br /> KeyVirtualizationInformation,<br /> MaxKeyInfoClass // MaxKeyInfoClass should always be the last enum<br />} KEY_INFORMATION_CLASS</pre></div><br /><br />REG.EXE supplies 12 for the value of the Length param, and the last 4 bytes of the buffer (KeyInformation) are modified when NtQueryKey returns. This would seem to suggest that the struct to receive the information containing the virtualization flags looks something like:<br /><div style="OVERFLOW-X: scroll; WIDTH: 410px"><pre>typedef struct _KEY_FLAGS_INFO {<br /> ULONG unknown1;<br /> ULONG unknown2;<br /> ULONG ControlFlags;<br />} KEY_FLAGS_INFO, *PKEY_FLAGS_INFO;</pre></div><br /><br />Putting it all together, then, we have something like:<br /><div style="OVERFLOW-X: scroll; WIDTH: 410px"><pre>typedef NTSYSAPI NTSTATUS (NTAPI* FuncNtQueryKey)( HANDLE KeyHandle, KEY_INFORMATION_CLASS KeyInformationClass, PVOID KeyInformation, ULONG Length, PULONG ResultLength );<br />// ...<br />FuncNtQueryKey ntqk = (FuncNtQueryKey)GetProcAddress( GetModuleHandle( _T("ntdll.dll") ), "NtQueryKey" );<br />KEY_FLAGS_INFO kfi = {0};<br />HKEY hTheKey = NULL;<br />RegOpenKeyEx( HKEY_LOCAL_MACHINE, _T("SOFTWARE\\Whatever"), 0, KEY_ALL_ACCESS, &amp;hTheKey );<br />DWORD dwResultLen = 0;<br />DWORD dwNtqkResult = ntqk( hTheKey , KeyFlagsInformation, &amp;kfi, sizeof( KEY_FLAGS_INFO ), &amp;dwResultLen );<br />RegCloseKey( hTheKey );<br />hTheKey = NULL;</pre></div><br /><br />The flags (_CONTROL_FLAGS, from <a href="http://mygreenpaste.blogspot.com/2008/04/in-vista-how-does-flags-switch-of.html" target="_blank">Part 1</a>) are stored as a bitmask in kfi.ControlFlags.<br /><div style="OVERFLOW-X: scroll; WIDTH: 410px"><pre>typedef enum _CONTROL_FLAGS {<br /> RegKeyClearFlags = 0,<br /> RegKeyDontVirtualize = 2,<br /> RegKeyDontSilentFail = 4,<br /> RegKeyRecurseFlag = 8<br />} CONTROL_FLAGS;</pre></div><br /><br />The code above provides the same information as invoking REG.EXE FLAGS HKLM\Software\Whatever QUERY.<br /><br />Again - note that this exploration was done on Windows Vista SP1. I would expect the content here to also apply to Windows Vista (no SP) as well as Windows Server 2008, but...<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/20977280-7376405147188572920?l=mygreenpaste.blogspot.com' alt='' /></div>«/\/\Ø|ö±ò\/»®©http://www.blogger.com/profile/04886149439479604072noreply@blogger.com0tag:blogger.com,1999:blog-20977280.post-19923235279188217612008-06-30T19:13:00.001-07:002008-12-08T16:57:37.006-08:00<p><span style="font-size:78%;">Note: this content originally from </span><a href="http://mygreenpaste.blogspot.com/" target="_blank"><span style="font-size:78%;">http://mygreenpaste.blogspot.com</span></a><span style="font-size:78%;">. If you are reading it from some other site, please take the time to visit <a href="http://mygreenpaste.blogspot.com/" target="_blank">My Green Paste, Inc</a>. Thank you.</span></p><br /><p>Was having a little fun with rundll32.exe (command-lines will probably be a little messed up due to the length - they should be entered as one complete command). I first tried the commands on XP, but they produce similar results on Vista.</p><br /><p><span style="font-family:Courier New;font-size:78%;">C:\WINDOWS\system32\rundll32.exe&nbsp;C:\WINDOWS\system32\sysdm.cpl,NoExecuteProcessException&nbsp;C:\windows\system32\ntoskrnl.exe</span><a href="http://4.bp.blogspot.com/_ZN289iRXuJw/SGmTicvLqAI/AAAAAAAAAFY/jlnQZQEIWzI/s1600-h/ntoskrnl.jpg"><img style="MARGIN: 0px auto 10px; CURSOR: hand; DISPLAY: block; TEXT-ALIGN: center" id="BLOGGER_PHOTO_ID_5217863863324354562" border="0" alt="" src="http://4.bp.blogspot.com/_ZN289iRXuJw/SGmTicvLqAI/AAAAAAAAAFY/jlnQZQEIWzI/s400/ntoskrnl.jpg" /></a></p><br /><p><span style="font-family:Courier New;font-size:78%;"></span></p><br /><p><span style="font-family:Courier New;font-size:78%;">C:\WINDOWS\system32\rundll32.exe&nbsp;C:\WINDOWS\system32\sysdm.cpl,NoExecuteProcessException&nbsp;C:\windows\system32\hal.dll</span><a href="http://4.bp.blogspot.com/_ZN289iRXuJw/SGmUXNj00MI/AAAAAAAAAFg/mbhFfN6gKN0/s1600-h/hal.jpg"><img style="MARGIN: 0px auto 10px; CURSOR: hand; DISPLAY: block; TEXT-ALIGN: center" id="BLOGGER_PHOTO_ID_5217864769783255234" border="0" alt="" src="http://4.bp.blogspot.com/_ZN289iRXuJw/SGmUXNj00MI/AAAAAAAAAFg/mbhFfN6gKN0/s400/hal.jpg" /></a><span style="font-family:Courier New;font-size:78%;"></span></p><br /><p><span style="font-family:Courier New;font-size:78%;"></span></p><br /><p><span style="font-family:Courier New;font-size:78%;">C:\WINDOWS\system32\rundll32.exe&nbsp;C:\WINDOWS\system32\sysdm.cpl,NoExecuteProcessException&nbsp;C:\windows\system32\chkdsk.exe</span><a href="http://1.bp.blogspot.com/_ZN289iRXuJw/SGmUYOVBQrI/AAAAAAAAAGA/Ck7Tt08qYgU/s1600-h/chkdsk.jpg"><img style="MARGIN: 0px auto 10px; CURSOR: hand; DISPLAY: block; TEXT-ALIGN: center" id="BLOGGER_PHOTO_ID_5217864787169460914" border="0" alt="" src="http://1.bp.blogspot.com/_ZN289iRXuJw/SGmUYOVBQrI/AAAAAAAAAGA/Ck7Tt08qYgU/s400/chkdsk.jpg" /></a></p><br /><p><span style="font-family:Courier New;font-size:78%;"></span></p><br /><p><span style="font-family:Courier New;font-size:78%;">C:\WINDOWS\system32\rundll32.exe&nbsp;C:\WINDOWS\system32\sysdm.cpl,NoExecuteProcessException&nbsp;C:\windows\system32\autochk.exe</span><a href="http://1.bp.blogspot.com/_ZN289iRXuJw/SGmUX0XCtVI/AAAAAAAAAF4/wgD9RNXet1k/s1600-h/autochk.jpg"><img style="MARGIN: 0px auto 10px; CURSOR: hand; DISPLAY: block; TEXT-ALIGN: center" id="BLOGGER_PHOTO_ID_5217864780198622546" border="0" alt="" src="http://1.bp.blogspot.com/_ZN289iRXuJw/SGmUX0XCtVI/AAAAAAAAAF4/wgD9RNXet1k/s400/autochk.jpg" /></a><span style="font-family:Courier New;font-size:78%;"></span></p><br /><p><span style="font-family:Courier New;font-size:78%;"></span></p><br /><p><span style="font-family:Courier New;font-size:78%;">C:\WINDOWS\system32\rundll32.exe&nbsp;C:\WINDOWS\system32\sysdm.cpl,NoExecuteProcessException&nbsp;C:\windows\system32\smss.exe</span><a href="http://2.bp.blogspot.com/_ZN289iRXuJw/SGmUXo5oMfI/AAAAAAAAAFw/t6m84NUO67M/s1600-h/smss.jpg"><img style="MARGIN: 0px auto 10px; CURSOR: hand; DISPLAY: block; TEXT-ALIGN: center" id="BLOGGER_PHOTO_ID_5217864777122460146" border="0" alt="" src="http://2.bp.blogspot.com/_ZN289iRXuJw/SGmUXo5oMfI/AAAAAAAAAFw/t6m84NUO67M/s400/smss.jpg" /></a></p><br /><p><span style="font-family:Courier New;font-size:78%;"></span></p><br /><p><span style="font-family:Courier New;font-size:78%;">C:\WINDOWS\system32\rundll32.exe&nbsp;C:\WINDOWS\system32\sysdm.cpl,NoExecuteProcessException&nbsp;C:\windows\system32\winlogon.exe</span><a href="http://3.bp.blogspot.com/_ZN289iRXuJw/SGmUXf_G5gI/AAAAAAAAAFo/c30_rOc9VI8/s1600-h/winlogon.jpg"><img style="MARGIN: 0px auto 10px; CURSOR: hand; DISPLAY: block; TEXT-ALIGN: center" id="BLOGGER_PHOTO_ID_5217864774729524738" border="0" alt="" src="http://3.bp.blogspot.com/_ZN289iRXuJw/SGmUXf_G5gI/AAAAAAAAAFo/c30_rOc9VI8/s400/winlogon.jpg" /></a><span style="font-family:Courier New;font-size:78%;"></span></p><br /><p><span style="font-family:Courier New;font-size:78%;"></span></p><br /><p><span style="font-family:Courier New;font-size:78%;">C:\WINDOWS\system32\rundll32.exe&nbsp;C:\WINDOWS\system32\sysdm.cpl,NoExecuteProcessException&nbsp;c:\windows\Soap Bubbles.bmp</span><a href="http://2.bp.blogspot.com/_ZN289iRXuJw/SGmUg7aTaiI/AAAAAAAAAGI/CWf_V2DJisk/s1600-h/SoapBubbles.jpg"><img style="MARGIN: 0px auto 10px; CURSOR: hand; DISPLAY: block; TEXT-ALIGN: center" id="BLOGGER_PHOTO_ID_5217864936710171170" border="0" alt="" src="http://2.bp.blogspot.com/_ZN289iRXuJw/SGmUg7aTaiI/AAAAAAAAAGI/CWf_V2DJisk/s400/SoapBubbles.jpg" /></a></p><br /><p></p><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/20977280-1992323527918821761?l=mygreenpaste.blogspot.com' alt='' /></div>«/\/\Ø|ö±ò\/»®©http://www.blogger.com/profile/04886149439479604072noreply@blogger.com3tag:blogger.com,1999:blog-20977280.post-75484369311110965792008-06-22T11:57:00.001-07:002008-06-22T11:58:15.053-07:00<p><span style="font-size:78%;">Note: this content originally from </span><a href="http://mygreenpaste.blogspot.com/" target="_blank"><span style="font-size:78%;">http://mygreenpaste.blogspot.com</span></a><span style="font-size:78%;">. If you are reading it from some other site, please take the time to visit <a href="http://mygreenpaste.blogspot.com/" target="_blank">My Green Paste, Inc</a>. Thank you.</span></p><p>Congratulations to AD for the public release of the beta of RootRepeal, a new rootkit detector!</p><p>See the tool's site on GooglePages for more info or to download:</p><p><a title="http://rootrepeal.googlepages.com/home" href="http://rootrepeal.googlepages.com/">http://rootrepeal.googlepages.com</a></p><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/20977280-7548436931111096579?l=mygreenpaste.blogspot.com' alt='' /></div>«/\/\Ø|ö±ò\/»®©http://www.blogger.com/profile/04886149439479604072noreply@blogger.com2tag:blogger.com,1999:blog-20977280.post-5489288571460805952008-05-27T04:34:00.001-07:002008-06-03T20:09:46.439-07:00<p><font size="1">Note: this content originally from </font><a href="http://mygreenpaste.blogspot.com/" target="_blank"><font size="1">http://mygreenpaste.blogspot.com</font></a><font size="1">. If you are reading it from some other site, please take the time to visit <a href="http://mygreenpaste.blogspot.com/" target="_blank">My Green Paste, Inc</a>. Thank you.</font></p><p>Ran into the following while configuring IIS 6 on a new system. Not sure if I need to be concerned...</p> <p align="center"><a target=_blank href="http://lh4.ggpht.com/mygreenpaste/SDvxpdsv5zI/AAAAAAAAAFA/X655UzDCLwo/s1600-h/cr%5B4%5D.jpg"><img style="border-right: 0px; border-top: 0px; border-left: 0px; border-bottom: 0px" border="0" alt="Garbled Content Ratings Dialog" src="http://lh3.ggpht.com/mygreenpaste/SDvxqNsv50I/AAAAAAAAAFI/8oTE40SGEt8/cr_thumb%5B2%5D.jpg?imgmax=800" width="421" height="445"></a></p><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/20977280-548928857146080595?l=mygreenpaste.blogspot.com' alt='' /></div>«/\/\Ø|ö±ò\/»®©http://www.blogger.com/profile/04886149439479604072noreply@blogger.com1tag:blogger.com,1999:blog-20977280.post-34212411912001859962008-05-25T14:24:00.000-07:002008-06-03T20:09:24.218-07:00<p><font size="1">Note: this content originally from </font><a href="http://mygreenpaste.blogspot.com/" target="_blank"><font size="1">http://mygreenpaste.blogspot.com</font></a><font size="1">. If you are reading it from some other site, please take the time to visit <a href="http://mygreenpaste.blogspot.com/" target="_blank">My Green Paste, Inc</a>. Thank you.</font></p><p><a href="http://forum.sysinternals.com/forum_posts.asp?TID=14431&amp;PN=1" target="_blank">A recent topic</a> in the <a href="http://forum.sysinternals.com/forum_topics.asp?FID=10" target="_blank">Development forum</a> at <a href="http://forum.sysinternals.com/" target="_blank">Sysinternals Forums</a> contains some information about how to use Visual C++ 2008 to create binaries that run on Windows 9x and NT. For NT, it seems to just be a matter of changing the Subsystem Version to 4.0. One might think to use the <a href="http://msdn2.microsoft.com/en-us/library/fcc1zstk%28VS.80%29.aspx" target="_blank">/SUBSYSTEM linker switch</a> for this. However, when one attempts to do so, the shipping link.exe reports:</p><br /><p><font face="Courier New">LINK : warning LNK4010: invalid subsystem version number x.y; default subsystem version assumed</font> </p><br /><p>In this case, the default subsystem version is 5.0, and NT needs 4.0. One can use an older copy of EditBin.exe to change this (I found the version that shipped with Visual Studio .NET 2003 to work):</p><br /><p><font face="Courier New">editbin /SUBSYSTEM:CONSOLE,4.0 c:\path\to\your.exe</font></p><br /><p>The same requirement also exists to get the executable to run on Windows 9x, but one needs to do a bit more work. </p><br /><p><a href="http://www.steelbytes.com/" target="_blank">Louis Solomon</a> has taken the time and put forth the effort to find what is needed for this, and has documented it at <a href="http://louis.steelbytes.com/vs2008_vs_win40.html" target="_blank">C/C++ EXEs and DLLs created by Visual Studio 2008 don't run on Windows 4.0 (ie, NT4 and Win9x)</a>.</p><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/20977280-3421241191200185996?l=mygreenpaste.blogspot.com' alt='' /></div>«/\/\Ø|ö±ò\/»®©http://www.blogger.com/profile/04886149439479604072noreply@blogger.com1tag:blogger.com,1999:blog-20977280.post-8034002025676634502008-04-27T19:52:00.001-07:002008-04-27T20:13:49.872-07:00<p><font size="1">Note: this content originally from </font><a href="http://mygreenpaste.blogspot.com/" target="_blank"><font size="1">http://mygreenpaste.blogspot.com</font></a><font size="1">. If you are reading it from some other site, please take the time to visit <a href="http://mygreenpaste.blogspot.com/" target="_blank">My Green Paste, Inc</a>. Thank you.</font></p><br /><p>A while back, there was a topic (<a href="http://forum.sysinternals.com/forum_posts.asp?TID=10865" target="_blank">Virtual Registry vs. "Real registry"</a>) in the <a href="http://forum.sysinternals.com/default.asp" target="_blank">Sysinternals Forums</a> that brought up the question of how to set the virtualization-related flags of a registry key programmatically in Vista, rather than through the use of the REG.EXE tool's FLAGS switch. (For more information on the flags, see <a href="http://blogs.technet.com/markrussinovich/" target="_blank">Mark Russinovich</a>'s article in TechNet Magazine, "<a href="http://technet.microsoft.com/en-us/magazine/cc138019.aspx" target="_blank">Inside Windows Vista User Account Control</a>"). Even before that topic in the forum, I had wondered how it was done but had not had a chance to explore. It didn't seem that many others were curious about it. That topic had resurrected the idea, but it quickly fell to the bottom of the list. I've finally gotten around to experimenting, and that leads to this write-up. I still don't see much in the way of this discussed anywhere, by searching for terms involved (data types, function param names, etc.), so hopefully this will help someone. (Keep in mind that there very well may be a reason Microsoft hasn't made this available through another, more direct API.)</p><br /><p>In the referenced topic, I had gotten so far as determining that REG.EXE was doing its work through the use of NtSetInformationKey, an "undocumented" API in NTDLL.DLL.</p><br /><div style="OVERFLOW-X: scroll; WIDTH: 410px"><pre>NTSYSAPI <br /><br />NTSTATUS<br /><br />NTAPI<br /><br />NtSetInformationKey(<br /><br /> IN HANDLE KeyHandle,<br /><br /> IN KEY_SET_INFORMATION_CLASS InformationClass,<br /><br /> IN PVOID KeyInformationData,<br /><br /> IN ULONG DataLength );</pre></div><br /><br /><p>After a bit of plonking around in WinDbg, I've come up with the following following details. REG.EXE calls <a href="http://undocumented.ntinternals.net/UserMode/Undocumented%20Functions/NT%20Objects/Key/NtSetInformationKey.html" target="_blank">NtSetInformationKey</a>, specifying a value of 2 for the InformationClass parameter. This parameter is of type KEY_SET_INFORMATION_CLASS, which wdm.h tells us is an enum:</p><br /><div style="OVERFLOW-X: scroll; WIDTH: 410px"><pre>typedef enum _KEY_SET_INFORMATION_CLASS {<br /><br /> KeyWriteTimeInformation,<br /><br /> KeyWow64FlagsInformation,<br /><br /> KeyControlFlagsInformation,<br /><br /> KeySetVirtualizationInformation,<br /><br /> KeySetDebugInformation,<br /><br /> MaxKeySetInfoClass // MaxKeySetInfoClass should always be the last enum<br /><br />} KEY_SET_INFORMATION_CLASS;</pre></div><br /><br /><p>So the 2 for the InformationClass parameter would correspond to KeyControlFlagsInformation. WDM.H also suggests that this class has a type that one passes for the KeyInformationData parameter - KEY_CONTROL_FLAGS_INFORMATION:</p><br /><div style="OVERFLOW-X: scroll; WIDTH: 410px"><pre>typedef struct _KEY_CONTROL_FLAGS_INFORMATION {<br /><br /> ULONG ControlFlags;<br /><br />} KEY_CONTROL_FLAGS_INFORMATION, *PKEY_CONTROL_FLAGS_INFORMATION;</pre></div><br /><br /><p>We have a basic idea of how to call NtSetInformationKey now. But what are the values that the ControlFlags member of KEY_CONTROL_FLAGS_INFORMATION can be set to? It would appear that the following (self-made) enum covers the pertinent flags - at least the ones REG.EXE FLAGS can handle (there may be more):</p><br /><div style="OVERFLOW-X: scroll; WIDTH: 410px"><pre>typedef enum _CONTROL_FLAGS {<br /><br /> RegKeyClearFlags = 0,<br /><br /> RegKeyDontVirtualize = 2,<br /><br /> RegKeyDontSilentFail = 4,<br /><br /> RegKeyRecurseFlag = 8<br /><br />} CONTROL_FLAGS;</pre></div><br /><br /><p>The control flags are a bitmask, so you can OR them to set more than one.</p><br /><p>Now that we have this information, what's left? We need to put it all together in a call to NtSetInformationKey. So, we need to get a pointer to the function in NTDLL.DLL. Then, we can declare a struct of type KEY_CONTROL_FLAGS_INFORMATION, set the ControlFlags member to be what we wish, and open a key to the desired location in the registry, that can be passed to NtSetInformationKey. In the end, we wind up with something like the following (error handling has been omitted):</p><br /><div style="OVERFLOW-X: scroll; WIDTH: 410px"><pre>typedef NTSYSAPI NTSTATUS (NTAPI* FuncNtSetInformationKey) (<br /><br /> HANDLE KeyHandle,<br /><br /> KEY_SET_INFORMATION_CLASS InformationClass,<br /><br /> PVOID KeyInformationData,<br /><br /> ULONG DataLength ); <br /><br />//... <br /><br />FuncNtSetInformationKey ntsik = (FuncNtSetInformationKey)GetProcAddress( <br /><br /> GetModuleHandle( _T("ntdll.dll") ), "NtSetInformationKey" ); <br /><br />KEY_CONTROL_FLAGS_INFORMATION kcfi = {0}; <br /><br />kcfi.ControlFlags = RegKeyDontVirtualize | RegKeyRecurseFlag; <br /><br />HKEY hTheKey = NULL; <br /><br />RegOpenKeyEx( HKEY_LOCAL_MACHINE, _T("SOFTWARE\\Whatever"), 0, KEY_ALL_ACCESS, &amp;hTheKey ); <br /><br />ntsik( hTheKey, KeyControlFlagsInformation, &amp;kcfi, sizeof( KEY_CONTROL_FLAGS_INFORMATION ) ); <br /><br />RegCloseKey( hTheKey ); <br /><br />hTheKey = NULL;<br /><br /></pre></div><br /><br /><p>The code above is the equivalent of invoking <font face="Courier New">REG.EXE FLAGS HKLM\Software\Whatever SET DONT_VIRTUALIZE RECURSE_FLAGS</font>. To clear the flags, just set kcfi.ControlFlags to RegKeyClearFlags (same as <font face="Courier New">REG.EXE FLAGS HKLM\Software\Whatever SET)</font>.<br /><br /><p>Hopefully, this will prove useful to those that have wished to set these flags programmatically. In a future post, I hope to explore querying for these flags, ala <font face="Courier New">REG.EXE FLAGS HKLM\Software\Whatever QUERY</font>.</p><br /><p>Note that this exploration was done on Windows Vista SP1. I would expect the content here to also apply to Windows Vista (no SP) as well as Windows Server 2008, but...</p><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/20977280-803400202567663450?l=mygreenpaste.blogspot.com' alt='' /></div>«/\/\Ø|ö±ò\/»®©http://www.blogger.com/profile/04886149439479604072noreply@blogger.com2tag:blogger.com,1999:blog-20977280.post-3136091603769695632008-04-25T16:21:00.001-07:002008-04-25T16:23:30.970-07:00<p><span style="font-size:78%;">Note: this content originally from </span><a href="http://mygreenpaste.blogspot.com/" target="_blank"><span style="font-size:78%;">http://mygreenpaste.blogspot.com</span></a><span style="font-size:78%;">. If you are reading it from some other site, please take the time to visit <a href="http://mygreenpaste.blogspot.com/" target="_blank">My Green Paste, Inc</a>. Thank you.</span></p><p><a href="http://mygreenpaste.blogspot.com/2008/04/microsoft-advanced-windows-debugging.html" target="_blank">Previously</a>, I had written about the <a href="http://blogs.msdn.com/ntdebugging/archive/tags/Puzzler/default.aspx" target="_blank">puzzlers</a> on the <a href="http://blogs.msdn.com/ntdebugging/" target="_blank">NTDebugging / Microsoft Advanced Windows Debugging and Troubleshooting blog</a> - specifically, the most <a href="http://blogs.msdn.com/ntdebugging/archive/2008/04/21/ntdebugging-puzzler-0x00000003-matrix-addition-some-assembly-required.aspx" target="_blank">recent puzzler</a> which involved reverse engineering some assembler. The answer was posted today - there were a lot of responses, and a lot of correct responses.</p><p>I had <a href="http://mygreenpaste.blogspot.com/2008/04/microsoft-advanced-windows-debugging.html" target="_blank">posted the hashes</a> for my answer (which was correct), that I am now able to disclose...</p><div style="OVERFLOW-X: scroll; WIDTH: 410px;"><pre>void myfun( char* param1 )<br />{<br /> size_t local1 = strlen( param1 );<br /> for( int local2 = local1; local2 &gt; 0; local2-- )<br /> {<br /> for( int local3 = 0; local3 &lt; local2 - 1; local3++ )<br /> {<br /> if( *(param1+local3) &gt; *(param1+local3+1) )<br /> {<br /> char local4 = *(param1+local3);<br /> *(param1+local3) = *(param1+local3+1);<br /> *(param1+local3+1) = local4;<br /> }<br /> }<br /> }<br />}</pre></div><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/20977280-313609160376969563?l=mygreenpaste.blogspot.com' alt='' /></div>«/\/\Ø|ö±ò\/»®©http://www.blogger.com/profile/04886149439479604072noreply@blogger.com0tag:blogger.com,1999:blog-20977280.post-12378273522519175032008-04-24T04:53:00.001-07:002008-04-24T15:14:26.809-07:00<p><span style="font-size:78%;">Note: this content originally from </span><a href="http://mygreenpaste.blogspot.com/" target="_blank"><span style="font-size:78%;">http://mygreenpaste.blogspot.com</span></a><span style="font-size:78%;">. If you are reading it from some other site, please take the time to visit <a href="http://mygreenpaste.blogspot.com/" target="_blank">My Green Paste, Inc</a>. Thank you.</span></p><p>Over on the <a href="http://blogs.msdn.com/ntdebugging/" target="_blank">Microsoft Advanced Windows Debugging and Troubleshooting</a> blog, they've been posting a "<a href="http://blogs.msdn.com/ntdebugging/archive/tags/Puzzler/default.aspx" target="_blank">Puzzler</a>" every Monday and providing the answers the following Friday.</p><p>The puzzlers are fun to participate in and it is interesting to read people's responses - everyone has their own ideas and own experiences to draw off of.</p><p>With the third puzzler, the blog authors have decided to make the challenge a bit more difficult - the <a href="http://blogs.msdn.com/ntdebugging/archive/2008/04/21/ntdebugging-puzzler-0x00000003-matrix-addition-some-assembly-required.aspx" target="_blank">latest puzzler</a> requires one to reverse engineer some assembler.</p><p>I've not got much experience with reverse engineering assembler - I can read some assembler and can usually get a very basic idea of what a targeted chunk of code is doing. So it was an interesting challenge for me to attempt to C-ify the assembler they provided. It doesn't appear that the authors are posting the responses until they reveal the answer (makes sense to me!). But I thought I'd post hashes of my response, which I'll also post once the NT Debugging blog authors post the answer and submitted comments / responses.</p><p>From <a href="http://technet.microsoft.com/en-us/sysinternals/bb897441.aspx" target="_blank">Sigcheck</a>:</p><p></p><blockquote><p><span style="font-family:Courier New;"><br />Z:\NTDebuggingPuzzler3>sigcheck -h TheFunc.txt<br /><br />Sigcheck v1.52<br />Copyright (C) 2004-2008 Mark Russinovich<br />Sysinternals - www.sysinternals.com </span><p><span style="font-family:Courier New;">Z:\NTDebuggingPuzzler3\TheFunc.txt:<br />Verified: Unsigned<br />File date: 12:52 PM 4/22/2008<br />Publisher: n/a<br />Description: n/a<br />Product: n/a<br />Version: n/a<br />File version: n/a<br />MD5: 755394f9711b80968f17c8ffcb8f2394<br />SHA1: e8443f09eef43f2575aa08ba25f68267dba7243e<br />SHA256: 0e044419ef78f2fa7a8e258098f4f658426a8dc3e8a5b9a121a352c2dbbbfafc</span></p></blockquote><br />EDIT 2008-04-24: The hashes are for the code that was submitted in my <em>second</em> response (not the entire response - just the code). In my <em>first </em>response, I inadvertently left some garbage in the code (an unnecessary / unused local I had been playing with) and I neglected to remove it before submitting. Not sure how it will all pan out when the comments / responses get posted tomorrow...<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/20977280-1237827352251917503?l=mygreenpaste.blogspot.com' alt='' /></div>«/\/\Ø|ö±ò\/»®©http://www.blogger.com/profile/04886149439479604072noreply@blogger.com0tag:blogger.com,1999:blog-20977280.post-77802322006832596142008-03-25T15:33:00.001-07:002008-03-25T15:41:18.343-07:00<p><span style="font-size:78%;">Note: this content originally from </span><a href="http://mygreenpaste.blogspot.com/" target="_blank"><span style="font-size:78%;">http://mygreenpaste.blogspot.com</span></a><span style="font-size:78%;">. If you are reading it from some other site, please take the time to visit <a href="http://mygreenpaste.blogspot.com/" target="_blank">My Green Paste, Inc</a>. Thank you.</span></p><p></p><p>OK, so perhaps chaos is a bit of a harsh word here. But the clipboard was recently driving me nuts! All I was trying to do was copy some text to it, and the operation was failing. Of course, as it was an ad hoc app, I didn't have any kind of error handling. The app worked just fine on one system, but running the app on another system (a virtual machine) consistently resulted in failure to copy the text to the clipboard.</p><p>Ultimately, I was able to determine what process was preventing my app from putting data in the clipboard, but I haven't yet found a decent workaround for when the problem happens. It's not critical for me, as the act of copying the text to the clipboard is more of a nicety than a requirement.</p><p>Anyway, using P/Invoke and <a href="http://msdn2.microsoft.com/en-us/library/system.diagnostics.aspx" target="_blank">System.Diagnostics</a>, I found that vmusrvc.exe - the Virtual PC "Virtual Machine User Services" - had the clipboard open. Using the timestamps from <a href="http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx" target="_blank">Process Monitor</a>'s Profiling Events (generated at 100 ms intervals), and the timestamp of the failed operation from my app, I was able to determine the stack of vmusrvc.exe:</p><p><table><tbody><tr><td><span style="font-family:Courier New;">ntdll.dll</span></td><td><span style="font-family:Courier New;">KiFastSystemCallRet</span></td></tr><tr><td><span style="font-family:Courier New;">vmusrvc.exe</span></td><td><span style="font-family:Courier New;">vmusrvc.exe + 0x9a17</span></td></tr><tr><td><span style="font-family:Courier New;">vmusrvc.exe</span></td><td><span style="font-family:Courier New;">vmusrvc.exe + 0x9c24</span></td></tr><tr><td><span style="font-family:Courier New;">vmusrvc.exe</span></td><td><span style="font-family:Courier New;">vmusrvc.exe + 0x91f8</span></td></tr><tr><td><span style="font-family:Courier New;">vmusrvc.exe</span></td><td><span style="font-family:Courier New;">vmusrvc.exe + 0x907f</span></td></tr><tr><td><span style="font-family:Courier New;">USER32.dll</span></td><td><span style="font-family:Courier New;">InternalCallWinProc + 0x28</span></td></tr><tr><td><span style="font-family:Courier New;">USER32.dll</span></td><td><span style="font-family:Courier New;">UserCallWinProcCheckWow + 0x150</span></td></tr><tr><td><span style="font-family:Courier New;">USER32.dll</span></td><td><span style="font-family:Courier New;">DispatchClientMessage + 0xa3</span></td></tr><tr><td><span style="font-family:Courier New;">USER32.dll</span></td><td><span style="font-family:Courier New;">__fnDWORD + 0x24</span></td></tr><tr><td><span style="font-family:Courier New;">ntdll.dll</span></td><td><span style="font-family:Courier New;">KiUserCallbackDispatcher + 0x13</span></td></tr><tr><td><span style="font-family:Courier New;">vmusrvc.exe</span></td><td><span style="font-family:Courier New;">vmusrvc.exe + 0x2d29</span></td></tr><tr><td><span style="font-family:Courier New;">vmusrvc.exe</span></td><td><span style="font-family:Courier New;">vmusrvc.exe + 0xdba6</span></td></tr><tr><td><span style="font-family:Courier New;">kernel32.dll</span></td><td><span style="font-family:Courier New;">BaseProcessStart + 0x23</span></td></tr></tbody></table></p><p>No parameters, of course, and symbol information for vmusrvc.exe does not appear to be available, but obviously user32.dll is processing some message. I may look into this more at a later point.</p><p>To find the process that was interfering with my clipboard work, I used P/Invoke to call <a href="http://msdn2.microsoft.com/en-us/library/ms649044(VS.85).aspx" target="_blank">GetOpenClipboardWindow</a>() and then <a href="http://msdn2.microsoft.com/en-us/library/ms633522(VS.85).aspx" target="_blank">GetWindowThreadProcessId</a>(), passing in the handle returned by GetOpenClipboardWindow(). Then, finding the process' executable name was just a matter of using the <a href="http://msdn2.microsoft.com/en-us/library/system.diagnostics.process.modules.aspx" target="_blank">Modules</a> collection of the <a href="http://msdn2.microsoft.com/en-us/library/system.diagnostics.process.aspx" target="_blank">Process</a> instance returned by passing in the process id retrieved by GetWindowThreadProcessId() to <a href="http://msdn2.microsoft.com/en-us/library/76fkb36k.aspx" target="_blank">System.Diagnostics.Process.GetProcessById</a>().</p><p>The following code:</p><div style="OVERFLOW-X: scroll; WIDTH: 410px"><pre>using System.Runtime.InteropServices;<br />using System.Diagnostics;<br />...<br />string data = "aasdlkjasdlk alkjsdl kajsdlkj al";<br />try<br />{<br /> Clipboard.SetData( System.Windows.Forms.DataFormats.Text, data );<br />}<br />catch( ExternalException ee )<br />{<br /> LogIt( ee.ToString() );<br /> IntPtr hWnd = GetOpenClipboardWindow();<br /> if( IntPtr.Zero != hWnd )<br /> {<br /> uint pid = 0;<br /> uint tid = GetWindowThreadProcessId( hWnd, out pid );<br /> LogIt( "Process with hWnd {0}, PID {1} ({1:x}), TID {2} ({2:x}), " +<br /> "name {3} has the clipboard", hWnd, pid, tid,<br /> Process.GetProcessById( (int)pid ).Modules[0].FileName );<br /> }<br />}</pre></div><br /><p>Resulted in the following output:</p><br /><div style="OVERFLOW-X: scroll; WIDTH: 410px"><pre>2008-03-25 00:54:45.4938864--&gt; System.Runtime.InteropServices.ExternalException: Requested Clipboard operation did not succeed.<br /> at System.Windows.Forms.Clipboard.ThrowIfFailed(Int32 hr)<br /> at System.Windows.Forms.Clipboard.SetDataObject(Object data, Boolean copy, Int32 retryTimes, Int32 retryDelay)<br /> at System.Windows.Forms.Clipboard.SetData(String format, Object data)<br /> at Clippy.Form1.button1_Click(Object sender, EventArgs e)<br />2008-03-25 00:54:45.5339440--&gt; Process with hWnd 65716 (65716), PID 1492 (5d4), TID 1496 (5d8), name C:\Program Files\Virtual Machine Additions\vmusrvc.exe has the clipboard</pre></div><br /><p>Interestingly, trying an alternative method of the Clipboard to set the content also failed. The <a href="http://msdn2.microsoft.com/en-us/library/ms158293.aspx" target="_blank">Clipboard.SetDataObject</a>() overload that takes a retryTimes and retryDelay parameter failed in the same fashion after roughly ten seconds when invoked as follows:</p><br /><div style="OVERFLOW-X: scroll; WIDTH: 410px"><pre>Clipboard.SetDataObject( data, false, 100, 100 );</pre></div><br /><p>I tried variations on retryTimes and retryDelay, to no avail.</p><p>Not sure what vmusrvc.exe is doing with the clipboard (probably has to do with monitoring it for host / guest VM interaction), but the act of setting the contents of the clipboard didn't fail 100% of the time in the VM. Often enough to make it extremely unreliable, though. During "normal" system usage, I was not able to cause a failure when running the app on a non-virtual (actual?) system.</p><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/20977280-7780232200683259614?l=mygreenpaste.blogspot.com' alt='' /></div>«/\/\Ø|ö±ò\/»®©http://www.blogger.com/profile/04886149439479604072noreply@blogger.com11tag:blogger.com,1999:blog-20977280.post-65383716975705047542008-02-21T18:17:00.000-08:002008-02-21T18:18:10.278-08:00<p><span style="font-size:78%;">Note: this content originally from </span><a href="http://mygreenpaste.blogspot.com/"><span style="font-size:78%;">http://mygreenpaste.blogspot.com</span></a><span style="font-size:78%;">. If you are reading it from some other site, please take the time to visit <a href="http://mygreenpaste.blogspot.com/">My Green Paste, Inc</a>. Thank you.</span></p><p></p><p>Twice now in as many months I have been the proud recipient of a BSOD on XP. The crashes were identical to each other with only various addresses being different (modules loaded into a different location and the like). They appear to have been caused by a bug in w29n51.sys; the crashes are of the IRQL_NOT_LESS_OR_EQUAL (a) variety. w29n51.sys is the "Intel® Wireless LAN Driver". Admittedly, I'm running a version that is likely not the latest. But it is interesting that googling the relevant stack entries (<a href="http://www.google.com/search?q=w29n51%2B0x1291" target="blank">w29n51+0x1291</a>, <a href="http://www.google.com/search?q=w29n51%2B0xa6af" target="blank">w29n51+0xa6af</a>) turns up no hits. Also of interest is that the driver file is larger than 3 MB - more than 3 times the size of the next largest driver file in %systemroot%\system32\drivers... <a href="http://technet.microsoft.com/en-us/sysinternals/bb897439.aspx" target="_blank">Strings</a> does show a large number of verbose log-type messages that one can presumably cause to be logged via some configuration setting, as well as "tabular" data.</p><p>Of course, it is also disturbing that at the time of these crashes, the wireless hardware was disabled on this laptop... <img height="17" alt="Confused" src="http://forum.sysinternals.com/smileys/smiley5.gif" width="17" align="absMiddle" border="0" /></p><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/20977280-6538371697570504754?l=mygreenpaste.blogspot.com' alt='' /></div>«/\/\Ø|ö±ò\/»®©http://www.blogger.com/profile/04886149439479604072noreply@blogger.com1tag:blogger.com,1999:blog-20977280.post-65001382170917273342008-02-19T19:36:00.001-08:002008-02-19T19:38:14.358-08:00<p><span style="font-size:78%;">Note: this content originally from </span><a href="http://mygreenpaste.blogspot.com/"><span style="font-size:78%;">http://mygreenpaste.blogspot.com</span></a><span style="font-size:78%;">. If you are reading it from some other site, please take the time to visit <a href="http://mygreenpaste.blogspot.com/">My Green Paste, Inc</a>. Thank you.</span></p><p></p><p><a href="http://blogs.msdn.com/oldnewthing/default.aspx" target="blank">Raymond Chen</a> posted about a topic yesterday that seems to hit the nail on the head with regard to some of the recent posts I've made here. In <a href="http://blogs.msdn.com/oldnewthing/archive/2008/02/18/7761978.aspx" target="blank">What's with all those spam ping-bots?</a>, he describes the methodology used by blog and comment spammers / content thieves, and the motivation ($$) for doing what they do.</p><p>Of interest: <blockquote>(You may notice that many of these sites mis-attribute the authorship; some of them even claim to have written the article themselves!)</blockquote><p></p><p>Raymond also offers some advice about what one can try to do to "hit them in the pocketbook". </p><p>Sadly (ironically?), as I write this, 50% of the comments to that very blog entry are of the type that Raymond was writing about.</p><p>So it appears that there is not much that one is going to do to curb this. Also, considering that much of the content <em>here</em> (not just the newer stuff) has already been picked up and assimilated into other sites that slap a label on it as their own, and have even translated it (?????) into foreign languages, and then stamped ads all over it, I'm not inclined to waste much effort on the matter. I'll simply preface each entry with what you have seen the last few articles start with, and hope that that part of it makes its way along with the article to wherever it winds up. I may intersperse one or two similar statements in the longer articles as well. I hope it's not too distracting...</p><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/20977280-6500138217091727334?l=mygreenpaste.blogspot.com' alt='' /></div>«/\/\Ø|ö±ò\/»®©http://www.blogger.com/profile/04886149439479604072noreply@blogger.com2tag:blogger.com,1999:blog-20977280.post-74283699039105474112008-02-07T18:56:00.001-08:002008-02-21T18:13:51.685-08:00<p><span style="font-size:78%;">Note: this content originally from </span><a href="http://mygreenpaste.blogspot.com/" target="_blank"><span style="font-size:78%;">http://mygreenpaste.blogspot.com</span></a><span style="font-size:78%;">. If you are reading it from some other site, please take the time to visit <a href="http://mygreenpaste.blogspot.com/" target="_blank">My Green Paste, Inc</a>. Thank you.</span></p><p></p><p>Recently, an individual going by the moniker 'hi' posted <a href="http://mygreenpaste.blogspot.com/2007/05/setting-priority-of-service-process-via.html#c2597936921948017958" target="_blank">a comment</a> to <a href="http://mygreenpaste.blogspot.com/2007/05/setting-priority-of-service-process-via.html">Setting the Priority of a Service Process via Script</a>:</p><blockquote><p>How would I, if I want to, find which services are part of a particular svchost.exe? Can in be done in C#? <p>Thanks!</p></blockquote><p>I replied <a href="http://mygreenpaste.blogspot.com/2007/05/setting-priority-of-service-process-via.html#c1058981251516324778" target="_blank">via comment</a>, but one has even less control over formatting in comments than one does in the actual blog posting, so I figured I would post the response here as well.</p><p align="center">=================</p><p><a href="http://technet.microsoft.com/en-us/library/bb491010.aspx" target="_blank">Tasklist.exe</a> with the /svc param can tell you, as can <a href="http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx" target="_blank">Process Explorer</a>. You can also inspect the registry to determine what services would load with what SVCHOST group (see "<a href="http://mygreenpaste.blogspot.com/2007/01/troubleshooting-performance-issues-with.html" target="_blank">Troubleshooting Performance Issues with Automatic Updates</a>" for more details).</p><p>As far as C# code, the following requires a reference to System.Management. Invoke the program, passing it the process id of the process you're curious about, and it will output the services running in that process. <p></p><div style="OVERFLOW-X: scroll; WIDTH: 410px"><pre>using System;<br />using System.Management;<br /><br />namespace MyGreenPaste<br />{<br /> class Program<br /> {<br /> static void Main( string[] args )<br /> {<br /> if( args.GetLength( 0 ) &lt;= 0 )<br /> {<br /> Console.WriteLine( "Usage: {0} pid",<br /> System.IO.Path.GetFileName(<br /> System.Diagnostics.Process.GetCurrentProcess().<br /> MainModule.FileName ) );<br /> Console.WriteLine( " where pid is the process id " +<br /> "of a process hosting at least one service" );<br /> return;<br /> }<br /><br /> try<br /> {<br /> ManagementObjectSearcher mos =<br /> new ManagementObjectSearcher( "root\\CIMV2",<br /> string.Format( "SELECT * FROM Win32_Service " +<br /> "where ProcessId={0}", args[0] ) );<br /> foreach( ManagementObject result in mos.Get() )<br /> {<br /> Console.WriteLine( "{0} -&gt; {1}", result["Name"],<br /> result["DisplayName"] );<br /> }<br /> }<br /> catch( ManagementException mex )<br /> {<br /> Console.WriteLine( "** Error querying WMI:{0}{1}",<br /> System.Environment.NewLine, mex.Message );<br /> }<br /> }<br /> }<br />}<br /></pre></div><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/20977280-7428369903910547411?l=mygreenpaste.blogspot.com' alt='' /></div>«/\/\Ø|ö±ò\/»®©http://www.blogger.com/profile/04886149439479604072noreply@blogger.com0tag:blogger.com,1999:blog-20977280.post-26215154612497912622008-02-02T10:25:00.001-08:002008-02-02T10:29:19.416-08:00<p>Ahhhh, alliteration. Anyway, just noticed that one of the other sites has posted the cheesy comment I referenced in my previous entry, <a href="http://mygreenpaste.blogspot.com/2008/01/set-priority-of-process-by-name_31.html" target="_blank">Set the Priority of a Process By Name Automatically, in Vista - Part 2</a>. So, both saw fit to post the comments (took a while for the one site, though) - the first stamped 2008-01-31 2:37 GMT, and the second stamped 2008-01-30 13:40 GMT. No sign of Part 2 on either of these sites, though... Hmmm...</p><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/20977280-2621515461249791262?l=mygreenpaste.blogspot.com' alt='' /></div>«/\/\Ø|ö±ò\/»®©http://www.blogger.com/profile/04886149439479604072noreply@blogger.com0tag:blogger.com,1999:blog-20977280.post-7376017655573016322008-01-31T19:17:00.001-08:002008-02-03T14:32:54.660-08:00<p>This isn't what I want to be writing about. But a recent discovery compels me to do so. So, I've decided to make this an experiment, and beg your apologies that this will not have much technical merit despite the title.</p><p>After the last post, <a href="http://mygreenpaste.blogspot.com/2008/01/set-priority-of-process-by-name.html" target="_blank">Set the Priority of a Process By Name Automatically, in Vista</a> (which probably could have been named a lot better), I discovered that the post had made its way to some other sites. These sites appear to pull content from all over the web, package it up as their own, and toss ads all over it. One is lucky if the site even references the original author or links back to the original location of the post. It's frustrating, to say the least. I'm all for distribution of knowledge and the like, but that's taking it too far. Maybe I shouldn't feel this way, but I (like others) put brain sweat and time into the work I do, and it would be nice if the source of the information would at least be cited if they're going to republish it without the author's consent. </p><p>So I visited two of these sites (which I have not yet decided if I will mention or not, for what I hope are obvious reasons) and attempted to leave comments. Of course the comments are moderated - don't want any upset victims coming in and raising he. The comments were along the line of:</p><blockquote><p><span style="font-family:courier new;font-size:85%;">As the author of the original article referenced here, I kindly request that those interested in it please read it at MY blog, &lt;a href="</span><span style="font-family:courier new;font-size:85%;">http://mygreenpaste.blogspot.com"</span><span style="font-family:courier new;font-size:85%;">&gt;My Green Paste, Inc.&lt;/a&gt;<br /></span><p><span style="font-family:courier new;font-size:85%;">My site does not currently have ads, and I am NOT even considering ads at this time.<br /></span><p><span style="font-family:courier new;font-size:85%;">–«/\/\Øö±ò\/»®© (molotov)</span> </p></blockquote><br /><p>Can you guess what happened? Yep - the comments were not approved, and were never published on the sites in question. I then attempted to leave another comment at each copy of my posting. This time, one site saw fit to allow the comment, and the other one did not. I suspected NO comments would have been allowed through either site, so I was a bit surprised. The comment was a bit ridiculous given the content of the posting, and rather generic; perhaps that's why it was allowed. The comment was simply:</p><pre><blockquote>does this work for other os like XP or server 2003? </blockquote></pre><br /><p>Amazing. It was posted at 2008-01-31 2:37 GMT. The comment, like this post, is a part of the experiment. See, if I mention things that I mentioned in the previous post, like CpuPriorityClass, image file execution options, IoPriority, PagePriority, PerfOptions, powershell, priority, Process Monitor, setpriorityclass, Sysinternals, Vista, WorkingSetLimitInKB, Vista, Windows Vista, Windows Vista Ultimate, etc. (sorry to get carried away there), will this post make it to these sites as well? If so, wouldn't that be somewhat funny? The comment falls in there, too - if the now published comment magically disappears from the copy of my previous post, won't that be a bit odd?</p><p>I think I'll have to start embedding a "this content originally from <a href="http://mygreenpaste.blogspot.com/">http://mygreenpaste.blogspot.com/</a>" statement into the middle of each of my posts from now on. I'm sure I'll forget, and I've probably only got one shot. That'll make for some nice, flowing reading. We'll see.</p><p>I do have some more thoughts about the <a href="http://mygreenpaste.blogspot.com/2008/01/set-priority-of-process-by-name.html" target="_blank">Set the Priority of a Process By Name Automatically, in Vista</a> topic that I expect to get out in my next post. I apologize for this distraction, and hope you'll stay tuned...</p><p>BTW - I may also have a follow up to this fork in the saga as well.</p><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/20977280-737601765557301632?l=mygreenpaste.blogspot.com' alt='' /></div>«/\/\Ø|ö±ò\/»®©http://www.blogger.com/profile/04886149439479604072noreply@blogger.com4tag:blogger.com,1999:blog-20977280.post-59840660584971295412008-01-27T19:26:00.001-08:002008-01-27T19:51:49.295-08:00<p>The other day I was playing around with the <a href="http://mygreenpaste.blogspot.com/2005/07/image-file-execution-options-good-evil.html" target="_blank">Image File Execution Options</a> and Sysinternals' <a href="http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx" target="_blank">Process Monitor</a>, in Vista. I saw an interesting query take place. Using notepad.exe as an example, I saw a query for a key called "PerfOptions" in [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe] when I ran notepad. The result was NAME NOT FOUND, so I decided to rectify that. After adding a key named "PerfOptions", I ran notepad again. In Process Monitor, I saw queries for four values:</p><ul><li>IoPriority</li><li>PagePriority</li><li>CpuPriorityClass</li><li>WorkingSetLimitInKB</li></ul><p>Because of recent explorations with process priorities*, CpuPriorityClass grabbed me right away. Looking at the <a href="http://msdn2.microsoft.com/en-us/library/ms686219.aspx" target="_blank">SetPriorityClass</a> function, one can see the different values for the dwPriorityClass parameter. I created a REG_DWORD named CpuPriorityClass in PerfOptions, and set the value to 0x80 in the hopes that notepad would launch with "HIGH_PRIORITY_CLASS". Instead, it launched with a priority of NORMAL_PRIORITY_CLASS (8) - the setting had not made any impact. Then, I set the value to 8 and launched notepad. Notepad launched with a priority of 8. I changed the value to 4, and that had no impact. I changed the value to 0 - no impact. I tried 10 - no impact. I couldn't see any tie in to any other listings of process priorities that I knew about, so I decided to try trial and error, starting from 0, with the following results:</p><center><br /><table cellspacing="0" cellpadding="2" width="310" border="1"><br /><tbody><br /><tr><br /><td valign="top" width="168"><strong>CpuPriorityClass Value</strong></td><br /><td valign="top" width="142"><strong>Priority of Notepad</strong></td><br /><td valign="top" width="118">Priority Class</td></tr><br /><tr><br /><td valign="top" width="168">1</td><td valign="top" width="142">4</td><td valign="top" width="118">Idle</td></tr><tr><td valign="top" width="168">3</td><td valign="top" width="142">13</td><td valign="top" width="118">High</td></tr><tr><td valign="top" width="168">5</td><td valign="top" width="142">6</td><td valign="top" width="118">BelowNormal</td></tr><tr><td valign="top" width="168">6</td><td valign="top" width="142">10</td><td valign="top" width="118">AboveNormal</td></tr><tr><td valign="top" width="168">Anything else^</td><td valign="top" width="142">8</td><br /><td valign="top" width="119">Normal</td></tr></tbody></table></center><br /><br /><p>^= I'm currently running a <a href="http://www.microsoft.com/powershell" target="_blank">PowerShell</a> script to iterate through all possible values (there's only about 2^32...) so it may be a while before the CpuPriorityClass value for REALTIME_PRIORITY_CLASS, should it exist, be uncovered. There may also be other values that can be used to specify a priority class that's been uncovered. I'll update or post a new topic if I uncover anything new...</p><p>The PowerShell script (don't laugh, it's my first substantial attempt at one):</p><div style="OVERFLOW-X: scroll; WIDTH: 410px"><br /><pre>$cpc=0<br />set-itemproperty "hklm:\software\microsoft\windows nt\currentversion\image file execution options\notepad.exe\perfoptions" cpupriorityclass $cpc<br />do<br />{<br /> $pp = [diagnostics.process]::start("notepad.exe", "")<br /> $ppc = $pp.PriorityClass<br /> $pp.Kill()<br /> if( $ppc -ne "Normal" )<br /> {<br /> Write-Host $cpc $ppc<br /> }<br /> $cpc++<br /> set-itemproperty "hklm:\software\microsoft\windows nt\currentversion\image file execution options\notepad.exe\perfoptions" cpupriorityclass $cpc<br />}<br />while( $cpc -lt 4294967295 )<p></p></pre></div><br /><p>Hopefully, I'll find time to do some digging into the other values in PerfOptions - IoPriority, PagePriority, and WorkingSetLimitInKB. IoPriority and PagePriority sound like they may have something to do with <a href="http://www.microsoft.com/technet/technetmag/issues/2007/03/VistaKernel/" target="_blank">memory prioritization</a> and <a href="http://www.microsoft.com/technet/technetmag/issues/2007/02/VistaKernel/" target="_blank">IO prioritization</a> in Vista. WorkingSetLimitInKB sounds self-explanatory, but how it's applied or how it's used, and other circumstances, are quite vague.</p><br /><p>*= <a href="http://mygreenpaste.blogspot.com/2007/11/setthreadpriority-vista-and-autostart.html" target="_blank">SetThreadPriority, Vista, and Autostart Locations</a>, <a href="http://mygreenpaste.blogspot.com/2007/05/setting-priority-of-service-process-via.html" target="_blank">Setting the Priority of a Service Process via Script</a></p><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/20977280-5984066058497129541?l=mygreenpaste.blogspot.com' alt='' /></div>«/\/\Ø|ö±ò\/»®©http://www.blogger.com/profile/04886149439479604072noreply@blogger.com0tag:blogger.com,1999:blog-20977280.post-76283987539709140672007-12-16T13:36:00.001-08:002007-12-17T15:14:31.688-08:00<p>After the <a href="http://mygreenpaste.blogspot.com/2007/12/vista-bsod-threadstuckindevicedriver.html" target="_blank">previous BSOD in Vista</a>, I logged in to Vista interactively as an administrator (I usually run as a standard user), and I was greeted with a dialog informing me about a "serious error" or the like. I chose to check for updates to the problem. What came back was more than I expected, but not really all that helpful for my particular situation.</p><blockquote><p><span style="font-family:Courier New;font-size:85%;">Problem caused by ATI Graphics Driver</span></p><p><span style="font-family:Courier New;font-size:85%;">This problem was caused by ATI Graphics Driver.</span></p><p><span style="font-family:Courier New;font-size:85%;">This program was created by ATI Technologies, Inc.. ATI Technologies, Inc. does not currently have a solution for the problem that you reported.</span></p><p><span style="font-family:Courier New;font-size:85%;">Recommendation</span></p><p><span style="font-family:Courier New;font-size:85%;">--------------------------------------------------------------------------------</span></p><p><span style="font-family:Courier New;font-size:85%;">The following troubleshooting steps might prevent the problem from recurring.</span></p><p><span style="font-family:Courier New;font-size:85%;">Download and install an updated version of ATI Graphics Driver from one of the following locations:<br />Microsoft Update<br />ATI Technologies, Inc.</span></p><p><span style="font-family:Courier New;font-size:85%;">If an updated driver is not available for ATI Graphics Driver, check with your computer manufacturer.</span></p><p><span style="font-family:Courier New;font-size:85%;">If you are running the latest version of ATI Graphics Driver, contact ATI Technologies, Inc. for your support options.</span></p><p><span style="font-family:Courier New;font-size:85%;">Additional information</span></p><p><span style="font-family:Courier New;font-size:85%;">If this problem continues to occur after installing the latest product updates, we recommend you get assistance and troubleshooting information directly from ATI Technologies, Inc.. </span></p><p><span style="font-family:Courier New;font-size:85%;">--------------------------------------------------------------------------------</span> </p></blockquote>I am running the latest driver, and ATI has <a href="http://ati.amd.com/products/discontinued.html" target="_blank">discontinued</a> the Radeon 9600 Pro. Not a big deal, as the problem has only happened twice. Of course, I would rather that it not happen at all... <p>»</p><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/20977280-7628398753970914067?l=mygreenpaste.blogspot.com' alt='' /></div>«/\/\Ø|ö±ò\/»®©http://www.blogger.com/profile/04886149439479604072noreply@blogger.com8tag:blogger.com,1999:blog-20977280.post-22400350052105671852007-12-13T19:20:00.001-08:002007-12-13T19:21:56.545-08:00<p>Ran across this <a href="http://blogs.msdn.com/debuggingtoolbox/archive/2007/03/28/windbg-script-playing-with-minesweeper.aspx" target="_blank">rather unique notion</a> the other day. It works! <blockquote><span style="font-family:Courier New;font-size:85%;">eb poi(@$peb+0x8)+0x36fa c6 00 8a</span></blockquote>My interpretation is that this "enters byte values" "c6 00 8a" into the address starting at offset 0x36fa from the value pointed to by offset 8 into the PEB. Whatever that ultimately does! <p></p>»<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/20977280-2240035005210567185?l=mygreenpaste.blogspot.com' alt='' /></div>«/\/\Ø|ö±ò\/»®©http://www.blogger.com/profile/04886149439479604072noreply@blogger.com3tag:blogger.com,1999:blog-20977280.post-83975646812257708072007-12-11T19:13:00.001-08:002007-12-11T19:16:18.842-08:00<p>Another update to the IE6 and IE7 <a href="http://mygreenpaste.blogspot.com/2007/07/multiple-versions-of-ie-on-same-system.html" target="_blank">Virtual PC images</a> that the IE Team at Microsoft makes available is <a href="http://www.microsoft.com/downloads/details.aspx?FamilyId=21EABB90-958F-4B64-B5F1-73D0A413C8EF&amp;displaylang=en" target="_blank">available for download</a> in the Microsoft Download Center. The previous ones expired on 2007-12-07; these expire on 2008-04-01.</p><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/20977280-8397564681225770807?l=mygreenpaste.blogspot.com' alt='' /></div>«/\/\Ø|ö±ò\/»®©http://www.blogger.com/profile/04886149439479604072noreply@blogger.com0tag:blogger.com,1999:blog-20977280.post-29398459957147140502007-12-10T19:34:00.000-08:002007-12-10T19:38:53.527-08:00<p>Recently, after resuming my Vista laptop from hibernation, I was greeted with a rather strange wait, followed by a blue screen of death. Analysis of the dump yielded the following:</p><p><blockquote><span style="font-family:Courier New;">THREAD_STUCK_IN_DEVICE_DRIVER (ea)<br />The device driver is spinning in an infinite loop, most likely waiting for hardware to become idle. This usually indicates problem with the hardware itself or with the device driver programming the hardware incorrectly.<br />If the kernel debugger is connected and running when watchdog detects a timeout condition then DbgBreakPoint() will be called instead of KeBugCheckEx()and detailed message including bugcheck arguments will be printed to the<br />debugger. This way we can identify an offending thread, set breakpoints in it, and hit go to return to the spinning code to debug it further. Because KeBugCheckEx() is not called the .bugcheck directive will not return bugcheck<br />information in this case. The arguments are already printed out to the kernel debugger. You can also retrieve them from a global variable via<br />"dd watchdog!g_WdBugCheckData l5" (use dq on NT64).<br />On MP machines (OS builds &lt;= 3790) it is possible to hit a timeout when the spinning thread is interrupted by hardware interrupt and ISR or DPC routine is running at the time of the bugcheck (this is because the timeout's work item can be delivered and handled on the second CPU and the same time). If this is the case you will have to look deeper at the offending thread's stack (e.g. using dds) to determine spinning code which caused the timeout to occur.<br />Arguments:<br />Arg1: 870246b8, Pointer to a stuck thread object. Do .thread then kb on it to find the hung location.<br />Arg2: 00000000, Pointer to a DEFERRED_WATCHDOG object.<br />Arg3: 00000000, Pointer to offending driver name.<br />Arg4: 00000000, Number of times this error occurred. If a debugger is attached, this error is not always fatal -- see DESCRIPTION below. On the blue screen, this will always equal 1. </span><p><span style="font-family:Courier New;">Debugging Details:<br />------------------ </span><p><span style="font-family:Courier New;">PEB is paged out (Peb.Ldr = 7ffd800c). Type ".hh dbgerr001" for details </span><p><span style="font-family:Courier New;">PEB is paged out (Peb.Ldr = 7ffd800c). Type ".hh dbgerr001" for details </span><p><span style="font-family:Courier New;">FAULTING_THREAD: 870246b8 </span><p><span style="font-family:Courier New;">DEFAULT_BUCKET_ID: GRAPHICS_DRIVER_FAULT </span><p><span style="font-family:Courier New;">BUGCHECK_STR: 0xEA </span><p><span style="font-family:Courier New;">PROCESS_NAME: Ati2evxx.exe </span><p><span style="font-family:Courier New;">CURRENT_IRQL: 0 </span><p><span style="font-family:Courier New;">LAST_CONTROL_TRANSFER: from 89c2a825 to 81cace97 </span><p><span style="font-family:Courier New;">STACK_TEXT: <br />a53d7704 89c2a825 000000ea 870246b8 00000000 nt!KeBugCheckEx+0x1e<br />a53d7748 89c22bfa a53d7794 00000000 89c1d786 dxgkrnl!TdrTimedOperationBugcheckOnTimeout+0x2b<br />a53d7770 8b5785dc a53d7794 00000000 00000000 dxgkrnl!TdrTimedOperationDelay+0xc9<br />WARNING: Stack unwind information not available. Following frames may be wrong.<br />a53d77c0 8b576468 8b670040 a53d785c ffffffff atikmdag+0x255dc<br />a53d77dc 8b66782c 861bd000 a53d77f8 00000014 atikmdag+0x23468<br />a53d7838 8b670101 86a58008 8b670040 a53d785c atikmdag+0x11482c<br />a53d7868 8b6cd9da 8685b0e8 00000000 00000001 atikmdag+0x11d101<br />a53d7888 8b59f159 88340000 00000000 00000001 atikmdag+0x17a9da<br />a53d78a8 8b59505c 86a58000 86a61974 00000000 atikmdag+0x4c159<br />a53d78dc 8b5973e3 00000000 86a611e0 00000001 atikmdag+0x4205c<br />a53d7904 8b5b3be0 00000001 00000001 00000001 atikmdag+0x443e3<br />a53d7960 8b5b80ab 86a58000 00000000 00000001 atikmdag+0x60be0<br />a53d7980 8b58e38d 86a58000 a53d799c a53d7ba0 atikmdag+0x650ab<br />a53d79b8 8b554e80 86a58000 a53d7ba0 00000030 atikmdag+0x3b38d<br />a53d79dc 8b55a7de a53d7ba0 00000030 a53d7bd4 atikmdag+0x1e80<br />a53d7a00 8b55af33 0011000e 00000030 a53d7bd4 atikmdag+0x77de<br />a53d7a24 8b56bdeb 00000030 a53d7ba0 00000000 atikmdag+0x7f33<br />a53d7a54 8b56bf8a 00000000 a53d7b1c a53d7ba0 atikmdag+0x18deb<br />a53d7a74 89c4a7b2 8640a648 a53d7ab4 000000b8 atikmdag+0x18f8a<br />a53d7a94 89c4a455 a53d7ab4 a5b4b811 0012e910 dxgkrnl!DXGADAPTER::DdiEscape+0x3b<br />a53d7d38 81c4607a 0012e910 0012e94c 77940f34 dxgkrnl!DxgkEscape+0x4af<br />a53d7d38 77940f34 0012e910 0012e94c 77940f34 nt!KiFastCallEntry+0x12a<br />0012e94c 00000000 00000000 00000000 00000000 0x77940f34 </span><p><span style="font-family:Courier New;">STACK_COMMAND: .thread 0xffffffff870246b8 ; kb </span><p><span style="font-family:Courier New;">FOLLOWUP_IP:<br />dxgkrnl!TdrTimedOperationBugcheckOnTimeout+2b<br />89c2a825 cc int 3 </span><p><span style="font-family:Courier New;">SYMBOL_STACK_INDEX: 1 </span><p><span style="font-family:Courier New;">SYMBOL_NAME: dxgkrnl!TdrTimedOperationBugcheckOnTimeout+2b </span><p><span style="font-family:Courier New;">FOLLOWUP_NAME: MachineOwner </span><p><span style="font-family:Courier New;">MODULE_NAME: dxgkrnl </span><p><span style="font-family:Courier New;">IMAGE_NAME: dxgkrnl.sys </span><p><span style="font-family:Courier New;">DEBUG_FLR_IMAGE_TIMESTAMP: 46899fd6 </span><p><span style="font-family:Courier New;">FAILURE_BUCKET_ID: 0xEA_IMAGE_dxgkrnl.sys </span><p><span style="font-family:Courier New;">BUCKET_ID: 0xEA_IMAGE_dxgkrnl.sys </span><p><span style="font-family:Courier New;">Followup: MachineOwner<br /></span></p></blockquote><p>Seems that the hardware was messed up, as I had to force the laptop to power down twice during subsequent boots, in order for Vista to make it to the logon prompt.</p><p>»</p><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/20977280-2939845995714714050?l=mygreenpaste.blogspot.com' alt='' /></div>«/\/\Ø|ö±ò\/»®©http://www.blogger.com/profile/04886149439479604072noreply@blogger.com0tag:blogger.com,1999:blog-20977280.post-4403355054114528432007-11-18T19:57:00.000-08:002007-11-18T20:13:05.358-08:00<p>I ran across a post on the <a href="http://blogs.msdn.com/vistacompatteam/default.aspx" target="_blank">Vista Compatibility Team Blog</a> entitled "<a href="http://blogs.msdn.com/vistacompatteam/archive/2007/04/12/setthreadpriority-from-run-key.aspx" target="_blank">SetThreadPriority from Run key</a>" that discusses a change in Vista whereby calling SetThreadPriority from an application launched from the Startup folder and the "Run" key in the registry will not cause the thread's priority to be increased.</p><p>Wanting to verify and play around with this, I wrote a simple program that called <a href="http://msdn2.microsoft.com/en-us/library/ms686277.aspx" target="_blank">SetThreadPriority</a> to set the priority of the thread to THREAD_PRIORITY_HIGHEST. The program then immediately called <a href="http://msdn2.microsoft.com/en-us/library/ms683235.aspx" target="_blank">GetThreadPriority</a> to determine if the call to SetThreadPriority had any effect. Next, in a loop, the program then called SetThreadPriority / GetThreadPriority until either an error was encountered, or GetThreadPriority returned the expected priority. The program logged before and after each call to SetThreadPriority / GetThreadPriority the time, the action, and the either the parameters or the return value.</p><p>I set the program to be launched automatically by placing a shortcut in the "Startup" folder, and rebooted. Once the system came back up, I waited a bit and then examined the log. The first call to <span style="font-family:courier new;font-size:85%;">SetThreadPriority( GetCurrentThread(), THREAD_PRIORITY_HIGHEST );</span> returned TRUE. The first call to <span style="font-family:courier new;font-size:85%;">GetThreadPriority( GetCurrentThread() );</span> returned 0 indicating THREAD_PRIORITY_NORMAL. In other words, the call to SetThreadPriority had succeeded, but the priority of the thread remained unchanged. The calls to SetThreadPriority and GetThreadPriority in the loop were identical, and returned identical values. That is, until about 45 seconds into the program's execution, when the call to GetThreadPriority returned 2, indicating that the priority of the thread was THREAD_PRIORITY_HIGHEST. This matches what is mentioned in the "SetThreadPriority from Run key" blog entry, where it is stated that:</p><blockquote>it is for about a minute or so after which the call to SetThreadPriority(THREAD_PRIORITY_HIGHEST ) will actually succeed in bumping up its priority level.</blockquote><p>I repeated the same tests, using THREAD_PRIORITY_ABOVE_NORMAL in the call to SetThreadPriority, with the same results.</p><p>I also used THREAD_PRIORITY_BELOW_NORMAL in the call to SetThreadPriority as well as THREAD_PRIORITY_LOWEST; in these cases, the call indicated success and GetThreadPriority confirmed the change in priority immediately.</p><p>The next set of tests removed the call to SetThreadPriority in the loop - just the initial call to SetThreadPriority was made. The return indicated success, but the call to GetThreadPriority returned THREAD_PRIORITY_NORMAL for many minutes; as the loop was a tight loop, I terminated the process once it became apparent that there truly would be no change to the priority of the thread. This means that requests to increase the priority are not queued up or held for later processing. The call to increase priority indicates success, the priority is not changed, and unless the thread checks, it is none the wiser.</p><p>One other thing that I thought of trying was to see what happened when a thread in a process spawned by an "autostart" process called SetThreadPriority, as above. To do so, I modified the original program to accept a command-line parameter indicating that it should spawn another instance of itself. The thread in the spawned process behaved identically to the thread in the "autostart" process; this persisted 3 "levels" deep ("autostart" instance spawns instance x, which spawns instance y), which is as deep as I tried. The Vista Compatibility Team Blog entry only mentions the Startup folder and the "Run" key as being affected by this, but I wonder if other things may be affected. It is interesting (and a good thing!) that there is a mechanism in place to cause this behavior to affect processes spawned by autostart processes (otherwise, the "protection" offered by this feature is easily defeated).</p><p>As a last test, I invoked the test program manually as quickly as I could while Vista was still processing the login. The first attempt to change the priority of the thread succeeded, and the first call to GetThreadPriority confirmed the priority change. At the same time, Vista was processing the autostart instance of the program, which behaved as it had previously when started automatically. So there is not a blanket ban on priority boosting in the first minute or so - how a program is started truly affects what it can do.</p><p>»</p><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/20977280-440335505411452843?l=mygreenpaste.blogspot.com' alt='' /></div>«/\/\Ø|ö±ò\/»®©http://www.blogger.com/profile/04886149439479604072noreply@blogger.com0tag:blogger.com,1999:blog-20977280.post-22317281500116724292007-09-06T18:36:00.000-07:002007-09-06T18:39:11.127-07:00<p><a href="http://mygreenpaste.blogspot.com/2007/07/multiple-versions-of-ie-on-same-system.html" target="_blank">Previously</a>, I had written about IE6 and IE7 Virtual PC images that the IE Team at Microsoft makes available. As the previous release of the VPCs has expired, <a href="http://blogs.msdn.com/ie/archive/2007/08/20/ie6-and-ie7-vpc-refresh-available.aspx" target="_blank">a refresh release has been issued</a>. The new release expires on 2007-12-07.</p><p>»</p><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/20977280-2231728150011672429?l=mygreenpaste.blogspot.com' alt='' /></div>«/\/\Ø|ö±ò\/»®©http://www.blogger.com/profile/04886149439479604072noreply@blogger.com0tag:blogger.com,1999:blog-20977280.post-23818738842297580982007-08-14T17:00:00.000-07:002007-08-14T17:06:29.374-07:00Microsoft has recently published an "Events and Errors Message Center" on TechNet. It is a bit like <a href="http://www.eventid.net/" target="_blank">EventId.net</a>, but you can search on more fields than Event ID and Source (note that non-Microsoft products aren't included in the Microsoft offering).<br /><br />The <a href="http://www.microsoft.com/technet/support/ee/ee_basic.aspx" target="_blank">basic search</a> allows for selection of a Microsoft product, and a search string. The <a href="http://www.microsoft.com/technet/support/ee/ee_advanced.aspx" target="_blank">advanced search</a> adds a <strong>Version</strong> field for the selected product, an <strong>Event ID</strong> field, an <strong>Event Source</strong> field, a <strong>File name</strong>, and <strong>Language</strong>. The product list isn't yet all that comprehensive with only 18 entries (and some duplicates or products that could be further filtered by version), but I hope to see it grow to encompass more products and more versions (Vista is not listed yet, for example). It would also be cool if the capability to annotate specific events was made available to users, much like can be done at EventId.net. Another idea that would be nice to see is that as products are developed / maintained / updated, part of the process would involve documenting the events and their meaning, in the same database that the Events and Errors Message Center interfaces with. Perhaps QA and other groups could even add their own annotations to specific events - what caused the problem, how the problem was resolved, etc.<br /><br />Hopefully, the Events and Errors Message Center keeps improving. Along similar lines, it would be nice to see the <a href="http://support.microsoft.com/dllhelp/" target="_blank">DLL Help Database</a> get some attention - several times I have hoped to see Vista files appear but have been disappointed.<br /><br />»<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/20977280-2381873884229758098?l=mygreenpaste.blogspot.com' alt='' /></div>«/\/\Ø|ö±ò\/»®©http://www.blogger.com/profile/04886149439479604072noreply@blogger.com0tag:blogger.com,1999:blog-20977280.post-1714169311226856172007-07-29T13:23:00.000-07:002007-08-14T17:00:32.522-07:00<p>If you need to run IE 6 and IE 7 on the same system for some reason (testing?), what are you supposed to do?</p><p>One solution is the <a href="http://tredosoft.com/Multiple_IE" target=_blank>"Multiple IE installer" from TredoSoft</a>. I haven't tried it, but it is certainly a novel approach. Looks like you can run IE3, IE4.01, IE5, IE5.5, and IE6 with it.</p><p>TredoSoft also provides <a href="http://tredosoft.com/IE7_standalone" target=_blank>instructions and a utility</a> that allows you to run IE7 side-by-side with IE6. Again, I haven't tried it, but it is good to know that it is available.</p><p>When I need to test different versions of the browser, I have as of late been relying on <a href="http://blogs.msdn.com/ie/archive/2007/04/17/ie7-virtual-pc-image-and-ie6-virtual-pc-image-refresh.aspx" target=_blank>VPC images of Windows XP with IE6 and IE7</a> that have been provided by the IE team. The VPC images run with the free <a href="http://www.microsoft.com/windows/products/winfamily/virtualpc/default.mspx" target=_blank>Virtual PC 2007</a>. They expire on 2007-08-17, for various reasons, but the IE team has in the past provided a "refresh" for the IE6 VPC image when it last expired, and the expectation is that this will continue. The expiration-refresh cycle allows for control over how "old" an image is allowed to get - refreshes have the latest security patches installed so people aren't left running ancient and (overly) vulnerable VPC images.</p><p>The images won't pass WGA for obvious reasons but this hasn't affected my ability to test with them.</p><p>I tend to customize my IE settings pretty severely, so it is nice to be able to test with "stock" / "virgin" installs of IE. One might argue that using the VPC images doesn't necessarily mean one has two different versions of IE on the same system - that the introduction of a VM means another "system" is involved. While this is true, the VM solution does prevent one from needing to have multiple physical machines around just for the sake of testing. And, while the TredoSoft solution may work, I can't help but think that the possbility exists for the solution itself to be a potential cause of problems. </p><p>»</p><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/20977280-171416931122685617?l=mygreenpaste.blogspot.com' alt='' /></div>«/\/\Ø|ö±ò\/»®©http://www.blogger.com/profile/04886149439479604072noreply@blogger.com0tag:blogger.com,1999:blog-20977280.post-42327018444234834372007-06-15T20:44:00.001-07:002007-06-15T20:46:12.273-07:00I recently received the following via email. I responded, but never heard back. Hopefully the information will be of use to others... <blockquote><p>Hi, Found your name on the web when I was looking at some stuff on slashdot and I thought maybe you might have a moment to point me in the right direction.<br />I have a custom app which I have zero access to in terms of the developer. When the app was run on new hardware, a few users would periodically get a bizarre error, but never on their old hardware. Main difference seems to be core 2 duo on the new laptops.<br />Anyway, this error causes a total reset of the internal windows database system used by the app and then there's an error in msvcr80.dll. Is there a way I can tell from the data below what routine went bad in that module? I could at least then tell the guy who guards the gates to tell the developer a little bit more. At this point the "guard" is convinced it is just because the dll is not the latest version. I think it is probably not that simple. </p><p>[app].exe signature<br />Appname [app].exe App. Ver. 0.0.0.0<br />Mod Name: msvcr80.dll<br />Mod Ver: 8.0.50215.44<br />Offsett: 000161fd<br /><br />Error report contents<br />Exception info:<br />Code 0x0000005<br />Flag 0x00000000<br />Record 0x000000000000000<br />Address: 0x000000007C3861fd</p><p> </p></blockquote>I responded with the following: <blockquote><p>It does appear that the problem may lie in the version of MSVCR80.DLL you referenced. At least, getting this to an appropriate version seems like a very reasonable first step towards troubleshooting. </p><p>According to a dude on the VC++ compiler team (Jonathan Caves @ <a href="http://forums.microsoft.com/MSDN/ShowPost.aspx?PostID=164465&SiteID=1&amp;PageID=1" target="_blank">http://forums.microsoft.com/MSDN/ShowPost.aspx?PostID=164465&SiteID=1&amp;PageID=1</a> ), version 8.0.50215.44 of MSVCR80.DLL "is not an officially released version"; he links to this site (<a href="http://www.dll-files.com/dllindex/dll-files.shtml?msvcr80" target="_blank">http://www.dll-files.com/dllindex/dll-files.shtml?msvcr80</a> ), which has a statement by another member of the VC++ team (Martyn Lovell):</p><p>"a) This is the beta 2 version of msvcr80.dll. Don\'t install it. b) This file should never be installed in system32 (except on Win9x and Windows 2000). c) The .NET framework already installs the copy correctly (in WinSxS). d) The correct source for an msvcr80 binary is from your application provider, not from this site. Martyn" </p><p>The MS DLLHelp Database entries for MSVCR80.DLL (<a href="http://support.microsoft.com/dllhelp/?dlltype=file&amp;l=55&alpha=msvcr80.dll&amp;S=1" target="_blank">http://support.microsoft.com/dllhelp/?dlltype=file&amp;l=55&alpha=msvcr80.dll&amp;S=1</a> ) indicate that you can get the DLL from "MS SQL 2005 Server Enterprise" or "Microsoft Visual Studio 2005 Professional". Martyn from Microsoft indicates that you should get this DLL from the application provider. He also stated that you can get it as part of the .NET Framework redistributable (version 2.0). It also appears that you can get it as a part of a package from the "Microsoft Visual C++ 2005 SP1 Redistributable Package (x86)" at <a href="http://www.microsoft.com/downloads/details.aspx?FamilyID=200B2FD9-AE1A-4A14-984D-389C36F85647&displaylang=en" target="_blank">http://www.microsoft.com/downloads/details.aspx?FamilyID=200B2FD9-AE1A-4A14-984D-389C36F85647&amp;displaylang=en</a>.</p><p>FWIW, 0x0000005 is not a valid exception code, though I suspect you meant 0xc0000005, which is the code for an access violation. You're reporting a crash at address 0x7C3861fd. With no other info it is difficult to determine what is loaded at that address (especially since the "shipping" / non-beta versions of MSVCR80.DLL are based at 0x78130000 with a virtual size of 0x9b000), but it seems likely that the beta version of MSVCR80.dll has a different base address (0x7C370000) / size which could/should include the crash address (or, the DLL could have been rebased by the loader). </p><p>I suspect that a "Dr. Watson" or "Windows Error Reporting" dump file may have been created from the application crash(es) - these are files with a .dmp extension, and they contain information useful for debugging, or getting more information about, these kinds of problems. </p><p>Hope this helps you!</p><p>-molotov</p></blockquote><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/20977280-4232701844423483437?l=mygreenpaste.blogspot.com' alt='' /></div>«/\/\Ø|ö±ò\/»®©http://www.blogger.com/profile/04886149439479604072noreply@blogger.com0tag:blogger.com,1999:blog-20977280.post-49327748946226908752007-06-04T21:52:00.000-07:002007-06-04T19:33:26.532-07:00I was reading a recent blog entry by <a href="http://software.ericsink.com/" target="_blank">Eric Sink</a>, and he made some comments that I thought I would take the time to share. Nothing profound on my end, mind you... ;)<br /><br />In "<a href="http://software.ericsink.com/entries/Petzold_Nathan.html" target="_blank">In defense of Petzold's WPF book</a>", the founder of <a href="http://www.sourcegear.com/" target="_blank">SourceGear</a> writes about a recent trend in books and tools for developers that focus on "quick results", and the trade off that goes along with this trend - loss of "deep understanding". I too have noticed this in working with various developers. While it is admirable that one is able to produce results quickly and ship a product in record time, or add some features in the blink of an eye, it seems that much of the productivity is lost when problems crop up - problems that are at least partially a lack of - you guessed it - deep understanding. As I'm one who likes to have Deep Understanding, I'm probably biased. That said, I can fully appreciate Eric's statement that "When I hire a software developer, I look for deep understanding". I think that it is important to understand how something works so you are able to use it as effectively as possible. Perhaps this is why I am inclined to consider writing software an art, as opposed to a means to an end. Sure, it's both, but how you treat it can have a significant impact on the quality of the end product. At least, that's been my experience.<br /><br />To me, Deep Understanding implies passion - if one takes the time to understand something fully, to explore all venues of a topic or a technology, they truly care about what it is they're doing and are excited by it. And I can't see doing something as a profession and not being passionate about it.<br /><br />»<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/20977280-4932774894622690875?l=mygreenpaste.blogspot.com' alt='' /></div>«/\/\Ø|ö±ò\/»®©http://www.blogger.com/profile/04886149439479604072noreply@blogger.com4tag:blogger.com,1999:blog-20977280.post-17954900269015673612007-05-22T18:57:00.000-07:002007-05-22T19:10:01.736-07:00<p>Just received the following that is related to <a href="http://mygreenpaste.blogspot.com/search/label/SVCHOST">the SVCHOST issues that I've written about in the past</a>...</p><p>MS has released "<a href="http://www.microsoft.com/technet/security/advisory/927891.mspx" target="_blank">Microsoft Security Advisory (927891)</a> - Fix for Windows Installer (MSI)" that's not really a direct security concern, but actually addresses concerns that might prevent people from getting critical security or other updates.<br /><br />As previously mentioned, it involves MS KB 927891 - "<a href="http://support.microsoft.com/kb/927891" target="_blank">You receive an access violation error and the system may appear to become unresponsive when you try to install an update from Windows Update or from Microsoft Update</a>", and the current revision of the article (8.0) states "This fix is one component of a two-part fix that includes a Windows Update client software update. These updates will be deployed automatically using Windows Update in May 2007 and June 2007."</p><p>Again, this update is one of two that need to be applied to fully address the issue. The other update is version 3.0 of the Windows Update Client Software, available from MS KB 932494, "<a href="http://support.microsoft.com/kb/932494">When you use Automatic Updates to scan for updates or to apply updates to applications that use Windows Installer, you experience issues that involve the Svchost.exe process</a>". </p><p>One can also hope that this will help address <a href="http://mygreenpaste.blogspot.com/search?q=0x8ddd0009">the 0x8ddd0009 problems</a> that MANY have been experiencing...</p><p>»</p><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/20977280-1795490026901567361?l=mygreenpaste.blogspot.com' alt='' /></div>«/\/\Ø|ö±ò\/»®©http://www.blogger.com/profile/04886149439479604072noreply@blogger.com0tag:blogger.com,1999:blog-20977280.post-89403941889381354192007-05-21T21:15:00.000-07:002007-05-21T19:13:14.262-07:00<p>Initially, I was going to start off by saying that I've been reading more books and less content online, but that wouldn't be accurate. I've actually picked up more online reading, but I'm also more frequently finding myself with a good book in hand before bed. Currently, I'm finding my way through Eldad Eilam's <i><a href="http://www.amazon.com/Reversing-Secrets-Engineering-Eldad-Eilam/dp/0764574817/ref=pd_bbs_sr_1/103-9684225-1836664?ie=UTF8&s=books&amp;qid=1177422598&sr=8-1" target="_blank">Reversing: Secrets of Reverse Engineering</a></i>. It's a good read so far and I hope to learn a lot.</p><p>I've ALWAYS got Russinovich &amp; Solomon's <i><a href="http://www.amazon.com/Microsoft-Windows-Internals-Fourth-Pro-Developer/dp/0735619174/ref=pd_bbs_sr_1/103-9684225-1836664?ie=UTF8&s=books&amp;qid=1177422755&sr=1-1" target="_blank">Windows Internals</a></i> open, and I've been through it cover to cover a few times as well. There's just so much good stuff there, and I've got a memory like a goldfish... =8-&gt;</p><p>Recently, I also read Hoglund and Butler's <i><a href="http://www.amazon.com/Rootkits-Subverting-Addison-Wesley-Software-Security/dp/0321294319/ref=pd_bbs_2/103-9684225-1836664?ie=UTF8&s=books&amp;qid=1177422755&sr=1-2" target="_blank">Rootkits: Subverting the Windows Kernel</a></i> for the second time. The chapter on DKOM is probably my favorite.</p><p>I just finished Raymond Chen's <i><a href="http://www.amazon.com/Old-New-Thing-Development-Throughout/dp/0321440307/ref=sr_1_1/103-9684225-1836664?ie=UTF8&amp;s=books&qid=1177423122&amp;sr=1-1" target="_blank">The Old New Thing: Practical Development Throughout the Evolution of Windows</a></i>. The anecdotes range from light to heavy, and the lessons to be learned are well presented. I like Raymond's writing style and it is good to hear his perspectives on why things are the way they are. For whatever reason I hadn't picked up Raymond's blog on MSDN, "<a href="http://blogs.msdn.com/oldnewthing/" target="_blank">The Old New Thing</a>", though I was well aware of it. Probably had something to do with the volume; two posts per day seems quite high to me. After reading the book, though, I'm subscribed! Sigh. I'm not a fan of the "bonus online chapters" concept, though I am sure that I'm going to go and read them sometime. Kind of detracts from the whole "book" experience if the whole book isn't... well, whole, I suppose.</p><p>A later post will detail some of the stuff I'm subscribed to online.</p><p>»</p><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/20977280-8940394188938135419?l=mygreenpaste.blogspot.com' alt='' /></div>«/\/\Ø|ö±ò\/»®©http://www.blogger.com/profile/04886149439479604072noreply@blogger.com1tag:blogger.com,1999:blog-20977280.post-63860608047931941582007-05-06T04:29:00.000-07:002008-12-08T16:57:37.275-08:00<P>I use <a href="http://www.microsoft.com/windows/products/windowsvista/features/details/readyboost.mspx" target=_blank>ReadyBoost</a> in Vista. One day, I went to power up my laptop and when Vista resumed from hibernation I noticed that the light on the USB Flash-memory Device (UFD) was not on. Finding this a bit odd, I jumped into Windows Explorer, double-clicked on the E drive (the letter assigned to the UFD), and was presented with an interesting dialog:<br /><a href="http://2.bp.blogspot.com/_ZN289iRXuJw/RjHfQf1tcyI/AAAAAAAAABk/-xS1qq_248c/s1600-h/VistaNullOpText.jpg"><img style="cursor:pointer; cursor:hand;" src="http://2.bp.blogspot.com/_ZN289iRXuJw/RjHfQf1tcyI/AAAAAAAAABk/-xS1qq_248c/s400/VistaNullOpText.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5058069331031454498" /></a><br /><pre><br />Title: Item Not Found<br />Text: Could not find this item<br />This is no longer located in &lt;%3 NULL:OpText&gt;.<br />Verify the item's location and try again.<br /> Removable Disk<br /><br /> Try Again Cancel<br /></pre>&nbsp;</P><P>So I looked at the back of my laptop to verify the item's location, and deciding that the item was still there I clicked "Try Again". (I know, I know - not really what the person who wrote the message for the dialog intended...) I don't recall if the dialog dismissed and another instance reappeared, or if it was just that nothing happened. Either way, I wasn't getting anywhere. I unplugged the UFD, and plugged it back in again and things were fine.</P><P>A few days later, the same thing happened. I suspect I'll be dealing with this for a while.</P><P>Procedurally, I hate to think that I'm going to have to eject the device prior to hibernating, and then plug the device in again when Vista resumes - that's too tedious for my tastes. ReadyBoost would have to have a significant impact on performance for me to go through that rigamarole, and at this point I'm just not convinced that's the case.</P><P>Anyone else coping with %3 NULL:OpText? How are you dealing with it?</P><br /><P>&raquo;<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/20977280-6386060804793194158?l=mygreenpaste.blogspot.com' alt='' /></div>«/\/\Ø|ö±ò\/»®©http://www.blogger.com/profile/04886149439479604072noreply@blogger.com5tag:blogger.com,1999:blog-20977280.post-90015252062599200032007-05-01T18:06:00.000-07:002007-05-01T18:32:03.629-07:00<p>Previously (<a href="http://mygreenpaste.blogspot.com/2007/01/troubleshooting-performance-issues-with.html" target="_blank">here</a> and <a href="http://mygreenpaste.blogspot.com/2007/02/more-on-isolating-shared-services-in.html" target="_blank">here</a>), I've written about isolating shared services so that they run in their own process, with a specific focus on the Windows Update Automatic Updates Service (wuauserv) that typically runs in the NETSVCS SVCHOST.EXE instance. One thing that can be done once this is accomplished is to lower the priority of the process so that when the service winds up consuming 100% of the CPU, the system doesn't become unresponsive.</p><p>Since we're dealing with a service, setting the priority of such a SVCHOST.EXE process can become problematic - the service may already be running, or, because it is a service, it is not started as non-service processes are, so one is not able to use <span style="font-family:courier new;">START / [LOW NORMAL HIGH REALTIME ABOVENORMAL BELOWNORMAL] </span>to impose a priority when the process starts. One can use a utility like Task Manager or <a href="http://www.microsoft.com/technet/sysinternals/utilities/processexplorer.mspx" target="_blank">Process Explorer</a> to set the priority of a process on an ad hoc basis, but when the service restarts or the system reboots one has to remember to set the priority again.</p><p>Though not an ideal solution the following scripts (VBS using WMI, and <a href="http://www.microsoft.com/windowsserver2003/technologies/management/powershell/download.mspx" target="_blank">PowerShell</a>) can be used to set the priority of the SVCHOST.EXE instance hosting the isolated Windows Update Automatic Updates Service service to "below normal". Note that no check is done to ensure that the SVCHOST.EXE instance is only hosting one service - if wuauserv is found to be a service inside of the process, the priority is adjusted. Note also that no error handling is implemented.</p><p>I'll try to format the code so it looks nice, but I fear I will be <a href="http://mygreenpaste.blogspot.com/2006/08/poor-code-formatting-with-blogger.html" target="_blank">limited</a>...</p><p>Here's the code for the VBS / WMI script:</p><div style="OVERFLOW-X: scroll; WIDTH: 410px"><br /><pre><br />Const BELOW_NORMAL = 16384<br />Set objWMIService = GetObject("winmgmts:\\.\root\CIMV2")<br />Set colServices = objWMIService.ExecQuery( _<br /> "SELECT * FROM Win32_Service where name='wuauserv'")<br />For Each oService in colServices<br /> Set colProcesses = objWMIService.ExecQuery( _<br /> "SELECT * FROM Win32_Process where ProcessId=" & oService.ProcessId )<br /> For Each oProcess in colProcesses<br /> oProcess.SetPriority(BELOW_NORMAL)<br /> Next<br />Next<br /></pre><br /></div><br /><p></p><p>Here's the code for the <a href="http://www.microsoft.com/windowsserver2003/technologies/management/powershell/download.mspx" target="_blank">PowerShell</a> script:</p><div style="OVERFLOW-X: scroll; WIDTH: 410px"><br /><pre><br />(gps -id (get-wmiobject win32_service where {$_.name -eq "wuauserv"}).ProcessId).PriorityClass="BelowNormal"<br /></pre><br /></div><br /><p></p><p>The different values for the priority parameter of the SetPriority method of the Win32_Process WMI class can be found in the <a href="http://msdn2.microsoft.com/en-us/library/aa393587.aspx" target="_blank">documentation for the SetPriority method</a>.</p><p>The different values for the PriorityClass in the PowerShell script are "Normal", "Idle", "High", "RealTime", "BelowNormal", or "AboveNormal". Or, to get a list of the available options, one can use the following PowerShell command:</p><div style="OVERFLOW-X: scroll; WIDTH: 410px"><br /><pre><br />[ENUM]::getNames("System.Diagnostics.ProcessPriorityClass")<br /></pre><br /></div><p></p><p>Once the script is in place and working, one can cause it to be invoked at will, or via scheduled task at specific times, or after logon, or any other way that one can get something to happen when Windows boots or a user logs on.</p><p><br />»</p><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/20977280-9001525206259920003?l=mygreenpaste.blogspot.com' alt='' /></div>«/\/\Ø|ö±ò\/»®©http://www.blogger.com/profile/04886149439479604072noreply@blogger.com8tag:blogger.com,1999:blog-20977280.post-74993078993412751682007-04-27T07:07:00.000-07:002007-04-27T04:41:30.293-07:00<p><a href="http://www.alex-ionescu.com/?page_id=2" target="_blank">Alex Ionescu</a> has posted <a href="http://www.alex-ionescu.com/?page_id=6" target="_blank">some publications</a> at his blog. I've only had an opportunity to go through the three-part series on Windows XP / 2003 User-Mode Debugging Internals, but I found them to be quite interesting and I hope to go through the rest of the publications which cover topics like Process Internals, VB File Format, NTFS ADS, and Subverting Windows 2003 SP1 Kernel Integrity Protection.</p><p>One thing (probably trivial) that I am curoius about in the User-Mode Debugging Internals papers is the analysis of NtDebugActiveProcess. Alex comments in his analysis in <a href="http://www.alex-ionescu.com/dbgk-3.pdf" target=_blank>part 3</a> "Don't allow debugging the initial system process". The check for the initial system process is made, and STATUS_ACCESS_DENIED is returned if indeed it is the initial system process that is the subject of the debug attempt. I am curious as to why, prior to returning in this case, the process is not dereferenced (<a href="http://www.osronline.com/ddkx/kmarch/k107_6vg2.htm" target="_blank">ObDereferenceObject</a>(Process);)? Is it simply the nature of the system process that this is not required, though perhaps it might be considered good practice to call ObDereferenceObject(Process) in this case? Or is there some other reason?</p><p>Does anyone have any thoughts on the above?</p><p>»</p><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/20977280-7499307899341275168?l=mygreenpaste.blogspot.com' alt='' /></div>«/\/\Ø|ö±ò\/»®©http://www.blogger.com/profile/04886149439479604072noreply@blogger.com0tag:blogger.com,1999:blog-20977280.post-74576271548821755982007-04-23T19:00:00.000-07:002007-04-24T19:04:51.370-07:00<p>OK... I admit it. I'm jumping on the whole "tagging" thing (or as Blogger likes to call it, "Labels") a bit late. Shortly after converting to the "new" Blogger, I made a rather unconscious decision to ignore the field that allows for tagging new items. So there are many posts that were made with the new blogger that don't have tags. I plan on tagging a few at a time, but with 140+ posts, this could take a bit of time.</p><p>»</p><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/20977280-7457627154882175598?l=mygreenpaste.blogspot.com' alt='' /></div>«/\/\Ø|ö±ò\/»®©http://www.blogger.com/profile/04886149439479604072noreply@blogger.com0tag:blogger.com,1999:blog-20977280.post-61471538561909799952007-04-16T21:57:00.000-07:002007-04-16T18:53:28.404-07:00Previously (<a href="http://mygreenpaste.blogspot.com/2007/03/part-1-introduction-whats-using-my-cpu.html" target=_blank>Part 1: Introduction - What's using my CPU?</a>), I kicked off what I expect to be a multi-part series on determining what is causing excessive CPU consumption, outside of the normal "which process has the highest value in the CPU column in Task Manager".<br /><br />Before I get into things, a little bit of background may prove useful or mildly entertaining. Over on "Sysinternals Forums", there were recently two similar problems that both involved excessive CPU utilization that was not attributable to a specific process. I became involved in both problems and attempted to use similar techniques to get additional information with the hopes of ultimately being able to pinpoint the problem. What may make this mildly entertaining is that in both cases, there was limited or no success in detetmining the cause of or solution to the problem. In the end, <a href="http://forum.sysinternals.com/forum_posts.asp?TID=10021&PN=2&TPN=1" target=_blank>one problem</a> was resolved by disabling the floppy disk controller, and the <a href="http://forum.sysinternals.com/forum_posts.asp?TID=10025&PN=2&TPN=1" target=_blank>other problem</a> appears to be as of yet unresolved. (In the latter case, <a href="http://forum.sysinternals.com/forum_posts.asp?TID=10025&PN=2&TPN=2#44180" target=_blank>the poster did admit</a> that the system was experiencing hardware problems - the chipset fan was dying and there were diagnostic beep codes during / after POST. These hardware problems could be related to the problem.) Despite the lack of success in determining the cause of the problems I do feel that I learned a bit about this type of problem and gained some insight into the use of some tools that can come in handy in this situation.<br /><br />In the two cases, the problem consisted of the CPU spending a lot of time servicing interrupts and deferred procedure calls (DPCs). What are interrupts and DPCs? "<i>Windows Internals</i>, Chapter 3 - System Mechanisms" says:<blockquote>Interrupts ... are operating system conditions that divert the processor to code outside the normal flow of control. An interrupt is an asynchronous event (one that can occur at any time) that is unrelated to what the processor is executing. Interrupts are generated primarily by I/O devices, processor clocks, or timers.</blockquote><blockquote>A deferred procedure call (DPC) is a function that performs a system task—a task that is less time-critical than the current one. The functions are called deferred because they might not execute immediately.<br /></blockquote>It is interesting to note that one may have a problem with excessive CPU use but may not be able determine it by using Windows' Task Manager. This is because for whatever reason, Task Manager adds time the CPU spends servicing interrupts and DPCs to the "System Idle Process". Microsoft's / Sysinternals' <a href="http://www.microsoft.com/technet/sysinternals/utilities/processexplorer.mspx" target=_blank>Process Explorer</a> includes separate "artificial" processes for interrupts and DPCs so that one can see how much time the CPU spends dealing with each. Per Process Explorer's help file, "high CPU consumption by these activities can indicate a hardware problem or device driver bug".<br /><br />Another thing that could be consuming CPU is the SYSTEM process. The process of determining what system thread is consuming the CPU is similar to determining what thread in a user-mode process is utilizing the CPU. However, excessive CPU utilization by the SYSTEM process might be a little more serious as it is an indication that some driver is possibly running rampant.<br /><br />Next time, I plan to introduce some tools that can be useful in exploring DPC and interrupt activity on a system, as well as discussing how to determine what driver might be inolved with excessive CPU utilization in the SYSTEM process.<P><br />&raquo;<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/20977280-6147153856190979995?l=mygreenpaste.blogspot.com' alt='' /></div>«/\/\Ø|ö±ò\/»®©http://www.blogger.com/profile/04886149439479604072noreply@blogger.com3tag:blogger.com,1999:blog-20977280.post-68099361627551693532007-03-26T04:35:00.000-07:002008-12-08T16:57:37.497-08:00Formatting strings can be a tricky job...<br /><center><a href="http://2.bp.blogspot.com/_ZN289iRXuJw/RgexDXTHuWI/AAAAAAAAABA/g_-vYXoYYoU/s1600-h/thanksVS.jpg"><img id="BLOGGER_PHOTO_ID_5046196578843867490" style="CURSOR: hand" alt="" src="http://2.bp.blogspot.com/_ZN289iRXuJw/RgexDXTHuWI/AAAAAAAAABA/g_-vYXoYYoU/s400/thanksVS.jpg" border="0" /></a></center><br />I'm sure there's a logical explanation, but still... It really {0} me off when {1} Visual Studio 2005 SP1 decided to throw this {2} my way.<br /><br />»<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/20977280-6809936162755169353?l=mygreenpaste.blogspot.com' alt='' /></div>«/\/\Ø|ö±ò\/»®©http://www.blogger.com/profile/04886149439479604072noreply@blogger.com0tag:blogger.com,1999:blog-20977280.post-2474689034396961272007-03-19T18:15:00.000-07:002007-04-16T18:57:35.755-07:00In the past, I've written about both <a href="http://mygreenpaste.blogspot.com/2007/01/troubleshooting-performance-issues-with.html" target="_blank">high CPU utilization by SVCHOST.EXE</a> as well as <a href="http://mygreenpaste.blogspot.com/search?q=0x8ddd0009" target="_blank">the 0x8ddd0009 Windows Update / Microsoft Update error</a>, so I thought I would mention this...<br /><br />MS KB 932494 (<a href="http://support.microsoft.com/kb/932494">When you use Automatic Updates to scan for updates or to apply updates to applications that use Windows Installer, you experience issues that involve the Svchost.exe process</a>) references problems that are addressed by MS KB 916089 (<a href="http://support.microsoft.com/kb/916089">FIX: When you run Windows Update to scan for updates that use Windows Installer, including Office updates, CPU utilization may reach 100 percent for prolonged periods</a>) and MS KB 927891 (<a href="http://support.microsoft.com/kb/927891">You receive an access violation when you try to install an update from Windows Update after you apply hotfix package 916089</a>). However, even after applying the patch associated with 927891 (which replaces the patch associated with 916089), 932494 indicates that the following problems remain: <blockquote>1) Certain 100 percent CPU issues are still present when you use the Svchost.exe process.<br />2) An access violation may occur in the Svchost.exe process.</blockquote>I (as well as others) have speculated in the past that 916089 (and its succedent patches) can also help with <a href="http://mygreenpaste.blogspot.com/search?q=0x8ddd0009" target="_blank">the 0x8ddd0009 error message</a> that one might receive from Windows Update / Microsoft Update.<br /><br />»<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/20977280-247468903439696127?l=mygreenpaste.blogspot.com' alt='' /></div>«/\/\Ø|ö±ò\/»®©http://www.blogger.com/profile/04886149439479604072noreply@blogger.com8tag:blogger.com,1999:blog-20977280.post-49974084548580658932007-03-06T18:35:00.000-08:002007-04-16T19:00:25.544-07:00Recently, I have been involved in attempting to diagnose problems with excessive CPU utilization. Often times, this type of thing is relatively easy to identify - at least as far as pointing the finger at the thing that is consuming CPU cycles. Task Manager can be used for this - simply sort the "CPU" column in descending order and note the process that is at the top of the list. One can use a similar technique with <a href="http://www.microsoft.com/technet/sysinternals/SystemInformation/ProcessExplorer.mspx" target="_blank">Process Explorer</a>.<br /><br />In the past (<a href="http://mygreenpaste.blogspot.com/2006/12/case-of-sluggish-internet-explorer-7.html" target="_blank">here</a> and <a href="http://mygreenpaste.blogspot.com/2006/12/using-process-monitor-to-troubleshoot.html" target="_blank">here</a>), I've given examples that demonstrate various techniques that can be used to try to determine what a process is doing when it is consuming so much CPU. Sometimes, you can do something about it - if you have the debugging symbols, perhaps there is something in the stack of the thread or threads in the process that is consuming the CPU that will lead you to some setting, feature, or configuration piece that can be manipulated so as to avoid the problem. Or perhaps just knowing the module name is enough information to identify the problem software - a recently installed add-in / plug-in, or a new utility, perhaps. Sometimes you are forced to work around the problem - you don't have any control over it and don't want to stop using the program, or have no choice but to keep using the program.<br /><br />But what happens when the excessive CPU utilization is not attributable to a "standard" process? In the coming series of articles, I hope to explore some of the things that can be done to diagnose and troubleshoot this type of scenario. Stay tuned...<br /><br />»<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/20977280-4997408454858065893?l=mygreenpaste.blogspot.com' alt='' /></div>«/\/\Ø|ö±ò\/»®©http://www.blogger.com/profile/04886149439479604072noreply@blogger.com0tag:blogger.com,1999:blog-20977280.post-1459585869309091762007-03-02T04:30:00.000-08:002007-03-02T04:32:18.324-08:00<p>I'll make this one brief...</p><p>Sorry for the lack of updates lately - I'm working on a number of other things and haven't found a lot of time to write. I have something kind of fun planned that may be a three or four <span class="blsp-spelling-error" id="SPELLING_ERROR_0">parter</span> but it will probably be a bit slow in coming. It will also be a learning experience for me, so that should be cool. I will post things as I finish them, but there may be revisions to the content when the later parts are posted. I hope to have the first one (introduction) up by the end of the coming weekend.</p><p>I appreciate your patience, understanding, and continued readership. Thank you.</p><p>»</p><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/20977280-145958586930909176?l=mygreenpaste.blogspot.com' alt='' /></div>«/\/\Ø|ö±ò\/»®©http://www.blogger.com/profile/04886149439479604072noreply@blogger.com0tag:blogger.com,1999:blog-20977280.post-73209240977444346472007-02-18T09:44:00.000-08:002007-04-25T04:41:37.906-07:00I've written about Sysinternals' <a href="http://www.microsoft.com/technet/sysinternals/SystemInformation/processmonitor.mspx" target="_blank">Process Monitor</a> utility before:<br /><ul><li><a href="http://mygreenpaste.blogspot.com/2006/11/microsoft-sysinternals-process-monitor.html" target="_blank">Microsoft / Sysinternals Process Monitor</a></li><li><a href="http://mygreenpaste.blogspot.com/2006/12/using-process-monitor-to-troubleshoot.html" target="_blank">Using Process Monitor to Troubleshoot Internet Explorer 7 Performance Issues</a></li><br /></ul>I have had a few months now to work with Process Monitor, and it certainly is amazing. The filtering capabilities are great, and the fact that the filters are not destructive makes slicing and dicing the data many ways quite simple. The ability to capture all of the data that the utility can capture makes it quite powerful, and the ability to get stack traces for each event is extremely useful.<br /><br />Going off the observation that Process Monitor is currently at version 1.01, and the assumption that the utility will see further development, I have hopes that the following relatively small ideas will be taken into consideration for future releases, and that further discussion and conversation is sparked.<br /><br />1) Allow for the use of CTRL+C to copy selected data to the clipboard. Some data can be copied in this fashion, but from my experience not much. In many cases, one can right-click and choose "Copy" from the context menu, but that's inconvenient. For example, on Event properties, on the Event tab for a Profiling Interrupt, I can select the User and Kernel times and press CTRL+C, and the data will go to the clipboard. However, if I select the date, the result, or the sequence #, the only way to copy the selection is by using the mouse.<br /><br />2) Along the same lines, it would be useful to have a "Copy details to clipboard" button on each tab of the Event properties - it would simply grab all of the displayed data and copy it to the clipboard with the click of a button. Or the use of a hotkey accelerator. This would have come in handy on the Stack tab, but there I was at least able to save the data to a CSV file and work with it in that fashion.<br /><br />3) I would like to be able to sort by each of the columns displayed on Process tab of the Event's properties, in the "DLLs" section. It might also be nice to toggle display of path (this would affect sort as well), or perhaps add another column for just the module name.<br /><br />4) In Options --> "History Depth", the edit part of the spin control could be a bit wider - there is plenty of room on the dialog...<br /><br />5) It might be inferred that I prefer to avoid using the mouse. As such, it pains me when there are no hotkeys on a dialog box. I find myself constantly wanting to "ALT+A" to add a filter on the "Process Monitor Filter" dialog, or "ALT+R" to remove, or whatever. Other dialogs, such as Configure Symbols, Select Columns, Show Unique Values, etc, could also benefit from hotkeys. I do love the fact that so many things in the main UI are accessible with the CTRL key - CTRL+L for the filter, CTRL+J for jump to, etc.<br /><br />For further exploration / discussion:<br />-- I realize it can be difficult to determine what to do for an implementation of "Jump to" for certain classes - what would one "jump to" for a profiling interrupt, for example? For Process and Thread activity, one might wish to "Jump to" Dependency Walker for "Process Create" and "Load Image" operations. For "Thread Create" and "Thread Exit" events, however, a relevant action is not clear. Does anyone have any thoughts or ideas?<br /><br /><span style="font-size:85%;"><em>[Note: The spirit of the above was posted by me to the Process Monitor forum on Sysinternals' Forums at "</em></span><a href="http://forum.sysinternals.com/forum_posts.asp?TID=9862&PN=1" target="_blank"><span style="font-size:85%;"><em>Process Monitor - Feature Requests</em></span></a><span style="font-size:85%;"><em>". Reprinting here with my own permission. Apologies if you've seen this before. I also apologize for my client's rude behavior.]</em></span><br /><br />»<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/20977280-7320924097744434647?l=mygreenpaste.blogspot.com' alt='' /></div>«/\/\Ø|ö±ò\/»®©http://www.blogger.com/profile/04886149439479604072noreply@blogger.com0tag:blogger.com,1999:blog-20977280.post-36012733282237130012007-02-08T19:02:00.000-08:002007-04-25T04:40:59.438-07:00Previously (<a href="http://mygreenpaste.blogspot.com/2007/01/troubleshooting-performance-issues-with.html" target="_blank">Troubleshooting Performance Issues with Automatic Updates / How to Isolate A Shared Service Hosted by SVCHOST.EXE</a>) I had detailed some steps that one could follow to isolate a shared service hosted by SVCHOST.EXE, in the context of the Windows Update Automatic Updates service. There are a couple of other ways to isolate a shared service, with different implications.<br /><br />The intention / desire of a service to be "shared" or not is typically indicated when the service is created - the fifth parameter to <a href="http://msdn2.microsoft.com/en-us/library/ms682450.aspx" target="_blank">CreateService</a> is dwServiceType, which for our interests can be, among other things, SERVICE_WIN32_OWN_PROCESS (0x10) or SERVICE_WIN32_SHARE_PROCESS (0x20). Once a service has been created, the dwServiceType setting can be changed by calling <a href="http://msdn2.microsoft.com/en-us/library/ms681987.aspx" target="_blank">ChangeServiceConfig</a> with the appropriate parameters.<br /><br />Windows XP and Server 2003 ship with a utility program called "SC.exe". (I seem to recall using SC.EXE on NT 4.0, after it was included in some resource kit, but I could be mistaken. The <a href="http://support.microsoft.com/dllhelp/?dlltype=file&l=55&amp;alpha=sc.exe&S=1&amp;x=8&y=16" target="_blank">DLL Help Database listing for SC.EXE</a> puts the earliest version as having shipped with Visual Studio .NET 2002.) SC presumably stands for "Service Controller". At any rate, one can use SC to change the configuration of a service, including the "service type" - "shared" or "own". So, using wuauserv - the Windows Update Automatic Updates service - as a guinea pig, one could execute from a CMD prompt:<br /><br /><pre>sc config wuauserv type= own</pre>to cause the service to run in its own process. (The service will need to be restarted for this to happen.) To change it back to a shared service, use the following command:<br /><br /><pre>sc config wuauserv type= share</pre>Note that in both commands, the space after the '=' character is critical. For this change (back to "shared") to take effect, the system will likely need to be rebooted as the "original" SVCHOST group that this service was a part of is already running. This is also the case when un-doing the configuration to make the service run in its <a href="http://mygreenpaste.blogspot.com/2007/01/troubleshooting-performance-issues-with.html" target="_blank">own SVCHOST group</a>.<br /><br />The SC commands above are actually just manipulating the registry - you could make the change directly to achieve the same outcome. The setting in question (again, using wuauserv as a guinea pig) is located at [<span style="font-family:courier new;font-size:85%;">HKEY_LOCAL_MACHINE\SYSTEM\ CurrentControlSet\Services\wuauserv</span>] - the "Type" REG_DWORD value. The type corresponds to the aforementioned dwServiceType, which can be (for our purposes here) SERVICE_WIN32_OWN_PROCESS (0x10) or SERVICE_WIN32_SHARE_PROCESS (0x20). To isolate the service, set type to 0x10, and to undo the change, set type back to 0x20 (keeping in mind the restart considerations previously mentioned).<br /><br />Another thing to keep in mind is the consideration that perhaps a service is not meant to be isolated; those concerns are discussed a wee bit more <a href="http://mygreenpaste.blogspot.com/2007/01/troubleshooting-performance-issues-with.html" target="_blank">here</a>.<br /><br />One subtle difference in techniques is that if you <a href="http://mygreenpaste.blogspot.com/2007/01/troubleshooting-performance-issues-with.html" target="_blank">isolate a service into its own SVCHOST group</a>, the command line for the svchost.exe process changes to reflect the group name you speficied when setting up the configuration. However, if you use the SC.EXE / "Type" registry value change technique, the command line for the svchost.exe process remains the same - in the case of wuauserv, the "netsvcs" group is still specified on the command line even though the SVCHOST instance will only be hosting one service.<br /><br />»<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/20977280-3601273328223713001?l=mygreenpaste.blogspot.com' alt='' /></div>«/\/\Ø|ö±ò\/»®©http://www.blogger.com/profile/04886149439479604072noreply@blogger.com6tag:blogger.com,1999:blog-20977280.post-44886970856286072002007-02-01T19:25:00.000-08:002008-12-08T16:57:37.662-08:00Some additional questions have been raised here and elsewhere about what precisely causes the "<a href="http://mygreenpaste.blogspot.com/2007/01/unspecified-potential-security-risk.html" target="_blank">Unspecified Potential Security Risk</a>" dialog - the one from Internet Explorer that looks like:<br /><a href="http://1.bp.blogspot.com/_ZN289iRXuJw/Ra7l75o5DZI/AAAAAAAAAAk/75K7aYzspWs/s1600-h/unspecified.jpg"><img id="BLOGGER_PHOTO_ID_5021203451812056466" style="CURSOR: hand" alt="" src="http://1.bp.blogspot.com/_ZN289iRXuJw/Ra7l75o5DZI/AAAAAAAAAAk/75K7aYzspWs/s400/unspecified.jpg" border="0" /></a><br /><br /><span style="font-family:arial;">Internet Explorer<br /></span><br /><span style="font-family:arial;">This page has an unspecified potential security risk.<br />Would you like to continue?<br /></span><br />The dialog is displayed when the setting "Launching applications and unsafe files" is set to "Prompt" for the security zone that Windows / Internet Explorer believes itself to be operating in.<br /><br />Changing the setting to "Enable" for the specific zone eliminates the dialog, while changing the setting to "Disable" produces a "Security Alert" dialog stating that "Your current security settings do not allow this action."<br /><a href="http://4.bp.blogspot.com/_ZN289iRXuJw/RcKuY114sWI/AAAAAAAAAA4/bzbA5AjOKtM/s1600-h/securityDisallow.jpg"><img id="BLOGGER_PHOTO_ID_5026771875892080994" style="CURSOR: hand" alt="" src="http://4.bp.blogspot.com/_ZN289iRXuJw/RcKuY114sWI/AAAAAAAAAA4/bzbA5AjOKtM/s400/securityDisallow.jpg" border="0" /></a><br /><br /><p>»</p><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/20977280-4488697085628607200?l=mygreenpaste.blogspot.com' alt='' /></div>«/\/\Ø|ö±ò\/»®©http://www.blogger.com/profile/04886149439479604072noreply@blogger.com12tag:blogger.com,1999:blog-20977280.post-19976745294840056522007-01-28T19:20:00.000-08:002007-04-25T04:45:03.949-07:00...or,<br /><span style="font-size:130%;">How to Isolate A Shared Service Hosted by SVCHOST.EXE</span><br /><br />There are a number of articles in the Microsoft Knowledge Base about performance issues with Windows Update / Microsoft Update, as well as <a href="http://support.microsoft.com/kb/926464" target="_blank">other problems</a> related to the scanning mechanisms used by automatic-type update services. There are some <a href="http://support.microsoft.com/kb/916089" target="_blank">fixes</a>, and <a href="http://support.microsoft.com/kb/927891" target="_blank">fixes for some fixes</a>, but no "ultimate" solution. Stepping back a bit, how can you even determine if Automatic Updates is causing performance issues on your system?<br /><br />The Automatic Updates service is not a stand-alone process, so it is not sufficient to simply look for which process is consuming the most CPU time or the most memory. Rather, Automatic Updates is integrated into the "<strong>netsvcs</strong>" SVCHOST service hosting instance. On the systems that I have examined, this instance hosts over 20 services - 25 services on the system I am using to write this. How can you see what services are running inside of a process? One way is to use "<span style="font-family:courier;">tasklist /svc</span>", and examine the "Services" column. Another way is to use <a href="http://www.microsoft.com/technet/sysinternals/SystemInformation/ProcessExplorer.mspx" target="_blank">Process Explorer</a> - simply hover the mouse pointer over a process and any services that are contained in the process are listed in a tooltip. Or, view the Process' "Properties" page and examine the "Services" tab for more details.<br /><br />This sharing of services in one process isn't a bad thing - Windows has been doing this for some time. There are times when it makes sense, and times when it doesn't. Basically, processes are expensive and the more you have the more resources they consume. If you are able to share services in the address space of a process, you are conserving resources. But if the services have different security needs, for example, then you should probably split them into two separate processes to "isolate" the functionality that requires greater privileges.<br /><br />Back to the task at hand... The fact that services can share a process is nice, but this really gets in the way of troubleshooting a service you suspect may be causing problems. So it can be useful to extract a shared service and make it run in its own process. With services hosted by SVCHOST, the configuration is controlled in the registry. Microsoft doesn't publicly document the interfaces for SVCHOST.EXE as it doesn't want people writing services and making them run in the same address space of processes that host Windows built-in services - if the service is poorly written it can cause SVCHOST.EXE to crash, and subsequently kill all of the other services running in that instance of SVCHOST.EXE. That doesn't mean you can't manipulate the built-in Windows services to use a configuration you desire, though...<br /><br />The SVCHOST services are controlled by registry settings in <span style="font-family:courier new;font-size:85%;">[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]</span>. (Standard warnings about editing the registry apply.) Each REG_MULTI_SZ in this key represents a SVCHOST group containing a list of one or more services to run in an instance of SVCHOST.EXE. So if one wishes to isolate the Automatic Updates service, one needs to find which group it is in. The "name" of the Automatic Updates service is "<strong>wuauserv</strong>" - Windows Update Automatic Updates service. This service resides in the "<strong>netsvcs</strong>" group. So, since the desire is to create a new SVCHOST instance to run the service in, remove <strong>wuauserv</strong> from the list in the <strong>netsvcs</strong> value. Then, create a new REG_MULTI_SZ value and give it an appropriate name, such as AutomaticUpdates. Add <strong>wuauserv</strong> to this value.<br /><br />Next, navigate to <span style="font-family:courier new;font-size:85%;">[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet \Services\wuauserv]</span> and change the <strong>ImagePath</strong> (which specifies the program and arguments the Service Control Manager is to use to invoke the service) from:<br /><span style="font-family:courier;">%systemroot%\system32\svchost.exe -k netsvcs</span><br />to:<br /><span style="font-family:courier;">%systemroot%\system32\svchost.exe -k AutomaticUpdates</span><br /><br />That's it. Stop and restart the Automatic Updates service (<span style="font-family:courier new;">net stop wuauserv</span> / <span style="font-family:courier new;">net start wuauserv</span>) and you should see a new instance of SVCHOST.EXE that contains only the Automatic Updates service. Now you can monitor the performance of this process, drop its priority (Task Manager or Process Explorer), etc.<br /><br />The same technique can be applied to isolate other SVCHOST hosted services as well. However, some caution and investigation should be applied on a case-by-case basis- it should be noted that some services may have some dependence on residing in the same address space as another service. This may or may not be intentional; if intentional I suspect that it probably has to have some relation to performance. If not intentional, it is likely a bug.<br /><br />»<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/20977280-1997674529484005652?l=mygreenpaste.blogspot.com' alt='' /></div>«/\/\Ø|ö±ò\/»®©http://www.blogger.com/profile/04886149439479604072noreply@blogger.com5tag:blogger.com,1999:blog-20977280.post-22925890196898537732007-01-24T19:05:00.000-08:002007-04-25T04:45:40.249-07:00A quick one this week...<br /><br />Ran into an interesting posting at <strong>shell: revealed</strong> about features of Longhorn that didn't make the cut. <a href="http://shellrevealed.com/blogs/shellblog/archive/2006/10/09/Features-that-didn_2700_t-make-the-cut.aspx" target="_blank">The post</a> paints the picture that after the Longhorn reset (described <a href="http://www.microsoft-watch.com/content/developer/the_dirty_little_secret_about_longhorn.html" target="_blank">here</a>), a lot of features were yanked, and then goes on to describe some rather humorous things that just make you think... "What if?"<br /><br />»<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/20977280-2292589019689853773?l=mygreenpaste.blogspot.com' alt='' /></div>«/\/\Ø|ö±ò\/»®©http://www.blogger.com/profile/04886149439479604072noreply@blogger.com0tag:blogger.com,1999:blog-20977280.post-60663800903739942032007-01-18T19:18:00.000-08:002007-04-25T04:46:24.296-07:00I don't know how I missed it (well, I suspect it's related to quirks in the method(s) in which Microsoft makes notifications of new KB articles available), but it seems that Microsoft has released an update to Internet Explorer 7 to address the performance issues with the Phishing Filter that I had previously (<a href="http://mygreenpaste.blogspot.com/2006/12/case-of-sluggish-internet-explorer-7.html" target="_blank">here</a> and <a href="http://mygreenpaste.blogspot.com/2006/12/using-process-monitor-to-troubleshoot.html" target="_blank">here</a>) encountered.<br /><br />The KB article (<a href="http://support.microsoft.com/kb/928089" target="_blank">The computer may respond very slowly as the Phishing Filter evaluates Web page contents in Internet Explorer 7</a>) is dated December 12, 2006, and contains links to download pages for various versions of Windows that Internet Explorer 7 can run on. Your copy of Windows has to pass the Windows Genuine Advantage (WGA) check before Microsoft will allow you to download the fix. Once downloaded, installation is straightforward; depending on what programs you have open at the time, you may be required to reboot after the installation finishes.<br /><br />It is interesting to note that the Cause section (below) explains exactly the conditions I was operating in, and the behavior I observed.<br /><hr /><span style="font-family:arial;">CAUSE<br /></span><span style="font-family:arial;"><br />This problem occurs when one or more of the following conditions are true:<br />• The Web page contains many frames.<br />• You browse many frames in a short time.<br />Internet Explorer 7 evaluates the whole Web page when you browse a frame. Therefore, CPU usage may be very high.</span><br /><hr /><br /></span><p></p>Additionally, the workaround (at the bottom of the article) is to disable the Phishing Filter on the "Advanced" tab of the "Internet Options".<br /><p></p>Prior to installing the update, I set the Phishing Filter to "Turn off automatic website checking" ("Advanced" tab of "Internet Options") and made sure it was "Enabled" for the Internet Explorer Security Zone I was working in. I then verified that I was able to recreate the behavior I witnessed in <a href="http://mygreenpaste.blogspot.com/2006/12/case-of-sluggish-internet-explorer-7.html" target="_blank">The Case of the Sluggish Internet Explorer 7</a>.<br /><p></p>I installed the update and needed to reboot (I forgot I had <a href="http://www.sharpreader.net" target="_blank">SharpReader</a> open, and it had loaded MSHTML.DLL). Upon reboot I attempted to cause the CPU to spike by doing precisely the things that had caused the problem in the past. I didn't have any luck in doing so. In fact, none of the threads in the iexplore.exe process were consuming an inordinate amount of CPU. It would appear that the fix involved, to some extent at least, changing the technique Internet Explorer uses to queue up requests to have something evaluated by the Phishing Filter (<a href="http://mygreenpaste.blogspot.com/2006/12/case-of-sluggish-internet-explorer-7.html" target="_blank">previously</a>, I had hypothesized that Internet Explorer 7 was using the <a href="http://msdn2.microsoft.com/en-us/library/ms686760.aspx" target="_blank">ThreadPool API</a> and was creating a new thread for each request). Based on my explorations so far, the fix takes care of the problem. Kudos to Microsoft for recognizing the problem and taking appropriate steps to address it.<br /><p></p>The fix updates 2 Windows / Internet Explorer program files in %windir%\system32 - ieapfltr.dll (the "Microsoft Phishing Filter") and mshtml.dll (the "Microsoft (R) HTML Viewer"). I didn't take the time to save off copies of the previous versions of these DLLs to try to compare differences (perhaps an exercise for another day). However, the new MSHTML.DLL has a date of 2006-11-09, and the new IEAPFLTR.DLL has a date of 2006-11-08. Internet Explorer 7.0 was released on 2006-10-18. So it appears that Microsoft knew of problems with the Phishing Filter performance prior to launch; obviously this wasn't a showstopper issue. It also would appear to have taken just over 1 month for the fix to make its way through the testing / release process. I guess that's not too bad, considering that some high-priority / critical security updates take at least that long. On the other hand, this is a new feature so it didn't have the legacy behind it that some of the security updates have to contend with. I guess I should just be happy to have a fix... ;)<br /><br />»<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/20977280-6066380090373994203?l=mygreenpaste.blogspot.com' alt='' /></div>«/\/\Ø|ö±ò\/»®©http://www.blogger.com/profile/04886149439479604072noreply@blogger.com14tag:blogger.com,1999:blog-20977280.post-85918017204463052252007-01-17T19:14:00.000-08:002008-12-08T16:57:37.701-08:00Oh, my. Two weeks in a row with ambiguous security-related messages from a web browser.<br /><br />This week, we have the following:<br /><a href="http://1.bp.blogspot.com/_ZN289iRXuJw/Ra7l75o5DZI/AAAAAAAAAAk/75K7aYzspWs/s1600-h/unspecified.jpg"><img id="BLOGGER_PHOTO_ID_5021203451812056466" style="CURSOR: hand" alt="" src="http://1.bp.blogspot.com/_ZN289iRXuJw/Ra7l75o5DZI/AAAAAAAAAAk/75K7aYzspWs/s400/unspecified.jpg" border="0" /></a><br /><br /><span style="font-family:arial;">Internet Explorer<br /></span><br /><span style="font-family:arial;">This page has an unspecified potential security risk.<br />Would you like to continue?<br /></span><br />If it wasn't for the fact that I wasn't browsing the web - I was trying to open a ZIP file on a network share - I probably would have said "No". But since I really needed to get into the ZIP file, I decided to take my unspecified potential chances. I think I'm OK.<br /><br />»<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/20977280-8591801720446305225?l=mygreenpaste.blogspot.com' alt='' /></div>«/\/\Ø|ö±ò\/»®©http://www.blogger.com/profile/04886149439479604072noreply@blogger.com2tag:blogger.com,1999:blog-20977280.post-77379876341107242292007-01-10T18:34:00.000-08:002008-12-08T16:57:37.747-08:00I was going through some CHM help files the other day and I wound up copying one of the links to the clipboard and tossing it into <a href="http://www.maxthon.com/" target="_blank">Maxthon</a>. I wasn't even really aware of what I was doing (just plodding along mindlessly) so I was rather surprised when I was presented with the following dialog:<br /><a href="http://4.bp.blogspot.com/_ZN289iRXuJw/RaWiJ5o5DYI/AAAAAAAAAAY/IsE1qaZ_Nl0/s1600-h/Puritanical.jpg"><img id="BLOGGER_PHOTO_ID_5018595650749140354" style="CURSOR: hand" alt="" src="http://4.bp.blogspot.com/_ZN289iRXuJw/RaWiJ5o5DYI/AAAAAAAAAAY/IsE1qaZ_Nl0/s400/Puritanical.jpg" border="0" /></a><br /><br /><span style="font-family:arial;">Security Warning !<br /><br />Using MK: protocol in browser may cause puritanical security problems.<br />Do you really want to enable this protocol during this session?</span><br /><br />Of course, I had no desire to cause puritanical security problems, so I went with the default "No". The URL I had copied was in fact a "Microsoft Infotech" protocol link in the form of:<br /><span style="font-family:courier new;font-size:85%;">mk:@MSITStore:f:\file.chm::/Whatever/Whatever.html</span><br /><br />The InfoTech protocol has changed several times over the last few years to reduce security vulnerabilities in HTML help. See <a href="http://support.microsoft.com/kb/896358/" target="_blank">MS05-026: A vulnerability in HTML Help could allow remote code execution</a> and <a href="http://support.microsoft.com/kb/840315/" target="_blank">MS04-023: Vulnerability in HTML Help could allow code execution</a> for more information.<br /><br />Another issue that is seen rather frequently is the inability to open CHM / HTML Help files from a network path (UNC path or mapped drive). The article "<a href="http://support.microsoft.com/kb/896054" target="_blank">You cannot open remote content by using the InfoTech protocol after you install security update 896358, security update 840315, or Windows Server 2003 Service Pack 1</a>" discusses various registry settings that can be manipulated to allow the display of content in CHM files in this scenario.<br /><br />»<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/20977280-7737987634110724229?l=mygreenpaste.blogspot.com' alt='' /></div>«/\/\Ø|ö±ò\/»®©http://www.blogger.com/profile/04886149439479604072noreply@blogger.com0tag:blogger.com,1999:blog-20977280.post-14357533622934585742007-01-02T19:36:00.000-08:002008-12-08T16:57:37.761-08:00Unfortunately, I forgot what website I was visiting when I encountered the following dialog:<br /><br /><a href="http://2.bp.blogspot.com/_ZN289iRXuJw/RZslncS39mI/AAAAAAAAAAM/NfZep_BgiAc/s1600-h/IE+Dialog.jpg" target=_blank><img id="BLOGGER_PHOTO_ID_5015643969547662946" style="CURSOR: hand" alt="" src="http://2.bp.blogspot.com/_ZN289iRXuJw/RZslncS39mI/AAAAAAAAAAM/NfZep_BgiAc/s400/IE+Dialog.jpg" border="0" /></a><br /><br /><span style="font-family:courier;">Assertion Failed: Unrecognized tag mtpstoolkit:RatingBehavior<br /><br />Break into debugger?<br /></span><br />I have no concrete idea what the dialog is related to, but I suspect it has to do with some AJAX framework. Interestingly, <a href="http://www.google.com/search?q=mtpstoolkit" target=_blank>googling mtpstoolkit</a> (groups search <a href="http://groups.google.com/groups?q=mtpstoolkit" target=_blank>here</a>) currently proves to be rather fruitless. The stack of the thread "owning" the dialog (with a large number of calls in jscript.dll) seems to support the AJAX theory:<br /><span style="font-family:courier new;font-size:85%;"><br />ntoskrnl.exe!KiSwapContext+0x2e<br />ntoskrnl.exe!KiFastCallEntry+0xf8<br />ntdll.dll!KiFastSystemCallRet<br />USER32.dll!NtUserWaitMessage+0xc<br />USER32.dll!InternalDialogBox+0xd0<br />USER32.dll!SoftModalMessageBox+0x938<br />USER32.dll!MessageBoxWorker+0x2ba<br />USER32.dll!MessageBoxIndirectW+0x56<br />ieframe.dll!SHFusionMessageBoxIndirect+0x26<br />ieframe.dll!CDocHostUIHandler::ShowMessage+0x128<br />ieframe.dll!CDocHostUIHandler::Exec+0xe6<br />ieframe.dll!CDocObjectHost::OnExec+0xcb1<br />ieframe.dll!CDocObjectHost::Exec+0xd7<br />mshtml.dll!CreateHTMLPropertyPage+0x2503b<br />mshtml.dll!CreateHTMLPropertyPage+0x22f72<br />mshtml.dll!CreateHTMLPropertyPage+0x8980<br />mshtml.dll!CreateHTMLPropertyPage+0x3f40c<br />mshtml.dll!DllGetClassObject+0xc53d3<br />mshtml.dll!DllGetClassObject+0xca51f<br />mshtml.dll!DllGetClassObject+0xca498<br />mshtml.dll!DllGetClassObject+0xca353<br />jscript.dll!IDispatchExInvokeEx2+0xac<br />jscript.dll!IDispatchExInvokeEx+0x56<br />jscript.dll!InvokeDispatchEx+0x78<br />jscript.dll!VAR::InvokeByDispID+0x7e<br />jscript.dll!CScriptRuntime::Run+0x1675<br />jscript.dll!ScrFncObj::Call+0x8d<br />jscript.dll!NameTbl::InvokeInternal+0x40<br />jscript.dll!VAR::InvokeByDispID+0xfd<br />jscript.dll!VAR::InvokeByName+0x165<br />jscript.dll!VAR::InvokeDispName+0x43<br />jscript.dll!VAR::InvokeByDispID+0xb9<br />jscript.dll!CScriptRuntime::Run+0x16c9<br />jscript.dll!ScrFncObj::Call+0x8d<br />jscript.dll!NameTbl::InvokeInternal+0x40<br />jscript.dll!VAR::InvokeByDispID+0xfd<br />jscript.dll!VAR::InvokeByName+0x165<br />jscript.dll!VAR::InvokeDispName+0x43<br />jscript.dll!VAR::InvokeByDispID+0xb9<br />jscript.dll!CScriptRuntime::Run+0x1675<br />jscript.dll!ScrFncObj::Call+0x8d<br />jscript.dll!NameTbl::InvokeInternal+0x40<br />jscript.dll!VAR::InvokeByDispID+0xfd<br />jscript.dll!VAR::InvokeByName+0x165<br />jscript.dll!VAR::InvokeDispName+0x43<br />jscript.dll!VAR::InvokeByDispID+0xb9<br />jscript.dll!CScriptRuntime::Run+0x1675<br />jscript.dll!ScrFncObj::Call+0x8d<br />jscript.dll!NameTbl::InvokeInternal+0x40<br />jscript.dll!VAR::InvokeByDispID+0xfd<br />jscript.dll!VAR::InvokeByName+0x165<br />jscript.dll!VAR::InvokeDispName+0x43<br />jscript.dll!VAR::InvokeByDispID+0xb9<br />jscript.dll!CScriptRuntime::Run+0x1675<br />jscript.dll!ScrFncObj::Call+0x8d<br />jscript.dll!NameTbl::InvokeInternal+0x40<br />jscript.dll!VAR::InvokeByDispID+0xfd<br />jscript.dll!VAR::InvokeByName+0x165<br />jscript.dll!VAR::InvokeDispName+0x43<br />jscript.dll!VAR::InvokeByDispID+0xb9<br />jscript.dll!CScriptRuntime::Run+0x1675<br />jscript.dll!ScrFncObj::Call+0x8d<br />jscript.dll!NameTbl::InvokeInternal+0x40<br />jscript.dll!VAR::InvokeByDispID+0xfd<br />jscript.dll!JsFncCall+0x8e<br />jscript.dll!NatFncObj::Call+0x41<br />jscript.dll!NameTbl::InvokeInternal+0x40<br />jscript.dll!VAR::InvokeByDispID+0xfd<br />jscript.dll!VAR::InvokeByName+0x165<br />jscript.dll!VAR::InvokeDispName+0x43<br />jscript.dll!VAR::InvokeByDispID+0xb9<br />jscript.dll!CScriptRuntime::Run+0x1675<br />jscript.dll!ScrFncObj::Call+0x8d<br />jscript.dll!NameTbl::InvokeInternal+0x40<br />jscript.dll!VAR::InvokeByDispID+0xfd<br />jscript.dll!VAR::InvokeByName+0x165<br />jscript.dll!VAR::InvokeDispName+0x43<br />jscript.dll!VAR::InvokeByDispID+0xb9<br />jscript.dll!CScriptRuntime::Run+0x1675<br />jscript.dll!ScrFncObj::Call+0x8d<br />jscript.dll!NameTbl::InvokeInternal+0x40<br />jscript.dll!VAR::InvokeByDispID+0xfd<br />jscript.dll!VAR::InvokeByName+0x165<br />jscript.dll!VAR::InvokeDispName+0x43<br />jscript.dll!VAR::InvokeByDispID+0xb9<br />jscript.dll!CScriptRuntime::Run+0x16c9<br />jscript.dll!ScrFncObj::Call+0x8d<br />jscript.dll!NameTbl::InvokeInternal+0x40<br />jscript.dll!VAR::InvokeByDispID+0xfd<br />jscript.dll!JsFncApply+0xc4<br />jscript.dll!NatFncObj::Call+0x41<br />jscript.dll!NameTbl::InvokeInternal+0x40<br />jscript.dll!VAR::InvokeByDispID+0xfd<br />jscript.dll!VAR::InvokeByName+0x165<br />jscript.dll!VAR::InvokeDispName+0x43<br />jscript.dll!VAR::InvokeByDispID+0xb9<br />jscript.dll!CScriptRuntime::Run+0x1675<br />jscript.dll!ScrFncObj::Call+0x8d<br />jscript.dll!NameTbl::InvokeInternal+0x40<br />jscript.dll!VAR::InvokeByDispID+0xfd<br />jscript.dll!CScriptRuntime::Run+0x16c9<br />jscript.dll!ScrFncObj::Call+0x8d<br />jscript.dll!CSession::Execute+0xa1<br />jscript.dll!NameTbl::InvokeDef+0x179<br />jscript.dll!NameTbl::InvokeEx+0xcb<br />mshtml.dll+0x2234<br />mshtml.dll!DllGetClassObject+0x24151<br />mshtml.dll!DllGetClassObject+0x77fb6<br />mshtml.dll!DllGetClassObject+0x7925f<br />mshtml.dll!DllGetClassObject+0x6f679<br />mshtml.dll!DllGetClassObject+0x9f5de<br />mshtml.dll!DllGetClassObject+0xb63c7<br />USER32.dll!InternalCallWinProc+0x28<br />USER32.dll!UserCallWinProcCheckWow+0x150<br />USER32.dll!DispatchMessageWorker+0x306<br />USER32.dll!DispatchMessageW+0xf<br />avant.exe+0x5df02<br />avant.exe+0x5df5b<br />avant.exe+0x39941f<br /></span><br />Anyone know what precisely mtpstoolkit is a part of?<br /><br />»<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/20977280-1435753362293458574?l=mygreenpaste.blogspot.com' alt='' /></div>«/\/\Ø|ö±ò\/»®©http://www.blogger.com/profile/04886149439479604072noreply@blogger.com0tag:blogger.com,1999:blog-20977280.post-85135351945523831562006-12-26T20:14:00.000-08:002007-04-25T04:47:58.792-07:00[<b><span style="color:red;">Added 2007-01-18: <a href="http://mygreenpaste.blogspot.com/2007/01/fix-available-for-performance-problems.html" target="_blank">Fix Available for Performance Problems with Internet Explorer 7's Phishing Filter </a>...</span></b>]<br /><br /><a href="http://mygreenpaste.blogspot.com/2006/12/case-of-sluggish-internet-explorer-7.html" target="_blank">Previously</a>, I wrote about sluggish behavior with Internet Explorer 7. I had used <a href="http://www.microsoft.com/technet/sysinternals/SystemInformation/ProcessExplorer.mspx" target="_blank">Process Explorer</a> to help pinpoint the cause of the sluggishness - in this case, it was Internet Explorer 7's (anti)phishing filter. I could also have used a relatively new tool from <a href="http://www.microsoft.com/technet/sysinternals/default.mspx" target="_blank">Microsoft's Windows Sysinternals</a> - <a href="http://mygreenpaste.blogspot.com/2006/11/microsoft-sysinternals-process-monitor.html" target="_blank">Process Monitor</a>.<br /><br /><p>In Process Monitor, it is easy to get inundated with all of the data that the tool collects. Filters are very critical to enabling one to find the desired information, and the implementation of filters in Process Monitor is top notch. For this exercise, after starting Process Monitor and checking "Generate Profiling Events" on the "Options" menu, I captured events while exercising the web application with the Phishing Filter set to "Turn off automatic website checking" and "Enabled" for the Security zone the web application was in. After capturing events for a minute or so, I set the following filters:<br />-Process Name is iexplore.exe then Include<br />-Event Class is Registry then Exclude<br />-Event Class is File System then Exclude<br />-Event Class is Process then Exclude</p><p>This displayed all "profiling" events for the iexplore.exe process. I double-clicked an event to bring up the "Event Properties" dialog and clicked on the "Stack" tab, which had the following information:<br /><span style="font-family:courier new;font-size:85%;"><br />ntdll.dll!KiFastSystemCallRet<br />kernel32.dll!WaitForSingleObject + 0x12<br />ole32.dll!GetToSTA + 0x6f<br />ole32.dll!CRpcChannelBuffer::SwitchAptAndDispatchCall + 0xf6<br />ole32.dll!CRpcChannelBuffer::SendReceive2 + 0xb9<br />ole32.dll!CAptRpcChnl::SendReceive + 0xab<br />ole32.dll!CCtxComChnl::SendReceive + 0x113<br />RPCRT4.dll!NdrProxySendReceive + 0x43<br />RPCRT4.dll!NdrClientCall2 + 0x1fa<br />OLEAUT32.dll!IDispatch_RemoteInvoke_Proxy + 0x1b<br />OLEAUT32.dll!IDispatch_Invoke_Proxy + 0xb6<br />ieapfltr.dll!ATL::CComPtr<idispatch>::GetProperty + 0x56<br />ieapfltr.dll!FieldContainer::VisitInput + 0x1b9<br />ieapfltr.dll!FieldContainer::VisitAllElements + 0x21d<br />ieapfltr.dll!FieldContainer::ExtractFieldCount + 0x10e<br />ieapfltr.dll!FieldContainer::InitFieldCount + 0x9<br />ieapfltr.dll!PageDetails::Init + 0x315<br />ieapfltr.dll!PageDetails::Factory + 0x59<br />ieapfltr.dll!HeuristicsFeatures::InnerExecute + 0x15b<br />ieapfltr.dll!HeuristicsFeatures::Execute + 0x55<br />ieapfltr.dll!ProcessingThread::RunPageAnalysis + 0x1b4<br />ieapfltr.dll!ProcessingThread::RunUrlAndPageAnalysis + 0xdb<br />ieapfltr.dll!ProcessingThread::Analyze + 0xd3<br />ieapfltr.dll!ProcessingThread::AnalyzeFrame + 0x249<br />ieapfltr.dll!ProcessingThread::EnumerateFrames + 0x2e5<br />ieapfltr.dll!ProcessingThread::EnumerateFrames + 0x249<br />ieapfltr.dll!ProcessingThread::Evaluate + 0x1ec<br />ieapfltr.dll!ProcessingThread::Execute + 0x78<br />ieapfltr.dll!ProcessingThread::Process + 0x24e<br />ieapfltr.dll!ProcessingThread::Start + 0x72<br />ieapfltr.dll!Evaluator::ContinueProcessing + 0x21f<br />ieapfltr.dll!Evaluator::ContinueProcessingWrapper + 0x21<br />ntdll.dll!RtlpWorkerCallout + 0x70<br />ntdll.dll!RtlpExecuteWorkerRequest + 0x1a<br />ntdll.dll!RtlpApcCallout + 0x11<br />ntdll.dll!RtlpWorkerThread + 0x87<br />kernel32.dll!BaseThreadStart + 0x37<br /></span><br />With this information from Process Monitor, one could come to a similar conclusion - the Phishing Filter in Internet Explorer 7 seems to cause Internet Explorer 7's performance to degrade in certain environments.<br /><br />» </p><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/20977280-8513535194552383156?l=mygreenpaste.blogspot.com' alt='' /></div>«/\/\Ø|ö±ò\/»®©http://www.blogger.com/profile/04886149439479604072noreply@blogger.com0tag:blogger.com,1999:blog-20977280.post-8121106216253329862006-12-19T16:13:00.000-08:002007-04-25T04:49:01.975-07:00[<b><span style="color:red;">Added 2007-01-18: <a href="http://mygreenpaste.blogspot.com/2007/01/fix-available-for-performance-problems.html" target="_blank">Fix Available for Performance Problems with Internet Explorer 7's Phishing Filter </a>...</span></b>]<br /><br />I like <a href="http://www.microsoft.com/windows/ie/default.mspx" target="_blank">Internet Explorer 7</a>. I've installed it many, many times and on<br />many systems. I've never had a problem with it. That is, until I had to spend some time working with a web-based application on an Intranet. I had to go through several iterations of repetetive steps in this application. It was the kind of work where it would have been more fun to write a program to achieve the end result, but it would probably have taken more time to write the program than it would to go through the tedious process. That, and the fact that I didn't immediately have access to some of the information that would be required to write the app, prevented me from taking the fun route. So I was stuck copying, clicking, pasting, and... WAITING.<br /><br />The problem wasn't the responsiveness of the web server - the problem was localized to my system. As I was working on a laptop, I could hear the fan kick into high gear as CPU utilization hit 100%... and stayed there. When I paused for a bit, the CPU usage went back down. So, interacting with the web application was causing the behavior. The task took about 90 minutes to complete, and when I was done, <a href="http://www.microsoft.com/technet/sysinternals/SystemInformation/ProcessExplorer.mspx" target="_blank">Process Explorer</a> showed iexplore.exe as having used nearly 90 minutes of CPU time. I didn't have this problem with Internet Explorer 6! In communicating with the vendor of the web application, they indicated that they hadn't had problems of this sort in any of their experiences with IE7 or with other customers.<br /><br />I surmised that there was likely a setting in Internet Explorer 7 that was affecting the performance. But IE7 has no shortage of settings, and to try each one was not a task that I wanted to undertake. I fired up IE7, loaded the web-based app, and started working. Then, while the CPU was taxed, I went to Process Explorer, hit the properties of the iexplore.exe process, and checked the "Threads" tab. There were 89 threads, most having a start address of "ndtll.dll!RtlpWorkerThread", and all vying for CPU time. It appeared that a new thread was created for each request that was made, which seems rather "wasteful". At any rate, RtlpWorkerThread is a private "run-time library" worker thread threadproc function, <a href="http://groups.google.com/group/microsoft.public.win32.programmer.kernel/browse_frm/thread/a9c5b6991066e740/5f46cca869da9ab7?lnk=st&q=&amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;amp;rnum=9&amp;hl=en#5f46cca869da9ab7" target="_blank">presumably</a> the threadproc used when one uses the <a href="http://msdn2.microsoft.com/en-us/library/ms686760.aspx" target="_blank">Thread Pool API</a>. The stack of one of these threads at the point that I captured it (obtained with Process Explorer and properly configured debugging symbols) is rather deep:<br /><br /><span style="font-family:courier new;font-size:85%;">ntkrnlpa.exe!KiSwapContext+0x2e<br />ntkrnlpa.exe!KiSwapThread+0x46<br />ntkrnlpa.exe!KeWaitForMultipleObjects+0x284<br />ntkrnlpa.exe!NtWaitForMultipleObjects+0x2a2<br />ntkrnlpa.exe!KiFastCallEntry+0xf8<br />ntdll.dll!KiFastSystemCallRet<br />ntdll.dll!ZwWaitForMultipleObjects+0xc<br />kernel32.dll!WaitForMultipleObjectsEx+0x12c<br />ole32.dll!CoWaitForMultipleHandles+0x100<br />ieapfltr.dll!AntiPhishingMutex::AntiPhishingMutex+0x91<br />ieapfltr.dll!AntiPhishingHashTable::Find+0xaf<br />ieapfltr.dll!CacheManager::FindUrlInUrsCache+0xa5<br />ieapfltr.dll!AntiPhishDataSeeker::MatchRollUps+0x2cf<br />ieapfltr.dll!AntiPhishDataSeeker::MatchRollUpsInCache+0x43<br />ieapfltr.dll!AntiPhishDataSeeker::FindOMOTarget+0x2d<br />ieapfltr.dll!PageDetails::CountTargetRollups+0x34<br />ieapfltr.dll!PageDetails::Init+0x1da<br />ieapfltr.dll!PageDetails::Factory+0x59<br />ieapfltr.dll!HeuristicsFeatures::InnerExecute+0x15b<br />ieapfltr.dll!HeuristicsFeatures::Execute+0x55<br />ieapfltr.dll!ProcessingThread::RunPageAnalysis+0x1b4<br />ieapfltr.dll!ProcessingThread::RunUrlAndPageAnalysis+0xdb<br />ieapfltr.dll!ProcessingThread::Analyze+0xd3<br />ieapfltr.dll!ProcessingThread::AnalyzeFrame+0x249<br />ieapfltr.dll!ProcessingThread::EnumerateFrames+0x2e5<br />ieapfltr.dll!ProcessingThread::EnumerateFrames+0x249<br />ieapfltr.dll!ProcessingThread::Evaluate+0x1ec<br />ieapfltr.dll!ProcessingThread::Execute+0x78<br />ieapfltr.dll!ProcessingThread::Process+0x24e<br />ieapfltr.dll!ProcessingThread::Start+0x72<br />ieapfltr.dll!Evaluator::ContinueProcessing+0x21f<br />ieapfltr.dll!Evaluator::ContinueProcessingWrapper+0x21<br />ntdll.dll!RtlpWorkerCallout+0x70<br />ntdll.dll!RtlpExecuteWorkerRequest+0x1a<br />ntdll.dll!RtlpApcCallout+0x11<br />ntdll.dll!RtlpWorkerThread+0x87<br />kernel32.dll!BaseThreadStart+0x37</span><br /><br />As you can see, after the thread pool plumbing is out of the way, the first function in the stack is ieapfltr.dll!Evaluator::ContinueProcessingWrapper - a function in ieapfltr.dll. ieapfltr.dll describes itself as "Microsoft Phishing Filter", though I suspect IEAP is an acronym for Internet Explorer <b>Anti</b>-Phishing. At any rate, it certainly seemed that the settings surrounding the (anti)phishing filter would be a good place to start.<br /><br />I went into "Internet Options" in the Control Panel (Start Run inetcpl.cpl) and hit the "Advanced" tab. Toward the bottom was a setting for the Phishing Filter where there were three options:<br />-Disable Phishing Filter<br />-Turn off automatic website checking<br />-Turn on automatic website checking<br /><br />Mine was set to "Turn off automatic website checking". I changed it to "Disable Phishing Filter" and hit OK, and re-tried the web application. The application was responsive as ever, and the "excess" threads that were previously being created were nowhere to be seen. Changing the setting back to "Turn off automatic website checking", and hitting the web application again caused iexplore.exe to consume as much of the CPU as it could. It appeared that I found the cause of the sluggish performance.<br /><br />It is worth noting that in the "Internet Options", on the Security tab, each Internet Explorer Zone has its own setting for the Phishing Filter. If one selects a Zone, and clicks the "Custom level..." button, about 75% of the way down is a setting for "Use Phishing Filter" that has 2 options - Disable or Enable. The setting on the Advanced tab overrides this - if the Security zone setting is set to "Enable" and the Advanced setting is set to "Disable Phishing Filter", the Phishing Filter is disabled for all zones. However, if the Advanced setting is set to "Turn off automatic website checking" or "Turn on automatic website checking", one can exercise more granular control over each Security zone by choosing to enable / disable the filter where it makes sense.<br /><br />»<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/20977280-812110621625332986?l=mygreenpaste.blogspot.com' alt='' /></div>«/\/\Ø|ö±ò\/»®©http://www.blogger.com/profile/04886149439479604072noreply@blogger.com6tag:blogger.com,1999:blog-20977280.post-78279859875541026432006-12-14T21:07:00.000-08:002007-04-25T04:49:50.823-07:00Finally got through watching some good overview videos on MSDN's Channel 9.<br /><br /><a href="http://blogs.msdn.com/doronh/" target="_blank">Doron Holan</a> talks about the <a href="http://www.microsoft.com/whdc/driver/wdf/KMDF.mspx" target="_blank">Kernel Mode Driver Framework</a> (KMDF) in <a href="http://channel9.msdn.com/Showpost.aspx?postid=226116" target="_blank">this Channel 9 Video Segment</a>. Check out the state machine diagrams!<br /><br /><a href="http://blogs.msdn.com/peterwie" target="_blank">Peter Wieland</a> goes over the User Mode Driver Framework (UMDF) in <a href="http://channel9.msdn.com/Showpost.aspx?postid=236023" target="_blank">this video segment</a>. There's even some discussion about writing a driver with managed code (C# / VB.NET).<br /><p>»</p><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/20977280-7827985987554102643?l=mygreenpaste.blogspot.com' alt='' /></div>«/\/\Ø|ö±ò\/»®©http://www.blogger.com/profile/04886149439479604072noreply@blogger.com0tag:blogger.com,1999:blog-20977280.post-30681309318448707212006-12-09T19:40:00.000-08:002006-12-26T19:58:26.292-08:00In <a href="http://mygreenpaste.blogspot.com/2006/08/how-does-this-warrant-kb-article.html" target="_blank">How does this warrant a KB article?</a>, I pondered the existence of a Microsoft KnowledgeBase article that discussed how to set the SmtpMail.SmtpServer property of the System.Web.SmtpMail class.<br /><br />In my travels, I encountered a blog posting in the "<a href="http://blogs.msdn.com/mstehle/default.aspx" target="_blank">The CDOs and CDONTS of Messaging Development" blog</a> - <a href="http://blogs.msdn.com/mstehle/archive/2005/11/23/496418.aspx" target="_blank">MYTH: SmtpMail.SmtpServer.Insert(0,"127.0.0.1") Actually Does Something</a>. This posting is interesting because it's possible that it prompted the aforementioned KB article (<a href="http://support.microsoft.com/kb/922777" target="_blank">922777: You receive an error message when you try to send an e-mail message by using the System.Web.Mail namespace in the .NET Framework 1.0</a>). It's also interesting because it talks about the source of the infamous code - a Code Project article.<br /><br />»<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/20977280-3068130931844870721?l=mygreenpaste.blogspot.com' alt='' /></div>«/\/\Ø|ö±ò\/»®©http://www.blogger.com/profile/04886149439479604072noreply@blogger.com0tag:blogger.com,1999:blog-20977280.post-60702510126533120972006-12-06T06:02:00.000-08:002006-12-26T19:57:31.288-08:00It was maddening, I tell you. I like to write C# code in a C# source file, not inline in a script tag. So I went about modifying Global.asax to allow me to do so:<br /><br /><code>&lt;%@ Application language="C#" CodeBehind="Global.asax.cs" Inherits="Global" %&gt;</code><br /><code></code><br /><code></code>I then went about defining a class called "Global" in Global.asax.cs. I added the code I needed and proceeded to build the ASP.NET app in Visual Studio 2005. But I got an error:<br /><br /><code>Global.asax(1): Build (web): Could not load type 'Global'.</code><br /><code></code><br /><code></code>Of course, I was perplexed. Why not? Why couldn't the type be loaded?<br />I thought for a bit, but then went about doing some more coding. Eventually, I had to address the problem, though. How? On a whim I placed Global.asax.cs in the App_Code ASP.NET folder. Once I did that, I was able to build the app.<br /><br />»<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/20977280-6070251012653312097?l=mygreenpaste.blogspot.com' alt='' /></div>«/\/\Ø|ö±ò\/»®©http://www.blogger.com/profile/04886149439479604072noreply@blogger.com6tag:blogger.com,1999:blog-20977280.post-14816060992619050162006-11-30T19:07:00.000-08:002006-11-30T19:12:30.454-08:00<a href="http://www.microsoft.com/technet/sysinternals/default.mspx" target="_blank">Microsoft / Sysinternals</a> recently released a new tool named "<a href="http://www.microsoft.com/technet/sysinternals/processesandthreads/processmonitor.mspx" target="_blank">Process Monitor</a>" (that <a href="http://blogs.technet.com/markrussinovich/about.aspx" target="_blank">Mark Russinovich</a> has talked about for over a year). Process Monitor blows FileMon and RegMon (great tools in their own rite) out of the water with a well thought out filtering mechanism and NON DESTRUCTIVE filters! Filtering data no longer destroys the original! Now, since all events are captured, the amount of disk space required to store the events can grow quickly - it's easy to get a few GB of data in a short amount of time - but the data can be captured and stored for later analysis. There are plenty of other features in Process Monitor including the ability to get the FULL stack (userland and kernel!) of a thread at the time of an event, the ability to organize and persist filter sets, highlighting, and more. Thanks Mark & Bryce / Microsoft!<br /><br />Note that Process Monitor does require a "modern" operating system - Windows XP SP2 or later, Windows Server 2003 SP1, Windows 2000 SP4 with Update Rollup 1, Vista, and x64 versions of XP, Server 2003 SP1, and Vista. Some people <a href="http://forum.sysinternals.com/forum_posts.asp?TID=8925&PN=1" target="_blank">have issues with this</a>, but the requirements are not arbitrary. <a href="http://web.archive.org/web/20060427065610/http://www.sysinternals.com/AboutUs.html" target="_blank">Bryce</a> explains a bit <a href="http://forum.sysinternals.com/forum_posts.asp?TID=8757&amp;KW=bryce&TPN=2" target="_blank">here</a>.<br /><br />»<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/20977280-1481606099261905016?l=mygreenpaste.blogspot.com' alt='' /></div>«/\/\Ø|ö±ò\/»®©http://www.blogger.com/profile/04886149439479604072noreply@blogger.com0tag:blogger.com,1999:blog-20977280.post-550794086846920402006-11-26T13:58:00.000-08:002006-11-26T14:00:40.456-08:00There's an article entitled "<a href="http://www.microsoft.com/technet/technetmag/issues/2006/11/ApplicationCompatibility/default.aspx" target="_blank">Inside the New Microsoft Application Compatibility Toolkit</a>" on TechNet that (surprise!) discusses some things about compatibility of applications running on Vista. It provides a good overview of some of the changes that can affect compatibility and some of the progress that has been made with Vista. For example, Windows Resource Protection redirects / sandboxes file and registry accesses to resources that the app wouldn't generally have permissions to when run under a standard account. The changes aren't persisted across invocations of the application, but nonetheless it could enable apps to work under a standard account when they previously were "admin or bust".<br /><br />The article also discusses how to go about analyzing the applications running on one's computers and assessing the compatibility impact. There is a central database of applications called the "Microsoft Compatibility Exchange" which contains information provided by other community members about the compatibility "levels" of various applications. I like the idea of leveraging community experiences for the benefit of all.<br /><br />The "Application Compatibility Toolkit" has other capabilities that are touched on in the article and are described in more detail in the documentation that accompanies the toolkit and at the <a href="http://www.microsoft.com/technet/prodtechnol/windows/appcompatibility/default.mspx" target="_blank">Windows Application Compatibility website</a>.<br /><br />»<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/20977280-55079408684692040?l=mygreenpaste.blogspot.com' alt='' /></div>«/\/\Ø|ö±ò\/»®©http://www.blogger.com/profile/04886149439479604072noreply@blogger.com0tag:blogger.com,1999:blog-20977280.post-42344355510140818222006-11-22T03:46:00.000-08:002006-11-22T03:52:55.889-08:00I was working on a system that was suspected of being infested with malware. Sadly, it was clean - the flakiness was caused by all of the security utilities and software that had been installed on the system. But that's a rant for a different day. In the process of dealing with the system, an application crashed. I don't recall specifically what it was, but whilst gathering information about the crash, Dr. Watson had some problems himself. The good doctor just couldn't cope, apparently.<br /><br /><p align="center"><a href="http://photos1.blogger.com/blogger2/5760/2560/1600/DrwDrw.jpg" target="_blank"><img src="http://photos1.blogger.com/blogger2/5760/2560/400/DrwDrw.jpg" /></a></p>I cracked open <a href="http://www.microsoft.com/technet/sysinternals/SystemInformation/ProcessExplorer.mspx" target="_blank">Process Explorer</a> and looked at the process hierarchy. It seemed a bit odd to have Dr. Watson spawn Dr. Watson (drwtsn32.exe was the parent of drwtsn32.exe).<br /><br /><p>I love the standard wording: "DrWatson Postmortem Debugger has encountered a problem and needs to close. We are sorry for the inconvenience."</p><p>I think in this case I chose to send the error report to Microsoft. =8-><br /><br />»</p><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/20977280-4234435551014081822?l=mygreenpaste.blogspot.com' alt='' /></div>«/\/\Ø|ö±ò\/»®©http://www.blogger.com/profile/04886149439479604072noreply@blogger.com0tag:blogger.com,1999:blog-20977280.post-1160935740940790042006-11-12T17:32:00.000-08:002006-11-12T16:29:13.532-08:00As noted in <a href="http://mygreenpaste.blogspot.com/2006/08/signing-assemblies-in-visual-studio.html" target="_blank">Signing Assemblies in Visual Studio 2005 with Key Containers</a>, Visual Studio 2005 doesn't exactly deal well with key containers (there's no way to use the UI to specify one, as one can do with key files).<br /><br />And when I was <a href="http://mygreenpaste.blogspot.com/2006/11/deploying-aspnet-20-applications.html" target="_blank">exploring Web Deployment Projects</a>, I was reviewing "<a href="http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnaspp/html/aspnet_merge_exe.asp" target="_blank">Managing ASP.NET Precompiled Output for Deployment Using the aspnet_merge.exe Command</a>" (aspnet_merge.exe is used by Web Deployment Projects to combine the assemblies produced by aspnet_compiler.exe). That article states that "...you can use the following options with aspnet_merge.exe: -keyfile, -keyContainer, or -delaysign...". I'm a strong advocate of signing assemblies. While there may not be a strong (ha, ha) case for doing it in this instance, it at least provides some level of assurance that the code deployed is truly the code that is supposed to be running. And I prefer key containers to key files. So given the way that specifying a key container works in Visual Studio 2005, I was excited to see that aspnet_merge.exe supported key containers.<br /><br />Then I checked out the Web Deployment Project property pages. The Signing tab had a place to specify a key file location, but no way to specify a key container.<br /><br /><br /><a href="http://photos1.blogger.com/blogger/1005/2117/1600/wdp.1.jpg" target="_blank"><img style="DISPLAY: block; MARGIN: 0px auto 10px; CURSOR: hand; TEXT-ALIGN: center" alt="" src="http://photos1.blogger.com/blogger/1005/2117/400/wdp.jpg" border="0" /></a><br />Argh! Here we go again, I thought. So I went about the process of trying to tear up the .WDPROJ file that is the Visual Studio 2005 project file for Web Deployment Projects. I tried the <a href="http://mygreenpaste.blogspot.com/2006/08/signing-assemblies-in-visual-studio.html" target="_blank">same technique that worked for .CSPROJ files</a>, but that didn't work. I checked Microsoft.WebDeployment.targets in %programfiles%\MSBuild\Microsoft\WebDeployment\v8.0 to see if there was some way to specify a key container there. I couldn't find anything for key containers, but there were certainly ways to specify a key file and that the merged assembly should be delay signed. Dead end there.<br /><br />Next I cracked open <a href="http://www.aisto.com/roeder/dotnet/" target="_blank">Reflector</a> and inspected Microsoft.WebDeployment.Tasks.dll (also from %programfiles%\MSBuild\Microsoft\WebDeployment\v8.0). In that assembly, there is a class named "AspNetMerge" that implements the merge task as instructed by MSBuild. (The class inherits from Microsoft.Build.Utilities.ToolTask.) The "AspNetMerge" class has the following private fields (as reported by Reflector):<br /><pre><br /> private string _applicationPath;<br /> private string _assemblyInfo;<br /> private string _contentAssemblyName;<br /> private bool _copyAttributes;<br /> private bool _debug;<br /> private bool _delaySign;<br /> private bool _errorStack;<br /> private string _exePath;<br /> private string _keyFile;<br /> private string _logErrorFile;<br /> private bool _mergeXmlDocs;<br /> private bool _nologo;<br /> private string _prefix;<br /> private bool _removeCompiledFiles;<br /> private string _singleAssemblyName<br /></pre><br />Sigh. A setting for a key container name is nowhere to be found. If the tool doesn't support key containers, no amount of creative configuration will get it there.<br /><br />The next thing I did, in retrospect, was probably the first thing I should have done:<br /><pre>aspnet_merge -?</pre>In short, aspnet_merge only supports the following parameters: <ul><li>-?</li><li>applicationPath</li><li>-keyfile</li><li>-delaysign</li><li>-o</li><li>-w</li><li>-prefix</li><li>-copyattrs</li><li>-debug</li><li>-nologo</li><li>-errorstack</li><li>-r</li><li>-xmldocs</li><li>-a</li><li>-log</li></ul><p>Aspnet_merge.exe does <b>NOT</b> support the <i>-keycontainer</i> option, as the "<a href="http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnaspp/html/aspnet_merge_exe.asp" target="_blank">Managing ASP.NET Precompiled Output for Deployment Using the aspnet_merge.exe Command</a>" article had stated. </p><p>So, given that there's no way to use a Web Deployment Project / aspnet_merge.exe to use a key container to sign an assembly, and one needs to edit the raw .CSPROJ file to get VS2005 to use a key container to sign an assembly, it seems that Microsoft is trying to say something about key containers.<br /><br />I wouldn't be surprised to see key containers completely dropped in <a href="http://msdn.microsoft.com/vstudio/future/default.aspx" target="_blank">Orcas</a>...</p><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/20977280-116093574094079004?l=mygreenpaste.blogspot.com' alt='' /></div>«/\/\Ø|ö±ò\/»®©http://www.blogger.com/profile/04886149439479604072noreply@blogger.com1tag:blogger.com,1999:blog-20977280.post-1160935565991675592006-11-06T21:09:00.000-08:002006-11-12T16:29:13.209-08:00I was recently exploring deployment options for ASP.NET applications and I encountered a couple of Visual Studio 2005 add-ons - <a href="http://msdn2.microsoft.com/en-us/asp.net/aa336619.aspx" target="_blank">Visual Studio 2005 Web Deployment Projects</a> and <a href="http://msdn2.microsoft.com/en-us/asp.net/aa336618.aspx" target="_blank">Visual Studio 2005 Web Application Projects</a>. I could go into some detail about each of these post-Visual Studio 2005 release features, but Rick Strahl's got it covered with an extensive article entitled <a href="http://www.devx.com/codemag/Article/32624/1954?pf=true" target="_blank">Compilation and Deployment in ASP.NET 2.0</a>.<br /><br /><a href="http://msdn2.microsoft.com/en-us/asp.net/aa336618.aspx" target="_blank">Visual Studio 2005 Web Application Projects</a> bring ASP.NET 1.x style deployment capabilities (website compiles to an assembly at build time for later deployment with the display-side components compiled when accessed at runtime). <a href="http://msdn2.microsoft.com/en-us/asp.net/aa336619.aspx" target="_blank">Visual Studio 2005 Web Deployment Projects</a> allow one to manage web application build configuration and deployment options, and provide a tool to merge multiple assemblies into one. This allows one to, if desired and configured, deploy a web application rolled up into one assembly and a number of "marker" files. Display-side components can even be compiled into the assembly. Note that other assemblies that the web application depends on - such as assemblies from the <a href="http://www.microsoft.com/downloads/details.aspx?familyid=5A14E870-406B-4F2A-B723-97BA84AE80B5&displaylang=en" target="_blank">Enterprise Library</a> - and other resource files such as images also need to be deployed. One could potentially use ILMerge (<a href="http://www.microsoft.com/downloads/details.aspx?familyid=22914587-b4ad-4eae-87cf-b14ae6a939b0&amp;displaylang=en" target="_blank">here</a> and <a href="http://research.microsoft.com/~mbarnett/ILMerge.aspx" target="_blank">here</a>) to merge all required assemblies into one, if that was important.<br /><br />I really like the idea of minimizing the number of files that need to be deployed to a web server so I hope to work with Web Deployment Projects and Web Application Projects more in the future.<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/20977280-116093556599167559?l=mygreenpaste.blogspot.com' alt='' /></div>«/\/\Ø|ö±ò\/»®©http://www.blogger.com/profile/04886149439479604072noreply@blogger.com0tag:blogger.com,1999:blog-20977280.post-1160537991406400462006-11-01T16:53:00.000-08:002006-11-12T16:29:12.524-08:00I'm probably being way too picky here.<br /><br />A new Community Solutions article in the Microsoft Knowledge Base entitled <a href="http://support.microsoft.com/kb/555737" target="_blank">How to find Windows uptime?</a> has been posted. The article is short (four steps and a summary for Option 1), but from my perspective this short article has a couple of errors, and / or at least could be a bit clearer.<br /><br />While <em>I</em> know what is meant by uptime (how long the computer has been "up" or running), someone looking for this information may not know that's what to call it or what it might mean, so in the event they are able to find the article they may gloss over it because they don't recognize the term. Perhaps a brief description of what is meant by "uptime" in the context of this article would be appropriate.<br /><br />Further, the steps detailed in the article (basically, instructions on how to run a command - <code>net statistics server</code> - and then parse the output) don't provide one with the information the article indicates will be provided. Granted, this is likely an academic detail, but the command really displays the amount of time that the Server service has been running - not the amount of time that the computer has been up. It is possible (but admittedly not all that likely) that the Server service has been restarted since the computer was booted.<br /><br />As an alternative, I might suggest using <a href="http://www.sysinternals.com/Utilities/ProcessExplorer.html" target="_blank">Process Explorer</a>. (Boy, it seems that I've been pushing PE a lot lately. Oh well. It's a great tool.) One can get a pretty good figure on the system uptime by examining the start time of the Session Manager process - smss.exe. Smss.exe is the first user-mode process created when the system boots. It is created by Ntoskrnl.exe and is a purely native application - it doesn't use Windows APIs. Instead, it uses what is known as the Windows Native API. An overview of the Native API can be found on the Sysinternals site at <a href="http://www.sysinternals.com/Information/NativeApi.html" target="_blank">Inside the Native API</a>. Gary Nebbett also wrote <em>the</em> book on the Native API - <a href="http://www.amazon.com/Windows-2000-Native-API-Reference/dp/1578701996/ref=sr_11_1/102-7065077-0061736?ie=UTF8" target="_blank">Windows NT/2000 Native API Reference</a>. <p></p><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/20977280-116053799140640046?l=mygreenpaste.blogspot.com' alt='' /></div>«/\/\Ø|ö±ò\/»®©http://www.blogger.com/profile/04886149439479604072noreply@blogger.com0tag:blogger.com,1999:blog-20977280.post-1160537821444934532006-10-29T16:32:00.000-08:002006-11-12T16:29:12.192-08:00<a href="http://mygreenpaste.blogspot.com/2006/10/idea-for-process-explorer-enhancement.html" target="_blank">Previously</a>, I had discussed an enhancement to <a href="http://www.sysinternals.com/Utilities/ProcessExplorer.html" target="_blank">Process Explorer</a> that would allow it to identify / indicate what version of the .NET Framework a process had loaded. I have submitted this as a feature request on Sysinternals Forums (<a href="http://forum.sysinternals.com/forum_posts.asp?TID=7272&PN=1&TPN=3" target="_blank">here</a> and <a href="http://forum.sysinternals.com/forum_posts.asp?TID=8599" target="_blank">here</a>).<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/20977280-116053782144493453?l=mygreenpaste.blogspot.com' alt='' /></div>«/\/\Ø|ö±ò\/»®©http://www.blogger.com/profile/04886149439479604072noreply@blogger.com0tag:blogger.com,1999:blog-20977280.post-1160537476940169752006-10-27T02:10:00.000-07:002006-11-12T16:29:12.029-08:00FWIW, on Sysinternals Forums I have submitted a feature request (<a href="http://forum.sysinternals.com/forum_posts.asp?TID=7272&PN=1&amp;TPN=2" target="_blank">here</a> and <a href="http://forum.sysinternals.com/forum_posts.asp?TID=8239&amp;PN=1" target="_blank">here</a>) for <a href="http://www.sysinternals.com/Utilities/ProcessExplorer.html" target="_blank">Process Explorer</a> to be able to identify "<a href="http://mygreenpaste.blogspot.com/2006/09/windows-vista-and-protected-processes.html" target="_blank">Protected Processes</a>" in Vista.<br /><br />Not much discussion on it yet, though...<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/20977280-116053747694016975?l=mygreenpaste.blogspot.com' alt='' /></div>«/\/\Ø|ö±ò\/»®©http://www.blogger.com/profile/04886149439479604072noreply@blogger.com0tag:blogger.com,1999:blog-20977280.post-1160537269139851462006-10-23T17:51:00.000-07:002006-11-12T16:29:11.843-08:00In a <a href="http://mygreenpaste.blogspot.com/2006/10/force-app-to-use-specific-version-of.html" target="_blank">recent blog entry's exploration</a>, I was determining which ".NET" processes were using what versions of the .NET Framework. The method that I was using for this was to find the ".NET processes" in <a href="http://www.sysinternals.com/Utilities/ProcessExplorer.html" target="_blank">Process Explorer</a> (highlighted in Yellow by default) and either note the version of MSCOREE.DLL, or check the path of DLLs that are loaded into the process' address space - if %WINDIR%\Assembly and 2.0.0.0 or 2.0.50727 show up, the process is using the .NET Framework 2.0. Substitute appropriate version numbers for other versions of the .NET Framework.<br /><br />Then, because I'm lazy, I started thinking... what if Process Explorer could tell me this information without me having to dig a little bit for it? Process Explorer could highlight processes, using a configurable color, to indicate the version of the .NET Framework the process is using. E.g., processes with DLLs from the .NET Framework 1.1 would be highlighted in yellow, processes with DLLs from the .NET Framework 2.0 would be highlighted in blue, etc. By default, the colors could all be set to yellow, but the user could specify their own color for each version of the .NET Framework.<br /><br />Another consideration might be to add this information in a column that can be displayed in the upper pane of Process Explorer.<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/20977280-116053726913985146?l=mygreenpaste.blogspot.com' alt='' /></div>«/\/\Ø|ö±ò\/»®©http://www.blogger.com/profile/04886149439479604072noreply@blogger.com0tag:blogger.com,1999:blog-20977280.post-1160537109949120752006-10-18T04:46:00.000-07:002006-11-12T16:29:11.693-08:00I was whipping through the list of processes in <a href="http://www.sysinternals.com/Utilities/ProcessExplorer.html" target="_blank">Process Explorer</a> that were ".NET" processes (processes that had some version of MSCOREE.DLL loaded into their address space). I'm still under ten, out of 75 processes total. I was curious as to what versions of the .NET Framework were being used as I had 1.0, 1.1 SP1, and 2.0 installed.<br /><br />As <a href="http://msdn2.microsoft.com/en-us/library/9w519wzk.aspx" target="_blank">How to: Use an Application Configuration File to Target a .NET Framework Version</a> states, by default an application will run on the version of the .NET Framework that the application was built on, if it is present on the computer.<br /><br />Most ".NET" processes were using the .NET Framework 2.0, which is what I expected. But two were using version 1.1. Since many / most apps <em>should</em> work fine with any "future" version of the .NET Framework (it's supposed to be backwards compatible) I thought I would try running them against the .NET Framework 2.0. The apps in question are <a href="http://www.sharpreader.net" target="_blank">SharpReader</a> (0.9.7.0) and Red Gate Software's FREE <a href="http://www.red-gate.com/products/SQL_Prompt/index.htm" target="_blank">SQL Prompt 2.0</a>.<br /><br />To get the apps to run against the .NET Framework 2.0, I simply added the supportedRuntime element to the startup section in the app's app.config file (progname.exe.config). At its most basic (for this purpose) the config file would look something like:<pre><br />&lt;?xml version="1.0" encoding="utf-8" ?&gt;<br />&lt;configuration&gt;<br /> &lt;startup&gt;<br /> &lt;supportedRuntime version="v2.0.50727" /&gt;<br /> &lt;/startup&gt;<br />&lt;/configuration&gt;<br /></pre>After making or changing the app config files for SharpReader and SQL Prompt, I ran the applications. Without extensive testing, the apps appear to be running and functioning just fine while using the .NET Framework 2.0.<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/20977280-116053710994912075?l=mygreenpaste.blogspot.com' alt='' /></div>«/\/\Ø|ö±ò\/»®©http://www.blogger.com/profile/04886149439479604072noreply@blogger.com0tag:blogger.com,1999:blog-20977280.post-1160933925389310372006-10-15T10:20:00.000-07:002006-11-12T16:29:12.940-08:00<span style="color:red;"><b>[See the sidebar at the right on the <a href="http://mygreenpaste.blogspot.com" target=_blank>entry page</a> for more links to information about error 0x8ddd0009 and Microsoft Update / Windows Update.]</b></span><br /><br />Microsoft released Knowledge Base article 916089, <a href="http://support.microsoft.com/kb/916089" target=_blank>FIX: The computer may stop responding for 40 or more seconds when you run a scan for updates or when you try to apply an update on Windows Server 2003, on Windows XP, or on Windows 2000</a>. As many people report an unresponsive system and high CPU utilization prior to receiving the 0x8ddd0009 error from Microsoft Update / Windows Update, it stands to reason that applying the hotfix presented in the article may be of help to some people.<br /><br />Unfortunately, the hotfix requires one to contact Product Support Services.<br /><br />The culprit appears to be Windows Installer. Windows Installer 3.1 v2 is a prerequisite, and the only file included in the hotfix is MSI.DLL (dated October 2006).<br /><br />The KB article states: <blockquote>This update decreases the duration of a scan that uses the Windows Update Agent. However, a scan is still a CPU-intensive operation. The Svchost.exe process contains the Automatic Updates service. When you perform a scan, the Svchost.exe process can cause CPU utilization to reach 100 percent for a prolonged time. For example, Microsoft Office updates use Windows Installer. When Microsoft Office updates are detected, these updates can contribute to 100 percent CPU utilization for a prolonged time.</blockquote>If you try this update and it helps, please post a comment about your experience!<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/20977280-116093392538931037?l=mygreenpaste.blogspot.com' alt='' /></div>«/\/\Ø|ö±ò\/»®©http://www.blogger.com/profile/04886149439479604072noreply@blogger.com3tag:blogger.com,1999:blog-20977280.post-1160654754812809132006-10-12T04:54:00.000-07:002006-11-12T16:29:12.720-08:00Sigh.<br /><br />To all that are not finding what they're looking for because they were directed to what is now a non-existent page on the TechRepublic site, I apologize. I understand that you may not find this apology, but what else can I do?<br /><br />TechRepublic has gone and decided to do away with Member Blogs. I received the following email on 2006-10-03:<br /><p><span style=";font-family:Courier New;font-size:85%;" ></span></p><blockquote><p><span style=";font-family:Courier New;font-size:85%;" >TechRepublic Blogger:</span> </p> <p><span style=";font-family:Courier New;font-size:85%;" >As many of you know, we are preparing to launch a new version TechRepublic. This revamp brings a fresh new look-and-feel to the site as well as improvements to features and functionality.</span></p> <span style=";font-family:Courier New;font-size:70%;" ><p><a href="http://techrepublic.com.com/html/tr/preview/updated_TechRepublic.html" target=_blank>http://techrepublic.com.com/html/tr/preview/updated_TechRepublic.html</a></p></span> <p><span style=";font-family:Courier New;font-size:85%;" >The process of revamping the site forced us to make some tough decisions about which features we would support going forward. Unfortunately, our member blogging feature didn't make the cut. So, with the launch of the revamp, we will be changing our approach to blogging on TechRepublic. Instead of giving every member the option to blog individually, we will be building a dozen or so topical blogs that have multiple contributors.</span></p> <p><span style=";font-family:Courier New;font-size:85%;" >Starting next week, member blogs will no longer be available on TechRepublic. THIS MEANS THAT YOUR BLOG POSTS WILL NO LONGER APPEAR ON THE SITE AFTER THE LAUNCH. We apologize for any inconvenience that this causes; however, we feel that our new approach to blogging will better serve all of the members of TechRepublic.</span></p> <p><span style=";font-family:Courier New;font-size:85%;" >Please feel free to contact me with any questions or concerns you may have.</span> </p> <p><span style=";font-family:Courier New;font-size:85%;" >Sincerely,</span> </p> <p><span style="color: rgb(192, 192, 192);font-family:Arial;font-size:85%;" >---------------------------------------------------------------------------------------</span><br /><b><span style="color: rgb(128, 128, 128);font-family:Verdana;font-size:85%;" >Shawn Morton</span></b><br /><span style="color: rgb(128, 128, 128);font-family:Verdana;font-size:85%;" >Site Manager - TechRepublic, CNET Networks</span></p></blockquote><p><span style="color: rgb(128, 128, 128);font-family:Verdana;font-size:85%;" ></span></p> So, they're basically pulling my TR blog. That's fine, I guess - the blogging software sucked (it wouldn't work well with IE, it couldn't / refused to pull from the atom feed here, etc). But I wish they could account for the fact that they're effectively breaking links. Redirect people somewhere useful (perhaps this blog) when they go to my old TR blog. Or let me put up a message. Something. Now, you (usually) just get barfed out to the root topical blog collection they've started. Some of the old blog content is still accessible but I suspect that as they continue on with their site mods that stuff will be pulled.<br /><br />So again, if you went to TR looking for something and couldn't find it, I'm sorry.<br /><br />On a brighter note, at least I didn't have all of my eggs in one basket...<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/20977280-116065475481280913?l=mygreenpaste.blogspot.com' alt='' /></div>«/\/\Ø|ö±ò\/»®©http://www.blogger.com/profile/04886149439479604072noreply@blogger.com1tag:blogger.com,1999:blog-20977280.post-1160239602970542852006-10-09T07:17:00.000-07:002006-11-12T16:29:11.569-08:00I've been using the command prompt with mapped network drives lately. I usually set up my PROMPT so that the UNC path that the drive letter represents displays, along with the normal prompt info. There are a couple of ways to do this. It can be accomplished on an ad hoc basis by simply entering <code>set PROMPT=$M$P$G</code> at the command prompt. The prompt will change to something like <code>\\server\share\foldername X:\&gt;</code> when one is on a mapped drive. One could further simplify this by putting it into a batch file and running it when necessary.<br /><br />Of course, setting the prompt to this doesn't hurt anything, so why not make it a bit more permanent? One can use the "System Properties" to get to the "Environment Variables" on the "Advanced" tab (in XP, at least). From there, set either a USER (applies to the user currently logged on) or SYSTEM (applies to all users) variable named "PROMPT" to $M$P$G.<br /><br />I also usually prepend $+ to my PROMPT. This adds one '+' character to the front of the prompt for each level into the PUSHD stack that one is. PUSHD / POPD are commands that can be used to push / pop directories to / from a stack of directories that the command prompt keeps for you. If you're 10 folder levels deep and need to bounce to \TEMP, PUSHD to \temp (<code>PUSHD C:\TEMP</code>) and do your work. When you're done, <code>POPD</code> and you'll be back to the folder that's 10 levels deep. With $+ in the PROMPT ($+$M$P$G), the prompt will look like <code>++\\server\share\foldername X:\&gt;</code> when the "PUSHD" command has been executed twice without POPDing.<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/20977280-116023960297054285?l=mygreenpaste.blogspot.com' alt='' /></div>«/\/\Ø|ö±ò\/»®©http://www.blogger.com/profile/04886149439479604072noreply@blogger.com0tag:blogger.com,1999:blog-20977280.post-1160239427223569772006-10-08T05:27:00.000-07:002006-11-12T16:29:11.421-08:00EthicalHacker.net has a pretty cool <a href="http://www.ethicalhacker.net/content/view/87/24/" target="_blank">video</a> showing how to use Metasploit's Meterpreter to launch a DCOM attack.<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/20977280-116023942722356977?l=mygreenpaste.blogspot.com' alt='' /></div>«/\/\Ø|ö±ò\/»®©http://www.blogger.com/profile/04886149439479604072noreply@blogger.com0tag:blogger.com,1999:blog-20977280.post-1160239356267148382006-10-07T09:41:00.000-07:002006-11-12T16:29:11.252-08:00On WHDC Microsoft has posted <a href="http://www.microsoft.com/whdc/driver/wdf/UMDF_COM_QS.mspx" target="_blank">A COM QuickStart for UMDF Developers</a>. The document goes over some high-level COM details as they apply to use in the user-mode driver framework.<br /><br />The COM run time is not used. Rather, the core COM programming model is used to make programming the drivers easier. It is naturally expected that C++ will be used to write the UMDF drivers, though C can be used at the expense of simplicity / convenience. Of course, if past experience is any indication reference counting will likely be a sore spot...<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/20977280-116023935626714838?l=mygreenpaste.blogspot.com' alt='' /></div>«/\/\Ø|ö±ò\/»®©http://www.blogger.com/profile/04886149439479604072noreply@blogger.com0tag:blogger.com,1999:blog-20977280.post-1159530676510066792006-09-29T04:45:00.000-07:002006-11-12T16:29:11.027-08:00On WHDC, Microsoft has a document entitled "<a href="http://www.microsoft.com/whdc/system/vista/process_Vista.mspx" target="_blank">Protected Processes in Windows Vista</a>". While I'm not yet living in Vista-land (though I do visit at least weekly), I don't have my head buried in the sand, either. But I can honestly say that this is the first I've heard about this new type of process introduced in Vista. The new type of process was created "to enhance support for digital rights management functionality in Windows Vista". Heh heh. Seems a bit interesting that DRM is specified as the the driving force behind this.<br /><br />Anyway, the paper outlines what one can and cannot do with protected processes (from the perspective of utility software that does process reporting and other interaction with processes running on the system). There's really only 3 pages of meat in the document, but it seems like a good overview.<br /><br />The paper states that "...due to the restrictions of running inside a protected process, the operating system requires that these processes be specially signed". That's a good thing... Imagine malware running as a protected process. Blech.<br /><br />I'm probably being too literal here, but does the process need to be signed, or is it the binary image on disk that needs to be signed? And what is meant by "specially signed"? Is that something different from the standard implied meaning?<br /><br />And that statement makes me wonder further - there are restrictions on running <em>inside</em> a protected process? The paper also states that the "primary difference between a typical process and a protected process is the level of access that other processes in the system can obtain to protected processes". This seems contrary to the previous statement. However since the paper is about interacting with protected processes, rather than restrictions that may be imposed upon code running in the context of a protected process, the answers will have to come from elsewhere.<br /><br />Protected process can pose a "problem if memory scanning is critical to the operation of the application [that wishes to interact with protected processes]". Should be interesting to see how vendors of AV and other security software deal with this new class of process.<br /><br />Another blurb at the bottom of the document caught my attention...<blockquote><br />Do not attempt to circumvent this restriction by installing a kernel-mode component to access the memory of a protected process because the system and third-party applications may rely on the fact that protected processes are signed code that is run in a contained environment. </blockquote>What? I'm ignorant. What does this mean: "may rely on the fact that protected processes...run in a contained environment". What happens if a kernel-mode component plays with "the memory of a protected process"? Nothing may happen now, but it could break things later? If anyone would care to provide clarification, I would appreciate it.<br /><br />Also Channel 9 has a <a href="http://channel9.msdn.com/ShowPost.aspx?PostID=233976" target="_blank">video on Process Management in Windows Vista</a> which I have yet to find time to watch. The summary states:<br /><blockquote>Vista introduces a new type of process called a protected process. What are "protected processes"? How do they work? </blockquote>I suspect that at least some of my questions will be answered there.<br /><br />Doesn't look like Process Explorer yet detects / identifies protected processes. The feature isn't listed on the <a href="http://www.sysinternals.com/Utilities/ProcessExplorer.html" target="_blank">program page</a>, and searches don't turn up much:<br /><a href="http://www.google.com/search?hl=en&q=%22protected+process%22+%22process+explorer%22+vista&amp;btnG=Google+Search" target="_blank">Google Search</a><br /><a href="http://groups.google.com/groups?hl=en&q=%22protected%20process%22%20%22process%20explorer%22%20vista&amp;btnG=Google+Search&sa=N&amp;tab=wg" target="_blank">Google Groups Search</a><br /><a href="http://forum.sysinternals.com/search.asp?KW=protected+process&SM=3&amp;SI=PT&FM=0&amp;OB=1" target="_blank">Sysinternals Forums Search</a><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/20977280-115953067651006679?l=mygreenpaste.blogspot.com' alt='' /></div>«/\/\Ø|ö±ò\/»®©http://www.blogger.com/profile/04886149439479604072noreply@blogger.com1tag:blogger.com,1999:blog-20977280.post-1158718514206759582006-09-19T19:07:00.000-07:002006-11-12T16:29:08.790-08:00[<b><span style="color:red;">Added 2006-10-15: Another potential fix <a href="http://mygreenpaste.blogspot.com/2006/10/yet-another-potential-resolution-for.html" target="_blank">here</a>...</span></b>]<br /><br />In addition to the potential solutions posted <a href="http://mygreenpaste.blogspot.com/2006/08/error-0x8ddd0009-with-microsoft-update.html" target="_blank">here</a>, <a href="http://mygreenpaste.blogspot.com/2006/08/another-possible-fix-for-error.html" target="_blank">here</a>, and <a href="http://mygreenpaste.blogspot.com/2006/07/windows-update-and-error-0x8ddd0009.html" target="_blank">here</a>, the following are some additional things to try when battling the dreaded 0x8ddd0009 error from Windows Update / Microsoft Update. These suggestions come from comments that others have posted to the aforementioned blog entires, as well as new ideas compiled from various community discussions.<br /><br />In many cases, update sessions that ultimately result in the 0x8ddd0009 error cause high CPU utilization prior to erroring out. There is suspicion that on older hardware, this can cause "time outs" or other undesirable quirks with the Windows Update / Microsoft Update services / websites. Presumably, pruning some of the applications and services that are running prior to attempting to use Windows Update / Microsoft Update can help in this. Disabling antivirus applications in particular (read on) seems to help. It may be that rebooting the system, exiting as many applications as possible (including those running in the systray, by the clock) when the system comes back up, and then stopping unnecessary services(*) before trying Windows Update / Microsoft Update will do the trick for some people.<br /><span style="font-size:78%;">* - Of course, it helps to know what services are necessary and what services are merely "nice to have". The following may be of some assistance in determining this. Note that I have NOT reviewed these links; I encountered them when trying to determine what happened to BlackViper's site (blackviper.com); appears he forgot to pay his domain name registration fee and lost it... You may have some luck with <a href="http://web.archive.org/web/*/http://www.blackviper.com" target="_blank">Archive.org's archives</a> of the site... Anyway, on to the links:<br /><a href="http://www.theeldergeek.com/services_guide.htm" target="_blank">Services Guide for Windows XP</a><br /><a href="http://www.techspot.com/tweaks/winxp_services/index.shtml" target="_blank">Windows XP Services Tweak Guide</a><br /><a href="http://www.techspot.com/tweaks/win2k_services/index.shtml" target="_blank">Windows 2000 Services Tweak guide</a></span><br /><br />One person reported that uninstalling the .NET Framework 2.0 and rebooting took care of the problem.<br /><br />Another reported that registering / re-registering various components did the trick. The following can be executed from a Command Prompt (Start -> Run -> CMD.EXE):<span style="font-family:monospace;"><br /></span><span style="font-size:85%;"><span style="font-family:courier new;">net stop wuauserv</span><br /><span style="font-family:courier new;">regsvr32 wuapi.dll</span><br /><span style="font-family:courier new;">regsvr32 wups.dll</span><br /><span style="font-family:courier new;">regsvr32 wuaueng.dll</span><br /><span style="font-family:courier new;">regsvr32 wuaueng1.dll</span><br /><span style="font-family:courier new;">regsvr32 wucltui.dll</span><br /><span style="font-family:courier new;">regsvr32 wuweb.dll</span><br /><span style="font-family:courier new;">regsvr32 MSXML3.dll</span><br /><span style="font-family:courier new;">regsvr32 qmgr.dll</span><br /><span style="font-family:courier new;">regsvr32 qmgrprxy.dll</span><br /><span style="font-family:courier new;">regsvr32 jscript.dll</span><br /><span style="font-family:courier new;">net start wuauserv</span></span><br /><p><code></code>Someone else backed off some of the changes recently introduced to a system, and that enabled Windows Update / Microsoft Update to run successfully - changing the resolution back to 800x600 from 1024x768, and disabling the real-time scanning function of the newly installed anti-virus software did the trick. No word on what AV software was involved...<br /></p><p>Another person reported that shutting down services related to McAfee antivirus and using the "Custom" update feature on Microsoft Update enabled him to successfully update his system.</p><p>Selectively installing larger items (OS Service Packs, IE, .NET Framework, DirectX, etc) outside of Windows Update / Microsoft Update, and coming back to the Windows Update / Microsoft Update services for the smaller patches worked for another individual.</p><p>Hope this update provides additional things to try for those that have tried the things listed <a href="http://mygreenpaste.blogspot.com/2006/08/error-0x8ddd0009-with-microsoft-update.html" target="_blank">here</a>, <a href="http://mygreenpaste.blogspot.com/2006/08/another-possible-fix-for-error.html" target="_blank">here</a>, and <a href="http://mygreenpaste.blogspot.com/2006/07/windows-update-and-error-0x8ddd0009.html" target="_blank">here</a>.</p><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/20977280-115871851420675958?l=mygreenpaste.blogspot.com' alt='' /></div>«/\/\Ø|ö±ò\/»®©http://www.blogger.com/profile/04886149439479604072noreply@blogger.com1tag:blogger.com,1999:blog-20977280.post-1157914162350749942006-09-10T11:47:00.000-07:002007-05-01T18:04:28.161-07:00Hmmm...<br /><br />I noticed this when digging through the dump of <a href="http://mygreenpaste.blogspot.com/2006/09/cause-of-regular-outlook-2003-crash.html" target="_blank">an Outlook 2003 crash</a>... EXCEPTION_RECORD.ExceptionInformation[0] for EXCEPTION_RECORD.ExceptionCode == EXCEPTION_ACCESS_VIOLATION can have a value other than 0 or 1... From the <a href="http://msdn2.microsoft.com/en-us/library/aa363082.aspx" target="_blank">EXCEPTION_RECORD documentation</a>:<br /><blockquote>If this value is 8, the thread causes a user-mode data execution prevention (DEP) violation.</blockquote>From the Outlook crash dump:<br /><font face="courier" size="-1">EXCEPTION_RECORD: ffffffff -- (.exr ffffffffffffffff)<br />ExceptionAddress: 124132d5 (&lt;mytilus.dll&gt;+0x000132d5)<br /> ExceptionCode: c0000005 (Access violation)<br /> ExceptionFlags: 00000000<br />NumberParameters: 2<br /> Parameter[0]: <strong>00000008</strong><br /> Parameter[1]: 124132d5<br />Attempt to execute non-executable address 124132d5<br /><br />DEFAULT_BUCKET_ID: SOFTWARE_NX_FAULT<br /></font><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/20977280-115791416235074994?l=mygreenpaste.blogspot.com' alt='' /></div>«/\/\Ø|ö±ò\/»®©http://www.blogger.com/profile/04886149439479604072noreply@blogger.com0tag:blogger.com,1999:blog-20977280.post-1157678205702816682006-09-07T18:11:00.000-07:002006-11-12T16:29:08.257-08:00Something happened the other day and I was quite surprised by it. I hadn't really noticed how long it had been since I'd experienced a BSOD until there it was, staring me in the face.<br /> 0x0000007E (SYSTEM_THREAD_EXCEPTION_NOT_HANDLED).<br /> I wasn't doing anything special - the system wasn't starting up or shutting down, and I wasn't using any exotic hardware or software. Just a flash of the screen, and then FLOOP! BSOD.<br /><br />I let <a href="http://msdn.microsoft.com/library/default.asp?url=/library/en-us/Kernel_r/hh/Kernel_r/k105_17af10bb-b21d-408e-bf73-421ce705d117.xml.asp" target="_blank">KeBugCheckEx</a> write out the <a href="http://support.microsoft.com/kb/254649/" target="_blank">kernel memory dump</a>, and rebooted. SaveDump did its thing and I tossed Memory.DMP into <a href="http://www.microsoft.com/whdc/devtools/debugging/default.mspx" target="_blank">WinDbg</a>. I'm not very proficient with WinDbg, but WinDbg makes analyzing most crash dumps (that I've run across, at least) rather trivial.<span style="font-family:courier;"><br /><br />!analyze -v</span><br /><br />That's all you need to know.<br /><br />For my BSOD, WinDbg told me that the likely culprit was HCMON.SYS, which (indirectly) caused an access violation (0xc0000005) when an attempt was made to write to 0x2dc22865.<br /><br />A search of %windir%\system32\drivers shows that HCMON.SYS is a component of VMware Workstation (and likely VMware Player, and...). The Version Resource of HCMON.SYS indicates that it is the "VMware USB monitor". Of course, I had recently upgraded to <a href="http://www.vmware.com/download/ws/" target="_blank">VMware Workstation</a> 5.5.2, which was released on 2006-08-10. The timestamp on HCMON.SYS was 2006-08-04.<br /><br />I don't know if a problem was introduced in the new version of VMware Workstation, or if the fact that a VMware component was implicated in a BSOD that took place shortly after the component was upgraded is merely a coincidence, but it sure is nice to be able to identify the source of the BSOD. If it continues to be a problem, I know <a href="http://www.vmware.com/support/" target="_blank">where to go</a>...<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/20977280-115767820570281668?l=mygreenpaste.blogspot.com' alt='' /></div>«/\/\Ø|ö±ò\/»®©http://www.blogger.com/profile/04886149439479604072noreply@blogger.com1tag:blogger.com,1999:blog-20977280.post-1157111882926811032006-09-01T04:56:00.000-07:002006-11-12T16:29:08.094-08:00[<b><span style="color:red;">2006-09-29: Related post <a href="http://mygreenpaste.blogspot.com/2006/09/softwarenxfault-exceptioninformation0.html" target="_blank">here</a>...</span></b>]<br /><br />Found out what was causing <a href="http://mygreenpaste.blogspot.com/2006/08/os-loader-lock-and-mdaloaderlockmsg.html" target=_blank>my Outlook crash</a> today. MYTILUS.DLL, which happens to be the "Common Shell - Scanners' interface to the engine" part of Network Associates' McAfee VirusScan product, is regularly causing an access violation / SOFTWARE_NX_FAULT (Software-enforced no-execute / <a href="http://en.wikipedia.org/wiki/Data_Execution_Prevention" target="_blank">DEP</a> fault).<br /><br />Sigh. At least it only happens when I'm shutting Outlook down.<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/20977280-115711188292681103?l=mygreenpaste.blogspot.com' alt='' /></div>«/\/\Ø|ö±ò\/»®©http://www.blogger.com/profile/04886149439479604072noreply@blogger.com0tag:blogger.com,1999:blog-20977280.post-1157078044423161802006-08-31T19:31:00.000-07:002006-11-12T16:29:07.936-08:00I just noticed that the fix for the <a href="http://mygreenpaste.blogspot.com/2006/02/insufficient-system-resources-exist-to.html" target="_blank">hibernation problems that I was experiencing</a> and had to contact Microsoft Product Support Services for is now available for download to those "customers running genuine Microsoft Windows".<br /><br />The problem is detailed in Knowledge Base article 909095, <a href="http://support.microsoft.com/kb/909095" target="_blank">The computer occasionally does not hibernate and you receive an "Insufficient System Resources Exist to Complete the API" error message in Windows XP with Service Pack 2, in Windows XP Tablet PC Edition 2005, or in Windows XP Media Center Edition 2005</a>, and the fix is available <a href="http://www.microsoft.com/downloads/details.aspx?FamilyID=9D20F96A-A8D6-4627-89F7-787CD9B3852C&amp;displaylang=en" target="_blank">here</a>. One must validate Windows prior to downloading.<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/20977280-115707804442316180?l=mygreenpaste.blogspot.com' alt='' /></div>«/\/\Ø|ö±ò\/»®©http://www.blogger.com/profile/04886149439479604072noreply@blogger.com6tag:blogger.com,1999:blog-20977280.post-1156902001440140122006-08-29T18:37:00.000-07:002006-11-12T16:29:07.766-08:00<a href="http://www.sysinternals.com/Utilities/ProcessExplorer.html" target="_blank">Sysinternals' Process Explorer</a> can detect binary images it suspects are <a href="http://en.wikipedia.org/wiki/UPX#Executable_packing" target="_blank">packed</a>, and highlights them. Packed executables are highlighted in the top pane, and packed DLLs in a selected process are highlighted in the lower pane's "DLL View".<br /><br />Interestingly, debug builds of binaries that link with <a href="http://mygreenpaste.blogspot.com/2006/08/initial-experience-with-detours-from.html" target="_blank">Detours</a> cause Process Explorer to suspect that the binary is packed ("Image is probably packed"). Release builds are not, however.<br /><a href="http://photos1.blogger.com/blogger/1005/2117/1600/Packed.jpg" target="_blank"><img src="http://photos1.blogger.com/blogger/1005/2117/320/Packed.jpg" /></a><br /><br />I would be interested to know how Process Explorer determines that a binary is probably packed.<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/20977280-115690200144014012?l=mygreenpaste.blogspot.com' alt='' /></div>«/\/\Ø|ö±ò\/»®©http://www.blogger.com/profile/04886149439479604072noreply@blogger.com0tag:blogger.com,1999:blog-20977280.post-1156820434986884542006-08-28T19:54:00.000-07:002006-11-12T16:29:07.513-08:00I had a bit of a chuckle this morning when I fired up SharpReader:<br /><a href="http://photos1.blogger.com/blogger/1005/2117/1600/InsideHTTP.jpg" target=_blank><img src="http://photos1.blogger.com/blogger/1005/2117/320/InsideHTTP.jpg" /></a><br /><br />The feed for Eric Lawrence's <a href="http://insidehttp.blogspot.com/" target=_blank>InsideHTTP</a> was bad because "the server committed an HTTP protocol violation".<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/20977280-115682043498688454?l=mygreenpaste.blogspot.com' alt='' /></div>«/\/\Ø|ö±ò\/»®©http://www.blogger.com/profile/04886149439479604072noreply@blogger.com0tag:blogger.com,1999:blog-20977280.post-1156730560984974192006-08-27T18:56:00.000-07:002006-11-12T16:29:07.276-08:00In reviewing my previous post, "<a href="http://mygreenpaste.blogspot.com/2006/08/initial-experience-with-detours-from.html" target="_blank">Initial Experience with Detours from Microsoft Research</a>", I must say that I am not impressed with the way the code was formatted. Blogger ate up all of the nbsp's that I had put in. When I put them back in, Blogger chewed them up again.<br /><br />Anyone know of a way to get source code to keep its formatting when posting? Hope I'm not missing something overly simple! &lt;g&gt;<br /><br />Or is there simply a better way to do it? Thoughts / suggestions welcomed!<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/20977280-115673056098497419?l=mygreenpaste.blogspot.com' alt='' /></div>«/\/\Ø|ö±ò\/»®©http://www.blogger.com/profile/04886149439479604072noreply@blogger.com10tag:blogger.com,1999:blog-20977280.post-1156705368234591432006-08-27T11:55:00.000-07:002006-11-12T16:29:07.014-08:00<a href="http://mygreenpaste.blogspot.com/2006/07/u3-usb-flash-drive-and-remote-desktop.html" target="_blank">Previously</a>, I had been considering techniques that would allow me to RDP into a system and still be able to use my U3 Flash drive. I didn't want to have to log into a <a href="http://download.microsoft.com/download/9/c/5/9c5b2167-8017-4bae-9fde-d599bac8184a/Session0_Vista.doc" target="_blank">session on the glass</a>, and then plug in the password for the U3 Launch Pad program. I want to plug the drive into the system in my office, and be able to hit it when I want to. I'm lazy.<br /><br />Ultimately, I chose to explore <a href="http://research.microsoft.com/sn/detours/" target="_blank">Detours</a> from <a href="http://research.microsoft.com/" target="_blank">Microsoft Research</a> to accomplish this. I'm happy to report a rather simple, if somewhat unelegant, success. I simply downloaded <a href="http://research.microsoft.com/research/downloads/download.aspx?FUID=f0f2bb83-369b-4d96-8f4a-b0e88e52a0ff" target="_blank">Detours Express 2.1</a>, explored the documentation a bit, and played with the samples. In under 2 hours, I had accomplished what I had set out to do - essentially make <a href="http://msdn.microsoft.com/library/default.asp?url=/library/en-us/termserv/termserv/processidtosessionid.asp" target="_blank">ProcessIdToSessionId</a> return the same thing as <a href="http://msdn.microsoft.com/library/default.asp?url=/library/en-us/termserv/termserv/wtsgetactiveconsolesessionid.asp" target="_blank">WTSGetActiveConsoleSessionId</a>.<br /><br />Two of the Detours samples ("WithDll" and "Simple") were used in my solution. WithDll was just what I needed to jumpstart the LaunchU3.exe process with the code I wanted to "inject" into the process, so I was able to use that sample with absolutely no modifications.<br /><br />The "Simple" sample provided framework code that I simply adapted to do what I wanted. Again, I was looking to "replace" <a href="http://msdn.microsoft.com/library/default.asp?url=/library/en-us/termserv/termserv/processidtosessionid.asp" target="_blank">ProcessIdToSessionId</a>'s implementation with:<br /><span style="font-family:courier;">*pSessionId = WTSGetActiveConsoleSessionId();</span><br /><br />The code at the bottom of this post uses Detours to help me do just that. The code was written in Visual Studio 2005 / VC++ 8.0, so some of the CRT functions are the "Secure (_s)" versions. I didn't go through and do the _CRT_INSECURE_DEPRECATE #ifdefs.<br /><br />So anyway, this works great, but normally the LaunchU3.exe program runs automatically when the USB drive is plugged into a system - a small partition presents itself as a read-only drive formatted with the CDFS filesystem. That partition contains an AutoRun.inf instructing Windows to kick off LaunchU3.exe. But I need to run WithDll.exe from the Detours Express package, not LaunchU3.exe.<br /><br />Sounded like a killer application for an image file hijack ala "<a href="http://mygreenpaste.blogspot.com/2005/07/image-file-execution-options-good-evil.html" target="_blank">Image File Execution Options: Good, Evil, Fun</a>":<br /><span style="font-family:courier;">HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LaunchU3.exe\Debugger = "&lt;path to&gt;\WithDll.exe /d:&lt;path to&gt;\MyDetoursDll.dll "</span><br /><br />Note the space before the closing quote of the value - the Debugger gets passed the image name, so the command to WithDll.exe looks like:<br /><span style="font-family:courier;">&lt;path to&gt;\WithDll.exe /d:&lt;path to&gt;\MyDetoursDll.dll x:\LaunchU3.exe</span><br /><br />The only problem is that we do actually want to launch the specified program (LaunchU3.exe). But running LaunchU3.exe will kick off WithDll.exe, which will start LaunchU3.exe, which will start WithDll.exe... There are a couple of options to deal with this. The easiest is to copy LaunchU3.exe from the USB drive onto the hard drive and give it a new name - this was the approach that I took. Then, specify the following as the Debugger command in Image File Execution Options:<br /><span style="font-family:courier;">&lt;path to&gt;\WithDll.exe /d:&lt;path to&gt;\MyDetoursDll.dll &lt;path to&gt;\MyLaunchU3.exe</span><br /><br />Another way would be to turn WithDll into a debugger - change the flags that get passed to the Detours function "DetourCreateProcessWithDll" to specify "DEBUG_ONLY_THIS_PROCESS", and incorporate a dummy debugger loop into the application, something like:<span style="font-family:courier;"><br />DEBUG_EVENT de = {0};<br />for( ;; )<br />{<br /> WaitForDebugEvent( &de, INFINITE );<br /> if( EXIT_PROCESS_DEBUG_EVENT == de.dwDebugEventCode ) break;<br /> ContinueDebugEvent( de.dwProcessId, de.dwThreadId, DBG_CONTINUE );<br />}</span><br />When a process calls CreateProcess with DEBUG_PROCESS or DEBUG_ONLY_THIS_PROCESS specified in dwCreationFlags, the Debugger value of Image File Execution Options is not checked (makes sense, right? That's what the "Debugger" value is for). Thus, WithDll.exe can launch LaunchU3.exe without having LaunchU3.exe launch another instance of WithDll.exe. Launcherrific.<br /><br /><p>The last option is to <a href="http://cse.msstate.edu/~rwm8/hackingU3/" target="blank">modify the contents of the small CDFS partition on the U3 drive</a>. This would allow one to toss the Detours programs (WithDll.exe and dependencies, as well as the "payload" DLL - a modified "Simple.dll" in this case) right onto the USB drive. Modify AutoRun.inf to kick off WithDll.exe with the right parameters, and the solution is clean and self-contained. Perhaps I will experiment with this... When I get more time =8-&gt;<br /><br />Code for the Detours payload DLL:<br /><span style="font-family:courier;">#ifndef _WIN32_WINNT<br />#define _WIN32_WINNT 0x0501 // for WTSGetActiveConsoleSessionId<br />#endif<br /><br />#include &lt;stdio.h&gt;<br />#include &lt;windows.h&gt;<br />#include "detours.h"<br /><br />static BOOL (WINAPI* TrueProcessIdToSessionId)<br /> ( DWORD dwProcessId, DWORD* pSessionId ) = ProcessIdToSessionId;<br /><br />static const unsigned short c_usLogTimeBufLen = 40;<br />static const unsigned short c_usMsgBufLen = 980;<br />static const unsigned short c_usFullMsgBufLen =<br /> c_usLogTimeBufLen + c_usMsgBufLen;<br />static const char* const c_pszModName = "U3Detours";<br /><br />void DebugPrint( const char* const pszFormat, ... )<br />{<br /> char szNowTime[c_usLogTimeBufLen + 1] = {0};<br /> SYSTEMTIME st = {0};<br /> ::GetLocalTime( &st );<br /> _snprintf_s( szNowTime, c_usLogTimeBufLen, c_usLogTimeBufLen,<br /> "%04d-%02d-%02d %02d:%02d:%02d.%03d", st.wYear, st.wMonth,<br /> st.wDay, st.wHour, st.wMinute, st.wSecond, st.wMilliseconds );<br /><br /> va_list args;<br /> va_start( args, pszFormat );<br /> char szMsg[c_usMsgBufLen + 1] = {0};<br /> _vsnprintf_s( szMsg, c_usMsgBufLen, c_usMsgBufLen, pszFormat, args );<br /> va_end( args );<br /><br /> char szFullMsg[c_usFullMsgBufLen + 1] = {0};<br /> _snprintf_s( szFullMsg, c_usFullMsgBufLen, c_usFullMsgBufLen,<br /> "%s ==> %s(TID=%d): %s\n", szNowTime, c_pszModName,<br /> GetCurrentThreadId(), szMsg );<br /><br /> OutputDebugString( szFullMsg );<br />}<br /><br />BOOL WINAPI InterceptProcessIdToSessionId( DWORD dwProcessId,<br /> DWORD* pSessionId )<br />{<br /> BOOL bSuccess = TrueProcessIdToSessionId( dwProcessId, pSessionId );<br /> if( !bSuccess )<br /> {<br /> DebugPrint( "ProcessIdToSessionId for PID %d failed with %d",<br /> dwProcessId, GetLastError() );<br /> }<br /> else<br /> {<br /> DWORD dwActiveConsoleSessionId = WTSGetActiveConsoleSessionId();<br /> DebugPrint( "ProcessIdToSessionId for PID %d succeeded; "<br /> "SessionId %d intercepted and being set to %d",<br /> dwProcessId, *pSessionId, dwActiveConsoleSessionId );<br /> // This is all we're really looking to do...<br /> *pSessionId = dwActiveConsoleSessionId;<br /> }<br /> return bSuccess;<br />}<br /><br />BOOL APIENTRY DllMain( HMODULE hMod,<br /> DWORD ul_reason_for_call,<br /> LPVOID lpReserved<br /> )<br />{<br /> (void)hMod;<br /> (void)lpReserved;<br /> LONG lErr = 0;<br /><br /> if( DLL_PROCESS_ATTACH == ul_reason_for_call )<br /> {<br /> DebugPrint( "Starting..." );<br /><br /> DetourRestoreAfterWith();<br /> DetourTransactionBegin();<br /> DetourUpdateThread( GetCurrentThread() );<br /> DetourAttach( &(PVOID&amp;)TrueProcessIdToSessionId,<br /> InterceptProcessIdToSessionId );<br /> lErr = DetourTransactionCommit();<br /> if( NO_ERROR == lErr )<br /> {<br /> char szExe[MAX_PATH + 1] = {0};<br /> GetModuleFileName( NULL, szExe, MAX_PATH );<br /> DebugPrint( "Detoured ProcessIdToSessionId in PID %d(%s)",<br /> GetCurrentProcessId(), szExe );<br /> }<br /> else<br /> {<br /> DebugPrint( "Error detouring ProcessIdToSessionId: %d", lErr );<br /> }<br /> }<br /> else if( DLL_PROCESS_DETACH == ul_reason_for_call )<br /> {<br /> DetourTransactionBegin();<br /> DetourUpdateThread(GetCurrentThread());<br /> DetourDetach( &(PVOID&amp;)TrueProcessIdToSessionId,<br /> InterceptProcessIdToSessionId );<br /> lErr = DetourTransactionCommit();<br /><br /> DebugPrint( "Removed ProcessIdToSessionId: %d", lErr );<br /> }<br /><br /> return TRUE;<br />}<br /></span><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/20977280-115670536823459143?l=mygreenpaste.blogspot.com' alt='' /></div>«/\/\Ø|ö±ò\/»®©http://www.blogger.com/profile/04886149439479604072noreply@blogger.com1tag:blogger.com,1999:blog-20977280.post-1156704521981321212006-08-26T05:46:00.000-07:002006-11-12T16:29:06.725-08:00I was having significant performance problems on a Windows XP SP2 laptop - the system was performing at 25% - 50% of its regular ability. So I pushed the "Turbo" button on the front, and that took care of everything.<br /><br />In 1994, maybe.<br /><br />No such fix for my problem. It was getting rather unbearable. I wanted to point the finger at Norton / Symantec software, but I didn't have hours to spend uninstalling it so I had to endure. I noted that the performance degradation came into play when there was moderate to heavy disk I/O.<br /><br />Finally, I had some time to troubleshoot the problem. <a href="http://www.sysinternals.com/Utilities/ProcessExplorer.html" target="_blank">Process Explorer</a> was telling me that Interrupts were monopolizing the CPU - 75% - 80% at times! I hadn't installed any hardware recently, and it was happening when the laptop was docked and undocked. Event Viewer didn't have any pertinent information.<br /><br />After some thought, I recalled my observation about the performance degradation coinciding with disk I/O. I suspected that somehow the IDE channel had been set to PIO mode rather than Ultra DMA Mode 5. Device Manager confirmed my suspicions. Something (Windows?) had modified the setting for the Primary IDE Channel without notifying me. I uninstalled the primary IDE channel, rebooted, and let Windows redetect the hardware. The setting was back to Ultra DMA Mode 5, and the system was back to performing as it should have.<br /><br />Microsoft Knowledge Base article "<a href="http://support.microsoft.com/kb/817472" target="_blank">IDE ATA and ATAPI disks use PIO mode after multiple time-out or CRC errors occur</a>" may provide some insight into how the transfer mode setting on my system was changed, but I'm running SP2 from August 2004 with all updates, and ATAPI.SYS referenced in the KB article is from April 2003. And, there was nothing in Event Viewer from ATAPI indicating that there were time-out or CRC errors.<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/20977280-115670452198132121?l=mygreenpaste.blogspot.com' alt='' /></div>«/\/\Ø|ö±ò\/»®©http://www.blogger.com/profile/04886149439479604072noreply@blogger.com0tag:blogger.com,1999:blog-20977280.post-1156383573046314142006-08-23T18:36:00.000-07:002006-11-12T16:29:06.539-08:00Found the following Microsoft Knowledge Base article today:<br /><a href="http://support.microsoft.com/kb/922777" target="_blank">You receive an error message when you try to send an e-mail message by using the System.Web.Mail namespace in the .NET Framework 1.0</a><br /><br />The gist of the article is that one should not use:<br /><span style="font-family:courier;">SmtpMail.SmtpServer.Insert(0, "mail.mycompany.com");</span><br /><br />to change the Smtp.SmtpServer property. Rather, one should use:<br /><span style="font-family:courier;">SmtpMail.SmtpServer = "mail.mycompany.com";</span><br /><br />Really? I'll make a note.<br /><p>Further, the <b>CAUSE</b> section is kind of bogus - it states:</p><blockquote>This issue occurs because the String.Insert method does not change the value of the SmtpMail.SmtpServer property. Therefore, the value of the SmtpMail.SmtpServer property is null.</blockquote>Now, my take on this is that the chances are pretty good that if a person is using the "problematic" method of setting SmtpServer, they might want to know <i>WHY</i> it is that "the String.Insert method does not change the value of the SmtpMail.SmtpServer property". (The answer, of course, is that <a href="http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpref/html/frlrfsystemstringclassinserttopic.asp" target="_blank">String.Insert</a> returns "a new String equivalent to this instance but with <i>value</i> inserted at position <i>startIndex</i>.")<br /><br />At least the suggested resolution wasn't:<br /><span style="font-family:courier;">SmtpMail.SmtpServer = SmtpMail.SmtpServer.Insert(0, "mail.mycompany.com");</span><br /><br />This type of problem, sadly, is probably rather common. I imagine that this type of thing happens all over the place. So why does this specific instance warrant a new article in the Microsoft knowledge base? I hope it doesn't mean that a bug resulting from the code depicted in <a href="http://support.microsoft.com/kb/922777" target="_blank">922777</a> was discovered in a Microsoft product...<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/20977280-115638357304631414?l=mygreenpaste.blogspot.com' alt='' /></div>«/\/\Ø|ö±ò\/»®©http://www.blogger.com/profile/04886149439479604072noreply@blogger.com0tag:blogger.com,1999:blog-20977280.post-1156298656251465672006-08-22T23:58:00.000-07:002006-11-12T16:29:06.415-08:00[<b><span style="color:red;">Added 2006-10-15: Another potential fix <a href="http://mygreenpaste.blogspot.com/2006/10/yet-another-potential-resolution-for.html" target="_blank">here</a>...</span></b>]<br />[<b><span style="color:red;">Added 2006-09-19: Additional things to try <a href="http://mygreenpaste.blogspot.com/2006/09/0x8ddd0009-with-microsoft-update.html" target="_blank">here</a>...</span></b>]<br />[See other posts about 0x8ddd0009 <a href="http://mygreenpaste.blogspot.com/2006/08/error-0x8ddd0009-with-microsoft-update.html" target="_blank">here</a> and <a href="http://mygreenpaste.blogspot.com/2006/07/windows-update-and-error-0x8ddd0009.html" target="_blank">here</a>.]<br /><br />Microsoft just posted knowledge base article 924092 today - "<a href="http://support.microsoft.com/kb/924092" target="_blank">You experience problems when you use a Microsoft update service</a>".<br /><br />The <b>CAUSE</b> section states:<br /><blockquote>These problems may occur because some of the Windows Update Agent 2.0 files are missing or corrupted. Windows Update Agent 2.0 is required to use these products and services.</blockquote>This <em>could </em>be another way to fix the mysterious 0x8ddd0009 Windows Update / Microsoft Update error - intall the "Windows Update Agent 2.0" package.<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/20977280-115629865625146567?l=mygreenpaste.blogspot.com' alt='' /></div>«/\/\Ø|ö±ò\/»®©http://www.blogger.com/profile/04886149439479604072noreply@blogger.com2tag:blogger.com,1999:blog-20977280.post-1156295678577979802006-08-22T18:10:00.000-07:002006-11-12T16:29:06.230-08:001) Wrote <a href="http://mygreenpaste.blogspot.com/2006/02/protecting-against-pointer-subterfuge.html" target=_blank>a while back</a> about "Protecting aginst Pointer Subterfuge". <a href="http://blogs.msdn.com/michael_howard/archive/2006/08/16/702707.aspx" target=_blank>Michael Howard</a> has updated the description of the algorithm used to encode pointers with EncodePointer/EncodeSystemPointer.<br /><br />2) <a href="http://mygreenpaste.blogspot.com/2006/01/windows-kernel-patch-protection.html" target=_blank>Previously</a>, I pointed to an article on the Microsoft Driver site that details x64 Kernel Patch Protection. The <a href="http://blogs.msdn.com/windowsvistasecurity/archive/2006/08/11/695993.aspx" target=_blank>Windows Vista Security</a> blog has a higher-level description of kernel patching as well as some suggestions for alternatives.<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/20977280-115629567857797980?l=mygreenpaste.blogspot.com' alt='' /></div>«/\/\Ø|ö±ò\/»®©http://www.blogger.com/profile/04886149439479604072noreply@blogger.com0tag:blogger.com,1999:blog-20977280.post-1156213506438857422006-08-21T19:12:00.000-07:002006-11-12T16:29:06.100-08:00Windows Vista hates me. I've been wasting my time trying to get Vista beta 2 installed. I know, I know - "beta 2? That was released months ago!" But I've simply been too busy to install it even though I downloaded it when Microsoft opened up the Consumer Preview Program.<br /><br />My first attempt at installing Vista was on a brand new hard drive. No partitions on it, no nothing. I booted the DVD I had burned the ISO to, and was greeted with a screen that looked like this:<br /><a href="http://photos1.blogger.com/blogger/1005/2117/1600/WindowsIsLoadingFiles1.jpg" target=_blank><img src="http://photos1.blogger.com/blogger/1005/2117/200/WindowsIsLoadingFiles1.jpg" /></a><br /><br /><br />Over and over and over and over again. The progress bar would complete, and the system would reboot, boot from the DVD, and go through the progress bar again. And again. And again. Ad nauseam.<br /><br />I suspected a bad burn so I burned another disc. Same result. I ultimately tried 7 discs (DVD-R, DVD+R, DVD-RW) using 3 different software packages and 3 different burners (no rhyme or reason to my selection process). Always had the same result.<br /><br />I googled a bit and discovered that I wasn't the only one with the problem where "Windows is loading files..." would display on the screen with a progress bar and setup would reboot after the progress bar completed... and the problems were most often related to a bad burn or a a bad download. Sigh.<br /><br />After making 2 backups, I tried upgrading XP Pro to beta 2, using one of the same discs. Setup begain, and I was prompted for some information. When the file copy process began, I left to go do some other things. Coming back to the system, I was greeted with an error:<br /><blockquote>An error occurred while copying setup files onto your local machine. Error code is 0x80070241.</blockquote>I obtained access to another Vista beta 2 ISO image, burned it, and tried installing Vista. This time, the "Windows is loading files" screen looked a bit different - the font was different and there was a flashing white cursor at the end of the line with the progress bar:<br /><a href="http://photos1.blogger.com/blogger/1005/2117/1600/WindowsIsLoadingFiles2.jpg" target=_blank><img src="http://photos1.blogger.com/blogger/1005/2117/200/WindowsIsLoadingFiles2.jpg" /></a><br /><br />I thought that was a bit strange. Once the progress bar completed, I was presented with an error message:<br /><blockquote>File: \windows\system32\winload.exe<br />Status: 0xc0000001<br />Info: The selected entry could not be loaded because the application is missing or corrupt</blockquote><a href="http://photos1.blogger.com/blogger/1005/2117/1600/WinLoad.exe_Error.jpg" target=_blank><img src="http://photos1.blogger.com/blogger/1005/2117/200/WinLoad.exe_Error.jpg" /></a><br /><br />Once again, I tried buring with different media types, using different software and different hardware. Same results each time.<br /><br />I was trying to avoid using a VM to run Vista because I actually wanted to get some real-world, day-to-day experience with it. But at this point I broke out VMware and mounted the ISO. The virtual machine did the same thing as the "real" machine - the same error messages and problems with the ISO images.<br /><br />Looks like I'll have to wait until RC1 is released (<a href="http://bink.nu/Article8071.bink" target="_blank">hopefully sometime in early September</a>) before I get a chance to install Vista...<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/20977280-115621350643885742?l=mygreenpaste.blogspot.com' alt='' /></div>«/\/\Ø|ö±ò\/»®©http://www.blogger.com/profile/04886149439479604072noreply@blogger.com7tag:blogger.com,1999:blog-20977280.post-1155695664544120942006-08-18T07:29:00.000-07:002006-11-12T16:29:05.867-08:00<a href="http://msdn.microsoft.com/library/default.asp?url=/library/en-us/sbscs/setup/zombifyactctx.asp" target=_blank>ZombifyActCtx</a><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/20977280-115569566454412094?l=mygreenpaste.blogspot.com' alt='' /></div>«/\/\Ø|ö±ò\/»®©http://www.blogger.com/profile/04886149439479604072noreply@blogger.com0tag:blogger.com,1999:blog-20977280.post-1155641889651800482006-08-17T04:36:00.000-07:002006-11-12T16:29:05.058-08:00I had an interesting need the other day. I wanted to set up a test Windows Server 2003 box on a development system. I didn't have a license for <a href="http://www.vmware.com/products/ws/" target="_blank">VMware workstation</a> that I could use on the development system, and I didn't want to install the free <a href="http://www.vmware.com/products/server/" target="_blank">VMware Server</a> since I've not yet had an opportunity to use it yet and this wasn't the time to start. <a href="http://www.vmware.com/products/player/" target="_blank">VMware Player</a> can only "play" (not create) virtual machines.<br /><br /><a href="http://www.microsoft.com/downloads/details.aspx?FamilyId=6D58729D-DFA8-40BF-AFAF-20BCB7F01CD1&displaylang=en" target="_blank">Virtual PC 2004 w/SP1</a> from Microsoft is now free. But I find that I prefer VMware's products to the Microsoft offerings. Not wanting to spend much time debating which virtualization package I should use, I went ahead and installed Virtual PC 2004 w/SP1. Whilst installing Windows Server 2003 Standard Edition into a virtual machine, I started wondering if VMware Player could interpret Virtual PC virtual machines.<br /><br /><a href="http://www.vmware.com/products/player" target="_blank">The VMware Player product page</a> states:<br /><blockquote>VMware Player also supports Microsoft virtual machines...</blockquote>It wasn't a large jump to interpret "Microsoft virtual machines" as "Virtual PC 2004 virtual machines". Indeed, that is the case. I finished installing Windows Server 2003 in Virtual PC 2004, and powered the VM off just after the final reboot that takes place during installation. I installed VMware Player, ran it, opened the Virtual PC 2004 .VMC file, and after a short import process I was able to start the virtual machine that I had created with Virtual PC 2004, in VMware Player.<br /><br />So, for $0 (well, a Windows OS license is required) I was able to create a Windows Server 2003 virtual machine with Virtual PC 2004 and use it with VMware Player. Pretty cool...<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/20977280-115564188965180048?l=mygreenpaste.blogspot.com' alt='' /></div>«/\/\Ø|ö±ò\/»®©http://www.blogger.com/profile/04886149439479604072noreply@blogger.com0tag:blogger.com,1999:blog-20977280.post-1155688424650272992006-08-16T05:26:00.000-07:002006-11-12T16:29:05.694-08:00[<b><span style="color:red;">Added 2006-10-15: Another potential fix <a href="http://mygreenpaste.blogspot.com/2006/10/yet-another-potential-resolution-for.html" target="_blank">here</a>...</span></b>]<br />[<b><span style="color:red;">Added 2006-09-19: Additional things to try <a href="http://mygreenpaste.blogspot.com/2006/09/0x8ddd0009-with-microsoft-update.html" target="_blank">here</a>...</span></b>]<br />[See other posts about 0x8ddd0009 <a href="http://mygreenpaste.blogspot.com/2006/08/another-possible-fix-for-error.html" target=_blank>here</a> and <a href="http://mygreenpaste.blogspot.com/2006/07/windows-update-and-error-0x8ddd0009.html" target=_blank>here</a>.]<br /><br />It seems that a LOT of people are getting error 0x8ddd0009 with <a href="http://update.microsoft.com/microsoftupdate/v6/default.aspx?ln=en-us" target="_blank">Microsoft Update</a> or <a href="http://update.microsoft.com/windowsupdate/v6/default.aspx?ln=en-us" target="_blank">Windows Update</a>, and are looking for fixes to the problem.<br /><br /><a href="http://mygreenpaste.blogspot.com/2006/07/windows-update-and-error-0x8ddd0009.html" target="_blank">Previously</a>, I had noted that I had gotten around the problem by correcting the system time on the affected computer. But apparently that's not the only "fix" for the problem. Given that it doesn't do the trick for everyone, here is a compilation of suggestions that I have run across. Note that I haven't tried all of them and I can't vouch for their accuracy. Some suggestions involve the use of a 3rd party program or utility. Use them at your own risk.<br /><br />If you have gotten the 0x8ddd0009 error from Microsoft Update or Windows Update and something listed here fixes it, please chime in. Also, if you did something not listed here and it took care of the problem, please share your resolution with others.<br /><br />I can't find any reference to 8ddd0009 OR 0x8ddd0009 in the Microsoft knowledge base, so we're pretty much going off of community references here.<br /><br />While most of the people reporting 0x8ddd0009 seem to be running Windows 2000 with some recent service pack (3 or 4), some are running Windows XP SP2.<br /><br />To restate, I fixed my problem by ensuring that the system time on the affected computer was accurate - it had been about 22 minutes off. Once I corrected the time, the problem went away.<br /><br />Another thing to do is to make sure that the computer that is having problems has sufficient free space available on the disk. I'll grab 1 GB out of the air and toss it in here - make sure there's 1 GB of free space on the disk. Just to be safe...<br /><br />Several people report that uninstalling Windows Installer 3.1 resolved the 0x8ddd0009 error. To uninstall Windows Installer 3.1, use the "Add or Remove Programs" applet in the Control Panel, and find "Windows Installer 3.1 (KB893803)" in the list, and click the "Remove" button. Alternatively, running <span style="font-family:courier;">"%WINDIR%\$MSI31Uninstall_KB893803v2$\spuninst\spuninst.exe"</span> from Start --> Run may do the trick.<br /><br />Running <span style="font-family:courier;">regsvr32 /u "%systemroot%\system32\mobsync.dll"</span> has apparently worked for at least one individual; Microsoft Knowledge Base article "<a href="http://support.microsoft.com/kb/289650/" target="_blank">Event ID 4100 appears repeatedly in Event Viewer</a> details this approach (not in the context of the 0x8ddd0009 error, though), and also the implications:<br /><blockquote>After you unregister Mobsync.dll, Client Side Caching (CSC) no longer works. The behavior described in the "Symptoms" section of this article does not affect CSC functionality, but unregistering Mobsync.dll does</blockquote>If that doesn't do the trick, one should be able to UNDO the unregistration (???) of Mobsync.dll by running <span style="font-family:courier;">regsvr32 "%systemroot%\system32\mobsync.dll"</span>. Might be worth a shot...<br /><br />Other people report that downloading / installing / running a program called "Dial-A-Fix" (apparently free) and using it to fix "Windows Update" (whatever that program considers "Windows Update") fixes the problem. The program can likely be found <a href="http://fileforum.betanews.com/detail/Dialafix_Medium/1131569373/3" target="_blank">here</a>. And here are <a href="http://www.microsoft.com/communities/newsgroups/list/en-us/default.aspx?dg=microsoft.public.windowsupdate&tid=1354e407-5cb1-4e9e-a84b-8ba700304043&amp;m=1&p=1" target="_blank">extensive instructions</a> for using the program to fix the problem.<br /><br />Re-running the "Connection Setup Wizard" (presumably, in IE's Tools --> Internet Options --> Connections tab --> "Setup..." button; it can also be run by tossing "<span style="font-family:courier;">rundll32.exe netshell.dll,StartNCW</span>" in the Start --> Run box) is reported to have resolved the 0x8ddd0009 error for several people.<br /><br />Another thing that has worked in certain cases is running <span style="font-family:courier;">regsvr32 msxml3.dll</span> from the Start --> Run box or a Command Prompt.<br /><br />Something else to try is to run the following commands from a Command Prompt (Start --> Run --> Cmd):<br /><span style="font-family:courier;">proxycfg -d<br />net stop wuauserv<br />net start wuauserv</span><br /><br />Disabling any firewalls might be another thing to try.<br /><br />Some have indicated that following the instructions in Microsoft Knowledge Base article <a href="http://support.microsoft.com/kb/910341" target="_blank">Error messages that you may receive when you try to download and install updates from the Windows Update Web site, from the Microsoft Update Web site, or from a WSUS server: "0x800704DD," "0x80240020," or both</a> took care of the 0x8ddd0009 error for them.<br /><br />Stopping the "Automatic Updates" service (from the Services management console snap-in - Start --> Run --> Services.msc, or by running <span style="font-family:courier;">net stop wuauserv</span>), and deleting (renaming is less destructive, I suppose) the %windir%\SoftwareDistribution folder can also resolve various issues with Microsoft Update / Windows Update.<br /><br />On a more drastic note, uninstalling Windows XP Service Pack 2 and then reinstalling it took care of the 0x8ddd0009 error for at least one person.<br /><br />Again, if you have gotten the 0x8ddd0009 error from Microsoft Update or Windows Update and something listed here fixes it, please chime in. Also, if you did something not listed here and it took care of the problem, please share your resolution here so that others may benefit.<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/20977280-115568842465027299?l=mygreenpaste.blogspot.com' alt='' /></div>«/\/\Ø|ö±ò\/»®©http://www.blogger.com/profile/04886149439479604072noreply@blogger.com39tag:blogger.com,1999:blog-20977280.post-1155641709823318042006-08-15T04:34:00.000-07:002006-11-12T16:29:04.923-08:00I've been using wireless networking for a couple of years now. I have a few wireless routers on my network, and often while troubleshooting various connectivity issues (is it related to the environment, or to the settings on the router, or is it a driver issue, or...) I've wished for the ability to connect to multiple wireless networks simultaneously. Without having to have a separate wireless card for each wireless network. Looks like Microsoft Research is working on a project that allows one to do just that.<br /><br />The project is called "<a href="http://research.microsoft.com/netres/projects/virtualwifi/" target="_blank">Virtual WiFi</a>", and sounds pretty cool. The current implementation is a functional prototype and doesn't have certain features yet, but the basic functionality is there. WEP or 802.1x is not supported yet, and support for multiple cards has not been fully implemented (driver supports it, "user level code"/"VirtualWiFi service" does not).<br /><br />A Virtual WiFi FAQ can be found <a href="http://research.microsoft.com/netres/projects/virtualwifi/faq.htm" target="_blank">here</a>, and the Virtual WiFi software can be downloaded <a href="http://research.microsoft.com/netres/projects/virtualwifi/software.htm" target="_blank">here</a>.<br /><br />Have to wonder a bit about the potential ramifications of this software on security - what happens when one connects the wireless card to an unsecured "public" network AND the corporate wireless network? I suppose, that's not much different than connecting to the wired corporate network and using the wireless card to connect to an unsecured public network...<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/20977280-115564170982331804?l=mygreenpaste.blogspot.com' alt='' /></div>«/\/\Ø|ö±ò\/»®©http://www.blogger.com/profile/04886149439479604072noreply@blogger.com0tag:blogger.com,1999:blog-20977280.post-1155425444588347372006-08-12T16:29:00.000-07:002006-11-12T16:29:04.789-08:00With my recent antics involving <a href="http://mygreenpaste.blogspot.com/2006/08/ntfs-alternate-data-streams.html" target="_blank">NTFS Alternate Data Streams</a> (ADS), I had an idea for an application. None of the tools I have used or heard of offered the ability to extract a stream from a file or folder and save it as a "stand-alone" file. Integrated viewing / inspection / editing of the streams ala "<a href="http://www.fiddlertool.com" target="_blank">Fiddler</a>" would also be quite cool. And of course, the ability to append a stream to a file or folder, or copy / move a stream from one "host" to another could come in handy in certain situations.<br /><br />Strange it was then that I accidentally stumbled across a utility published recently by PC Magazine called <a href="http://www.pcmag.com/article2/0,1895,1969420,00.asp" target="_blank">Stream Revealer</a>. Stream Revealer seems to have many of these features. It includes the ability to "View" streams in Text / Hex, the ability to extract streams, and the ability to attach a stream to a file. It also integrates with FileSnoop, another PC Magazine utiltity that allows one to "snoop" or preview the contents of a file.<br /><br />I haven't used the utility as it costs $7.97 to download unless one has a PC Magazine "Utility Library" subscription. Still, if / when one needs the features described above, $7.97 is a heckuva lot cheaper than it would cost to develop the utility one's self...<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/20977280-115542544458834737?l=mygreenpaste.blogspot.com' alt='' /></div>«/\/\Ø|ö±ò\/»®©http://www.blogger.com/profile/04886149439479604072noreply@blogger.com1tag:blogger.com,1999:blog-20977280.post-1155178019856257782006-08-09T19:37:00.000-07:002006-11-12T16:29:04.621-08:00[<b><font color="red">2006-09-29: Related post <a href="http://mygreenpaste.blogspot.com/2006/08/more-on-ntfs-alternate-data-streams.html" target="_blank">here</a>...</font></b>]<br /><br />I was recently exposed to a "White Paper" (love the term...) called "<a href="http://www.globalknowledge.com/training/olm/go.asp?find=wp_datastream&country=United+States" target="_blank">Alternate Data Streams – What’s Hiding in Your Windows NTFS?</a>"<br /><br />I was a bit disappointed as I was hoping to learn a bit more about alternate data streams. I really didn't pick up anything new, aside from the introduction of a few software utilities that can somewhat facilitate manipulation of ADS. A few things in the paper were left unexplored though.<br /><br />The paper states:<br /><blockquote>When you use Microsoft Internet Explorer (at least through version 6) to download and save files from the Internet, the browser creates an ADS called Zone.Identifier. This file contains information about the Internet zone from which the file was downloaded.We have yet to discover why we might need that information, but that is what it does.</blockquote>Without direcly stating that ADS is the underlying mechanism (it only states "The Web content zone information is saved together with the files only if the hard disk uses the NTFS file system"), <a href="http://support.microsoft.com/kb/883260" target="_blank">Description of how the Attachment Manager works in Windows XP Service Pack 2</a> describes what the information in the ADS is used for. Further, this behavior is <i>new</i> with Windows XP Service Pack 2, and was not present in previous versions of IE ("at least through version 6").<br /><br /><p></p>The paper also states:<br /><blockquote>In the Windows XP Windows Explorer, if you choose the View –> Thumbnails option for pictures, it appears to create the thumbnail as an ADS. These files have names similar to {4c8cc155-6c1e-11d1-8e41-00c04fb9386d}. Very informative, as you can see. Note that we are not certain that this is the thumbnail, since we’ve yet to find a way to open one of those files. However, using the utilities discussed above, we can clearly see that choosing View –> Thumbnails creates ADSs behind picture files.</blockquote>I tried to do just what the author described, but I was unable to see any files OR streams named with the {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} convention. It's a GUID, of course - it's not <i>meant</i> to be informative - just unique. The statement about not being able to "find a way to open one of those files" is rather interesting. Try a binary editor or even a simple text editor like Notepad - what's in the stream?<br /><br /><p></p>I decided to do a bit of digging, and found plenty of references to the GUID the author mentioned - {4c8cc155-6c1e-11d1-8e41-00c04fb9386d} - in fact, <a href="http://www.google.com/search?hl=en&amp;q=%224c8cc155-6c1e-11d1-8e41-00c04fb9386d%22" target="_blank">Googling the GUID</a> (alliteration?) yields about 1000 results. That seemed like a lot of hits for a GUID that, based on the author's description, was a filename or stream name for a thumbnail.<br /><br />Turns out that running <a href="http://www.sysinternals.com" target="_blank">FileMon</a> on my system and filtering for "4c8cc155" turns up a bunch of hits (er... misses?) when I start browsing the file system with Windows Explorer. Specifically, an attempt was made to open an ADS named {4c8cc155-6c1e-11d1-8e41-00c04fb9386d} on each folder I browsed to, and each file that I selected. So it would seem that something else is going on here.<br /><br />I wondered what the shell (explorer.exe) would do if it found such a stream on a folder or file, so I made one. Nothing significant happened. Then I tried simply changing the view of a folder (without the ADS {4c8cc155-6c1e-11d1-8e41-00c04fb9386d}) to "Thumbnails". FileMon indicated that explorer.exe tried to open the ADS in question on the folder. Nothing earth shattering here.<br /><br />Next, I created a test folder with a test file - molotov.eee. I did a "Properties" on the file, and hit the Summary tab. I entered some garbage in the Title and Subject fields, and hit "Apply". FileMon showed that explorer.exe indeed created a stream named {4c8cc155-6c1e-11d1-8e41-00c04fb9386d} on molotov.eee. It would appear that our mysterious GUID-named stream is related to the "Summary" metadata that one can specify for most / all files.<br /><br />Interestingly, tossing garbage in the {4c8cc155-6c1e-11d1-8e41-00c04fb9386d} stream causes Explorer to not display the Summary tab when one views the Properties of the subject file. It must not recognize the format, decide that the stream is used for something else, and in the interest of stability or not overwriting data chooses not to provide an interface to view the uninterpretable stream. A 0 byte stream named {4c8cc155-6c1e-11d1-8e41-00c04fb9386d} on a file does not have an impact on whether or not the shell chooses to display the Summary tab in the file's Properties. In fact, the stream that Explorer creates is 0 bytes. The real meat of the Summary information, then, must be in the other stream that's created - the ♣SummaryInformation stream - which does vary in size based on what is entered in the Summary fields.<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/20977280-115517801985625778?l=mygreenpaste.blogspot.com' alt='' /></div>«/\/\Ø|ö±ò\/»®©http://www.blogger.com/profile/04886149439479604072noreply@blogger.com4tag:blogger.com,1999:blog-20977280.post-1155092190073962812006-08-08T19:52:00.000-07:002006-11-12T16:29:04.505-08:00I ran across an article in the Microsoft knowledge base that really got me worrying: <a href="http://support.microsoft.com/kb/324519" target="_blank">PRB: "Can not Access File 'AssemblyName' Because It Is Being Used by Another Process" Error Message in ASP.NET</a>. The shocker is in the <b>CAUSE</b> section: <blockquote><b>CAUSE</b><br />This problem occurs because signed assemblies in the Bin directory are not supported.</blockquote><p></p>What? Where is this documented (besides the KB article)? Why? And what versions of the .NET Framework does this apply to? The KB article states it applies to the .NET Framework 1.1 and 1.0 / ASP.NET 1.1 and 1.0, but the article's "Last Review" was on 2005-09-27 - before the .NET Framework 2.0 / ASP.NET 2.0 was officially released. Is the article simply waiting for an update? <p></p>Another article that makes one wonder if the .NET Framework 2.0 / ASP.NET 2.0 is affected is <a href="http://support.microsoft.com/kb/813833" target="_blank">PRB: "Access Denied" Error Messages When You Do Not Put Strong-Named Assemblies in the Global Assembly Cache</a>. This article's "Last Review" was on 2004-01-24, but it states that it applies to "Microsoft Web Services Enhancements for Microsoft .NET 2.0". I'm probably being way too literal, but couldn't one at least glance at that and think it applies to the .NET Framework 2.0? <p></p>Anyway, Tess Ferrandez writes in her blog "<a href="http://blogs.msdn.com/tess/archive/2006/04/13/575361.aspx" target="_blank">If broken it is, fix it you should</a>":<br /><blockquote>...strong named assemblies, irrespectively of where they are loaded from are loaded into a shared domain (they are domain neutral)... <p></p>...Since the assemblies in the shared domain are not unloaded when the app domain unloads they may get locked if you are unlucky with timing. Locking issues most frequently occur with processes that frequently scan folders such as index server, virus scanning software or backup software... <p></p>...If a strong named assembly is used by multiple web applications and each application grants it varying permissions or if the permission grant varies between application domain restarts, you might see errors like “Assembly <assembly>.dll security permission grant set is incompatible between appdomains”...</blockquote>That would explain the "Why" (<a href="http://support.microsoft.com/kb/813833" target="_blank">article 813833</a> makes a similar statement, but Tess goes into more detail). But it's not clear if the .NET Framework 2.0 / ASP.NET 2.0 is affected until you look at the comments, where Tess states: <blockquote>In 2.0 the assemblies are not loaded domain neutral [...] there was a very specific reason i mentioned 1.1. (and 1.0 for that matter) </blockquote>and<br /><blockquote>the issue is due to the dlls being loaded in the shared domain in 1.0 and 1.1. which no longer occurrs in 2.0 [...]</blockquote>An interesting comment to Tess' post points one to FxCop's <a href="http://www.gotdotnet.com/team/fxcop/docs/rules/Design/AssembliesShouldHaveValidStrongNames.html" target="_blank">AssembliesShouldHaveValidStrongNames rule</a>. FxCop likes assemblies to be signed, but there's nothing that says they have to go in the GAC... Ouch.<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/20977280-115509219007396281?l=mygreenpaste.blogspot.com' alt='' /></div>«/\/\Ø|ö±ò\/»®©http://www.blogger.com/profile/04886149439479604072noreply@blogger.com0tag:blogger.com,1999:blog-20977280.post-1154997385895266942006-08-07T17:27:00.000-07:002006-11-12T16:29:04.340-08:00I have an annoying problem with Outlook 2003 crashing on me sometimes when I shut it down. Usually, if I'm closing Outlook, I'm leaving for the day. That means that I don't necessarily have the time nor the desire to try to figure out what's going on. I just clear the box that wants to restart Outlook, choose not to send the report to Microsoft (sorry!), and go on my merry way.<br /><br />One day, I finally looked into things a bit. I chose to debug the problem, which kicked off VSJITDebugger.exe (Visual Studio Just-In-Time Debugger), and let me pick a new Visual Studio 2005 instance.<br /><br />In the Output window of VS2005, I saw the following and tossed it into a "New Text Document":<br /><span style="font-family:courier;font-size:85%;">&lt;mda:msg xmlns:mda= "http://schemas.microsoft.com/CLR/2004/10/mda"&gt;<br />&lt;!--<br />Attempting managed execution inside OS Loader lock. Do not attempt to run managed code inside a DllMain or image initialization function since doing so can cause the application to hang.<br />--&gt;<br />&lt;mda:loaderLockMsg break="true"/&gt;<br />&lt;/mda:msg&gt;<br />&gt; mscorwks.dll!MdaXmlMessage::SendDebugEvent() + 0x1c8 bytes<br />mscorwks.dll!MdaXmlMessage::SendMessage() + 0xf3 bytes<br />mscorwks.dll!MdaXmlMessage::SendMessagef() + 0xa9 bytes<br />mscorwks.dll!MdaLoaderLock::ReportViolation() + 0x13d bytes<br />mscorwks.dll!CanRunManagedCode() + 0xa64de bytes<br />mscorwks.dll!Unknown_Release() + 0x18 bytes<br />LookoutAddinShim.dll!DllGetClassObject() + 0x1a02 bytes<br />[Frames below may be incorrect and/or missing, no symbols loaded for LookoutAddinShim.dll]<br />LookoutAddinShim.dll!DllGetClassObject() + 0x1974 bytes<br />LookoutAddinShim.dll!DllGetClassObject() + 0x2650 bytes<br />LookoutAddinShim.dll!DllGetClassObject() + 0x3dbb1 bytes<br />LookoutAddinShim.dll!DllGetClassObject() + 0x22033 bytes<br />LookoutAddinShim.dll!DllGetClassObject() + 0x21f67 bytes<br />LookoutAddinShim.dll!DllGetClassObject() + 0x1dd01 bytes<br />LookoutAddinShim.dll!DllGetClassObject() + 0x1df5f bytes<br />ntdll.dll!_LdrpCallInitRoutine@16() + 0x14 bytes<br />ntdll.dll!_LdrUnloadDll@4() + 0x7569 bytes<br />kernel32.dll!_FreeLibrary@4() + 0x19 bytes<br />ole32.dll!CClassCache::CDllPathEntry::CFinishObject::Finish() + 0x25 bytes<br />ole32.dll!CClassCache::CFinishComposite::Finish() + 0x1599e bytes<br />ole32.dll!CClassCache::CleanUpDllsForApartment() + 0x63 bytes<br />ole32.dll!FinishShutdown() + 0x64 bytes<br />ole32.dll!ApartmentUninitialize() + 0x51 bytes<br />ole32.dll!wCoUninitialize() + 0x3f bytes<br />ole32.dll!_CoUninitialize@0() + 0x52 bytes<br />OUTLLIB.DLL!DllCanUnloadNow() + 0x13062 bytes<br />OUTLLIB.DLL!RenExitInstance@0() + 0x204 bytes<br />kernel32.dll!_BaseProcessStart@4() + 0x23 bytes</span><br /><br />And of course I had to get going by the time all of the symbols were loaded, etc, so I closed the debugger and left for the day. But the output above seems to point to <a href="http://www.microsoft.com/downloads/details.aspx?familyid=09b835ee-16e5-4961-91b8-2200ba31ea37&displaylang=en" target="_blank">Lookout</a> doing something naughty inside of the OS loader lock. (A list of naughty things can be found in the <a href="http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dllproc/base/dllmain.asp" target="_blank">documentation for DllMain</a> and "DllMain Restrictions" in "<a href="http://msdn.microsoft.com/library/en-us/dv_vstechart/html/vcconMixedDLLLoadingProblem.asp?frame=true#vcconmixeddllloadingproblemanchor3" target="_blank">Mixed DLL Loading Problem</a>".) I assume the message above is the implementation of the "Proposed Long-Term Solution" described in "<a href="http://msdn.microsoft.com/library/en-us/dv_vstechart/html/vcconMixedDLLLoadingProblem.asp?frame=true#vcconmixeddllloadingproblemanchor6" target="_blank">Mixed DLL Loading Problem</a>":<br /><blockquote>In addition to providing the managed module initializer mechanism to fix the loader lock problem in newly compiled images, this solution also provides checks to prevent the common language runtime from executing unsafe images that may have been built with old tools.</blockquote>This would make sense, since LookoutAddinShim.dll is a mixed image - it is a COM component with dependencies on MSCOREE.DLL. In my case, it is using the .NET Framework 2.0, which presumably has incorporated the "Proposed Long-Term Solution" described in "<a href="http://msdn.microsoft.com/library/en-us/dv_vstechart/html/vcconMixedDLLLoadingProblem.asp?frame=true#vcconmixeddllloadingproblemanchor6" target="_blank">Mixed DLL Loading Problem</a>" as it certainly is "the next version of the common language runtime (after version 1.1)".<br /><br />Generally, the "OS loader lock" issue is best dealt with by following the instructions specified in the Managed Extensions for C++ Reference at "<a href="http://msdn.microsoft.com/library/default.asp?url=/library/en-us/vcmex/html/vcconconvertingmanagedextensionsforcprojectsfrompureintermediatelanguagetomixedmode.asp" target="_blank">Converting Managed Extensions for C++ Projects from Pure Intermediate Language to Mixed Mode</a>".<br /><br />I should note that I'm not sure what specifically caused Outlook to crash - the above is just a message that was in the Output window in Visual Studio 2005. It may or may not be the culprit.<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/20977280-115499738589526694?l=mygreenpaste.blogspot.com' alt='' /></div>«/\/\Ø|ö±ò\/»®©http://www.blogger.com/profile/04886149439479604072noreply@blogger.com3tag:blogger.com,1999:blog-20977280.post-1154741510405859482006-08-04T18:29:00.000-07:002006-11-12T16:29:04.183-08:00So I've been messing with the <a href="http://www.microsoft.com/downloads/details.aspx?familyid=5A14E870-406B-4F2A-B723-97BA84AE80B5&displaylang=en" target="_blank">Enterprise Library for .NET Framework 2.0 - January 2006</a> a bit lately (see also <a href="http://www.gotdotnet.com/codegallery/codegallery.aspx?id=295a464a-6072-4e25-94e2-91be63527327" target="_blank">patterns &amp; practices: Enterprise Library: Home</a>). Since I'm using strong-named assemblies, I needed to sign the assemblies from the Enterprise Library in order to use them. It seems, however, that this scenario was given little thought since it is quite tedious to do this. Ultimately, through sheer brute force I did manage to get them signed using a key container rather than a key file. Here's how...<br /><br /><br /><p>Use Windows' "Search" function to find *.csproj in the root installation folder for the Enterprise Library ("C:\Program Files\Microsoft Enterprise Library January 2006" by default) and all sub-folders. Select all of the files (102 of them), right-click, and choose "Properties". Click the box to clear the "Read-only" check box, and "OK" the changes.<br /><a href="http://photos1.blogger.com/blogger/1005/2117/1600/FIF1.jpg" target="_blank"><img style="FLOAT: right; MARGIN: 0px 10px 10px 0px; CURSOR: hand" alt="" src="http://photos1.blogger.com/blogger/1005/2117/320/FIF1.jpg" border="0" /></a><br />Then, open Visual Studio 2005 and use the "Find In Files" feature to find files containing a space, of type *.csproj, in the root installation folder for the Enterprise Library (again, "C:\Program Files\Microsoft Enterprise Library January 2006" by default) and all sub-folders. Also tick the "Display file names only" box. <p><br />The names of the 102 files will display in the "Find Results 1" area. In each (EACH!) CSPROJ project file, add <span style="font-family:courier;font-size:85%;">&lt;KeyContainerName&gt;ContainerName&lt;/KeyContainerName&gt;</span> to the first <span style="font-family:courier;">&lt;PropertyGroup&gt;</span> section, as described in <a href="http://mygreenpaste.blogspot.com/2006/08/signing-assemblies-in-visual-studio.html" target="_blank">Signing Assemblies in Visual Studio 2005 with Key Containers </a>. If I wouldn't have been so adept at the "click, paste, F8" trio (position the iBeam, paste the key container blurb, go to the next CSPROJ file), I probably would have automated the process with some code or something. Anyway, if this is all one does and one saves the files and then tries to build the Enterprise Library, one gets several <a href="http://msdn2.microsoft.com/en-us/library/ms228237.aspx" target="_blank">CS1726</a> compiler errors. <p><b>Compiler Error CS1726 Error Message</b><br /><i>Friend assembly reference 'reference' is invalid. Strong-name signed assemblies must specify a public key token in their InternalsVisibleTo declarations.</i> <p>To get past the CS1726 errors, more details need to be added to the "InternalsVisibleTo" attribute for various assemblies - specifically, the public key. The public key can be obtained by starting a Visual Studio 2005 Command Prompt or SDK Command Prompt and using SN.EXE (the "Microsoft (R) .NET Framework Strong Name Utility") to extract the public key from the key container:<br /><span style="font-family:courier;">sn -pc ContainerName PubKeyFile</span><br /><br />Then, SN.EXE is used again to display the public key:<br /><span style="font-family:courier;">sn -tp PubKeyFile</span> <p></p>Copy the public key from the console to the clipboard and paste it into Notepad to do a bit of massaging. While you're at it, prefix the public key with ", PublicKey=" so you have something that looks like:<br /><span style="font-size:85%;"><span style="font-family:courier;">, PublicKey=002400000480000[...]559ea </span><i>[truncated for brevity]</i></span><br /><br />Copy that whole blurb to the clipboard. Next, use Windows' Search function to find all files named "AssemblyInfo.cs" in the root installation folder for the Enterprise Library and all sub-folders, containing the text "InternalsVisibleTo". Again, select all of the files (15 of them), right-click, and choose "Properties". Click the box to clear the "Read-only" check box, and "OK" the changes.<br /><br />Then, bring up "Find In Files" in Visual Studio 2005 again, and search the root installation folder for the Enterprise Library for files named AssemblyInfo.cs containing "InternalsVisibleTo". Again, make sure the "Display file names only" box is checked. There should be 15 hits, but note that some files have more than one "InternalsVisibleTo" attribute. Place the iBeam in the attribute after the assembly name, and paste the public key. The attribute should change from something like:<br /><span style="font-family:courier;font-size:85%;">[assembly: InternalsVisibleTo( "Microsoft.Practices.<br />EnterpriseLibrary.Caching.Tests" )]</span><br /><br /><p></p>to something like:<br /><span style="font-size:85%;"><span style="font-family:courier;">[assembly: InternalsVisibleTo( "Microsoft.Practices.EnterpriseLibrary.<br />Caching.Tests, PublicKey=002400000480000[...]559ea" )]</span> <i>[truncated for brevity]</i></span><br /><br />Change all of the files, save the changes, and build the Enterprise Library. The library should now build successfully.<br /><br /><br /><p></p>Note that you can use the "Build Enterprise Library" shortcut in the "Microsoft patterns & practices\Enterprise Library - January 2006" program group, but by default it builds a debug configuration. To build the release configuration, open a Visual Studio 2005 Command Prompt or SDK Command Prompt, navigate to the root installation folder for the Enterprise Library, and run BuildLibrary.bat specifying "Release":<br /><span style="font-family:courier;">BuildLibrary Release</span><br /><br />Then, to copy the assemblies to the bin folder, run CopyAssemblies.bat, also specifying "Release":<br /><span style="font-family:courier;">CopyAssemblies Release</span><br /><br />To copy the assemblies elsewhere, supply the location to CopyAssemblies.bat, like:<br /><span style="font-family:courier;">CopyAssemblies Release C:\EntLibJan2006</span><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/20977280-115474151040585948?l=mygreenpaste.blogspot.com' alt='' /></div>«/\/\Ø|ö±ò\/»®©http://www.blogger.com/profile/04886149439479604072noreply@blogger.com2tag:blogger.com,1999:blog-20977280.post-1154399570147390492006-08-03T07:21:00.000-07:002006-11-12T16:29:03.808-08:00I noted the following the other day when I was doing some C# development...<br /><p>If one creates a new "Windows Application" and examines AssemblyInfo.cs, it has the following content:<br /><span style="font-family:Courier;"><br />// Version information for an assembly consists of the following four values:<br />//<br />// Major Version<br />// Minor Version<br />// Build Number<br />// Revision<br />//<br />[assembly: AssemblyVersion( "1.0.0.0" )]<br />[assembly: AssemblyFileVersion( "1.0.0.0" )]<br /><br /></span>However, if one creates a new "Class Library" and examines AssemblyInfo.cs, one sees the following:<br /><span style="font-family:Courier;"><br />// Version information for an assembly consists of the following four values:<br />//<br />// Major Version<br />// Minor Version<br />// Build Number<br />// Revision<br />//<br />// You can specify all the values or you can default the Revision and Build Numbers<br />// by using the '*' as shown below:<br />[assembly: AssemblyVersion( "1.0.0.0" )]<br />[assembly: AssemblyFileVersion( "1.0.0.0" )]</span><br /></p><p>Of course, the '*' notation in the comments for the Class Library (in this case, at least) that incorrectly indicates the '*' is "shown below" is a remnant of Visual Studio .NET 2002 and Visual Studio .NET 2003, where the default for the AssemblyVersion attribute was a value like "1.0.*". </p><p>According to the <a href="http://msdn2.microsoft.com/en-us/library/system.reflection.assemblyversionattribute.assemblyversionattribute.aspx" target="blank">AssemblyVersionAttribute Constructor</a> on MSDN, specifying "1.0.*" sets the "build number" value to be equal to the number of days since January 1, 2000 local time, and "revision" to be equal to the number of seconds since midnight local time, divided by 2. Specifying "1.0.1.*" sets the "revision" to be equal to the number of seconds since midnight local time, divided by 2.</p>To remove the minor inaccuracy, one could probably change the inaccurate comment by modifying the project template at either %PROGRAMFILES%\Microsoft Visual Studio 8\Common7\IDE\ProjectTemplatesCache\CSharp\Windows\1033\ClassLibrary.zip\AssemblyInfo.cs, or AssemblyInfo.cs in %PROGRAMFILES%\Microsoft Visual Studio 8\Common7\IDE\ProjectTemplates\CSharp\Windows\1033\ClassLibrary.zip. Alternatively, one could change the values of AssemblyVersion and AssemblyFileVersion...<br /><br />»<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/20977280-115439957014739049?l=mygreenpaste.blogspot.com' alt='' /></div>«/\/\Ø|ö±ò\/»®©http://www.blogger.com/profile/04886149439479604072noreply@blogger.com0tag:blogger.com,1999:blog-20977280.post-1154400171887244222006-08-02T07:34:00.000-07:002006-11-12T16:29:03.922-08:00When signing an assembly, I prefer to use key containers rather than key files. Just specify a key name in AssemblyKeyName and the assembly is signed with that key provided that it has been installed on the machine. Installing the key into a key container is easy. Take the keyfile (keyfile.snk) obtained by running <span style="font-family:courier;">sn -k keyfile.snk</span> from a Visual Studio / SDK Command Prompt and run it with <span style="font-family:courier;">sn -i keyfile.snk keycontainer</span>. Set AssemblyKeyName in AssemblyInfo.cs to "keycontainer" (<span style="font-family:courier;">[assembly: AssemblyKeyName("keycontainer")]</span>) and the assembly will be signed with the key in keycontainer. <p>At least, that's how it worked in Visual Studio .NET 2002 and Visual Studio .NET 2003. In Visual Studio 2005, if one uses the AssemblyKeyName attribute in AssemblyInfo.cs, one gets the following warning:<br /><br /><span style="font-family:courier;">Properties\AssemblyInfo.cs(16,12): warning CS1699: Use command line option '/keycontainer' or appropriate project settings instead of 'AssemblyKeyName'</span><br /></p><p>This is fine, except a reason we'll get into later. If one looks up C# compiler warning <a href="http://msdn2.microsoft.com/en-us/library/xh3fc3x0.aspx" target="_blank">CS1699 in the VC# Reference</a>, one will note that "Prior to Microsoft Visual C# 2005, you specified the key file using CLR attributes in source code. These attributes are now deprecated". The warning description goes on to list security, usability, and decreased compiler efficiency as reasons for the deprecation. </p><p>Now, the reference page for CS1699 also states "Beginning in Microsoft Visual C# 2005, you should use the Signing Page of the Project Designer or the Assembly Linker to specify the key". The problem here is that the "Signing Page" has no place to specify a key container!<br /><a href="http://photos1.blogger.com/blogger/1005/2117/1600/SigningPage.3.jpg"><img style="CURSOR: hand" alt="" src="http://photos1.blogger.com/blogger/1005/2117/320/SigningPage.3.jpg" border="0" /></a><br /><br /><br />CS1699's documentation points one to a page titled "<a href="http://msdn2.microsoft.com/en-us/library/5b92wy0h.aspx" target="_blank">/keycontainer (Specify Strong Name Key Container) (C# Compiler Options)</a>". On that page one finds the following tasty morsel:<br /><br /><b>To set this compiler option in the Visual Studio development environment</b><br /><li>This compiler option is not available in the Visual Studio development environment</li><br /><br />Well, that would explain how this can lead to an increase in compiler efficiency! <g><br /><br />You can't specify any additional options to the C# compiler via the IDE, and there's no way to specify a keycontainer on the "Signing Page".<br /><p>Luckily, there is a way to specify a keycontainer without using the AssemblyKeyName attribute. One needs to close the C# project and open up the .csproj file for the particular project in an XML editor ("Notepad"). In the first &lt;PropertyGroup&gt; element one can add the following line, replaing [containername] with the name of the key container one wishes to use:<br /><br /><span style="font-family:courier;">&lt;KeyContainerName&gt;[containername]&lt;/KeyContainerName&gt;</span><br /><br />Note that as tempting as it may be, you need to leave the value of the "SignAssembly" element as false. Apparently, "SignAssembly" really means "use an assembly key file".</p><p>Open up the project again and build the assembly, and it should be signed with the key that was installed into the container specified in the KeyContainerName.<br /><p>»</p><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/20977280-115440017188724422?l=mygreenpaste.blogspot.com' alt='' /></div>«/\/\Ø|ö±ò\/»®©http://www.blogger.com/profile/04886149439479604072noreply@blogger.com3tag:blogger.com,1999:blog-20977280.post-1153970335752403812006-08-01T06:01:00.000-07:002006-11-12T16:29:03.688-08:00See other "interesting" posts about Community Solutions articles <a href="http://mygreenpaste.blogspot.com/2006/07/juvenile-life-without-art.html" target="blank">here</a> and <a href="http://mygreenpaste.blogspot.com/2006/06/loss-of-unsaved-user-data-by-design.html" target="blank">here</a>.<br /><br />The "<a href="http://www.microsoft.com/windowsserver2003/community/centers/terminal/default.mspx" target="blank">Welcome to the Terminal Services Community</a>" page on Microsoft.com currently has a bunch of interesting links in the "Windows Server Solutions by MVPs" section: <ul><li><a href="http://support.microsoft.com/kb/555626/en-us" target="blank">TT-Template</a> <li><a href="http://support.microsoft.com/kb/555679/en-us" target="blank">http://support.microsoft.com/kb/555679/en-us</a> <li><a href="http://support.microsoft.com/kb/555681/en-us" target="blank">.net test article</a> <li><a href="http://support.microsoft.com/kb/555627/en-us" target="blank">TT-Template</a></li></ul>The TT-Template pages are rather identical and differ only by KB number (<a href="http://support.microsoft.com/kb/555626" target="blank">555626</a> and <a href="http://support.microsoft.com/kb/555627" target="blank">555627</a>). The <a href="http://support.microsoft.com/kb/555681" target="blank">.net test article</a> is quite concise, and <a href="http://support.microsoft.com/kb/555679" target="blank">555679</a> just happens to be the article I posted about <a href="http://mygreenpaste.blogspot.com/2006/07/juvenile-life-without-art.html" target="blank">here</a>.<br /><br />»<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/20977280-115397033575240381?l=mygreenpaste.blogspot.com' alt='' /></div>«/\/\Ø|ö±ò\/»®©http://www.blogger.com/profile/04886149439479604072noreply@blogger.com0tag:blogger.com,1999:blog-20977280.post-1153969215654404442006-07-31T07:29:00.000-07:002006-11-12T16:29:03.511-08:00Was having a very annoying problem with SQL Server 2000 on a development box the other day. I would stop MSSQLSERVER but when I tried to restart it, I couldn't:<br /><span style="font-family:courier new;font-size:85%;">C:\>net stop mssqlserver<br />The MSSQLSERVER service is stopping.<br />The MSSQLSERVER service was stopped successfully.<br /><br />C:\>net start mssqlserver<br />The MSSQLSERVER service is starting.<br />The MSSQLSERVER service could not be started.<br /><br />The service did not report an error. </span><br /><br />That wasn't helpful so I turned to the Event Viewer where I found the following error events:<br /><span style="font-family:courier new;font-size:85%;">Event Type: Error<br />Event Source: MSSQLServer<br />Event Category: (8)<br />Event ID: 19011<br />Date: 7/25/2006<br />Time: 10:17:01 AM<br />User: N/A<br />Computer: COMPNAME<br />Description:<br />SuperSocket info: ConnectionListen(Shared-Memory (LPC)) : Error 5.<br />For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.<br /><br />Event Type: Error<br />Event Source: MSSQLSERVER<br />Event Category: (2)<br />Event ID: 17052<br />Date: 7/25/2006<br />Time: 10:17:01 AM<br />User: N/A<br />Computer: COMPNAME<br />Description:<br />Error: 17826, Severity: 18, State: 1<br />Could not set up Net-Library 'SSNETLIB'.<br />For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.<br />Data:<br />[info containing computer name]<br /><br />Event Type: Error<br />Event Source: MSSQLSERVER<br />Event Category: (2)<br />Event ID: 17055<br />Date: 7/25/2006<br />Time: 10:17:01 AM<br />User: N/A<br />Computer: COMPNAME<br />Description:<br />17120 :<br />SQL Server could not spawn FRunCM thread.<br />For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.<br />Data:<br />[info containing computer name]</span><br /><br />Probably, the first error was causing the next two. But what was really going on? Sounded like something was hanging on to some handle or resource that SQL Server wanted. In search of more info, I checked out<br />C:\Program Files\Microsoft SQL Server\MSSQL\LOG\ERRORLOG which contained the following:<br /><span style="font-family:courier new;font-size:85%;">2006-07-25 10:17:01.38 server Microsoft SQL Server 2000 - 8.00.760 (Intel X86)<br /><br />Dec 17 2002 14:22:05<br />Copyright (c) 1988-2003 Microsoft Corporation<br />Desktop Engine on Windows NT 5.1 (Build 2600: Service Pack 2)<br /><br />2006-07-25 10:17:01.38 server Copyright (C) 1988-2002 Microsoft Corporation.<br />2006-07-25 10:17:01.38 server All rights reserved.<br />2006-07-25 10:17:01.38 server Server Process ID is 3640.<br />2006-07-25 10:17:01.38 server Logging SQL Server messages in file 'C:\Program Files\Microsoft SQL Server\MSSQL\LOG\ERRORLOG'.<br />2006-07-25 10:17:01.40 server SQL Server is starting at priority class 'normal'(1 CPU detected).<br />2006-07-25 10:17:01.40 server Performance monitor shared memory setup failed: -1<br />2006-07-25 10:17:01.66 server SQL Server configured for thread mode processing.<br />2006-07-25 10:17:01.66 server Using dynamic lock allocation. [500] Lock Blocks, [1000] Lock Owner Blocks.<br />2006-07-25 10:17:01.68 spid3 Starting up database 'master'.<br />2006-07-25 10:17:01.83 server Using 'SSNETLIB.DLL' version '8.0.766'.<br />2006-07-25 10:17:01.83 spid5 Starting up database 'model'.<br />2006-07-25 10:17:01.88 server SQL server listening on .<br />2006-07-25 10:17:01.88 server Error: 17826, Severity: 18, State: 1<br />2006-07-25 10:17:01.88 server Could not set up Net-Library 'SSNETLIB'..<br />2006-07-25 10:17:01.88 server Unable to load any netlibs.<br />2006-07-25 10:17:01.88 server SQL Server could not spawn FRunCM thread.</span><br /><br />I'm guessing the "Performance monitor shared memory setup failed: -1" corresponded to the first message in the Event Log ("SuperSocket info: ConnectionListen(Shared-Memory (LPC)) : Error 5."), and the other two Event Log messages appear in the ERRORLOG.<br /><br />This made it look like SQL Server couldn't acquire a resource (Access denied, according to the first Event Viewer message) related to shared memory used for performance monitoring. On a whim, I closed SQL Server Enterprise Manager and tried to start SQL Server again. This time, it worked.<br /><br />The log details provide information that indicates that the system is <a href="http://support.microsoft.com/dllhelp/?fid=98175&l=55&amp;det=1" target="blank">running SQL Server 2000 SP3</a>. The <a href="http://support.microsoft.com/kb/888799/" target="blank">SQL Server 2000 SP4 Fix List</a> doesn't include any descriptions that seem to indicate the problem is fixed in SP4, and I won't have the opportunity to apply SP4 any time soon to see so I suppose I'll just have to deal with it by closing Enterprise Manager before restarting SQL Server.<br /><br />»<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/20977280-115396921565440444?l=mygreenpaste.blogspot.com' alt='' /></div>«/\/\Ø|ö±ò\/»®©http://www.blogger.com/profile/04886149439479604072noreply@blogger.com4tag:blogger.com,1999:blog-20977280.post-1153868557311417102006-07-30T04:02:00.000-07:002006-11-12T16:29:03.404-08:00<a href="http://www1.rfidjournal.com/article/view/2201/" target="blank">Can Tag Viruses Infect RFID Systems?</a> reports on a study that warns that RFID middleware and applications may be vulnerable to viruses.<br /><br />»<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/20977280-115386855731141710?l=mygreenpaste.blogspot.com' alt='' /></div>«/\/\Ø|ö±ò\/»®©http://www.blogger.com/profile/04886149439479604072noreply@blogger.com0tag:blogger.com,1999:blog-20977280.post-1153868509995263532006-07-29T16:01:00.000-07:002006-11-12T16:29:03.285-08:00<a href="http://support.microsoft.com/kb/923101/" target="blank">Microsoft Knowledge Base Article 923101</a> (<b>Error message when you try to install security update 917283 on a computer that is running Windows Server 2003 x64 Edition: "Error 1324. The folder 'Program Files' contains an invalid character</b>") details a heinous resolution to a problem installing the ASP.NET 2.0 patch covered in <a href="http://www.microsoft.com/technet/security/bulletin/ms06-033.mspx" target="blank">Microsoft Security Bulletin MS06-033</a> - <a href="http://support.microsoft.com/kb/917283" target="blank"><b>Vulnerability in ASP.NET Could Allow Information Disclosure (917283)</b></a>. <p>Basically, one needs to "temporarily unmount any drive volumes that you do not require", and the article includes the steps one should go through. The step-by-step instructions only mention "CD-ROM and DVD drive volumes" - I wish the article was clearer on precisely which volumes should be unmounted. Anyway, the next step is installing the the 917283 update, followed by a possible reboot. The last step is to "remount the drive volumes" (assigning the CD-ROM and DVD drive volumes their original drive letters). <p>I would <i>love</i> to know what the real problem is, and how this fixes it. <p>Error 1324 (sometimes referenced as <b>-</b>1324) seems to correspond to "The path" or "The folder" or "The folder path" "&lt;path&gt; contains an invalid character", which is the message described in article 923101. According to <a href="http://msdn.microsoft.com/library/default.asp?url=/library/en-us/msi/setup/windows_installer_error_messages.asp" target="blank">Windows Installer Error Messages</a>, the message associated with 1324 is <i>"The folder path '[2]' contains an invalid character"</i>. <p>Good thing 923101 only applies to x64 editions of Windows Server 2003.<br /><br />»</p><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/20977280-115386850999526353?l=mygreenpaste.blogspot.com' alt='' /></div>«/\/\Ø|ö±ò\/»®©http://www.blogger.com/profile/04886149439479604072noreply@blogger.com1tag:blogger.com,1999:blog-20977280.post-1153868455922910882006-07-28T15:57:00.000-07:002006-11-12T16:29:03.150-08:00I was working on an ASP.NET application when I started getting the following message while building: <br/><br /><blockquote><span style="font-family:courier new;font-size:85%;">It is an error to use a section registered as allowDefinition='MachineToApplication' beyond application level. This error can be caused by a virtual directory not being configured as an application in IIS.&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;web.config&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;28</blockquote></span> <p>I tried a few things out, and examined the referenced web.config line, but nothing seemed out of the ordinary.<br /><br />It took me a few minutes to figure out that I was looking at the wrong web.config. I had made a backup copy of the project (no SCCS yet - don't ask) in a subfolder. The web.config referenced in the error message was the backup copy, not the one belonging to the application I was working on. Removing the subfolder / project backup got rid of the message.<br /><br />»</p><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/20977280-115386845592291088?l=mygreenpaste.blogspot.com' alt='' /></div>«/\/\Ø|ö±ò\/»®©http://www.blogger.com/profile/04886149439479604072noreply@blogger.com1