August, 2007

  • The Old New Thing

    Why is the blog's subtitle "Not actually a .NET blog"?


    Based on the feedback from my last CLR week, I think one CLR week a year is about right. Welcome to CLR Week 2007.

    I'll kick off the week with something not actually technical, but which might be puzzling to the newcomers: Why is the blog's subtitle "Not actually a .NET blog"?

    When I started, the blog hosting site for Microsoft technical bloggers was, and this site was consequently located at (The old address still works. Blog backward compatibility, I guess.) It was the .NET folks like Brad Abrams and Chris Brumme who started the big wave of Microsoft blogging in 2003, and when they set me up, they set me up with what they had.

    I chose the subtitle, therefore, because the name implied that all the blogs would be .NET-related, but mine wasn't. The blog moved to and then to, so the .NET assumption no longer applied, but I kept the tag line anyway.

    (If you want something technical for the start of CLR Week, may I recommend this puzzle from Eric Gunnerson on how overloaded functions are resolved in derived classes and this bonus puzzle from Neal Horowitz. Or, if you're more historically-bent, A Brief History of DateTime and A Brief History of DateTime Follow-up.)

  • The Old New Thing

    Things I've written that have amused other people, Episode 4


    One of my colleagues pointed out that my web site is listed in the references section of this whitepaper. It scares me that I'm being used as formal documentation because that is explicitly what this web site isn't. I wrote back,

    I really need to put a disclaimer on my web site.

    Remember, this is a blog. The opinions (and even some facts) expressed here are those of the author and do not necessarily reflect those of Microsoft Corporation. Nothing I write here creates an obligation on Microsoft or establishes the company's official position on anything. I am not a spokesperson. I'm just this guy who strings people along in the hopes that they might hear a funny story once in a while.

    You'd think this was obvious, but apparently there are people who think that somehow what I write has the weight of official Microsoft policy and take my sentences apart as if they were legal documents or who take my articles and declare them to be official statements from Microsoft Corporation.

  • The Old New Thing

    Martina Navratilova's final Wimbledon appearance, and this time she means it


    When I was growing up, our family followed professional tennis on television, and Wimbledon was of course the tennis tournament of the year. During those years, it seemed always to boil down to Martina Navratilova against Chris Evert in the final, and the family's loyalties were split. (I sided with the old guard and pulled for Chris Evert.)

    In this NPR interview, Martina Navratilova talks about her retirement (she really means it this time), looks back at the years she dominated women's tennis, how she and Chris Evert got along off the court, and how she is disappointed with the current generation of players who seem to spend more time posturing than just hitting the ball.

    Although I wasn't a big fan of hers during those years long ago, I've since come around and greatly admire not just Navratilova's accomplishments, but even more her sportsmanship and grace in what has become an increasingly antagonistic sport. So here's a salute to arguably the greatest female tennis player of all time.

  • The Old New Thing

    How do I get the handle of the primary monitor?


    The primary monitor by definition has its upper left corner at (0, 0). Therefore, you can use this function:

    HMONITOR GetPrimaryMonitorHandle()
    {
     // The primary monitor always contains the point (0, 0).
     const POINT ptZero = { 0, 0 };
     return MonitorFromPoint(ptZero, MONITOR_DEFAULTTOPRIMARY);
    }

    To make double extra sure (belt and suspenders), we also tell it, "If you're not sure what monitor to return, give us the primary."

    Sure, this sounds obviously simple, but I actually found somebody who fumbled around in the dark passing intentionally invalid parameters to MonitorFromWindow trying to find one that would return the primary monitor handle. (I've heard this called Programming By Accident.)

  • The Old New Thing

    Bowling coming to Bellevue, and given the location, it's naturally upscale


    The Lincoln Square mall in Bellevue will have a new tenant: An upscale bowling all^H^H^Hlounge. Expected to open before the Christmas holiday season, there will be two bars, full-service dining, lots of big plasma screens, all the stuff that makes bowling better. The lounge will be positioned on the second floor, beneath Parlor Billiards, a business which by a fantastic coincidence has exactly the same business model as the bowling all^H^H^Hlounge, but with billiards instead of bowling. By Christmastime, the 23,900 square foot venue will be the site of strikes, splits, and, no doubt, lots of failed pick-up attempts.

  • The Old New Thing

    Email tip: I don't have my bug numbers memorized


    Far too often I'll get email like this:

    From: X
    Subject: 27183

    Have you started looking at this one yet?

    It may surprise you to learn that I do not memorize all my bug numbers. Please include a brief description of the bug in your message so I have a clue what you're talking about. The bug title is a good start.

    It's like going to a doctor and asking, "What's your opinion on patient 1732?" You'll probably get a better response if you ask, "What's your opinion on Mr. Jenkins, the one in A113 who hit his head on the sidewalk?"

    Addendum (since I know people are going to bring it up): Inside Microsoft, many teams use the defect tracking system to track things other than, well, defects. For those teams, it would more properly be called a "things that will require time" database. Records in the database might be bugs. They might be feature requests. They might be work items. They might be requests for collaboration from customers. I was once on a team that used the defect tracking system to keep track of vacations! Using the defect tracking system to record everything that consumes an employee's time means that you can generate a "How many days of work remain?" report to get a rough idea of how you're doing on your schedule.

    Even teams that use the defect tracking system purely for tracking defects will usually have entries for things that aren't defects. For example, a defect report typically goes into the defect tracking system as soon as the report is received, before it is confirmed to be an actual bug.

    Some teams maintain two databases, one for "potential bugs" and another for "actual bugs" and transfer records to the second database only after the bug has been confirmed. To me, this just seems like a bunch of work for no real benefit. Well, okay, they get to brag about their low bug count since they make it hard to get something into the bug database in the first place. (This strikes me as just playing games with numbers.)

    Addendum 2: I've been told that these useless email subjects are exacerbated by our defect tracking system. When you highlight a record and pick Send Mail, it generates a message whose subject line is... just the record number. Worse, the mail window is modal, so you can't go back to the record and copy/paste text out of it. At least that's what I've been told; I never use the Send Mail option, so I don't know what it does.

  • The Old New Thing

    One would be hard pressed to find a group of characters more in need of a lawyer


    When all you have is a law degree, everything looks like a legal question: The legal issues that arise on Gilligan's Island.

  • The Old New Thing

    It rather involved being on the other side of this airtight hatchway: Executable corruption


    In the category of dubious vulnerability, I submit the following (paraphrased) report:

    I discovered that if I take an EXE file and corrupt its header, then when I try to run the EXE file, the process starts up and then crashes. I used the information in the crash dialog to direct further investigations, noting that the specific crash location could be controlled by modifying particular bytes in the EXE. Finally, I was able to put all the details together to form an exploit: I modified a block of bytes in the EXE file to consist of code which opens a network socket and connects it to a command shell, then modified the header to point to those bytes. When I run the EXE, the exploit code runs, and I can connect to the network socket from another computer and control the command shell.

    Yeah, that's great, but what's the vulnerability? What you did was take a program that you have write permission to and change the code in it to run your exploit. If you can modify an EXE file, then you may as well just replace the entire contents of the file with the bytes of PWNZ0RD.EXE. In other words, modifying bytes here and there is just a very slow, inefficient, and unnecessarily complicated way of doing this:

    copy pwnz0rd.exe victim.exe

    Then when the user runs the infected program, they're really running the PWNZ0RD.EXE program, and your so-called exploit can do whatever it wants. That's a lot easier than trying to modify a dozen bytes here, a dozen bytes there.

    In order to trigger the vulnerability, the user has to run the compromised program, but a program is already arbitrary code. No need to be so sneaky about it. It's sort of a tautology: "Here's my clever way to get the user to run my code. Step 1: Write some code. Step 2: Get the user to run it."

    Of course, if this corrupted EXE file created other types of problems, such as crashing Explorer or triggering a buffer overflow when the user tried to view its properties, then you'd be onto something. Or if you could somehow avoid detection by not altering the digital signature, then that'd be interesting as well. But if the only way to trigger code injection is to run the injected code, then that's not really all that interesting. You just found a roundabout way of creating a Trojan horse.
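
    The report's edits change the file's bytes, so any integrity check over the file notices them, which is why leaving the digital signature unaltered is singled out above as the interesting case. The sketch below is an added example, not code from the original post: it compares a file image against a recorded baseline and reports whether the header's entry point field was moved. It assumes a plain SHA-256 baseline (not Authenticode) and a constructed, non-runnable PE-shaped buffer; all function names are hypothetical.

```python
import hashlib
import struct

def build_sample_image(entry_rva):
    """Constructed, non-runnable PE-shaped buffer: headers only, zero-filled body."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)      # e_lfanew: PE header at 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)        # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)   # AddressOfEntryPoint
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(0x200)

def entry_point_rva(image):
    """Read AddressOfEntryPoint, the header field the report redirected."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # PE signature (4) + COFF header (20) + offset 16 in the optional header
    (rva,) = struct.unpack_from("<I", image, e_lfanew + 4 + 20 + 16)
    return rva

def make_baseline(image):
    return {"sha256": hashlib.sha256(image).hexdigest(),
            "entry_rva": entry_point_rva(image)}

def check_against_baseline(image, baseline):
    """Return findings; an empty list means the file matches the baseline."""
    if hashlib.sha256(image).hexdigest() == baseline["sha256"]:
        return []
    findings = ["sha256 mismatch: file contents changed"]
    try:
        rva = entry_point_rva(image)
    except (ValueError, struct.error) as exc:
        findings.append(f"header no longer parses: {exc}")
    else:
        if rva != baseline["entry_rva"]:
            findings.append(f"entry point moved: {baseline['entry_rva']:#x} -> {rva:#x}")
    return findings

KNOWN_GOOD = build_sample_image(0x1000)       # constructed sample
BASELINE = make_baseline(KNOWN_GOOD)
TAMPERED = build_sample_image(0x1180)         # same bytes, entry-point field changed
TRUNCATED = KNOWN_GOOD[:0x30]                 # corrupted header
for name, img in (("known-good", KNOWN_GOOD), ("tampered", TAMPERED), ("truncated", TRUNCATED)):
    print(name, check_against_baseline(img, BASELINE))
```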

  • The Old New Thing

    The truth about 4/29 the government doesn't want you to know


    With the loss of the Weekly World News, I'll have to rely on the trustworthy Internet to keep me informed of government conspiracies. I happen to be partial to 4/, which uncovers the strange coincidences and inconsistencies in the "official" explanation of the tanker crash and fire on April 29, 2007 that destroyed a highway overpass in the San Francisco Bay Area. (This site is so noteworthy, even The Los Angeles Times sang its praises.)

    My favorite factoid: The only way Governor Schwarzenegger could have gotten to the scene in time was if he was already en route when the explosion occurred, proving that the explosion was no accident.

  • The Old New Thing

    Freudian typo: Enchanced metafiles


    Back in 1993, there was an internal presentation discussing the various new features that were being added to that fancy new version of Windows that ultimately came to be known as Windows 95. In the GDI section, one of the new features was listed as "Enchanced metafiles".

    When the slide went up, you could hear the scattered titters of laughter as each person read and discovered the typographical error. For a few days thereafter, the GDI folks had to endure people stopping by and asking them, "Hey, so how are those enchanced metafiles coming?"
