December, 2007

  • The Old New Thing

    Throwing a cup of hot water into the air in sub-zero temperatures

    • 21 Comments

    One of my colleagues on a previous team was stationed in Alaska as part of his military service. He said that one of the things people did for a cheap thrill was to take a cup of hot water outside when it was like a bazillion degrees below zero and throw it up into the air. (Things must be really boring in Alaska in the dead of winter.)

    But you have to see it to believe it. And now you can.

  • The Old New Thing

    AppInit_DLLs should be renamed Deadlock_Or_Crash_Randomly_DLLs

    • 26 Comments

    I have no idea why the window manager team added this feature to Windows NT. It basically says, "Hi, use this key to violate all the rules known to mankind about what can legitimately be done in a DllMain function. Oh, and be an attractive malware attack vector, too."

    I've debugged a few crashes that were traced back to the AppInit_DLLs key. What makes them particularly fun is that the offending DLL is usually not on the stack. Rather, the fact that a foreign DLL is being loaded inside USER32's initialization code means that you're violating the rule against calling LoadLibrary inside a DllMain function. The result of this madness is that DLLs get initialized out of order, and typically manifests itself in some DLL crashing trying to use an object (often a critical section) that it is supposed to have initialized in its DLL_PROCESS_ATTACH handler. It crashed because the loader got tricked into initializing DLLs out of order. The dependent DLL received its DLL_PROCESS_ATTACH before the prerequisite DLL.

    I end up looking at these failures because the victim DLL is often a DLL that my group is responsible for.

    The window manager folks came to the same conclusion about AppInit_DLLs, and it doesn't work any more in Windows Vista by default. (Nick Kramer describes how to re-enable it.)

  • The Old New Thing

    Christmas lights in the Dyker Heights neighborhood

    • 9 Comments

    If you come to New York City in December, you'll find the festive Christmas season throughout the town. Skaters wobble beneath the giant tree in Rockefeller Center. Giant snowflakes adorn the upper floors of the Saks Fifth Avenue store while animated Christmas-themed window displays entertain visitors on the ground floor of Saks, as well as Macy's (where Santa takes a roller coaster ride), Lord and Taylor, and many other stores.

    But somewhat overlooked in all this extravagance are the amateur efforts of the residents of Dyker Heights. (Take the R to 86th then make the 20-minute walk or catch the B64 bus to 11th Avenue.) There is no line for tickets; there is no entrance. You just wander through the streets admiring the Christmas lights, inflatable snowmen, Nativity displays, and other decorations, be they tasteful and reverential or (what you're more likely to notice) ostentatious and mind-boggling.

    There were a lot of extravagant displays, but the one that took the cake was the large house with a 15-foot-tall Santa flanked by 20-foot tall nutcracker soldiers, accompanied by two merry-go-rounds and life-size figures waving to passers-by from the upper balcony.

    Visit in the early evening, say from 5pm to 7pm. This hits the sweet spot between "late enough that night has fallen" and "catch them before the lights are turned off." We visited during a weekday and there were barely any people on the streets, and those we saw were locals just out for an evening stroll. There were a few cars driving slowly through the neighborhood, but not enough to disrupt that friendly neighborhood atmosphere. (I suspect things are much different on the weekends.) Remember, this is a residential neighborhood, not a commercial display, so don't make a lot of noise and please respect the residents' privacy.

  • The Old New Thing

    When selecting system colors, match but don't mix

    • 35 Comments

    Here's a question that came in from a customer:

    Is there a way to view all the Windows color schemes at once? We want to display text in the COLOR_BTNTEXT color against a background of COLOR_INACTIVECAPTION, and we want to check that this looks good in all of the themes.

    A mistake I see from some programs is mixing system colors that are not meant to be mixed. The colors I'm talking about are the ones obtained from the GetSysColor function. Here are the text and background color pairs, with a sample of what those colors are on a default install of Windows XP.

    Text Background Sample
    COLOR_WINDOWTEXT COLOR_WINDOW sample
    COLOR_HOTLITE COLOR_WINDOW sample
    COLOR_HIGHLIGHTTEXT COLOR_HIGHLIGHT sample
    COLOR_INFOTEXT COLOR_INFOBK sample
    COLOR_MENUTEXT COLOR_MENU sample
    COLOR_BTNTEXT COLOR_BTNFACE sample
    COLOR_CAPTIONTEXT COLOR_ACTIVECAPTION sample
    COLOR_INACTIVECAPTIONTEXT COLOR_INACTIVECAPTION sample

    If you're going to combine colors, and you need them to contrast against each other (for example, because you're going to draw text with them as the foreground and background colors), choose a pair from one of the rows above. Do not choose colors from different rows because there is no guarantee that they will be readable against each other.

    For example, I like to use black on #71FFFF as my color scheme for highlighted text. I've seen programs which break the above rule and draw text in the COLOR_HIGHLIGHT color against a background of COLOR_WINDOW, on the assumption that the highlight color contrasts against the window color. (They get away with this in the default Windows XP color scheme because the window color is white and the highlight color is medium blue.) Unfortunately, on my machine, this results in text that is extremely painful on the eyes.

    Remember: When it comes to system colors, match. Don't mix.

  • The Old New Thing

    Exploiting the inattentive, episode 3: Confusing movie titles

    • 14 Comments

    In early 1997, the movie Fly Away Home, a film about a teenage girl and her father rescuing a family of geese (inspired by Operation Migration), was released on DVD. the movie was well-reviewed and even earned an Academy Award nomination. The very same weekend, the movie with the very similar name Follow Me Home was released in theaters. Its critical reception was less favorable. Coincidence? Or exploiting the inattentive?

  • The Old New Thing

    Why is my starting directory ignored when I elevate a command prompt?

    • 21 Comments

    Take a shortcut to the command prompt or some other Windows component, right-click it, and select "Run as Administrator." The "Start in" directory from the shortcut is ignored and you are always dropped into the system directory. Why is the starting directory ignored?

    To avoid a category of attacks (current directory attacks).

    According to the dynamic link library search order documentation, the current directory is searched in step five, after the executable directory, and a variety of system-defined directories. If a program calls LoadLibrary and does not pass a fully-qualified path, and the DLL cannot be found in one of the first four locations, the current directory will be searched. An attacker can drop a DLL into a directory and trick you into running a program with that directory as its current directory. When that program tries to load a library that normally doesn't exist, the one the attacker created will be found and loaded. This is bad.

    Note that this behavior applies only to Windows binaries and only if they are launched through an elevation prompt. (Programs that are not a part of Windows do not receive this behavior because compatibility testing showed that third-party application rely heavily on the current directory being preserved across an elevation boundary. For example, installers will unpack their contents into a temporary directory, change to that temporary directory, and then run the main setup program.)

  • The Old New Thing

    What seems obvious today may have been impractical then

    • 25 Comments

    In the discussion of the environment variable problem, BryanK posits that the real mistake was allowing batch files to modify their parent environment in the first place. Instead, they should have run in a sub-process.

    Try saying that when your computer has only 16KB of memory, which is how much memory the original IBM PC came with.

    Heck, try saying that when your operating system doesn't even support sub-processes! It wasn't until MS-DOS 2.0 that the ability to run a process and then regain control after the process exits even existed. MS-DOS 1.0 followed the CP/M model wherein exiting a process freed all the memory in the computer (save for the operating system itself, of course; thank you, nitpickers) and loaded a fresh copy of the command interpreter. There were some checksum hacks to avoid reloading the command interpreter if it didn't appear to have been modified by the program that just exited.

    Besides, if batch files couldn't modify the environment of the command interpreter, the AUTOEXEC.BAT file would be pretty useless.

  • The Old New Thing

    It's amazing you who end up meeting in New York City

    • 18 Comments

    Last night, I had dinner and went bhangra dancing with Larry Page's fiancée's brother's co-worker.

    He's a nice guy.

  • The Old New Thing

    The magical healing properties of safe mode - bonus content

    • 35 Comments

    Okay, so you already read The healing properties of safe mode in TechNet Magazine. Here's the bonus content that was cut for space.

    First, the original title was "The Magical Healing Powers of Safe Mode," but it got trimmed for space reasons. (Ich bin mit der deutschen Übersetzung des ersten Satzes ein bisschen enttäuscht. Die eingeklammerte Phrase bittet um einen von den berühmten nur auf Deutsch gesehenen unverständlich langen adjektivischen Ausdrücken. Anstatt dessen hat der Übersetzer aufgegeben und die Phrase einfach weggelassen. Anderseits benutzt die deutsche Version den ursprünglichen Titel, so vielleicht ist es ja nicht so schlecht.)

    Useless Windows history: The feature now known as safe mode went through many other names before the final name was settled upon.

    • Fail-safe boot
    • FailSafe boot
    • Fail-safe mode
    • Safe mode
  • The Old New Thing

    The Old New Thing (the book) allegedly now stocked at the Microsoft Company Store (Redmond)

    • 14 Comments

    I've been informed that the Redmond branch of the Microsoft Company Store has begun stocking the dead tree edition of my book.

    "But wait, your program isn't printed by Microsoft Press; it's published by Addison-Wesley Professional. I thought the company store only stocked Microsoft Press titles."

    I'm told that this is a pilot program. (And no, I don't know what the success criteria are.)

    When I stopped by the store a few days ago, they were in the process of reorganizing the book section, so not only was my book not up, neither were any others! But it should be there "any day now."

    And remember, I'll gladly sign your book but you have to tell me what to write.

Page 3 of 4 (37 items) 1234