Holy cow, I wrote a book!
One of the recurring themes in the comments to
my explanation of the historical reasons why there are two copies of Notepad
was to use a hard link (or possibly a symbolic link)
to save having to waste the disk space for two whole copies of Notepad.
As I like to say, engineering is about tradeoffs.
Let's look at the cost-benefit analysis.
On the one hand: Install two copies of Notepad. Cost: 68KB of disk space.
On the other hand: Use hard links or symbolic links.
Add support for hard links or symbolic links to the FAT filesystem,
to the operating system Setup program,
to file formats such as the Windows Imaging Format,
and to the various disk duplication systems that system builders
(and corporate customers) use for deploying Windows to thousands
Don't forget to count the cost for design and testing.
Imagine you're the scheduling manager for the Setup team.
Which of these two options do you choose?
68KB of disk space or doing all the work to support hard links
during Setup and then waiting for all
the existing customers to upgrade their tools to versions which
support hard links—which could take several years.
Are you going to be the one to have to stand up in the
Ship Room and say,
"We can't ship Windows because ten of our customers haven't
upgraded their deployment tools yet, and I have no idea how long
we're going to have to wait until they do"?
And for those commenters who said that Windows should just get rid of
one of the copies, you'll be pleased to know that Windows Server 2008
got rid of the copy in the Windows directory.
There is now only one copy¹ of Notepad, and it's the one in the system32
It wasn't long after the product was released that I learned of
a program that hard-coded the one that no longer exists;
I wish the vendors good luck in getting a patch out quickly.
¹Nitpickers not welcome here.
There is only one copy remaining of the two under discussion.
Public Service Announcement:
This weekend marks the start of Daylight Saving Time
in most parts of the United States.
The FILETIME structure records time in the form
of 100-nanosecond intervals since January 1, 1601.
Why was that date chosen?
The Gregorian calendar operates on a 400-year cycle,
and 1601 is the first year of the cycle that was active
at the time Windows NT was being designed.
In other words, it was chosen to make the math come out nicely.
I actually have the email from Dave Cutler confirming this.
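As an added worked example (this is not code from the post, and it assumes nothing beyond the Python standard library), here is the arithmetic behind that choice: the leap rule gives a 400-year cycle of 146097 days, which is an exact number of weeks, so every cycle starts on the same weekday; 1601 opens the cycle that was current while Windows NT was designed; and the 1601 epoch sits exactly 11644473600 seconds before the Unix epoch. That last constant is the one a forensic analyst uses when turning FILETIME values from NTFS or registry timestamps into Unix time, and getting it wrong shifts an entire timeline by 369 years.

```python
"""FILETIME arithmetic: 100-nanosecond ticks since 1601-01-01 00:00 UTC.

Added example, not code from the original post. It checks the
400-year-cycle claim and converts between FILETIME and Unix time.
Only the Python standard library is used.
"""
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000  # one tick is 100 ns

# Seconds between the two epochs: 134774 days * 86400 s/day = 11644473600.
EPOCH_DELTA_SECONDS = int((UNIX_EPOCH - FILETIME_EPOCH).total_seconds())


def days_in_gregorian_cycle():
    """Days in one 400-year Gregorian cycle, derived from the leap-year rule."""
    leap_years = 400 // 4 - 400 // 100 + 400 // 400  # 100 - 4 + 1 = 97
    return 400 * 365 + leap_years                     # 146097


def cycle_is_whole_weeks():
    """True if a 400-year cycle is an exact number of weeks (146097 = 7 * 20871)."""
    return days_in_gregorian_cycle() % 7 == 0


def cycle_start(year):
    """First year of the 400-year cycle containing `year`, counting from 1601."""
    return 1601 + ((year - 1601) // 400) * 400


def epoch_weekday():
    """Weekday name of 1601-01-01; since cycles are whole weeks, 2001-01-01 matches."""
    return FILETIME_EPOCH.strftime("%A")


def filetime_to_unix(ft):
    """Convert a 64-bit FILETIME tick count to seconds since 1970-01-01 UTC."""
    return ft / TICKS_PER_SECOND - EPOCH_DELTA_SECONDS


def unix_to_filetime(unix_seconds):
    """Inverse of filetime_to_unix (rounded to the nearest tick)."""
    return int(round((unix_seconds + EPOCH_DELTA_SECONDS) * TICKS_PER_SECOND))


def filetime_to_datetime(ft):
    """Convert ticks to an aware datetime; ticks finer than 1 us are dropped."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def filetime_to_iso(ft):
    """ISO 8601 rendering of a FILETIME, e.g. for a timeline export."""
    return filetime_to_datetime(ft).isoformat()


def split_filetime(ft):
    """Split a tick count into the (dwLowDateTime, dwHighDateTime) pair the
    FILETIME struct stores on disk."""
    return ft & 0xFFFF_FFFF, (ft >> 32) & 0xFFFF_FFFF


def join_filetime(low, high):
    """Rebuild the 64-bit tick count from the two 32-bit halves."""
    return (high << 32) | low


if __name__ == "__main__":
    y2k = unix_to_filetime(946684800)  # 2000-01-01T00:00:00Z as Unix time
    print("400-year cycle:", days_in_gregorian_cycle(), "days")
    print("cycle containing 1989 starts in", cycle_start(1989))
    print("1601-01-01 was a", epoch_weekday())
    print("2000-01-01 as FILETIME:", y2k, "->", filetime_to_iso(y2k))
```

The `split_filetime` and `join_filetime` helpers matter in practice: the on-disk structure is two 32-bit halves, and reading them as a signed pair or in the wrong order is the usual source of nonsense dates when parsing raw metadata.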
The winner completes the race in just ten minutes and seven seconds,
but the vertical climb is a killer:
Straight up the 1576 steps of the
Empire State Building to the Observation deck.
(When I visit the Observation Deck of the Empire State Building,
I use the elevator.)
And when it's over, everybody goes to work.
What else am I going to do,
like go celebrate?
Am I going to go have martinis at 11:30 in the morning?
You slink into work and you sit at your desk,
and you work all day,
and when you're done you stand up and your back is stiff,
and you call your wife,
and you get yelled at, and you go home to your three kids.
Just like another day.
I may regret this, but here's something new: A caption contest.
One of my colleagues saw this picture on a company's Web site.
The original caption for this picture was something like
Join our affiliate program
Score big with our affiliate program.
Your mission is to come up with something funnier.
Here are some ideas to get you started:
Now it's your turn.
Keep it friendly.
It was interesting to me reading the reactions to my
adventures driving a manual transmission.
People seemed to be spending a lot of time trying to convince me
that if only I were to expend a bit more effort in learning the
finer points of driving a manual transmission and log enough time
behind the wheel,
then the activity will become less taxing on my mental brainpower.
But why should I care?
To me, driving is not an end in itself.
It is just a tool for solving the problem
of getting from point A to point B.
The less I have to learn about how to accomplish this task the better.
It occurred to me as I read commenter after commenter try to convince
me that my own personal priorities were incorrect
that I drive a car the same way most people use a computer.
They don't want to know about the difference between ROM and RAM
or how many floppy disks you can store in a 6 megabit cable modem.
They just want to surf the web,
send email, and look at pictures of their grandchildren.
(Okay, they may want to do other stuff too, but knowing the
difference between PIO and DMA is definitely not on the list.)
There's no point trying to get these people to learn all these
details about how computers work because they don't care.
They just want to know where they need to click to see
that picture of baby Annie.
You can even tell them that the way they're doing it is suboptimal
and there's a much more powerful way to view those pictures
which also gives them the ability to alter the gamma curve and
apply the correct color adjustment to the image to match their monitor's
but they won't care.
And I don't blame them.
Because I don't care either.
Defense in depth is about protecting against threats that are already
being protected against,
just in case the existing protection fails.
This is why there is not merely a lock on your safety deposit box,
but also a lock on the door to the safety deposit box room,
and then a lock on the doors of the bank itself.
This is why you wear your seat belt even though the car is
equipped with air bags.
This is why
factories have multiple safety systems.
It's why, when you put away a gun,
you set the safety and remove the ammunition
and lock the gun case.
An insistent anonymous commenter
refused to believe in this principle
and couldn't distinguish between
the absence of a known security vulnerability
and the potential for one,
believing that security is a boolean value,
that you're either secure or you're insecure,
and that if two systems are identical except that the second system
has an additional safety check, this is proof that
the first system must have been insecure.
As I described in the comments to the article,
there is the potential for bad things to happen
if a COM data object is allowed into the process.
Even though the CSRSS process never calls any of the
potentially dangerous functions in a dangerous way,
the potential for some other flaw to result in dangerous behavior
creates enough risk that the trade-off tipped toward
removing the potential for problems,
even though the potential is currently (and hopefully will always
Remember that one of the guidelines of security is that
the more valuable the target, the more effort you put into
In this case, CSRSS runs
with System security privileges, which is even higher
You want to erect a lot of barriers for this puppy.
It's like a hospital that has the rule "No cell phones allowed
in hospital rooms because they may interfere with the equipment."
The staff instruct you to leave your phone outside,
but you insist that your phone does not pose a problem because
it's turned off,
and besides, it doesn't use the same radio frequency as the
Tough. Defense in depth.
Even if it's turned off, even if it uses a different radio frequency,
they won't let it into the room.
The same thing is true with data objects.
CSRSS is careful to extract only the information it needs,
but that's like walking into a hospital room
with a cell phone whose antenna has been switched off.
Sure, the antenna is off, but somebody might bump into
you and accidentally turn it on,
or there may be some software flaw in the phone that causes
it to turn on spontaneously.
Sure, you might argue that those failures aren't your fault,
so you shouldn't be blamed for them,
but try telling that to the person whose monitoring equipment
failed to notify the hospital staff of an irregular heartbeat.
People who study security vulnerabilities have quite a
wide array of tricks available to them once they find even
the tiniest crack.
Even something as simple as a null pointer fault
(in itself just a denial of service and not a source of pwnage)
can be combined with other techniques and become
a full-fledged exploit.
For example, even though your cell phone antenna is off,
its Bluetooth transceiver may still be on, and somebody might
be able to hack into your Bluetooth headset and convince it
to tell the cell phone,
"Hey, I'd like to make a call. Please turn on your antenna."
Even though this is a security flaw in the Bluetooth headset,
it was used as a stepping stone into hacking your cell phone.
There's also the possibility that you
simply forgot that you had set a text message for delayed delivery,
causing the phone to turn on its antenna
when the delivery time is reached.
You messed up, and now somebody is in intensive care.
As of this writing,
there is no known exploit for drag and drop into console windows,
but since drag and drop uses highly extensible technology
(namely COM and data objects),
the possibility that one of those extension points may be used as an attack
vector was deemed too great a risk compared to the benefit of the feature.
The anonymous commenter concludes,
Now if this is not a security hole,
then either Csrss doesn't execute code in OLE objects it receives,
or it doesn't accept any OLE objects received,
or isn't able to receive OLE objects at all. Which one is it?
CSRSS does not execute untrusted code in OLE objects it receives,
but the fact that OLE objects are in the CSRSS process at all
gives the security folks the heebie-jeebies.
Although there is no known security hole,
there is great potential for a security hole,
and that's the reason for removing the potentially dangerous code from CSRSS
even though it is (in theory) never executed.
I bet you'd be nervous if somebody pointed a loaded gun at you
even though the safety is engaged.
Other discussion of defense in depth, including more examples:
Commenter Phil Quirk notes via the suggestion box,
"MoveWindow is just a weird function.
I guess it's easier to call than SetWindowPos,
but that's the only thing it seems to have going for it."
Yup, that's about right.
The MoveWindow function doesn't really do anything
you couldn't already do yourself with SetWindowPos.
It's just a convenience function.
And if you look at it pretty closely, it's really not that big
of a convenience either, saving you one parameter
and replacing the flag SWP_NOREDRAW with a boolean
It shouldn't take too much imagination to figure out how
this situation came about.
It's the same reason why you have both
CreateWindow and CreateWindowEx.
When you view a folder for the first time,
Explorer arranges the items in a nice default pattern.
And when items are added to the folder,
they get added to the end.
And when you delete an item from the folder...
the other items auto-arrange to close the gap?
But wait, if you look at the View options,
the Auto-Arrange option is not set.
So are we auto-arranging or not auto-arranging?
Well, yes, but only until you touch it.
As long as you express no interest in the placement of icons
in a folder (and the desktop counts as a folder),
then Explorer will auto-arrange them.
But once you move an icon around,
Explorer will turn off its double secret auto-arrangement
and leave the icon arrangement to you.
this mode is known as
Here is a collection of
brief messages not worthy of a full blog entry.
I think I'm going to call it macro-tweeting.
In economics, the attributive adjective year-over-year
means compared to the same time last year.
"Year-over-year sales show a marked improvement."
"Expenses continue to fall year over year."
(The hyphens disappear when the adjective is used predicatively.)
I have only one citation, but it appears that the term has broadened
its meaning inside Microsoft and is now merely a synonym for annual
or year after year.
We hold decision-makers accountable year over year
for carrying out their plan.
There is no obvious compared to the same time last year
going on here.
It's not like you are 15% more accountable this year than you were last year.
Rather, the sentence merely says that reviewing how well the
decision-makers are carrying out the plan takes place every year.
(It may not be clear from the sentence above that that's what the
sentence means, but it's clearer in the context of the entire
document from which the sentence was extracted.)