September, 2010

  • The Old New Thing

    It rather involved being on the other side of this airtight hatchway: If you grant users full control over critical files, then it's not the fault of the system for letting users modify them


    Today's dubious security vulnerability is another example of If you reconfigure your computer to be insecure, don't be surprised that there's a security vulnerability.

    This example comes from by an actual security vulnerability report submitted to Microsoft:

    I have found a critical security vulnerability that allows arbitrary elevation to administrator from unprivileged accounts.

    1. Grant Full Control of the Windows directory (and all its contents and subdirectories) to Everyone.
    2. Log on as an unprivileged user and perform these actions...

    I can just stop there because your brain has already stopped processing input because of all the alarm bells ringing after you read that first step. That first step gives away the farm. If you grant control to the entire contents of the Windows directory to non-administrators, then don't be surprised that they can run around and do bad things!

    "If I remove all the locks from my doors, then bad guys can steal my stuff."

    Yeah, so don't do that. This is not a security vulnerability in the door.

    Bonus chatter: There are many variations on this dubious security vulnerability. Actual vulnerability reports submitted to Microsoft include
    • "First, grant world-write permission to this registry key..."
    • "First, reconfigure Internet Explorer to allow scripting of ActiveX controls not marked safe for scripting..."
    • "On a compromised machine, you can..."

    That last one is impressive for its directness. "Starting on the other side of this airtight hatchway..."

  • The Old New Thing

    Does anybody actually like Brazil nuts?


    Brazil nuts are perhaps best known for floating to the top of a jar of mixed nuts. According to Wikipedia,¹ the reason for the phenomenon is not well understood.

    At least in my house, the reason for the phenomenon is quite clear: Brazil nuts float to the top because nobody in my house likes Brazil nuts. When you reach in and grab a handful of nuts, you toss the Brazil nuts back into the jar, which is why they end up on top.

    A few months ago, I asked "Does anybody actually like Brazil nuts?" A lot of people agreed with my opinion of them, but there was a notable dissenter: Larry Osterman. There is now a symbiotic relationship between my family and Larry Osterman. Every so often, I will skim off the Brazil nuts and bring them to Larry. Both sides win: We get rid of the annoying Brazil nuts, and Larry gets a small bag of Brazil nuts.

    ¹ Translation: I could just as well be making this up.

  • The Old New Thing

    Pizza: The reference food for young children


    One way to convince a child to try out an unfamiliar food is to say that it's an alternate form of pizza. Here are some examples. Feel free to add more in the comments.

    • Quesadilla: Mexican pizza
    • Dosa: Indian pizza
    • Quiche: French deep-dish pizza

    I had originally listed crêpe as French pizza, then realized it's more like a French pancake. (I wonder what the Italian version of pizza would be...)

  • The Old New Thing

    Where did my mail control panel icon go?


    A customer ran into the following problem:

    I was trying to add another email account to Outlook, and the instructions say that I should go to the mail icon in the Control Panel, which to my surprise is nowhere to be found! How can I figure out what went wrong?

    A little bit of psychic debugging will solve this.

    The customer was running Windows Vista, 64-bit edition. On 64-bit versions of Windows XP and Windows Vista, the Control Panel shows only 64-bit control panels. The 32-bit control panels are off in a separate 32-bit control panel, which you can find by clicking the View 32-bit Control Panel Items icon.

    The separation of 32-bit and 64-bit control panels is an unfortunate consequence of the rule that 64-bit processes cannot load 32-bit DLLs and vice versa. On 64-bit Windows, Explorer is a 64-bit process, which means that it can't load traditional 32-bit control panels. (Recall that control panel applications run as DLLs inside the host process.) Therefore, Explorer has to pass off the work of working with 32-bit control panel applications to a 32-bit alter ego process.

    Fortunately, Windows 7 no longer segregates control panel applications by bitness: They all appear in the main Control Panel. This was done by running a puppet 32-bit copy of the Control Panel behind the scenes and making the puppet do the main Control panel's bidding whenever it needed to access information about 32-bit control panel applications.

    "Hey, go enumerate the 32-bit control panel applications for me."

    "Hey, go get the icon for this 32-bit control panel application."

    "Hey, go launch this 32-bit control panel application."

    "Hey, go make me a sandwich."

    "Hey, give me a backrub."

  • The Old New Thing

    The contractually obligatory beeper, and the customers who demand them


    One of the fun parts of meeting with other developers, either at conferences or on my self-funded book tour, is exchanging war stories. Here's one of the stories I've collected, from somebody describing a former company. As is customary, I've removed identifying information.

    One day, the engineering team were instructed that the team was being issued a beeper, and that a member of the engineering team had to be on call at all times. This new requirement was the handiwork of the sales team, who landed a big contract with a customer, but the customer insisted on a support contract which included the ability to talk to a member of the engineering team at any time, day or night, to be used when they encountered an absolutely critical problem that the support team could not resolve to their satisfaction.

    The engineering team grumbled but knew this was something they had to accept because the customer placed a huge order and the company needed the money. To secure the engineering staff's agreement, management contributed $10 to a pool each week, and whoever was saddled with the beeper when it went off got the pool money as a consolation prize.

    The engineering team drew up a schedule, and responsibility for the beeper rotated among the team members.

    A week went by. The beeper didn't go off.

    Another week. Still quiet.

    Months passed. Still nothing.

    It was over a year before the customer asked to talk to a member of the engineering team. The engineer who received the windfall understood that the prize was a team effort, and as I recall, he spent it by buying beer and snacks for everyone.

    The engineering team figured that the customer had the engineer on call clause on their list of bullet point must-have features, even though they didn't really plan on using it much at all.

  • The Old New Thing

    How do I customize the order of items in the All Programs section of the Start menu?


    The items in the All Programs section of the Start menu are grouped into two sections, although there are no visible divider lines between them.

    1. Non-folders, sorted alphabetically.
    2. Folders, sorted alphabetically.

    We saw earlier that the Fast Items lost their special status in Windows Vista and are sorted with the regular items. Another change from Windows XP is the order of the remaining two groups: Windows XP put folders above non-folders, because that was the sort order imposed by the IShellFolder::CompareIDs method so that folders sorted above files in regular Explorer windows. This deviation from standard sort order starting in Windows Vista was introduced because the guidance for application developers regarding Start menu shortcuts is to place program shortcuts in the Programs folder, with other supporting stuff in subfolders. Given that guidance, it is the program shortcuts in the Start menu that are more important, so they go at the top.

    If you don't like the alphabetical ordering, then you can go the Start menu Properties, select Customize, and then scroll down to the bottom of the options tree and uncheck Sort All Programs by name. If you do this, then you can manually rearrange the items in the All Programs menu via drag/drop to put them in whatever order you like.

    Pre-emptive snarky comment: "Changing the Start menu from a cascading menu to a tree navigation model was the stupidest idea since unsliced bread." Yes, I know you all hate it. Old news. Consider this a tip on how to cope with adversity.

  • The Old New Thing

    Flushing your performance down the drain, that is


    Some time ago, Larry Osterman discussed the severe performance consequences of flushing the registry, which is a specific case of the more general performance catch: Flushing anything will cost you dearly.

    A while back, I discussed the high cost of the "commit" function, and all the flush-type operations turn into a commit at the end of the day. FlushViewOfFile, [see correction below] FlushFileBuffers, RegFlushKey, they all wait until the data has been confirmed written to the disk. If you perform one of these explicit flush operations, you aren't letting the disk cache do its job. These types of operations are necessary only if you're trying to maintain transactional integrity. If you're just flushing the data because "Well, I'm finished so I want to make sure it gets written out," then you're just wasting your (and the user's) time. The data will get written out, don't worry. Only if there is a power failure in the next two seconds will the data fail to get written out, but that's hardly a new problem for your program. If the power went out in the middle of the call to FlushFileBuffers (say, after it wrote out the data containing the new index but before it wrote out the data the index points to), you would've gotten partially-written data anyway. If you're not doing transactional work, then your call to FlushFileBuffers didn't actually fix anything. You still have a window during which inconsistency exists on the disk.

    Conclusion: View any call to FlushViewOfFile, [see correction below] FlushFileBuffers, and RegFlushKey with great suspicion. They will kill your program's performance, and even in the cases in which you actually would want to call it, there are better ways of doing it nowadays.

    More remarks on that old TechNet article: The text for the Enable advanced performance check box has been changed in Windows 7 to something that more accurately describes what it does: Turn off Windows write-cache buffer flushing on the device. There's even explanatory text that explains the conditions under which it would be appropriate to enable that setting:

    To prevent data loss, do not select this check box unless the device has a separate power supply that allows the device to flush its buffer in case of power failure.

    Hard drives nowadays are more than just platters of magnetic media. There's also RAM on the hard drive circuit board, and this RAM is used by the hard drive firmware as yet another buffer. If the drive is told, "Write this data to the hard drive at this location," the drive copies the data into its private RAM buffer and immediately returns a successful completion code to the operating system. The drive then goes about seeking the head, looking for the sector, and physically writing out the data.

    When your program issues a write command to the file system (assuming that file system buffering is enabled), the write goes into the operating system disk cache, and periodically, the data from the operating system disk cache is flushed to the hard drive. As we saw above, the hard drive lies to the operating system and says "Yeah, I wrote it," even though it hasn't really done it yet. The data the operating system requested to be written is just sitting in a RAM buffer on the hard drive, that in turn gets flushed out to the physical medium by the hard drive firmware.

    If you call one of the FlushBlahBlah functions, Windows flushes out its disk cache buffers to the hard drive, as you would expect. But as we saw above, this only pushes the data into the RAM buffer on the hard drive. Windows understands this and follows up with another command to the hard drive, "Hey, I know you're one of those sneaky hard drives with an internal RAM buffer. Yes, I'm talking to you; don't act all innocent like. So do me a favor, and flush out your internal RAM buffers too, and let me know when that's done." This extra "I know what you did last summer" step ensures that the data really is on physical storage, and the FlushBlahBlah call waits until the "Okay, I finished flushing my internal RAM buffer" signal from the hard drive before returning control to your program.

    This extra "flush out your internal RAM buffer too" command is the right thing to do, but it can safely be skipped under very special circumstances: Consider a hard drive with a power supply separate from the computer which can keep the drive running long enough to flush out its internal RAM, even in the event of a sudden total loss of external power. For example, it might be an external drive with a separate power supply that is hooked up to a UPS. If you have this very special type of set-up, then Windows doesn't need to issue the "please flush out your internal RAM buffers too" command, because you have a guarantee that the data will make it to the disk no matter what happens in the future. Even if a transformer box explodes, cutting off all power to your building, that hard drive has enough residual power to get the data from the internal RAM buffer onto the physical medium. Only if your hard drive has that type of set-up is it safe to turn on the Turn off Windows write-cache buffer flushing on the device check box.

    (Note that a laptop computer battery does not count as a guarantee that the hard drive will have enough residual power to flush its RAM buffer to physical media. You might accidentally eject the battery out of your laptop, or you might let your battery run down completely. In these cases, the hard drive will not have a chance to finish flushing its internal RAM buffer.)

    Of course, if the integrity of your disks is not important then go ahead and turn the setting on even though you don't have a battery backup. One case where this may be applicable is if you have a dedicated hard drive you don't care about losing if the power goes out. Many developers on the Windows team devote an entire hard drive to holding the files generated by a build of the operating system. Before starting a build, they reformat the drive. If the power goes out during a build, they'll just reformat the drive and kick off another build. In this case, go ahead and check the box that says Enable advanced performance. But if you care about the files on the drive, you shouldn't check the box unless you have that backup power supply.

  • The Old New Thing

    What's up with the strange treatment of quotation marks and backslashes by CommandLineToArgvW


    The way the CommandLineToArgvW function treats quotation marks and backslashes has raised eyebrows at times. Let's look at the problem space, and then see what algorithm would work.

    Here are some sample command lines and what you presumably want them to be parsed as:

    Command line Result
    program.exe "hello there.txt" program.exe
    hello there.txt
    program.exe "C:\Hello there.txt" program.exe
    C:\Hello there.txt

    In the first example, we want quotation marks to protect spaces.

    In the second example, we want to be able to enclose a path in quotation marks to protect the spaces. Backslashes inside the path have no special meaning; they are copied as any other normal character.

    So far, the rule is simple: Inside quotation marks, just copy until you see the matching quotation marks. Now here's another wrinkle:

    Command line Result
    program.exe "hello\"there" program.exe

    In the third example, we want to embed a quotation mark inside a quotated string by protecting it with a backslash.

    Okay, to handle this case, we say that a backslash which precedes a quotation mark protects the quotation mark. The backslash itself should disappear; its job is to protect the quotation mark and not to be part of the string itself. (If we kept the backslash, then it would not be possible to put a quotation mark into the command line parameter without a preceding backslash.)

    But what if you wanted a backslash at the end of the string? Then you protect the backslash with a backslash, leaving the quotation mark unprotected.

    Command line Result
    program.exe "hello\\" program.exe

    Okay, so what did we come up with?

    We want a backslash before a quotation mark to protect the quotation mark, and we want a backslash before a backslash to protect the backslash (so you can end a string with a backslash). Otherwise, we want the backslash to be given no special treatment.

    The CommandLineToArgvW function therefore works like this:

    • A string of backslashes not followed by a quotation mark has no special meaning.
    • An even number of backslashes followed by a quotation mark is treated as pairs of protected backslashes, followed by a word terminator.
    • An odd number of backslashes followed by a quotation mark is treated as pairs of protected backslashes, followed by a protected quotation mark.

    The backslash rule is confusing, but it's necessary to permit the very important second example, where you can just put quotation marks around a path without having to go in and double all the internal path separators.

    Personally, I would have chosen a different backslash rule:

    Warning - these are not the actual backslash rules. These are Raymond's hypothetical "If I ran the world" backslash rules.

    • A backslash followed by another backslash produces a backslash.
    • A backslash followed by a quotation mark produces a quotation mark.
    • A backslash followed by anything else is just a backslash followed by that other character.

    I prefer these rules because they can be implemented by a state machine. On the other hand, it makes quoting regular expressions a total nightmare. It also breaks "\\server\share\path with spaces", which is pretty much a deal-breaker. Hm, perhaps a better set of rules would be

    Warning - these are not the actual backslash rules. These are Raymond's second attempt at hypothetical "If I ran the world" backslash rules.

    • Backslashes have no special meaning at all.
    • If you are outside quotation marks, then a " takes you inside quotation marks but generates no output.
    • If you are inside quotation marks, then a sequence of 2N quotation marks represents N quotation marks in the output.
    • If you are inside quotation marks, then a sequence of 2N+1 quotation marks represents N quotation marks in the output, and then you exit quotation marks.

    This can also be implemented by a state machine, and quoting an existing string is very simple: Stick a quotation mark in front, a quotation mark at the end, and double all the internal quotation marks.

    But what's done is done, and the first set of backslash rules is what CommandLineToArgvW implements. And since the behavior has been shipped and documented, it can't change.

    If you don't like these parsing rules, then feel free to write your own parser that follows whatever rules you like.

    Bonus chatter: Quotation marks are even more screwed up.

  • The Old New Thing

    What is the effect of the /LARGEADDRESSAWARE switch on a DLL?


    Nothing. Large-address-awareness is a process property, which comes from the EXE.

  • The Old New Thing

    Microspeak: Sats


    I introduced this Microspeak last year as part of a general entry about management-speak, but I'm giving it its own entry because it deserves some attention on its own.

    I just want to have creative control over how my audience can interact with me without resorting to complex hacking in a way that is easy to explain but ups our blogging audiences sats to a new level that may also stimulate a developer ecosytem that breeds quality innovation...

    Ignore the other management-speak; we're looking at the weird four-letter word sats.

    Sats is short for satisfaction metrics. This falls under the overall obsession on measurement at Microsoft. For many categories of employees (most notably the approximately 1000 employees eligible for the so-called Shared Performance Stock Awards program), compensation is heavily influenced by customer satisfaction metrics, known collectively as CSAT.

    Satisfaction metrics are so important that they have their own derived jargon.

    VSATVery satisfied Percentage of customers who report that they are very satisfied.
    DSATDissatisfied Percentage of customers who report that they are somewhat dissatisfied or very dissatisfied.
    NSATNet satisfaction NSAT = VSAT − DSAT

    All of these jargon terms are pronounced by saying the first letter, followed by the word sat, so for example, NSAT is pronounced N-sat.

    You can see some of these metrics in use in a blog post from the Director of Operations at Notice how he uses the terms VSAT and DSAT without bothering to explain what they mean. The meanings are so obvious to him that it doesn't even occur to him that others might not know what they mean. (By comparison, Kent Sharkey includes a definition when he uses the term.)

    And if you haven't gotten enough of this jargon yet, there's an entire training session online on the subject of the Customer Satisfaction Index. If you're impatient, click ahead to section 9.

Page 1 of 4 (31 items) 1234