November, 2010

  • The Old New Thing

    How full does a hard drive have to get before Explorer will start getting concerned?

    • 41 Comments

    The answer depends on which "hard drive almost full" warning you're talking about.

    Note that these boundaries are merely the current implementation (up until Windows 7). Future versions of Windows reserve the right to change the thresholds. The information provided is for entertainment purposes only.

    The thermometer under the drive icon in My Computer uses a very simple algorithm: A drive is drawn in the warning state when it is 90% full.

    The low disk space warning balloon is more complicated. The simplified version is that it warns of low disk space on drives bigger than about 3GB when free disk space drops below 200MB. The warnings become more urgent when free disk space drops below 80MB, 50MB, and finally 1MB. (For drives smaller than 3GB, the rules are different, but nobody—to within experimental error—has hard drives that small anyway, so it's pretty much dead code now.)

    These thresholds cannot be customized, but at least you can turn off the low disk space balloons.

  • The Old New Thing

    If you measure something, people will change their behavior to address the measurement and not the thing the measurement is intended to measure

    • 27 Comments

    We all know that once you start measuring something, people will change the way they behave. We hope that the change is for the better, but that's not always the case, and that's especially true if you are using the metrics as a proxy for something else: People will manipulate the metric without necessarily affecting the thing that your metric is trying to measure.

    I was reminded of this topic when I read a story in The Daily WTF of a manager who equated number of checkins with productivity.

    One metric that nearly all software products use to gauge productivity and product progress is the number of bugs outstanding and the number of bugs fixed. Of course, not all bugs are created equal: Some are trivial to fix; others are substantial. But if you believe that the difficulty distribution of bugs, while not uniform, is at least unbiased, then the number of bugs is roughly proportional to the amount of work. The bug count is just a rough guide, of course. Everybody works together, with programmers promising not to manipulate the metrics, and managers promising not to misinterpret them.

    At least that's how it's supposed to work.

    (All that text up to this point is useless. When you're telling a story, you have to include a lot of useless text in order to motivate or set the scene for the actual story that comes up next or just to make the story sound like an actual story instead of just a sequence of events. What amazes me is that so many people seem to focus on the "literary throat-clearing" and miss the actual story!)

    A friend of mine told me about a project from many years (and jobs) ago. Things were pretty hectic, people were working late, it was a stressful time. The bug statistics were gathered by an automated process that ran at 4am, and every day, management would use those statistics as one factor in assessing the state of the project.

    My friend was wrapping up another late night at the office after polishing off a few bugs, and as a final gesture, re-ran the bug query to enjoy the satisfaction of seeing the number of bugs go down.

    Except it went up.

    What happened is that another member of the project was also working late, and that other member had a slightly different routine for wrapping up at the end of the day: Run the query and look at the number next to your name. If it is higher than you would like, then take some of your bugs and transfer them to the other members of the team. Choose a victim, add a comment like "I think this is a problem with the XYZ module" (where XYZ is the module the victim is responsible for), and reassign the bug to your victim. It helps if you choose victims who already have a lot of bugs, so they might not even notice that you slipped them another one.

    By following this simple nightly routine, you get management off your case for having too many outstanding bugs. In fact, they might even praise you for your diligence, since you never seem to be behind on your work.

    Of course, management looks at these manipulated numbers and gets a false impression of the state of the project. But if you're not one of those "team player" types, then that won't matter to you.

    And if that describes you, then I don't want you working on my project.

  • The Old New Thing

    The program running in a console decides what appears in that console

    • 30 Comments

    James Risto asks, "Is there a way to change the behavior of the CMD.EXE window? I would like to add a status line."

    The use of the phrase "the CMD.EXE window" is ambiguous. James could be referring to the console itself, or he could be referring to the CMD.EXE progarm.

    The program running in a console decides what appears in the console. If you want to devote a line of text to a status bar, then feel free to code one up. But if you didn't write the program that's running, then you're at the mercy of whatever that program decided to display.

    Just to show that it can be done, here's a totally useless console program that contains a status bar.

    #define UNICODE
    #define _UNICODE
    #include <windows.h>
    #include <strsafe.h> // for StringCchPrintf
    
    void DrawStatusBar(HANDLE hScreen)
    {
     CONSOLE_SCREEN_BUFFER_INFO sbi;
     if (!GetConsoleScreenBufferInfo(hScreen, &sbi)) return;
     TCHAR szBuf[80];
     StringCchPrintf(szBuf, 80, TEXT("Pos = %3d, %3d"),
                     sbi.dwCursorPosition.X,
                     sbi.dwCursorPosition.Y);
     DWORD dwWritten;
     COORD coDest = { 0, sbi.srWindow.Bottom };
     WriteConsoleOutputCharacter(hScreen, szBuf, lstrlen(szBuf),
        coDest, &dwWritten);
    }
    

    Our lame-o status bar consists of the current cursor position. Notice that the console subsystem does not follow the GDI convention of endpoint-exclusive rectangles.

    int __cdecl wmain(int argc, WCHAR **argv)
    {
     HANDLE hConin = CreateFile(TEXT("CONIN$"),
                                GENERIC_READ | GENERIC_WRITE,
                                FILE_SHARE_READ | FILE_SHARE_WRITE,
                                NULL, OPEN_EXISTING, 0, NULL);
     if (hConin == INVALID_HANDLE_VALUE) return 1;
    
     HANDLE hConout = CreateFile(TEXT("CONOUT$"),
                           GENERIC_READ | GENERIC_WRITE,
                           FILE_SHARE_READ | FILE_SHARE_WRITE,
                           NULL, OPEN_EXISTING, 0, NULL);
     if (hConout == INVALID_HANDLE_VALUE) return 1;
    

    We start by getting the handles to the current console. Since we are a fullscreen program, we don't rely on stdin and stdout. (How do you position the cursor on a redirected output stream?)

     HANDLE hScreen = CreateConsoleScreenBuffer(
                           GENERIC_READ | GENERIC_WRITE,
                           0, NULL, CONSOLE_TEXTMODE_BUFFER, NULL);
     if (!hScreen) return 1;
    
     SetConsoleActiveScreenBuffer(hScreen);
    

    We create a new screen buffer and switch to it, so that our work doesn't disturb what was previously on the screen.

     DWORD dwInMode;
     GetConsoleMode(hConin, &dwInMode);
    

    We start by retrieving the original console input mode before we start fiddling with it, so we can restore the mode when our program is finished.

     SetConsoleCtrlHandler(NULL, TRUE);
     SetConsoleMode(hConin, ENABLE_MOUSE_INPUT |
                            ENABLE_EXTENDED_FLAGS);
    

    We set our console control handler to NULL (which means "don't terminate on Ctrl+C") and enable mouse input on the console because we're going to be tracking the mouse position in our status bar.

     CONSOLE_SCREEN_BUFFER_INFO sbi;
     if (!GetConsoleScreenBufferInfo(hConout, &sbi)) return 1;
    
     COORD coDest = { 0, sbi.srWindow.Bottom - sbi.srWindow.Top };
     DWORD dw;
     FillConsoleOutputAttribute(hScreen,
         BACKGROUND_BLUE |
         FOREGROUND_BLUE | FOREGROUND_RED |
         FOREGROUND_GREEN | FOREGROUND_INTENSITY,
         sbi.srWindow.Right - sbi.srWindow.Left + 1,
         coDest, &dw);
    

    We retrieve the screen buffer dimensions and draw a blue status bar at the bottom of the screen. Notice that the endpoint-inclusive rectangles employed by the console subsystem result in what look like off-by-one errors. The bottom line of the screen is Bottom - Top, which in an endpoint-exclusive world would be the height of the screen, but since the rectangle is endpoint-inclusive, this is actually the height of the screen minus 1, which puts us at the bottom line of the screen. Similarly Right - Left is the width of the screen minus 1, so we have to add one back to get the width.

     DrawStatusBar(hScreen);
    

    Draw our initial status bar.

     INPUT_RECORD ir;
     BOOL fContinue = TRUE;
     while (fContinue && ReadConsoleInput(hConin, &ir, 1, &dw)) {
      switch (ir.EventType) {
      case MOUSE_EVENT:
       if (ir.Event.MouseEvent.dwEventFlags & MOUSE_MOVED) {
         SetConsoleCursorPosition(hScreen,
             ir.Event.MouseEvent.dwMousePosition);
         DrawStatusBar(hScreen);
       }
       break;
      case KEY_EVENT:
       if (ir.Event.KeyEvent.wVirtualKeyCode == VK_ESCAPE) {
        fContinue = FALSE;
       }
       break;
      }
     }
    

    This is the console version of a "message loop": We read input events from the console and respond to them. If the mouse moves, we move the cursor to the mouse position and update the status bar. If the user hits the Escape key, we exit the program.

     SetConsoleMode(hConin, dwInMode);
     SetConsoleActiveScreenBuffer(hConout);
     return 0;
    }
    

    And when the program ends, we clean up: Restore the original input mode and restore the original screen buffer.

    If you run this program, you'll see a happy little status bar at the bottom whose contents continuously reflect the cursor position, which you can move by just waving the mouse around.

    If you want a status bar in your console program, go ahead and draw it yourself. Of course, since it's a console program, your status bar is going to look console-y since all you have to work with are rectangular character cells. Maybe you can make use of those fancy line-drawing characters. Party like it's 1989!

  • The Old New Thing

    Why does the common file dialog change the current directory?

    • 26 Comments

    When you change folders in a common file dialog, the common file dialog calls Set­Current­Directory to match the directory you are viewing. (Don't make me bring back the Nitpicker's Corner.)

    Okay, the first reaction to this is, "What? I didn't know it did that!" This is the other shoe dropping in the story of the curse of the current directory.

    Now the question is, "Why does it do this?"

    Actually, you know the answer to this already. Many programs require that the current directory match the directory containing the document being opened.

    Now, it turns out, there's a way for you to say, "No, I'm not one of those lame-o programs. I can handle current directory being different from the document directory. Don't change the current directory when using a common file dialog." You do this by passing the OFN_NO­CHANGE­DIR flag. (If your program uses the IFile­Dialog interface, then NO­CHANGE­DIR is always enabled. Hooray for progress.)

    But now that you know about this second curse, you can actually use it as a counter-curse against the first one.

    If you determine that a program is holding a directory open, and you suspect that it is the victim of the curse of the current directory, you can go to that program and open a common file dialog. (For example, Save As.) From that dialog, navigate to some other directory you don't plan on removing, say, the root of the drive, or your desktop. Then cancel the dialog.

    Since the common file dialog changes the current directory, you have effectively injected a Set­Current­Directory call into the target process, thereby changing it from the directory you want to remove. Note, however, that this trick works only if the application in question omits the OFN_NO­CHANGE­DIR flag when it calls Get­Save­File­Name.

    In Explorer, you can easily call up a common file dialog by typing Win+R then clicking Browse, and in versions of Windows up through Windows XP, Explorer didn't pass the OFN_NO­CHANGE­DIR flag.

  • The Old New Thing

    Using delayload to detect functionality is a security vulnerability

    • 45 Comments

    We saw last time that your debugging code can be a security vulnerability when you don't control the current directory. A corollary to this is that your delayload code can also be a security vulnerability, for the same reason.

    When you use the linker's delayload functionality to defer loading a DLL until the first time it is called, the linker injects code which calls LoadLibrary on a DLL the first time you call a function in it, and then calls GetProcAddress on the functions you requested. When you call a delay-loaded function and the delayload code did not get a function pointer from GetProcAddress (either because the DLL got loaded but the function does not exist, or because the DLL never got loaded in the first place), it raises a special exception indicating that a delayed load failed.

    Let's look again at the order in which the LoadLibrary function searches for a library:

    1. The directory containing the application EXE.
    2. The system32 directory.
    3. The system directory.
    4. The Windows directory.
    5. The current directory.
    6. The PATH.

    The code which implements the delayload functionality uses a relative path when it passes the library name to LoadLibrary. (It has no choice since all it has to work with is the library name stored in the IMPLIB.) Consequently, if the DLL you are delay-loading does not exist in any of the first four search locations, the LoadLibrary will look in location 5: the current directory.

    At this point, the current directory attack becomes active, and a bad guy can inject an attack DLL into your process.

    For example, this sample code uses delayload to detect whether the functions in dwmapi.dll exist, calling them if so. If the function IsThemeEnabled is not available, then it treats themes as not enabled. If the program runs on a system without dwmapi.dll, then the delayload will throw an exception, and the exception is caught and turned into a failure. Disaster avoided.

    But in fact, the disaster was not avoided; it was introduced. If you run the program on a system without dwmapi.dll, then a bad guy can put a rogue copy of dwmapi.dll into the current directory, and boom your process just loaded an untrusted DLL. Game over.

    Using the delayload feature to probe for a DLL is morally equivalent to using a plain LoadLibrary to probe for the presence of a debugging DLL. In both cases, you are looking for a DLL with the expectation that there's a good chance it won't be there. But it is exactly in those sometimes it won't be there cases where you become vulnerable to attack.

    If you want to probe for the existence of a DLL, then you need to know what directory the DLL should be in, and then load that DLL via that full path in order to avoid the current directory attack.

    On the other hand, if the DLL you want to delayload is known to be installed in a directory ahead of the current directory in the search path (for example, you require versions of the the operating system in which the DLL is part of the mandatory install, and the directory in which it is installed is the System32 directory) then you can use delayload.

    In other words, you can use delayload for delaying the load of a DLL. But if you're using delayload to probe for a DLL's existence, then you become vulnerable to a current directory attack.

    This is one of those subtle unintended consequences of changing the list of files included with an operating system. If you take what used to be a mandatory component that can't be uninstalled, and you change it to an optional component that can be uninstalled, then not only do programs which linked to the DLL in the traditional manner stop loading, but you've also introduced a security vulnerability: Programs which had used delayload under the calculation (correct at the time it was made) that doing so was safe are now vulnerable to the current directory attack.

  • The Old New Thing

    Your debugging code can be a security vulnerability: Loading optional debugging DLLs without a full path

    • 49 Comments

    Remember, the bad guys don't care that your feature exists just for debugging purposes. If it's there, they will attack it.

    Consider the following code:

    DOCLOADINGPROC g_pfnOnDocLoading;
    
    void LoadDebuggingHooks()
    {
     HMODULE hmodDebug = LoadLibrary(TEXT("DebugHooks.dll"));
     if (!hmodDebug) return;
     g_pfnOnDocLoading = (DOCLOADINGPROC)
                   GetProcAddress(hmodDebug, "OnDocLoading");
     ...
    }
    
    HRESULT LoadDocument(...)
    {
     ...
     if (g_pfnOnDocLoading) {
       // let the debugging hook replace the stream
       g_pfnOnDocLoading(&pstmDoc);
     }
     ...
    }
    

    When you need to debug the program, you can install the DebugHooks.dll DLL into the application directory. The code above looks for that DLL and if present, gets some function pointers from it. For illustrative purposes, I've included one debugging hook. The idea of this example (and it's just an example, so let's not argue about whether it's a good example) is that when we're about to load a document, we call the OnDocLoading function, telling it about the document that was just loaded. The OnDocLoading function wraps the IStream inside another object so that the contents of the document can be logged byte-by-byte as it is loaded, in an attempt to narrow down exactly where document loading fails. Or it can be used for testing purposes to inject I/O errors into the document loading path to confirm that the program behaves properly under those conditions. Use your imagination.

    But this debugging code is also a security vulnerability.

    Recall that the library search path searches directories in the following order:

    1. The directory containing the application EXE.
    2. The system32 directory.
    3. The system directory.
    4. The Windows directory.
    5. The current directory.
    6. The PATH.

    When debugging your program, you install DebugHooks.dll into the application directory so that it is found in step 1. But when your program isn't being debugged, the search in step 1 fails, and the search continues in the other directories. The DLL is not found in steps 2 through 4, and then we reach step 5: The current directory.

    And now you're pwned.

    Your application typically does not have direct control over the current directory. The user can run your program from any directory, and that directory ends up as your current directory. And then your LoadLibrary call searches the current directory, and if a bad guy put a rogue DLL in the current directory, your program just becames the victim of code injection.

    This is made particularly dangerous when your application is associated with a file type, because the user can run your application just by double-clicking an associated document.

    When you double-click a document, Explorer sets the current directory of the document handler application to the directory that contains the document being opened. This is necessary for applications which look around in the current directory for supporting files. For example, consider a hypothetical application LitWare Writer associated with *.LIT files. A LitWare Writer document ABC.LIT file is really just the representative for a family of files, ABC.LIT (the main document), ABC.LTC (the document index and table of contents), ABC.LDC (the custom spell check dictionary for the document), ABC.LLT (the custom document layout template), and so on. When you open the document C:\PROPOSAL\ABC.LIT, LitWare Writer looks for the other parts of your document in the current directory, rather than in C:\PROPOSAL. To help these applications find their files, Explorer specifies to the CreateProcess function that it should set the initial current directory of LitWare Writer to C:\PROPOSAL.

    Now, you might argue that programs like LitWare Writer (which look for the ancillary files of a multi-file document in the current directory instead of the directory containing the primary file of the multi-file document) are poorly-written, and I would agree with you, but Windows needs to work even with poorly-written programs. (Pre-emptive snarky comment: Windows is itself a poorly-written program.) There are a lot of poorly-written programs out there, some of them industry leaders in their market (see above pre-emptive snarky comment) and if Windows stopped accommodating them, people would say it was the fault of Windows and not the programs.

    I can even see in my mind's eye the bug report that resulted in this behavior being added to the MS-DOS Executive:

    "This program has worked just fine in MS-DOS, but in Windows, it doesn't work. Stupid Windows."

    Customers tend not to be happy with the reply, "Actually, that program has simply been lucky for the past X years. The authors of the program never considered the case where the document being opened is not in the current directory. And it got away with it, because the way you opened the document was to use the chdir command to move to the directory that contained your document, and then to type LWW ABC.LIT. If you had ever done LWW C:\PROPOSAL\ABC.LIT you would have run into the same problem. The behavior is by design."

    In response to "The behavior is by design" is usually "Well, a design that prevents me from getting my work done is a crappy design." or a much terser "No it's not, it's a bug." (Don't believe me? Just read Slashdot.)

    So to make these programs work in spite of themselves, the MS-DOS Executive sets the current directory of the program being launched to the directory containing the document itself. This was not an unreasonable decision because it gets the program working again, and it's not like the program cared about the current directory it inherited from the MS-DOS Executive, since it had no control over that either!

    But it means that if you launched a program by double-clicking an associated document, then unless that program takes steps to change its current directory, it will have the document's containing folder as its current directory, which prevents you from deleting that directory.

    Bonus chatter: I wrote this series of entries nearly two years ago, and even then, I didn't consider this to be anything particularly groundbreaking, but apparently some people rediscovered it a few months ago and are falling all over themselves to claim credit for having found it first. It's like a new generations of teenagers who think they invented sex. For the record, here is some official guidance. (And just to be clear, that's official guidance on the current directory attack, not official guidance on sex.)

    History chatter: Why is the current directory even considered at all? The answer goes back to CP/M. In CP/M, there was no PATH. Everything executed from the current directory. The rest is a chain of backward compatibility.

  • The Old New Thing

    The curse of the current directory

    • 44 Comments

    The current directory is both a convenience and a curse. It's a convenience because it saves you a lot of typing and enables the use of relative paths. It's a curse because of everything else.

    The root cause of this curse is that the Windows NT family of operating systems keeps open a handle to the process's current directory. (Pre-emptive Yuhong Bao comment: The Windows 95 series of operating systems, on the other hand, did not keep the current directory open, which had its own set of problems not relevant to this discussion.)

    The primary consequence of this curse is that you can't delete a directory if it is the current directory of a running process. I see people stumble upon this all the time without realizing it.

    I am trying to delete a directory X, but when I try, I get the error message The process cannot access the file because it is being used by another process.. After some hunting around, I found that directory X is being held open by someapp.exe. Why the heck is someapp.exe holding my directory open, and how do I get it to stop?

    The value of someapp.exe changes over time, but the underlying problem is the same. And when this happens, people tend to blame someapp.exe for stupidly holding a directory open.

    Most of the time, someapp.exe is just a victim of the curse of the current directory.

    First, let's take the case where someapp.exe is explorer.exe. Why is the current directory of Explore set to this directory?

    Well, one reason might be another curse of the current directory, namely, that the current directory is a process-wide setting. If a shell extension decided to call SetCurrentDirectory, then that changes the current directory for all of Explorer. And if that shell extension doesn't bother to call SetCurrentDirectory a second time to reset the current directory to what it was, then the current directory gets stuck at the new directory, and Explorer has now been conned into changing its current directory permanently to your directory.

    Mind you, the shell extension might have tried to do the right thing by setting the current directory back to its original location, but the attempt might have failed:

    GetCurrentDirectory(Old) // returns C:\Previous
    SetCurrentDirectory(New) // changes to C:\Victim
    .. do stuff ..
    SetCurrentDirectory(Old) // changes to C:\Previous - fails?
    

    That second call to SetCurrentDirectory can fail if, while the shell extension is busy doing stuff, the directory C:\Previous is deleted. Now the shell extension can't change the directory back, so it's left stuck at C:\Victim, and now you can't delete C:\Victim because it is Explorer's new current directory.

    (The preferred behavior, by the way, is for the shell extension not to call SetCurrentDirectory in the first place. Just operate on full paths. Since the current directory is a process-wide setting, you can't be sure that some other thread hasn't called SetCurrentDirectory out from under you.)

    Mind you, making the current directory a per-thread concept doesn't solve this problem completely, because the current directory for the thread (if such a thing existed) would still have a handle open until the thread exited. But if the current directory had been a per-thread concept, and if the thread were associated with an Explorer window, then closing that window would at least encourage that thread to exit and let you unstick the directory. That is, unless you did a Terminate­Thread, in which case the handle would be leaked and your attempt to release the handle only ensures that it never happens. (Note to technology hypochondriacs: This paragraph was a hypothetical and consequently will be completely ineffective at solving your problem.)

    The story isn't over yet, but I'll need to digress for a bit in order to lay the groundwork for the next stage of the curse.

    Bonus chatter: Hello, people. "The story isn't over yet." Please don't try to guess the next chapter in the story.

  • The Old New Thing

    Is there any vendor bias in the way the Start menu determines which programs are most frequently used?

    • 39 Comments

    Chrissy wants to know if there is a bias towards Microsoft products in the selection of most frequently used programs on the Start menu.

    The only bias is in the initial default MFU list, the one that appears upon a fresh login. In Windows XP, the default Start menu MFU contains six slots. The first three point to Windows applications, and the second three point to programs chosen by the OEM. (If the OEM chooses not to take advantage of this feature, or if this is a boxed version of the product, then the second three slots also point to Windows applications.) Which specific three (or six) programs get displayed depend on the system configuration, so it's not like there's a single initial Start menu that applies to everyone.

    Once those initial MFU items are selected, the Start menu algorithm proceeds in a vendor-blind manner. (Indeed, it doesn't even know who the vendor is; no part of the algorithm looks at file version information.)

    The precise algorithm that is used for determining which programs go on the MFU over time has been reviewed by government-appointed regulators, who have not raised any concerns over vendor bias.

    So I hate to say it, Chrissy, but I think it's all in your head.

  • The Old New Thing

    Why does the Win32 Time service require the date to be correct before it will set the time?

    • 43 Comments

    Public Service Announcement: Daylight Saving Time ends in most parts of the United States this weekend.

    Andy points out that if you attempt to synchronize your clock when the date is set incorrectly, the operation fails with the error message "An error occurred while Windows was synchronizing with time.windows.com. For security reasons, Windows cannot synchronize with the server because your date does not match. Please fix the date and try again." He wonders what the security risk is.

    First of all, for people who are trying to solve the problem, the solution is to follow the steps in the error message. Set your date to the correct date, then try again. If that doesn't help, also set the time to something close to the correct time. Once your time gets close, the time server can nudge it the rest of the way.

    Back to the original question: What is the security risk being defended against, here?

    At first glance, you might think that the server is attempting to defend itself against a client whose time is set incorrectly, but actually the potential attack is in reverse: Your computer is protecting itself against a rogue time server.

    The Kerberos authentication protocol relies heavily on all participants agreeing on what time it is (with some slop tolerance). If somebody manages to fool the client into synchronizing its time against a rogue server (for example, by using a DNS poisoning attack), the attacker can use that invalid date (typically a backdate) as a foothold for the next level of attacks.

    The default configuration for the Windows Time service is to reject attempts to change the clock on domain-joined machines by more than 15 hours. You can change the configuration settings by following the instructions in this KB article (which happens also to have been the source material for most of this article).

  • The Old New Thing

    The story of MUI, as told by others (with some commentary)

    • 33 Comments

    First, the story as told by others:

    Now the question you're all going to ask so I may as well answer it: Why is this information kept in a desktop.ini file instead of being attached to the file itself (say, in an alternate stream)? If it were in an alternate stream, then it would track the file when it was moved or copied.

    First answer: Because alternate streams require NTFS. Localized names were introduced in Windows 2000, and Windows 2000 gave you the option of formatting your drive as FAT or NTFS. (It wasn't until Windows Vista that NTFS became mandatory.) Therefore the mechanism for localized names needed to work when your drive was formatted as FAT.

    Okay, fine, maybe you tell people, "Sorry, this feature requires NTFS." All those multinational corporations who use FAT-formatted drives in the year 2000 are screwed.

    Well, placing the information in an alternate data stream means that each file would have to be accessed just to get its name. Remember, it's more efficient when you buy in bulk. Consider a directory with 500 files. A simple directory listing like one provided by cmd.exe takes, say, seven I/O requests (open directory, five "give me the next 100 files", close directory). If each file had to be opened in order to probe for an alternate stream, you now have 507 I/O requests: open directory, five "give me the next 100 files", close directory; and then 500 "open alternate stream on this file" calls that fail. And that was the optimistic case where the localized name doesn't exist. For the pessimistic case where every file has a localized name, the I/O count balloons to 1507: open directory, five "give me the next 100 files", close directory; and then 500 × (open alternate stream, read localized name, close alternate stream).

    You increased the number of I/O requests by a factor of over 200. And when you are looking at files on a slow network (hello, multinational company with servers all over the world), that factor can be deadly. Suppose the ping time to the server is 500ms. The cmd.exe program gets you the directory listing in three and a half seconds. The alternate data stream localized name version takes twelve minutes.

    On the other hand, if all the localized names are placed in a single file, then the I/O count is only 10: open directory, five "give me the next 100 files", close directory; open desktop.ini, read contents, close desktop.ini. We're down to five seconds. Not as good as three and a half seconds, but way better than twelve minutes. And if, in the common case, the directory contains no localized names, the open desktop.ini step fails, and we save two I/O's, bringing our time down to four seconds. And then you can be clever and say, "Wait a second, I already have the directory listing; I can just look at the results to see if desktop.ini is on the list. If not, then I don't even have to bother trying to open it!" Now you are back to three and a half seconds.

    Okay, maybe you tell people, "Sorry, this feature requires a high-speed network." All those multinational corporations with servers around the world are screwed. The theoretically highest-speed network connection between New York and Tokyo has a 72ms ping time because that's how fast it takes light itself to travel that distance and back. Your 500-file directory takes nearly two minutes to display.

    Seeing as multinational corporations were the initial target audience for the MUI feature (since they're the ones who are most likely to have users with different language preferences), designing your feature so that your target audience can't use it seems like a pretty bad execution plan.

    A file's name is traditionally considered metadata, and traditionally, metadata is visible without requiring access to the file. A file can show up in a directory listing even though you don't have access to it. But if the file's localized name is stored in the file itself, you now have the situation where you don't even know the name of the file because you can't access it. This is even worse than I'm sorry, you don't have permission to know where this shortcut file should show up in the Explorer window. This would be I'm sorry, you don't have permission to know the name of the file in this directory listing.

    Remember that reading from an alternate data stream triggers a recall if the file had been archived to tape. You don't want to have to restore an entire directory from tape just because somebody opened the folder in Explorer.

    And finally, alternate data streams are very fragile. Any tool that processes a file has a decent chance of inadvertently destroying the alternate data streams. (And good luck if your backup program doesn't preserve the alternate data streams.)

Page 2 of 3 (24 items) 123