• The Old New Thing

    The procedure entry point SHCreateThreadRef could not be located...


    Some people smarter than me have been working on this problem, and here's what they figured out. First, I'll just reprint their analysis (so that people with the problem and are searching for the solution can find it), and then we can discuss it.

    Update (18 October 2005): The official version of this document is now available. Please use that version instead of following the steps below, which were based on a preliminary version of the instructions.

    If you receive an error message: "Explorer.EXE - Entry Point Not Found - The procedure entry point SHCreateThreadRef could not be located in the dynamic link library SHLWAPI.dll", this information will help resolve the issue.

    This appears to have been caused by the following sequence of events:

    1. You installed Windows XP Service Pack 2
    2. The installation of Service Pack 2 failed due to a computer crash during the installation which resulted in the automatic Service Pack Recovery process. On next boot, you should have received an error message telling you that the install failed, and that you need to go to the control panel and uninstall SP2 and then try re-installing it. This message may have been dismissed accidentally or by another individual using your computer. In any event, the Service Pack recovery process was not completed by uninstalling the service pack from the Add/Remove Programs control panel, and the system is consequently in a partially installed state which is not stable.
    3. You then installed the latest security update for Windows XP, MS04-038, KB834707. Because your system is still partially SP2, the SP2 version of this fix was downloaded and installed by Windows Update or Automatic Updates. However, the operating system files on the system are the original versions due to the SP Recovery process. This results in mismatched files causing this error.

    To recover the system, carefully perform the following steps:

    1. Boot normally and attempt to log in to your desktop. At this point you should get the error message listed above.
    2. Press Control+Alt+Delete at the same time to start the Task Manager. (If you are using classic logon, click the "Task Manager" button.) You may get additional error messages but Task Manager will eventually start.
    3. On the menu bar, select File and then New Task (Run).
    4. Type in control appwiz.cpl into the new task box and hit OK. You may get additional errors that can be ignored.
    5. The Add/Remove Control Panel should now be running. You can close Task Manager.
    6. Near the bottom of the list, find the entry titled "Windows XP Hotfix – KB834707".
    7. Click on it and click the "Remove" button. It will take some time to complete. Once the "Finish" button is visible, click on it and reboot your system. If you get messages about additional software or hotfixes installed, you can safely ignore them.

    Do NOT stop now! Your system is still in the "failed SP2 install" state. You MUST complete the SP2 uninstall, and then re-install SP2.

    1. Start the system and log in.
    2. Click on Start and then Control Panel.
    3. Click on the Add/Remove programs item.
    4. Near the bottom of the list, find the entry titled "Windows XP Service Pack 2".
    5. Click on it and remove Service Pack 2. You may get a warning about software you have installed after SP2. Make a note of it as you may need to reinstall some of them after the uninstall operation.
    6. After Service Pack 2 has been successfully removed, you should visit for instructions on installing Service Pack 2. You can get SP2 from
    7. After Service Pack 2 has been successfully re-installed, you should re-visit Windows Update to get the proper version of the latest critical security updates.


    Q: I don't believe I am in the "partially installed SP2" state. Is there any way to check that?

    A: After step 7, your system should be able to log in. There are several ways to check.

    1. Open the file c:\windows\svcpack.log, and scroll to the very bottom of the file. About 10 lines from the end, you should see: Executing script \SystemRoot\sprecovr.txt In cleanup mode. System will not be rebooted.
      If you have these lines in svcpack.log, and you did not uninstall Service Pack 2 in Add/Remove Programs, you definitely have a machine in this partially installed state.
    2. Click on the Start button, then Run, and type winver, then click OK. If the version is "Version 5.1 (Build 2600.xpsp_sp2_rtm.040803-2158: Service Pack 2" then you have the correct SP2 install. If, however, it has a number that is less than 040803 after the xpsp2, such as "Build 2600.xpsp2.030422-1633 : Service Pack 2" then you definitely have a machine in the partially installed state. [Corrected typo in version numbering, 11am.]

    Notice that the default answer to every dialog box is "Cancel". The Service Pack setup program detected a problem and gave instructions on how to fix it, and yet people just ignored the message.

    The result of not fixing the problem is that you are left with a machine that is neither Service Pack 1 nor Service Pack 2 but instead is a Frankenstein monster of some files from Service Pack 1 and some files from Service Pack 2. This is hardly a good situation. Half the files are mismatched with the other half.

    There was enough of Service Pack 2 on your machine that Windows Update downloaded the Service Pack 2 version of the security patch and tried to install it. This made a bad situation worse.

    What's the moral of the story?

    First, that users ignore all error messages. Even error messages that tell how to fix the error! Second, that ignoring some error messages often leads to worse error messages. And third, that once you get into this situation, you're off in uncharted territory. And there are only dragons there.

    (These are the types of problems that are nearly impossible to debug: It will never happen in the test lab, because the test lab people know that when an error message tells you, "The install failed; you need to do XYZ to fix it," you should do it! All you can work from are descriptions from people who are having the problem, and a lot of creativity to try to guess "What happened that they aren't telling me?")

  • The Old New Thing

    How to edit the security attributes of more than one file at a time


    In Windows XP, you could select multiple files, right-click them, then select Properties. The resulting property sheet includes a Security page which lets you edit the security attributes of those files. But when you repeat this exercise on Windows Vista or Windows 7, the Security page is missing. Why doesn't Explorer let you edit the security attributes of more than one file at a time?

    Windows might need to display an elevation prompt if any of the files in the collection require administrator privileges in order to modify the security attributes. The security prompt needs to tell you why you are elevating, but if you selected twenty files, there isn't room to display all twenty of them in the elevation dialog. Truncating the results means that users may be tricked into changing the security of files they didn't intend. "Grant everyone full access to X, Y, Z, and 17 other files?" How do you know your multiselect didn't accidentally include MergerPlans.doc? (Maybe there's some malware that waits for people to change security on multiple items and quietly sneaks NTOSKRNL.EXE into the file list.) Alexander Grigoriev says, "Holding forever to dangerous features is BAD BAD BAD."

    If you need to modify the security attributes on a whole bunch of files, you can use the CACLS program, one of the command line tools that messes with security descriptors. If you want to modify the attributes of all the files in a directory tree, you can edit the security attributes of the root of the tree and indicate that you want to propagate inheritable attributes.

    Pre-emptive hate: "I hate Microsoft for removing this feature." (Okay, that was too tame. A PROPER HATE REQUIRES SENTENCES IN ALL-CAPS.) And you wonder why I don't do Tips/Support topics often. Whenever I provide a tip that lets you work around something, everybody rants about the problem the workaround exists to address.

  • The Old New Thing

    At last you can turn off the USB 2.0 balloon


    One of the more annoying messages in Windows XP¹ is the "This USB device can perform faster" balloon that appears whenever you plug in a USB 2.0-capable device into a USB 1.0 port. When I click on that balooon, I get a message that says, "Sorry, you don't have any USB 2.0 ports. You'll have to install one to be able to take full advantage of this device."²

    Yeah, that's really nice, but one of my machines is a laptop, so its USB ports can't be upgraded. And my desktop computer at the time had an older motherboard that predated USB 2.0. The really annoying part was that there was no way to turn off the balloon. "Yes, I know I inserted the device into a USB 1.0 port, but this computer doesn't have any USB 2.0 ports, so stop bugging me already."

    It actually got the point that I went out and bought a USB 2.0 adapter card just to shut up the stupid balloon.³

    Thank goodness that in Windows Vista, the USB folks realized how annoying it is to show a balloon that yells at you for something you can't do anything about, and they added a way to disable the pop-up.

    Nitpicker's Corner

    ¹Although this statement takes the grammatical form of a statement of fact, it is actually a statement of opinion. Other people may legitimately disagree with this opinion. Whether the message is in fact "one of the more annoying messages in Windows XP" is irrelevant to the story; the employment of this statement of opinion is rhetorical and serves a useful storytelling purpose, namely to serve as an interesting introduction and to establish a context for elaboration. It does not establish the official position of Microsoft Corporation regarding how annoying that message is.

    ²That is not literally what the message says, but the underlying meaning is comparable. The message text has been paraphrased for rhetorical purposes (to create a more informal tone) and for time-saving purposes (to save me the trouble of having to re-create the message and carefully transcribe the message word-for-word).

    ³Again, the use of the word "stupid" here is rhetorical, indicating my level of frustration and not attempting to establish the official Microsoft position on the intelligence of the balloon or the people responsible for it.

  • The Old New Thing

    Will dragging a file result in a move or a copy?


    Some people are confused by the seemingly random behavior when you drag a file. Do you get a move or a copy?

    And you're right to be confused because it's not obvious until you learn the secret. Mind you, this secret hasn't changed since 1989, but an old secret is still a secret just the same. (Worse: An old secret is a compatibility constraint.)

    • If Ctrl+Shift are held down, then the operation creates a shortcut.
    • If Shift is held down, then the operation is a move.
    • If Ctrl is held down, then the operation is a copy.
    • If no modifiers are held down and the source and destination are on the same drive, then the operation is a move.
    • If no modifiers are held down and the source and destination are on different drives, then the operation is a copy.

    This is one of the few places where the fact that there are things called "drives" makes itself known to the end user in a significant way.

  • The Old New Thing

    How do I put a different wallpaper on each monitor?


    When you set a wallpaper on a multi-monitor system, that wallpaper goes onto each monitor. For example, if your wallpaper is a picture of a flower, each monitor shows that same flower. Commenter David Phillips wonders whether there is a way to set a different wallpaper on each monitor, or whether it is some sort of trick.

    It's some sort of trick.

    And it's a trick because it's not something that the window manager folks intended to happen; rather, it's just an artifact of how wallpapers work.

    The trick is to set your wallpaper to "tile" rather than "center" or "stretch". When the window manager draws a tiled bitmap, it places the tiles so that the upper left corner of the primary monitor exactly coincides with the top left corner of a tile. The remaining tiles are then arranged around that anchor tile.

    You're not listening. I said that I wanted a different picture on each monitor, not the same picture tiled across all of my monitors.

    Yes, I know. Here comes the trick: Create a "monster tile". For example, suppose you have two 800×600 monitors arranged side by side (primary on the left), and you want a tropical island on the primary monitor and a country road sunset on the second, like this:

    Create a single bitmap that consists of the two images side by side. In our case, it would be a single 1600×600 bitmap.

    When this bitmap is tiled, the "virtual infinite screen" looks like this:

    And the upper left corner of the primary monitor lines up against the upper left corner of a tile, like so:

    If your monitors aren't the same size, you can still use this trick; you just need to add some dummy space to get the tiles to line up the way you want. For example, suppose your secondary monitor is smaller than your primary, positioned so that its top edge lines up with the top edge of the primary. Your "monster bitmap" would place the country road sunset in the corresponding position next to the bitmap you want to use for your primary monitor.

    When this bitmap is tiled and the upper left corner of the tile is placed at the upper left corner of the primary monitor, you get the desired effect:

    Ah, but what if you have a monitor above or to the left of your primary monitor? Since the bitmap is tiled, you just "wrap around" from the left of the "monster bitmap" to the extreme right. For example, if your monitors are arranged side by side but you have the secondary monitor on the left, then you still put the image for the secondary monitor on the right; that way, when the origin of your monitor system is placed against a tile, the image from the tile to the left is the one that shows up on your secondary monitor.

    Given these examples, I leave you to develop the general algorithm.

  • The Old New Thing

    What do the colors in the elevation dialog mean?


    On Windows Vista with User Account Control enabled, when you right-click a program and select Run as Administrator, the elevation prompt contains a particular snippet of warning text and a corresponding color-coding. Here are what the four colors mean.

    Windows needs your permission to continue
    A blue-green banner indicates that the program is a Windows operating system component. Remain calm.
    A program needs your permission to continue
    A gray banner indicates that the program has been signed but is not part of Windows. Be cautious.
    An unidentified program wants access to your computer
    A yellow banner indicates that the program's identity cannot be digitally confirmed. Be suspicious.
    This program has been blocked
    A red banner indicates that the program has been blocked from running. Run away.

    You can learn about the philosophy behind UAC in this Channel9 interview.

    Pre-emptive snarky comment: "UAC sucks!"

    The purpose of this entry is not to discuss whether UAC is a good idea or not. I'm just trying to help by providing information on what the colors mean. This is one of the entries that I was afraid to write. On its own, it's useful information, but I anticipate a torrent of nasty comments from people who see it as an opportunity to start flaming. I have other tips and stories related to controversial topics; this is a trial balloon entry. If I get a bad experience from this entry, I'll delete the others. Just like how I deleted all my stories about Bob.

    Update: Okay, just to make it clear (since I'm told that people don't read other comments before posting their own). I did not work on UAC. If you ask me a question about its design or how it works, the answer will be "I don't know." That's why I included a link to a talk from the people who actually know something about it.

  • The Old New Thing

    Dangerous setting is dangerous: This is why you shouldn't turn off write cache buffer flushing


    Okay, one more time about the Write-caching policy setting.

    This dialog box takes various forms depending on what version of Windows you are using.

    Windows XP:

      Enable write caching on the disk
    This setting enables write caching in Windows to improve disk performance, but a power outage or equipment failure might result in data loss or corruption.

    Windows Server 2003:

      Enable write caching on the disk
    Recommended only for disks with a backup power supply. This setting further improves disk performance, but it also increases the risk of data loss if the disk loses power.

    Windows Vista:

      Enable advanced performance
    Recommended only for disks with a backup power supply. This setting further improves disk performance, but it also increases the risk of data loss if the disk loses power.

    Windows 7 and 8:

      Turn off Windows write-cache buffer flushing on the device
    To prevent data loss, do not select this check box unless the device has a separate power supply that allows the device to flush its buffer in case of power failure.

    Notice that the warning text gets more and more scary each time it is updated. It starts out just by saying, "If you lose power, you might have data loss or corruption." Then it adds a recommendation, "Recommended only for disks with a backup power supply." And then it comes with a flat-out directive: "Do not select this check box unless the device has a separate power supply."

    The scary warning is there for a reason: If you check the box when your hardware does not satisfy the criteria, you risk data corruption.

    But it seems that even with the sternest warning available, people will still go in and check the box even though their device does not satisfy the criteria, and the dialog box says right there do not select this check box.

    And then they complain, "I checked this box, and my hard drive was corrupted! You need to investigate the issue and release a fix for it."

    Dangerous setting is dangerous.

    At this point, I think the only valid "fix" for this feature would be to remove it entirely. This is why we can't have dangerous things.

  • The Old New Thing

    If NTFS is a robust journaling file system, why do you have to be careful when using it with a USB thumb drive?


    Some time ago, I noted that in order to format a USB drive as NTFS, you have to promise to go through the removal dialog.

    But wait, NTFS is a journaling file system. The whole point of a journaling file system is that it is robust to these sorts of catastrophic failures. So how can surprise removal of an NTFS-formatted USB drive result in corruption?

    Well, no it doesn't result in corruption, at least from NTFS's point of view. The file system data structures remain intact (or at least can be repaired from the change journal) regardless of when you yank the drive out of the computer. So from the file system's point of view, the answer is "Go ahead, yank the drive any time you want!"

    This is a case of looking at the world through filesystem-colored glasses.

    Sure, the file system data structures are intact, but what about the user's data? The file system's autopilot system was careful to land the plane, but yanking the drive killed the passengers.

    Consider this from the user's point of view: The user copies a large file to the USB thumb drive. Chug chug chug. Eventually, the file copy dialog reports 100% success. As soon as that happens, the user yanks the USB thumb drive out of the computer.

    The user goes home and plugs in the USB thumb drive, and finds that the file is corrupted.

    "Wait, you told me the file was copied!"

    Here's what happened:

    • The file copy dialog creates the destination file and sets the size to the final size. (This allows NTFS to allocate contiguous clusters to the file.)
    • The file copy dialog writes a bunch of data to the file, and then closes the handle.
    • The file system writes the data into the disk cache and returns success.
    • The file copy dialog says, "All done!"
    • The user yanks the USB thumb drive out of the computer.
    • At some point, the disk cache tries to flush the data to the USB thumb drive, but discovers that the drive is gone! Oops, all the dirty data sitting in the disk cache never made it to the drive.

    Now you insert the USB drive into another computer. Since NTFS is a journaling file system, it can auto-repair the internal data structures that are used to keep track of files, so the drive itself remains logically consistent. The file is correctly set to the final size, and its directory entry is properly linked in. But the data you wrote to the file? It never made it. The journal didn't have a copy of the data you wrote in step 2. It only got as far as the metadata updates from step 1.

    That's why the default for USB thumb drives is to optimize for Quick Removal. Because people expect to be able to yank USB thumb drives out of the computer as soon as the computer says that it's done.

    If you want to format a USB thumb drive as NTFS, you have to specify that you are Optimizing for Performance and that you promise to warn the file system before yanking the drive, so that it can flush out all the data sitting in the disk cache.

    Even though NTFS is robust and can recover from the surprise removal, that robustness does not extend to the internal consistency of the data you lost. From NTFS's point of view, that's just a passenger.

    Update: It seems that people missed the first sentence of this article. Write-behind caching is disabled by default on removable drives. You get into this mess only if you override the default. And on the dialog box that lets you override the default, there is a warning message that says that when you enable write-behind caching, you must use the Safely Remove Hardware icon instead of just yanking the drive. In other words, this problem occurs because you explicitly changed a setting from the safe setting to the dangerous one, and you ignored the warning that came with the dangerous setting, and now you're complaining that the setting is dangerous.

  • The Old New Thing

    Why does my mouse/touchpad sometimes go berzerk?


    Each time you move a PS/2-style mouse, the mouse send three bytes to the computer. For the sake of illustration, let's say the three bytes are x, y, and buttons.

    The operating system sees this byte stream and groups them into threes:

    x y b x y b x y b x y b

    Now suppose the cable is a bit jiggled loose and one of the "y"s gets lost. The byte stream loses an entry, but the operating system doesn't know this has happened and keeps grouping them in threes.

    x y b x b x y b x y b x

    The operating system is now out of sync with the mouse and starts misinterpreting all the data. It receives a "y b x" from the mouse and treats the y byte as the x-delta, the b byte as the y-delta, and the x byte as the button state. Result: A mouse that goes crazy.

    Oh wait, then there are mice with wheels.

    When the operating system starts up, it tries to figure out whether the mouse has a wheel and convinces it to go into wheel mode. (You can influence this negotiation from Device Manager.) If both sides agree on wheeliness, then the mouse generates four bytes for each mouse motion, which therefore must be interpreted something like this:

    x y b w x y b w x y b w x y b w

    Now things get really interesting when you introduce laptops into the mix.

    Many laptop computers have a PS/2 mouse port into which you can plug a mouse on the fly. When this happens, the built-in pointing device is turned off and the PS/2 mouse is used instead. This happens entirely within the laptop's firmware. The operating system has no idea that this switcheroo has happened.

    Suppose that when you turned on your laptop, there was a wheel mouse connected to the PS/2 port. In this case, when the operating system tries to negotiate with the mouse, it sees a wheel and puts the mouse into "wheel mode", expecting (and fortunately receiving) four-byte packets.

    Now unplug your wheel mouse so that you revert to the touchpad, and let's say your touchpad doesn't have a wheel. The touchpad therefore spits out three-byte mouse packets when you use it. Uh-oh, now things are really messed up.

    The touchpad is sending out three-byte packets, but the operating system thinks it's talking to that mouse that was plugged in originally and continues to expect four-byte packets.

    You can imagine the mass mayhem that ensues.

    Moral of the story: If you're going to hot-plug a mouse into your laptop's PS/2 port, you have a few choices.

    • Always use a nonwheel mouse, so that you can plug and unplug with impunity, since the nonwheel mouse and the touchpad both use three-byte packets.
    • If you turn on the laptop with no external mouse, then you can go ahead and plug in either a wheeled or wheel-less mouse. Plugging in a wheel-less mouse is safe because it generates three-byte packets just like the touchpad. And plugging in a wheeled mouse is safe because the wheeled mouse was not around for the initial negotiation, so it operates in compatibility mode (i.e., it pretends to be a wheel-less mouse). In this case, the mouse works, but you lose the wheel.
    • If you turn on the laptop with a wheel mouse plugged in, never unplug it because once you do, the touchpad will take over and send three-byte packets and things will go berzerk.

    Probably the easiest way out is to avoid the PS/2 mouse entirely and just use a USB mouse. This completely sidesteps the laptop's PS/2 switcheroo.

  • The Old New Thing

    Why doesn't the Low Disk Space warning balloon show up as soon as I run low on disk space


    A customer reported an issue with the title "The notification balloon for Low Disk Space does not appear even if the free disk is very low." They provided the following steps:

    • Install Windows 7 64-bit on a SATA drive.
    • Copy files to the system drive until disk space becomes low.
    • Observe that the notification balloon for Low Disk Space does not immediately appear.
    • The balloon appears approximately ten minutes later.

    You read through the steps nodding, "uh huh, uh huh", and then you get to the last step and you say, "Wait a second, the subject of your report was that the balloon doesn't appear at all, and now you're saying that it appears after ten minutes. So it does appear after all. What is the problem?"

    The customer explained that on earlier versions of Windows, the Low Disk Space warning balloon appeared within one minute, whereas in Windows 7 it can take up to ten minutes for the balloon to appear.

    Yup, that's right.

    In previous versions of Windows, Explorer checked for low disk space once a minute. The Windows performance folks requested that the shell reduce the frequency of checks to improve overall system performance, and the shell team agreed to reduce the frequency to once every ten minutes. (The performance team made other suggestions to reduce the impact of that code that runs every ten minutes.)

    So yes, in Windows 7, it may take up to ten minutes for Explorer to report that you are low on disk space. But Explorer never promised that those reports would be timely. Or that they would even appear in the first place. The behavior is not contractual; it's just a courtesy notification.

    Related: How full does a hard drive have to get before Explorer will start getting concerned? and How do I disable the low disk space notifications?

Page 1 of 27 (263 items) 12345»