Tips/Support

  • The Old New Thing

    What does it mean when the Advanced Security Settings dialog says that an ACE was inherited from "Parent Object" without naming the specific parent?

    The Advanced Security Settings dialog shows the ACEs in an object's ACL, and one of the pieces of information is a column labeled Inherited from which identifies whether the ACE was inherited, and if so, from where. A customer observed that when they opened the Advanced Security Settings dialog, one of their objects had an ACE that showed Parent Object as the Inherited from.

    Name: C:\dir1\dir2\dir3\dir4\file

    Type   Principal            Access          Inherited from  Applies to
    Allow  Administrators       Full control    None            This folder only
    Allow  Administrators       Full control    C:\dir1\dir2\   This folder, subfolders and files
    Allow  SYSTEM               Full control    C:\dir1\dir2\   This folder, subfolders and files
    Allow  CREATOR OWNER        Full control    C:\dir1\dir2\   Subfolders and files only
    Allow  Users                Read & execute  C:\dir1\dir2\   This folder, subfolders and files
    Allow  Users                Special         C:\dir1\dir2\   This folder and subfolders
    Allow  Authenticated Users  Full control    Parent Object   This folder, subfolders and files

    However, when they went to the parent object C:\dir1\dir2\dir3\dir4, that ACE is nowhere to be found.

    Name: C:\dir1\dir2\dir3\dir4

    Type   Principal            Access          Inherited from  Applies to
    Allow  Administrators       Full control    None            This folder only
    Allow  Administrators       Full control    C:\dir1\dir2\   This folder, subfolders and files
    Allow  SYSTEM               Full control    C:\dir1\dir2\   This folder, subfolders and files
    Allow  CREATOR OWNER        Full control    C:\dir1\dir2\   Subfolders and files only
    Allow  Users                Read & execute  C:\dir1\dir2\   This folder, subfolders and files
    Allow  Users                Special         C:\dir1\dir2\   This folder and subfolders
    Allow  Everyone             Full control    C:\dir1\dir2\   This folder, subfolders and files

    How can an ACE be inherited from its parent, when it doesn't exist in the parent?

    The Advanced Security Settings dialog is trying to be helpful, but in doing so, it implies a greater level of confidence than it actually offers.

    ACEs do not specify where they were inherited from. There is merely a bit in the ACE called INHERITED_ACE which means, "This ACE was created via inheritance." Not only does this bit not tell you where the ACE was inherited from, but the bit might even be wrong! Anybody can go in and toggle the bit, and bingo, you now have forged the "I was created via inheritance" flag. Another way this flag could be out of sync is if the user started an ACL update operation and then canceled it partway through.

    The Advanced Security Settings dialog uses the GetInheritanceSource function to determine the source of each ACE. That function walks up the parent chain looking for matching inheritable ACEs. If a match is found, then the Advanced Security Settings dialog shows that parent as the Inherited from. Otherwise, it shrugs its shoulders and says Parent Object.

    The string Parent Object means "This ACE claims to have been inherited from somewhere, but I can't figure out where, so I'm just going to be vague and say that it came from some parent object somewhere." Perhaps a less confusing string would have been Ancestor Object or even simply Unknown.

    The Advanced Security Settings dialog figured that it would go the extra mile and instead of merely saying Inherited = Yes, it would try to find a parent object that was the most likely source of the inheritance. But by doing that, you came to expect it, and then you got upset when it wasn't able to come through for you. No good deed goes unpunished.
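
    The ancestor walk described above, as an added example that is not code from the original post and not the implementation of GetInheritanceSource: a simplified model that flags ACEs whose INHERITED_ACE bit is set but which no ancestor backs up. The names Ace, inheritance_source, unbacked_aces and SAMPLE are hypothetical, the ACL data is constructed, and matching is assumed to compare only type, principal and access mask.

```python
from dataclasses import dataclass
import ntpath

# ACE header flag values from winnt.h
OBJECT_INHERIT_ACE, CONTAINER_INHERIT_ACE, INHERITED_ACE = 0x01, 0x02, 0x10
FULL, READ_EXEC = 0x1F01FF, 0x1200A9   # FILE_ALL_ACCESS, generic read + execute

@dataclass(frozen=True)
class Ace:
    principal: str
    mask: int
    flags: int = 0          # ACE header flags
    ace_type: str = "Allow"

def inheritance_source(path, ace, acls, is_container=False):
    """'None' for an explicit ACE, the ancestor holding a matching explicit
    inheritable ACE, or 'Parent Object' when no ancestor backs the claim."""
    if not ace.flags & INHERITED_ACE:
        return "None"
    needed = CONTAINER_INHERIT_ACE if is_container else OBJECT_INHERIT_ACE
    parent = ntpath.dirname(path)
    while True:
        for cand in acls.get(parent, []):
            same = (cand.ace_type, cand.principal, cand.mask) == \
                   (ace.ace_type, ace.principal, ace.mask)
            if same and cand.flags & needed and not cand.flags & INHERITED_ACE:
                return parent
        if ntpath.dirname(parent) == parent:    # reached the drive root
            return "Parent Object"
        parent = ntpath.dirname(parent)

def unbacked_aces(path, acls, is_container=False):
    """Principals whose ACE on `path` sets INHERITED_ACE with no source found."""
    return [a.principal for a in acls[path]
            if inheritance_source(path, a, acls, is_container) == "Parent Object"]

# Constructed ACLs modelled on the article's example (not read from a real volume).
OI_CI = OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE
INH = OI_CI | INHERITED_ACE
FILE = r"C:\dir1\dir2\dir3\dir4\file"
SAMPLE = {
    r"C:\dir1\dir2": [Ace("SYSTEM", FULL, OI_CI), Ace("Users", READ_EXEC, OI_CI)],
    r"C:\dir1\dir2\dir3\dir4": [Ace("SYSTEM", FULL, INH), Ace("Users", READ_EXEC, INH)],
    FILE: [
        Ace("Administrators", FULL),                      # explicit
        Ace("SYSTEM", FULL, INHERITED_ACE),               # backed by C:\dir1\dir2
        Ace("Authenticated Users", FULL, INHERITED_ACE),  # bit set, no source
    ],
}
```

    An ACE reported by unbacked_aces is one to review by hand: its inherited flag is either stale or was set directly, so re-propagating the parent's ACL will not necessarily account for it.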

  • The Old New Thing

    Access to a file's attributes is controlled by two things

    We saw some time ago that permission to delete a file is granted either

    • if you have DELETE access on the file, or
    • if you have FILE_DELETE_CHILD access on the containing directory.

    File attributes behave in an analogous way.

    Permission to read a file's attributes is granted either

    • if you have FILE_READ_ATTRIBUTES access on the file, or
    • if you have FILE_LIST_DIRECTORY access on the containing directory.

    If you want the file's attributes, you could always get them by reading the directory, because one of the pieces of information you get from FindFirstFile is the file attributes. Therefore, having permission to read a directory implicitly gives you permission to read the attributes of any file in that directory.

    (Note, of course, that write permission on attributes is another story.)

  • The Old New Thing

    When I set the "force X off" policy to Disabled, why doesn't it force X on?

    A customer was using one of the many "force X off" policies, but instead of using it to force X off, they were trying to use it to force X on by setting the policy to Disabled. For example, there is a policy called "Hide and disable all items on the desktop". The customer was setting this policy to Disabled, expecting it to force all icons visible on the desktop, removing the option on the desktop View menu to hide the icons.

    As we discussed some time ago, group policy is for modifying default behavior, and interpreting policies requires you to have a degree in philosophy.

    In particular, a policy which forces X off has three states:

    • Enabled: X is forced off.
    • Disabled: X is not forced off.
    • Not configured: No opinion. Let another group policy object decide.

    Disabling a policy means "Return to default behavior", and the default behavior in many cases is that the user can decide whether they want X or not by selecting the appropriate option. In philosophical terms, "Not forced off" is not the same as "Forced on."

    If you want to force X on, then you have to look for a policy that says "Force X on." (And if there isn't one, then forcing X on is not something currently supported by group policy.)

  • The Old New Thing

    Why does the copy dialog give me the incorrect total size of the files being copied?

    If you try to copy a bunch of files to a drive that doesn't have enough available space, you get an error message like this:

    1 Interrupted Action

    There is not enough space on Removable Disk (D:). You need an additional 1.50 GB to copy these files.

    ▭  Removable Disk (D:)
    Space free: 2.50 GB
    Total size: 14.9 GB
    Try again Cancel

    "But wait," you say. "I'm only copying 5GB of data. Why does it say Total size: 14.9 GB?"

    This is a case of information being presented out of context and resulting in mass confusion.

    Suppose you saw the information like this:

    Computer
    ◢ Hard Disk Drives (1)   
     
    ▭  Windows (C:)
    Space free: 31.5 GB
    Total size: 118 GB
    ◢ Drives with Removable Storage (1)   
     
    ▭  Removable Disk (D:)
    Space free: 2.50 GB
    Total size: 14.9 GB

    In this presentation, it is clear that Total size refers to the total size of the drive itself.

    So the original dialog is not saying that the total size of data being copied is 14.9 GB. It's trying to say that the total size of the removable disk is 14.9 GB.

    Mind you, the presentation is very confusing since the information about the removable disk is presented without any introductory text. It's just plopped there on the dialog without so much as a hello.

    I'm not sure how I would fix this. Maybe reordering the text elements would help.

    1 Interrupted Action

    There is not enough space on Removable Disk (D:).

    ▭  Removable Disk (D:)
    Space free: 2.50 GB
    Total size: 14.9 GB

    You need an additional 1.50 GB to copy these files.

    Try again Cancel

    However, the design of the dialog may not allow the information tile to be inserted into the middle of the paragraph. It might be restricted to a layout where you can have text, followed by an information tile, followed by buttons. In that case, maybe it could go

    1 Interrupted Action

    You need an additional 1.50 GB to copy these files. There is not enough space on Removable Disk (D:).

    ▭  Removable Disk (D:)
    Space free: 2.50 GB
    Total size: 14.9 GB
    Try again Cancel

    But like I said, I'm not sure about this.

  • The Old New Thing

    Why does Outlook use a semicolon to separate multiple recipients by default?

    Microsoft Outlook by default uses a semicolon to separate multiple recipients. You can change this to a comma, but why is the semicolon the default?

    Microsoft Outlook was originally positioned as a business product, and many businesses complained that the use of a comma as a separator created havoc because they have a policy of setting names in the address book as "Last, First".

    In 2000, the Outlook folks tried to change the default, but the outcry from corporations made them go back to having the semicolon be the default separator.

    Besides, there are a lot of people who have commas in their names, such as Martin Luther King, Jr.

  • The Old New Thing

    How did that program manage to pin itself to my taskbar when I installed it?

    Occasionally, somebody will notice that upon installing a program, it managed to pin itself to the taskbar. But just like there is no PinToStartMenu function, there is also no PinToTaskbar function, and for the same reason: Because applications would abuse it and auto-pin themselves because they are so awesome, and so that the developer could get a nice bonus.

    In spite of these roadblocks, some applications manage to pin themselves to the taskbar anyway, typically by programmatically driving the shortcut context menu. The developer then collects their bonus and goes out and gets drunk.

    There is no real way of blocking this behavior other than giving guidance not to do that. Customers who complain to the vendors about their presumptiveness may help. Scornful looks and ignoring them when they walk by the lunch table looking for a place to sit may also work. (But since they're drunk, they may not care.)

  • The Old New Thing

    How can I let my child use an app that I bought from the Windows Store?

    If you buy an app from the Windows Store, you can make it available to other users on the same Windows PC. This is useful if you, say, buy an app for your child to use. Here's how you do it. (This is all explained on the Windows Store blog, but I've converted it into a step-by-step and updated it for Windows 8.1.)

    First, sign on as yourself and install the app under your own account.

    Next, sign on as the child (or whatever other account you want to share the app with), and launch the Store from that second account.

    In the Store app, go to the top of the screen and hit Account, then My account.

    From the My account page, use the Change User button to sign out as the child account and sign in as yourself.

    Once signed in as yourself, you can reinstall the app into the child account. You can do this the hard way, by searching for the app, or the easy way by hitting Account at the top of the screen, and then choosing My Apps. Tap the app you want to reinstall, then hit the Reinstall button. (Since the app is already installed, all this does is increment the reference count on the app.)

    When finished, sign out of the Store from the child account.

    In Windows 8, each purchased app could be used on up to five PCs, regardless of how many times it was installed on each PC, so adding an app to a second account did not eat into your device quota. In Windows 8.1, the limit was bumped to 81 PCs, which means that for most people, the device limit will not be a problem.

  • The Old New Thing

    If you set up roaming profiles, you are expected to set up each machine identically, for the most part

    A customer discovered the following behavior when they set up roaming user profiles on their domain. Consider two machines, 1 and 2. An application A is installed on machine 1, but not machine 2. A user with a roaming profile logs onto machine 1 and pins application A to the taskbar. That user then logs off of machine 1 and logs onto machine 2.

    Now things get interesting: The taskbar on machine 2 initially shows a white icon on the taskbar, representing the nonexistent application A. A short time later, that icon vanishes. When the user logs off of machine 2 and back onto machine 1, the pinned icon is missing on machine 1, too.

    The white icon is deleted automatically by the system because it sees that you pinned an application which is not installed, so it unpins it too. This general rule is to handle the case where you install an application and pin it, then somebody else uninstalls it. The taskbar removes the now-broken icon to reflect the fact that the application is no longer installed. There's no point having a shortcut to a nonexistent program, and it relieves application vendors of the impossible task of cleaning up pinned icons upon uninstall. (It's impossible because some users who pinned the application may not have their profile locally present because it roamed to another machine. Or worse, the uninstaller tries to edit a profile that is not active and ends up corrupting the master copy when the two versions reconcile.)

    The user profiles team explained that one of the assumptions behind classic roaming user profiles is that the machines participating in roaming be semantically identical: They must be running the same operating system on the same processor architecture. They must have the same set of applications installed into the same locations. And they must have the same drive letter layout.

    But that's just classical roaming profiles. There are other roaming profile solutions, such as User Experience Virtualization, which may meet the customer's needs better. (I'm told that there are also third-party roaming solutions, though I don't know of any offhand, this not being my area of expertise.)

  • The Old New Thing

    What is the difference between Full Windows Touch Support and Limited Touch Support?

    In the System control panel and in the PC Info section of the PC & Devices section of PC Settings, your device's pen and touch support can be reported in a variety of ways. Here is the matrix:

                         No pen                                     Pen
    No touch             No Pen or Touch Input                      Pen Support
    Single touch         Single Touch Support                       Pen and Single Touch Support
    Limited multi-touch  Limited Touch Support with N Touch Points  Pen and Limited Touch Support with N Touch Points
    Full multi-touch     Full Touch Support with N Touch Points     Pen and Full Touch Support with N Touch Points

    The meaning of No touch and Single touch are clear, but if a device supports multiple touch points, what makes the system report it as having Limited versus Full touch support?

    A device with Full touch support is one that has passed Touch Hardware Quality Assurance (THQA). You can read about the Windows Touch Test Lab (WTTL) to see some of the requirements for full touch support.

    If you have a touch device without full touch support, then Windows will lower its expectations from the device. For example, it will not use the timestamps on the device packets, and it will increase the tolerances for edge gestures.

    Note that if test signing is enabled, then all multitouch drivers are treated as having full touch support. (This lets you test your driver in Full mode before submitting it to THQA.)

  • The Old New Thing

    File version information does not appear in the property sheet for some files

    A customer reported that file version information does not appear on the Details page of the property sheet which appears when you right-click the file and select Properties. They reported that the problem began in Windows 7.

    The reason that the file version information was not appearing is that the file's extension was .xyz. Older versions of Windows attempted to extract file version information for all files regardless of type. I believe it was Windows Vista that changed this behavior and extracted version information only for known file types for Win32 modules, specifically .cpl, .dll, .exe, .ocx, .rll, and .sys. If the file's extension is not on the list above, then the shell will not sniff for version information.

    If you want to register a file type as eligible for file version extraction, you can add the following registry key:

    HKEY_LOCAL_MACHINE
     \Software
      \Microsoft
        \Windows
          \CurrentVersion
            \PropertySystem
              \PropertyHandlers
                \.XYZ
                 (Default) = REG_SZ:"{66742402-F9B9-11D1-A202-0000F81FEDEE}"
    

    (Thanks in advance for complaining about this change in behavior. This always happens whenever I post in the Tips/Support category about how to deal with a bad situation. Maybe I should stop trying to explain how to deal with bad situations.)
