• #### "Friends" is so trendsetting

The characters on the television program "Friends" are apparently trendsetters in the use of the word "so".
[People with way too much time on their hands] spent a year going through transcripts from each episode of the first eight seasons of Friends, taking note of every single adjective...

[T]he show's popularity peaked at the same time the characters said "so" the most, and as the use of the word declined, so did the show's popularity.

So that's how to rescue the show: Make people say "so" more.

So if I use the word "so" more, maybe that'll increase my popularity. Yes, it's so shallow of me, but so what?

Grammar nitpick: "so" in the phrase "so cool" is an adverb, not an adjective.

Raymond's brush with fame: I actually know one of the writers on "Friends".

• #### How do I convert a SID between binary and string forms?

Of course, if you want to do this programmatically, you would use ConvertSidToStringSid and ConvertStringSidToSid, but often you're studying a memory dump or otherwise need to do the conversion manually.

If you have a SID like S-a-b-c-d-e-f-g-...

Then the bytes are

| Bytes | Meaning |
|---|---|
| `a` | revision |
| `N` | number of dashes minus two |
| `bbbbbb` | six bytes of "b" treated as a 48-bit number in big-endian format |
| `cccc` | four bytes of "c" treated as a 32-bit number in little-endian format |
| `dddd` | four bytes of "d" treated as a 32-bit number in little-endian format |
| `eeee` | four bytes of "e" treated as a 32-bit number in little-endian format |
| `ffff` | four bytes of "f" treated as a 32-bit number in little-endian format |
| etc. | |

So for example, if your SID is `S-1-5-21-2127521184-1604012920-1887927527-72713`, then your raw hex SID is

010500000000000515000000A065CF7E784B9B5FE77C8770091C0100

This breaks down as follows:

| Bytes | Meaning |
|---|---|
| `01` | S-1 |
| `05` | seven dashes, seven minus two = 5 |
| `000000000005` | 5 = 0x000000000005, big-endian |
| `15000000` | 21 = 0x00000015, little-endian |
| `A065CF7E` | 2127521184 = 0x7ECF65A0, little-endian |
| `784B9B5F` | 1604012920 = 0x5F9B4B78, little-endian |
| `E77C8770` | 1887927527 = 0x70877CE7, little-endian |
| `091C0100` | 72713 = 0x00011C09, little-endian |

Yeah, that's great, Raymond, but what do all those numbers mean?

| Component | Meaning |
|---|---|
| `S-1-` | version number (SID_REVISION) |
| `-5-` | SECURITY_NT_AUTHORITY |
| `-21-` | SECURITY_NT_NON_UNIQUE |
| `-...-...-...-` | these identify the machine that issued the SID |
| `72713` | unique user id on the machine |

Each machine generates a unique ID that it uses to stamp all the SIDs it creates (-...-...-...-). The last number is a "relative id (RID)" that represents a user created by that machine. There are a bunch of predefined RIDs; you can see them in the header file ntseapi.h, which is also where I got these names from. The system reserves RIDs up to 999, so the first non-builtin account gets assigned ID number 1000. The number 72713 means that this particular SID is the 71714th SID created by the issuer. (The machine that issued this SID is clearly a domain controller, responsible for creating the accounts of tens of thousands of users.)

(Actually, I lied above when I said that this is the 71714th SID created by the issuer. Large servers can delegate SID creation to helpers, in which case SID issuance is no longer strictly consecutive.)

Security isn't my area of expertise, so it's entirely possible (perhaps even likely) that I got something wrong up above. But it's mostly correct, I think.
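A manual converter for the layout described above, as an added example that is not part of the original post: it encodes a string SID into the binary form, decodes it back (rejecting truncated input, which is what you usually hit in a dump), and splits an NT-authority SID into issuer identifier and RID. The 15-sub-authority limit is Windows' SID_MAX_SUB_AUTHORITIES; the example values are the ones worked through in the post.

```python
import struct

SID_MAX_SUB_AUTHORITIES = 15   # Windows limit on the sub-authority count

def sid_to_bytes(sid: str) -> bytes:
    """Encode 'S-R-A-s1-s2-...' into the binary layout described in the post."""
    parts = sid.strip().split("-")
    if len(parts) < 3 or parts[0].upper() != "S":
        raise ValueError(f"not a SID: {sid!r}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if not 0 <= revision <= 255 or not 0 <= authority < 1 << 48:
        raise ValueError("revision or authority out of range")
    if len(subs) > SID_MAX_SUB_AUTHORITIES or any(not 0 <= s < 1 << 32 for s in subs):
        raise ValueError("bad sub-authority list")
    return (bytes([revision, len(subs)])             # a, N (dashes minus two)
            + authority.to_bytes(6, "big")           # bbbbbb, big-endian
            + struct.pack(f"<{len(subs)}I", *subs))  # cccc dddd ..., little-endian

def bytes_to_sid(raw: bytes) -> str:
    """Decode a binary SID (e.g. copied out of a memory dump) to string form."""
    if len(raw) < 8:
        raise ValueError("SID shorter than its 8-byte header")
    revision, count = raw[0], raw[1]
    if count > SID_MAX_SUB_AUTHORITIES or len(raw) != 8 + 4 * count:
        raise ValueError(f"length {len(raw)} does not match {count} sub-authorities")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack(f"<{count}I", raw[8:])
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])

def describe(sid: str) -> dict:
    """Split an NT-authority SID into issuer identifier and RID."""
    parts = [int(p) for p in sid.split("-")[1:]]
    revision, authority, subs = parts[0], parts[1], parts[2:]
    info = {"revision": revision, "authority": authority, "sub_authorities": subs}
    if authority == 5 and subs and subs[0] == 21:   # SECURITY_NT_AUTHORITY, SECURITY_NT_NON_UNIQUE
        info["issuer"] = tuple(subs[1:-1])          # identifies the machine that issued the SID
        info["rid"] = subs[-1]
        info["builtin_rid"] = subs[-1] <= 999       # RIDs up to 999 are reserved by the system
    return info

# Worked example from the post
EXAMPLE_SID = "S-1-5-21-2127521184-1604012920-1887927527-72713"
EXAMPLE_HEX = "010500000000000515000000A065CF7E784B9B5FE77C8770091C0100"
```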

• #### "Section 419" scammers arrested in Netherlands; Danish flag flies proudly

Dutch police have arrested 52 people suspected of defrauding gullible Internet users in one of the largest busts of the infamous "Nigerian e-mail" scam.
Hooray for the Dutch police. Their next target: Web sites that illustrate a Dutch article with the Danish flag.

(I must sheepishly admit that I too mistakenly identified the home of Ikea as Denmark rather than the Netherlands.)

• #### Rip-it

Last night I had to frog several dozen rows of knitting because I forgot to change needles. Color changes I remember. Needle changes I always forget. Probably because color changes are much more exciting.

• #### Why is a registry file called a "hive"?

Useless trivia day.

Why is a registry file called a "hive"?

Because one of the original developers of Windows NT hated bees.  So the developer who was responsible for the registry snuck in as many bee references as he could.  A registry file is called a "hive", and registry data are stored in "cells", which is what honeycombs are made of.

• #### Improving the world one bad analogy at a time

One thing I am known for at Microsoft is my frequent use of bad analogies. Everybody else at work has had to suffer; now it's your turn.

Why are there so many copies of svchost.exe running? What is svchost.exe anyway?

Traditionally, each service runs in its own process. When you are developing and testing your service, having it in its own process makes debugging a lot easier.

But if you look at your list of services (in Computer Management, Services), you can see that if each one got its own process you'd sure have a whole lot of processes lying around. Since there is a cost to each process merely for existing, having so many processes running would be a waste, since many services are used only sporadically. Tapisrv, for example, is active only when you are doing things with your modem.

For performance reasons, groups of services are thrown together and run in a shared process called svchost. Sort of like a reality TV show, but without the voting.

This means that if you see a copy of svchost.exe going a bit haywire in Task Manager, you can't really tell which service inside it is responsible. Knowledge Base article 314056 describes how you can dig into each svchost to see which services are running inside it. This will at least narrow the problem down to a subset of all the services.

• #### Stupid memory-mapping tricks

Shared memory is not just for sharing memory with other processes. It also lets you share memory with yourself in sneaky ways.

For example, this sample program (all error checking and cleanup deleted for expository purposes) shows how you can map the same shared memory into two locations simultaneously. Since they are the same memory, modifications to one address are reflected at the other.

```c
#include <windows.h>
#include <stdio.h>

int main(void)
{
    /* Pagefile-backed section one DWORD long. The arguments after NULL
       were cut off in the extracted post; these are the standard ones
       for a pagefile-backed read/write mapping of sizeof(DWORD) bytes. */
    HANDLE hfm = CreateFileMapping(INVALID_HANDLE_VALUE, NULL,
                                   PAGE_READWRITE, 0, sizeof(DWORD), NULL);

    /* Map the same section twice; each call hands back a fresh address. */
    LPDWORD pdw1 = (LPDWORD)MapViewOfFile(hfm, FILE_MAP_WRITE,
                                          0, 0, sizeof(DWORD));
    LPDWORD pdw2 = (LPDWORD)MapViewOfFile(hfm, FILE_MAP_WRITE,
                                          0, 0, sizeof(DWORD));

    printf("Mapped to %p and %p\n", (void *)pdw1, (void *)pdw2);
    printf("*pdw1 = %lu, *pdw2 = %lu\n", *pdw1, *pdw2);

    /* Now watch this: both views alias the same physical memory. */
    *pdw1 = 42;
    printf("*pdw1 = %lu, *pdw2 = %lu\n", *pdw1, *pdw2);
    return 0;
}
```

This program prints

```
Mapped to 280000 and 290000
*pdw1 = 0, *pdw2 = 0
*pdw1 = 42, *pdw2 = 42
```

(Missing asterisks added, 8am - thanks to commenter Tom for pointing this out.)

The addresses may vary from run to run, but observe that the memory did get mapped to two different addresses, and changing one value to 42 magically changed the other.

This is a nifty consequence of the way shared memory mapping works. I stumbled across it while investigating how I could copy large amounts of memory without actually copying it. The solution: Create a shared memory block, map it at one location, write to it, then unmap it from the old location and map it into the new location. Presto: The memory instantly "moved" to the new location. This is a major win if the memory block is large, since you didn't have to allocate a second block, copy it, then free the old block - the memory block doesn't even get paged in.

It turns out I never actually got around to using this trick, but it was a fun thing to discover anyway.

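The same two tricks in portable form, as an added example that is not code from the original post: Python's mmap module (which on Windows wraps the same CreateFileMapping/MapViewOfFile calls) maps one shared buffer twice so a write through one view shows up in the other, then performs the "move" from the previous paragraph by dropping both views and mapping a fresh one, with no copy of the data ever being made. A temporary file stands in for the pagefile-backed section.

```python
import mmap
import os
import tempfile

def alias_and_move_demo() -> bool:
    """Map one shared buffer at two places, then 'move' it without copying."""
    size = mmap.PAGESIZE
    with tempfile.TemporaryFile() as f:        # stands in for the pagefile-backed section
        os.ftruncate(f.fileno(), size)
        # Two independent views of the same backing object (same as the
        # two MapViewOfFile calls in the post).
        v1 = mmap.mmap(f.fileno(), size, access=mmap.ACCESS_WRITE)
        v2 = mmap.mmap(f.fileno(), size, access=mmap.ACCESS_WRITE)
        v1[0:4] = (42).to_bytes(4, "little")   # write through the first view ...
        aliased = int.from_bytes(v2[0:4], "little") == 42   # ... visible through the second
        v1.close()
        v2.close()
        # The "move": unmap the old views and map the block again. The 42
        # is still there; nothing was allocated or copied.
        v3 = mmap.mmap(f.fileno(), size, access=mmap.ACCESS_READ)
        moved = int.from_bytes(v3[0:4], "little") == 42
        v3.close()
    return aliased and moved

if __name__ == "__main__":
    print("aliasing and move worked:", alias_and_move_demo())
```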
• #### Curling anyone?

The Granite Curling Club is having their annual open house today, October 18th 2003, from 2pm to 8pm. The Seattle facility is the only dedicated curling facility in the United States west of the Rockies. Bring sweatpants, flat-soled shoes, and $5. They'll provide the brooms and duct tape.

I became fascinated with curling many years ago when I would run across curling tournaments on Canadian television. The only chance to see curling on television in the States is maybe if you're lucky a match or two during the Winter Olympics.

• #### Why don't notification icons get a message when the user clicks the "X" button?

If such a notification were generated, ill-behaved programs would just react to a click on the balloon's "X" button with an annoying follow-up dialog like, "Are you sure you want to ignore my wonderful message?" So there was a conscious decision not to give them the chance.

In the Before Time, software was trusted not to be actively evil, not to second-guess a user's action, not to invade a user's private space.

Over the years, we've learned that this was a naïve position to take. So now, when we decide that something is an end-user setting, we actively avoid giving programmatic access to it, so programs won't be tempted to weasel themselves into it.

• #### It's a lot easier to write a column if you don't care about accuracy

Now that Longhorn Rumor Season seems to have kicked up, I'm reminded of Windows 95 Rumor Season. The great thing about writing a rumors column is that you don't have to be right! Even if you're wrong, you can just say, "Well, Microsoft changed it before they shipped," and nobody can say you were wrong. It's a victimless crime! The only victim is Microsoft!

Here's a classic example from early 1995:

Notes from the Field
Microsoft's latest security scheme could leave users of Windows 95 dongling

BY ROBERT X. CRINGELY

One thing that will be pretty darned hard to steal, come Aug. 24, is a renegade copy of Windows 95. Just before heading to the DMV, I heard that the kids in Redmond plan to cut Win95 piracy to zilch by requiring the use of a dongle. Yes, a dongle.

Just in case you've led a charmed or boring life, a dongle is a thingamajig that plugs into one of your PC I/O ports. One dongle is shipped for each copy of the OS and the software won't work if it can't detect the proper dongle.

The upshot of this plan is that you can load as many copies of Win95 as you like, but only the machine with the dongle will work.

Now the requisite qualifiers, pre-paid backpedaling, and so on: I believe this information to be true, but I have it from only one source, so it should be classified as a rumor. Microsoft could change its mind on the dongle security strategy tomorrow.

Emphasis mine. And the great thing is, if the story turns out untrue, you can even take credit for it! "Thanks to public uproar over my amazing scoop, Microsoft changed their mind and decided not to do this thing" (that they weren't planning on doing anyway).