In recent past, I have seen few question coming to me asking, “How do I write data on the CD/DVD disk programmatically?” . During my research, I have good introduction to the interfaces available on Windows for burning CD/DVD programmatically that I want to share with all.

There are two basic way to burn CD/DVD. One question can come pretty early, How does Windows OS in-built functionality works? On Windows XP onwards ( could not check on Windows 2000 or earlier, probably there is none ) we can burn the disc by dragging the files/folders on to the disc. OS does it with the shell interface ICDBurn Interface. If you want to burn the files/folders in your program you can use ICDBurn interface but before calling ICDBurn::Burn Method, you need to copy the files/folders in a specific location called CD Staging Area. Once your application selects the files/folders to be written in the CD/DVD and copied to the CD Staging area, calling ICDBurn::Burn Method will burn the CD/DVD, same as OS and delete the files from that location automatically. CD Staging area can be determined by the application by the information available in MSDN documentation as below --

The staging area has a default location of %userprofile%\Local Settings\Application Data\Microsoft\CD Burning. Its actual path can be retrieved through SHGetFolderPath, SHGetSpecialFolderPath, SHGetFolderLocation, SHGetSpecialFolderLocation, or SHGetFolderPathAndSubDir by using the CSIDL_CDBURN_AREA value.

Other way to burn CD/DVD is using Image Mastering API or IMAPI in short. IMAPI comes in two versions IMAPIv1 and IMAPIv2. IMAPIv1 is available for application to be used on Windows XP and Windows Server 2003 and IMAPIv2 is available on Windows Vista onwards, in-box. You can also get the IMAPIv2 available on Windows XP and Windows Server 2003 after installing a package, links and information are below--

What's New

IMAPI 2.0 is included in Windows Vista. Enabling the same functionality for Windows XP and Windows Server 2003 requires the installation of the KB932716 update package.

After installing Description of the Image Mastering API v2.0 (IMAPIv2.0) update package that is dated June 26, 2007 on Windows XP or  Windows Server 2003, application can use the interfaces exposed by IMAPIv2.

Note – Before burning any CD/DVD please see through documentation that which filesystem you want the IMAPI interfaces to be written on the disc? There are few options available like ISO9660, Joliet and UDF.

Next, few links to be shared for IMAPIv1 interfaces available.

IDiscMaster Interface

IDiscMaster::Open Method

IDiscMaster::RecordDisc Method

Next, few links to be shared for IMAPIv1 interfaces available.

IDiscMaster2 Interface

IDiscRecorder2 Interface

Also, IMAPIv2 has multisession support and interfaces are available.

Samples- While there are code snippet sample available on MSDN documentations of the interface/method, there are 2 complete sample applications available in Windows SDK for Vista ( onwards ). Sample locations are below after you install Windows SDK on the dev machine ---

%program files%\Microsoft SDKs\Windows\v6.0\Samples\WinBase\imapi\imapi2sample

%program files%\Microsoft SDKs\Windows\v6.0\Samples\WinBase\storage\IBurn

While imapi2sample is native code in C++, IBurn sample is managed in C#. Please refer to the samples for more understandings of the IMAPI, that can give good start if you want to develop a feature/application for CD/DVD burning.

Nitin Dhawan

Windows SDK – Microsoft

Sometime you may be in a situation to get the MAC address of a machine/device whose IP Address is known. Conventional way like using NetBios or GetAdaptersInfo or GetAdaptersAddresses can give the MAC address of the same machine where the code is running, does not solve the purpose because the machine where the code is executing is not the one for which you have the IP Address and need MAC address. You need API like below --

GetmeMACAddress_IgaveYouIP(&Mac,&IP);  , then life will be easy.

It was clear that ARP protocol will be used for this purpose, but I need to find the programmatic way.

There is a command “arp” that does it, so definitely it is possible to do that. ( arp –a <IP Address> ) will give the MAC address of the machine/device.

Initially when I searched on Internet to find the answer, there were some manual ways and couple of tools, but I want to program it myself, so not of much use.

Later, going though the documentation of Network functions on MSDN site, SendARP Function from IpHelper library, was looking closer. Testing with the sample application available on MSDN page, it works just fine and solve the purpose.

Please read the Remarks section of the API documentation.

Nitin Dhawan

Windows SDK – Microsoft

Question may be, I need to check If the user belong to a particular group or not? There are NetUser* APIs available in NetApi32.lib to list the groups a user belong to a group. You can actually check but then you will need to compare the string of the group you are interested to check and the list returned by the NetApi. Please see the sample available on NetUserGetGroups Function. This approach can be acceptable in some scenarios, but may not work in other.

In a domain environment, there are two domains A and B and have trust relationship in between them. An user of domain A, logged on to a machine in domain B. The application running as domainA\UserA, calls NetUserGetGroups to get the global groups of the user, for any purpose. Generally it should work fine and works fine, I have tested it on many environments, but this approach may fail as well. If the domain where the query should go, has not opened the port ( by firewall ) the API is going to use, then API will not able to get the list of groups for the user. To solve the problem, you need to open the port, which may not be possible because the management of DC on other end not want to do it at all. Now, How to solve it?

When the user logs on providing credentials, authenticated by the AD on DC successfully, gets the logon token, profile is loaded, desktop is created etc etc. The logon token has the information about the user, for what groups it belong to. When user launched any application, it will be launched by this logon token. So, the information about the groups is already within the process itself. You can check it with a tool called whoami (/all) in Windows directory. If we have any API to read this list then we don’t have to go to network again or use NetAPIs. GetTokenInformation Function can be used to list the groups and for other purposes. Is there an API to actually check if the user belong to a particular group? CheckTokenMembership Function can be used for this purpose. API does not look for the group by its name, but by SID. If we have the name, we can convert to SID and pass to CheckTokenMembership. Demo sample code will look like below--

#include<windows.h>
#include<Sddl.h>
#pragma comment(lib,"Advapi32.lib")
int main (int argc, CHAR * argv[]) 
{
BOOL bStatus;
BOOL bIsMember;
SID_NAME_USE sid_name_use;
DWORD dwDomainNameSize;
TCHAR tszDomainName [256];
PSID pSidToCheck;
DWORD cbsid=1024;
LPBYTE pPDC = NULL;
HANDLE hToken;

    if (argc != 2){
        printf("\nUSAGE: %ls grouptocheck\n\n", argv[0]);
        return 1;
    }

    bStatus = OpenProcessToken(OpenProcess(GENERIC_ALL, FALSE, GetCurrentProcessId()), GENERIC_ALL, &hToken);
    if (!bStatus){
        printf("OpenProcessToken failed: %u\n", GetLastError());
        return 1;
    }

    pSidToCheck = malloc (cbsid );
    dwDomainNameSize = sizeof(tszDomainName);
    bStatus = LookupAccountName(
        NULL,       // address of string for system name
        argv[1],      // address of string for account name
        pSidToCheck,      // address of security identifier
        &cbsid,      // address of size of security identifier
        tszDomainName,      // address of string for referenced domain 
        &dwDomainNameSize,      // address of size of domain string
        &sid_name_use       // address of SID-type indicator
    );

    if (!bStatus){
        printf("LookupAccountName failed: %u\n", GetLastError());
        return 1;
    }

    bStatus = CheckTokenMembership(/*hToken*/ NULL, pSidToCheck, &bIsMember);
    if (!bStatus){
        printf("CheckTokenMembership failed: %u\n", GetLastError());
        return 1;
    }

    if (bIsMember)
        printf("The user is a member of the group.\n");
    else
        printf("The user is NOT a member of the group.\n");    
    
    return 0;

}

Nitin Dhawan

Windows SDK - Microsoft

Many times I came to situation that someone don’t know a good way to call an exported function of unmanaged dll from a managed application C# or VB. Person might not have any working knowledge of unmanaged dll, if they are required to create one.

I am writing this post just to demonstrate, how to create a unm

anaged dll and then export a function from it and call that function from the managed C# application.

Create unmanaged dll to export a function

First of all, I create a dll project that exports symbols. I will get the default template project which is ready to export a function, but I will create my own function.

int MyWin32Function()
{
    return 22;
}

If the declaration of the function is int MyWin32Function(); , then it will not be exported from the dll. You can check it from the dumpbin utility or Dependency Walker tool. How to make function exportable/visible to application? __declspec(dllexport) will be used to mark the function exportable. If the function declaration looks like below -__declspec(dllexport) int MyWin32Function(); , Is it exportable? Now if you compile it again and see from dumpbin, you see that the function is exported, but the name of the function is decorated. MyWin32Function will look like ?MyWin32Function@@SoMeChArS. This name decoration is because of name mangling of C++ compiler. It is not possible from the application to call the function with this name, the exported function from dll should be in human readable form, which is convenient, easy to document and easier to use. So, now the problem is, function is exported but with name decoration. We will need to eliminate name decoration so that application can use it easily. extern "C" will be helpful here, asking the C++ compiler to compile as C and no name decoration. Now, function declaration will look like below --

extern "C" __declspec(dllexport) int MyWin32Function();

The dll is ready to be used with exported MyWin32Function. Now, we need to call it from C# application.

 Now, you will need to call a unmanaged function from custom dll from a managed app, C#, need P/Invoke. I have discussed about the P/Invoke in my previous post. You can download P/Invoke Interop Assistant tool. You will need to create the signature of MyWin32Function(). I will use the declaration of my function in the tool and create a signature.

For simplicity, I will use the code in same class. Copy below code to C# application.

/// Return Type: int
[System.Runtime.InteropServices.DllImportAttribute("<Unknown>", EntryPoint = "MyWin32Function")]
public static extern int MyWin32Function();

I will need to change the dll name to my dll name rather than <Unknown>.  

/// Return Type: int
[System.Runtime.InteropServices.DllImportAttribute("MyWin32Dll.dll", EntryPoint = "MyWin32Function")]
public static extern int MyWin32Function();

 Now, You can call this function from C# application below-

int a = 0;
a = MyWin32Function();
Console.WriteLine("returned from dll {0}",a);

To pass parameters from managed application to unmanaged dll function, you will need to work on marshalling the data structures.

Nitin Dhawan

Windows SDK - Microsoft

Windows Sysinternals: Documentation, downloads and additional resources provides a set of tools to get information about various functionalities on the system. The area of information include , process running on the system, file operations, registry operations, TCP/IP related tasks, security etc. The complete list of the tools available can be found here, Sysinternals Utilities. Though there are separate web-pages to view the introduction of each tool and download the tool, there is a dedicated page to download all the tool at once, Sysinternals Suite .

Sysintenals Live, Sysinternals Live is a service that enables you to execute Sysinternals tools directly from the Web without hunting for and manually downloading them. Simply enter a tool’s Sysinternals Live path into Windows Explorer or a command prompt as http://live.sysinternals.com/<toolname> or  \\live.sysinternals.com\tools\<toolname>.

You can view the entire Sysinternals Live tools directory in a browser at http://live.sysinternals.com.

The tools available through sysinternals are very helpful in various troubleshooting scenarios, and I use some of them on daily basis. Here I will try to explain my understanding about the tool and How to I get a particular information through them. It is not possible to demonstrate all of them at once, so this blog-post will get updated over-time whenever I have something to add or edit to it.

Process Explorer

Process Explorer is similar to Windows Task Manager, but shows more information and has extra functionalities to display more information about a process. On display of all the running processes, rather than showing the list of processes, it shows them as tree structure. With tree structure, it is easy to identify which process is parent process and which is child process. For example, If you launch cmd.exe from Start->Run, you will see that the Explorer is the parent process of cmd.exe .

The other cool thing I like about Process Explorer is, it give the handle information, which are held by the process, with the type of the handle and which different dlls are loaded in the process address space and their path. It is very helpful in certain scenarios. The type of handle may be, File, Event, Mutex, Registry, Process etc etc.

How to view handles for a process?

View-> Lower Pane view->Handles , there will be a windows in lower half of the process explorer. Select a process from top windows, to view its handles.

It get refreshed frequently, when a handle is created or deleted, it displays with green or red color.

How to view Dlls loaded within a process?

View-> Lower Pane view->Dlls , there will be a windows in lower half of the process explorer. Select a process from top windows, to view its loaded dlls.

There is no 64bit version of process explorer, so how a downloaded version which is 32 bit binary can walkthrough the 64 bit process address space and list all the dlls? This is solved by process explorer by a trick. I would assume, When process explorer is launched on a 64bit machine as a 32 bit binary, it checks through it code if it is running on a 64bit machine. If yes, it launches a 64 bit binary from within a 32 bit binary. As below—

And procexp.exe has a handle to the process as well.

The 64 bit exe will get deleted when process explorer is closed.

Search is a vast business today and an important feature for any product. Process Explorer has a search only for handles or dlls, in all the processes. Standard Ctrl+F will give below dialog. The Find feature has always saved a lot of time for me, to pin point the exact process, rather than search manually for each process.

Help file is available for Process Explorer.

TCPView

TCP View is another tool which I use frequently to troubleshoot issues with Network programming. Often, it is needed to know that which port has been used by which process and with protocol and who is at the other end. While the same can be retrieved by netstat , but TCP view provides this information in GUI format and with refreshing screens. It is easy to view the behavior of the connections with TCP View in their different states.

The IP Address can be resolved in machine names as well through options menu.

The same can be achieved by your own program as well using below APIs.

GetExtendedTcpTable Function (Windows) and GetExtendedUdpTable Function (Windows).

Help file is available for TCPView.

Process Monitor

Process Monitor is another very popular tool which is widely used. Initially there were tools like Filemon and Regmon but later integrated as Process Monitor. Filemon was used for tracing file related operations and Regmon was used for registry related operations. Now, with Process monitor, we have file and registry related operation in one tool and added network and process related operations. As a simple example, if a file has been created, opened, read, write, close or delete on file system, process monitor can record all these activities and can show the details with time, process name, which operation, on which file, the result of the operation and the details of the operation. The same applies to the registry activity. The cool point is, it can show that which threadID of a process has actually performed this activity.

Using Filter menu, you can restrict your capture, all activities by a particular process, all activities on a particular file or all activities by a particular process on a particular file. It has a lot of filters that can be applied to capture only what we want. Generally I get the complete capture from customer’s site, get the files and then apply needed filters here. Applying the correct set of filters will exactly show you what you want to see in the capture. Network activity can also be monitored from send or receive protocol packets, but I generally used Network Monitor from Microsoft.

Help file is available for Process Monitor.

VMMap

The other tool is VMMap. VMMap is for Virtual Memory Map. VMMap is used to walk through the virtual address space of the process when selected and gathers the information about which memory is used for which purpose, displays with addresses in different colors. VMMap is helpful to look inside the process, and track any changes.

By default it displays the “Total” virtual memory in the lower pane. If you want to see only the loaded images (dlls), then you can select the “Image” from the upper pane list and it will convert as below—

Help file is available for VMMap.

Nitin Dhawan

Windows SDK - Microsoft

Possible Scenario:  On Windows XP or Windows Server 2003 by default IGMPv3 is enabled. When you send a IGMP multicast packet after joining the multicast group using IP_ADD_SOURCE_MEMBERSHIP and setsockopt(), you see that IGMPv2 packet is going out of the machine, while you are expecting IGMPv3 to go out. What’s wrong?

Then you check the registry key below to see if you are actually on IGMPv3 or not—

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

IGMPVersion                DWORD            4

Or as per the KB below in “Configure the registry” section.

You Cannot Configure Windows XP or Windows Server 2003 to Use IGMP Version 1 or Version 2 Support

If the value is 4 for IGMPVersion, then your machine is using IGMPv3, your code is correct because may be it is giving right result for some other customer or network. Now what is wrong?

The reason is, if any machine or router in the network is using lower version of IGMP than v3, then the complete network falls back to that version. So, your machine/interface will start using lower version of the IGMP. This is by design. This is clearly demonstrated in ietf website.

IGMP Mixed Version Proxying , see slides 11, 12 and 13.

But I want to send only IGMPv3, no matter if network falls back to lower version if other machine/device is using lower version, What to do?

No, there is no way to do that. This is by design and as per the RFC.

Other scenario, my machine is configured for IGMPv3, but I am getting the problem as above. Now, if I disable and then enable the interface, I see some IGMPv3 packets going out, but later I get IGMPv2 only, Why?

When interface get enables and machine is configured to use IGMPv3, it starts sending IGMPv3 packets, but as soon as an IGMPv2 query is received on the interface, it falls back to IGMPv2. Later, it’s all sending out IGMPv2 packets.

Nitin Dhawan

Windows SDK- Microsoft

Mapped drives can’t be created after Microsoft Security Update from code running under Network Service account

MS09-012: Description of the security update for Windows Service Isolation: April 2009 ( KB 956572 )

Possible scenario: You are using web application running under Network Service account and the code creates mapped drives using WNetAddConnection* APIs and fails stating ERROR_ALREADY_ASSIGNED error 85.

With this update installed on the machine, you will not be able to create mapped drive from the Network Service account. This is intentionally blocked for Network Service account.

Uninstalling the security update, Network Service account is able to create the mapped drive through WNetAddConnection* API successfully.

Verify if this is the case and options to workaround--

#1, If you have this issue, see if the update is installed on your machine. Check though Control Panel Installed Programs and updates or type “systeminfo” on command prompt.

#2, To make sure this is the issue, see if you can uninstall the update. If after uninstalling the update, if your code in Network Service is able to create the mapped drive, then security update was causing it to fail.

#3, Recommendation is, try using a different account to run the application which will make the application and security update to co-exist on the machine.

#4, else If it is not at all possible then try below registry change to revert back the changes of update in this regard.

Key-       “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager”

                                ProtectionMode              DWORD                0

Restart the machine to take it in effect.

Thanks.

Nitin Dhawan

Windows SDK - Microsoft