Monday, December 12, 2005

TANSTAAFL or TANSTAAFG

My first exposure to the term TANSTAAFL or "There ain't no such thing as a free lunch" was in Robert Heinlein's classic "The Moon is a Harsh Mistress" and again in his later, "The Cat Who Walks Through Walls". Yesterday, I had reason to recall the term - or at least its derivative "There ain't no such thing as a free game".

I had just been up removing spyware from my daughter's computer (again!), when I noticed my son playing that old classic "Elf Bowling 3" from nStorm. I started thinking about when that one came out and whether there might be newer ones available. Later that evening I went to the nStorm site to find out.

Testing Safely
Sure enough, there were two newer versions: Super Elf Bowling, and Elf Bowling Bocce Style. I downloaded them and realized they were installers. The old versions were just exe's that would run without dropping anything on your system. I was a bit put off that they wanted to actually install. So, I installed them on a clean Virtual Machine. The bocce style one wouldn't even run. I've tried it on three machines now (the VM, my son's machine, and a Windows Vista box). It just crashes on start. Nothing to see there - it's junk. The Super Elf Bowling though ran fine. Each version of the Elf has gotten to be more and more just an advertisement for buying unlocked versions of the game. They've had more and more functions not available unless you buy. This one had even more, but if you clicked continue enough times it would eventually let you play a game that was at least OK.

Installing for real
After testing this in the virtual machine, I installed it for my son. Immediately his SpySweeper (http://webroot.com) started complaining about NavExcel NavHelper. Looking up NavExcel showed that it is AdWare capable of hijacking your browser (directing you to places that are not what you typed in) and also showing popup ads. Now, I don't normally install a spyware removal tool into clean test VM's - but this showed me that I should start doing that. I'd unwittingly installed AdWare onto my son's machine! (About this particular AdWare: http://www3.ca.com/securityadvisor/pest/pest.aspx?id=453074928)

Removed and banned
Fortunately SpySweeper had actually prevented most of the NavExcel thing from installing. It cleaned the rest of it with no problem. Armed with the information from SpySweeper, we cleaned up my virtual machine manually. Who knew that nStorm had morphed from a company that produced cute, free games into a company that distributes AdWare with their new "buy me, buy me" limited games. If they don't want to send out free games anymore - hey, that's cool. But installing AdWare on people's machines is just plain wrong. nStorm is relegated to a memory: we won't be visiting the site or installing anything they produce. The upside is that now my son knows TANSTAAFL and he hasn't even read the book yet!

Sunday, November 27, 2005

Software like ET: Phone Home

I'm getting to really hate all of the software out there that wants to "phone home" (contact a server somewhere) all the time. There are levels to this of course. I think everyone can agree that they hate the crapware / foistware typically known as spyware. But how about other classes? Here's a quick, non-scientific categorization:

Programs that check for updates for their software
These would be like Quicktime, Flash Player, Adobe Acrobat Reader, etc. I think those yokels need to understand that their junky software is just a small piece of what computer users have installed and we don't want to have their little stub programs checking for updates all the damn time. In fact, if it weren't required by so many web sites and other programs we'd probably prefer not to have the software itself installed. These things annoy the heck out of me, always wanting to update themselves. Wasting my bandwidth for a purpose that just seems to be a bunch of hooey.

Programs like Microsoft's CEIP
What about the ones that do things like the Microsoft "Customer Experience Improvement Program" (or, "we watch what you click")? In the past, these tended to be opt-in, but lately some of them have been on by default. They also have a habit of not clearly disclosing what in the heck they are going to send. Are they sending my menu clicks? Are they sending my files? Who knows with most of them. Maybe the Shadow knows. One of the things I've been evangelizing with Microsoft in particular is that they should never ship one of these things unless there is a group policy setting to turn it the heck off.

Programs that are absolutely Helpless
I think the worst ones are where they try to go online to show help. For example, Microsoft Office Communicator. Seems OK, until you realize that they forgot to ship a help file and it just goes onto the internet to get help. Not cool; not by a long shot. Why should they assume I have an internet connection? I mean the software is designed to be used on an Intranet, not the internet. I've been noticing more and more programs like this - in fact in testing Windows Vista I see that the main source of help (at least the first one searched) is online. It eventually times out and shows you local help, but with a notice at the top that you are not connected and to retry. Guess what? Just try to find the policy to turn that off! So far, I can't find it. There doesn't appear to be one, although there is a per-user setting that changes it to local help only. Get with it MS: create that policy to make help local only!

Programs that "enhance" themselves online
Microsoft Office anyone? Gotta love those task panes always wanting to get content from the internet. Or what about the templates online? You like clipart? Remember when it used to come on a CD? Not anymore: it's online! Ugh!

So, is anyone else worried about all this? Do you have satellite links in your organization? Any microwave? How about lusers using dialup? Do any work in countries where the government owns the bandwidth and it doesn't matter how much you pay - you only get so much of it? As Andy Rooney would say, "Well I do." And as your friendly neighborhood GILDude says, "Give me back my bandwidth!"

Sunday, November 06, 2005

Visual Studio 2005 and Vista - Clearly a challenge

Anyone out there used Visual Studio 2005 RTM? Like it? So far I've been quite happy with it, except for an annoying little (minor) quirk where it likes to give the "green squiggly" to certain variables in "Finally" blocks.

How about on Vista? Have you tried to use VS 2005 there? Or perhaps just tried to run the compiled code on Vista? It didn't work, right? I've been fighting this annoyance with some code that I am working on that needs to work on both XP and Vista. Since Vista build 5231 is not very stable (OK, well the truth is not stable at all), I don't want to try to do the dev work on Vista. So I have been building on Windows XP, and debugging and testing on XP. Then I move the EXE over to Vista 5231 and it won't run. It turns out the runtime version of the RTM Visual Studio is v2.0.50727.42. The version on Vista build 5231 is v2.0.050727.20. So the EXE's just crash.

Not a problem, right? Just upgrade the runtime on Vista and it'll work like a champ. Not so fast... Microsoft has made the runtime part of the operating system. So the only way to upgrade it is via an OS Service Pack or patch. Nasty! So, what's a poor enterprising developer to do? Wait for a new build of Vista?

Not likely! What I've been doing is to install the RC of Visual Studio onto my Vista machines. It will run with the version of the runtime installed on 5231. Then, after coding and debugging on Windows XP, I copy the whole project over to the Vista machine and recompile it using the RC version of Visual Studio. So far I've only run into one code change I had to make in order to do that. Opening one of my projects and compiling it in the RC version gave an error on a line of code that the designer had created. The line was:

Me.lvItems.UseCompatibleStateImageBehavior = False

I was able to just rem that line out and the project worked in the RC version and could be tested on Vista.

Kind of a pain to do dev work and testing on both platforms at this point, but at least it is working for me. I can't wait for the next CTP build of Vista as it will be sure to have the RTM version of the runtime and I can quit using the compiler version shuffle to do testing.

Sunday, October 23, 2005

Death of a killer app

The headlines may soon read "Microsoft gives death sentence to killer app."

That's right: an application used by millions has been given the boot. This application is used today on Windows 98, Windows 2000, Windows XP and Windows Server 2003. Its very ability to provide services across these platforms has been part of its longstanding appeal. In recent years, Microsoft has de-emphasized it - covering up its UI in different ways. Now Windows Vista has killed it.

What is this mystery application? How did its death come about? And - more importantly - what does it mean to you? It's NetMeeting. Used by millions for that peer-to-peer meeting in an ad-hoc fashion. Used by millions of others in its more recent branding as the app hidden behind the smoke and mirrors in things like Windows Messenger, Office Communicator, and others. That's right: Do you ever hit that "share application" button in one of those tools? If so, you use NetMeeting even if you didn't know it. As for how it died, that's best left to the conspiracy theorists. However, here are a couple of reasons I've heard from various places:

  • The code was too old and broken to be easily brought forward into Windows Vista
  • It competes with a forthcoming fee-based Microsoft product and had to be dropped
  • It couldn't be retrofitted for IPv6 and the new driver model on Vista

If any of those are accurate, it's most likely a fortuitous accident. However, that's what people are saying.

More important than the why question is the "what now?" question. How are people to do any real time collaboration between say a Windows XP machine and a Vista machine? It's impossible; at least using in-box tools. If you want true peer-to-peer like NetMeeting gave you, you need to find a third-party product. Be sure to add the project costs for evaluating, selecting, purchasing, and deploying such a product into the mix for cost-justifying any planned upgrades to Windows Vista. As most people understand, putting in a new OS doesn't happen overnight (unless you have a company of 10 people in which case it just might). So the reality is that people who collaborate freely today will not be able to once one of them is "upgraded" to Vista. In fact, this feature deprecation has the potential to delay (perhaps indefinitely) the adoption of Windows Vista in many corporations.

In this case the jaded, "Where do you want to go today?" seems to be a rhetorical question. Instead, Microsoft's taking you where they want you to go - into a brave new world where you have to spend money to collaborate.

Sunday, October 09, 2005

LUA, UAP, and the restricted token

Is your token chokin'?
With Windows Vista, you now have UAP or "User Access Protection", sometimes known as PA or "Protected Admin". What does this mean in a practical sense? Well, for instance let's say you take a domain account (or a new local account) and place it in the Administrators group. With all prior versions of Windows based on Windows NT, that would be it - that user would be an Administrator when they logged on and could install all the spyware and trojan horses they wanted. When they clicked on "<SomeFamousPersons>Boobs.jpg.exe", it could do anything it wanted to the system. The least likely thing it would do is display what it sounds like it would in the title, right? Now, your account won't really BE an admin - at least not all the time.

A different style of logon
The login process now creates two tokens. The normal one that in our sample case would have granted admin rights (this one is held onto by the kernel and used when you need to elevate), and a new token - based on the standard one - that is used for UAP. This new token has the Administrators group set as a restricted group or "deny only". So if you run "whoami /groups", you'll see "BUILTIN\Administrators S-1-5-32-544 Group used for deny only" (I chopped a bit of extra text out of that to simplify it, but it's clear that the token has been restricted). If you were to then run a command prompt elevated (by right-clicking the shortcut for the command prompt and choosing "elevate"), you'd get a different token. Run the "whoami /groups" again and you'll see that you now have "BUILTIN\Administrators S-1-5-32-544 Mandatory Group, Enabled by default, Enabled Group". As you can see - a different token.

All of the whining on the newsgroups and other places on the net that reduce to "my account is supposed to be an admin, but it can't do anything" are about either bugs or design elements with UAP and the restricted token. Take for example control panel applets. By the time we see final versions of Vista, the built-in control panel applets will either prompt for elevation immediately when they are opened (if they have to; generally if all of their functions are administrative), or they will be re-factored to separate any admin-required functions from their "per user" functions and will show a lock symbol and button to "enable" the admin functions. You'll need to click the lock and either hit ConsentUI (for users who are in the Administrators group but have the restricted token; this is just a "is it OK to do admin things" dialog), or hit CredUI (this is for folks who are not admins; they can then enter alternate credentials if they have them in order to elevate).

I know today there are a huge number of scenarios where this just isn't implemented yet, or doesn't work. Many are due to "we haven't gotten to that yet", while others are just plain bugs. One of the first things I happened to encounter was when I logged on as a standard user, then needed to do some administrative work. I used my trusty method of starting a command prompt as the standard user, executing "runas /u:\ cmd.exe". When I got my new command prompt, it should have admin rights since that domain account is my admin one and is in the administrators group. When I tried to run something that was on the standard user's desktop (by CD \users\...) I got access denied! But I was an Admin! Not anymore, Vista says. My runas had activated my restricted token. Not the most usable thing; the only reason I had done the runas was to get credentials that had admin rights. This, and other scenarios are ones that we need to see fixed before Vista RTM's. Today, with UAP on, the only account that never gets a restricted token is the builtin administrator account. That one, in our environment - following best practices, is scrambled. Both the name of the account and the password are 25 random characters and nobody knows them. No escrowing them, nothing. Domain accounts are used for all admin tasks.

Come on Microsoft; step up to the plate and get these scenarios working.

Those of you who managed to get through my previous posts know that I was working on the ability of my service to be able to use WTSQueryUserToken to get the user's token so that it can execute code on behalf of the user. This works (finally). Anybody care to guess which token is retrieved in this way? The restricted one? The regular one? Well, I've tried it - and it is the restricted one. So if the user is an administrator, they won't really be until they've hit ConsentUI and agreed that your code can perform administrative tasks.
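As an added example (not code from the original post), here is a VB.Net routine that reads a token's group list the way "whoami /groups" does and reports whether BUILTIN\Administrators is enabled or marked deny only; it accepts the current process token as well as a handle from WTSQueryUserToken, so it answers the question in the paragraph above programmatically. It assumes .NET Framework 2.0 (for SecurityIdentifier) and the Win32 GetTokenInformation call via P/Invoke.

```vbnet
Imports System
Imports System.ComponentModel
Imports System.Runtime.InteropServices
Imports System.Security.Principal

' Added example, not code from the original post: reads a token's group list the way
' "whoami /groups" does and reports how BUILTIN\Administrators appears in it.
Module TokenCheck

    <DllImport("advapi32.dll", SetLastError:=True)> _
    Private Function GetTokenInformation(ByVal tokenHandle As IntPtr, ByVal infoClass As Integer, _
        ByVal info As IntPtr, ByVal infoLength As Integer, ByRef returnLength As Integer) As Boolean
    End Function

    Private Const TOKEN_GROUPS_CLASS As Integer = 2          ' TOKEN_INFORMATION_CLASS.TokenGroups
    Private Const SE_GROUP_ENABLED As Integer = &H4
    Private Const SE_GROUP_USE_FOR_DENY_ONLY As Integer = &H10
    Private Const ERROR_INSUFFICIENT_BUFFER As Integer = 122
    Private Const ADMINISTRATORS_SID As String = "S-1-5-32-544"

    Public Enum AdminState
        NotAMember   ' SID absent: a plain standard user
        DenyOnly     ' "Group used for deny only": the UAP restricted token
        Enabled      ' "Enabled group": the full (elevated) token
    End Enum

    ' Accepts the process token (WindowsIdentity.GetCurrent().Token) or a handle
    ' returned by WTSQueryUserToken. TOKEN_GROUPS is variable length, so it is
    ' walked by hand: a DWORD GroupCount, padding to pointer size, then an array
    ' of SID_AND_ATTRIBUTES (a PSID followed by a DWORD of attribute flags).
    Public Function GetAdminState(ByVal token As IntPtr) As AdminState
        Dim needed As Integer = 0
        GetTokenInformation(token, TOKEN_GROUPS_CLASS, IntPtr.Zero, 0, needed)
        If Marshal.GetLastWin32Error() <> ERROR_INSUFFICIENT_BUFFER Then
            Throw New Win32Exception(Marshal.GetLastWin32Error())
        End If
        Dim buffer As IntPtr = Marshal.AllocHGlobal(needed)
        Try
            If Not GetTokenInformation(token, TOKEN_GROUPS_CLASS, buffer, needed, needed) Then
                Throw New Win32Exception(Marshal.GetLastWin32Error())
            End If
            Dim count As Integer = Marshal.ReadInt32(buffer)
            Dim firstEntry As Integer = IntPtr.Size      ' 4 on x86, 8 on x64 (alignment padding)
            Dim entrySize As Integer = IntPtr.Size * 2   ' pointer plus padded DWORD
            Dim result As AdminState = AdminState.NotAMember
            For i As Integer = 0 To count - 1
                Dim offset As Integer = firstEntry + i * entrySize
                Dim sid As New SecurityIdentifier(Marshal.ReadIntPtr(buffer, offset))
                Dim attributes As Integer = Marshal.ReadInt32(buffer, offset + IntPtr.Size)
                If sid.Value = ADMINISTRATORS_SID Then
                    If (attributes And SE_GROUP_USE_FOR_DENY_ONLY) <> 0 Then
                        result = AdminState.DenyOnly
                    ElseIf (attributes And SE_GROUP_ENABLED) <> 0 Then
                        result = AdminState.Enabled
                    End If
                End If
            Next
            Return result
        Finally
            Marshal.FreeHGlobal(buffer)
        End Try
    End Function

    Sub Main()
        ' Same answer whoami /groups gives on the Administrators line, for this process
        Console.WriteLine("BUILTIN\Administrators: " & GetAdminState(WindowsIdentity.GetCurrent().Token).ToString())
    End Sub
End Module
```

Run it from a normal command prompt and then from an elevated one to see DenyOnly turn into Enabled; a service can call GetAdminState on the WTSQueryUserToken handle before deciding whether to prompt.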

Wednesday, September 28, 2005

OK, I C how it is...

So, it turns out that creating a service that uses RegisterServiceCtrlHandlerEx in VB.Net is in the realm of the "not really possible". It's impossible, except as a theoretical case where you re-write service base yourself. So, I had to "C" the light and just write a darn service from scratch using my arch-nemesis C.

Interestingly enough, I went ahead and started the service using the sample service provided by Microsoft in the Platform SDK. Believe it or not, that one uses the older RegisterServiceCtrlHandler too instead of the Ex version. But, it wasn't much work to update their handler routine and rip out the named pipes demo stuff and just make use of their service shell. Saved me a bit of time anyway.

Now, the interesting thing is: this thingy works. Oh, I went through the normal crash, crash, crash while I figured out how to get my pointers in a row and remembered that C doesn't initialize your variables to nulls for you (nasty bug when I was trying to strcat to a non-initialized string and kept overflowing my damn buffer just like Microsoft). That's all just due to my relative unfamiliarity with the C language itself. However, I persevered and got the damn thing running.

On the home front, I just had my new Dell (new to me anyway, I bought it in Feb 2005) crap out on me. I have 5 Dells in the house, from an old XPS-T 850 MHz P3 model to this new one and this is the first to up and crap out. I blame Maxtor. Their drives seem to be the only ones that ever fail. I bought this machine with the dual SATA drives in the mirroring or RAID 1 configuration figuring I could go a bit easier on the backups with TWO drives looking out for my important stuff. Sounded good at the time. So, the other evening we had some power lags or whatever they are - maybe brownouts is the term. This is where the lights go down a little dimmer for a second or two. We were watching a DVD and the TV and DVD player never had a problem. After 3 of these "lights down" events in 5 minutes, my wife and I went to turn off our computers. Both run through this huge (really about 60 pounds) power conditioner with a gigantic transformer and all in it. Mine then has a UPS connected to it too. So we shut them down. We left the kids machines up.

So, guess which one bit the dust? Yep, the NEW one; the one with the power conditioner AND the UPS. I boot it up in the morning and the array shows "degraded" and one of the drives shows "Error Ocurred". I let it boot, and it comes up with one drive. So I get on the Dell tech chat on another machine to get support. They want me to run diags. But I don't have the CD. So I download it. It wants to make a boot floppy. But the machine didn't come with a floppy drive. Ugh! So I made a boot CD and ran the diag only to find, yep: unrecoverable read error about 5 minutes into the read test. So Dell agrees to send a person with a replacement drive. So far so good.

Then, I figure I should boot back into Windows to take a final backup from my one good drive. I boot and now the array says "failed" and shows BOTH drives with an error. It says I can pick one to mark as "normal" and it can correct the problem. OK, I figure this one is easy: pick the one that worked a little bit ago. BBZZZZT!!! Wrong answer. Ever seen "can't find NTLDR"? Well I have! So I give it 5 minutes to cool off and boot again. Back to both drives with an error and that helpful message that it can fix this. OK, why not - I pick the other drive. Hey! It finds the boot loader! Ever seen Galaxy Quest? You know the line: "Then it exploded"... Kind of like this... NTOSKRNL.EXE is missing or corrupt. Damn! OK, so now I know. The mirroring bought me all of one extra boot - which Dell used up by making me boot into the diagnostics. I was so pissed by this time I didn't even call Dell and ask for TWO drives until the next evening.

I'm still waiting on the drives. Then it gets fun: you get to press F6 during the Windows install and have it ask for a floppy disk (in that drive that doesn't exist). Fortunately I have an inside source: a hardware god at work named Kevin that can loan me a drive to get through that idiotic thing where the F6 to add a driver ONLY recognizes a floppy disk. Hopefully in a few days I'll be back up and running...

Saturday, September 17, 2005

Winlogon and Vista - stuck in the mud again

If you've been following my trials and tribulations with the changes to Winlogon in Windows Vista you know that winlogon notification packages are no longer supported. If you haven't been following this - then get with it and read the back issues.

In my last post on this topic, I mentioned that I now had basic rights elevation (as LocalSystem) working and was going to move on to replace the winlogon notification functions. Well I hit a nice big fat stumbling block on that! It turns out that in order to register for winlogon to provide your service with notifications of changes like logons, logoffs and the like you need to register to accept SERVICE_CONTROL_SESSIONCHANGE. To do this, you call RegisterServiceCtrlHandlerEx with one of the flags having the SERVICE_ACCEPT_SESSIONCHANGE bit set. I've been doing this in Visual Basic.Net so that it can be maintained easily in the company. I've done very little work with C (only a couple of smaller projects like my original winlogon notification package and a windows password filter), so I don't really want to dig in and create a whole service using C.

It turns out that the thoughtful folks at Microsoft designed the .Net Framework to call RegisterServiceCtrlHandler instead of RegisterServiceCtrlHandlerEx. I'm going to presume this is so that it works on NT 4.0, since the Ex version is available on Windows 2000 and greater. This, like the bit about not supporting reg_expand_sz in the framework, is a killer. It means I can't find a way to get the VB.Net "Windows Service" base class "servicebase" to call the "ex" version of the API and hence I can't receive winlogon notifications. I'm waiting on a definitive answer back from Microsoft (it seems some of the folks "in the know" were off gallivanting at the PDC this past week). However it is looking more and more like I am going to have to hack this together myself in C instead of being able to rely on the .Net Framework for the plumbing stuff and just do the business logic and a few API's like you should be able to do.

This seems to be a recurring theme. The .Net Framework has all these cool classes that all almost let you do something. They tend to just fall short of the mark at actually letting you do something useful. You almost get there, then find limits. For instance, in VB.Net 2003, you can do cool owner draw menus and put an icon on them. Great! Now, try doing that with a TrayIcon. Oops! It won't work. Again, you almost get there. Anyone else have these same frustrations? Anyone else find they call Windows APIs in VB.Net darn near as frequently as they did in VB6? I know I sure do, but then again I am usually doing something like calling the security APIs which haven't really gotten much treatment at all in .Net.

Even more important: Anyone out there know how to get VB.Net to use RegisterServiceCtrlHandlerEx in a Windows Service and get access to the additional notifications? Post a comment with a sample if you do...

Monday, September 12, 2005

Spyware, Adware, and PUS oh my

Last night I was working quietly on my computer when a voice of sheer terror rang out from upstairs - "Dad, I need your help right now!!!". Not wanting to match the raw power of my daughter's screech, I calmly typed into Windows Messenger, "Please stop screeching and what is the problem?". I received back, "My stuff is all rearranged and there are extra ones. And popups". Oh, boy sounds like Spyware I thought to myself. I typed back, "OK, I will be right there."

Girding for battle, I marched resolutely up the stairs steadfast in my belief that this would be a short, satisfying encounter ending in the well deserved death of YASP (Yet Another Spyware Program). Little did I know that these vermin and the a$$holes that create them are getting a bit smarter at avoiding removal. Last year I had an outbreak that cropped up on my son's machine after he made the mistake of letting a friend visit some stupid video game "cheat" site (one of these places that lists the cheat codes you type into video games). That one took a bit of work since two of the processes kept starting each other up if you killed one - but all in all took only about 30 minutes. This one got downright nasty.

First, the machine is at Windows XP SP2, is current on patches and does have SpySweeper on it. Running Spysweeper showed about 4 pieces of software. A manual look through task mangler showed at least 10 processes that were surely spyware. A partial list: InSearch.exe, MediaAcck.exe, thin-138-1-x-x.exe, svcproc.exe, vidctrl.exe, MediaAccess.exe, command.exe, jdzryj.exe, wintask.exe, casclient.exe, gms2.exe, and a scourge called "NewDotNet_36_8.dll" that had inserted itself in as a network provider. I didn't even bother looking up all of these, but some of the names were: Surf Sidekick3, CmdService (the one that launched command.exe), Casino Client.

Not being an expert on Anti-PUS (by the way, PUS is "Potentially Unwanted Software"), I figured it would still be no problem since I am pretty damn savvy with Windows in general. I knew that some of these would have two components and re-launch themselves if killed, but I went ahead and started killing things with task mangler to see which ones were going to do that. After I found the EXE's that were re-starting, I decided to try a trick that I thought up on the spur of the moment - setting the ACL with a DENY on execute for the user ID I was logged on with and then killing the damn thing. (Please - I told you I am not an expert - don't tell me about your web site that has had this technique on it since 1999. I believe you, however it's still possible for others to discover the technique on their own, OK?). Well - that worked for some of them. One of the other ones (I think it was Surf Sidekick 3) noticed the ACL change and immediately threw out the ACL and replaced it with one that had only Everyone Full Control and of course it got launched again.

Next, I decided to clean any that I could out of the registry and reboot. I had put a deny execute on NewDotNet and several others. I cleaned out all of the registry entries from HKLM\...\Run and HKCU\...\Run, set items that were BHO's (Browser Helper Objects) to disabled and all that fun stuff. Rebooted, and presto - we were down to three things. CasClient was still there, Surf Sidekick 3 was there, and while NewDotNet was not running its absence had made AD functions not work correctly (could no longer do ACL tricks with domain accounts as the lookups would fail even though GPO and mapped drives all worked). I then ran a "netsh int ip reset" or whatever that command is that removes the network add-ins and then ran the NewDotNet uninstaller. That issue was resolved.

One of the harder ones was the command.exe program. This was setup as a service! First time for ME to see spy/ad ware that was smart enough to do this. I tried to stop or pause the service, but the sneaky ba$tard$ had coded the service such that those control codes were not valid. So I tried to terminate the program and got access denied. I then used a sneaky trick to pull up a cmd.exe prompt as local system, and used "TaskKill /f /im command.exe" to nuke it. Then used "SC.exe delete cmdservice" to remove it from the registry's service database. Deleted the file, rebooted again and that one was sent packing.

Then I had to get nasty. About then I went to find my daughter and told her that it was down to this: Either I could kill the remaining vermin with WinPE or I would re-image her machine. I stalked down to my office to get a WinPE boot CD - not defeated but now knowing that this was not going to be the short battle I had anticipated.

I booted to WinPE and deleted the offending files. "Try to start back up now, you pile of rubbish!", I exclaimed. I then mounted up the HKCU registry hive for my daughter's account and the HKLM\Software hive for her machine into the WinPE regedit. It took just a couple of more minutes to hunt down and destroy the few remaining registry entries for this stuff.

I rebooted one more time and installed the latest version of Firefox and set it as the default. I gave my daughter the instruction that she is not to use Internet Explorer to work around a page that doesn't work in FireFox without checking with me first!

Elapsed time: 2 stinking hours! All wasted on this crap. Boy, if we knew who the developers for this stuff were - it sure would be satisfying to get back at them some way.

Friday, September 09, 2005

Winlogon and Vista - seeing clearly (as clear as mud)

Awhile back I was posting on the trials and tribulations I've been going through in trying to replace the functionality of a Winlogon Notification DLL and a third party product for rights elevation. After some helpful pointers from Microsoft, I now have a minimalist version of this working. It's been painful, but instructive. The main things that were missing were that the dwFlags member of the STARTUPINFO structure was not set to STARTF_USESHOWWINDOW (all that means is 1), and that in the client piece I needed to set the "Global\" prefix specifier in front of the name of the memory mapped file I was using. In Windows XP you didn't need to do this because everything essentially ran in session 0 and hence defaulted to Global. It was only if you were doing something for terminal services that you needed to watch out for the proper use of "Global\" and "Local\" for your kernel objects (like memory mapped files).

Thanks to Eric for straightening me out on those two issues.

So far, the replacement service does a nearly adequate job of replacing the third-party rights elevation tool. I still have to incorporate a callback in the service to get notified of winlogon messages so that I can finish the functionality of the rights elevation (noticing a new user logon is important there) and add the piece that replaces the Winlogon Notification DLL. Remember, those DLL's got notified of startup, shutdown, shellstart, logon, logoff, lock, unlock, screensaverstart, screensaverstop and about 2 others. Under Windows XP, we used our custom notification dll to be able to run arbitrary code either as local system or as the end user during any of those events. (by arbitrary, I mean an administrator could make registry entries to cause code to run).

I'll post updates on how the additions to the service come as I add them.

Saturday, September 03, 2005

If there's smoke, then there's fire

OK, time to rant again...

<rant>
Does anyone else have any problem with all these people who smoke just throwing their burning cigarettes out the car window? I live in a state (California) that is able to boast one of the lowest percentages of smokers per capita in the US (which has a lower percentage per capita than many places in Europe and from what I understand all of Asia), yet I still see numerous people ignore those ubiquitous signs along the highways that say "Unlawful to throw flaming or burning objects...". It's as if these people (shall we call them inDuhviduals like Scott Adams) can't recognize that these signs are talking about cigarettes. They also ignore the signs that show that littering is a crime worthy of a $1,000 fine - in most jurisdictions more than a speeding ticket or a red light running ticket.

On my way to work (at 4:15 am) I generally see about 150 cars (tops) on my 38 mile drive. Only a few of those cars have the pleasure of being the car directly in front of me, or in the lane next to me where I can see the driver window. But, even with this small sample I see usually 2 to 3 cigarettes flung from windows every morning. On the way home - when it is light - I see the burned areas alongside the road that these inDuhviduals seem to delight in creating. I also see more of these scofflaws throwing out their unwanted stubs. Of course then, at that time that same commute is riddled with cars - just about the worst traffic in the area and we are going about 5 miles per hour - so at least I can yell at the jokers.

I also see in gas stations the way these folks seem to think it is acceptable to just open their door and dump their ash tray on the cement. I guess with the scarring of their lungs from the cancer sticks it would be too hard to walk over to the garbage can that is right next to the damn gas pump and dump their ash tray.

Any ideas on how to combat this?

  • Have a web site that we can post license plate numbers to of cars we see with people doing this? When you get reported a couple of times you get a ticket?
  • Design cars so that the windows won't roll down when there is cigarette smoke in the car?
  • Something better?
What's your favorite thing to yell at these people when you see them?


</rant>

Friday, August 26, 2005

Logon's long gone

Admittedly most people never find the need to write a Winlogon Notification DLL. However, if you were tempted to: stop. Microsoft no longer supports them in LongHorny. Yes, they had a good run beginning with Windows 2000, continuing into Windows XP and Windows 2003 server. But, like many things where Microsoft just up and decides that "those darn developers out there crash our crap too much" they've pulled the plug on Winlogon Notification DLLs. Apparently too many people didn't free their pointers or something and caused Winlogon crashes. GINAs have been pulled too, but I imagine the GINAs of the world will unite in protest - maybe even the Reginas too.

So, if you want to achieve the same results that you used to be able to get with a Winlogon Notification DLL, what's a poor developer to do? Never fear, some more difficult code is here! Instead of simply running a CreateProcess with the lpDesktop parameter of the StartupInformation structure set to "Winsta0\Default" like you could in the Notification DLL, you now have to create a service. The service must be set up to handle SERVICE_ACCEPT_SESSIONCHANGE and have a callback to get notified of logons, logoffs, etc. Now, due to some further changes in Windows, services can't easily put things on the user desktop. Simple things like what SMS does - deliver packages to the user desktop running as Local System - are now more difficult because if you just launch them on WinSta0\Default they will run on the "services" session and not on the user console.

So how do you get them onto the user desktop?
Well, to quote Microsoft: "It becomes more difficult if you want to start LocalSystem code on the user's "Default" desktop. That's actually something that we would strongly discourage because of things like shatter attacks. So if you are calling CreateProcess and specify Winsta0\Default as the desktop, that won't work as is from a service. It is still possible to do this, but as mentioned, that approach is strongly discouraged for security reasons." It's always funny to then tell them, but you sell a product called SMS that does this. Anyway, since I still need that functionality I need to write this service. Besides, isn't William Shatner getting too old to attack things anymore?

Can we get there from here?
It turns out that you need to do things like create a Security Descriptor (which is no simple task for VB.Net people like me), duplicate the token, modify the token to be associated with a different session, and then call CreateProcessAsUser using your newly minted token (no, not a fake video game token; just a fake Windows token). All this uses some of the obtuse security APIs that most people hope they never even have to read about, let alone understand. So, I've done that (read about it, don't understand it). The good news is that it doesn't crash. The bad news is that it doesn't do much of anything at all. When debugging it under Vista, it shows "True" for the result codes of all of the calls. In fact, I even get a PID back in the ProcessInformation structure after the call to CreateProcessAsUser. The only problem is that the app never starts, even though I get thread handles, process handles, PID, etc. and a true result code. Boy, this was simple before! Now it's quite complicated. I'll let you know if I ever get this working. So far this has left me wondering if a shatter attack is what happens to your monitor when you get frustrated writing code for Windows.

Saturday, August 13, 2005

AD, LDAP and the urge to merge

Lately I've been working on code (don't call it a script - this is real code) to "migrate" user profiles to a new domain as part of a merger. Both companies have large Active Directory infrastructures, but one had to be chosen as the "post merger domain". However, it isn't physically possible to re-image everyone's machine the same day and just magically have them all logging on to a new domain as soon as regulatory and stockholder approvals are done. During that interim state that comes after the approvals, but before everyone is in one happy domain - there exists a need for certain tools.

Let's say that a user from company A has a machine in domain a.company.com. He logs on to that same domain. However, after the merger he wants to log on to company B's domain - b.company.com. Put up the requisite trusts, migrate the groups and accounts with SID History and he can certainly do that, right? But - what happens to his "My Documents" folder, his application configurations and special toolbars, and most importantly of all the pictures of his kids that he uses as a screensaver? Log on to a brand new domain - you get a brand new NT profile, right? All that other stuff is MIA.

Enter profile migration. As I'm sure everyone knows, Windows NT based systems like Windows 2000 and Windows XP store pointers to your profile on disk. Browse to HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList and you'll see what I mean. Each SID shown there is the SID of a user (or system account). Under each is a "ProfileImagePath" that shows where the NTUser.dat (current user registry hive) and application settings, "my documents" etc. live. So, assuming the correct SID History migrations were done, all you need to do is get the NEW SID into the registry here and copy the info from the OLD SID over, reboot the machine and have them login with their new account. Presto! Their ugly kids are still on their desktops! The trick, when working with non-Admin accounts, is to actually GET the new SID in there and copy the data over.

First, you need to locate the NEW account. Realize that in a large merger it is very likely that you will hit at least some name collisions between the two domains, so you can't just assume that user A\username should now log on as B\username. You have to find them by SID history since their new account may be named something different. I first tried "LookupAccountSid" since it was a Windows API call that was kinda short (unlike the horrible "ConvertStringSecurityDescriptorToSecurityDescriptorW" - how's that for a verbosity monstrosity, huh?). LookupAccountSid seemed good since it is documented as being able to look up by primary SID or SID history. However, in practice - since you will need to have a trust up - it finds the old SID back in the old domain, even when you take pains to force the lookup to happen on a DC in the new domain. So, scratch that one.

Next, I thought I'd try LDAP instead. Turns out that LDAP is really only good at searching string data. So, when you have a blob type object like a SID, you have to mangle it into a strange looking string first that looks something like this: \00\05\01\EA\... To do this, pass the SID pointer to ADsEncodeBinaryData which will convert it to a "funny string" for use in an LDAP query filter. Now, you can try something like "(ldap://dc=b,dc=company,dc=com");(&(objectClass=User)(sidHistory=" & sSID & "));name,samAccountName,ADsPath;subtree" to look up that pesky primary SID from domain a.company.com in domain b.company.com. Except - you can't!

Nope, you can't make that query. Remember, the computer is in domain a.company.com, the user is logged on with their old account in a.company.com, and if you try that LDAP query against the domain that trusts yours b.company.com you get a "table does not exist" error. Thanks AD!! Thanks LDAP!! Nope, you end up having to first call DsGetDcName to find a domain controller in the other domain and send the LDAP query directly to it like this: "(ldap://somedomaincontroller.b.company.com);(&(objectClass=User)(sidHistory=" & sSID & "));name,samAccountName,ADsPath;subtree". Now, you've got the ADsPath of the user, you can use GetObject to get that user object, grab off the primary SID of the user, convert it to a string and... Whoops, you don't have Admin rights so you can't just pop that into the registry...

Now, what you have to do is ask the user for their password in the new domain and call CreateProcessWithLogonW to run your code again as the NEW user - passing in the old SID as a string on the command line. (Hopefully your user didn't run your code from a mapped drive: the reason for this is left as an exercise for the reader.) Make sure to use the proper parameters to cause a user profile to be created. This will create those entries needed under ProfileList in the registry. Now that they exist, you just update them. Meanwhile, the first copy of your program is waiting for the second new one to exit. Since you have the old SID from the command line, you simply replicate the ProfileList values from the old to the new in the registry. Then the second copy can exit. The first copy might not have rights to create the new entries, but it DOES have read access. So the first copy reads the entries to make sure that they are correct. Now it can notify the user of success, inform them that they must log on with their new account and reboot the machine.
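The parts of that lookup-and-replicate procedure that can be checked without a domain, as an added example (my own code, not the blog's): turning an "S-1-5-..." SID string into the binary form AD stores, backslash-hex escaping it the way ADsEncodeBinaryData does for a sidHistory filter, aiming the ADO command text at a specific DC, and copying ProfileList values from the old SID key to the new one. The registry is stood in for by a plain dict, the sample SIDs and paths are constructed, and the decision to leave the account-identifying "Sid" and "Guid" values uncopied is this example's own assumption (the post only says to replicate the values).

```python
# Added example, not from the original post. Assumptions: Windows SID string
# layout, ADO "<LDAP://server>;filter;attrs;scope" command text, and a dict in
# place of HKLM\...\ProfileList. Sample values below are constructed.
import struct

def sid_string_to_bytes(sid: str) -> bytes:
    """'S-1-5-21-1-2-3-1001' -> binary SID: revision (1 byte), sub-authority
    count (1 byte), 48-bit big-endian identifier authority, then each
    32-bit sub-authority little-endian."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0].upper() != "S":
        raise ValueError("not a SID string: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if not 0 <= authority < (1 << 48) or len(subs) > 15:
        raise ValueError("SID fields out of range: %r" % sid)
    raw = struct.pack("<BB", revision, len(subs)) + authority.to_bytes(6, "big")
    return raw + b"".join(struct.pack("<I", s) for s in subs)

def sid_bytes_to_string(raw: bytes) -> str:
    """Inverse of sid_string_to_bytes, for the objectSid read off the user object."""
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("truncated SID")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:])
    return "S-%d-%d%s" % (revision, authority, "".join("-%d" % s for s in subs))

def ldap_escape_binary(raw: bytes) -> str:
    """Backslash-hex each byte: the 'funny string' ADsEncodeBinaryData returns,
    which is also the RFC 4515 escaping a filter needs for binary values."""
    return "".join("\\%02X" % b for b in raw)

def sid_history_filter(old_sid: str) -> str:
    """Filter that finds the NEW account carrying the old SID in sidHistory."""
    return "(&(objectClass=User)(sidHistory=%s))" % ldap_escape_binary(sid_string_to_bytes(old_sid))

def ado_command(domain_controller: str, old_sid: str) -> str:
    """ADO command text sent straight to a DC in the new domain (the post explains
    why naming the domain instead of a DC fails from the old domain)."""
    return "<LDAP://%s>;%s;name,samAccountName,ADsPath;subtree" % (
        domain_controller, sid_history_filter(old_sid))

# Values that identify the account itself; this example's choice not to copy them.
DO_NOT_COPY = {"Sid", "Guid"}

def replicate_profile_list(profile_list: dict, old_sid: str, new_sid: str) -> dict:
    """Copy values under ProfileList\\<old SID> into ProfileList\\<new SID>.
    profile_list models the key as {sid: {value_name: data}}. The new key must
    already exist (the second copy, running as the new user with profile
    creation, makes it). Returns a new dict; the input is left untouched."""
    if old_sid not in profile_list:
        raise KeyError("no ProfileList entry for old SID %s" % old_sid)
    if new_sid not in profile_list:
        raise KeyError("new SID %s has no ProfileList entry yet; create the profile first" % new_sid)
    updated = {k: dict(v) for k, v in profile_list.items()}
    for name, data in profile_list[old_sid].items():
        if name not in DO_NOT_COPY:
            updated[new_sid][name] = data
    return updated

def profile_entries_match(profile_list: dict, old_sid: str, new_sid: str) -> bool:
    """What the first (unprivileged, read-only) copy does after the second exits:
    confirm every copied value under the new SID equals the old one."""
    old = profile_list.get(old_sid, {})
    new = profile_list.get(new_sid, {})
    return all(new.get(n) == d for n, d in old.items() if n not in DO_NOT_COPY)

if __name__ == "__main__":
    OLD = "S-1-5-21-1-2-3-1001"      # constructed, not a real domain SID
    NEW = "S-1-5-21-9-8-7-5005"      # constructed
    print(ado_command("somedomaincontroller.b.company.com", OLD))
    reg = {OLD: {"ProfileImagePath": r"C:\Documents and Settings\jdoe", "Flags": 0,
                 "State": 256, "Sid": sid_string_to_bytes(OLD)},
           NEW: {"ProfileImagePath": r"C:\Documents and Settings\jdoe.B", "Flags": 0,
                 "State": 0, "Sid": sid_string_to_bytes(NEW)}}
    reg = replicate_profile_list(reg, OLD, NEW)
    assert profile_entries_match(reg, OLD, NEW)
    print("new account now points at", reg[NEW]["ProfileImagePath"])
```

Running it prints the command text with the 28-byte escaped SID and shows the new SID's ProfileImagePath pointing at the old profile directory, which is the whole point of the exercise: the new account loads the old NTUser.dat and documents.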

The user logs on with their new account, sees their ugly kids on their desktop and all is right with their world. They never knew the work that their friendly neighborhood geek had to go through to make this stuff work. They probably think the feature was built into Windows.

Saturday, August 06, 2005

The slide show that wouldn't quit

I'm just back from the event with Microsoft in Redmond that we have been asked not to blog about. So I certainly won't blog about the content of those sessions; that stuff is still NDA. However, I can certainly talk about how the sessions themselves went. I was pretty excited after the first day of seeing the unmentionable product. There were a lot of PowerPoint slides, but there was also some live demo. The live demo goes a long way towards proving that there is actually some code written and a product will exist soon (the demos hardly ever crashed).

By the end of the second day, I was beginning to suffer from that oft-endured PowerPoint poisoning. Yes, that state you get into where there have just been too many slides and you stop paying attention to them at all. By the third day, it got worse and I was thinking, "Just give me the bits and stop with these presentations; I'll test the thing myself." (OK, so I had to skip out on the last two sessions - I have a feeling I would have left those ones saying "Just kill me".)

It's funny how the PowerPoint poisoning was made worse by an internal Microsoft competition. They were competing to see who could make the best "PowerPoint animation" (I don't think I even heard them say "The best use of a PowerPoint animation"). Now this thing was multi-track with up to 5 sessions going at once. I could only attend one at a time, so can't pretend to judge them all. But the animations made me think of that scene in the movie Galaxy Quest where "Crewman number 6" (Guy) asks the characters "Have you ever watched the show?". I was thinking of these MS PM's - "Have you ever used PowerPoint animations?" I mean most were rudimentary. The way they were plugging each one we needed to have someone with a buzzer and have Tommy Lee Jones (Men in Black II) come out and say "This one's an example of 'Go home and do it again'." Anyway, they were "Not Guud" (as Jim Carrey would say in Bruce Almighty).

Now that I have begun to recover from the PowerPoint poisoning I have begun getting very excited to get hold of the product that was being shown. I think it must have been the Kool-Aid. I had heard you weren't supposed to drink it...

By the way, thanks to some Microsoft folks who made the trip quite interesting (in no particular order): Sloan, Tony, Nick, David, Iuliana, Ronna, Dan, Maria, Joe. Thanks - you guys rock.

Wednesday, August 03, 2005

The View from afar

I've been attending a session at Microsoft this week that the attendees have been asked not to blog about. So I won't. However, there have been some discussions with other attendees that have nothing to do with the actual sessions that aren't covered by the prohibition against comment. So those are fair game.

Yesterday, I got the chance to catch up with an influential IT person from a really large company and chat about Vista. He was concerned that there really weren't enough business drivers for moving his machines over to Vista. We talked about the important fixed features like the improved cache manager / offline files that brings all documents that you open on the network local and manipulates them on your local drive (a big win for slower links), the desktop composition engine and the ability to run applications at different apparent resolutions, etc. However, at this point there still isn't enough Vista "there" for him to be convinced. Not being an MS evangelist (at least not being paid to be), I was pretty much done. We talked about Vista being the right answer for new hardware purchased in 2007, but that was as far as he'd go.

Sounds to me like MS needs to pump up the marketing machine and make any wins that are there in the product more obvious to IT managers and CIO's. If they don't, there will be a hard sell getting senior management to approve upgrading.

Sunday, July 31, 2005

LUA LUA, oh baby - you've got to grow

As I mentioned, I've been playing with the OS formerly known as Longhorn. One of the key deliverables this time around is that it is now supposed to be actually possible to run as a "User" or in LUA (Least-privileged User Access or Limited User Account depending on who you talk to) mode. With LUA, apparently we won't all laugh when MS publishes a security bulletin claiming that if we were running as a limited user, we would not be vulnerable to a certain issue. Today we all do laugh as next to nobody actually runs as a LUA user (outside of kiosks and the like) because nothing works correctly.

So, as part of the testing I tried to change the Time Zone. Nope, NADA, not gonna do it. Since the TIME can be security critical, but the Time Zone itself CANNOT (on NTFS, file time stamps are stored as GMT and the display in explorer adds offsets for the current time zone, also Kerberos uses GMT and ignores time zone offsets) it should be something that a LUA user can change. After all, when they travel from the US to Kazakhstan their appointments in Outlook should show in local time - not 12 hours off from local time. So changing the Time Zone is a fairly critical operation for people who globe-trot.

Lest you ask - I did go through the policy settings and found that although there is a setting to allow either just Administrators or Administrators and Power Users to change the system time - there is nothing about the time zone and lowly LUA folks.

Come on MS - let's not screw this up yet again. We really do WANT to run as LUA users. Let us do it this time.

Friday, July 29, 2005

The Horn of Plenty?

Recently (like most of the rest of the IT universe) I've been playing with Windows Vista™ Beta 1 build 5112. The OS formerly known as LongTime, ah, I mean LongHorny, er make that Longhorn. Actually, they might as well have kept the name since IT geeks like me keep working with it until the cows come home.

A couple of cohorts and I have tried it on about 7 different hardware types so far. We've seen a couple of blue screens, some installs of various programs that make Vista reboot over and over, some annoyingly large icons on the desktop (that are nigh impossible to shrink down to regular old 32x32 size) and a virtual plethora (yes, that's for you Steph - think I wasn't paying attention to your presentation? Call my picture stuffy and get razzed, right?) of other issues both minor and major.

So far the biggest let down has just been the lack of features. You name it and feature X is shipping in the "Beta 2 timeframe". That and I think I'd kill for a working VPN client about now. Oh, and maybe some Anti-Virus that works - right, that would be good.

So I brought a notebook home running Beta1 to show off (damn, I'm a geek) and my wife and kids got that "oh, no, here he goes again" expression on their faces and came up with any excuse to get the heck away from me and the shiny new OS. You know, the "I have to take the garbage out", or the "I had better go do my homework." Is it just me, or could it have been the large icons that scared them off?

So - good experiences with Beta1? Bad ones? I'll be reading about them and publishing more of the things I run across here.

Tuesday, July 26, 2005

Do you see OWC?

From the rant of week dept...

Recently we've been pushing sites on our network to hurry up and deploy Office 2003 already. Our original image was built with Office XP and we have had the 2003 version available for the users to install for almost a year. It won't be mandatory until later this year due to corporate politics. However, one of the fun things we've been encountering is the lack of consistency provided by Microsoft in their OWC or "Office Web Components". Office XP shipped with "OWC10" which has a unique CLSID and does not have a version independent ProgID. Now Office 2003 Standard comes with OWC11, and Office 2003 Pro - mostly because the MS Access team couldn't get their act together - comes with OWC10 and OWC11. Guess what? OWC11 has a new CLSID and still has no version independent ProgID. So to instantiate them, you have to use the actual CLSID. It's created a problem for those folks who actually used the Office Web Components to do spreadsheet type things on their web sites. They end up having to change their code on their production sites to do an instantiation of the CLSID for OWC11, then check the object to see if it is == Nothing. If it is, try an instantiation of OWC10 instead. Seems a bit silly - and unfortunately the people who built the pages are never around anymore so maintenance can be iffy.

Why Microsoft, why? Why can't you create version independent ProgID's for these things like you do for, say, Excel? It's almost like the OWC team likes to physically hurt their customers (similar to Dilbert's boss). Couldn't those folks have just gone into dentistry or something and let people who actually like customers write the OWC code?

Sunday, July 24, 2005

Virtual History...


Well everyone is talking about the supposed "Google Maps killer" Microsoft Virtual Earth. As many people know, it was up for several hours to test the production servers and is coming back Monday. I took a few moments to check it out, and came away with a sense that it is really more like virtual history; at least in the satellite imagery department. This is due to the obvious age of many of the satellite (or aerial) images available. As many noted, this seems endemic to the service and not just to one or more particular areas. However for my own home region it is at a minimum 10 years out of date (and in black and white or greyscale) while the analogous Google satellite image (same approximate size and exact same region) is in color and seems to be from about 18 months ago. A couple of schools, a Wal-Mart, an Orchard Supply, a Water-Park are just a few of the things missing from the Microsoft Virtual Earth satellite image.

Earth to Microsoft: It's all about the data dummy! You can stick a great UI, perfect UX, etc. onto the thing - but at the end of the day you need to have great data or nobody will use you a great deal. Hopefully that's something they'll get right soon. Although for now I can enjoy seeing my home region as it looked in days gone by...

Saturday, July 23, 2005

While on the ranting path...

Our company set up a deal with some people that provide little clip-on pedometers (with our company name on them) and a web site that allows you to track your steps as miles on one of several famous paths. You go to the web site to sign up for the free deal and they send you your unit. So far, so good.

One of the first things you are supposed to do is calibrate your pedometer to your "steps". Now, one of my friends at work went into a whole spiel about how the mile came from the Roman military where 1,000 steps was a "mil" which became a mile. Pretty cool, and neat to learn some history as part of this. He mentioned that the way they counted was each time their right foot came down was 1. Great. So I look through the manual that is telling us to set the thing to low sensitivity and then take 100 steps and see what it says. If it is saying something too low, up the sensitivity. OK, fine. Not hard. But first, how about if you define a step? Turns out that I couldn't find out from their manual OR their web site what the heck a step is (each time you put a foot down or each time the right foot comes down like those Romans). So I finally find on their web site - not the definition of a step - but a statement that 2,000 steps is roughly a mile. OK - so now I know - I have it set wrong because it is counting like them pesky Romans. My friend had his set that way all weekend. We had to re-calibrate the things (again not hard).

But --- how hard could it have been to put in that darn manual or even on that web site what the heck they counted as a step? Come on, that's pretty lame.

So, anyway the family and I took a nice walk this morning before it got hot (It's 106 now) and I got in 11,147 steps. Measured the way the web site people want it.

Update: OK today the thing started counting about twice the steps it should have and I had to change the calibration again. It is still clipped onto the same shorts in the same spot as it was yesterday - but apparently that isn't good enough. Seems these units aren't very good at counting steps...

There oughta be a Law...

<rant>

So what is it with these non-techie internet users anyway? And the companies that "provision" them (set them up to be pwned)? I've gotten tired of hearing from people that take their corporate notebook or corporate home machine (you know, the one the team I am on worked hard on creating a solid image for), and try to load PPPoE or some lame ass cable company software on it. Fortunately most of them fail as they aren't administrators. Some folks however have gotten admin rights and screwed up their machines royally loading this crap.

Then comes the really unpardonable part - the installer hooks them up on the raw naked internet. No firewall, no NAT router, just "we like SPAM and you'll be sending it in 10 minutes". Sometimes the user does this hookup themselves. Don't these people realize that this is dangerous? How many of those same folks would leave their car parked and unlocked at night in an inner city? Why haven't they "gotten" it yet that you have to treat the internet the same way?

I mean come on - a basic Linksys or Netgear type NAT router is what, $39? Is there some reason the installer doesn't bring one with them? Or build NAT into the darn cable/DSL modem? If the user does install a firewall and the ISP's service in the area goes down - what happens? The user calls some tech support script-reading drone in some other country who tells them they have to disable their firewall and anti-virus.

Let's examine a few other things people want to do:
  • If you want to drive a car in most places, you take a written test and an actual driving test so that they can confirm that you actually do know you aren't supposed to speed up and go through red lights, cut other cars off, get drunk and drive, etc. Flunk the test, no drivers license.
  • If you want to operate a HAM radio, you take a written test, and... - hey seems to be a theme here - you need a license for this stuff and you have to be tested to get one.
  • If you want to be an internet user, you get out your wallet and give some money to an ISP. Wait a minute? That's IT? Where's the mandatory testing?
The problem becomes more clear. We let people (synonym Idiots or as Scott Adams says "InDuhviduals") connect up and start surfing with no actual knowledge of correct or safe behaviors.

Any takers? There oughta be a law...

</rant>

Friday, July 22, 2005

RSS Bandit

I'd been using SharpReader for quite some time for RSS feeds and had been pretty happy with it. I had just "stumbled" into it when reading about MSDN RSS Feeds. SharpReader was the first one on the list, so it had to be the best, right? Well today my buddy at work Josh pointed out RSS Bandit. It seems to be a more friendly UI and the way it hosts the browser in its own tabs "holds" the UX together better than SharpReader does. If you've been using SharpReader, you may want to give RSS Bandit a try.

Testing the System

OK, I just wanted to see if I was able to email in a blog post. It is supposed to work - but who knows: I might have set the thing up incorrectly. We will see if it works.

What's in a name?

It's hard to believe after a couple of years of "Windows Longhorn" and "...in the Longhorn timeframe" that it is now Windows Vista. We're already seeing all the jokes about "Hasta la Vista" and how one of the meanings of Vista - "A distant view or prospect" means it will be even later than expected.

It'll take some getting used to - I seem to remember that Windows XP seemed like a really stupid name too when that first came out. Of course at that time, Windows XP was a lot closer to shipping when it changed from "Whistler" to "Windows XP". Names like that just make you think that Marketing (for most companies, not just Microsoft) has a two drink minimum.