Thursday, December 31, 2015

Inspecting Windows Updates

If you're curious or paranoid, you might want to know what files a certain Windows update contains. Every Windows update has a KB article number, and that article - publicly accessible online (support.microsoft.com/kb/number) - contains a list of affected files. Sometimes this list is in the article itself as a table; sometimes it's downloadable in CSV form.

If you're extra paranoid, you can download the MSU (standalone update package) from the KB article. Use wusa to expand it, like so:

wusa C:\full\path\to\update.msu /extract:C:\path\to\destfolder

That folder will then contain an XML document listing the CAB packages to install as well as an install order text file if the update runs commands directly. You can extract the CAB files with WinRAR or the expand utility. Inside each of those is one XML document listing the affected files (usually inside WinSxS); many files have a manifest that does things like creating hardlinks or shortcuts.

This post was adapted from an answer I wrote on Super User.

Wednesday, December 30, 2015

Application-Authenticated Databases

I discovered today that Sybase SQL Anywhere has a feature that attempts to authenticate applications. It appears that "OEM Authenticated Edition" is designed to be shipped as a component of other products. If you're only reading from the database (as I was for a long time), you won't notice anything special. 

The "authenticated" part comes into play when clients attempt to write to the database. Writes fail with an "authentication violation" unless a connection variable has been set that identifies the client program. The command to authenticate looks like this:

set temporary option connection_authentication='Company=companyname;Application=applicationname;Signature=hexstring'

Once the right authentication string is sent, writes are enabled. Interestingly enough, writes are always allowed in the first 30 seconds of the connection, a kind of grace period. Since I didn't know about this initially, I was very confused as to why some writes would work and then the rest would fail.

Now, you might think that this is a security feature, but it's basically completely pointless in that role. No connection can be established to the database without a username and password, and in most cases read access is plenty. The authentication string is constant for each application and can't be easily changed, so once it's extracted from a client program (or from the network), other applications can just send the right string and be on their merry way. I believe this feature is actually designed to combat piracy, making it a little more difficult to use a database that came as part of a certain application as a generic database server.

Tuesday, December 29, 2015

Checking what program owns a handle

It may, from time to time, be useful to determine what program has a handle to a certain resource open. The most well-known type of handle is a file handle, but there can be handles to all manner of objects, like registry keys, desktops, and processes.

Process Explorer has a pane in its window specifically for handles, but you have to enable it by checking Show Lower Pane under View and making sure that Lower Pane View is set to Handles. Clicking on a process running under a security context you have access to produces a list of handles that process has open. You can search for a handle by using Find Handle or DLL under Find; it will search the Name column of the handles pane, so you can search for files, processes, or anything that has a unique name.

Aside: Process handles are interesting because a process won't vanish from Task Manager until [1] it exits/terminates and [2] all handles to it and its threads are closed. Therefore, it's possible for programs to keep the corpse of a dead process around by leaking/holding handles to the process object.

Monday, December 28, 2015

SMS web service that allows polling for replies

I have no affiliation with any of the companies mentioned here.

I have recently become interested in sending and receiving SMS messages from .NET applications. I looked at several SMS services, including the ever-popular Twilio. It looked good, but there was one problem: incoming messages are only accessible by registering a URL that Twilio will make a web request to upon receipt. That's a showstopper for me because I really don't want to fiddle around with web applications or try to get my application to talk to an ASP.NET server.

Several searches later, I found ClickSend, which does exactly what I want. They allow me to poll their website, which results in an XML document containing replies that I haven't seen yet. Perfect.

Sunday, December 27, 2015

Application Compatibility Toolkit: Fixing other people's mistakes

While doing research for a Super User answer, I reminded myself of the existence of the Application Compatibility Toolkit. The ACT is highly interesting in that it exists only because software developers wrote buggy code that worked by chance at one point but then broke in a later version of Windows. It's not intended to be used by normal users, but it doesn't hurt to have a little knowledge about the ACT.

Some Compatibility Fixes in the Compatibility Administrator
Perhaps the most interesting part of the ACT is the Compatibility Administrator, which is used to apply fixes to programs. If you look in the "Compatibility Fixes" entry in the left pane, you'll see a big list of fixes that Microsoft has developed to address common issues. Under Applications, you'll see a surprisingly massive list of buggy programs and the fixes Microsoft applied to them. I noticed a couple of well-respected programs that I have personally used.

You can apply fixes (or compatibility modes, which are groups of fixes) to arbitrary applications by adding entries to a custom database. Once you're done, you can install it on the machine and/or save it for use on other computers.

Saturday, December 26, 2015

JPG Surprise: Rotation might not be real

Today I was working with a Micca M703, a digital picture frame that does slideshows from JPG files on flash drives. It gave me some problems with image rotation; some images displayed sideways on the Micca but correctly on my computer. Research indicated that the Micca doesn't do any auto-rotation to fit the screen, so I was quite confused.

It turns out that when I rotated the images on my computer (using the convenient context menu items Windows provides for pictures), the image data wasn't transformed, but some bit was set somewhere that causes well-behaved programs to treat the image as if it had actually been rearranged. The Micca doesn't, apparently, respect that option.

So, I had to open each such picture and resave it with Paint.NET to actually rotate the image in its data.

Friday, December 25, 2015

Abiathar Christmas 2015

Merry Christmas!

During December 25, 2015 (my time), Abiathar's "empty workspace" background image will be this:

The Abiathar background, but in red and green

Thursday, December 24, 2015

Solving the runas.exe mystery

Last time, I presented a strange problem I was having with runas.exe. I believe I have found the answer:

"Run as different user" sets the startup directory of the new process to the directory that contains the executable. runas.exe, however, always sets the startup directory to System32.

The unexpected current directory confused the program in question, which explains why only "Run as different user" worked. In fact, runas.exe requires a fully-qualified path if the target program is not on the system path, even if launched from the directory containing the EXE.

Wednesday, December 23, 2015

Runas.exe not working? "Run as different user" might

I am currently experiencing a strange phenomenon. I'm trying to use runas.exe to run a certain program as a domain user while logged in as a local user on a domain-joined machine. The application launches, but it misbehaves in an unusual fashion. (It wouldn't launch at all if run as a local user.) However - here's the strange part - it works just fine if I Shift+right-click it and use "Run as different user."

Currently, I'm researching/investigating the difference between runas.exe and that option; the best leads I have at the moment are the /env and /profile (or /noprofile) switches for runas.

I guess what I've learned so far is that "Run as different user" might work if runas.exe doesn't.

Updated 12/24/2015: I solved the mystery.

Tuesday, December 22, 2015

Forcing Domain Workstations to Show Local Users on the Sign-in Screen

Your domain users may find it necessary to log back into a local account. This is simple enough with the .\ trick (prefixing a username with that in the Windows logon UI makes Windows look for a local account instead of one from the domain), but your users might be confused or just inconvenienced by typing weird characters in the username field, or they might not remember their username (especially if it was created as a Microsoft account).

There is a Group Policy setting that can help with this. It's called "Enumerate local users on domain-joined computers" in Logon under System in the Computer Configuration's Administrative Templates. Enable that, and the logon UI will display all local user accounts.

Note that this only works for Windows 8 and above.

Monday, December 21, 2015

Testing for membership in a certain domain in Windows batch script

If you want to test for the current user's membership in a certain domain in a Windows batch script, the whoami utility has you covered. Pipe it into findstr /i "domainname\\" to test whether the output includes your domain's name. The double backslash is there to represent a single backslash (escaping), the one that separates the domain component from the username component.

findstr sets the errorlevel to 1 if the string is not found or to 0 if it is. So, you can use an if statement to act on the domain membership or lack thereof:

whoami | findstr /i "kingdom\\"
if errorlevel 1 (
 REM do some non-domain business
) else (
 REM do some domain business
)

Sunday, December 20, 2015

Icon Impersonation

Some software companies give their programs an icon in the style of more popular software suites. I have on my desktop at the moment a program that tries to look like part of the Office 2013 suite.

The problem? Such false icon associations might initially make the user feel good ("oh, I know how to use Word, I can do this too!"), but the user will soon be confused, disappointed, and upset when the program fails to adhere to all the UI patterns of the suite it's imitating. Also, experienced users will just think it's silly.

The moral? Develop your own look, and do your best to have an intuitive interface that won't leave the user disillusioned when it is discovered that you're not really part of what you're impersonating.

Thursday, December 17, 2015

Windows 8 Surprise: Domain Membership Disables PIN Login

If you join a Windows 8 machine to a domain, you'll notice that you lose the ability to sign in with a four-digit PIN. If you want to re-enable PIN login, you'll need to enable a Group Policy setting:

Computer Configuration\Administrative Templates\System\Logon\Turn on PIN sign-in

There is a good reason, however, for not allowing PINs. Even if you log in with a PIN, the domain controller needs your full password to let you touch domain services. So, the machine on which you configured the PIN has to store your password and give it to the domain controller when you log in with a PIN.

Since the local system needs access to the password (because you don't enter it), it has to keep it unhashed, using reversible encryption. An attacker with physical access to the machine could find the encrypted password and decrypt it with the machine's key, which also has to be stored somewhere. There are only ten thousand possible PINs, so offline cracking of the password would not be hard. It is generally considered A Bad Thing for access to a single workstation to grant access to a domain secret.

You might not want to allow PIN sign-in for your domain.

Wednesday, December 16, 2015

Netstat Surprise: Process Headers are Footers

Sometimes I need to examine the list of network connections/listeners and what process created them. For that, I generally use netstat -bna because the netstat utility is guaranteed to be on every modern Windows machine. However, the output format recently caused me a good deal of confusion and some lost time.

See, the utility prints the name of the owning process on the line after all the connections it owns. I would expect those headers to be, well, headers, but no no, they are footers. I suppose I should have seen this - it's reasonably intuitable if you check the top or bottom of the list - but in my defense, I was dealing with a massive number of connections, so I had to Ctrl+C the program so as to not scroll the interesting ones out of the console buffer.

It would make more sense, in my opinion, for these markers to actually be headers.
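An added Python example (mine, not the post's) that turns those footers back into headers: it parses constructed netstat -bna output, attributing each connection to the bracketed process name printed after it, and handles the "Can not obtain ownership information" line as well as a listing cut short with Ctrl+C, whose last connections never get a footer.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed `netstat -bna` output (made up for this example, not a real capture).
# The bracketed owner is printed AFTER its connections; a service name (RpcSs) may sit
# in between, and "Can not obtain ownership information" replaces the owner for some
# processes. The last connection has no footer, as when the listing is cut off with Ctrl+C.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  RpcSs
 [svchost.exe]
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
 Can not obtain ownership information
  TCP    192.168.1.20:49712     203.0.113.8:443        ESTABLISHED
  TCP    192.168.1.20:49713     203.0.113.8:443        ESTABLISHED
 [chrome.exe]
  UDP    0.0.0.0:5353           *:*
 [chrome.exe]
  TCP    192.168.1.20:49800     198.51.100.4:22        ESTABLISHED
"""

CONN_RE = re.compile(r"^\s*((?:TCP|UDP)(?:v6)?)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")
OWNER_RE = re.compile(r"^\s*\[(.+?)\]\s*$")
NO_OWNER_TEXT = "Can not obtain ownership information"


@dataclass
class Connection:
    proto: str
    local: str
    remote: str
    state: str
    owner: Optional[str] = None      # executable from the bracketed footer, if any
    component: Optional[str] = None  # service/DLL names printed before the footer


def parse_netstat_b(text: str) -> List[Connection]:
    """Attach each connection to the process name that netstat prints *below* it."""
    result: List[Connection] = []
    pending: List[Connection] = []   # connections still waiting for their footer
    components: List[str] = []

    def flush(owner: Optional[str]) -> None:
        comp = ", ".join(components) if components else None
        for conn in pending:
            conn.owner, conn.component = owner, comp
        result.extend(pending)
        pending.clear()
        components.clear()

    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith(("Active Connections", "Proto")):
            continue
        m = CONN_RE.match(line)
        if m:
            pending.append(Connection(m.group(1), m.group(2), m.group(3), m.group(4) or ""))
            continue
        m = OWNER_RE.match(line)
        if m:
            flush(m.group(1))
        elif stripped == NO_OWNER_TEXT:
            flush(None)
        elif pending:
            components.append(stripped)   # e.g. "RpcSs" before "[svchost.exe]"
    flush(None)   # anything left never got its footer: the listing was truncated
    return result


def connections_by_owner(conns: List[Connection]) -> Dict[str, List[str]]:
    """Regroup so the process name comes first, the way the post wishes netstat printed it."""
    groups: Dict[str, List[str]] = {}
    for c in conns:
        groups.setdefault(c.owner or "<unknown>", []).append(f"{c.proto} {c.local} -> {c.remote}")
    return groups
```

Connections under "<unknown>" are the ones netstat could not attribute or never got to print a footer for, which is exactly the set worth re-running netstat for.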

Tuesday, December 15, 2015

Using Windows EFS with the SYSTEM Account

Recently I found myself wanting to encrypt files that would be used by a service running as SYSTEM. I didn't want to use BitLocker on the drive, so the Encrypting File System (EFS) seemed like the easiest option.

The first order of business was to get an EFS certificate for the machine account. There's probably a fancy way to do this if you have a domain, but I just fired up a SYSTEM command prompt with psexec /s /i cmd.exe. In that prompt, I ran cipher /e /s:folder, with "folder" replaced with the name of the directory containing all the files that needed encryption. That generated an EFS certificate and key for the computer account and then encrypted the directory and its files.

If you're curious, you can examine the machine's certificate store by running certlm.msc. EFS certificates (for all enrolled users) appear under Trusted People. A certificate's thumbprint can be retrieved by opening its properties and looking at the Details tab.

EFS certificates in certlm.msc

Then, I needed to grant some users access to the encrypted data. That's rather simple if you have a domain; you can use cipher /adduser /user:domain\username /s:folder. If you don't, you'll need to retrieve the certificate thumbprint for the user. In that case, the command is cipher /adduser /certhash:thumbprint /s:folder. If you copy the thumbprint from the certificate management MMC window, you'll need to remove the spaces from between the hexadecimalized bytes.

Now system services can access encrypted files and selected standard users can touch them too.

Monday, December 14, 2015

URLs Are More Than Strings

Every so often, I see a program that assumes one page/site is represented by exactly one URL. That's not right because of things like extra slashes and percent-sign escape characters. Now, it's perhaps unreasonable to expect every application to condense URLs into some standard form (and avoid breaking them in the process), but I just noticed this in Blogger's statistics page:


What's up with those two Google entries? One has a trailing slash, one doesn't. If I direly needed to analyze my traffic sources, this would make it a bit more complicated. URLs are more than strings; they are the string representation of pages.
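As an added illustration (mine, not part of the post), here is a Python normalizer that folds such variants of one page into a single key before counting. It treats a different query string or a non-default port as a different page, and deliberately leaves reserved escapes like %2F encoded, since decoding them would change the URL's meaning. The referrer list is constructed.

```python
import re
from collections import Counter
from typing import Dict, Iterable
from urllib.parse import urlsplit, urlunsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
# RFC 3986 "unreserved" characters: these never need to be percent-encoded.
UNRESERVED = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~")

# Constructed referrer list, shaped like the stats page: the same page shows up under
# several spellings (trailing slash, upper case, default port, fragment, %7E for ~).
SAMPLE_SOURCES = [
    "https://www.google.com/",
    "https://www.google.com",
    "HTTPS://WWW.Google.com:443/#top",
    "http://example.com/path%7Eme/",
    "http://example.com/path~me",
    "http://example.com//path~me/?q=a%2fb",   # different query: a different page
    "http://example.com:8080/path~me",        # non-default port: a different server
]


def normalize_escapes(s: str) -> str:
    """Decode %XX only where it hides an unreserved character (%7E -> ~). Reserved
    ones such as %2F stay encoded, because decoding them would change the path; their
    hex digits are upper-cased so that %2f and %2F compare equal."""
    def repl(m):
        ch = chr(int(m.group(1), 16))
        return ch if ch in UNRESERVED else "%" + m.group(1).upper()
    return re.sub(r"%([0-9A-Fa-f]{2})", repl, s)


def normalize_url(url: str) -> str:
    """Canonical form under which the variants of one page compare equal."""
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()       # any user:pass@ in the URL is dropped
    netloc = host
    if parts.port is not None and parts.port != DEFAULT_PORTS.get(scheme):
        netloc = f"{host}:{parts.port}"
    path = re.sub(r"/{2,}", "/", normalize_escapes(parts.path)) or "/"
    if len(path) > 1 and path.endswith("/"):
        path = path[:-1]                        # count /foo/ and /foo as one page
    query = normalize_escapes(parts.query)
    return urlunsplit((scheme, netloc, path, query, ""))   # fragments never reach a server


def group_sources(urls: Iterable[str]) -> Dict[str, int]:
    """Referrer counts by canonical URL: what the stats page would show if it normalized."""
    return dict(Counter(normalize_url(u) for u in urls))


if __name__ == "__main__":
    for url, count in sorted(group_sources(SAMPLE_SOURCES).items()):
        print(f"{count:3d}  {url}")
```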

Sunday, December 13, 2015

IPsec Surprise: Endpoint IP Required

I recently set up an IPsec environment (specifically, server isolation) on Windows Server 2012 R2, and had a hard time getting clients to talk to the server. The last problem I had to solve involved the endpoint configuration in the Connection Security Rules. Initially, I had set both endpoints to be any address, thinking that the port and protocol rules would make the rule apply to what I wanted. Making Endpoint 1 be the machine running the isolated service made the connections work.

This may or may not be a bug/surprise in Windows Server, but it looks like it fixed my problem. At least it's another thing to try if you're having IPsec issues.

Saturday, December 12, 2015

Transferring Profiles to New Accounts with Windows Easy Transfer

Or, "Windows 10 Easy Transfer: Missing in Action."

Today I found myself needing to move a Windows profile to a new account on the same machine. That is, I wanted a new domain user account to have the same stuff (documents, settings, etc.) as an existing non-domain user. Some Internet searching turned up Windows Easy Transfer, a utility that comes with Windows 7 and is usually used for moving files to new computers.

First, you'll need to log into the machine with the new account so it has a profile. Then, switch to any account that is a local administrator, and open Windows Easy Transfer.

On startup, Windows Easy Transfer lets you choose your transfer medium - Easy Transfer cable, network, or external drive. The external drive option actually lets you store the MIG (migration) file anywhere, including the current drive. To start out, tell Windows Easy Transfer that the machine is the "old" computer. Select just the profile that needs to be transferred. There's not much purpose in securing the MIG with a password, so you can skip that. The program will write that profile's documents and settings to the MIG file.

Close Windows Easy Transfer, then open it again. This time, tell it you're on the "new" computer. Open the MIG. The trick in cross-account profile transferring is to press the "Advanced settings" link, which lets you change the account mapping. Map the old account to the new account, and start the process. Depending on the size of all the things, it could go quickly or take a while. You can erase the MIG once it's done.

Now the wrinkle: In Windows 8.1, Easy Transfer was gutted. There's no longer any option to create a MIG file or otherwise be the "old" computer, so the above procedure is impossible. In Windows 10, Easy Transfer is completely absent. I believe the recommended alternative for system administrators is the User State Migration Tool, which comes with the Windows AIK, and is supremely difficult to use compared to Easy Transfer. Clearly they should rename it to Hard Transfer.

Friday, December 11, 2015

If there are secrets in your client, you're toast

Programs that communicate over a network to a central server tend to have some type of authentication and access control. That's great, but I've seen several implementations that have no real security, only the appearance of it. Such software usually fits into one of two categories:

  1. Client-side security. Programs with this problem rely entirely on the client to check access controls. The absence of checks on the server side means that anybody can bypass the authentication or authorization by throwing together their own client that talks to the server directly, issuing whatever commands the user feels like. Moving the security into the server will probably be a large undertaking for the developers, but it's absolutely essential.
  2. Client-held secrets. By "client-held" I mean "burned into the client program." This is a distinct issue from problem #1, though programs with the first often have the second too. Some developers think that obfuscation (to make, say, a string not visibly appear in the EXE) will sufficiently protect any sensitive configuration/information. It won't. A sufficiently determined user can get access to any data that flows through a program running under their own local security context. (Try creating a dump file of a running program and then inspecting that.) This issue also covers "encryption" algorithms that rely on the secrecy of the algorithm to be secure. To remedy this, I suggest using asymmetric-key cryptography and well-known algorithms.
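To make the two categories concrete, here is an added Python sketch (mine, not code from any product the post refers to): a server that trusts the client's own check beside one that resolves identity from its own session table and checks each command itself, so nothing in the client is worth extracting. The user table and passwords are constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple

PERMISSIONS = {"admin": {"read", "write", "delete"}, "viewer": {"read"}}
SALT = b"constructed-salt"   # constructed for the example; use a random salt per user


def _pw_hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 50_000)


# Constructed user table. It exists on the server only; the client embeds none of it.
USERS: Dict[str, Tuple[str, bytes]] = {
    "alice": ("admin", _pw_hash("correct horse")),
    "bob": ("viewer", _pw_hash("battery staple")),
}


class ClientCheckedServer:
    """Category 1: the server runs whatever arrives and believes the role the client
    claims, because 'the client already checked'."""
    def __init__(self) -> None:
        self.executed: List[str] = []

    def handle(self, claimed_role: str, command: str) -> str:
        self.executed.append(f"{claimed_role}:{command}")
        return "ok"


class OfficialClient:
    """The vendor's client enforces the rules, which constrains only this client."""
    def __init__(self, server: ClientCheckedServer, role: str) -> None:
        self.server, self.role = server, role

    def run(self, command: str) -> str:
        if command not in PERMISSIONS[self.role]:
            return "denied by client"
        return self.server.handle(self.role, command)


class ServerCheckedServer:
    """The remedy: identity comes from a server-side session, rights from the server's
    own table, and every command is checked here. A home-made client gains nothing."""
    def __init__(self) -> None:
        self.sessions: Dict[str, str] = {}   # session token -> username
        self.executed: List[Tuple[str, str]] = []

    def login(self, username: str, password: str) -> Optional[str]:
        record = USERS.get(username)
        if record is None or not hmac.compare_digest(record[1], _pw_hash(password)):
            return None
        token = secrets.token_hex(16)        # random, server-issued, never burned into a client
        self.sessions[token] = username
        return token

    def handle(self, token: str, command: str) -> str:
        username = self.sessions.get(token)
        if username is None:
            return "denied: no session"
        if command not in PERMISSIONS[USERS[username][0]]:
            return "denied: insufficient rights"
        self.executed.append((username, command))
        return "ok"
```

With the first design, anything that speaks the protocol can call handle() with whatever role it likes; with the second, the same call is refused unless the server itself issued the session and the server's own table grants the right.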

Thursday, December 10, 2015

Chrome Surprise: "Prevent this page from creating additional dialogs" Not Taking Effect

Some annoying web pages, upon being exited, produce dialog boxes begging you to not leave. Somehow, the pages manage to produce yet another, similar dialog after you choose to indeed leave. Chrome, fortunately, has a checkbox called "Prevent this page from creating additional dialogs" designed to combat such behavior.

Interestingly, though, checking that box and then pressing the X in the upper-right of the JavaScript dialog seems to cancel the entire closing action. The checkbox, if the page produces another dialog, is still unchecked. That's understandable, given that the user chose to remove the entire dialog and not save what was in it. I do wish, however, that the checkbox's state would be saved, as I believe it would lessen the confusion of panicked novice users.

Wednesday, December 9, 2015

Creating Video Series Thumbnails with Paint.NET

For my YouTube videos that are part of a series, I like to overlay an image specific to the episode with a series image. This lets people get a glimpse of what an episode is about while also making the video's membership in the series immediately visible. To create such images, I use Paint.NET. First, for each series, I prepare the overlay:
  1. Put together an overlay. It can even be translucent in some parts!
  2. Create a new Paint.NET image with the same size as your episode images.
  3. Make the first layer completely transparent.
  4. Add a new layer above the first layer and paste the overlay into it.
  5. Save it as a PDN.
When this image project is opened, Paint.NET makes the bottom (empty) layer the default. That's really convenient, because it lets me do this:
  1. Prepare an episode image.
  2. Open the base PDN file.
  3. Paste the episode image. It goes into the bottom plane.
  4. Do a Save As to produce a flattened, final thumbnail.
This process is nothing revolutionary; it's just that Paint.NET has all this polish that makes it great for these things.

Tuesday, December 8, 2015

ASCII 255: "I Can't Believe It's not a Space!"

Character 255 has two uses of which I take advantage frequently. (As frequently as one can take advantage of nonstandard characters.) It looks just like a space, but has these special properties:

  1. It doesn't get eaten by applications that try to remove extra space. If you're trying to hand-align some text, you might need character 255 to stop your fancy diagram from getting crushed against the left margin.
  2. It prevents words around it from being broken across lines. If you have, say, a name that contains initials ("C. K. Williams", for instance), you might want a 255 between the initials and maybe also between the last initial and the written-out component.
You can insert a 255 by pressing 2, then 5, then 5 again on your numeric keypad while holding the right-hand Alt key. NumLock probably has to be on. The HTML entity is &nbsp; - "non-breaking space."

Sunday, December 6, 2015

DirectoryServices.AccountManagement Surprise: FindByIdentity Can Throw

The convenient, high-level feel of .NET's System.DirectoryServices.AccountManagement classes would make one think that they shield you from the internals of LDAP. That does not appear to be the case. Passing a string with unusual characters as a username to the FindByIdentity function on a principal class results in a DirectoryServices exception. (I used non-printing ASCII, accidentally.) The message contains an LDAP query, indicating that special characters are not always escaped correctly.

Where's My BIOS Setup Key?

I have noticed a disturbing trend in modern BIOSes. It has been a good long while since I've seen a machine that says "Press [key] to enter Setup." The lack of message would be fine if BIOS manufacturers decided on a setup key, but they haven't. I've seen Delete, Enter, F12, F10, F1, and F2. The result of these circumstances is that I end up pressing all the keys, hopefully quickly enough to make the computer give me a menu before the OS starts.

I'm sure the manufacturers removed the message because it was scary, or ugly, or something, but could we please either have a subtle message or a standard key?

Friday, December 4, 2015

Finding Strings in a Running Program's Memory

There is a simple, effective tool from Sysinternals called Strings that examines a binary file for textual strings. If you want to look for strings in the memory of a process, you'll need to get a dump of its memory. That can be accomplished very easily by selecting the process in Task Manager, right-clicking its entry, and choosing "Create dump file." Run the resulting file through strings.exe, optionally with a custom minimum string length specified with -n.

Since most processes (even the simple Notepad) will have lots of strings in their memory, you might want to pipe the output into findstr. Example command:

strings notepad.DMP | findstr Important

That will print every string in the dump file (i.e., the process's memory at the time of the dump) that contains the word "Important".

(I am aware of the strings view in the VMMap utility, but it appears to not always work.)
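As an added example (not the post's code, and no real dump is involved), here is a small Python scanner that does what strings.exe piped into findstr does above, run over a constructed byte blob standing in for notepad.DMP. It reports both ASCII and UTF-16LE runs, since Windows programs keep most of their text as UTF-16, with equivalents of the -n and /i switches.

```python
import re
from typing import List, Tuple

# Constructed stand-in for a process dump (not a real notepad.DMP): binary bytes with
# text embedded. A scanner that only looks for ASCII runs would miss the wide strings.
SAMPLE_DUMP = (
    b"MDMP\x93\xa7\x00\x00"                                # minidump magic, then binary noise
    + b"ImportantSetting=1\x00"                            # a narrow (ASCII) string
    + b"\xff\xfe"
    + "C:\\Users\\me\\Important.txt".encode("utf-16-le")  # a wide (UTF-16LE) string
    + b"\x00\x00\x01"
    + b"ab\x00\x00"                                        # too short to report at -n 3
    + "notes".encode("utf-16-le")
    + b"\x7f\x80"
)

Found = Tuple[int, str, str]   # (byte offset, "ascii" | "utf16", text)


def extract_strings(data: bytes, min_len: int = 3) -> List[Found]:
    """Printable runs of at least min_len characters, ASCII and UTF-16LE, by offset.

    min_len plays the role of strings.exe's -n switch (whose default is also 3).
    """
    ascii_run = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_run = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found: List[Found] = []
    for m in ascii_run.finditer(data):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in utf16_run.finditer(data):
        found.append((m.start(), "utf16", m.group().decode("utf-16-le")))
    return sorted(found)


def grep_strings(data: bytes, needle: str, min_len: int = 3,
                 ignore_case: bool = False) -> List[Found]:
    """`strings dump | findstr needle`; ignore_case mirrors findstr's /i switch."""
    if ignore_case:
        needle = needle.lower()
    return [f for f in extract_strings(data, min_len)
            if needle in (f[2].lower() if ignore_case else f[2])]


if __name__ == "__main__":
    for offset, enc, text in grep_strings(SAMPLE_DUMP, "Important"):
        print(f"{offset:6d} {enc:5s} {text}")
```

Running this over a dump of your own program is a quick way to check whether a password or token the client was supposed to forget is still sitting in memory.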

Thursday, December 3, 2015

Windows 10 Server Wi-Fi: Missing in Action

I have a laptop on which I installed the Windows Server Technical Preview 3, the third preview of the Windows 10 server OS. Today I found myself without a spare Ethernet cable for it, but I figured Wi-Fi would do the job. Apparently it won't - Windows always says "no connections available", even though I've confirmed that the Wi-Fi adapter/driver is present and enabled. Even pressing "Connect to" in Network Connections with it selected does nothing. I guess WSTP3 doesn't support Wi-Fi? That would be a shame.

Wednesday, December 2, 2015

Blogger UI Glitch: Overlapping Highlight

I just noticed while examining my blogs' statistics that mousing over an element in the left menu produces a highlight box that appears over the content in the main pane:


Notice how the gray highlight around "Stats" spills over into the URL section. It's not important in the least, but it's interesting to note.

Tuesday, December 1, 2015

What's in Your Downloads?

Many Internet surfers download numerous files over the years. Those files usually go into a Downloads folder, are run/installed/examined, and then ignored. I just noticed that my Downloads folder contains over 9000 files, if you count extracted subfolders, totaling more than 22 GB. (That's only a little more than 1% of my hard drive's capacity, but still. 22 GB.)

The Properties window of my Downloads folder
The vast majority - perhaps even all - of those files are no longer needed. If they are needed, I should organize and move them to a more suitable location so I can find them later. If they were just a one-off thing, well, the space could go to something useful.

What's in your Downloads?