Tuesday, 20 March 2018

Application restart #1

I'm a pretty carefree guy, experimenting with all kinds of weird applications from dubious sources. The domain and the network are pretty well secured, but my virtual lab computers are like people in the old west: unregulated and easily killed off if they become too unwieldy.

Still, when something suspicious happens I want to know why, because of course I want to.

Some time ago the following dialog suddenly popped up when I logged in to my work computer;



What? No, I would not like to allow Regedit.exe to make changes to my device. Searching through the startup locations with Sysinternals' excellent Autoruns didn't reveal anything and concurrent logons did not start Regedit.exe. Probably, it was launched by the RunOnce registry key. Difficult to troubleshoot when the traces are gone.

Weeks later it appeared again! What program is causing this? Why does it want to start Regedit.exe? How do I find out when it only happens once every month or so? None of my coworkers have had the same experience and even though I have a black belt in Google-fu, searching the web was hard, only resulting in how to use Regedit. I know this already!

Then it appeared on my clean virtual lab computer, not in any way related to my domain-joined work computer. Luckily I had just done a snapshot of it and Regedit.exe wanted to start every time I restored. Finally some progress! Using my incredible skills I finally found the culprit using Procmon, the greatest tool of all time;



Indeed it was a RunOnce registry key, and the name of it, "Application Restart #1", is the clue. Since some version ago (who knows which, versioning sucks) Windows restarts select applications that were running when the computer was shut down. Not only during forced restarts from updates, but also when you manually shut down the computer. Apparently I am not very good at closing programs before shutting the PC down.
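One way to pull these entries out of a saved Procmon trace (CSV export), as an added example that is not from the original post. The sample rows are constructed, and the process names, the HKCU location and the function name restart_entries are assumptions made for the illustration.

```python
import csv
import io
import re

# Constructed sample in the column layout of a Procmon CSV export.
# Process names, PIDs, times and the HKCU location are illustrative assumptions.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"08:01:12.1","Explorer.EXE","4120","RegQueryValue","HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\Application Restart #1","SUCCESS","Type: REG_SZ, Length: 46, Data: C:\Windows\regedit.exe"
"08:01:12.2","Explorer.EXE","4120","RegDeleteValue","HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\Application Restart #1","SUCCESS",""
"08:01:12.3","Explorer.EXE","4120","RegQueryValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive","SUCCESS","Type: REG_SZ, Length: 30, Data: C:\OneDrive.exe"
"08:01:13.0","svchost.exe","912","RegSetValue","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Setup","SUCCESS","Type: REG_SZ, Length: 20, Data: C:\setup.exe"
'''

# Matches only the restart values, in whichever hive the RunOnce key lives.
RESTART_VALUE = re.compile(r"\\CurrentVersion\\RunOnce\\(Application Restart #\d+)$", re.I)
DATA = re.compile(r"Data: (.*)$")


def restart_entries(csv_text):
    """Return one record per 'Application Restart #N' RunOnce value in the trace."""
    found = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        match = RESTART_VALUE.search(row["Path"])
        if not match or not row["Operation"].startswith("Reg"):
            continue
        rec = found.setdefault(row["Path"], {
            "value": match.group(1), "command": None,
            "processes": set(), "deleted": False})
        rec["processes"].add(row["Process Name"])
        data = DATA.search(row["Detail"])
        if data:                      # the command line stored in the value
            rec["command"] = data.group(1)
        if row["Operation"] == "RegDeleteValue" and row["Result"] == "SUCCESS":
            rec["deleted"] = True     # consumed: nothing left for Autoruns to show
    return found


if __name__ == "__main__":
    for path, rec in restart_entries(SAMPLE_CSV).items():
        print(path, "->", rec["command"], "| deleted after use:", rec["deleted"])
```

When reading a real export from disk, open it with encoding "utf-8-sig" so a leading byte order mark does not end up in the first column name.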

Not all programs are restarted and how Windows decides this is still a mystery to me. It's a badly documented feature with a badly thought through workaround. This is what Microsoft Answers says about it.

Regardless, Regedit.exe, or any program requiring elevation, should not be started automatically!

Or is it requireing? Require-ing? Reqiruing? My Google-fu might not be as advanced as I thought.




Wednesday, 14 March 2018

Mismanaged code

Managed code is all the rage. Once long ago we had either slow code that was interpreted during runtime or fast compiled code that was built into a binary which the processor could execute natively. Microsoft said fuck this shit and introduced a middle ground. Probably to combat their mess of an operating system. To be fair, Microsoft wasn't first, they were just the ones to come up with the name.

Managed code does compile, not into something that is understood by the hardware CPU, but by a virtual processor. This way the program can be made more secure and portable between different architectures among other things. Java and dotNet are the most common platforms for managed code.

One of the many many problems with Windows is the convoluted way it runs and separates the 32 and 64 bit environments. Adding a third architecture, code that compiles into something that is neither 32 nor 64 bit Intel instructions, adds to the confusion.

I wrote earlier about how a 64 bit Windows is really two Windows in one, Windows On Windows. As you might remember in the unlikely case you read that post, 32 bit processes access the 32 bit operating system, and 64 bit processes access the 64 bit one.

So, which OS is accessed by a program written in managed code?

It depends.

Let's say you need to deploy a program that requires some third party database client for an ODBC connection. The supplier tells you it needs the 64 bit version, "or it won't work". You have the 32 bit one installed sitewide already and you know they don't play well together. You know this, because you are an ORACLE.

Luckily, the program you need to deploy is written in C#. Whether a dotNet program uses the 32 or 64 bit environment is decided by the programmer at compile time by setting the target platform. If he does not, it compiles to AnyCPU, which chooses the 64 bit platform if available.

With the Microsoft tool corflags this can be changed after the fact! Flags in the file header tell the runtime environment if 32 bit is preferred or required, and voila, the program works well with the already installed 32-bit ODBC, saving me a lot of future work and headaches.
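Where those flags sit in the file, as an added example that is not from the original post and is not the corflags tool itself: it follows the PE headers to the CLR header and reads the same bits. The function names and the header-only sample image built by make_sample are assumptions made for the illustration.

```python
import struct

ILONLY, REQ32, PREF32 = 0x1, 0x2, 0x20000   # COMIMAGE_FLAGS_* bits in the CLR header


def read_corflags(image):
    """Return (is_pe32_plus, flags) from the bytes of a managed PE file."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE file")
    pe = struct.unpack_from("<I", image, 0x3C)[0]            # e_lfanew
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsect = struct.unpack_from("<H", image, pe + 6)[0]
    opt_size = struct.unpack_from("<H", image, pe + 20)[0]
    opt = pe + 24
    plus = struct.unpack_from("<H", image, opt)[0] == 0x20B  # PE32+ magic
    # Data directory 14 is the CLR runtime header.
    rva, _size = struct.unpack_from("<II", image, opt + (112 if plus else 96) + 14 * 8)
    if rva == 0:
        raise ValueError("no CLR header: not managed code")
    for i in range(nsect):                                   # map the RVA to a file offset
        vsize, vaddr, rsize, raw = struct.unpack_from("<4I", image, opt + opt_size + 40 * i + 8)
        if vaddr <= rva < vaddr + max(vsize, rsize):
            return plus, struct.unpack_from("<I", image, raw + rva - vaddr + 16)[0]
    raise ValueError("CLR header RVA is outside every section")


def bitness(image):
    """Describe which environment the runtime picks on 64-bit Windows."""
    plus, flags = read_corflags(image)
    if plus:
        return "64-bit only"
    if flags & REQ32:
        return "AnyCPU, 32-bit preferred" if flags & PREF32 else "32-bit only"
    return "AnyCPU (runs 64-bit)" if flags & ILONLY else "32-bit only"


def make_sample(plus, flags):
    """Build a constructed, header-only image (not a runnable program) for the demo."""
    img = bytearray(0x400)
    img[0:2], img[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", img, 0x3C, 0x40)
    opt_size = 240 if plus else 224
    struct.pack_into("<H", img, 0x46, 1)                     # one section
    struct.pack_into("<H", img, 0x54, opt_size)
    struct.pack_into("<H", img, 0x58, 0x20B if plus else 0x10B)
    struct.pack_into("<II", img, 0x58 + opt_size - 16, 0x2000, 72)   # directory 14
    struct.pack_into("<4I", img, 0x58 + opt_size + 8, 0x200, 0x2000, 0x200, 0x200)
    struct.pack_into("<I", img, 0x210, flags)                # IMAGE_COR20_HEADER.Flags
    return bytes(img)
```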

Java programs can be launched with either a 32 or 64 bit javaw.exe. Most Java programs can be launched with a specific client, bundled with the program itself. This is useful since most Java versions are incompatible with anything. But that's a different blog post.

Right now I'm working on something that is going to bring a different kind of headache. Cheers!

Friday, 2 March 2018

Different minds, different worlds. A case study.

The giants in the new world are called Google, Apple or Microsoft. In the old ages, they were called Siemens or Asea Brown Boveri.

Let's compare their philosophies when it comes to delivering software products. I've made an easy to understand table comparing a typical Google program, such as Google Earth, with software from ABB or Siemens, such as ABB Automation Builder or Siemens Totally Integrated Automation Portal (say it quickly five times).


| Google | ABB and Siemens |
| --- | --- |
| Small msi or single file setup. | Ginormous installer, dozens or even hundreds of smaller setups, wrapped in a launcher, difficult or impossible to install without the wrapper. |
| Installs in under 1 minute. | Takes hours. Often takes a different amount of time to install each time, even on the same clean computer. Fails unpredictably. |
| Silent install with simple parameters. | Nope, never in a million years. Even autoclicking through the install is difficult, because the control IDs change or buttons are not real buttons. |
| Just works. | Doesn't work. Drivers bluescreen! Actually crashes regsvr32! Has issues with UAC and Credential Guard, can't install in Console 0, and even has problems with long filenames. I mean, long filenames, seriously? |
| Seamless automatic updates. | Requires elevation for updates nobody is asking for, and also for add on modules you are asking for but are not included in the offline install. |
| Secure. | Requires full permission in its many many Program Files folders and can't be installed elsewhere, breaking AppLocker security. Confusing number of processes requiring firewall exceptions. |
| Distinctly different programs each with a clear purpose. | Several identical looking programs with no description of what they are for or what the differences are. |
| Just download. | After registering an account and finally finding the correct program using a horrible search engine, you are told you don't qualify to download their precious software. |
| Just install and run. | After finally installing you are told you need to apply for a license or to put a hardware dongle into the USB. Who pirates engineering software? |
| Usually a free version, the paid version costs a few dollars. | Costs a fortune. |
| Program is contained in one folder. | Installs everywhere, including the root of the drive. Computer is never the same again. |
| Modern look and feel. | GUI like it's 1999. |
| Explore the entire world. | Automates something something, except itself. |
| Steals your soul. | Forces you to slowly descend into madness. |


Thursday, 15 February 2018

Prepare deployment by reading these two thousand pages

Some companies think their product is the best. It's da bomb as they might say, if bombing was a positive thing for software to do.

They think their product is such a gift to humanity they expect you to read through dozens or hundreds of pages even to just get past the EULA.

This might be fine for the user who purchased the application and who then spends days excitedly exploring this new wondrous program.

It is not fine at all for the application deployer who has 550 other applications to manage and can't spend his full-time job just on your special snowflake and doesn't give a shit about how great it is, or even what it does or why. Yes, 550 is the actual number of applications that I manage.

This is the Oracle Database Client Installation Guide. Also available as PDF it is 84 painfully boring pages, and yet when it comes to the most critical part of the installation, what components to include or not include, all it says is;

If you selected Custom as the type of installation in step 4, then the Available
Product Components screen is displayed. Select the products that you want to
install and click Next. 

What? How the fuck am I supposed to know what "Product Components" that "I want"? I don't want to install anything, I have to. What I want is to know what the fuck I have to install and why. Do my clients need "Oracle SQLJ"? How am I supposed to know that?



What I want. Apparently.


This is the Deployment guide for Office 365 ProPlus. Who on Earth has the time to read that through? Does it say anything about how licensing works on shared computers? I don't know because there is too much text.

The Overview: Deploying Creative Cloud for enterprise starts with a seven and a half minute long video. That is the overview. The full guide is found here with more pages than I care to count.

A deployment guide should consist of a single page. This is what I need to know:
  • Prerequisites. Does your program require some other program?
  • What the components are for and which are required.
  • How to configure the install. If it's an MSI, use properties.
  • What the error codes mean. ALL of them.
That is it. Most companies fail on all but the first bullet point and many even fail on that one.

What do these companies think I do at work all day long?

Not working, that's what.

Friday, 9 February 2018

Globally Unique Identifier

A Globally Unique Identifier is a genius thing when you need a globally unique identifier! They are not as brilliant when they are used everywhere you would need a human-readable name, because of laziness.

If you've ever been troubleshooting a Windows program, and you have if you are reading this blog, you are fully aware of the frustration you feel trying to find the associated file from a class identifier in the registry or when figuring out which program C:\Windows\Installer\{136688F1-EF42-414E-92D6-BFF4D25EE688}\ARPPRODUCTICON.exe belongs to.

Usually you just copy the GUID into the clipboard and paste it into an appropriate search box. Isn't it obvious that {25336920-03F9-11cf-8FD0-00AA00686F13} is the CLSID for "Browse in place"?

It doesn't help then, at all, that there are two ways of storing the GUID, either normally or compressed. And by "compressed" I mean "not really compressed, just a little different to annoy people and make their life harder".

How to convert between a standard and a compressed GUID:
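The conversion written out as code, as an added example that is not part of the original post; the function names pack_guid and unpack_guid are chosen here. The first three groups are written back to front and the remaining sixteen digits are swapped in pairs, so the same shuffle works in both directions.

```python
import re
import uuid


def _shuffle(hex32):
    """Apply the Windows Installer digit shuffle to 32 hex digits (self-inverse)."""
    h = hex32.upper()
    # Groups of 8, 4 and 4 digits are each reversed digit by digit ...
    head = h[7::-1] + h[11:7:-1] + h[15:11:-1]
    # ... and in the last 16 digits every pair of digits trades places.
    tail = "".join(h[i + 1] + h[i] for i in range(16, 32, 2))
    return head + tail


def pack_guid(guid):
    """'{136688F1-EF42-...}' -> the 32-digit 'compressed' form."""
    # uuid.UUID validates the input and tolerates braces and dashes.
    return _shuffle(uuid.UUID(guid).hex)


def unpack_guid(packed):
    """32-digit 'compressed' form -> '{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}'."""
    if not re.fullmatch(r"[0-9A-Fa-f]{32}", packed):
        raise ValueError("expected exactly 32 hex digits")
    return "{" + str(uuid.UUID(_shuffle(packed))).upper() + "}"


if __name__ == "__main__":
    # GUIDs quoted in this post.
    for g in ("{136688F1-EF42-414E-92D6-BFF4D25EE688}",
              "{90160000-0011-0000-0000-0000000FF1CE}"):
        packed = pack_guid(g)
        print(g, "->", packed, "->", unpack_guid(packed))
```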


Have you seen anything dumber than this, lately?

Also note that the "Browse in place" GUID, usually found under keys such as HKCR\htmlfile or HKCR\jpegfile, has two lowercase letters for no reason. It's likely true on your Windows too. To be truly globally unique, GUIDs should be generated by an algorithm standardized by ISO, IEC or someone with power to standardize. I am not sure, but I doubt the algorithm is inconsistent with upper and lower case.

Sometimes it is obvious the GUID is not random, as in the case with Microsoft Office;

The product code for Office consists of its version and language and such, ending in "0FF1CE" as Microsoft describes here. My Office 2016 Pro has a GUID of {90160000-0011-0000-0000-0000000FF1CE}.

Older Java clients had class IDs starting with "CAFE"; {CAFEEFAC-0013-0000-0003-ABCDEFFEDCBA}, or maybe it should read "Café fuck", because that is how I read it.

Finding the product code for an msi install is trivial when the program is already installed, but often you would like to avoid littering your computer, even your virtual one, with garbage unless you really have to.

I wrote a tool to list the product codes of all msi files in a folder, and also put them in the clipboard for easy pasting into your uninstall-script. Download it here.

If you don't dare to download unknown programs and run them on your computer you are not an application deployer.

Wednesday, 31 January 2018

What version is this?

Everybody hates versioning. Everybody.

You can easily tell this by the fact that nobody does it unless forced to do so, and mostly not even then.

There is a long and very boring Wikipedia-page about versioning but let me sum it up for you without ever having read it. Your software should have a version number in a format like this:

major.minor.build.revision

Swap build and revision if you like, or disregard them altogether, but keep your major and minor versions consistent! However, there has never been a program that follows this scheme successfully over several versions during its existence. Let me give some examples:



Windows 10 Version 1709 is version 10.0.16299.192. Windows 8 is version 6.


Java Development Kit 7 for Java 7 is not version 7 but 1.7.0.0.


Two different and incompatible ocx-files with the same name and version, from the last century but somehow still in use in some programs today. That is good work, mr McMahon, but you obviously hate versioning as much as everyone else!


This office plugin is either version 10 or version 1.0.10 depending on who you ask. About Office; Office 2003 is version 11, Office 2007 is version 12, 2010 is version 14. I see what you did there, Microsoft, you don't want any bad luck! But how the hell am I supposed to remember that version 15 is Office 2013? Finally version 16 is actually Office 2016, but then again, Office 365 is ALSO version 16!


Some of the many, many, many vc-redists required, it quickly becomes ridiculous. When you get an error and the Event viewer tells you that Microsoft.VC80.MFC is missing, you immediately know you need to install Microsoft Visual C++ 2005 Redistributable, don't you?

I think I got my point across.

Happy versioning!