Tuesday 20 March 2018

Application restart #1

I'm a pretty carefree guy, experimenting with all kinds of weird applications from dubious sources. The domain and the network are pretty well secured, but my virtual lab computers are like people in the old west: unregulated and easily killed off if they become too unwieldy.

Still, when something suspicious happens I want to know why, because of course I want to.

Some time ago the following dialog suddenly popped up when I logged in to my work computer:



What? No, I would not like to allow Regedit.exe to make changes to my device. Searching through the startup locations with Sysinternals' excellent Autoruns didn't reveal anything, and subsequent logons did not start Regedit.exe. Probably it was launched from a RunOnce registry key, whose values are deleted as soon as they have run. Difficult to troubleshoot when the traces are gone.

Weeks later it appeared again! What program is causing this? Why does it want to start Regedit.exe? How do I find out, when it only happens once every month or so? None of my coworkers has had the same experience, and even though I have a black belt in Google-fu, searching the web was hard, only turning up how to use Regedit. I know this already!

Then it appeared on my clean virtual lab computer, which is in no way related to my domain-joined work computer. Luckily I had just taken a snapshot of it, and Regedit.exe wanted to start every time I restored it. Finally some progress! Using my incredible skills I found the culprit with Procmon, the greatest tool of all time:



Indeed it was a RunOnce registry key, and its name, "Application Restart #1", is the clue. Since Windows 10 version 1709, the Fall Creators Update (good luck telling the versions apart), Windows relaunches select applications that were running when the computer was shut down. Not only during forced restarts from updates, but also when you manually shut down or restart the computer. Apparently I am not very good at closing programs before shutting the PC down.

Not all programs are restarted, and how Windows decides this is still a mystery to me. It's a badly documented feature with a badly thought-through workaround. This is what Microsoft Answers says about it.
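An added example, not code from the original post, of how to catch the trace before it is gone: a PowerShell function that lists everything currently queued in the RunOnce keys, flags the "Application Restart #N" values Windows writes at shutdown for programs registered with the Restart Manager (RegisterApplicationRestart), resolves which executable each value would launch, and shows who signed it. The function name Get-RunOnceEntry and the CSV log path are my own choices. Because Windows deletes a RunOnce value as soon as it has run it, the function has to execute before the shell processes the key: in a restored snapshot as in the post, or from a task that fires early at sign-in.

```powershell
# Added example (not from the original post). Assumes Windows PowerShell 5.1 or later.
function Get-RunOnceEntry {
    param([string]$LogPath)  # optional CSV to append to, so the trace survives the logon

    # Per-user and per-machine RunOnce keys, including the 32-bit view on 64-bit Windows.
    $keys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    $stamp = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'

    $entries = foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item $key
        foreach ($name in $item.GetValueNames()) {
            # Read the raw value (no %VAR% expansion) so the log shows exactly what was written.
            $cmd = ([string]$item.GetValue($name, '', 'DoNotExpandEnvironmentNames')).Trim()

            # The first token of the command line is the executable: a quoted path, or up to the first space.
            $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split '\s+', 2)[0] }
            $exe = [Environment]::ExpandEnvironmentVariables($exe)

            $sig = $null
            if ($exe -and (Test-Path -LiteralPath $exe -PathType Leaf)) {
                $sig = Get-AuthenticodeSignature -FilePath $exe
            }

            [pscustomobject]@{
                Time       = $stamp
                Key        = $key
                Name       = $name
                AppRestart = $name -like 'Application Restart #*'   # written by Windows at shutdown
                Executable = $exe
                SigStatus  = $(if ($sig) { $sig.Status } else { 'FileNotFound' })
                Signer     = $(if ($sig) { $sig.SignerCertificate.Subject } else { $null })
                Command    = $cmd
            }
        }
    }

    if ($LogPath -and $entries) { $entries | Export-Csv -LiteralPath $LogPath -Append -NoTypeInformation }
    $entries
}

# Log to the user's profile and show the interesting columns.
Get-RunOnceEntry -LogPath "$env:LOCALAPPDATA\runonce-history.csv" |
    Format-Table Name, AppRestart, Executable, SigStatus, Signer -AutoSize
```

The signer column is what answers "would I like to allow this?": a valid Microsoft signature on C:\Windows\regedit.exe means it is the real Regedit being relaunched rather than something that borrowed the name, which is the first thing to rule out before blaming the restart feature.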

Regardless, Regedit.exe, or any other program requiring elevation, should not be started automatically!

Or is it requireing? Require-ing? Reqiruing? My Google-fu might not be as advanced as I thought.




Wednesday 14 March 2018

Mismanaged code

Managed code is all the rage. Once, long ago, we had either slow code that was interpreted at runtime or fast compiled code that was built into a binary the processor could execute natively. Microsoft said fuck this shit and introduced a middle ground, probably to combat their mess of an operating system. To be fair, Microsoft wasn't first; they were just the ones to come up with the name.

Managed code does compile, but not into something the hardware CPU understands: it compiles into an intermediate language for a virtual processor (CIL for dotNet, bytecode for Java), which a runtime such as the CLR or the JVM then JIT-compiles into native code on the machine it runs on. This way the program can be made more secure (type safety, bounds checking, no raw pointers by default) and portable between different architectures, among other things. Java and dotNet are the most common platforms for managed code.

One of the many, many problems with Windows is the convoluted way it runs and separates the 32- and 64-bit environments. Adding a third architecture, code that compiles into something that is neither 32- nor 64-bit Intel instructions, adds to the confusion.

I wrote earlier about how a 64-bit Windows is really two Windows in one, Windows On Windows (WoW64). As you might remember, in the unlikely case you read that post, 32-bit processes see the 32-bit operating system (System32 redirected to SysWOW64, HKLM\Software redirected to Wow6432Node), and 64-bit processes see the 64-bit one.

So, which OS is accessed by a program written in managed code?

It depends.

Let's say you need to deploy a program that requires some third-party database client for an ODBC connection. The supplier tells you it needs the 64-bit version, "or it won't work". You have the 32-bit one installed sitewide already and you know they don't play well together. You know this, because you are an ORACLE.

Luckily, the program you need to deploy is written in C#. Whether a dotNet program runs in the 32- or 64-bit environment is decided by the programmer at compile time by setting the target platform: x86, x64 or AnyCPU. A plain AnyCPU executable runs as a 64-bit process on 64-bit Windows; since Visual Studio 2012, however, new executable projects default to AnyCPU with "Prefer 32-bit", which makes them run as 32-bit processes even on 64-bit Windows. The bitness of the process is what matters here, because a process can only load ODBC drivers of its own bitness: a 64-bit process needs the 64-bit driver, which is what the supplier meant.

With the Microsoft tool CorFlags.exe (it ships with the Windows SDK) this can be changed after the fact! Flags in the CLR header of the file tell the runtime whether 32-bit is preferred (32BITPREF) or required (32BITREQ); set one of them on an AnyCPU assembly and voilà, the program loads as a 32-bit process and works with the already installed 32-bit ODBC driver (whose DSNs are managed with C:\Windows\SysWOW64\odbcad32.exe, not the one in System32), saving me a lot of future work and headaches. Two caveats: it only works on pure-IL (ILONLY) assemblies, since a mixed-mode assembly carries native code for one architecture, and rewriting the header invalidates any strong-name signature (CorFlags wants /Force for those) as well as the Authenticode signature on the vendor's file, so a publisher-based AppLocker rule will no longer match it.
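An added example, not code from the original post: a PowerShell function that reads the PE and CLR headers of an assembly straight from the file, without loading it, and reports the same flags CorFlags.exe shows (PE32 or PE32+, ILONLY, 32BITREQ, 32BITPREF, strong-name signed) together with how 64-bit Windows will run it. This is how to check a vendor binary before and after flipping its flags. The function name Get-ClrImageInfo, the sample file name Vendor.exe and the SDK path in the usage comment are my own assumptions; the header offsets and flag values are from the PE and ECMA-335 formats.

```powershell
# Added example (not from the original post). Assumes Windows PowerShell 5.1 or later.
function Get-ClrImageInfo {
    param([Parameter(Mandatory)][string]$Path)

    $b   = [System.IO.File]::ReadAllBytes((Resolve-Path -LiteralPath $Path).ProviderPath)
    $u16 = { param($o) [BitConverter]::ToUInt16($b, [int]$o) }
    $u32 = { param($o) [BitConverter]::ToUInt32($b, [int]$o) }

    if ((& $u16 0) -ne 0x5A4D) { throw "$Path is not a PE file (no MZ header)" }
    $pe = & $u32 0x3C                                    # e_lfanew: offset of the "PE\0\0" signature
    if ((& $u32 $pe) -ne 0x4550) { throw "$Path has no PE signature" }

    $numSections   = & $u16 ($pe + 6)                    # IMAGE_FILE_HEADER.NumberOfSections
    $sizeOptHeader = & $u16 ($pe + 20)                   # IMAGE_FILE_HEADER.SizeOfOptionalHeader
    $optHeader     = $pe + 24
    $magic         = & $u16 $optHeader                   # 0x10B = PE32 (32-bit image), 0x20B = PE32+ (64-bit image)
    $peKind = switch ($magic) { 0x10B { 'PE32' } 0x20B { 'PE32+' } default { throw "Unknown optional header magic 0x$($magic.ToString('X'))" } }

    # Data directory 14 is the CLR runtime header; the directory table starts at 96 (PE32) or 112 (PE32+).
    $dirBase = $optHeader + $(if ($magic -eq 0x10B) { 96 } else { 112 })
    $clrRva  = & $u32 ($dirBase + 14 * 8)
    if ($clrRva -eq 0) {
        return [pscustomobject]@{
            Path = $Path; PEKind = $peKind; Managed = $false
            RunsAsOn64Bit = $(if ($peKind -eq 'PE32') { '32-bit (native)' } else { '64-bit (native)' })
        }
    }

    # Translate the RVA to a file offset using the section table (40-byte headers after the optional header).
    $sections  = $optHeader + $sizeOptHeader
    $clrOffset = $null
    for ($i = 0; $i -lt $numSections; $i++) {
        $s    = $sections + $i * 40
        $vsz  = & $u32 ($s + 8)                          # VirtualSize
        $va   = & $u32 ($s + 12)                         # VirtualAddress
        $raw  = & $u32 ($s + 16)                         # SizeOfRawData
        $ptr  = & $u32 ($s + 20)                         # PointerToRawData
        $span = [Math]::Max($vsz, $raw)
        if ($clrRva -ge $va -and $clrRva -lt ($va + $span)) { $clrOffset = $clrRva - $va + $ptr; break }
    }
    if ($null -eq $clrOffset) { throw "CLR header RVA 0x$($clrRva.ToString('X')) is not inside any section" }

    # IMAGE_COR20_HEADER: cb(4) MajorRuntimeVersion(2) MinorRuntimeVersion(2) MetaData(8) Flags(4)
    $flags  = & $u32 ($clrOffset + 16)
    $ilOnly = [bool]($flags -band 0x00001)               # COMIMAGE_FLAGS_ILONLY
    $req32  = [bool]($flags -band 0x00002)               # COMIMAGE_FLAGS_32BITREQUIRED
    $signed = [bool]($flags -band 0x00008)               # COMIMAGE_FLAGS_STRONGNAMESIGNED
    $pref32 = [bool]($flags -band 0x20000)               # COMIMAGE_FLAGS_32BITPREFERRED

    $runsAs = if ($peKind -eq 'PE32+') { '64-bit (x64)' } elseif ($req32) { '32-bit (x86)' } elseif ($pref32) { '32-bit (AnyCPU, 32-bit preferred)' } else { '64-bit (AnyCPU)' }

    [pscustomobject]@{
        Path = $Path; PEKind = $peKind; Managed = $true; ILOnly = $ilOnly
        Requires32Bit = $req32; Prefers32Bit = $pref32; StrongNameSigned = $signed
        RunsAsOn64Bit = $runsAs
    }
}

# Usage: inspect, flip the flag with CorFlags.exe from the Windows SDK (path varies by SDK version), inspect again.
#   Get-ClrImageInfo .\Vendor.exe
#   & "C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools\CorFlags.exe" .\Vendor.exe /32BITREQ+
#   Get-ClrImageInfo .\Vendor.exe
```

If StrongNameSigned comes back true, CorFlags will refuse without /Force and the strong-name signature is broken afterwards; if ILOnly comes back false, the assembly contains native code and re-flagging it is not going to make it run as the other bitness.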

Java programs can be launched with either a 32- or 64-bit javaw.exe. Most Java programs can be launched with a specific runtime bundled with the program itself, which is useful since most Java versions are incompatible with anything. But that's a different blog post.

Right now I'm working on something that is going to bring a different kind of headache. Cheers!

Friday 2 March 2018

Different minds, different worlds. A case study.

The giants of the new world are called Google, Apple or Microsoft. In the old days they were called Siemens or Asea Brown Boveri.

Let's compare their philosophies when it comes to delivering software products. I've made an easy-to-understand table comparing a typical Google program, such as Google Earth, with software from ABB or Siemens, such as ABB Automation Builder or Siemens Totally Integrated Automation Portal (say it quickly five times).


Google: Small MSI or single-file setup.
ABB and Siemens: Ginormous installer, dozens or even hundreds of smaller setups wrapped in a launcher, difficult or impossible to install without the wrapper.

Google: Installs in under 1 minute.
ABB and Siemens: Takes hours. Often takes a different amount of time to install each time, even on the same clean computer. Fails unpredictably.

Google: Silent install with simple parameters.
ABB and Siemens: Nope, never in a million years. Even autoclicking through the install is difficult, because the control IDs change or the buttons are not real buttons.

Google: Just works.
ABB and Siemens: Doesn't work. Drivers bluescreen! Actually crashes regsvr32! Has issues with UAC and Credential Guard, can't install in session 0, and even has problems with long filenames. I mean, long filenames, seriously?

Google: Seamless automatic updates.
ABB and Siemens: Requires elevation for updates nobody is asking for, and also for add-on modules you are asking for but that are not included in the offline install.

Google: Secure.
ABB and Siemens: Requires users to have full permission in its many, many Program Files folders and can't be installed elsewhere, which breaks the assumption behind AppLocker's default rules for Program Files. Confusing number of processes requiring firewall exceptions.

Google: Distinctly different programs, each with a clear purpose.
ABB and Siemens: Several identical-looking programs with no description of what they are for or what the differences are.

Google: Just download.
ABB and Siemens: After registering an account and finally finding the correct program using a horrible search engine, you are told you don't qualify to download their precious software.

Google: Just install and run.
ABB and Siemens: After finally installing, you are told you need to apply for a license or to plug a hardware dongle into the USB port. Who pirates engineering software?

Google: Usually a free version; the paid version costs a few dollars.
ABB and Siemens: Costs a fortune.

Google: Program is contained in one folder.
ABB and Siemens: Installs everywhere, including the root of the drive. The computer is never the same again.

Google: Modern look and feel.
ABB and Siemens: GUI like it's 1999.

Google: Explore the entire world.
ABB and Siemens: Automates something something, except itself.

Google: Steals your soul.
ABB and Siemens: Forces you to slowly descend into madness.
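An added example, not code from the original post, for the "Secure" row above: a PowerShell function that walks Program Files and Program Files (x86) and reports every folder where a broad principal (Everyone, Authenticated Users, BUILTIN\Users, INTERACTIVE) has been granted rights that allow creating or changing files. AppLocker's default executable rules allow everything under %PROGRAMFILES%, which only holds up while no standard user can drop files there, so this is the check to run after one of those installers has finished. The function name Get-UserWritableProgramDir is my own choice.

```powershell
# Added example (not from the original post). Assumes Windows PowerShell 3.0 or later.
function Get-UserWritableProgramDir {
    param([string[]]$Root = @($env:ProgramFiles, ${env:ProgramFiles(x86)}))

    # Well-known SIDs for "any standard user" principals; compared by SID so renamed or unresolved names still match.
    $broadSids = @(
        'S-1-1-0'       # Everyone
        'S-1-5-11'      # Authenticated Users
        'S-1-5-32-545'  # BUILTIN\Users
        'S-1-5-4'       # INTERACTIVE
    )
    # Rights that let a principal create or change files: WriteData/CreateFiles (0x2),
    # AppendData/CreateDirectories (0x4), GENERIC_ALL (0x10000000), GENERIC_WRITE (0x40000000).
    # Modify and FullControl both contain 0x2 and 0x4, so they are caught by the same mask.
    $writeMask = 0x50000006

    $dirs = foreach ($r in $Root) {
        if (-not $r) { continue }                        # ProgramFiles(x86) is empty on 32-bit Windows
        Get-Item -LiteralPath $r -ErrorAction SilentlyContinue
        Get-ChildItem -LiteralPath $r -Directory -Recurse -Force -ErrorAction SilentlyContinue
    }

    foreach ($dir in $dirs) {
        $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { continue }                      # access denied to the ACL itself: nothing to report
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if (-not ([int]$ace.FileSystemRights -band $writeMask)) { continue }

            $sid = $null
            try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value } catch { }
            if ($sid -in $broadSids) {
                [pscustomobject]@{
                    Path      = $dir.FullName
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

# Inherited ACEs are reported too, so one loosened top-level folder shows up once per subfolder;
# filter on Inherited -eq $false to see only where the permission was actually granted.
Get-UserWritableProgramDir | Where-Object { -not $_.Inherited } | Sort-Object Path | Format-Table -AutoSize
```

Any folder in the output is one where a standard user can place an executable that the default AppLocker path rule will happily run; the fix is either to tighten the ACL (if the vendor's program survives it) or to replace the path rule for that product with publisher or hash rules.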