News

  • A blog about Microsoft Windows development, focused on kernel-mode driver development, the Windows DDK, WDK, and related tools.

    To elaborate on the copyright notice at the bottom: all content produced by me on this site is copyright and licensed as follows:

    This work is licensed under a Creative Commons License (http://creativecommons.org/licenses/by-nc/2.0/).

    Although I work for Positive Networks, this work is my own and is not connected with my employer in any way.


Kernel Mustard

Reflections on Windows System Programming
Steve Dispensa, MVP - Windows DDK

Comments

Steve Dispensa said:

Just a guess at the weakness you mentioned.

I'm thinking ReleaseLock should also use an InterlockedExchange to provide a memory barrier and preserve ordering.
# August 20, 2004 10:34 AM

Steve Dispensa said:

Note that threads that have called into win32k.sys will have larger stacks - 64K, IIRC.
# August 30, 2004 9:25 AM

Steve Dispensa said:

Actually the KM stack was changed from 2 pages to 3 pages between NT 3.51 and NT4 (at least on i386). The reason had something to do with filesystem reentrancy IIRC.
# September 1, 2004 5:36 PM

Steve Dispensa said:

Nobody calls it WinDbag! :p

/FASTBOOT --> you meant /FASTDETECT, I think? I don't think you need to turn this off, though.

Also, I wasn't ever able to get Win2003 to boot in VPC (latest from MS).

If you are using VMware, don't step into a sysenter instruction or you will crash the machine hosting VMware with an instant hard reset (this turns out to be a major pain once you get to debugging WinXP or Win2003 in VMware on a Pentium 2 (or later), as then sysenter instead of int 2e is used for system calls).
# September 3, 2004 12:47 AM

Steve Dispensa said:

Note that by default, all users can open a device for FILE_READ_DATA | FILE_WRITE_DATA.

This is what the default security descriptor looks like for device objects:

Security descriptor:
--------------------
Owner: BUILTIN\Administrators
Primary group: NT AUTHORITY\SYSTEM
Revision: 1, Control: DaclPresent
Dacl: Revision 2 Size 92 bytes used, 0 bytes free, 4 ACEs present
Ace: Index 0 Flags: <empty> Type: AccessAllowedAce SecurityPrincipal: Everyone
AccessMask: ReadData WriteData AppendData ReadEA WriteEA Execute ReadAttributes WriteAttributes ReadControl Synchronize
Ace: Index 1 Flags: <empty> Type: AccessAllowedAce SecurityPrincipal: NT AUTHORITY\SYSTEM
AccessMask: ReadData WriteData AppendData ReadEA WriteEA Execute DeleteChild ReadAttributes WriteAttributes Delete ReadControl WriteDac WriteOwner Synchronize
Ace: Index 2 Flags: <empty> Type: AccessAllowedAce SecurityPrincipal: BUILTIN\Administrators
AccessMask: ReadData WriteData AppendData ReadEA WriteEA Execute DeleteChild ReadAttributes WriteAttributes Delete ReadControl WriteDac WriteOwner Synchronize
Ace: Index 3 Flags: <empty> Type: AccessAllowedAce SecurityPrincipal: NT AUTHORITY\RESTRICTED
AccessMask: ReadData ReadEA Execute ReadAttributes ReadControl Synchronize
Sacl: not present

You can use IoCreateDeviceSecure to specify your own security descriptor, or you can build it yourself with the appropriate Rtl routines (for the most part, the ones you need are only documented by the IFS kit though).

Another option available for restricting access is to use SeCaptureSubjectContext / SeLockSubjectContext / SeTokenIsAdmin / SeUnlockSubjectContext (these also require the IFS kit) and deny access manually if the requestor isn't KernelMode or an admin (SYSTEM counts as an admin).

Finally, you could use SeSinglePrivilegeCheck to require a specific NT privilege for a request.
# September 3, 2004 12:58 AM
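
Added example (not part of the comment above and not code from the blog): a simplified user-mode C model of the DACL walk, run over the four ACEs in the dump and over a SYSTEM-and-Administrators-only DACL of the kind IoCreateDeviceSecure can apply. The principal flags, token masks and function names are assumptions made for the illustration; the access-right values are the SDK's.

```c
/* Added example: simplified model of a DACL access check (not driver code). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Access-right bits as defined in the Windows SDK headers. */
#define FILE_READ_DATA   0x00000001u
#define FILE_WRITE_DATA  0x00000002u
#define WRITE_DAC        0x00040000u
#define FILE_ALL_ACCESS  0x001F01FFu

/* Hypothetical stand-ins for SIDs: one bit per principal. */
enum { P_EVERYONE = 1, P_SYSTEM = 2, P_ADMINS = 4, P_RESTRICTED = 8 };
/* Hypothetical tokens: an ordinary user and an administrator. */
enum { TOK_USER = P_EVERYONE, TOK_ADMIN = P_EVERYONE | P_ADMINS };

enum ace_type { ACE_ALLOW, ACE_DENY };
struct ace { enum ace_type type; unsigned principal; uint32_t mask; };

/* Default device-object DACL from the dump above; each mask is the sum of
   the right names listed for that ACE. */
static const struct ace default_dacl[] = {
    { ACE_ALLOW, P_EVERYONE,   0x001201BFu },     /* includes ReadData | WriteData */
    { ACE_ALLOW, P_SYSTEM,     FILE_ALL_ACCESS },
    { ACE_ALLOW, P_ADMINS,     FILE_ALL_ACCESS },
    { ACE_ALLOW, P_RESTRICTED, 0x001200A9u },
};

/* Restricted DACL: full access for SYSTEM and Administrators only, which is
   what wdmsec.h's SDDL_DEVOBJ_SYS_ALL_ADM_ALL describes. */
static const struct ace admin_only_dacl[] = {
    { ACE_ALLOW, P_SYSTEM, FILE_ALL_ACCESS },
    { ACE_ALLOW, P_ADMINS, FILE_ALL_ACCESS },
};

/* Walk the ACEs in order. A matching deny ACE that covers a still-needed
   right fails the request; matching allow ACEs clear the rights they grant.
   Returns 1 once every desired right has been granted, otherwise 0. */
int access_granted(const struct ace *dacl, size_t n, unsigned token, uint32_t desired)
{
    uint32_t remaining = desired;
    for (size_t i = 0; i < n && remaining != 0; i++) {
        if ((dacl[i].principal & token) == 0)
            continue;                         /* ACE is for someone else */
        if (dacl[i].type == ACE_DENY) {
            if (dacl[i].mask & remaining)
                return 0;
        } else {
            remaining &= ~dacl[i].mask;
        }
    }
    return remaining == 0;
}

int main(void)
{
    uint32_t rw = FILE_READ_DATA | FILE_WRITE_DATA;
    printf("default DACL,    user  R/W: %d\n", access_granted(default_dacl, 4, TOK_USER, rw));
    printf("admin-only DACL, user  R/W: %d\n", access_granted(admin_only_dacl, 2, TOK_USER, rw));
    printf("admin-only DACL, admin R/W: %d\n", access_granted(admin_only_dacl, 2, TOK_ADMIN, rw));
    return 0;
}
```

The model leaves out owner rights, privileges and the second pass made for restricted tokens; it only shows why the Everyone ACE is the one that decides the outcome for an unprivileged caller.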

Steve Dispensa said:

Skywing - I might be well wrong, but isn't the 64Kb stack the case only for threads that did *DirectDraw/3D* calls to win32k?
# September 4, 2004 9:12 AM

Steve Dispensa said:

No, any call to win32k does it. PsConvertToGuiThread is called on the first win32k system service and it switches the kernel stack to a large stack.
# September 5, 2004 9:54 AM

Steve Dispensa said:

No, ReleaseLock is OK as is.
But AcquireLock() can be "improved":

VOID AcquireLock(volatile LONG *lock)
{
    /* Atomic exchange returns the old value: nonzero means the lock was already held. */
    while (InterlockedExchange(lock, 1)) {
        /* Spin on plain reads until the lock looks free, then retry the exchange. */
        while (*lock != 0)
            ;
    }
}

This way it will spin mostly in the inner while() loop, which avoids the "coherent bus traffic" incurred by InterlockedExchange().

It can be improved even further by assuming that lock contention is low and making the fast path inline.
# September 8, 2004 4:16 PM
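
Added example (not from the thread or the original article): the test-and-test-and-set loop from the comment above, together with the release ordering raised in the first comment, written as portable user-mode C11 atomics and exercised by several threads. The names spin_t, acquire_lock, release_lock and run_contended are assumptions for the illustration.

```c
/* Added example: test-and-test-and-set spinlock with C11 atomics (user mode). */
#include <pthread.h>
#include <stdatomic.h>
#include <stdio.h>

typedef struct { atomic_long state; } spin_t;     /* 0 = free, 1 = held */

static void acquire_lock(spin_t *l)
{
    /* Only the exchange takes the cache line exclusive. Acquire ordering
       keeps the critical section from being moved above it. */
    while (atomic_exchange_explicit(&l->state, 1, memory_order_acquire)) {
        /* Contended: spin on plain loads so the line can stay shared. */
        while (atomic_load_explicit(&l->state, memory_order_relaxed) != 0)
            ;
    }
}

static void release_lock(spin_t *l)
{
    /* Release ordering: writes made inside the critical section become
       visible before the lock can be observed as free. */
    atomic_store_explicit(&l->state, 0, memory_order_release);
}

struct worker_arg { spin_t *lock; long *counter; long iters; };

static void *worker(void *p)
{
    struct worker_arg *w = p;
    for (long i = 0; i < w->iters; i++) {
        acquire_lock(w->lock);
        (*w->counter)++;          /* deliberately non-atomic; the lock protects it */
        release_lock(w->lock);
    }
    return NULL;
}

/* Runs nthreads workers (1..16) that each increment a shared counter iters
   times under the lock. Returns the final counter, or -1 on error. */
long run_contended(int nthreads, long iters)
{
    pthread_t tid[16];
    spin_t lock;
    long counter = 0;
    struct worker_arg arg = { &lock, &counter, iters };
    int started = 0;

    if (nthreads < 1 || nthreads > 16)
        return -1;
    atomic_init(&lock.state, 0);
    for (; started < nthreads; started++)
        if (pthread_create(&tid[started], NULL, worker, &arg) != 0)
            break;
    for (int i = 0; i < started; i++)
        pthread_join(tid[i], NULL);
    return started == nthreads ? counter : -1;
}

int main(void)
{
    printf("final counter: %ld\n", run_contended(4, 20000));
    return 0;
}
```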

Steve Dispensa said:

Where does the Windows kernel service interrupts? On the current stack, or by switching to the "interrupt thread"? If the former, then the effective stack size is actually smaller, because the stack has to be shared between the thread and the interrupt.

It's worth noting that Linux goes in the opposite direction: in 2.6 (x86) the kernel stack was reduced from 2 pages to 1 page (4K).
# September 9, 2004 8:49 AM

Steve Dispensa said:

LOL. I just wanted to post on this topic in the comments of the other IOCTL article, but then I realized the DDK documentation was updated and describes this correctly (as opposed to the W2K DDK documentation, which didn't give the important information about METHOD_IN_DIRECT and buffer), so I scratched the few paragraphs after twenty minutes of writing. Now I see I should have posted it... well, too late :-(
# September 10, 2004 11:53 AM

Steve Dispensa said:

Well well well, it turns out that I was looking at an older DDK, as Filip had indicated. The current DDK says:

METHOD_IN_DIRECT or METHOD_OUT_DIRECT
For these transfer types, IRPs supply a pointer to a buffer at Irp->AssociatedIrp.SystemBuffer. This represents the input buffer that is specified in calls to DeviceIoControl and IoBuildDeviceIoControlRequest. The buffer size is specified by Parameters.DeviceIoControl.InputBufferLength in the driver's IO_STACK_LOCATION structure.
For these transfer types, IRPs also supply a pointer to an MDL at Irp->MdlAddress. This represents the output buffer that is specified in calls to DeviceIoControl and IoBuildDeviceIoControlRequest. However, this buffer can actually be used as either an input buffer or an output buffer, as follows:

METHOD_IN_DIRECT is specified if the driver that handles the IRP receives data in the buffer when it is called. The MDL describes an input buffer, and specifying METHOD_IN_DIRECT ensures that the executing thread has read-access to the buffer.
METHOD_OUT_DIRECT is specified if the driver that handles the IRP will write data into the buffer before completing the IRP. The MDL describes an output buffer, and specifying METHOD_OUT_DIRECT ensures that the executing thread has write-access to the buffer.
For both of these transfer types, Parameters.DeviceIoControl.OutputBufferLength specifies the size of the buffer that is described by the MDL.

Thanks for the pointer, Filip. I would have liked to have seen your comment, though! :-)
# September 10, 2004 12:21 PM

Steve Dispensa said:

I did a search on my drivers also. I haven't used METHOD_IN_DIRECT either. I wonder if anyone has?
# September 10, 2004 2:58 PM

Steve Dispensa said:

Rob Green - It was commonly used by the NT4 sound drivers to transfer data from the user-mode WinMM driver to the kernel mode driver which did the sound playback, but I don't remember seeing it in new drivers either (with the exception of the predefined DDK TDI IOCTLs).
# September 10, 2004 6:50 PM

Steve Dispensa said:

Like Filip, the only examples I found were the TDI IOCTLs, but TDI is only accessed from kernel-mode components, using IRP_MJ_INTERNAL_DEVICE_CONTROL.

On further review, it looks like the .NET DDK also has DOT4 IOCTLs defined this way. I have never done anything with DOT4 either.
# September 12, 2004 4:32 PM

Steve Dispensa said:

Didn't you mean to write this:
while(a == 0)
{
ASSERT(b == 1);
}
in the first example?

If not I think I misunderstood something. Nice article, BTW.
# September 17, 2004 11:58 AM

Steve Dispensa said:

No, I meant it that way (but I did have to ponder it again :) ). That loop means "spin forever until a is no longer equal to 0", and a is pre-initialized to 0 above.

g() sets them both to 1 (b first, then a). The point is that the ASSERT in f() might still fire because it's missing a memory barrier. Even though g() writes b = 1 first, the CPU might re-order it behind the write of a = 1, and in that interim time between writing a first and b second (which is backwards of what the code says), the other thread might read a = 1 and b = 0, triggering the ASSERT.
# September 17, 2004 12:15 PM
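
Added example (not from the original article or its comments): the f()/g() pattern described above as portable user-mode C11, with a release fence between the two writes and the matching acquire fence that the C11 memory model needs on the reading side. thread_f, thread_g and count_violations are assumed names; a and b follow the comment.

```c
/* Added example: ordering the writes to b and a with C11 fences (user mode). */
#include <pthread.h>
#include <stdatomic.h>
#include <stdint.h>
#include <stdio.h>

static atomic_int a, b;           /* both start at 0, as in the article */

/* g(): write b first, then a. The release fence stops the store to b from
   being reordered after the store to a. */
static void *thread_g(void *unused)
{
    (void)unused;
    atomic_store_explicit(&b, 1, memory_order_relaxed);
    atomic_thread_fence(memory_order_release);
    atomic_store_explicit(&a, 1, memory_order_relaxed);
    return NULL;
}

/* f(): spin until a is no longer 0, then check b (the ASSERT in the
   article). Returns non-NULL if b was still 0. On x86 the acquire fence
   emits no instruction, but it stops the compiler from hoisting the load
   of b above the loop. */
static void *thread_f(void *unused)
{
    (void)unused;
    while (atomic_load_explicit(&a, memory_order_relaxed) == 0)
        ;
    atomic_thread_fence(memory_order_acquire);
    int stale = atomic_load_explicit(&b, memory_order_relaxed) != 1;
    return (void *)(intptr_t)stale;
}

/* Runs the reader/writer pair `rounds` times and returns how many times the
   reader saw a == 1 with b == 0, or -1 if a thread could not be created. */
int count_violations(int rounds)
{
    int violations = 0;
    for (int i = 0; i < rounds; i++) {
        pthread_t reader, writer;
        void *saw_stale = NULL;

        atomic_store(&a, 0);
        atomic_store(&b, 0);
        if (pthread_create(&reader, NULL, thread_f, NULL) != 0)
            return -1;
        if (pthread_create(&writer, NULL, thread_g, NULL) != 0) {
            atomic_store(&a, 1);              /* let the reader leave its loop */
            pthread_join(reader, NULL);
            return -1;
        }
        pthread_join(writer, NULL);
        pthread_join(reader, &saw_stale);
        violations += (saw_stale != NULL);
    }
    return violations;
}

int main(void)
{
    printf("violations: %d\n", count_violations(200));
    return 0;
}
```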

Steve Dispensa said:

Oh, now I got it. Thanks. For some weird reason I had mixed up my understanding of ASSERT(x) and thought of it as ASSERT(!x) and your code made no sense to me. :-)
# September 17, 2004 1:18 PM

Steve Dispensa said:

Are you sure that works? Wouldn't you need the memory barrier before the *test*?

Consider either of the cases where you placed a memory barrier; in both of them, there is a possibility of two writes happening before a memory barrier (either a++ then start of loop and b++, or start of loop, b++ then an a++). Now, consider that two writes happen, get reordered on CPU#1 --- then CPU#2 runs the test/ASSERT, and then CPU#1 runs the memory barrier. I think CPU#1 will see the reordered writes here.

I think putting a memory barrier after each write, OR a memory barrier before the test would work.
# September 17, 2004 2:23 PM

Steve Dispensa said:

The test is ostensibly happening on a different chip, where a memory barrier would have no effect. You're right about the fact that you can get two writes before the barrier, but you can only get two, and the location of the barrier matters.

In re-reading this article, it seems that I forgot to comment on which of the two scenarios fixes the problem in the example. The truth is that only the first scenario (i.e. KeMemoryBarrier() between b++ and a++) does. The reason is that at the time of the very first memory barrier execution, b is guaranteed to be 2 ahead of a, so it doesn't matter in which order the next two increments happen. As long as there's a barrier after every two writes, you're guaranteed to be either 1 or 2 ahead.

# September 20, 2004 10:14 AM

Steve Dispensa said:

I always manage to forget something... sigh...

The same issues show up in usermode code, by the way. I didn't mean to imply that this was kernel-mode-only. In fact, the SDK has MemoryBarrier() for the same reason. For those of you who invest your time in the .Nyet silliness, there's even Thread.MemoryBarrier for you.

Anyone know how to do this in a JVM? :-)

The sdk documentation idiotically says that you only have to use memory barriers "if you know your code will be running on multiprocessor architectures using weak-ordering CPUs". Hmm... Let me see... that seems to include all hyperthreaded P4s, doesn't it?

Even more hmmm... I have no idea if the two virtual CPUs that are exposed by an HT P4 have the same memory barrier issues. Theoretically Intel could keep the entire physical chip self-consistent (in fact, there are statements to that effect in the manuals, but they're in a different context).
# September 20, 2004 1:05 PM

Steve Dispensa said:

Java doesn't really go that close to the underlying architecture to be as specific as saying 'do all of this before anything else' as far as I know. You would have to do something along the lines of a mutex or spinlock via the synchronized keyword in Java. In Java, synchronized can be added to any method's declaration to make it 'mutexed' across each instance of the object. For instance, if you make an object with two methods, each synchronized, and create one instance of the object, then, when instantiated, any thread can only run one of those methods at a time. In addition, additional instances of the object are only restricted by THEIR instance... meaning that both objects could run method 1 at the exact same time, but one object cannot run both of its methods at the same time.

This is, in my opinion, handy, yet limiting. Luckily, Java allows you to use the synchronized keyword in another more useful way. You can basically treat any Object (I say Object because Object is the base class for any object in Java) as a mutex/spinlock. If you want to use specific locks, just do synchronized (someObj) { code; } around any code that you want to be locked based on someObj. Only one synchronized (someObj) { code; } block can run at a time for the instance of someObj in that scope. If you want to do a process-wide lock, declare a static Object outside your class instance (like at the top of a .java file) and do synchronized blocks off of it. This is equivalent to mutexes in the Java world.

Another handy feature of Java's threading setup is the fact that each object you use or define, as long as it's a real object like Integer and not a language literal like int, can be used to synchronize, notify, and wait on. The Object base class has methods called wait, notify, notifyAll. One version of the wait method takes a timeout also. Notify will cause one thread that is waiting to wake up. NotifyAll will wake them all up. Very handy indeed.
# September 20, 2004 1:47 PM

Steve Dispensa said:

Breaker 19, There's a big pile up on i-90: 933, 1053

Yes, that's right... read the code and see why. If you uncomment the synchronized blocks it works just fine. Code follows:

public class Test
{
    public static boolean keepTruckn = true;

    // Writer: bumps both counters with no synchronization.
    static public class T1
        extends Thread
    {
        int goods[] = null;

        public T1( int goods[] )
        {
            this.goods = goods;
        }

        public void run()
        {
            while ( keepTruckn )
            {
                //synchronized ( goods )
                //{
                    goods[0]++;
                    goods[1]++;
                //}
            }
        }
    }

    // Reader: stops as soon as it sees the two counters disagree.
    static public class T2
        extends Thread
    {
        int goods[] = null;

        public T2( int goods[] )
        {
            this.goods = goods;
        }

        public void run()
        {
            while ( true )
            {
                //synchronized ( goods )
                //{
                    if ( (goods[0] != goods[1]) && keepTruckn )
                        break;
                //}
            }

            System.err.println("Breaker 19, There's a big pile up on i-90: " + goods[0] + ", " + goods[1] );
            keepTruckn = false;
        }
    }

    public static void main( String args[] )
    {
        int goods[] = new int[2];
        goods[0] = goods[1] = 0;

        T1 t1 = new T1( goods );
        T2 t2 = new T2( goods );

        t1.start();
        t2.start();

        try
        {
            t2.join();
            t1.join();
        }
        catch ( Exception e ) { }
    }
}
# September 20, 2004 2:44 PM

Steve Dispensa said:

Hrmm, view source on that last post to view the indentation correctly -- it makes much more sense that way ;)
# September 20, 2004 2:46 PM

Steve Dispensa said:

http://www-106.ibm.com/developerworks/java/library/j-jtp02244.html

Gives a great write up of the Java memory model, why it's broken and how they want to fix it...

Unsurprisingly there is a proposal for Read/write/both barriers.
# September 21, 2004 8:39 AM

Steve Dispensa said:

Steve:

Perhaps you could blog about some book recommendations, or online resources where one could read more about this subject?
# September 21, 2004 10:25 AM

Steve Dispensa said:

Beware that in Server 2003 the IRQL check for APC_LEVEL is not sufficient. Server 2003 has begun using "guarded mutexes," which block both normal AND special kernel APCs (thus preventing I/O completion) but leave the IRQL at PASSIVE_LEVEL. It's not at all pretty...

You can get more info here: http://www.osronline.com/article.cfm?article=283

-scott
OSR
# September 29, 2004 8:38 AM

Steve Dispensa said:

Note that you don't have to overwrite ntoskrnl.exe and hal.dll; boot.ini is happy to let you specify an alternate kernel and HAL. Just extract the checked versions to %SystemRoot%\System32\ntoskrnl.chk and %SystemRoot%\System32\hal.chk and add "/kernel=ntoskrnl.chk /hal=hal.chk" to your boot.ini. You can find more detailed info under "Installing Just the Checked Operating System and HAL" in the DDK.

By doing it this way you have an easy way to back out if you happened to grab the wrong checked images (which happens to me a lot nowadays with all of the hotfixes).

-scott
OSR
# September 29, 2004 8:51 AM

Steve Dispensa said:

You know, I completely forgot to point to that article, but it is a great one. I believe it appeared in the 50+ page NT Insider I got last month too. The whole thing is totally worth a read.

I'm just too lazy (for whatever reason) to set up a boot.ini, but as I think about it, it's like 15 seconds of extra work, so that's probably short-sighted on my part.

Thanks for the feedback!
# September 29, 2004 12:26 PM

Steve Dispensa said:

Scott, could you elaborate a little bit on what the motivation for going to guarded mutexes was?
# September 29, 2004 12:47 PM

Steve Dispensa said:

I don't have any extra insight on why the change was made, I just know that it was made and that it can definitely cause problems. It was a real head scratcher when code that was definitely running at PASSIVE_LEVEL was hanging because the special kernel APC for I/O completion was blocked...

-scott
OSR


# September 29, 2004 1:14 PM

Steve Dispensa said:

Are you sure about that?

lkd> u nt!KeAreApcsDisabled
nt!KeAreApcsDisabled:
8050f74d 64a124010000 mov eax,fs:[00000124]
8050f753 83787000 cmp dword ptr [eax+0x70],0x0 ; <--- tests a ULONG and not a USHORT!
8050f757 0f95c0 setne al
8050f75a c3 ret


lkd> dt nt!_KTHREAD
.
.
.
+0x070 KernelApcDisable : Int2B
+0x072 SpecialApcDisable : Int2B
+0x070 CombinedApcDisable : Uint4B

It seems as if KeAreApcsDisabled won't return 1 unless both kernel and special kernel APCs are disabled (despite what the documentation says; I guess it's now wrong, since the Win2003 DDK claims special APCs will still be delivered...). This is on Windows Server 2003 SP0 plain-x86.
# October 4, 2004 10:57 PM

Steve Dispensa said:

Hmm. Maybe spread a word of HCT in the Developer's Toolbox series?
# October 13, 2004 2:32 PM

Steve Dispensa said:

Hi, Steve, we just talked after your presentation in SCE. To summarize what you mentioned above, if I may: you emphasized the capacity to conduct algorithmic analysis and passion for programming. I completely agree. To add my two cents, care for others and willingness to take up responsibility are another two characteristics I observed will harness a programmer. BTW, thanks for your kind advice at noon.
# October 27, 2004 3:59 PM

Steve Dispensa said:

Yes, VMWare drivers suck... They do a VERY STUPID thing: they fill the unused dispatch table entries with NULL.
# October 31, 2004 2:21 PM

Steve Dispensa said:

I was astonished at the noise that the deadlock thread
in NTDEV created. Deadlock prevention is a 101
for any filesystem developer. Maybe some reiteration
about locking hierarchies, what resources can come
into play, and times when the OS appears to be
trying to invert your lock hierarchy?
# November 1, 2004 6:11 AM

Steve Dispensa said:

keep writing!
# November 18, 2004 8:20 AM

Steve Dispensa said:

Ah, but the funny part is that the developers still get to use the _AMD64_ compile-time variable, and there are no plans to change it to _X64_.
http://travis.servebeer.com/blog.net/archive/2004/11/04/amd_sixtyfour_for_windows_xsixtyfour.aspx
# November 18, 2004 12:13 PM

Steve Dispensa said:

Well, I landed here looking for an int2b instruction
that is being executed in user32.dll (GetDc+3a) in W2K Pro. Is there no utility by which one can trace inside
this interrupt or any other interrupt (int 2e, for example) without using sice on a single machine?

Where does an amateur go to find another comp or
sice :(
Anyway, nice article; hope there are some more articles on
usage of windbg.
# December 3, 2004 4:37 AM

Steve Dispensa said:

Any chance you were able to track down all of the hardware drivers needed for the Sager NP4750 to run Windows XP Pro 64-bit (evaluation version)? The drivers from Sager don't all work, leaving things like wireless LAN not working and video unable to display at native resolution. If you have any tips, I'd really appreciate it! austian@visi.com
# December 13, 2004 11:54 PM

Steve Dispensa said:

Yeah, everything works well enough. Another guy here has one; his response:
----
The video driver displays fine for me, although the wireless does not work (I haven't tried to get it to work either since I don't use wireless)
----

Go to amd.com and search for native 64-bit drivers. You have to look a little bit, but you'll find them.
# December 15, 2004 12:01 PM

Steve Dispensa said:

a
# December 23, 2004 1:00 PM

Steve Dispensa said:

Having attended both conferences (DDC and WinHEC) I wonder why they have scheduled them at the same time this year?
# December 23, 2004 6:42 PM

Steve Dispensa said:

salutatin
# December 27, 2004 10:09 AM

Steve Dispensa said:

going up
# December 27, 2004 10:10 AM

Steve Dispensa said:

Congrats Steve! It's good to see your efforts being recognized...maybe even better to see that it is MS doing the recognizing ;-}

m.
# January 20, 2005 11:02 AM

Steve Dispensa said:

How do I go about becoming a programmer if I have a strong desire to become a programmer? I have no formal computer training. To give you an idea, the extent of my programming experience is editing macros in MS Excel. I was told just a few college courses could teach you the logic behind programming; after that it is learning the different languages. I considered going to a Technology school. Please advise.
# January 20, 2005 9:26 PM

Steve Dispensa said:

Well, I'd say you should pick a reasonable programming language and grab a book about it, or better yet, look around online for resources about your language of choice. I'd recommend Java or (preferably) C# as good starting languages, as they're a lot like C/C++, which are the real workhorses of the development world, while being much easier to get a handle on to start with.

Eventually, you really have to get comfortable with C and/or C++, and the best way to get there is, in my opinion, to work on some real code. Find an open-source project of some sort that interests you, go through the bug database, find problems that are within your grasp to solve, and submit patches to the project. After a while of patch submission, if you like the work and are any good at it, you may be invited to be a regular contributor to the project.

Bottom line: the *only* way to become a programmer is to write lots of code. You can't read it out of books, and you can't learn it in school. You just have to code.

Joel Spolsky had a recent rant about this precise point, and his article on the topic was much more eloquent than my own - go check out http://www.joelonsoftware.com/articles/CollegeAdvice.html for his thoughts.

-sd
# January 20, 2005 11:20 PM

Steve Dispensa said:

Steve Dispensa, I just reviewed the first half of a book by Stephen R. Davis, "c++ weekend crash course".

Tell me if I am wrong but it seems like most of the literature on programming should be used like a dictionary, rather than reading from start to finish.

I think I have a grasp of the logic behind programming. It seems like, in most circumstances, there is more than
one way to code something.

I have a few simple projects that I need coded.

I am using a windows system and will be using c++. Could you suggest a compiler to use.
# January 26, 2005 8:41 PM

Steve Dispensa said:

Good
# February 12, 2005 2:48 PM

Steve Dispensa said:

We switched to DDK build last year and it works ;-) But I needed to derive tools from the DDK, add some headers/libs from the PSDK and make some changes to makefile.new. But this solution is also flawed because there are no tools for converting to/from VS project files, so maybe the MSBuild build process is better. Did you check it?
# March 11, 2005 6:32 AM

Steve Dispensa said:

I also was staggered when I realized that
BUILD.EXE has such project-limiting source
layout requirements.

Good article. I'm looking forward to seeing
what you choose to replace BUILD.EXE.
# March 14, 2005 1:38 PM

Steve Dispensa said:

1) Why not just copy SDK header from the recent SDK (XPSP2)? Anyway - you SHOULD store building environment in SCS
2) Yes, it seems that DDK supports only STL6
3) If you check SSCLI sources you'll see that source code is really compiled in static libraries
4) Again - check SSCLI sources - build IS ported to FreeBSD ;-)
# March 15, 2005 3:46 AM

Steve Dispensa said:

/YX is flawed. Don't use it.

Every single project I've created or that I've seen which uses it ends up rebuilding the PCH on every single compile. You might as well not be using PCH at all.

Setting up manual PCH takes a second or two and as an added bonus, it actually works correctly too!
# March 17, 2005 1:53 PM

Steve Dispensa said:

Looks great to me - I tried it out on a few small projects and it looked like it worked. Any idea why it would just decide to not work? Anyway, I still say that keeping pch working is a pain, for any reasonable-sized, multi-developer project.

This does, of course, ignore the much more fundamental header organization principles that should be used regardless of pch.
# March 17, 2005 10:27 PM

Steve Dispensa said:

I want to become a programmer. How can I be one?
# March 25, 2005 9:41 AM

Steve Dispensa said:

Greetings from Malaga (Spain). Antonio :-)
# March 27, 2005 10:13 AM

Steve Dispensa said:

Hi there,

I'm a philosophy undergraduate specializing in symbolic logic/philosophy of logic, and not knowing what I want to do after graduation I recently visited a careers advisor. I told him that if it was up to me, I would just sit around doing propositional calculus all day, but as there were no jobs requiring me to do that I didn't know what to become. To which he (surprisingly) answered that I was wrong, and said I should become a programmer.

The thing is though, I know nothing about computers. Sure, I have studied computability and the ideas of people such as Turing and Godel, I know how you can represent all logical propositions using the operators "not" and "and", and I know that this can be represented by an integrated circuit, but that's about it.

Is there still hope for me? What should I do next (except actually learning C++)? And how similar is programming to problem solving in propositional calculus anyway?

cheers!
# March 28, 2005 7:35 AM

Steve Dispensa said:

I don't even have any knowledge of programming but am eager to know it. I don't have time to go to school. Can you help me choose a web site to learn it?
# March 31, 2005 11:09 PM

Steve Dispensa said:

To try out this functionality yourself, simply call NtSetSystemInformation with the Information Class 69 (SystemApplyHotPatch).
You'll need a large undocumented structure, and a handle to a file containing a special hot patch PE section with special hot patch data. Once you have that, not only can you patch the data, but you can also install Rtl Debug Hooks which will hook everything you need and notify you.

Best regards,
Alex Ionescu
# April 27, 2005 7:29 AM

Steve Dispensa said:

Maybe it belongs at www.thedailywtf.com
# May 1, 2005 7:20 PM

Steve Dispensa said:

Windows Professional x64 audio drivers for the NP4750 can be found at http://www.realtek.com.tw/downloads/dlac97-2.aspx?lineid=5&famid=12&series=8&Software=True while the updated video drivers can be found at https://support.ati.com/ics/support/default.asp?deptID=894&task=knowledge&folderID=27 (you're looking to install the CATALYST 5.4 Windows XP Professional x64 Edition drivers). With these two drivers, your audio and video will mostly work. I say mostly because I've found some DVDs that do not play the dialog even though the background music and sounds still play. There are also some issues with older (legacy) modems and network devices (external, USB, etc.) that you may not be able to work around.
# May 2, 2005 12:10 PM

Steve Dispensa said:

Hi,
You mentioned here open-source projects bugs to fix lib.
I was wondering if you have any URLs of that kind for that subject that you are familiar with and can refer me to.
I did a small search of my own but didn't quite find what I was "looking for".

thanks a lot.

Aviad
# May 4, 2005 4:11 AM

Steve Dispensa said:

>>The reason is easy - the MOV is called every time the
>>function is called, whether it is hooked or not (or,
>>more precisely, when it is not hooked).

Actually it's about applying patches safely - if there were two NOPs the EIP in some thread at the moment when patch is being applied could point to second NOP which would result in execution of second byte of jmps as an instruction. But when there's a 2-byte instruction, you can always replace it with another 2-byte instruction, cause EIP points either at it or at next instruction (it's also SMP-safe, cause CPU will re-read instruction when it detects a write to any of the instruction bytes while)
# May 12, 2005 6:53 AM

TrackBack said:

^_~,pretty good!csharpsseeoo
# May 16, 2005 10:44 AM

Steve Dispensa said:

Great summary! Of course this "vulnerability" does not come as a great surprise. Every cryptography textbook warns against it!
# May 31, 2005 3:38 PM

Steve Dispensa said:

Wow, user mode drivers? What I missed! I should read MSDN more times.
# June 7, 2005 4:30 AM

TrackBack said:

More Sharp Languages: F#
# June 10, 2005 1:51 AM

TrackBack said:

Nar Ganapathy on Channel9
# June 10, 2005 1:55 AM

TrackBack said:

Q
# June 10, 2005 1:57 AM

TrackBack said:

The Browser Ate My Homework
# June 10, 2005 1:58 AM

TrackBack said:

/YX Switch Is The Best Thing Ever
# June 10, 2005 2:02 AM

TrackBack said:

Microsoft's Shared Source Director Is Bloggingooeess
# June 10, 2005 2:03 AM

TrackBack said:

Building with BUILDooeess
# June 10, 2005 2:04 AM

TrackBack said:

Inisde Windows, 4eooeess
# June 10, 2005 2:05 AM

TrackBack said:

Low-Level Codingooeess
# June 10, 2005 2:07 AM

TrackBack said:

Real-Life Debugging, Final Answerooeess
# June 10, 2005 2:10 AM

TrackBack said:

A Real-life Debugging Challengeooeess
# June 10, 2005 2:11 AM

TrackBack said:

Dummy Pagesooeess
# June 13, 2005 8:23 PM

Steve Dispensa said:

Sounds like perfect example of comparing apples and oranges. Need real case study and example.
# June 14, 2005 12:59 PM

Steve Dispensa said:

kernel data inpage error
# July 3, 2005 10:40 AM

Steve Dispensa said:

The article is very, very excellent.
But I need more information on this. Can you please send it to me?
vamshi.k@optis.cc
Regards
vamsi.k
# July 10, 2005 11:22 PM

Steve Dispensa said:

very very excellent
# July 10, 2005 11:22 PM

Steve Dispensa said:

You have rather good site about compilers - http:/www.compilers.net
# July 11, 2005 5:46 AM

Steve Dispensa said:

If my memory is correct, the code for this bug check is 0xdeaddead. ;)
# July 12, 2005 6:22 AM

Steve Dispensa said:

I didn't make it to the DevCon/Hec due to moving to CA from the north east. I missed the dinner. What do you mean by "attract smart and interesting people to build its products"? Were they recruiting you?
# July 19, 2005 1:12 AM

Steve Dispensa said:

Haha... no, they weren't recruiting me. I'm just always struck by the fact that the particular Microsoft teams that I've gotten to hang around for a few years (mostly kernel-related) seem to be pretty cool.

I'm sure there are lots of cool places to work. Microsoft, to my initial surprise, seems to be one of them.
# July 19, 2005 10:38 AM

Steve Dispensa said:

Yeah, and a house in Redmond is much more affordable than in California as of today :)
# July 20, 2005 1:42 AM

Steve Dispensa said:

Well, I'm only 15, but I've made a few programs using VB6 and I'd like to try learning more about programming and maybe do that as a career. Any suggestions?

walter_nguyen@hotmail.com
# July 23, 2005 2:28 PM

Steve Dispensa said:

We have a Compaq server that randomly restarts. The only error message in the Event Logs states "System Rebooted."

How can I force the system to write more data to the event log when it restarts?
# July 25, 2005 2:50 PM

Steve Dispensa said:

"JAVA" -- there, now you have to fire me.
# August 4, 2005 2:41 PM

Steve Dispensa said:

Anyone with enough patience to solve problems and a curious mind will be capable of being a "mediocre" programmer.
To be a great programmer, one has to be a scientist who continuously does R&D, and of course has a great IQ for doing the logic. In other words, interest and intelligence play an important part here.

But to be a fantastic one, he needs to be a great team player who loves to share his knowledge with others, where this will multiply the efficiency of the whole team by a few hundred percent. So communication skill is the key word here.
# August 11, 2005 12:59 AM

Steve Dispensa said:

A little addition to that:
You can only use the right Ctrl to generate the dump.
(CRASH_R_CTRL)
# August 25, 2005 2:45 PM

Steve Dispensa said:

Wow, I cry like a baby whenever I'm reduced to serial ports. Firewire for WinDbg is da bomb.

The one trick to using firewire is that windbg seems to be somewhat hardware-sensitive. Windbg, at least older versions, wouldn't work with some firewire chips/cards. So I've found some firewire cards that I know work, and install these in the target system -- even if the target system already has firewire.

I haven't tried this with laptops, though... I don't know if a firewire PC card works at all...
# September 28, 2005 7:58 AM

Steve Dispensa said:

My two laptops use an "OHCI Compliant IEEE 1394 Host Controller / manufacturer IEEE 1394 OHCI Compliant Host Controller Vendor" and a "Texas Instruments OHCI Compliant IEEE 1394 Host Controller / manufacturer Texas Instruments" and I haven't had any problems doing 1394 debugging. For reference, the laptops in question are Dells, an Inspiron 9300 and an Inspiron 8500.

Some more points about 1394 debugging:

- The first time you are running WinDbg/kd in 1394 mode on your debugger PC, you need to run WinDbg/kd as an Administrator because it has to install a special 1394 driver. Subsequent uses work fine as a limited user.
- 1394 debugging disables the 1394 port on the target computer much like serial, which is a pain if you use 1394 for networking or an external HD (like I do).
# September 29, 2005 12:06 PM

Steve Dispensa said:

The tools are part of the Windows AIK (Automated Installation Kit). ximage.exe will let you do everything from mounting, extracting and creating new layers inside the image. Although it may seem more complicated at first, the extra versatility and customization is much worth it. One of the AIK devs has a blog on msdn.com; it's worth a read.

Best regards,
Alex Ionescu
Kernel Developer
# October 14, 2005 12:12 AM

Steve Dispensa said:

I have a bacoc D900 (http://www.bacoc.com) which is similar to the Sager or the same.

Does anybody know where I can find x64 drivers for Windows XP 64bit?
# October 16, 2005 4:19 PM

Steve Dispensa said:

Which thread was this?
# October 22, 2005 7:14 AM

Steve Dispensa said:

I think this is on point. Scanning all the libraries would definitely build a nice data set for testing.
# November 8, 2005 9:34 AM

Steve Dispensa said:

I'd pay 50 bucks a month for Tivo - it's that worth it to me.

But market forces cause it to be 10 to 20 a month. Schweet.
# November 11, 2005 12:11 PM

Steve Dispensa said:

Awesome! This looks like it will come in very handy in verifying kd sessions in our lab. :D
# November 13, 2005 4:14 AM

Steve Dispensa said:

A fixed Windows-Tab is coming in Vista. Enjoy!
# November 13, 2005 11:34 PM

Steve Dispensa said:

Another site that I find useful is http://www.dnsstuff.com/
# November 15, 2005 3:47 PM

Steve Dispensa said:

There are earlier sources of Regmon and Filemon floating on the web. You could check them out before diving into reversing Regmon.
# November 17, 2005 2:28 PM

Steve Dispensa said:

Someone asked about RegMon in Mark's blog and this was my answer:

"I got curious after reading your question and I took a look at the drivers that came with regmon.exe; the main difference that I've found is that the old NT driver imports KeServiceDescriptorTable to hook a couple of functions and the 2K3 driver doesn't import it but it imports two functions to 'hook' and 'unhook' the registry provided by Microsoft: CmRegisterCallback and CmUnRegisterCallback.

After discovering this I went to MSDN and found that these functions are available from XP, so I got confused again.

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/Kernel_r/hh/Kernel_r/k102_ec214e13-1342-48b5-9a31-8c6c9da57cd6.xml.asp

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/Kernel_r/hh/Kernel_r/k102_13cbc14e-4652-4a3d-a87e-f6eef883f912.xml.asp

I'm not sure but maybe this fact is the one that hit the target:

"For Windows XP, the system only makes post-notification calls only when a registry key is created or opened. For Microsoft Windows Server 2003 and later operating systems, the system makes post-notification calls for every registry operation"

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/Kernel_r/hh/Kernel_r/DrvrRtns_988f8f3d-4ee8-4351-8fc0-703a88bd8421.xml.asp

Anyway, all that I have said is pure speculation :=)"

http://www.sysinternals.com/blog/2005/09/multi-platform-images.html
# November 21, 2005 2:32 AM

Steve Dispensa said:

No, you're not alone!
# November 23, 2005 8:33 PM

Steve Dispensa said:

I did too.

Will somebody create a similar service?
# December 4, 2005 7:32 AM

Khurram Aziz said:

Over the last few years, the frequency of rebooting Windows has decreased. People have started making good installers....
# February 19, 2006 10:31 PM

Usermode Troubleshooooo..ting paper said:

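Feedback collection and replies === Please leave your feedback on this article here by adding a comment; I will collate it and reply promptly. If you do not want others to see your feedback, you can click the Email link on the right to send me an email: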
http://blogs.msdn.com/lixiong/contact.aspx...
# August 3, 2006 9:55 AM

Kernel Mustard » Blog Archive » Whence came function hooking? said:

Pingback from Kernel Mustard » Blog Archive » Whence came function hooking?

# June 14, 2007 12:46 AM

» Hot Patching said:

Pingback from » Hot Patching

# June 14, 2007 9:02 AM

Start Coding Right Now! » How Do I Become A Programmer? said:

Pingback from  Start Coding Right Now!  » How Do I Become A Programmer?

# June 30, 2009 2:48 AM
