I recently ran into a customer having decryption problems on Windows 8.1.
The data was encrypted using a symmetric key created on Windows 7 and exported as an OPAQUEKEYBLOB.
When importing the key on Windows 8.1 and then attempting to decrypt, CryptDecrypt failed with NTE_BAD_DATA.
It turns out that there was a fair amount of code change to CryptoAPI on Windows 8.1 and the OPAQUEKEYBLOB is slightly different from Windows 7.
The key blob is compatible moving in the following directions:
Win 7 -> Win 7
Win 8.1 -> Win 8.1
Win 8.1 -> Win 7
However, when going from Win 7 -> Win 8.1, there's a different interpretation of the key blob.
There's an easy fix to this problem. There is an offset (0x14) that indicates the size of what is defined as a "packed key".
If this size is set 0, the Win 8.1 code will execute a different code path and successfully imports the key blob.
// lpBlob contains the OPAQUEKEYBLOB
*(DWORD *)(lpBlob + 0x14) = 0; // Set the packed key length to zero
bResult = CryptImportKey(hProv, lpBlob, dwBlobLength, 0, CRYPT_EXPORTABLE, &hKey);
if (bResult == FALSE)
{
// Import failed
}
// Decrypt the data
bResult = CryptDecrypt(hKey, 0, TRUE, 0, lpCypherText, &dwCypherTextLength);
if (bResult == FALSE)
{
// Decryption failed
}
// Decryption succeeded
↧
An OPAQUEKEYBLOB exported via CryptExportKey on Windows 7 is incompatible with Windows 8.1
↧
Hotfix Releases for Windows: March 2015
Here are the Windows hotfix releases for March 2015
KB2688074 An access violation occurs on a domain controller that is running Windows Server 2008 R2 or Windows Server 2008
KB2928562 Event 55 when you copy an encrypted folder to EFS shared folder in Windows
KB3012644 Items disappear or are duplicated on All Programs menu after moving icons in Windows 7 or Windows Server 2008 R2
KB3014783 "RDS busy" or "The Group Policy Client failed logon" error when you log on to an application in Windows Server 2008 R2
KB3027577 "0x0000007F" Stop error when you run both data encryption and antivirus software in Windows 7 or Windows Server 2008 R2
KB3031085 "0x000000D5" Stop error on a ConfigMgr server that is running Windows Server 2008 R2 SP1
KB3031311 Duplicate SPNs cannot be detected in Windows 7 SP1 or Windows Server 2008 R2 SP1
KB3036150 Remote desktop users can see the printers of the other users in Windows 7 SP1 or Windows Server 2008 R2 SP1
KB3037941 Files are replaced even though they are not changed when you run Robocopy command in Windows 7 or Windows Server 2008 R2
KB981538 You receive broken messages in the Ftp command output logs on a computer that is running Windows
KB2970653 A SQL Server that is running in a Hyper-V virtual machine takes a long time to restore a database to a dynamic VHD
KB3003689 Exit code improvements for Task Scheduler event log in Windows 8 and Windows Server 2012
KB3004070 VSS task schedule is not created as you configure if shadow copy storage is on another share disk in Windows
KB3014069 Performance regressing in Hyper-V guest system in Windows Server 2012 R2 or Windows 8.1
KB3014136 PowerShell transcript file doesn't contain the correct information in Windows Server 2012 R2
KB3014406 Startup delay occurs after you disable IPv6 in Windows
KB3016407 Message Queueing resource takes long time during startup and failover in Windows Server 2012 R2 or Windows Server 2012
KB3018454 XPS printing fails if your preferred printer settings have decimal data in Windows
KB3020717 VMMS crashes when you perform live migration and request VM information at the same time in Windows Server 2012 R2
KB3021052 Monitor that uses the WMI service stops working for the cluster service in Windows
KB3021190 IME freezes for a while when you input text in Windows
KB3021946 Frozen application dialog box appears if you tap the screen after you select language during OOBE process in Windows
KB3022752 A custom authentication package causes an error on a computer that is running Windows 8.1
KB3022776 Update to add support for Generic Routing Encapsulation in Windows 8.1 and Windows Server 2012 R2
KB3023555 A short delay is experienced in IPsec connections if RSS feeds are enabled on a computer that is running Windows Server 2012 R2
KB3023869 Crash on Windows 8.1 or Windows Server 2012 R2 when a WPF driver calls the FwpsConstructIpHeaderForTransportPacket0 function
KB3024252 NBL tracking buffer is too small when you troubleshoot NBL issues in Window 8.1 or Windows Server 2012 R2
KB3025370 You cannot access server share in System Center 2012 R2 Configuration Manager in Windows
KB3027123 Premature events on Windows Server 2012 R2 when you run RRAS together with VPN static pools
KB3027174 Insufficient MBCS file name support on the FTP client in Windows
KB3029348 "0x00000133" Stop error on CHT or BYT platform computers that are running Windows 8.1 or Windows Server 2012 R2
KB3030039 "0xC000021B" error when you insert an NBL that contains multiple net buffers for IPv6 in Windows
KB3031436 Windows Store apps cannot be updated automatically when proxy service is used in Windows
KB3032331 "0x0000007E" Stop error on a multiple sockets server that is running Windows Server 2012 R2
KB3032590 "STATUS_TRUSTED_RELATIONSHIP_FAILURE" error when you log on to Office 365 from AD FS proxy in Windows
KB3033446 Wi-Fi connectivity issues or poor performance on CHT platform computers in Windows 8.1
KB3033917 AD FS cannot process SAML response in Windows Server 2012 R2
KB3033918 Disk resource does not come online in Windows Server 2012 R2 or Windows Server 2008 R2-based failover cluster
KB3033930 Hotfix increases the 64K limit on RIO buffers per process for Azure service in Windows
KB3035025 Hotfix for update password feature so that users are not required to use registered device in Windows Server 2012 R2
KB3035444 "0x000000F5" Stop error when data deduplication is enabled on Windows Server 2012
KB3035465 PowerShell 3.0 might not execute switch statements in Windows 8 or Windows Server 2012
KB3035899 DirectAccess clients cannot establish connections when you use an authenticated web proxy from extranet in Windows
KB3036155 Scanning application crashes upon close after you perform a scan in Windows
KB3036575 "0x000000C2" Stop error when you transfer large files over SMB 2.0 in Windows Server 2012
KB3036579 CA server freezes when you use an Eseutil utility to defrag an .edb database file in Windows Server 2012 R2
KB3036606 Windows 8.1 mobile broadband may not auto-reconnect after it resumes from connected standby
KB3036614 "0x000000D1" Stop error when you fail over a cluster group in Windows Server 2012 R2
KB3036965 Printing preferences window appears behind a RemoteApp window in Windows
KB3037317 xHCI controller disappears after you rescan the hardware in Device Manager in Windows 8.1
KB3037924 You cannot do System Image Backup to Blu-ray media in Windows
KB3038002 UHS-3 cards cannot be detected in Windows on Surface devices
KB3038017 Client computer does not obtain IP address from a DHCP failover that is running Windows Server 2012 R2
KB3038022 Background download of files cannot be resumed in Windows 8.1 or Windows RT 8.1
KB3038024 DNS names cannot be resolved and other DNS related issues occur in Windows Server 2012 R2
V/R,
Nathan Manis
Follow us on Twitter, www.twitter.com/WindowsSDK
↧
↧
Accidental Denial of Service through Inefficient Program Design Part 2 – Incorrectly Implementing Interfaces
There are few things that are more annoying as a user than to have the performance of a computer which they’re using grind to a halt. This series will outline program design flaws that I’ve run across, explain what they are, how they impact the system, example scenarios where the impact will be exacerbated, and safer alternatives to accomplish the same programming goal. In part two of this series, we’ll be exploring:
Incorrectly Implementing Interfaces
What It Is
There are a multitude of entry points in Windows where functionality can be added to, enhanced, or even replaced through the use of objects which implement interfaces. In many if not most of those cases, such entry points affect the user experience across many applications but are not implemented in their own processes. In other words, the system will load those objects in other processes to use them as those processes use system functionality that those objects integrate with. Some common examples of this would be user mode drivers and shell extensions.
How It Impacts the System
When an interface is documented, the expected behavior of each interface member is described as well as the expected behavior of the module function exports which will give access to initial objects. When those members or functions do not behave in ways the documentation states that they are required to behave, unexpected results can happen. Commonly these unexpected results take place in processes who haven’t done anything wrong, and it is difficult to figure out what the real root problem is for a veteran programmer while the average user or administrator incorrectly blames the application who was the victim of the bad code. It can lead to frustration with the system and even system restores and reinstalls by users who can’t resolve their issues.
Example Scenario of Exacerbation
I recently had a case where this exact kind of thing was happening; while I won’t name the specific parties involved, the scenario that I’m about to go over is in a commonly distributed component and has been known to affect the users of many applications. The interface in this scenario is IWiaTransferCallback, and the object implementing the interface which ultimately causes the problem is passed to the IWiaTransfer::Download method of a system provided object.
First, let’s go over what an object implementing IWiaTransferCallback, which inherits from IUnknown and is COM based, and the module which contains is required to do based on the documentation above and the content which it links to:
1. The object needs to implement the GetNextStream, TransferProgress, QueryInterface, AddRef, and Release methods.
2. The module needs to implement and export the DllCanUnloadNow and DllGetClassObject methods.
Due to the actual problem in this scenario, we’re going to ignore the DllGetClassObject, GetNextStream, TransferProgress, and QueryInterface and assume that they are all implemented correctly. This takes out all of the functionality specific to IWiaTransferCallback and leaves us with some basic COM interface implementation methods. The linked documentation on MSDN already does a great job of what each of these are supported to do, so I’ll only include a brief snippet here:
AddRef – increments the number of references to an object
Release – decrements the number of references to an object; also frees the object when there are no longer any references to the object
DllCanUnloadNow - determines whether the module from which it is exported is still in use; a module should be considered to be no longer in use when it is not managing any existing objects which should be determined by the reference count for all of its objects to be zero
What that boils down to is that each object should have its own reference counter so it knows whether or not it is safe to be freed, and that each object type should have its own reference counter so that the module knows whether or not an instance of each of its types is open or not. There is a caveat to this though; the DllCanUnloadNow function doesn’t have to be exported in some scenarios and in other scenarios it is an informative context instead of an inquisitive context. In the former case, the module won’t be unloaded until COM is uninitialized. In the latter, the function will be called before the module is unloaded but the result of the function will be ignored. In both cases, the module is still responsible for keeping objects and itself available while they are still in use. Whether or not these apply can be derived from the documentation for the specific interface(s) being implemented.
In this scenario, the implementer of IWiaTransferCallback, part of a scanner mini-driver, neglected to properly implement these functions. AddRef and Release always returned zero, it didn’t keep track of its references properly otherwise, and it allowed the module to be unloaded prematurely. When IWiaTransfer::Download was called, the system called AddRef more times than it called Release on the object before returning since it was still using that object in a RPC call. The module didn’t account for this this, the Release function pointed to an address within the module, and when the system later went to call Release on the object when it was done with it, the Release function no longer existed in memory. The result of that was an access violation which crashed whichever application was using the driver to retrieve a scan when the application called CoUninitialize to initiate cleanup on a thread. In the case of an application that only used COM from one thread, this resulted in the application crashing on exit. This turned out to be particular problematic for applications which implemented COM on multiple threads though as it caused the application to crash whenever it cleaned up the thread that was doing the scanning.
Luckily, there was an easy way to work around this particular problem. An application using this driver could call GetModuleHandleEx with the flags set to not unload the module before the module was unloaded. This came with the cost of having to leave the module in memory when it really shouldn’t be needed and wasn’t something that the application should have needed to do had the driver implemented things correctly. It did fix the problem for end users with a fairly trivial amount of code though.
Safer Alternatives
The simplest thing to do in a case like this would be to use a framework or language that already takes care of basic IUnknown implementation for you when implementing interfaces which inherit from IUnknown. A couple of examples of this would be ATL for C++ or exposing a COM Interface from a CLR binary. If you are going to implement IUnknown on an object from scratch, make sure you do it correctly. Returning the correct value for AddRef and Release and makes it substantially easier to verify behavior external to your object, but the more important thing is that your module doesn’t let itself be unloaded while its address space is being used.
Follow us on Twitter, www.twitter.com/WindowsSDK.
↧
How to register for File Dialog notifications from Shell namespace extension
If you are implementing a shell namespace extension and want to know when a file system item in your shell namespace extension is chosen by the user from Open Dialog, this blog post is for you.
The basic steps on how to do this as follows:
- Implement IObjectWithSite in your COM class that is passed to SHCreateShellFolderView inSFV_CREATE::psfvcb.
- In your implementation of IObjectWithSite::SetSite, query IUnknown *pUnkSite for SID_SExplorerBrowserFrame service to retrieve IFileOpenDialog interface.
Note: it will be NULL if your namespace extension is not hosted by Open Dialog as the interface name suggests. - Implement IFileDialogEvents::OnFileOk in a COM class and pass it to IFileDialog::Advise (IFileOpenDialog is derived from IFileDialog)
OnFileOK will be called when a file system item in your shell namespace extension is chosen by the user from Open Dialog.
Here is how this can be implemented:
classCFolderViewCB : publicIShellFolderViewCB,
publicIFolderViewSettings,
publicIObjectWithSite
{
public:
CFolderViewCB() : _cRef(1), m_pUnkSite(NULL), m_cookie(0), m_fileOpenDialog(NULL) {}
// IUnknown
IFACEMETHODIMP QueryInterface(REFIIDriid, void **ppv)
{
staticconstQITAB qit[] =
{
QITABENT(CFolderViewCB, IShellFolderViewCB),
QITABENT(CFolderViewCB, IFolderViewSettings),
QITABENT(CFolderViewCB, IObjectWithSite),
{ 0 },
};
return QISearch(this, qit, riid, ppv);
}
…
IFACEMETHODIMP SetSite(IUnknown *pUnkSite);
IFACEMETHODIMP GetSite(REFIID riid, void **ppvSite);
private:
…
IUnknown *m_pUnkSite;
DWORD m_cookie;
IFileOpenDialog *m_fileOpenDialog;
};
…
HRESULTCFolderViewCB::SetSite(IUnknown *pUnkSite)
{
if (m_pUnkSite != NULL)
{
m_pUnkSite->Release();
if (m_fileOpenDialog != NULL)
{
m_fileOpenDialog->Unadvise(m_cookie);
m_fileOpenDialog->Release();
m_fileOpenDialog = NULL;
m_cookie = 0;
}
}
m_pUnkSite = pUnkSite;
if (m_pUnkSite != NULL)
{
m_pUnkSite->AddRef();
HRESULT hr = IUnknown_QueryService(m_pUnkSite, SID_SExplorerBrowserFrame, IID_PPV_ARGS(&m_fileOpenDialog));
if (SUCCEEDED(hr))
{
IFileDialogEvents *fileDialogEvents;
hr = FileDialogEvents_CreateInstance(IID_PPV_ARGS(&fileDialogEvents));
if (SUCCEEDED(hr))
{
hr = m_fileOpenDialog->Advise(fileDialogEvents, &m_cookie);
fileDialogEvents->Release();
}
if (FAILED(hr))
{
m_fileOpenDialog->Release();
m_fileOpenDialog = NULL;
}
}
if (FAILED(hr))
{
//OutputDebugString(L"Failed to subscribe for IFileDialogEvents::Advise\n");
}
}
returnS_OK;
}
HRESULTSTDMETHODCALLTYPECFolderViewCB::GetSite(REFIIDriid, void **ppvSite)
{
HRESULT hr = E_FAIL;
if (m_pUnkSite != NULL)
{
hr = m_pUnkSite->QueryInterface(riid, ppvSite);
}
if (FAILED(hr))
{
*ppvSite = NULL;
}
return hr;
}
classFileDialogEvents : publicIFileDialogEvents
{
public:
FileDialogEvents() : _cRef(1) {}
// IUnknown
IFACEMETHODIMP QueryInterface(REFIIDriid, void **ppv)
{
staticconstQITAB qit[] =
{
QITABENT(FileDialogEvents, IFileDialogEvents),
{ 0 },
};
return QISearch(this, qit, riid, ppv);
}
IFACEMETHODIMP_(ULONG) AddRef() { returnInterlockedIncrement(&_cRef); }
IFACEMETHODIMP_(ULONG) Release()
{
long cRef = InterlockedDecrement(&_cRef);
if (0 == cRef)
{
deletethis;
}
return cRef;
}
IFACEMETHODIMP OnFileOk(IFileDialog *pfd)
{
PWSTR filePath;
IShellItem *shellItem;
if (SUCCEEDED(pfd->GetResult(&shellItem)))
{
if (SUCCEEDED(shellItem->GetDisplayName(SIGDN_FILESYSPATH, &filePath)))
{
//OutputDebugString(filePath);
//OutputDebugString(L"\r\n");
CoTaskMemFree(filePath);
}
shellItem->Release();
}
returnS_OK;
}
IFACEMETHODIMP OnFolderChanging(IFileDialog * /*pfd*/, IShellItem * /*psiFolder*/)
{
returnE_NOTIMPL;
}
IFACEMETHODIMP OnFolderChange(IFileDialog * /*pfd*/)
{
returnE_NOTIMPL;
}
IFACEMETHODIMP OnSelectionChange(IFileDialog * /*pfd*/)
{
returnE_NOTIMPL;
}
IFACEMETHODIMP OnShareViolation(IFileDialog * /*pfd*/, IShellItem * /*psi*/, FDE_SHAREVIOLATION_RESPONSE * /*pResponse*/)
{
returnE_NOTIMPL;
}
IFACEMETHODIMP OnTypeChange(IFileDialog * /*pfd*/)
{
returnE_NOTIMPL;
}
IFACEMETHODIMP OnOverwrite(IFileDialog * /*pfd*/, IShellItem * /*psi*/, FDE_OVERWRITE_RESPONSE * /*pResponse*/)
{
returnE_NOTIMPL;
}
private:
~FileDialogEvents()
{
};
long _cRef;
};
HRESULT FileDialogEvents_CreateInstance(REFIIDriid, void **ppv)
{
*ppv = NULL;
HRESULT hr = E_OUTOFMEMORY;
FileDialogEvents *events = new (std::nothrow) FileDialogEvents();
if (events)
{
hr = events->QueryInterface(riid, ppv);
events->Release();
}
return hr;
}
Additional references:
IExplorerBrowser interface
https://msdn.microsoft.com/en-us/library/windows/desktop/bb761909(v=vs.85).aspx
Follow us on Twitter, www.twitter.com/WindowsSDK.
↧
Troubleshooting "Access Denied" errors
Anyone who has used Windows has encountered the dreaded "Access Denied" error. (AKA error code 5 or 0x5). This error typically implies you can't do something like open or save a file. The error implies that you have encountered some type of security issue.
In the past, an "Access Denied" issue came down to 2 things in Windows:
- Token
- DACL (Discretionary Access Control List)
A token represented a user and Windows compared it to the DACL of the secured object that the user was accessing. Windows was answering the basic question, "Does the user have the requested access to the secured object?". Once you dig into these 2 items, explaining an "Access Denied" error is easy but understanding whether this is the expected result is much more difficult. (I may discuss this further in a future BLOG post).
Lately, solving "Access Denied" issues have become more complex due to a new security feature which was introduced in many years ago (Windows VISTA), Mandatory Integrity Control (Integrity Levels). The purpose of Integrity Levels was to add an extra security check where a user running untrustworthy code is attempting to do something malicious. See the following for more information:
https://msdn.microsoft.com/en-us/library/windows/desktop/bb648648(v=vs.85).aspx
There are 4 levels of integrity in Windows. Different users in Windows have a different default integrity level.
- Anonymous - Anonymous User
- Low
- Medium - Normal User
- High - Elevated User (Administrator)
- System - LocalSystem
The best example of Integrity Level Usage is Internet Explorer's Protected Mode (See https://msdn.microsoft.com/en-us/library/bb250462%28v=vs.85%29.aspx?f=255&MSPPError=-2147217396 ) Basically, Internet Explorer is running in a Low Integrity Level. What this means is that even though a user may have the appropriate access to a file, the file cannot be accessed from Internet Explorer. I mentioned above that an access check was based on the system comparing the user's token with the secured object's DACL. Well, we need to check one more thing, the integrity level of the user's token and what level can access the secured object. A user can only access objects that have the same or lower integrity level. In the case of IE, most files and directories in Windows have a medium or higher integrity level and since IE Is running at a low integrity level, any code running in IE will not be able to access any files or directories even if the user has the appropriate permissions to the file or directory. The above article goes into details on finding the default low integrity level directory which IE can access. Integrity levels also impact the registry as well.
The integrity level for the user is stored in the token. The integrity level for a secured object is actually stored in the SACL but the ACEs are not System Aces but they are called System Mandatory Label ACEs. The Access Check is still the same but there is an additional check that needs to be made from the token and from the Security Descriptor.
So the next time you are dealing with an "Access Denied" error, do not forget to check the integrity levels of the user and the secured object. You'll save yourself a lot of time.
Follow us on Twitter, www.twitter.com/WindowsSDK.
↧
↧
Windows Hotfix List for April 2015
Jeff here, from the SDK team with the better late than never edition of the April 2015 Windows Hotfix list.
3027578 I/O failure during MPIO path failover in Windows Server 2008 R2 SP1
3031987 Hotfix rollup 3031987 for the .NET Framework 3.5.1 on Windows 7 SP1 and Windows Server 2008 R2 SP1
2884176 Large backlogs on Windows -based DFSR servers
2959626 Reliability improvements for Remote Desktop Session Host and RemoteApp
3013776 System freezes when you use a domain account to start an application in Windows
3027174 Insufficient MBCS file name support on the FTP client in Windows
3030736 "550 The process cannot access the file" error when you try to download a file in Windows
3031988 Hotfix rollup 3031988 for the .NET Framework 3.5 on Windows 8 and Windows Server 2012
3031989 Hotfix rollup 3031989 for the .NET Framework 3.5 SP1 on Windows 8.1 and Windows Server 2012 R2
3036173 "0x00000050" Stop error when Hyper-V host crashes in Windows Server 2012 R2
3036542 "This page failed to load" error when you run Windows Store apps in Windows 8.1 or Windows RT 8.1
3037318 Event ID 1511 when you start a task with some specific settings in Windows 8 or Windows Server 2012
3041832 CPU usage is high on an Exchange Server 2013 server in Windows 8.1 or Windows Server 2012 R2
3042127 "HTTP 400 - Bad Request" error when you open a shared mailbox through WAP in Windows Server 2012 R2
3042841 Files cannot be copied when drive redirection is enabled in Windows 8.1 or Windows Server 2012 R2
3044108 Update to improve battery performance and power schemes in Windows 8.1 or Windows Server 2012 R2
3044738 Performance improvement for WinHTTP when lots of HTTP requests are received in Windows
3046465 USB devices drain battery fast on a computer that is running Windows 8.1 or Windows Server 2012 R2
3046826 You cannot upgrade Hyper-V integration components or back up Windows virtual machines
3047296 RDP session becomes unresponsive when you connect to a Windows Server 2012 R2-based computer
3047646 Domain controllers restart unexpectedly and the Lsass.exe process crashes in Windows Server 2012 R2
3047732 HTTP 404" error when you access a website with URL redirection in Windows
3048161 4K resolution cannot be used to display videos in a Miracast session in Windows
3048469 Kernel debugging over network does not work on a Windows virtual machine
/Jeff
Follow us on Twitter, www.twitter.com/WindowsSDK.
↧
Hotfix Releases for Windows: May 2015
Here are the Windows hotfix releases for May 2015
KB3042839 Mstscax.dll file leaks handles on a Remote Desktop Protocol 8.1 client in Windows 7 or Windows Server 2008 R2
KB3045682 You cannot restore files and folders from Server Essentials Backup on a Windows-based computer
KB3050293 Cluster resources are not initialized correctly after Rhs.exe process crashes on a Windows Server 2008 SP2-based cluster
KB3051475 Cookies are not passed as part of a session when you make an HTTP connection in Windows 7 or Windows Server 2008 R2
KB3054251 Stop Error in Rdbss.sys and unsaved documents in Windows 7 SP1 or Windows Server 2008 R2 SP1
KB3056066 Backups fail for VMs with pre-existing software snapshots that use shadow storage set to a different drive in Windows 7 and Windows Server 2008 R2
KB2672277 Some services are preloaded unexpectedly on an IIS 7.5 server in Windows
KB3018489 "No host bus adapter is present" error when querying SAS cable issues in Windows Server 2012 R2 or Windows Server 2012
KB3025091 Shared Hyper-V virtual disk is inaccessible when it's located in Storage Spaces on a Windows Server 2012 R2-based computer
KB3033937 32-bit applications do not receive events when the WscRegisterForChanges function is used on 64-bit Windows 8.1
KB3036169 Reliability improvement update for Windows 8.1 and Windows Server 2012 R2: May 2015
KB3036614 "0x000000D1" Stop error when you fail over a cluster group in Windows Server 2012 or Windows Server 2012 R2
KB3041673 You cannot enter PIN on a PIN pad device after you insert a smart card into a Windows-based computer
KB3042534 the Sleep option is missing on a Windows 8.1-based computer that uses the Intel Skylake chipset
KB3042816 AD DS or AD LDS responds slowly to LDAP query that has an undefined attribute and an OR clause in Windows Server 2012
KB3042836 The Remote Desktop Active X control Mstscax.dll leaks thread handles in Windows 8.1
KB3044759 Black screen when you resume a laptop from hybrid shutdown in Windows
KB3045634 You cannot make a PPP connection after you reconnect a PLC device in Windows 8
KB3046394 WWAN device may disappear from charm bar on Intel BYT platform that is running Windows 8.1 or Windows Server 2012 R2
KB3046797 Single tunnel throughput drops after you install April 2014 update rollup on Windows Server 2012 R2
KB3046798 VPN gateway becomes unresponsive and a connection can't be established in Windows Server 2012 R2
KB3046799 Azure services overbill when you use point-to-site VPN service in Windows Server 2012 R2
KB3047280 "The URL cannot be resolved" error during network location server setup for a DirectAccess server in Windows Server 2012 R2
KB3047295 Virtual memory allocations for a 32-bit process fail in Windows Server 2012 R2
KB3048476 Application may not function correctly when it uses WMI queries in Windows
KB3048824 A w3wp.exe process crashes when a performance counter value is requested while the worker process shuts down
KB3049448 Resolution of external DNS records on a Windows Server 2012 R2 Hyper-V guest cluster fails through a Hyper-V Network Virtualization Gateway
KB3049605 Transparent graphic elements are filled when printed as XPS to a Windows 8.1 or Windows Server 2012 R2 Version 4 printer driver
KB3049843 You cannot access DPAPI data after an administrator resets your password on a Windows Server 2012-based domain controller
KB3050205 An IP Address Management error occurs in Windows Server 2012 R2 when a DNS record is deleted
KB3051395 No Wi-Fi connection if a Wi-Fi profile uses two or more SSIDs in Windows 8.1
KB3051472 DNS name resolution and DNSSEC validation fail in Windows Server 2012 R2
KB3051690 System becomes unresponsive when you use xcopy command to copy files in Windows Server 2012 R2
KB3053660 The ScriptShapeOpenType function returns bad data in the target array for the pwLogClust parameter in Windows
KB3053744 Applications play 5.1-channel audio content that uses only two channels in Windows
KB3054187 "Before you can print, you need to select a printer" error when you try to print from a 32-bit application in Windows 8.1 and Windows Server 2012 R2
KB3054249 Backup application that calls the VSS service becomes unresponsive when the DFSR service is running in Windows
KB3054290 Start screen and modern applications are displayed unexpectedly in German in Windows 8.1
KB3055292 Microsoft Hyper-V does not start on an AMD Carrizo-based computer that is running Windows 8.1 or Windows Server 2012 R2
KB3055343 Stop error code 0xD1, 0x139, or 0x3B and random crashes in Windows Server 2012 R2
KB3055778 Office 365 integration is unsuccessful if the Rights Management service is installed on Windows Server 2012 R2 Essentials
Follow us on Twitter, www.twitter.com/WindowsSDK
↧
How to obtain the list of visible columns in a shell view
I was recently looking into how to obtain the list of columns displayed in the shell view for a namespace extension that uses the default shell view (DefView). DefView provides the IColumnManager interface to manage the columns that can be displayed in in the view window. The following sample code demonstrates listing the visible columns for each shell view hosted in a shell browser window contained in the ShellWindows collection:
#include<windows.h>
#include<ShlObj.h>
#include<Shlwapi.h>
#include<propsys.h>
#include<stdio.h>
#pragma comment(lib, "propsys.lib")
#pragmacomment (lib, "shlwapi.lib")
HRESULT PrintShellViewColumns(IShellView *);
int wmain(int argc, wchar_t *argv[])
{
//
// For each item in the ShellWindows collection that has an active
// IShellView, print the list of visible columns in the view window
HRESULT hr = CoInitialize(NULL);
if (SUCCEEDED(hr))
{
IShellWindows *pShellWindows;
hr = CoCreateInstance(CLSID_ShellWindows, NULL, CLSCTX_LOCAL_SERVER,
IID_PPV_ARGS(&pShellWindows));
if (SUCCEEDED(hr))
{
long cWindows = 0;
hr = pShellWindows->get_Count(&cWindows);
for (long iWindow = 0;
SUCCEEDED(hr) && iWindow < cWindows;
iWindow++)
{
VARIANT vtIndex;
vtIndex.vt = VT_I4;
vtIndex.lVal = iWindow;
IDispatch *pDispatch;
hr = pShellWindows->Item(vtIndex, &pDispatch);
if (S_OK == hr))
{
IShellBrowser *pShellBrowser;
hr = IUnknown_QueryService(pDispatch,
SID_STopLevelBrowser,
IID_PPV_ARGS(&pShellBrowser));
if (SUCCEEDED(hr))
{
IShellView *pShellView;
hr = pShellBrowser->QueryActiveShellView(&pShellView);
if (SUCCEEDED(hr))
{
PrintShellViewColumns(pShellView);
}
pShellBrowser->Release();
}
pDispatch->Release();
}
}
pShellWindows->Release();
}
CoUninitialize();
}
return (int)hr;
}
void PrintHeader(IShellView *pShellView)
{
//
// Print a header that includes the display name of the folder displayed
// in the view window
IFolderView *pFolderView;
HRESULT hr = pShellView->QueryInterface(IID_PPV_ARGS(&pFolderView));
if (SUCCEEDED(hr))
{
IShellItemArray *pShellItemArray;
hr = pFolderView->GetFolder(IID_PPV_ARGS(&pShellItemArray));
if (SUCCEEDED(hr))
{
IShellItem *pShellItem;
hr = pShellItemArray->GetItemAt(0, &pShellItem);
if (SUCCEEDED(hr))
{
LPWSTR pszDisplayName;
hr = pShellItem->GetDisplayName(SIGDN_NORMALDISPLAY,
&pszDisplayName);
if (SUCCEEDED(hr))
{
wprintf(L"IShellView: %p Folder: %s\r\n",
pShellView, pszDisplayName);
CoTaskMemFree(pszDisplayName);
}
pShellItem->Release();
}
pShellItemArray->Release();
}
pFolderView->Release();
}
if (FAILED(hr))
{
//
// Print a generic header on an error
wprintf(L"IShellView: %p\r\n", pShellView);
}
wprintf(L"----------------------------------------\r\n");
}
void PrintFooter(IShellView *pShellView)
{
UNREFERENCED_PARAMETER(pShellView);
wprintf(L"\r\n");
}
void PrintPropertyKey(PROPERTYKEY &propkey)
{
LPWSTR pszCanonicalName = NULL;
HRESULT hr = PSGetNameFromPropertyKey(propkey, &pszCanonicalName);
if (SUCCEEDED(hr))
{
wprintf(L" %s\r\n", pszCanonicalName);
CoTaskMemFree(pszCanonicalName);
}
else
{
WCHAR szGuid[50];
ZeroMemory(szGuid, sizeof(szGuid));
hr = StringFromGUID2(propkey.fmtid, szGuid, ARRAYSIZE(szGuid));
if (SUCCEEDED(hr))
{
wprintf(L" %s,%d\r\n", szGuid, propkey.pid);
}
else
{
wprintf(L" Unknown. Error=%X\r\n", hr);
}
}
}
HRESULT PrintShellViewColumns(IShellView *pShellView)
{
IColumnManager *pColumnManager;
HRESULT hr = pShellView->QueryInterface(IID_PPV_ARGS(&pColumnManager));
if (SUCCEEDED(hr))
{
PrintHeader(pShellView);
UINT nColumns = 0;
hr = pColumnManager->GetColumnCount(CM_ENUM_VISIBLE, &nColumns);
if (SUCCEEDED(hr) && nColumns)
{
PROPERTYKEY *columns = new PROPERTYKEY[nColumns];
hr = pColumnManager->GetColumns(CM_ENUM_VISIBLE,
columns,
nColumns);
if (SUCCEEDED(hr))
{
for (UINT index = 0; index < nColumns; index++)
{
PrintPropertyKey(columns[index]);
}
}
delete columns;
}
pColumnManager->Release();
PrintFooter(pShellView);
}
return hr;
}
↧
FileSystemWatcher Follies
System.IO.FileSystemWatcher is a handy class that can be used to monitor directories for some types of changes with very little programming effort for the developer who uses it. For some situations, it’s incredibly useful. However, it often gets used in program designs with poor assumptions about how things are going to play out in a real world enterprise scenario, and that can lead to problems. I’ll be going over several examples below and using them to explain limitations of the FileSystemWatcher class, but before that, let’s discuss what the FileSystemWatcher actually does.
FileSystemWatcher: ReadDirectoryChangesW wrapped for .NET
System.IO.FileSystemWatcher is basically a wrapper class for the native API ReadDirectoryChangesW. There are some differences, mainly added parsing capabilities by FileSystemWatcher after it receives results from ReadDirectoryChangesW that it can use to decide whether or not to report the changes to its subscribers based on its settable properties. It’s the similarities that are going to matter in most cases though. This is the function prototype for ReadDirectoryChangesW from WinBase.h in the Windows 8.1 SDK:
WINBASEAPI BOOL WINAPI ReadDirectoryChangesW( _In_ HANDLE hDirectory, _Out_writes_bytes_to_(nBufferLength, *lpBytesReturned) LPVOID lpBuffer, _In_ DWORD nBufferLength, _In_ BOOL bWatchSubtree, _In_ DWORD dwNotifyFilter, _Out_opt_ LPDWORD lpBytesReturned, _Inout_opt_ LPOVERLAPPED lpOverlapped, _In_opt_ LPOVERLAPPED_COMPLETION_ROUTINE lpCompletionRoutine );
There is a restriction here that one probably wouldn’t notice when just looking at FileSystemWatcher: Only directories can be monitored, and while monitoring of sub-directories is optional, at least the entirety of the directory is going to monitored. So if FileSystemWatcher is set to watch a directory with a lot of activity but filtered to only watch one file, it is going to consume a lot of resources processing things that never make it back to its subscribers.
There’s also some guidance in the documentation that is often relevant to subscribers of FileSystemWatcher. When the buffer is overflown, ReadDirectoryChangesW returns ERROR_NOTIFY_ENUM_DIR, and FileSystemWatcher will report that with its OnError event as an InternalBufferOverflowException. When that happens, the documentation states that “you should compute the changes by enumerating the directory or subtree”. That effectively means that if an application using FileSystemWatcher wants to not miss changes that happen when a buffer overflow occurs, it needs to keep track of the state of things as they change, and whenever an InterBufferOverflowException is reported, manually enumerate things and compare it against its last known state to compute the changes.
With that basic overview complete, let’s move on to our examples.
Example 1: Attempting to detect when a file has been created and its contents finished writing to disk
This often happens when someone creates a design where data needs to be moved from one server to another, and when the data arrived at the destination, the destination needs to react to the data. In an effort to “simplify” things and not use networking code, some developers use the file system to pass data to another machine, either through a file sharing technology or another local service like FTP or SFTP. For this example, let’s say that Server A has an application that is creating files and then using a script to FTP them to Server B. Server B then has a service that is watching the directory where the FTP service is storing the files. When data through the form of files come into the directory, Server B attempts to open them and act on the data.
Obviously, there are a lot of holes in the strategy above, so we won’t cover all of them, but here are some highlights:
- There is no FileSystemWatcher event for when a file is closed.
- Monitoring for size changes and/or last_write is going to be affected by the disk cache if present.
- Suppose that the developers of the application realize the above two things and decide to send a second file over to indicate that the first file has finished transferring through FTP. This also will not work as there is no guarantee that the second file doesn’t get written before the first.
- Repeatedly trying to open a file when its creation is reported with no file sharing may eventually let you know when it is closed, but it will use a lot of resources and could become problematic if many started happening at once or if the directory being watched is accessed over the network.
Example 2: Attempting to watch for changes on a high traffic network share
This happens when the directory being watched has many files changing in it and/or subdirectories are being watched too and those have many changes happening. The buffer size for network paths is capped due to limits in the underlying network technologies used by file sharing protocols. If many changes are happening, the buffer will often overflow. In order to get the changes, the directory or directories will have to be enumerated. The more files that there are in a directory, the longer it takes to enumerate, so this can quickly add up to a lot of resources for the server actually hosting the files and delays for the application trying to access the information.
Watching a single directory without subdirectories and minimizing the number of files in that directory will improve performance and reduce the number of potential buffer overflows.
Example 3: Assuming that all directories behave the same way
Often times a developer will design an application that uses the FileSystemWatcher to monitor a modifiable path through some sort of configuration. If that developer assumes that the location will be a local hard disk on a physical machine, many unexpected problems could arise in the application. For instance, let’s go over some of the things that could happen if the user enters a path that ultimately ends up on a network file share:
- The remote file server may not be a Windows Server and may not properly support ReadDirectoryChangesW; though many other operating systems will support at least one protocol that does support ReadDirectoryChangesW, not all of them do, and that protocol may not be in use for some reason in the environment.
- There could be latency in the connection that causes performance problems in the application especially if the application performs synchronous I/O operations on GUI interacting threads. This could be actual network latency or it could just be the additional resources it takes to perform the same functionality against a remote system.
- The remote file server may be shut down incorrectly and fail to send a packet back to the machine to inform it that the handle is now invalid. If that happens, the FileSystemWatcher won’t report an error or any changes from that point on. It won’t know that there’s a problem, and there’s no built-in timeout mechanism for the class which is about the best one can do to cover this situation.
Wrapping up
In conclusion, FileSystemWatcher is a handy class, but its use needs to be thought about carefully when considering implementing it especially in enterprise scenarios in order to avoid unexpected scenarios within an application and be a good member of the computing ecosystem while achieving desirable outcomes.
Follow us on Twitter, www.twitter.com/WindowsSDK.
↧
↧
Printing successfully using impersonation from a 32-bit application on a 64-bit system
There is a known limitation with Windows x64 systems where 32-bit processes fail to print from a thread that uses impersonation (e.g. ImpersonateLoggedOnUser, WindowsIdentity.Impersonate). The simplest workaround is to convert the 32-bit application to 64-bit, but it is not always feasible, especially for legacy applications that rely on components that are only available in 32-bit. As 64-bit systems are getting more common and Windows Server OS has only been available in 64-bit since Windows 2008 R2, more applications are running into this limitation.
I have good news for you if your application is running into this on Windows 8.1 x64 or Windows 2012 R2. There is a hotfix available that addresses the limitation and it is downloadable from the following KB:
"Before you can print, you need to select a printer" error when you try to print from a 32 bit application in Windows 8.1 and Windows Server 2012 R2
https://support.microsoft.com/en-us/kb/3054187.
Why it did not work before.
On Windows 64-bit systems, printer drivers are available only in 64-bit, so they cannot be loaded into 32-bit processes. Thus, a 32-bit process will goes through a 64-bit proxy process called splwow64.exe for printing. I don't get into details of how it is implemented, but let's just say that if a thread is impersonating another user, it cannot communicate with the splwow64 process and any Print Spooler APIs that need to go through the proxy will fail.
How do you know if your application is running into this?
The error message described in the KB is actually from Windows 7 x64 and Windows 2008 R2 when you call:
[Win32]
LogonUser with LOGON32_LOGON_NEW_CREDENTIALS
ImpersonateLoggedOnUser with the token returned by LogonUser
PrintDlg or PrintDlgEx
[Windows Forms]
LogonUser with LOGON32_LOGON_NEW_CREDENTIALS
WindowsIdentity.Impersonate with the token returned by LogonUser
System.Windows.Forms.PrintDialog.ShowDialog
[WPF]
LogonUser with LOGON32_LOGON_NEW_CREDENTIALS
WindowsIdentity.Impersonate with the token returned by LogonUser
System.Windows.Controls.PrintDialog.ShowDialog
On Windows 8.1 x64 or Windows 2012 R2, you won't see any error message, but the following will occur instead:
[Win32] If you use PD_RETURNDC for PrintDlg or PrintDlgEx, it will fail to return a DC in PRINTDLGEX.hDC.
[Windows Forms] PrintDialog.Document.Print will throw Win32Exception: The handle is not valid.
[WPF] Interestingly you can proceed with printing without any problem.
However, when calling LogonUser with LOGON32_LOGON_INTERACTIVE instead of LOGON32_LOGON_NEW_CREDENTIALS, you will see something similar for Win32, Windows Forms and WPF: "Before you can perform printer-related tasks such as page setup or printing a document, you need to install a printer. Do you want to install a printer now?"
These are not the only manifestations of the limitation as any Print Spooler APIs that go through splwow64.exe will fail.
If you believe you are running into this limitation, please give the hotfix a try. For this to work, you also need to install the security update described in the following KB if you have not done so yet:
MS15-044 and MS15-051: Description of the security update for Windows font drivers
https://support.microsoft.com/en-us/kb/3045171/
Follow us on Twitter, www.twitter.com/WindowsSDK.
↧
Winsock’s Listen() Backlog Offers More Flexibility In Windows 8+
Jeff here from the SDK team.
A customer was writing a high performance computing type application that needed to handle lots of incoming winsock connections all at the same time.
Normally the listen() API is used to control the maximum number of incoming (backlogged) requests, but there is a caveat with the listen() API, we don't define the maximum limit of incoming requests that are allowed.
Per MSDN:
A value for the backlog of SOMAXCONN is a special constant that instructs the underlying service provider responsible for socket s to set the length of the queue of pending connections to a maximum reasonable value.
On Windows Sockets 2, this maximum value defaults to a large value (typically several hundred or more). When calling the listen function in a Bluetooth application, it is strongly recommended that a much lower value be used for the backlog parameter (typically 2 to 4), since only a few client connections are accepted. This reduces the system resources that are allocated for use by the listening socket. This same recommendation applies to other network applications that expect only a few client connections.
Starting in Windows 8, there is a new parameter for the listen() API.
/* Maximum queue length specifiable by listen. */
#define SOMAXCONN 0x7fffffff
#define SOMAXCONN_HINT(b) (-(b))
While SOMAXCONN was defined as 0x7fffffff, it was limited to a few hundred in Winsock 2, or as few as 5 in Winsock 1.
In Windows 8, we can pass in any number we want with the macro SOMAXCONN_HINT(b). So now in Windows 8, you have much more control over how many connections listen() will accept/backlog.
Enjoy.
/Jeff
Follow us on Twitter, www.twitter.com/WindowsSDK.
↧
FileSystemWatcher Fencing(Part 1)
This post is a follow up to the FileSystemWatcher Follies post. I received a lot of feedback that it would be useful to highlight what would be appropriate to guide against some of the pitfalls that I mentioned in that post. I’ll cover several of the issues here over a couple of posts and propose things that could be done to detect that they are there before using the FileSystemWatcher class against them. Though the code examples will all be in C#, there will be some P/Invoke involved here as not all of this functionality is exposed through .NET Framework classes at this time.
Determining whether a file system is local or remote
A lot of the pitfalls of the FileSystemWatcher class come into play when remote file shares are introduced. There are a couple of ways to do this based off of a file or directory path that we’ll go over; we’ll discuss each individually then show a code sample that incorporates all of them later on in the post:
GetFinalPathNameByHandle returns the final path, after resolving junctions such as symlinks, for the specified file. This means that it will return the full path to a file on a mapped drive for instance. Using it, we can quickly check for UNC paths.
GetFileInformationByHandleEx can obtain many different types of data, but the type that we’ll be most interested in is FILE_REMOTE_PROTOCOL_INFO. The most important thing about this function for determining whether a file system is local or remote is that it will simply fail with the error ERROR_INVALID_PARAMETER (87) if used against a non-remote share. Also, in the event that the path is from a local share and done through the loopback address, that information will be given too.
Determining what type of file sharing protocol is in use and whether or not a share is in offline mode
GetFileInformationByHandleEx /FILE_REMOTE_PROTOCOL_INFO comes into play again here. It lets us know what type of file sharing protocol is in use. Remember from the last post that FileSystemWatcher is not supported on all types of file shares. An example of what is obtained from this function can be found later on in this post.
Code Example – Extension for System.IO.FileInfo
Here is the code for a sample application which does the things mentioned above. Please do note that there would be some slight modifications necessary to use directory names instead of file names (use the supplied CreateFIleW to obtain a handle to the directory for use by the other functions and close it with CloseHandle when finished using it).
using System;using System.Collections.Generic;using System.IO;using System.Runtime.InteropServices;using System.Text;namespace FileInformationChecks {public enum FileInformationClassEnum : uint{ FileBasicInfo = 0,// FILE_BASIC_INFOFileStandardInfo = 1,// FILE_STANDARD_INFOFileNameInfo = 2,// FILE_NAME_INFOFileStreamInfo = 7,// FILE_STREAM_INFOFileCompressionInfo = 8,// FILE_COMPRESSION_INFOFileAttributeTagInfo = 9,// FILE_ATTRIBUTE_TAG_INFOFileIdBothDirectoryInfo = 0xa,// FILE_ID_BOTH_DIR_INFOFileIdBothDirectoryRestartInfo = 0xb,// FILE_ID_BOTH_DIR_INFOFileRemoteProtocolInfo = 0xd,// FILE_REMOTE_PROTOCOL_INFOFileFullDirectoryInfo = 0xe,// FILE_FULL_DIR_INFOFileFullDirectoryRestartInfo = 0xf,// FILE_FULL_DIR_INFOFileStorageInfo = 0x10,// FILE_STORAGE_INFOFileAlignmentInfo = 0x11,// FILE_ALIGNMENT_INFOFileIdInfo = 0x12,// FILE_ID_INFOFileIdExtdDirectoryInfo = 0x13,// FILE_ID_EXTD_DIR_INFOFileIdExtdDirectoryRestartInfo = 0x14// FILE_ID_EXTD_DIR_INFO} [StructLayout(LayoutKind.Sequential)]public struct FILE_REMOTE_PROTOCOL_INFORMATION{// Structure Versionpublic ushort StructureVersion; // 1 if before Windows 8 (ProtocolSpecificReserved only),
//2 if >= Windows 8 (Smb2 protocol information may be present - see properties)public ushort StructureSize; // sizeof(FILE_REMOTE_PROTOCOL_INFORMATION) // Protocol Version & Typepublic RemoteProtocolEnum Protocol; // Protocol (WNNC_NET_*) defined in winnetwk.h or ntifs.h.public ushort ProtocolMajorVersion;public ushort ProtocolMinorVersion;public ushort ProtocolRevision;public ushort Reserved;public long Flags;// Protocol-Generic Information[MarshalAs(UnmanagedType.ByValArray, SizeConst = 8)]public int[] GenericReserved; //Length is always 8 // Protocol specific information [MarshalAs(UnmanagedType.ByValArray, SizeConst = 16)]public int[] ProtocolSpecificReserved; //Length is always 16public int SMB2ServerCapabilities {get{if (StructureVersion == 2){return ProtocolSpecificReserved[0]; }return 0; } }public int SMB2ShareCapabilities {get{if (StructureVersion == 2){return ProtocolSpecificReserved[1]; }return 0; } }public int SMB2ShareCachingFlags {get{if (StructureVersion == 2){return ProtocolSpecificReserved[2]; }return 0; } } } [Flags]public enum RemoteProtocolFlags : uint{ Loopback = 1, Offline = 2, PersistentHandle = 4, Privacy = 8, Integrity = 0x10, MutalAuth = 0x20 }public enum RemoteProtocolEnum : uint{ MSNET = 0x00010000, SMB = 0x00020000, LANMAN = 0x00020000, NETWARE = 0x00030000, VINES = 0x00040000, TENNET = 0x00050000, LOCUS = 0x00060000, SUN_PC_NFS = 0x00070000, LANSTEP = 0x00080000, NINETILES = 0x00090000, LANTASTIC = 0x000A0000, AS400 = 0x000B0000, FTP_NFS = 0x000C0000, PATHWORKS = 0x000D0000, LIFENET = 0x000E0000, POWERLAN = 0x000F0000, BWNFS = 0x00100000, COGENT = 0x00110000, FARALLON = 0x00120000, APPLETALK = 0x00130000, INTERGRAPH = 0x00140000, SYMFONET = 0x00150000, CLEARCASE = 0x00160000, FRONTIER = 0x00170000, BMC = 0x00180000, DCE = 0x00190000, AVID = 0x001A0000, DOCUSPACE = 0x001B0000, MANGOSOFT = 0x001C0000, SERNET = 0x001D0000, RIVERFRONT1 = 0x001E0000, RIVERFRONT2 = 0x001F0000, DECORB = 0x00200000, PROTSTOR = 0x00210000, FJ_REDIR = 0x00220000, DISTINCT = 0x00230000, TWINS = 0x00240000, RDR2SAMPLE = 0x00250000, CSC = 0x00260000, THREEIN1 = 0x00270000, EXTENDNET = 0x00290000, STAC = 0x002A0000, FOXBAT = 0x002B0000, YAHOO = 0x002C0000, EXIFS = 0x002D0000, DAV = 0x002E0000, KNOWARE = 0x002F0000, OBJECT_DIRE = 0x00300000, MASFAX = 0x00310000, HOB_NFS = 0x00320000, SHIVA = 0x00330000, IBMAL = 0x00340000, LOCK = 0x00350000, TERMSRV = 0x00360000, SRT = 0x00370000, QUINCY = 0x00380000, OPENAFS = 0x00390000, AVID1 = 0x003A0000, DFS = 0x003B0000, KWNP = 0x003C0000, ZENWORKS = 0x003D0000, DRIVEONWEB = 0x003E0000, VMWARE = 0x003F0000, RSFX = 0x00400000, MFILES = 0x00410000, MS_NFS = 0x00420000, GOOGLE = 0x00430000, NDFS = 0x00440000 }internal partial class NativeMethods{ [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]internal static extern int QueryDosDeviceW( [MarshalAs(UnmanagedType.LPWStr)]string name,StringBuilder path,int pathSize ); [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]internal static extern int GetFileInformationByHandleEx(IntPtr hFile,int FileInformationClass,IntPtr fileInformation,int bufferSize ); [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]internal static extern int GetFinalPathNameByHandleW(IntPtr hFile,StringBuilder filePath,int fpLength,int flags ); [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]internal static extern int GetFileInformationByHandleEx(IntPtr hFile,int FileInformationClass_Remote_0x0d,ref FILE_REMOTE_PROTOCOL_INFORMATION fileInformation,int bufferSize ); [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]internal static extern IntPtr CreateFileW( [MarshalAs(UnmanagedType.LPWStr)]string lpFileName,uint dwDesiredAccess,uint dwShareMode,IntPtr lpSecurityAttributes,uint dwCreationDisposition,uint dwFlagsAndAttributes,IntPtr hTemplateFile ); [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]internal static extern int CloseHandle(IntPtr handle);internal const uint REMOTE_PROTOCOL_FLAG_LOOPBACK = 0x00000001;internal const uint REMOTE_PROTOCOL_FLAG_OFFLINE = 0x00000002;internal const uint ERROR_MORE_DATA = 234; }internal partial class NativeWrapped{public static string VerifyVolumeIndicator(string str) {if (str.StartsWith(@"\\?\")){return str; }else if (str.StartsWith(@"\?\")){return @"\" + str; }else if (str.StartsWith(@"?\")){return @"\\" + str; }else if (str.StartsWith(@"\")){return @"\\?" + str; }return @"\\?\" + str; }public static string RemoveVolumeIndicator(string str) {if (str.StartsWith(@"\\?\")){return str.Substring(4); }else return str; }public static string DeviceFromVolume(string volume) {string v = RemoveVolumeIndicator(volume); //Take off the \\?\if (v.EndsWith("\\")) { v = v.Substring(0, v.Length - 1); //Remove the trailing slash if present}StringBuilder sb = new StringBuilder(5000);if (NativeMethods.QueryDosDeviceW(v, sb, 5000) == 0)
Marshal.ThrowExceptionForHR(Marshal.GetHRForLastWin32Error());return sb.ToString(); }public static string GetFinalPathNameByHandle(IntPtr hFile, int flags = 0, bool throwOnError = true) {StringBuilder sb = new StringBuilder(10000);if (NativeMethods.GetFinalPathNameByHandleW(hFile, sb, 10000, flags) == 0){if (throwOnError) ThrowLastError(); }return sb.ToString(); }internal static void ThrowLastError() {Marshal.ThrowExceptionForHR(Marshal.GetHRForLastWin32Error()); } }public static class FileInfoExtension{//Gets remote protocol information for a FileInfo instancepublic static FILE_REMOTE_PROTOCOL_INFORMATION GetRemoteProtocolInformation(this FileInfo fi) {//FileStream gives access to the handleusing (FileStream fs = fi.OpenRead()){FILE_REMOTE_PROTOCOL_INFORMATION f = new FILE_REMOTE_PROTOCOL_INFORMATION(); f.StructureVersion = (Environment.OSVersion.Version.Major >= 6 &&
Environment.OSVersion.Version.Minor >= 2) ? (ushort)2 : (ushort)1; f.StructureSize = (ushort)Marshal.SizeOf(f);if (NativeMethods.GetFileInformationByHandleEx(fs.SafeFileHandle.DangerousGetHandle(), (int)FileInformationClassEnum.FileRemoteProtocolInfo,ref f, f.StructureSize) == 0){NativeWrapped.ThrowLastError(); }return f; } }//Gets remote protocol information for a FileInfo instance and returns the error codepublic static int TryGetRemoteProtocolInformation(this FileInfo fi, out FILE_REMOTE_PROTOCOL_INFORMATION f) {//FileStream gives access to the handleusing (FileStream fs = fi.OpenRead()){ f = new FILE_REMOTE_PROTOCOL_INFORMATION(); f.StructureVersion = (Environment.OSVersion.Version.Major >= 6
&& Environment.OSVersion.Version.Minor >= 2) ? (ushort)2 : (ushort)1; f.StructureSize = (ushort)Marshal.SizeOf(f);if (NativeMethods.GetFileInformationByHandleEx(fs.SafeFileHandle.DangerousGetHandle(), (int)FileInformationClassEnum.FileRemoteProtocolInfo,ref f, f.StructureSize) == 0) {int lastError = Marshal.GetLastWin32Error();return lastError; } }return 0; }//Gets the final path name for a FileInfo instancepublic static string FinalPathName(this FileInfo fi) {using (FileStream fs = fi.OpenRead()){return NativeWrapped.GetFinalPathNameByHandle(fs.SafeFileHandle.DangerousGetHandle()); } }//Short and simple way to determine if the final path is UNCpublic static bool FinalPathNameIsUNC(this FileInfo fi) {string finalPathName = FinalPathName(fi);if (!string.IsNullOrEmpty(finalPathName)) {if (finalPathName.StartsWith(@"\\?\UNC\")) {return true; } }return false; }//Returns a DriveInfo instance for a FileInfo instance if one can be obtained, otherwise returns nullpublic static DriveInfo GetDriveInfo(this FileInfo fi) {//Final Path without the volume indicatorstring finalPath = FinalPathName(fi);//Remove the volume indicator if not nullif (!string.IsNullOrEmpty(finalPath)) { finalPath = NativeWrapped.RemoveVolumeIndicator(finalPath); }//Extract the drive letter if possibleif (!string.IsNullOrEmpty(finalPath)) {if (finalPath.Length > 1) {//e.g. C:, D:, etc.if (finalPath.Substring(1, 1).Equals(":")) {//DriveInfo wants just the drive letterreturn new DriveInfo(finalPath.Substring(0, 1)); } } }return null; }//Determines if the FileInfo instance is from a local pathpublic static bool IsRemote(this FileInfo fi, out bool offLine,
bool includeLoopbackAsLocal=false, bool verifyRemoteProtocolInfo=true) { offLine = false;//Try to get System.IO.DriveInfo firstvar driveInfo = GetDriveInfo(fi);if(driveInfo != null) {if(driveInfo.DriveType == DriveType.Network) {if (!verifyRemoteProtocolInfo && !includeLoopbackAsLocal) return true;FILE_REMOTE_PROTOCOL_INFORMATION frpi;int error = TryGetRemoteProtocolInformation(fi, out frpi);if (error == 0) { offLine = ((frpi.Flags & NativeMethods.REMOTE_PROTOCOL_FLAG_OFFLINE)
== NativeMethods.REMOTE_PROTOCOL_FLAG_OFFLINE);//Successfullif (includeLoopbackAsLocal) {return ((frpi.Flags & NativeMethods.REMOTE_PROTOCOL_FLAG_LOOPBACK)
!= NativeMethods.REMOTE_PROTOCOL_FLAG_LOOPBACK); }else{return true; } }else if (error == 87) //Invalid parameter{if (verifyRemoteProtocolInfo) {return false; }else return true; }else{NativeWrapped.ThrowLastError(); } } }else{//Failed to get the DriveInfo objectFILE_REMOTE_PROTOCOL_INFORMATION frpi;int error = TryGetRemoteProtocolInformation(fi, out frpi);if (error == 0) { offLine = ((frpi.Flags & NativeMethods.REMOTE_PROTOCOL_FLAG_OFFLINE)
== NativeMethods.REMOTE_PROTOCOL_FLAG_OFFLINE);//Successfullif (includeLoopbackAsLocal) {return ((frpi.Flags & NativeMethods.REMOTE_PROTOCOL_FLAG_LOOPBACK)
!= NativeMethods.REMOTE_PROTOCOL_FLAG_LOOPBACK); }else{return true; } }else{NativeWrapped.ThrowLastError(); } }return false; }//Determines if the FileInfo instance is from a local pathpublic static bool IsRemote(this FileInfo fi, bool includeLoopbackAsLocal=false,
bool verifyRemoteProtocolInfo=true) {bool offLine;return IsRemote(fi, out offLine, includeLoopbackAsLocal, verifyRemoteProtocolInfo); } }class Program{static void WriteInfo(string filename) {FileInfo fi = new FileInfo(filename);Console.WriteLine("Filename:\t{0}", filename);Console.WriteLine("Final Path Name:\t{0}", fi.FinalPathName());if (!fi.IsRemote()) {DriveInfo di = fi.GetDriveInfo();if (di != null) {if (di.IsReady) {Console.WriteLine("Root Directory:\t{0}", di.RootDirectory);Console.WriteLine("Drive Type:\t{0}", di.DriveType.ToString());Console.WriteLine("Drive Format:\t{0}", di.DriveFormat);if (!di.DriveType.Equals(DriveType.Network)) {return; } }else{Console.WriteLine("Drive not ready"); } } }var f = fi.GetRemoteProtocolInformation();Console.WriteLine("Remote Protocol Information:");Console.WriteLine("Protocol:\t{0} v{1}.{2}", f.Protocol.ToString(),
f.ProtocolMajorVersion, f.ProtocolMinorVersion);Console.WriteLine("Loopback:\t{0}", ((f.Flags & NativeMethods.REMOTE_PROTOCOL_FLAG_LOOPBACK)
== NativeMethods.REMOTE_PROTOCOL_FLAG_LOOPBACK));Console.WriteLine("Offline:\t{0}", ((f.Flags & NativeMethods.REMOTE_PROTOCOL_FLAG_OFFLINE)
== NativeMethods.REMOTE_PROTOCOL_FLAG_OFFLINE)); }static void Main(string[] args) {//notepadstring filePath1 = Path.Combine(Environment.SystemDirectory, "notepad.exe");//Admin cache notepad...needs elevation for this (or just use another path that doesn't require elevation)string filePath2 = string.Format(@"\\{0}\{1}", Environment.MachineName, filePath1.Replace(@":\", @"$\")); WriteInfo(filePath1);Console.WriteLine(); WriteInfo(filePath2);Console.ReadLine(); } } }
Sample output from a laptop named cllptop01 running Windows 8.1 with the code compiled to x86:
Filename: C:\Windows\system32\notepad.exe
Final Path Name: \\?\C:\Windows\SysWOW64\notepad.exe
Root Directory: C:\
Drive Type: Fixed
Drive Format: NTFS
Filename: \\CLLPTOP01\C$\Windows\system32\notepad.exe
Final Path Name: \\?\UNC\CLLPTOP01\C$\Windows\System32\notepad.exe
Remote Protocol Information:
Protocol: SMB v3.0
Loopback: True
Offline: False
Follow us on Twitter, www.twitter.com/WindowsSDK.
↧
What is up with "The application failed to initialize properly (0xc0000142)" error?
You've probably seen this error before in Windows at one time or another. Somebody launched calc.exe and it failed to run. The error doesn't tell you much. It provides you an hex error and your only option is to terminate the application.
I first encountered this error over 20 years ago and unfortunately, it is still around today.
There are primarily 2 actions that can cause this error:
- Launching lots of applications
- Launching an application as a different user
- Launching an application to a different desktop
This can happen from the user's desktop (the user who logged on by entering their credentials) or from a Windows Service. Programmatically, you launch applications using the family of CreateProcess APIs (CreateProcessAsUser(), CreateProcessWithLogonW(), CreateProcessWithTokenW()). Another thing you have to look out for in the call is whether, a desktop was specified in the STARTUPINFO struture:
typedefstruct _STARTUPINFO { DWORD cb; LPTSTR lpReserved;LPTSTR lpDesktop; ....... } STARTUPINFO, *LPSTARTUPINFO;
I'll come back to this later.
You'll see the API will succeed but if you check the exit code of the launched process (with GetExitCodeProcess()), it will return 128 or ERROR_WAIT_NO_CHILDREN, "There are no child processes to wait for."
If you are wondering what the error 0xc0000142 means in the above Message Box, you can find the error in ntstatus.h. It is STATUS_DLL_INIT_FAILED or "{DLL Initialization Failed} Initialization of the dynamic link library %hs failed. The process is terminating abnormally."
If you debugged the launched process and reviewed why Windows wasn't loading the DLL, it makes perfect sense that there was no error with CreateProcess (or CreateProcessAsUser) and the error was seen in the exit code of the launched process. CreateProcess's responsiblity is to find the exe and provide it to the Windows Loader, if this succeeds then CreateProcess() was done at this point. If the process can't load the DLLs that are required for it to run, this isn't the responsibility of the loader but is a failure with the application itself.
Why is this happening because of these actions?
It comes down to Windows Stations & Desktops. Before moving on, if you are not familiar with these objects, I suggest you read the following BLOG posts:
http://blogs.msdn.com/b/ntdebugging/archive/2007/01/04/desktop-heap-overview.aspx
http://blogs.technet.com/b/askperf/archive/2007/07/24/sessions-desktops-and-windows-stations.aspx
You can also read up on them in MSDN:
There are 2 issues you have to consider with Window Stations & Desktops:
- Desktop Heap Exhaustion - There is a limited amount of desktop heap (memory).
- Desktop Heap Security - When moving between users or desktops from the calling process, you have to ensure that the launched process has he appropriate permissions to the targeted process.
Let's first start with desktop heap exhaustion. There have been a lot of Blog Posts and KB articles on this topic. I will let you review the following links but I'll mention the following:
- Services (Session 0) have smaller desktop heaps than the INTERACTIVE desktop.
- Desktop Heap has increased with x64 systems.
- Desktop Heaps are smaller in Remote Desktop Sessions
There used to be a nice utility, Desktop Heap Monitor Version 8.1 to determine the amount of heap being used on your system. The only issue is that it was only supported on Windows 2000 and Windows Server 2003.
https://www.microsoft.com/en-us/download/details.aspx?id=17782
The only way to do this now is through the Kernel Debugger or through indirect methods such as creating as many Window Stations & Desktops to determine how much space is left.
http://blogs.msdn.com/b/ntdebugging/archive/2013/02/27/debugging-a-debugger-to-debug-a-dump.aspx
Desktop Permissions is the other issue where you could encounter this error. I touched this topic indirectly (following this BLOG post, you shouldn't encounter this issue) on the Windows SDK Support BLOG. "How to launch processes INTERACTIVELY from a service" See the following:
Years ago, I wrote the following KB article on how to deal with the issue by directly modifying the permissions on the Window Station and Desktop Object
"User32.dll or Kernel32.dll fails to initialize"
https://support.microsoft.com/en-us/kb/184802
I wouldn't recommend using this method anymore.
Today, the INTERACTIVE desktop permissions are accessed using the technique implemented in CreateProcessWithLogonW(). I discussed this in the following BLOG post:
I would recommend doing this to avoid directly modifying the permissions on a Window Station and Desktop controlled by the system since the system could make changes and negate yours and cause your application to not have any more permissions.
I will continue more posts on this topic in the future.
↧
↧
The Real Hotfix List of June 2015
Hey guys, Jeff here from the Windows SDK team. It is June and school’s out for the year and to go with that we have also have the June hotfix list.
Now with 100% more June Hotfixes!
3045682 You cannot restore files and folders from Server Essentials Backup on a Windows-based computer
3052122 Update adds support for compound ID claims in AD FS tokens in Windows Server 2012 R2
3052480 Unexpected ASP.NET application shutdown after update 3000850 is installed in Windows Server 2012 R2
3053666 MTU size settings changes are not retained in Windows 8.1 or Windows Server 2012 R2
3055615 A Windows Server 2012 R2 server becomes slow and unresponsive if update 2927901 is installed
3056053 Snapshot contents are not accessible when Server for NFS has handle signing enabled
3062563 Limited connectivity through a manual proxy setup in Internet Explorer and Windows 8.1 Enterprise
3063075 Many ID 129 events are logged when you run a Windows Server 2012 R2 virtual machine in Windows Azure
3063283 Update to improve the backup of Hyper-V Integrated components in Hyper-V Server 2012 R2
Enjoy!
/Jeff
Follow us on Twitter, www.twitter.com/WindowsSDK.
↧
.NET Hotfix Rollups for June
Jeff here from the Windows SDK Team. Just a quick blog with a few .NET Hotfix rollup articles today.
Issue 1
Assume that you use a Windows Presentation Foundation (WPF) application that has touch/stylus input. When the Windows is activated, you click a button. However, the button is not successfully clicked. If you are a developer, you cannot see the click event that should be raised for the button. If you are a general user, you cannot see the click action graphics, and no action that is associated with the button occurs.
Issue 2
Assume that you are running a Windows Forms application. When the application disposes a System.Windows.Forms.MonthCalendar control in certain cases, the following InvalidOperationException exception will be thrown: Operation is not valid due to the current state of the object.
Issue 1
When you insert a 4-byte character by using an Input Method Editor (IME) in a Windows Presentation Foundation (WPF) text box, a crash occurs.
/Jeff
Follow us on Twitter, www.twitter.com/WindowsSDK.
↧
Hotfixes and Patches for Windows for July 2015
Hey SDK friends, Jeff here with the July 2015 Hotfix List
3070714 "0x000000B8" Stop error during MPIO path failover in Windows Server 2008 R2 SP1
3062586 "0x000000D1" Stop error on a Windows Server 2012-based cluster
3066044 Custom Tool tile is not displayed on the troubleshooting menu in Windows Server 2012 R2
3066427 You cannot compress Windows image files because of memory leak in Windows 8.1
3066685 Strong key protection cannot be enforced in Windows 8.1 and Windows Server 2012 R2
3067900 Rotated italic text flows in the wrong direction when it's printed on a PCL6 printer in Windows 8.1
3068362 Remotely managed Server Manager does not find connected storage connected in Windows Server 2012 R2
3068445 Virtual machines that host on Windows Server 2012 R2 may crash or restart unexpectedly
3070746 Hotfix for certain devices to support MSI-X interrupt mode in Windows 8.1 or Windows Server 2012 R2
3071787 "0x0000007E" Stop error after you install service packs or hotfixes in Windows
3072380 Hyper-V cluster unnecessarily recovers the virtual machine resources in Windows Server 2012 R2
3072381 "0xc000017" error when you restart a UEFI-based computer in Windows
3072401 File system corrupts when you delete a file that has 4 GB-1 bytes of size on FAT32 system in Windows
Until August…
/Jeff
Follow us on Twitter, www.twitter.com/WindowsSDK.
↧
Windows August 2015 Hotfix List
Hey guys. Jeff here from the Windows SDK team. Here are this month’s hotfixes.
KB2966038 Printer managed by custom print providers is not visible in Devices and Printers in Windows
KB3071345 Start screen customization is disabled for a Windows Embedded 8.1 Industry Pro-based computer
KB3073902 NDES stops working after you restart a Windows Server 2012 R2-based CA server
KB3073922 Groups may not be assigned correctly after a node failure on a Windows Server 2012 R2-based failover cluster
KB3075161 Computer might crash during storage enumeration stack in Windows Server 2012 R2
KB3075610 Trust relationships are lost on secondary AD FS server after you add or remove claims provider in Windows Server 2012 R2
KB3075623 Configuring registry policy processing causes MUP to ignore Group Policy setting in Windows 7 or Windows Server 2008 R2
KB3075872 Application might stop working when it is used in Windows
KB3076946 CSV VSS writer does not report components after a deduplication volume is added to CSV in Windows Server 2012 R2
KB3076950 "STATUS_CONNECTION_RESET" error when an application reads a file in Windows Server 2012 R2 or Windows Server 2012
KB3077354 Computer freezes when WFP leaks nonpaged pool memory in Windows Server 2012 R2
KB3078405 "0x0000004A" or "0x0000009F" Stop error occurs in Windows 8.1
KB3078411 Tenant VMs lose network connectivity if NAT gateway VM exhausts all TCP/IP ephemeral ports in Windows Server 2012 R2
KB3078412 Rhs.exe process crashes during offline of IP address resource in Windows Server 2008 R2 SP1
KB3078689 The prompt is not displayed to the correct user in Windows Server 2012 R2-based RDS server
KB3078919 eMMC device is not detected as a storage device by Windows 8.1 or Windows Server 2012 R2
Follow us on Twitter, www.twitter.com/WindowsSDK.
Happy patching!
/Jeff
↧
↧
.NET Hotfix Rollup for August 2015
Jeff here,
There is a .NET hotfix rollup for August. 3078646
Issues that this hotfix rollup resolves
Issue 1
Assume that you have a Windows Presentation Foundation (WPF) application that creates an XPS file, and this XPS file has an embedded font that is missing some special characters. Assume then that you have another WPF application that prints this XPS file. In this situation, the missing characters may result in the document being printed in an incorrect font.
After you apply this update, WPF now includes the missing characters when you create a new XPS file if the font supports them.
Note This issue still occurs when you use the WPF application to print an old XPS file.
Issue 2
Assume that you run a touch-enabled WPF application on a computer that is running Windows 8 or a later version of Windows. You remove a tablet device from the computer while the device is being used, the WPF application crashes or you lose the touch promotion to mouse operations. This means clicking buttons may not work correctly and some touch specific actions could be broken.
WPF no longer immediately removes a tablet device when it is removed from the system. Instead, it delays this process until it can guarantee that there is no further pending input to be processed for the device. At that point, the device will be removed safely and normal touch operation will continue.
/Jeff
Follow us on Twitter, www.twitter.com/WindowsSDK.
↧
LogonUser + LOGON32_LOGON_NEW_CREDENTIALS, What is this flag used for?
A new flag was introduced in Windows VISTA for LogonUser(), LOGON32_LOGON_NEW_CREDENTIALS.
https://msdn.microsoft.com/en-us/library/windows/desktop/aa378184(v=vs.85).aspx
The remarks say the following for this flag:
"This logon type allows the caller to clone its current token and specify new credentials for outbound connections. The new logon session has the same local identifier but uses different credentials for other network connections."
Why was this flag introduced and what is it used for?
A common scenario in Windows is you need to access secured resources on a remote system as a different user through impersonation. Some APIs that you may call to access a remote Windows system include:
- RegConnectRegistry()
- OpenSCManager()
- WTSOpenServer()
Impersonation becomes really important in a scenario where you are attempting to access a server which has no trust with your system since you can't modify the permissions for the remote secured resource to allow your user access.
In the past, this was done by providing alternate credentials to the IPC$ share with WNetAddConnection2(). There is an old KB article which provides background information on IPC$:
Using IPC$ kind of stopped working in Windows VISTA for certain scenarios but a lot of developers today are still unaware of the changes.
Due to the limitations and scenarios where it doesn't work, a new flag was introduced in Windows VISTA for LogonUser(), LOGON32_LOGON_NEW_CREDENTIALS to address the weaknesses for this common scenario.
The way the flag works, if you impersonate the user, the user's credentials are only used on the remote system. Locally you are still using the identity of the process. On remote systems, the credentials will be used to generate a token on the remote system. Since the credentials are being presented on the system itself, no trust is required. You can now access the remote system as a different user without any trust.
I hope this post gives you some insight into the LOGON32_LOGON_NEW_CREDENTIALS flag.
↧
Logon as a user without a password
In Windows, it is possible to logon as a different domain user without any credentials. This is known as a S4U or a Service For User Logon. This is a Microsoft Extension to Kerberos introduced with Windows Server 2003. There have been several articles and post on this topic but I thought it would be nice to go over this topic again. The official names for S4U are:
- Service for User to Self (S4U2self)
- S4UProxy (Constrained Delegation Extension) - For more information: https://technet.microsoft.com/en-us/library/cc739587%28v=ws.10%29.aspx
You can find more details on the extension in the following protocol doc:
[MS-S4U] - https://msdn.microsoft.com/en-us/library/cc246071.aspx
A S4U Logon allows an application to obtain a token to a domain user with just their User Principal Name (UPN). This is a powerful feature but there are some caveats to control the power of a S4U logon.
- The caller needs to have the SeTcbPrivilege to generate an SecurityImpersonation level token. If the caller doesn't have this privilege, the resultant token will be at a SecurityIdentification level. An Identification level token only allows you to get the identity and privileges of the user to Access Check against a secured resource. You can't actually access a secured resource with this token. (If you attempt to obtain a handle to a secured object while impersonating this token, the API will fail with a wrong impersonation level error).
- The token can only be used locally. In order to use the impersonation token on a remote server, delegation needs to be enabled for the application and on the targeted server. If you pass the token to another process (via CreateProcessAsUser() for example), even if delegation is enabled, the process can only access secured resources locally. The credentials used are associated with the process that generated the S4U token so when you create a new process with the S4U token, the token has no credentials to present to a remote server for authentication.
Ok, since I've provided the highlights of S4U, how can you programmatically generate an S4U token? There are 2 ways to do this.
1. LsaLogonUser + KERB_S4U_LOGON structure. https://msdn.microsoft.com/en-us/library/windows/desktop/aa378128(v=vs.85).aspx
2. An easier way to generate an S4U token is through the WindowsIdentity object by passing a User Principal Name (UPN) which is in the format of user@domain. Remember if the caller doesn't have the SeTcbPrivilege, the internal token stored in the WindowsIdentity object will be at an identification level instead of an impersonation level. The code is very simple:
WindowsIdentity s4u = new WindowsIdentity("user@domain");
You'll see that this code is much easier than calling LsaLogonUser().
I hope this posts provides some insight to understanding and using S4U.
↧