Reading Notebook: 16-September-09

Comments in italics are mine and express my own views, thoughts and opinions

Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:

InitOnceExecuteOnce API, synchronous (p. 197) - new in Vista and W2K8, http://msdn.microsoft.com/en-us/library/ms683493(VS.85).aspx

InitOnceBeginInitialize / InitOnceComplete API, asynchronous (p. 197) - code examples for one-time initialization: http://msdn.microsoft.com/en-us/library/ms686934(VS.85).aspx

Dynamic worker threads (pp. 199 - 200)

ALPC (pp. 202 - 206) - ALPC is used extensively in terminal services environments. Here is sample WinDbg output to mine for ALPC wait chains in frozen systems and blocked services: a svchost.exe thread blocked in WrLpcReply for almost five minutes, the message it waits for (!alpc /m, which also names the server thread handling it), and the connection port the message is queued at (!alpc /p), with 192 messages in its pending queue:

1: kd> !process 0 ff

[...]

THREAD fffffa8006ef7060  Cid 0350.279c  Teb: 000007fffffa4000 Win32Thread: fffff900c22904f0 WAIT: (WrLpcReply) UserMode Non-Alertable
    fffffa8006ef73f0  Semaphore Limit 0x1
Waiting for reply to ALPC Message fffff880104eecf0 : queued at port fffffa80060d4c80 : owned by process fffffa8004c39040
IRP List:
    fffffa8006d21c60: (0006,03a0) Flags: 00060030  Mdl: 00000000
    fffffa8005f876c0: (0006,03a0) Flags: 00060030  Mdl: 00000000
Not impersonating
DeviceMap                 fffff88000007450
Owning Process            fffffa80057844d0       Image:         svchost.exe
Attached Process          N/A            Image:         N/A
Wait Start TickCount      10908131       Ticks: 18864 (0:00:04:54.750)
Context Switch Count      12660                 LargeStack
UserTime                  00:00:00.671
KernelTime                00:00:00.578
Win32 Start Address 0x000007fefe51fdec
Stack Init fffffa6006249db0 Current fffffa6006249670
Base fffffa600624a000 Limit fffffa6006243000 Call 0
Priority 13 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5
Child-SP          RetAddr           Call Site
fffffa60`062496b0 fffff800`016a36fa nt!KiSwapContext+0x7f
fffffa60`062497f0 fffff800`0169835b nt!KiSwapThread+0x13a
fffffa60`06249860 fffff800`016cd4e2 nt!KeWaitForSingleObject+0x2cb
fffffa60`062498f0 fffff800`01916d14 nt!AlpcpSignalAndWait+0x92
fffffa60`06249980 fffff800`019137a6 nt!AlpcpReceiveSynchronousReply+0x44
fffffa60`062499e0 fffff800`0190330f nt!AlpcpProcessSynchronousRequest+0x24f
fffffa60`06249b00 fffff800`016a0ef3 nt!NtAlpcSendWaitReceivePort+0x19f
fffffa60`06249bb0 00000000`774d756a nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffffa60`06249c20)
00000000`029decd8 00000000`00000000 0x774d756a

1: kd> !alpc /m fffff880104eecf0

Message @ fffff880104eecf0
  MessageID             : 0x053C (1340)
  CallbackID            : 0xC26264 (12739172)
  SequenceNumber        : 0x0000031F (799)
  Type                  : LPC_REQUEST
  DataLength            : 0x0048 (72)
  TotalLength           : 0x0070 (112)
  Canceled              : No
  Release               : No
  ReplyWaitReply        : No
  Continuation          : Yes
  OwnerPort             : fffffa800a7804d0 [ALPC_CLIENT_COMMUNICATION_PORT]
  WaitingThread         : fffffa8006ef7060
  QueueType             : ALPC_MSGQUEUE_PENDING
  QueuePort             : fffffa80060d4c80 [ALPC_CONNECTION_PORT]
  QueuePortOwnerProcess : fffffa8004c39040 (svchost.exe)
  ServerThread          : fffffa800aa8c700
  QuotaCharged          : No
  CancelQueuePort       : 0000000000000000
  CancelSequencePort    : 0000000000000000
  CancelSequenceNumber  : 0x00000000 (0)
  ClientContext         : 0000000004e87390
  ServerContext         : 0000000000000000
  PortContext           : 0000000005615340
  CancelPortContext     : 0000000000000000
  SecurityData          : 0000000000000000
  View                  : 0000000000000000

1: kd> !alpc /p fffffa80060d4c80
Port @ fffffa80060d4c80
  Type                      : ALPC_CONNECTION_PORT
  CommunicationInfo         : fffff88007f66ba0
    ConnectionPort          : fffffa80060d4c80
    ClientCommunicationPort : 0000000000000000
    ServerCommunicationPort : 0000000000000000
  OwnerProcess              : fffffa8004c39040 (svchost.exe)
  SequenceNo                : 0x00000000 (0)
  CompletionPort            : fffffa80057d8040
  CompletionList            : 0000000000000000
  MessageZone               : 0000000000000000
  ConnectionPending         : No
  ConnectionRefused         : No
  Disconnected              : No
  Closed                    : No
  FlushOnClose              : Yes
  ReturnExtendedInfo        : No
  Waitable                  : No
  Security                  : Static
  Wow64CompletionList       : No

  Main queue is empty.

  Large message queue is empty.

  Pending queue has 192 message(s)

    fffff88012c7e030 0000201c 0000000000013f88:00000000000154fc 0000000000000000 fffffa8008573a30 LPC_CANCELED
    fffff88009a98cf0 0000221c 0000000000000b04:00000000000109b4 fffffa800b533bb0 fffffa8008ee7bb0 LPC_REQUEST
    fffff880129b9cf0 00001ffc 00000000000067d8:000000000000a85c fffffa800a032060 fffffa800a408060 LPC_REQUEST
    fffff8800ed62cf0 00001ea4 0000000000012c1c:0000000000013238 fffffa800afbcbb0 fffffa800bbf1060 LPC_REQUEST
    fffff88011fa7cf0 000014ec 0000000000000b04:0000000000013a38 fffffa80072c6bb0 fffffa800b4d2700 LPC_REQUEST
    fffff8801001e980 0000159c 000000000000b25c:0000000000003004 fffffa8006ebcbb0 fffffa8009c25060 LPC_REQUEST
    fffff88009a56cf0 00001f94 0000000000012940:0000000000015478 fffffa800a75d700 fffffa800b4b8060 LPC_REQUEST
[...]
    fffff880129aa640 000018f0 000000000000d31c:00000000000147c0 fffffa800ab9bbb0 fffffa8006ffb560 LPC_REQUEST
    fffff88008b29ac0 0000152c 000000000000fa5c:000000000000faa4 0000000000000000 fffffa800abadbb0 LPC_CANCELED
    fffff88009eaa460 000005dc 000000000000e13c:000000000000e3d4 fffffa800921b630 fffffa800a191060 LPC_REQUEST

  Canceled queue is empty.
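An added example, not part of the original post and not a WinDbg command: a small Python script that mines exactly this kind of output. It parses the THREAD records of !process 0 ff for WrLpcReply waits, the !alpc /m blocks for the server thread of each message, and walks client thread -> message -> server thread until it reaches a thread that is not itself waiting on ALPC, a message with no server thread recorded, or a cycle. The embedded sample is constructed: the first thread record and the first message are trimmed copies of the listing above; the second thread, its message fffff8800000aa10, the addresses ending in b20/c30 and the image name server.exe are invented to give the chain a second hop.

```python
"""Mine ALPC wait chains out of WinDbg '!process 0 ff' and '!alpc /m' text."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample: the first THREAD record and first Message block are trimmed copies of the
# listing above; the second thread, its message, addresses ending in b20/c30 and "server.exe" are invented.
PROCESS_DUMP = """\
THREAD fffffa8006ef7060  Cid 0350.279c  Teb: 000007fffffa4000 Win32Thread: fffff900c22904f0 WAIT: (WrLpcReply) UserMode Non-Alertable
Waiting for reply to ALPC Message fffff880104eecf0 : queued at port fffffa80060d4c80 : owned by process fffffa8004c39040
Owning Process            fffffa80057844d0       Image:         svchost.exe
Wait Start TickCount      10908131       Ticks: 18864 (0:00:04:54.750)

THREAD fffffa800aa8c700  Cid 0488.0b04  Teb: 000007fffffd3000 Win32Thread: 0000000000000000 WAIT: (WrLpcReply) UserMode Non-Alertable
Waiting for reply to ALPC Message fffff8800000aa10 : queued at port fffffa8000000b20 : owned by process fffffa8000000c30
Owning Process            fffffa8004c39040       Image:         svchost.exe
Wait Start TickCount      10908140       Ticks: 18855 (0:00:04:54.609)
"""
ALPC_DUMP = """\
Message @ fffff880104eecf0
  QueuePortOwnerProcess : fffffa8004c39040 (svchost.exe)
  ServerThread          : fffffa800aa8c700

Message @ fffff8800000aa10
  QueuePortOwnerProcess : fffffa8000000c30 (server.exe)
  ServerThread          : 0000000000000000
"""

THREAD_RE = re.compile(r"^THREAD (?P<addr>[0-9a-f]+)\s+Cid (?P<cid>[0-9a-f.]+).*WAIT: \((?P<reason>\w+)\)", re.M)
ALPC_WAIT_RE = re.compile(r"Waiting for reply to ALPC Message (?P<msg>[0-9a-f]+) : queued at port "
                          r"(?P<port>[0-9a-f]+) : owned by process (?P<owner>[0-9a-f]+)")
OWNING_RE = re.compile(r"Owning Process\s+(?P<proc>[0-9a-f]+)\s+Image:\s+(?P<image>\S+)")
ELAPSED_RE = re.compile(r"Ticks: \d+ \((?P<elapsed>[\d:.]+)\)")
FIELD_RE = re.compile(r"^[ \t]+(\w+)\s+: (\S.*)$", re.M)  # one "  Name : value" line of !alpc /m

@dataclass
class AlpcWaiter:
    thread: str      # blocked client thread (ETHREAD) and its PID.TID
    cid: str
    process: str     # EPROCESS / image owning the blocked thread
    image: str
    message: str     # message it waits for, the port it is queued at, the port's owner (server side)
    port: str
    port_owner: str
    elapsed: str     # d:hh:mm:ss.mmm as printed after "Ticks:"

def elapsed_seconds(elapsed: str) -> float:
    """'0:00:04:54.750' (days:hours:minutes:seconds) -> 294.75."""
    days, hours, minutes, seconds = elapsed.split(":")
    return ((int(days) * 24 + int(hours)) * 60 + int(minutes)) * 60 + float(seconds)

def parse_waiters(process_dump: str) -> Dict[str, AlpcWaiter]:
    """Every WrLpcReply thread whose record names the ALPC message it waits for."""
    waiters: Dict[str, AlpcWaiter] = {}
    for record in re.split(r"(?m)^(?=THREAD )", process_dump):
        head = THREAD_RE.search(record)
        if not head or head["reason"] != "WrLpcReply":
            continue
        wait, owning, elapsed = (r.search(record) for r in (ALPC_WAIT_RE, OWNING_RE, ELAPSED_RE))
        if not (wait and owning and elapsed):
            continue  # truncated record, or a WrLpcReply wait that !process did not annotate
        waiters[head["addr"]] = AlpcWaiter(head["addr"], head["cid"], owning["proc"], owning["image"],
                                           wait["msg"], wait["port"], wait["owner"], elapsed["elapsed"])
    return waiters

def parse_messages(alpc_dump: str) -> Dict[str, Dict[str, str]]:
    """'!alpc /m' blocks -> {message address: {field: first token of its value}}."""
    messages: Dict[str, Dict[str, str]] = {}
    for block in re.split(r"(?m)^(?=Message @ )", alpc_dump):
        head = re.match(r"Message @ ([0-9a-f]+)", block)
        if head:
            messages[head.group(1)] = {k: v.split()[0] for k, v in FIELD_RE.findall(block)}
    return messages

def wait_chain(start: str, waiters: Dict[str, AlpcWaiter],
               messages: Dict[str, Dict[str, str]]) -> Tuple[List[AlpcWaiter], str]:
    """Client thread -> message -> ServerThread, repeated while the server thread is itself in WrLpcReply.
    Second value says why the walk stopped: 'server-not-waiting-on-alpc' (inspect that thread with !thread,
    it is the one holding everything up), 'unserved' (no server thread recorded for the message),
    'message-not-dumped' (run !alpc /m on it), 'cycle' (services waiting on each other), 'not-an-alpc-waiter'."""
    hops: List[AlpcWaiter] = []
    thread = start
    while thread in waiters:
        if any(h.thread == thread for h in hops):
            return hops, "cycle"
        hops.append(waiters[thread])
        msg = messages.get(waiters[thread].message)
        if msg is None:
            return hops, "message-not-dumped"
        server = msg.get("ServerThread", "0")
        if int(server, 16) == 0:
            return hops, "unserved"
        thread = server
    return hops, ("server-not-waiting-on-alpc" if hops else "not-an-alpc-waiter")

def long_waits(waiters: Dict[str, AlpcWaiter], min_seconds: float = 60.0) -> List[AlpcWaiter]:
    """Waiters blocked at least min_seconds, longest first: where to start in a hang dump."""
    return sorted((w for w in waiters.values() if elapsed_seconds(w.elapsed) >= min_seconds),
                  key=lambda w: elapsed_seconds(w.elapsed), reverse=True)
```

To use it on a real dump, paste the full !process 0 ff output into PROCESS_DUMP and one !alpc /m block per message the waiters name into ALPC_DUMP, then call wait_chain on each entry of long_waits(parse_waiters(PROCESS_DUMP)); the stop reason tells you which debugger command to run next. Elapsed time is taken from the printed clock value rather than from the Ticks count, because the tick length is not the same on every system.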

The .NET Developer’s Guide to Windows Security by M. Brown:

Developing code in a non-privileged way: two logons (p. 35)

whoami command (p. 37) - whoami /all

netsh command (p. 37)

runas /netonly (p. 39)

Nested runas commands (p. 40)

Debugger Users group (p. 41) 

Run - install assumption (p. 46) - Got an idea for a bugtation: “You must assume that your program will be” coded “by one person and” debugged “by another!”

Least privilege for installer design (p. 46)

Software Requirements & Specifications by M. Jackson:

Indicative mood of formalizations (p. 9)

Application domain vs. generic domain and app. domain vs. environment (p. 9)

Structured Analysis of DeMarco / Gane / Sarson - the danger of thinking in terms of a machine when looking at the existing system (p. 10)

Construction of difficulty from simplicity in software development, shorter vs. longer problem description spans (pp. 12 - 14) - lesson: create one structural UML diagram that covers all possible problem spans

Different views on the origin of software development disasters (pp. 14 - 15) - the view from memory dump analysis engineer: study crash dump analysis patterns (by applying bijectionism) and learn from them. Software artifacts are memory dumps. Software development is memory change.

Software technology as technology of description (p. 17) 

- Dmitry Vostokov @ SoftwareGeneralist.com -