Sunday, May 24, 2009
Saturday, June 07, 2008
App.Config problems
(Blogger has been failing while I try to post today - Error code: bX-qmyy22).
So, to recap, I was trying to add the App.config to use it to load various lists of items to go into list boxes and other settings. Hence I checked out the use of AppSettings and custom Configuration and Dynamic Properties, and so on. But they all do seem to be rather labored constructions, so I think I will abandon the App.config and instead use custom files. Rocky Lhotka gave a presentation in 2004 on the use of local storage for storing user settings, which I will look at again. It can still be found at his website
Wednesday, April 30, 2008
Posting again
Topics I could fill in on, over the past year cover a lot of Windows configuration issues - especially security related ones. As to programming, the new .NET stuff of most interest is probably LINQ. But I have been doing more shell programming and will put up some notes about it.
Along the way I have found a lot of useful utilities...
Disk and File management utilites:
Bulk Rename (recommended by Scott Hanselman)
DU.EXE by SysInternals guys now at Microsoft
FolderSize - freeware by a curmudgeonly Brian Oraas at foldersize.sourceforge.net
Multiple great utilities by Nir Sofer @Nirsoft.net:
Particularly his terrifc RegScanner utility. I've never seen anything like it!
Boy does it run fast. And you can restrict searches in a multiplicity of ways.
There was a command line registry grep tool, but I've lost track of it.
And regarding security the standard Microsoft utilities...
CACLS.EXE, XCACLS.EXE, and especially SUBINACL.EXE.
I have had to become pretty familiar with these to keep running LUA.
Monday, April 23, 2007
Time to upgrade to Vista?
Most recently cannot install IE7. Looks like its related to the way I have the machine locked down.
Earlier the machine seemed to be really bogged down. Turns out that was because the System Restore service was running against an external harddrive on a USB port.
Wednesday, July 26, 2006
Problems running MS Office under LUA
The main problem is that Windows Installer is automatically launched when you start any Office program, or Internet Explorer, if the account does not have admin privileges. This is quite irritating and frustrating, amd my efforts has been quite tedious and frustrating too. I did a lot of searching online at both Microsoft and elsewhere, and posted on some forums without luck.
Saturday, June 17, 2006
Extending IE - links and thoughts
The main article is "Browser Extensions" under Web Programming at MSDN.
How to add to the standard context menus of the WebBrowser control
Now I am looking at this again and have found how to add items to the tools menu after seeing some keys in the registry. This is discussed in Adding Menu Items under the above section.
I copied what is done by a 'search related' add-in for MSN does. You need to put a custom GUID under HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions
I see on this machine than along with the MSN search one, there is also one from Sun for the 'Sun java console'. It has a special dll which it launches.
They both have a CLSID entry which points to shdocvw.dll as inproc server.
Some other links of interest which I have found now are:
Extending the IE Context Menu at The Old New Thing blog - has some other tips
Saturday, May 06, 2006
New LUA stuff
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnlong/html/AccProtVista.asp
Gaming with Least-Privileged User Accounts
VISTA RELATED
Developer Best Practices and Guidelines for Applications in a Least ...
(subtitled "Uderstanding User Account Protection in Microsoft Windows Vista Beta 1")
Privilege-elevation APIs
Thursday, April 20, 2006
This blog finally restored
I must say this was rather disturbing. I was worried about losing my work here and irritated that they simply disabled the site without sending me ANY notification!
Saturday, February 11, 2006
Running LUA - Tricks and Talk
Traditionally I have always installed custom utilities into a root\utils directory. I have done this for years ( since 16-bit Windows) for several reasons - I know where they are, which makes it easy to see which are installed and to copy them between machines, and with one short path it can be added to environment execution path without a lot of overhead. I have always disliked the "Program Files" directory because it does not conveniently meet those requirements. And I particularly dislike the fact that it is a long name with a space in it. That was a problem for some time after it became the standard when trying to install old, often 16-bit software, which didn't handle the space.
But now that I am thinking more about security I am choosing to install more software into ProgFiles. So I am now discovering the problems that leads too with certain software. Some programs seem to write local data back to their execution dierectory without option to change it. They don't run correctly without access to those files in ProgFiles. I discovered this with one app I installed under the Admin logon. But then tried to run under a limited logon. I wasn't sure whether the problem was inability to access the registry or files, so thought about granting full rights to its directory to users who need it. But instead I found that by launching the app while running under my limited logon with elevated privileges the app sucessfully created the needed data files with my limited logon as owner. Then when I went back to run the app with the normally limited logon it I find that the app now has enough permissions to use those files as needed without granting me extra privileges to that directory. That is a pretty clean solution.
There have been a lot more references talking about running LUA lately. I will try to find them.
Friday, February 10, 2006
What's up
I have been reading/working Ron Jeffries book "Extreme Programming in C#". I find it interesting and helpful. It has been a pretty good way to try TDD, which I haven't used much in my own work. Another theme is evolving the codebase in a natural way using regular refactoring. I have always done a lot of refactoring without knowing it had a name (a la Monsieur Jourdain) so I do enjoy watching him change the code in a natural way.
One useful thing I note is related to his YAGNI ('you aren't going to need it') principle. I sometimes get hung up trying to build a more general design than is currently needed, especially since I have found it hard to retrofit projects when additional functionality required late in a project. In particular, I once got hung up on the same capability that he has trouble with in the last chapters of his book - to wit, an Undo feature. He firmly believes that it is better to keep building continually usable software with limited functionality than to push for a complete project with full functionality that extends the development timeframe.
More to come...
Monday, January 30, 2006
Update on Using Collections - Now we have Generics
There is reference article Defining and Using Generics in VB 2005 at MSDN
Wednesday, January 25, 2006
Blogs to Track
http://geekswithblogs.net/sabotsshell/Rss.aspx
DotNetSlackers itself aggregates articles about ASP.NET "for Lazy Developers"
Dr Dobbs Journal
Mike Gunderloy's Larkware which everyone said they read regularly
more on Securing Windows
Internet Security Guide at Firewall Guide website is full of pretty good info.
Tighten Microsoft Windows to Improve Security is a checklist there.
Checklist for Securing Windows XP Pro at Lawrence Berkeley Nat'l Lab is a fine article, written for internal users it is probably a little advanced for standalone home users.
Securing Windows XP (Sep 2005) at TweakHound - a link from above.
TweakHound also has some other helpful articles such as these:
Windows XP Backup Strategies For Home Users
What Do Those XP Services Do?
Amazon brings back Gold Treasure Chest
Beta Microsoft MCP Exams Offered
Beta Exam Invitation for MCAD and MCSDs
February 13 - March 12
- MCAD Exam 70-552 - Upgrade: MCAD Skills to MCPD Windows Developer
by Using the Microsoft .NETFramework (use promo code 552BTA)- MCSD Exam 71-553 - Upgrade: MCSD Microsoft .NET Skills to MCPD Enterprise ApplicationDeveloper by Using the Microsoft .NET Framework - Part 1 (use promo code BTA553)
- MCSD Exam 71-554 - Upgrade: MCSD Microsoft .NET Skills to MCPD Enterprise
ApplicationDeveloper by Using the Microsoft .NET Framework - Part 2 (use promo
code UPG554)These free beta exams will count toward certification in the same way as the final version of the exam.
Interesting Finds after Nerd Dinner
Google Blogscoped by Philip Lennson - lots of articles critiquing Google, esp on censorship.
Cool Tools by Kevin Kelly is full of descriptions of fascinating tools and books. Really NEAT.
DotNetSlackers
Feline Cranial Protection link from Eric Gunnerson's blog
More to come...
Monday, January 23, 2006
'LUA' name changes to UAP, then UAC
IE's "Mark of the Web"
How the Mark of the Web Enhances Computer Security
Because the Local Machine zone has so few security restrictions, active HTML documents running on the local machine have access to the computer's entire file system. The MOTW aids Internet Explorer in protecting the user from the risks of running these documents in the Local Machine zone. By referencing the MOTW, Internet Explorer can force these Web pages into a zone that has more restrictions, such as the Internet zone. At the same time, the MOTW cannot
be used to elevate Web pages to a zone with fewer restrictions. Forced out of the Local Machine zone, the active content has no access to the computer's file system. Note Windows XP SP2 applications—including Internet Explorer 6—that take advantage of the Local Machine Zone Lockdown security feature run in an even more restricted environment than the Internet zone. Additionally, cross-domain requests both to and from the active HTML documents fail, so
that code running from these Web pages cannot access the user's hard drive.
That makes sense, but it seems to contradict the explanation below by Dave Massy on the IEBlog, which I find a little confusing. I don't seem to be the only one, based on the comments to his posting (see "There does seem to be a some continued confusion around the LMZ lockdown").
I have not tested the functionality yet myself to see if I can figure it out, but I did notice that this box has only one file with that tag in it.
Here are some discussions of this:
Mark of the Web posted in March 2005 at the IEBlog by Dave Massey of MS
Tricks with Mark of the Web: Behaviors, XML files at Adi Oltean's(MSFT) AntiMail weblog
This UK site has good discussion of the issues surrounding the LocalMachine zone.
Changes to Functionality in Windows XP Service Pack 2 - Part 5: Enhanced Browsing Security
Sunday, January 22, 2006
Unblock CHM files after patch for MS05-026 - Vulnerability in HTML Help
The following bulletins and KB articles from MS address this issue:
- You cannot open HTML Help files from Internet Explorer after you install security update 896358
- 896358: MS05-026 - A vulnerability in HTML Help could allow remote code execution
- INFO: Executing Files by Hyperlink and the File Download Dialog Box
Update:
It appears that this behavior is controlled by something called Persistent Zone Identifier. There is a fair amount of documentation of them on the MS site (Persistent Zone Identifier Object), but surprisingly little discussion in blogs. Here is one example referencing from Internet Explorer7 Bugs at Channel9:
HTML Help doesn't work
When I try to view a chm help file that has been downloaded from the internet, the help browser loads about:blank rather than the help page. This happens when the chm file has what I think is called a persistent zone identifier associated with the file (on NTFS - when I double-click the file, I get a security warning before launching). If the file does not have the identifier (removed via Properties->Unblock) the help page is correctly displayed.
Friday, January 20, 2006
Changes to Security Zones in MS Internet Explorer Version 7
Dude, where’s my intranet zone? (… and more about the changes to IE7 security zones)
It has recieved extensive comments, not all of which I have read yet. One theme among them is that the zones are not effective, so why bother. But they seem useful to me and the most disappointing thing that I notice is that they apparently have not added any new zone between ran Internet and Trusted. That is what I want, and have created on my machines.
Some excerpts:
The My Computer Zone is locked down as of IE6 for XP SP2; the changes in IE7 continue our trend to run the browser with more secure default settings.
Because security zones allows more power to some websites, zones also open the possibility of zone-spoofing attacks: if there is a flaw in IE’s zone detection logic, a malicious website could try to run in a less restrictive security zone than they should run in. With URL parsing and other improvements in Windows XP SP2 and IE7, we have helped to ensure this doesn’t happen.
More on Running LUA
Addendum to some earlier posts
I have tended to run devenv.exe (Visual Studio) as an Admin, but one can develop local WinApps with a limited account as long as you make sure that account has the proper rights to the target source directories and any needed data file directories. Setting those up on a non-domain machine can involve setting the rights at a granular level, and normally this is not available in the Windows Explorer GUI when simple file sharing is enabled.
But you can use the NT command line tools for setting ACLs (Access Control Lists) - CACLS.EXE (NT) and XACLS.EXE (Support Tools). They are a little arcance but do the trick. One thing you have to be careful of is not use the /G or /P options with out /E, or else you remove all existing rights.
As to managing the localgroups, I never listed the UI tools for changing them in my post CCS User Group Presentation where I showed the appropriate command lines. There are several GUI programs that allow you to manage users and local groups:
Running "control userpasswords" gives you the rather dumb User Accounts dialog in Control panel. Running or "control userpasswords2" gives you a smarter, more granular tool to manage users, including specifying their group membership. Finally "lusrmgr.msc" is an MMC plugin which provides a full powered GUI tool to create/manage local users and groups.
It is worth noting that Power Users seem to have the power to add users to the Admin group, hence one reason that it is not really a safe level of operation.
Thursday, January 12, 2006
Tip on using Google as a Free Proxy
CNUG Downtown Chapter meets at IMG
Thursday, December 15, 2005
Using Collections in .NET [UPDATED]
I think the discussions are good in the books of Francesco Balena, Jeff Richter, and others:
Authors I like include Ken Getz and Paul Sheriff, but I don' find articles by them on this.
Articles I have found:
Scott Mitchell has some articles at his 4GuysFromRolla site:
Chapter 2 (from his ASP.NET: Tips, Tutorials, and Code book) compares 5 types of collections: ArrayList, Hashtable, SortedList, Queue, and Stack. After discussing each one individuality he shows their similarities and demonstrates the use of the IEnumerator interface to access them.
Specialized Collections is a useful article at MSDN.
Not to mention his series An Extensive Examination of Data Structures at MSDN.
Related Blog Postings:
Collection classes and behavior by Yves Reynhout
Article: OOP and Security sometimes go hand in hand by Tobin Titus
The new version 2.0 of the Framework will apparently extend the functionality of collections. Obviously the availability of generics is significant; plus some new extensions to the actual object collection classes. No refs yet for them.
CodeSmith by Eric Smith may be a good way to generate code for collection classes. http://www.ericjsmith.com/codesmith/default.aspx
[Original post 5/15/2005]
Delegates in C# vs VB.NET down to the IL
Thursday, December 08, 2005
C# posts on several topics
C#: Anonymous methods are not closures, led to extended and interesting discussion.
C# : Enum and overriding ToString on it:
His introduction:
"I saw two posts on Enums today on Eric Lipperts and Chris Rathjen's blog. Enums are significantly different from the other types and people run into unusal problems while working with them. "
He discusses the issue I have faced:
"This is a common issue that comes up frequently when you want to show values in reports, web pages, XML where you want to put in human readable text for enum values. Commonly people use non-generic solution of maintaining arrays of these descriptions and get text out of them by indexing using the enum value or some other things like storing it in a hashtable and using the ToString value as the key to get the desciption out."
Wednesday, December 07, 2005
Internet Wayback Machine
About the Wayback Machine
Browse through 40 billion web pages archived from
1996 to a few months ago. To start surfing the Wayback, type in the web address
of a site or page where you would like to start, and press enter. Then select
from the archived dates available. The resulting pages point to other archived
pages at as close a date as possible. Keyword searching is not currently
supported.
Sunday, November 27, 2005
More on Xi-Soft Netransport to download webcasts
References the original post by Georgeo Pulikkathara from 2004:
Wednesday, November 23, 2005
Is Microsoft going to an Open Standard for Office File Format
Microsoft ECMA/ISO move could give Office formats new lease on life by ZDNet's David Berlind -- I'm trying to grab a few vacation days here during the short week. But the news that Microsoft is looking to establish its Office XML Reference Schema (the new file format for it's Office productivity suite) as an International Organization of Standardization (ISO) ratified standard has pulled me out of hiding for at least one [...]
Friday, November 18, 2005
Local Microsoft Events in November
The last talk, (by Tim Landgrave?), on using the Component Application Block in Smart-Client apps showed stuff I had not seen before. And it finished with a BANG when he blue-screened!
CNUG had another Day of .NET on Saturday the 12th, just two days after the launch event. Pretty good turnout (>200) but somewhat disappointing lineup of speakers. The highlight for me was a talk on AJAX (even though Joel Spolsky and others enjoy pointing out that there is nothing new there).
Wednesday night "The Scripting Guys" (Dean Tstatas & Peter Constantino) were in town, and gave a good presentation. They have a great web site at Technet. Sample resource script.
Cross-Site Scripting and Tracing
That led me to some other good articles about cross-site scripting.
Mitigating Cross-site Scripting With HTTP-only Cookies
Scott Hanselman blogged about it over the summer, but I missed it then.
And to an article that uses the TRACE function as a technique to circumvent this attribute.
I don't know whether it is common to turn off the TRACE functionality on IIS servers.
Jeff Prosise wrote and lectured on website hacking during 2004. He came to Bloomington(IL) as part of an INETA-sponsored tour a year ago. I guess I wasn't blogging then, so I didn't post about his presentation, but other user groups and bloggers (Robert Hurlbut) have posted summaries and his sample code. Jeff wrote Stop Cross-site Scripting Attacks in their Tracks in ASP.NET Pro Mag in 2003 (subscription only) and on Foiling Session Hijacking Attempts in his Wicked Code column in MSDN Mag for August 2004 and
==============================================
Other topics:
Where is that artcle about script reading the clipboard?
--------------------------------------------------
Retrieving Data using Script
Thursday, November 17, 2005
Audio Encoding - Tools and Quality tests
It points to several sites which describe comparison tests of different sound systems:
ABX Double Comparator at ABX Company site of David Carlstrom.
Roberto's public listening tests page has some samples and results of encoding.
Newly found tools
- MonkeyAudio for lossless compression.
- MediaMonkey as a general tool.
- MP3Tag just for tag editing.
Sites with lists of tools
- free-codecs has a lot of codecs
- mp3-converter.com has even more stuff, and is better organized
Wednesday, November 16, 2005
Interesting web sites
http://www.programmableweb.com/
Speaking of Mapping
On the other hand, google, and the others emphasize their money making local links, which diminish the useful size of the actual maps. Sometimes the google map is full width, and sometimes restricted by local lists on the left. It is tough to figure out how to get the full width map.
Chicago Nerd Dinner - Nov 15, 2005
We had a wide-ranging discussion. Here are some of the questions and topics which came up that have stuck with me.
Web sites and services:
- Amazon's new "Mechanical Turk" web service pays humans a (very) small fee to perform simple tasks (HITs) which are hard for computers. Very creative. They reference an article at Business Week.
- 37signals.com is an ASP which provides inexpensive organization, collaboration and management tools for small business and individuals. It is built using the "Ruby on Rails"(RoR) framework, which has been getting attention lately. eWeek has a good article on RoR and they also have an interview with its creator, David H. Hansson. There was extended discussion of it, which I missed since it was at the other end of the table.
- http://www.writely.com/ is a web-based site for creating and collaboratively editing documents. It is also mentioned in Ten Blogging Hacks by Steve Rubel
Some other topics, issues:
FLICKR was bought by Yahoo last spring. It caused quite a stir back then, and more recently Wired has reported some resistance to its integration into the Yahoo superstructure.
Ryan was talking about a seminar by Juval Lowy at DevConnections, who he said was very instructive, if a little too full of himself, and about working with Clemens Vasters (whom I confused, thinking instead of Ingo Rammer, the .NET Remoting guru.)
Where, if anywhere is pluralsight based? Bill Williams, who is their administrative contact was, and I think, still is based in Massachusets. They do a lot of training in Redmond, WA. I guess the issue was where Ryan's blog reading went when he hit their server. Need to do one of those IP mapping requests to figure that out.
And there was also some discussion of whether there might be a new Internet bubble. I mistakenly confused Ted Neward with Dave Winer, who sold his weblongs.com site to Verisign earlier this year. Scoble blogged about it here in October. Verisign talked about it here. There is a good bio of Dave at Wikipedia.
Friday, October 28, 2005
More on Security and Running LUA
Aaron Margosis mentioned that running as a member of the Power Users group is just as dangerous as local admin. I didn't quite understand that, and have only recently found some more details on this issue:
Per Ostergaard discusses this in a "And I thought Power Users were a wise choice..." at his msgoodies blog.
Microsoft posted a KB article A member of the Power Users group may be able to gain administrator rights and permissions(October 2004) describing the nature and danger of putting users in the "Power User" group.
He found a reference at the "Hall of Shame" page at the threatcode.com site.
He also posts links to more details of the dangers of the "Power Users" group. There is an oldpost at Michael Howard's blog about kewl tools that has some good comments on the issue.
Margosis posts PrivBar Source Code
Tuesday, October 25, 2005
Audio Stream Capture
Wikipedia has quite a few good articles on digital audio encoding and decoding in different formats. Audio Data Compression is quite good, including a section on Lossless compression.
And it supplied some good references to other tools.
Swen's Weblog explains How to download Real Audio streams and convert Real Audio to MP3
He also writes about Lossless Compression with the Shorten (.SHN) format.
The eTree.org Wiki is also a good source on Lossless Encoding using Shorten or FLAC.
A Small SHN and MD5 FAQ by D & G Hamiltion is a widely referenced article (last update 2003). Sources he references have stopped updating and reference the Wikipedia article above.
Saturday, October 22, 2005
Jeff Prosise on the ASP.NET Provider Model
[UPDATE]
Dino Esposito has an excellent (as usual) article in the December MSDN Magazine on the new provider for the ASP.NET Membership and Profile API.
Friday, October 21, 2005
SECURITY - Cached data and Cookies
Thursday, September 29, 2005
URL's, URI's and URN's
The essay 'Cool URIs don't change' at W3.ORG Style is an iteresting dialog.
An article at Wikipedia, URI(Uniform Resource Identifier), explains the definition of URI and its relation to URL. URI's provide unique naming functionality as well as locator functionality.
Tuesday, September 27, 2005
Some newer posts on Non-Admin development
He discusses my preferred approach "Logging in as LUA and escalating privileges when required" in some detail and mentions at least one security hole I have ignored - the possibility of messages being sent from some process window to the window running with elevated or admin privileges. He makes reference to the various techniques and pitfalls, but does not detail them.
Interestingly he preferred choice would be FUS (FastUserSwitching), but of course it is not available in most work environs. I don't like it. I frequently want to have Internet browsing windows open on the same desktop where I am developing.
Notes from Pluralsight folks
It is
So checking out the Pluralsight blogs here are a few refs of some note:
Craig Andera mentions "Speaking of blogging things so I can remember them…"
and talks about working as a consultant versus teaching.
It looks like Keith did not update his password manager from the version I have.
New Security Links
And, it looks like Keith Brown has posted a new version of his Password Manager program. I need to check it out.
Monday, September 26, 2005
more .NET links
He has some interesting posts at his 'Paraesthesia.com' site:
http://www.paraesthesia.com/blog/comments.php?id=597_0_1_0_C
Your Clipboard is Not Safe!
Wednesday, August 31, 2005
Furl.net stores web pages
http://blog.contentious.com/archives/2004/06/22/10-cool-things-to-do-with-furl
Create Your Own Online Web Page Archive at searchenginewatch.
Furl - Saving Web Pages the Easy Way
Robots may threaten online Poker
- The Rise of the PokerBots at CodingHorror.com, which is a good .NET coding site.
- A page on the WinHoldem site emphasizes the importance of running with least privilege.
Task management software
Wednesday, August 17, 2005
Security Alerts and Running NonAdmin
Some article I read pointed me to this good site: Websense Security Labs
It has an example, "Malicious Website / Malicious Code: Phishing via Hosts File", which provides another good example of the dangers of running as local Administrator. If you run with diminished rights and with the NTFS protecting the Windows directory, then the hosts file cannot be modified by processes you launch.
USRobotics Modems
There is a good article, "I remember modems", at Tom's Hardware.
He links to a good site: http://www.modemhelp.org