Tuesday, May 31, 2016

When Notepad++ doesn't start truly maximized

For as long as I've used Notepad++, it has had a certain strange behavior that bothered me a little. While it seemed to remember the location and size of its window, it evidently didn't take into account whether the window was maximized. Therefore, since I always use Notepad++ in full screen, I always got a screen-sized but not actually maximized window when I started a new instance. Since windows have a bit of extra chrome on the edges, the Notepad++ one spilled over onto my second monitor a little.

Yesterday I found out that that behavior was the result of a bug. Updating to the latest Notepad++ version solved the problem. (I had been using v6.3, the bug was fixed in v6.4.)

Monday, May 30, 2016

Blogger's "Select Blogs to Display" Jumps Around

If you own multiple Blogger blogs, Google has a page that lets you set which of those blogs appear in your profile. An interesting property of that page is that the order of the blogs in the list is not constant. In fact, it seems to be random - every time I press "Save changes", the entries reshuffle themselves. Whether I've checked or unchecked an item doesn't seem to affect the shuffling at all.

State of the Deep Web Stack Exchange site

Stack Exchange's Deep Web site has been in private beta for 12 days now. Statistics-wise, we're doing fairly well. At the moment, we have 147 questions, 97% of which are answered. That's an average of 11.5 questions per day. Of the 446 registered users, 25 have more than 200 reputation. It looks like we're doing fine compared to other new beta sites. "Looks like", anyway.

A current issue for us is a need for unique expert-level content. Many of our questions, though interesting, are beginner-level. Fortunately, there are certainly some more technical ones as well. Some of those are about Tor, which already has its own Stack Exchange site. We do also have many non-Tor questions, and I hope we get more.

To help with that, I've e-mailed the Freenet and I2P teams, inviting them to join the site. Getting people who actually develop these technologies would be an excellent asset for the site, and would also be very beneficial to those projects (exposure and availability of information).

If you want to get involved, click the "Visit the site now!" link on the site's Area 51 page.

Saturday, May 28, 2016

The Hyper-V client is .NET

I just noticed that vmconnect.exe, the Hyper-V Virtual Machine Connection program, is a .NET assembly. I've been mildly interested in how Hyper-V machines are connected to, and since the program that does so is .NET, it's possible to decompile it to see an example.

It looks like the actual connection happens inside a native control called IMsRdpClient8, which is wrapped by AxMsRdpClient8NotSafeForScripting, which is controlled by a RdpViewerControl.

Friday, May 27, 2016

Making the Shift key automatically remove Caps Lock

If you find yourself frequently annoyed by Caps Lock being on when it shouldn't, you might appreciate it if hitting Shift automatically disabled Caps Lock. It just so happens that Windows has a feature to do that. How to enable it in the UI changes from version to version, but the Registry change is fairly simple.

There is (or can be) a DWORD value called Attributes in HKCU\Keyboard Layout. Bit 16 of its data (counting from zero) specifies whether this feature is active, so if the entry isn't there at all or is zero, you can set it to 65536 (decimal).

The feature does have some unusual side effects. Caps Lock can no longer turn itself off, only on. Some applications - Hyper-V as one that I use - start interpreting every Shift press as a toggle of Caps Lock.
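The following PowerShell script is an added example, not code from the original post. It sets or clears only bit 16 of the Attributes value described above, so any other bits already stored in the value survive, and it reports the current state before changing anything. The key path and the 65536 bit come from the post; the function names are my own.

```powershell
# Added example: toggle the "Shift turns off Caps Lock" bit (bit 16 = 65536)
# in HKCU\Keyboard Layout\Attributes without clobbering the other bits.
$keyPath  = 'HKCU:\Keyboard Layout'
$shiftOff = 0x10000   # 65536 decimal, the bit the post describes

function Get-ShiftCancelsCapsLock {
    $attr = (Get-ItemProperty -Path $keyPath -Name Attributes -ErrorAction SilentlyContinue).Attributes
    if ($null -eq $attr) { $attr = 0 }   # missing value behaves like zero
    return [bool]($attr -band $shiftOff)
}

function Set-ShiftCancelsCapsLock {
    param([bool]$Enabled)
    $attr = (Get-ItemProperty -Path $keyPath -Name Attributes -ErrorAction SilentlyContinue).Attributes
    if ($null -eq $attr) { $attr = 0 }
    # Flip only bit 16; whatever else is stored in Attributes is left as it was.
    if ($Enabled) { $new = $attr -bor $shiftOff } else { $new = $attr -band (-bnot $shiftOff) }
    New-ItemProperty -Path $keyPath -Name Attributes -PropertyType DWord -Value $new -Force | Out-Null
    return $new
}

"Currently enabled: $(Get-ShiftCancelsCapsLock)"
$written = Set-ShiftCancelsCapsLock -Enabled $true
"Attributes is now $written (0x{0:X})" -f $written
```

The new value applies to sessions started after the change, so sign out and back in to see the effect. Pass -Enabled $false to put things back if the side effects mentioned below bother you.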

Figured out the SQL Anywhere "SET HIDDEN" obfuscation algorithm

I had previously figured out how to get at the unobfuscated text of an SQL Anywhere 11 stored procedure that was protected by SET HIDDEN, but that method requires a lot of manual clicking and is less than reliable when it comes to getting the full text of long procedures.

Today I had some spare time, so I worked at reversing the actual obfuscation process. I was successful, but publishing the algorithm here would be a legally dubious proposition even though I didn't steal any code from the SQL Anywhere server program. Mostly, I just put in lots of slightly different plaintexts to see how the obfuscated output differed. The final necessary epiphany came when I modified certain strings in one file to cause a clearer delineation of the sections of the obfuscated text.

I can say that the algorithm is pretty simple; my function is only 26 lines of VB.NET code. There is no tokenization of any kind, so every bit of the text that gets stored in sys.sysprocedure (e.g. comments but not extra semicolons) is recoverable. The process is lightning fast and not computationally intensive at all.

Wednesday, May 25, 2016

.crypt ransomware with mention of "RZA4096"

Today I briefly looked at a small outbreak of ransomware, which fortunately didn't affect me personally. The encrypted files had .crypt appended to their names, and the ransom note had several misspellings, including a mention of RZA4096 (should be RSA). The files are indeed scrambled in some way. Kaspersky's tool to decrypt CryptXXX files does not support these. Stories I found on the Internet indicate that paying will not help, so if you're hit with this, don't pay. Instead, restore from backups, which you totally have, right?

Seriously, make backups now. You never know when some kind of exploit will result in your data getting destroyed.

Tuesday, May 24, 2016

Set Blogger to force HTTPS

I'm not sure how long it's been around, but I recently noticed that Blogger's Settings → Basic section has an option called "HTTPS Redirect" that causes blog visitors to automatically be redirected to the secure (HTTPS) version. If you have a Blogger blog, you should totally take advantage of that feature, assuming you don't embed any HTTP-served resources.

Monday, May 23, 2016

Windows VPN surprise: More configuration required

When you create a new VPN connection from the Metro-style Windows 8 UI, it may require more configuration in the traditional Network Connections item if you use a Microsoft VPN provider, e.g. a Windows Server machine running RRAS. Specifically, the Security tab needs to have an Authentication option chosen. Once I set Data encryption to Require encryption and used the bottom half to allow CHAP and MS-CHAP v2, my connection worked.

(Screenshot: working settings for connection to Windows Server 2008 R2)

Sunday, May 22, 2016

When Hyper-V just shows "Connecting" in the wide window

Today I noticed an interesting thing: a Hyper-V Virtual Machine Connection window was in the enhanced session size but just displayed "Connecting" on the black background for a very long time.

Evidently, that can happen when the virtual machine has Integration Services installed but is installing updates. When I unchecked Enhanced session on the View menu, I got the small window showing the update progress. I guess the enhanced session viewer component in the VM isn't ready while updates are being installed, despite the VMC window thinking it is.

Saturday, May 21, 2016

Less-known way for sites to identify you: Canvas fingerprinting

It's moderately well-known that web browsers include some information about themselves and the system in requests, and that such information can be used to identify ("fingerprint") the user. There are also several less-known pieces of data that can be harvested, including one particularly interesting one.

New-ish browsers support the <canvas> tag, which is a way for web sites to render images and shapes from JavaScript. Different video hardware/software configurations result in ever-so-small differences when instructed to draw some simple shapes. Sites can ask your browser to render things on a canvas and then read the pixel data back to use as part of your fingerprint.

Tor Browser has an option to return blank data when a site tries to read the canvas, thus blocking this potential avenue to anonymity compromise.

Removing a Blogger page from Google search results

I noticed that a few of my articles are outdated but still ranking higher in Google search results than my up-to-date web site about the topic. Hiding them by reverting them to a draft in Blogger didn't help, even after waiting a few days.

Google documentation suggested using their URL removal tool to get the pages out of the cache. The resulting page confused me for a while - it needed a "web property" to manage, and when I clicked the button to add one, it showed me a list of my blogs, but the only action I could perform on them was to manage them at Blogger, which doesn't seem to have a way to file URL removal requests.

On the blog list screen, I ended up clicking the button to add another property and typing in this blog's URL. It then told me my ownership had already been verified, and it gave me the option to add a new verification method. I declined, and immediately I was shown a Search Console for my blog. That place's Google Index tab has a "Remove URLs" entry, which is what I was looking for. The "Temporarily hide" button adds a new removal request.

Thursday, May 19, 2016

Why are Freenet files stored encrypted despite the key being part of the address?

The Freenet anti-censorship network identifies static files with Content Hash Keys, which consist of three parts: a hash of the encrypted version of the file, the symmetric encryption key, and some cryptographic settings. You might wonder what the point of the encryption is if the decryption key is part of the file's identifier.

Well, the only piece of information needed to single out a file is its hash, and that's all that servers store. (Besides the actual encrypted data, of course.) That fact provides a good deal of protection for server operators. Because the servers don't store and ideally never see the decryption key, the operators can't know what their servers are storing, and therefore almost certainly won't get into any trouble for it.

It also means that server operators can't read the data on their servers without a link, so hosting a file gives them no special access to it.
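To make the separation concrete, here is an added toy model of the scheme in PowerShell. It is not Freenet's code and it simplifies the real protocol: AES-256-CBC with a fresh random key per insert stands in for Freenet's actual cipher and mode, and the "settings" part of the key is just a label. The $store hashtable plays the role of a node: it holds only the hash of the ciphertext and the ciphertext itself, never the key, yet it can still verify that what it serves is intact.

```powershell
# Added example: a content-hash-key store. Nodes keep hash -> ciphertext only;
# the decryption key travels inside the address the requester already has.
$store = @{}   # what a node stores: SHA-256(ciphertext) -> ciphertext

function Insert-Chk {
    param([byte[]]$Plain)
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.KeySize = 256
    $aes.GenerateKey()                  # random key, used for this one block only
    $aes.IV = New-Object byte[] 16      # zero IV is acceptable here because the key is never reused
    $cipher = $aes.CreateEncryptor().TransformFinalBlock($Plain, 0, $Plain.Length)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $hash = [BitConverter]::ToString($sha.ComputeHash($cipher)).Replace('-', '')
    $store[$hash] = $cipher             # the node never sees $aes.Key
    # The three parts from the post: hash of the encrypted file, the key, the settings.
    return "CHK@$hash,$([Convert]::ToBase64String($aes.Key)),AES256-CBC"
}

function Fetch-Chk {
    param([string]$Chk)
    $hash, $keyB64, $settings = $Chk.Substring(4).Split(',')   # strip "CHK@"
    $cipher = $store[$hash]
    if (-not $cipher) { throw "Not in store: $hash" }
    # Anyone holding only the hash (that is, any node) can check integrity ...
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $check = [BitConverter]::ToString($sha.ComputeHash($cipher)).Replace('-', '')
    if ($check -ne $hash) { throw 'Stored block does not match its hash' }
    # ... but turning it back into plaintext needs the key from the address.
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = [Convert]::FromBase64String($keyB64)
    $aes.IV = New-Object byte[] 16
    return $aes.CreateDecryptor().TransformFinalBlock($cipher, 0, $cipher.Length)
}

$chk = Insert-Chk ([Text.Encoding]::UTF8.GetBytes('hello from the toy network'))
"Address handed to readers: $chk"
"Node stores only:          $($store.Keys -join ', ')"
[Text.Encoding]::UTF8.GetString([byte[]](Fetch-Chk $chk))
```

Run it and compare the two lines: the node's view contains the hash and nothing else, while the address a reader needs contains the hash plus the key. Delete the key portion of $chk and Fetch-Chk fails at decryption, which is exactly the position an operator without the link is in.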

Wednesday, May 18, 2016

Join the Deep Web Stack Exchange private beta

I originally thought that only people who committed to the Area 51 proposal for the Stack Exchange site about the Deep Web could access the site during private beta. It turns out that anybody who knows about the site can access it via the Area 51 page. Clicking the "Visit the site now!" link will let you create a Stack Exchange account or, if you already have one, create an associated account on the new site.

So far, we have 67 questions; that's from just a bit more than a day of activity. Hopefully we'll keep going strong.

Tuesday, May 17, 2016

Deep Web Stack Exchange site: It's happening!

A couple days ago, I committed to a Stack Exchange Area 51 proposal for a Deep Web site and managed to drum up some additional interest in it. It got 100% committed yesterday and went into private beta today. So far, more than 50 questions have been posted, virtually all of which have one or more answers. Hopefully, we'll continue to experience high activity. Private beta usually lasts 20 days, and if we prove our viability, we go on to public beta, where the possibility of failure/closure effectively vanishes.

Interested in joining? Leave a comment with a way for me to contact you, or ping me in a Stack Exchange chatroom (@BenN).

Monday, May 16, 2016

When IIS serves the wrong SSL certificate

Today I investigated a problem with IIS serving the wrong SSL certificate. My server runs two different web sites on the same interface but with different SSL certificates (because of the different hostnames). Even though I had set the right certificate for each site in its bindings window, IIS decided to use one certificate for both sites.

It would appear that, under the hood, certificates are bound to an IP address and port rather than a site. Since both sites used the same address and port, they got the same certificate. I worked around the problem by assigning one site to a different port, but that's not an ideal solution; I'm looking for something better.
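A quick way to see the address-and-port binding the post describes, added here and not part of the original post: compare what the IIS configuration says each HTTPS site should use with what HTTP.sys has actually registered. The WebAdministration module and netsh are standard on IIS hosts; the site-name extraction from ItemXPath is my own.

```powershell
# Added example: IIS's per-site certificate settings next to the HTTP.sys
# SSL bindings, which are keyed by IP:port, not by site.
Import-Module WebAdministration

# What each site's https binding claims (thumbprint per site).
Get-WebBinding | Where-Object protocol -eq 'https' |
    Select-Object @{ n = 'Site'; e = { $_.ItemXPath -replace ".*name='([^']+)'.*", '$1' } },
                  bindingInformation, certificateHash |
    Format-Table -AutoSize

# What HTTP.sys actually serves: one certificate per IP:port (or per hostname:port
# when SNI is in use). Two sites on the same IP:port show up as one entry here.
netsh http show sslcert
```

If two sites share an IP:port and the netsh output lists a single certificate for that pair, the second site is getting the first site's certificate no matter what its own binding dialog shows.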

Sunday, May 15, 2016

Can't search for things in a 64-bit address space with WinDbg

Today I attempted to use WinDbg to poke around in the memory of a 64-bit application. I wanted to search for a certain pattern of bytes, so I used the s command with the appropriate -s flag. The problem was that searching the entire 64-bit address space would take ages, since it's exponentially larger than the 32-bit address space, which I can search in a minute or so. Some Googling turned up a couple questions that are still unanswered. Though I can find the string in a dump of the process's memory, I don't know how to get the memory address from that. Therefore, I have no way to search for things in a 64-bit process using WinDbg.

Friday, May 13, 2016

What's a System Access Control List?

Sometimes you hear about System Access Control Lists, as opposed to Discretionary Access Control Lists. DACLs (which are just your standard ACLs) contain object permissions, like who can read or write a file. SACLs specify which kinds of access by which principals get written to the Security event log as auditing events. That is, SACLs don't affect who can access a file, just whose attempted access to it will produce audit entries.

You can find the SACL for a file on the Auditing tab of its Advanced Security Settings dialog, which appears when you press the Advanced button on the Security tab of the file's Properties window.
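The same DACL/SACL split is visible from PowerShell with Get-Acl. The script below is an added example, not from the original post; $path is a placeholder file. Reading or writing a SACL needs SeSecurityPrivilege, so run it elevated.

```powershell
# Added example: show a file's DACL (permissions) and SACL (audit rules) side
# by side, then add a failure-audit rule for deletions.
$path = 'C:\Temp\example.txt'   # placeholder

# DACL: who may do what. This is the Access property of the security descriptor.
'--- DACL (Security tab) ---'
(Get-Acl -Path $path).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType | Format-Table -AutoSize

# SACL: whose attempts are logged. Without -Audit, Get-Acl does not read it at all.
'--- SACL (Auditing tab) ---'
$sacl = (Get-Acl -Path $path -Audit).Audit
$sacl | Select-Object IdentityReference, FileSystemRights, AuditFlags | Format-Table -AutoSize
if (-not $sacl) { 'No audit entries: access to this file is never logged, whatever the DACL says.' }

# Add an entry: log failed Delete attempts by anyone. Permissions are unchanged.
$acl  = Get-Acl -Path $path -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule('Everyone', 'Delete', 'Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $path -AclObject $acl
```

One caveat a practitioner will hit: a SACL entry alone produces nothing. The "Audit object access" policy (or the corresponding advanced audit subcategory) must also be enabled for the matching events to reach the Security log.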

Thursday, May 12, 2016

Windows VPN connections interrupt network connectivity

I've been testing out VPN connections with the client that's built into Windows 8. I got it to connect to the VPN server, but a few seconds after Windows marks it "Connected", I briefly lose connection to everything on my normal interface. That's kind of unfortunate, since it interrupts some applications I'm running. At least it goes back to normal after that, though.

Wednesday, May 11, 2016

When Abiathar extensions fail to load with a FileLoadException

A semi-common issue people run into with Abiathar extensions is a failure dialog at launch indicating a FileLoadException:

Could not load file or assembly 'file:///C:\path\file.aex' or one of its dependencies. Operation is not supported.

The problem is caused by a zone identifier on the AEX file. When most web browsers download files, they add an Alternate Data Stream indicating that the file is potentially dubious because it came from the Internet. When a ZIP is extracted, the mark is added to all resulting files. .NET evidently refuses to load assemblies from files with the mark, so the above error is returned and extension loading halts.

To fix the problem, open the Properties of the downloaded AEX file and click the Unblock button. That removes the mark and lets Abiathar load the extension successfully.

Tuesday, May 10, 2016

Does totaling the threads of each process give the system's thread count?

Evidently not.

You can loop through each running process and total up the running threads in each, with some PowerShell, for instance:

(gwmi -Query "select threadcount from win32_process" | Select-Object -Property ThreadCount | Measure-Object ThreadCount -Sum).Sum

Interestingly, the result of that will match the result Performance Monitor (Perfmon) gives for the _Total instance of the Process → Thread Count counter, but is markedly less than Perfmon's value for Objects → Threads.

At first I guessed that kernel-mode drivers' threads weren't counted because of not being associated with a user-mode process, but it looks like driver threads appear as threads of the System process. Therefore, I don't know where the extra threads are coming from.
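To reproduce the comparison in one go, here is an added PowerShell function (not from the original post) that gathers the per-process total two ways alongside the two Perfmon counters named above and reports the difference. It uses Get-CimInstance rather than the older gwmi alias, but reads the same Win32_Process.ThreadCount property.

```powershell
# Added example: per-process thread totals versus the Objects\Threads counter.
function Get-ThreadCounts {
    # Sum of Win32_Process.ThreadCount, as in the post.
    $wmiSum = (Get-CimInstance -ClassName Win32_Process -Property ThreadCount |
               Measure-Object -Property ThreadCount -Sum).Sum

    # Same idea from Get-Process; processes that exit during enumeration are skipped.
    $psSum = (Get-Process -ErrorAction SilentlyContinue |
              ForEach-Object { $_.Threads.Count } | Measure-Object -Sum).Sum

    # The two Perfmon counters the post compares.
    $samples  = (Get-Counter -Counter '\Process(_Total)\Thread Count', '\Objects\Threads').CounterSamples
    $perfProc = ($samples | Where-Object Path -like '*process(_total)*').CookedValue
    $perfObj  = ($samples | Where-Object Path -like '*objects\threads*').CookedValue

    [pscustomobject]@{
        Win32ProcessSum     = $wmiSum
        GetProcessSum       = $psSum
        ProcessTotalCounter = $perfProc
        ObjectsThreads      = $perfObj
        Unaccounted         = $perfObj - $perfProc   # threads no process claims
    }
}

Get-ThreadCounts | Format-List
```

The four numbers are not sampled at the same instant, so expect the two sums and the _Total counter to drift by a few threads on a busy machine; the Unaccounted gap is the interesting part and stays well outside that noise.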

Monday, May 9, 2016

Registry setting for Internet Explorer Protected Mode

Internet Explorer's Internet Options dialog has a setting called Protected Mode, which is a security mode that can be enabled or disabled for each zone. The Registry setting for it is stored with the rest of the Internet Options items, under the appropriate numerical subkey here:

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones

The numeric zone IDs are: 0 for Local Machine, 1 for Intranet, 2 for Trusted Sites, 3 for Internet, and 4 for Restricted sites.

A REG_DWORD value named 2500 controls Protected Mode. The entry is 0 if Protected Mode is enabled and 3 if Protected Mode is disabled for that zone.

Based on my Super User answer.
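As an added example (my own script, not from the post or the Super User answer), the following reads value 2500 under each of the five zone subkeys listed above and translates it using the 0/3 mapping from the post. A zone whose subkey or value is absent is reported as not set rather than guessed at.

```powershell
# Added example: report Internet Explorer Protected Mode per zone from the Registry.
$zonesKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$zoneNames = @{ 0 = 'Local Machine'; 1 = 'Intranet'; 2 = 'Trusted Sites'; 3 = 'Internet'; 4 = 'Restricted Sites' }

function Get-IEProtectedModeState {
    foreach ($id in 0..4) {
        $props = Get-ItemProperty -Path "$zonesKey\$id" -ErrorAction SilentlyContinue
        # The value is literally named "2500"; quote it to read it as a property.
        $raw = if ($props) { $props.'2500' } else { $null }
        if ($null -eq $raw)  { $state = 'Not set' }
        elseif ($raw -eq 0)  { $state = 'Enabled' }
        elseif ($raw -eq 3)  { $state = 'Disabled' }
        else                 { $state = "Unexpected value $raw" }
        [pscustomobject]@{ Zone = $id; Name = $zoneNames[$id]; Value2500 = $raw; ProtectedMode = $state }
    }
}

Get-IEProtectedModeState | Format-Table -AutoSize
```

This reads the per-user (HKCU) settings the post refers to; a value of 3 on the Internet or Restricted Sites zone is the one worth flagging, since those are the zones where Protected Mode does the most good.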

Sunday, May 8, 2016

How do I check whether a level ID exists from the Abiathar API?

While rigging up EasyAslev, I noticed a little infelicity in the Abiathar extension API. It's actually kind of tricky to check whether an IAbiatharLevelSetWrapper contains a level at a certain ID - there's no Contains method. (Oops.) Attempting to get the At property for a nonexistent ID results in an exception, so iterating to find the first empty level would be slow.

The best way to check for a level's presence is to use that interface's List function, which returns a list containing the taken IDs. You can then use the Contains method on that, or iterate over it.

I'll make sure to add a cleaner way of testing for level presence via the API in the next version of Abiathar.

Saturday, May 7, 2016

Impersonating domain accounts with PowerShell

It's possible to impersonate users with PowerShell without a password (given sufficient privilege), taking advantage of the normal .NET way of doing that. It only works on domain accounts because the credential-less WindowsIdentity constructor only works with actual UPNs.

Construct a WindowsIdentity like this:

$ident = New-Object System.Security.Principal.WindowsIdentity("user@domain.tld")

Then, actually start the impersonation of that identity (requires SeTcbPrivilege):

$ctx = $ident.Impersonate()

If you don't have SeTcbPrivilege, that command will royally mess up your PowerShell session. Either way, it returns an impersonation context that has an Undo method that stops impersonation.
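Because a failed or abandoned impersonation leaves the session in the messed-up state just described, the two calls are best wrapped so that Undo always runs. The helper below is an added example, not from the original post; user@domain.tld is a placeholder and the function name is mine.

```powershell
# Added example: impersonate a domain account for the duration of a script block,
# undoing the impersonation even if the block throws. Needs SeTcbPrivilege.
function Invoke-AsUser {
    param(
        [Parameter(Mandatory)][string]$Upn,          # must be a real UPN, per the post
        [Parameter(Mandatory)][scriptblock]$Action
    )
    $ident = New-Object System.Security.Principal.WindowsIdentity($Upn)
    $ctx = $null
    try {
        $ctx = $ident.Impersonate()    # from here on, this thread runs as $Upn
        & $Action
    }
    finally {
        if ($ctx) { $ctx.Undo(); $ctx.Dispose() }   # always restore the caller's identity
    }
}

# Shows the impersonated name inside the block; the caller's name is back afterwards.
Invoke-AsUser -Upn 'user@domain.tld' -Action {
    [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
}
[System.Security.Principal.WindowsIdentity]::GetCurrent().Name
```

Impersonation is per thread, so anything the block starts on another thread (background jobs, for instance) does not inherit it.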

Friday, May 6, 2016

Correcting HP Color LaserJet color alignment problems with the HP Toolbox

My HP Color LaserJet CP1215 has had a color alignment problem for a while. When printing colors, the different primary colors would be printed offset from each other by a few millimeters, producing an unusual visual effect. Internet searching recommended the HP Toolbox, but all the download links for it no longer work. On older OSes, that program was installed with the printer driver (from the CD, maybe? I'm not sure).

I had a virtual machine around with Windows XP, so I connected the printer to that. Fortunately, the Toolbox was indeed installed. You can get to it by double-clicking the fuzzy printer icon in the notification area. In one of the sections (Troubleshooting, probably), there's a button at the bottom labeled Calibrate. Pressing that caused a recalibration, which lasted for several minutes, after which the problem was fixed.

Wednesday, May 4, 2016

The Abiathar simple single-level file format

Yesterday, I wrote about a tool that extends Abiathar, handling a new kind of file that represents a single Keen Galaxy level in a very simple format. I briefly touched on the actual format there, but I figured I should specify it more precisely.

Every number is stored as an unsigned little-endian 16-bit integer (UShort in VB.NET), which I will refer to as a "word". A simple single-level file starts with the level width (in tiles) as a word, followed by the height as a word. Tile data follows, with each tile ID as a word. The three-dimensional data is stored in plane-major then row-major order. The background plane is first, then the foreground, then the infoplane.

Therefore, the third word of one of these files is the background's upper-left tile. The next is the second tile in the first row of the background, and so on.

There is no compression in these files. There is also no place to store a level name or signature (though such data could be stored after the tile data without breaking anything). The format is indeed simple.
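A reader and writer for this layout, as an added example in PowerShell (not code from Abiathar or EasyAslev), shows the parts a careful implementation needs beyond the description: a length check that rejects truncated input before any tile is read, tolerance of trailing bytes as the post permits, and a round trip that proves the two halves agree. The sample file bytes are constructed for the example.

```powershell
# Added example: parse and emit the simple single-level format.
# Planes[plane][row][col]; plane 0 = background, 1 = foreground, 2 = infoplane.
function Read-SimpleLevel {
    param([byte[]]$Bytes)
    if ($Bytes.Length -lt 4) { throw 'Too short for a width/height header' }
    $width  = [BitConverter]::ToUInt16($Bytes, 0)   # little-endian words
    $height = [BitConverter]::ToUInt16($Bytes, 2)
    $expected = 4 + 2 * 3 * $width * $height
    if ($Bytes.Length -lt $expected) {
        throw "Truncated: ${width}x$height needs $expected bytes, file has $($Bytes.Length)"
    }
    # Anything after the tile data is ignored (e.g. a name appended later).
    $planes = @()
    $offset = 4
    for ($p = 0; $p -lt 3; $p++) {
        $rows = @()
        for ($y = 0; $y -lt $height; $y++) {
            $row = New-Object uint16[] $width
            for ($x = 0; $x -lt $width; $x++) {
                $row[$x] = [BitConverter]::ToUInt16($Bytes, $offset)
                $offset += 2
            }
            $rows += ,$row
        }
        $planes += ,$rows
    }
    [pscustomobject]@{ Width = $width; Height = $height; Planes = $planes }
}

function Write-SimpleLevel {
    param($Level)
    $out = New-Object System.Collections.Generic.List[byte]
    $out.AddRange([BitConverter]::GetBytes([uint16]$Level.Width))
    $out.AddRange([BitConverter]::GetBytes([uint16]$Level.Height))
    foreach ($plane in $Level.Planes) {
        foreach ($row in $plane) {
            foreach ($tile in $row) { $out.AddRange([BitConverter]::GetBytes([uint16]$tile)) }
        }
    }
    return $out.ToArray()
}

# Constructed 2x2 level: background 1..4, foreground all 0, infoplane 0 except one 7.
$bytes = [byte[]](2,0, 2,0,  1,0,2,0,3,0,4,0,  0,0,0,0,0,0,0,0,  0,0,0,0,0,0,7,0)
$level = Read-SimpleLevel $bytes
"Third word (background upper-left): $($level.Planes[0][0][0])"   # 1, as the post says
"Infoplane bottom-right:             $($level.Planes[2][1][1])"   # 7
$written = Write-SimpleLevel $level
"Round trip identical: $(($bytes -join ',') -eq ($written -join ','))"
try { Read-SimpleLevel ($bytes[0..9]) } catch { "Truncated file rejected: $_" }
```

The length check is the one that matters when files come from other people's tools: width and height are attacker-controlled words, and a reader that trusts them and walks width*height*3 tiles off the end of a short buffer is how a level loader turns into a crash.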

Tuesday, May 3, 2016

EasyAslev

I recently received a request for assistance with Abiathar's single-level format (ASLEV). The format is indeed challenging to implement without the assistance of FMod's compression features; it uses 24-bit LZW. The person who contacted me suggested that I also support a simpler format that just has the level dimensions and then the tile data as 16-bit integers.

That sounded pretty reasonable to me, but since I don't currently have time to polish it up enough for inclusion in Abiathar proper, I threw together a .NET binary that is simultaneously an Abiathar extension and a console program.

With a .exe extension, it takes a file name or mask on the command line and converts those files (assumed to be in the aforementioned simple format) to ASLEV.

With a .aex extension, it adds some menu items to Abiathar. One is a level tool that exports the currently-viewed level as a simple single-level file. The other is an item in the Level menu that opens a simple level and adds it to the first empty slot in the current project.

I'll release this little tool after it gets a bit of testing from the inquirer.

Monday, May 2, 2016

How does Windows figure out the size of an installed program?

In the Programs and Features dialog, you see that some entries have a value in their Size column. The obvious question is, how does Windows figure that size out?

The answer is that it doesn't, at least as of Windows 7. The value is set by the program's installer at install time. That value could conceivably be wildly off the mark from the actual space used by the program's files, but that's not a concern of Windows. Windows keeps the information in a value called EstimatedSize in the program's entry in the Uninstall key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

Programs without that Registry entry simply have no value in the Size column.

Windows versions prior to 7, when confronted with a program that doesn't supply its own size estimation, would do some disk searching to guess.

Sunday, May 1, 2016

Digital signatures can be in catalogs too

Some digitally signed files (e.g. executables that produce a UAC prompt with a verified publisher) have a Digital Signatures tab in their Properties window. Others, however, do not, but still are treated as verified in the UAC dialog and by the Sysinternals sigcheck utility. Usually, the ones that don't are binaries that shipped with the OS.

The reason that some files don't get that tab is that their digital signatures are stored not in the files themselves, but in security catalogs, which are big lists of signed file hashes. Evidently, Explorer only checks the file itself for the signature. The -i parameter to sigcheck will tell you on the "Catalog" line where the signature for the target file is stored. If it does have a catalog, you'll get the path to the .cat file, stored under \Windows\System32\catroot.