Comments by Randor (Top 130 by date)

Can you upload it somewhere so I can see more code?

Have a look at RtlInitUnicodeString to initialize your UNICODE_STRING
https://docs.microsoft.com/en-us/windows/win32/api/winternl/nf-winternl-rtlinitunicodestring

I can help you with the kernelmode code and anything C/C++ or assembler. But I know very little about VB.NET so I won't be much help there.

Codeproject has a VB.NET forum, I think a few members can help you if the need arises. :)

Ok, next you will need to design a structure to send to your usermode application. You will be using FltSendMessage. Design a C struct with file path and other things you would be interested in inspecting from usermode.

I also highly recommend adding some code to reduce the filtering scope. I recommended adding the ability to exclude or include paths to monitor.

I can't see your code. Could you verify that you can connect to the communication port from your usermode application?

I am observing alot of very fundamental mistakes in your C code such as reading the value of uninitialized variables. I would recommend that you improve your C language skills. It's highly unusual to see those those type of mistakes. Your compiler should be warning you.

Don't be discouraged, everyone has to start somewhere. Everyone has been in your shoes, keep experimenting and you will see progress.

In the C language an 'assert' throws an error.

Look at your code:

PFLT_PORT ClientPort;
FLT_ASSERT(ClientPort == NULL);

Can you tell me what the value of your ClientPort is when you never initialize it? Do you know what FLT_ASSERT does?

You can write a BOM (byte order mark) at the beginning of the file. This will tell Notepad and other text editors about the Unicode text encoding. This should allow your text file to be displayed properly in various text editors.

https://docs.microsoft.com/en-us/globalization/encoding/byte-order-mark

That's not possible. std::wofstream cannot throw a std::basic_ofstream<char> error if you are passing a wstring filename.

You probably meant to recommend std::wofstream

Setup your symbols, check my last message.

You can also use the .sympath command to manual load the paths.
https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/-sympath--set-symbol-path-

If you add the path to your driver PDB this will make your WinDbg session usable.

You need to setup your symbols:
https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/symbol-path

Also add the path to your driver PDB file.

You should probably let Chris know. He specifically asked about this in the Bugs forum.

Test 2

Test (notification).

You should just take my advice. The Windows operating system is continually writing data into the registry and other very important places. It's just a matter of time before a BSOD occurs and the data is half written.

There are other benefits to deploying your driver to a VM, you can setup WinDbg and see the exact place causing the BSOD

https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/setting-up-kernel-mode-debugging-in-windbg--cdb--or-ntsd

Don't see anything but if I were debugging it I would comment out all that code in your ScannerPortConnect() function. Hollow it out and just leave the paged_code macro, unreferenced macros and DbgPrint

You can't develop a minifilter on your localhost, you will have a very high risk of being locked out of your operating system. I highly suggest that you spend a few days setting up a development VM. You can get free VM images here:

https://developer.microsoft.com/en-us/windows/downloads/virtual-machines/

Are you deploying the driver in a virtual machine? Where are you installing the minifilter?

I am not guessing. I am telling you that this is the connection problem. I knew where to look because your error code (-2147024773) 0x8007007B means it's an invalid name.

A BSOD is progress. Leave that change in there. Your port name is: "\BitPort"

Now you need to track down why it's generating a BSOD

Ok, I think I see the problem. I am not a VB.NET programmer but I think VB.NET does not backslash escape strings.

The C++ code:
const PWSTR ScannerPortName = L"\\BitPort";

Your VB.NET code:
Dim OpenPortNumber = FilterConnectCommunicationPort("\\BitPort", 0, IntPtr.Zero, 0, IntPtr.Zero, OpenPortHandle)

In the C++ language L"\\BitPort" is being escaped to "\BitPort"

So in VB.NET I believe this would be: "\BitPort"

It's difficult tp help people when we can't see your code and development setup. I have to make guesses. :)

I have no idea why you can't connect to the communication port in your VB.NET application. Is it returning an error code?

Are you running your usermode client as Administrator or System? The FltBuildDefaultSecurityDescriptor() function builds a default security descriptor that requires Administrator or System. If you are running your VB.NET application as a normal user then you can set a NULL ACL to allow anyone to connect during the development process.

It's your call. I am just responding to your questions and making suggestions.

Sorry if I was unclear. I was trying to say that you should consider adding:

RtlSetDaclSecurityDescriptor(sd,TRUE,NULL,FALSE);

Before your call to InitializeObjectAttributes() to see if that allowed you to connect to the communication port. Beware that this allows 'Everyone' to connect to the port.

Check if that fixes your connection issues. Unfortunately I am not a .NET programmer so I can't help very much with your VB.NET code.

Well, you probably wouldn't want a rogue program sending IRPs or connecting to your communication port. If your usermode counterpart is a system service then you can restrict access to SYSTEM.

You can sort to output (stdout) with a state machine. No arrays or temporary storage required.

If you are working on a hobby project it probably doesn't matter. But on a commercial security product you might want to consider restricting access to SYSTEM. You should plan/design for this.

It might be easier to give 'everyone' access during the development process. Call it with TRUE,NULL,FALSE to allow 'Everyone'. But make sure that you remember to secure it before release.

I can see your deleted post but can't respond to it. You build the security descriptor but never assign it to your communication port. You need to call RtlSetDaclSecurityDescriptor.

Really strange that you left that part out.

Just rip out the code from the scanner sample to get it up and running:

https://github.com/microsoft/Windows-driver-samples/blob/main/filesys/miniFilter/scanner/filter/scanner.c

Thanks for updating your question. I am still having trouble understanding what exactly you are trying to do. But I think you might be looking for FSCTL_GET_RETRIEVAL_POINTERS

https://docs.microsoft.com/en-us/windows-hardware/drivers/ifs/fsctl-get-retrieval-pointers

No, none of the functions you just listed are callbacks.

Call FltCreateCommunicationPort from your DriverEntry

https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/fltkernel/nf-fltkernel-fltcreatecommunicationport

From your usermode app call FilterConnectCommunicationPort to connect to it

Further reading:
https://docs.microsoft.com/en-us/windows-hardware/drivers/ifs/communication-between-user-mode-and-kernel-mode

No, FltSendMessage does not facilitate pending or cancellation of i/o operations. It's just an api for communicating with usermode. You seem to be having trouble with events, so I think it might be easier for you.

Here is what I would propose for pending/cancellation:
1.) Initialize a non-paged queue with FltCbdqInitialize in your FLT_REGISTRATION instance setup.
2.) When you want to pend an i/o call use FltCbdqInsertIo and add it to the queue created in step 1 and return FLT_PREOP_PENDING

But let's focus on your current issue before discussing that.

There is a contact in the README.

http://stanford.edu/~cpiech/karel/README

You can't take the start physical sector and add the file size to find the end physical sector. Although that might actually work if the file is stored contiguous. File physical sectors are typically scattered all around.

Also, the first sentence in your question is pure gibberish. You ask: "I am investigating how to find out physical address of MFT entry" and then you proceed to ask about the start/end physical sectors by using a manual calculation.

I can see that you have been reading OSR documents. Of course, it's up to you what architecture you want to use in your driver. But I don't think that you need to use this "inverted call model" here. Have you considered using io completion ports via FltCreateCommunicationPort and FltSendMessage instead of an event object to communicate with your usermode app? If you are new to minifilter drivers it might be easier for you.

I honestly feel like the distance between where you currently are... and where you need to be is a great distance away. I would recommend that you focus on a single step at a time. You should focus on getting the driver/usermode communication completed first. Once you get that working I can show you how to use FltCbdqInitialize, FltCbdqInsertIo and FltCbdqRemoveIo to cancel or pend your i/o operations.

How do you want to proceed?

Your filter manager output looks normal. The OSRLOADER program is really old. You should ask Peter Viscarola over in the OSR forum for support with that tool.

Pretty sure the Linux kernel would need to be compiled with CONFIG_RT_GROUP_SCHED to get the features you are looking for.

The default schedule has no real-time capabilities:
https://github.com/torvalds/linux/blob/master/kernel/sched/fair.c

Now you might see why I had a negative opinion of the code associated with your P&V article. I've never seen anyone attempt to manage threads like that. Looks like it's not even possible on Linux unless the kernel is compiled with the real-time extensions.

Are you saying that the Microsoft code sample is causing you to BSOD?

https://github.com/Microsoft/Windows-driver-samples/tree/master/general/event

That doesn't sound right. Can you show me the output of Fltmc.exe

Open a command prompt as Administrator and type fltmc.exe and show me the output.

Yeah, man2 covers syscalls, man3 covers usermode libs or something.

I believe setting the RLIMIT_NICE would allow your app to raise it's own priority. I'm super rusty on Linux stuff as I'm mostly a Windows guy. But I have used setrlimit() in the past. Let me know how it works out.

Do you still need help with this? You never reference the HANDLE that you pass. Shouldn't you be calling ObReferenceObjectByHandle on the HANDLE that you pass to your device driver?

It should fix your nice/priority EPERM issue. But I don't think you can use SCHED_RR on WSL though.

Have you tried calling setrlimit() to set the RLIMIT_NICE limit?

Happy to see you solved it, congratulations.

Yep, for some reason I can see deleted posts here. Your warning was a missing parameter in your callback.

You want the drive letter? Have you tried IoVolumeDeviceToDosName?

https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/ntddk/nf-ntddk-iovolumedevicetodosname

From kernelmode you can use the FltQueryInformationFile function to get most info about the file and reassemble the file path.

https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/fltkernel/nf-fltkernel-fltqueryinformationfile

Edit: There are a dozen ways to do this, you can use this one too
https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/fltkernel/nf-fltkernel-fltparsefilenameinformation

The error message is telling you exactly what is wrong. It's telling you the function parameters do not match. Look closely at the error message. Do you see your callback function in the error message has only three parameters. The callback signature is on the MSDN site:

https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/fltkernel/nc-fltkernel-pflt_post_operation_callback

That's what causes your C4113 warning.

Thanks, but I don't answer questions for internet points.

Good luck with your project. What is your relationship with the original poster? Are you coworkers?

I'm not going to design your driver/kernel communication protocol for you. I will simply say that you can set/unset and share events.

Code sample is here:
https://github.com/Microsoft/Windows-driver-samples/tree/master/general/event

You need to learn how to read the documentation before asking for help. The answer to your question is right there in the docs.

"For a new process, the CreateProcessNotifyEx routine is called after the initial thread is created, but before the thread begins running."

Obviously the code has been mapped at that point in time.

That looks to be from a minifilter driver. That's exactly what I recommend to block process creation before it occurs. It would also potentially allow you to block malware DLL/libs from loading into a process.

What you would be doing here is catching it as it's being mapped into memory.

[My recommendations]
If your goal is to block process creation I would recommend a minifilter driver. You should want to catch it *before* it executes from the file level.

Code samples are here: https://docs.microsoft.com/en-us/windows-hardware/drivers/samples/file-system-driver-samples

You would want to filter IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION and look for anything being mapped into memory with PAGE_EXECUTE.

[Your current code]
With your current kernel driver you can set the CreationStatus in the PS_CREATE_NOTIFY_INFO structure to block the process creation.

[Your question about event objects]
Your question about events... I would recommend creating an event in the 'Global Namespace' to signal between your malware driver/service.

https://docs.microsoft.com/en-us/windows/win32/termserv/kernel-object-namespaces

[Events between driver/usermode]
https://github.com/Microsoft/Windows-driver-samples/tree/master/general/event

There is a code sample for just about every scenario. Just keep experimenting/exploring and asking questions.

Use the IOCTL sample as a starting point. Don't forget about potential security issues. Further reading: https://docs.microsoft.com/en-us/windows-hardware/drivers/kernel/security-issues-for-i-o-control-codes

You never checked to make sure it's safe to write to the address. You just created a driver that can patch any memory address. Before writing to usermode addresses you must call MmGetSystemAddressForMdlSafe. :)

You could reduce all that down to a single line. Have a look at std::count_if

What is the DLL path? Check to see if folder redirection applies. If so then have a look at Wow64DisableWow64FsRedirection

Hi,

I don't know what you are working on but using PostMessage to for automation is bound to fail. I would suggest that you take a look at Microsoft Active Accessibility which is designed to assist disabled people play games and use the computer.

https://docs.microsoft.com/en-us/windows/win32/winauto/microsoft-active-accessibility

Chromium supports these COM interfaces but you need to enable it in the browser:
https://www.chromium.org/developers/design-documents/accessibility

MFC DLLs are actually required to be a CWinApp derived class.

COM is actively being used in Windows 10 and will not be going away anytime soon. Some of the new system services within Windows 10 have decided to go with COM/DCOM. Some of the major frameworks such as WinRT are actually COM based. You have no idea how much COM is used internally...

I do agree with you that it's used much less outside of Microsoft. Which is unfortunate because it's very robust and well designed.

By the way... the Wikipedia article you are linking to is referring to the base32 transfer encoding... not the duotrigesimal number system.

Well by following what you just said... it could also be Base16 with "programmer chosen character encoding"

Anyway I am willing to bet money that it's BASE36 encoded. The BASE36 encodings and above are the only systems that contain the letter Z.

It can't be BASE32 because it contains the letter Z. Base32 is typically encoded as 0-9 and letters A through V.

This has absolutely nothing to do with DirectX or XAML.

Actually... I believe the older version of "Visual Studio .NET 2003" has a built-in wizard to convert your VBA/VB6 projects to VB.NET and there is also a VB.NET conversion tool to further convert those projects to C#

Can you visualize a chess board? Can you imagine walking across a large chess board and painting each square red as you step on each square? You can visualize the Dijkstra algorithm and many other graph algorithms by coloring each visited node.

You should refer to the Microsoft documentation for Early Launch Anti-Malware and have a look at the code sample:

https://github.com/Microsoft/Windows-driver-samples/tree/master/security/elam

The instructions for installing as a system service is there.

I do not have an answer for the second part of your question; You are asking me to define what 'Anti-Malware' covers.

Keep in mind that there is a difference between 'University Research Projects' and commercial product development. If your team intends to release a commercial product there are many prerequisites:

https://docs.microsoft.com/en-us/windows-hardware/drivers/install/elam-prerequisites

Best Wishes,
-David Delaune

There is no such thing as a stupid question. Everyone has to start somewhere.

Yes, if you plan on supporting outdated operating systems such as Windows XP and a modern OS then you will most likely need to implement multiple techniques.

I believe protected processes are only supported on Vista and above. There are additional requirements for Windows 10... it's a moving target.

In the old XP days it was common for nearly all commercial security vendors to implement SSDT hook of NtTerminateProcess and NtCreateProcess via device driver to both protect the anti-malware process and filter process creation/termination. Today these techniques are frowned upon and completely unsupported. You cannot do this on Vista+ operating systems due to KPP/PatchGuard.

Again, the only Microsoft sanctioned technique for protecting a process is the Microsoft ELAM program outlined in my solution above.

Yep,

Here is what Stephan T. Lavavej had to say about low cout performance in MS Visual C++:

https://connect.microsoft.com/VisualStudio/feedback/details/642876/std-wcout-is-ten-times-slower-than-wprintf-performance-bug-in-c-library

Looks like the problem still exists here in 2017 :)

Best Wishes,
-David Delaune

First: There are two ways to kill a process on Microsoft Windows.

1.) Nicely with a WM_CLOSE message.
2.) Forcefully with a TerminateProcess which kills and destroys the process potentially leaving much of the processes handles and objects remaining in the kernel. In other words this one can cause a resource leak.

To handle the NICE method: For Windows XP you simply need to handle/intercept the WM_CLOSE window message in a GUI app or the CTRL_CLOSE_EVENT on a console application to prevent 'End Task' from the Windows XP Task manager.

Task manager on Windows XP calls the EndTask function to kill a process.
https://msdn.microsoft.com/en-us/library/windows/desktop/ms633492(v=vs.85).aspx

The forceful method to kill a process: To prevent your process from the forced termination on Windows XP you can hook NtTerminateProcess from a kernel-mode device driver and filter by process id (PID).

You are encouraged to not do these things... the method I gave in my original answer is how anti-virus and security products protect their usermode process. My original answer is the only Microsoft sanctioned method for protecting a process from usermode termination.

Best Wishes,
-David Delaune

Hi.

Keep in mind that Microsoft periodically issues out "ActiveX Kill Bits" which may or may not be your problem.

https://blogs.msdn.microsoft.com/vsod/2009/06/04/visual-basic-6-controls-stop-working-after-security-advisory-960715/

It appears that you do not understand the documentation. For some reason this misinformation keeps propagating here on codeproject due to 'experts' repeating this misinformation. Please review this old discussion[^]

I would suggest that you use a HTTP sniffer like "Fiddler" or a packet sniffer like "WireShark" to check the raw response.

This is not true. You've been saying this same thing so many for years...

Sounds like you are trying to send binary data in TEXT mode... which can be 7 bits with 1 used as the odd parity bit.

Yes, you are more than a decade behind. You appear to have reached that point in Win32 development where you have just enough knowledge to get yourself in trouble.

Read all of this:

https://msdn.microsoft.com/en-us/library/ms810439.aspx

(Note the date of 1993)

Scroll down to these parts:
How Multiple Threads Affect Window Management
The Effects of Multiple Threads on Message Routing

There are some things that are not mentioned in that document...

When you do this from a worker thread:

mainThread->DoSomething();

Guess where all the window messages for your worker thread are going? To your main thread for the duration of the call.

Don't ever reach across threads to execute code from a GUI worker threads.

Follow these rules:
1.) Only create and manage windows from your main thread.
2.) Never reach across GUI threads to execute code: somethread->DoSomething(); Instead Post a message to your thread instructing it to DoSomething();

You need to call the Windows API DeleteObject() to delete the GDI object. I am not a VB.NET programmer so I don't know if you have this built into your framework. Try to pInvoke it and see what happens.

Did you search here on codeproject?
https://www.codeproject.com/Articles/85391/Microsoft-Visual-C-Static-and-Dynamic-Libraries

Shouldn't you contact Integrated Biometrics for support?
For what it's worth... I suspect KarstenK is correct and that you need to install the Visual C++ Redistributable for whatever Visual Studio version the DLL was compiled with. You can avoid this by using a static linked DLL.

https://support.microsoft.com/en-us/help/2977003/the-latest-supported-visual-c-downloads

Hi,

Have you considered disabling visual styles *only* for your checkbox? SetWindowTheme(YourCheckHwnd, L"", L"");

Hi,

If the file begins with 0x0100 then it is not a standard Windows ANI file. I remember back in the late 90's 3D Studio Max and other 3D tools had some plugins that exported 3D animations into a file with the ANI extension. There were several game engines using these *.ani files.

Hi, COM and DCOM are not considered obsolete at Microsoft. We are still utilizing this technology on new architectures including WinRT.

Best Wishes,
-David Delaune

Hi,

As the others have hinted at... on a 64 bit OS running a 32 bit application... you will need to add the flag KEY_WOW64_64KEY depending on the return value of IsWow64Process()

Best Wishes,
-David Delaune

No way.
I have no idea why I thought it was a splitter window yesterday when I answered your question. Let me look into this today and I'll update my answer.

Outstanding. That is an excellent table. Of course there would be a German somewhere in the world taking the time to document nearly 2500 diagnostic interfaces. Although it looks like most of the information was ripped from ScanTool.NET :)

Jochen,
I am very happy to see that there are others out there that rememember that you can check or send your POP3 e-mail via telnet. :)

Hi,
I realize that English is not your native tongue. If you are looking for the right terminology for a search engine it would be "datasheet". Typically you should search for "[microcontroller name] datasheet" in your favorite search engine. Keep in mind that some microcontrollers are proprietary (secret) and the datasheets might not be in the public domain.

The information you gave is useful and it explains 'binary mode' versus 'text mode' and newline translation quite well.

Yes, if both variables are l-value then there is no trick for avoiding an erroneous assignment.

Left operand must be l-value.

Hi,

Sorry for the late reply. I was out of the office today. Is there any reason for using the STRETCH_DELETESCANS mode? Could you try using HALFTONE? The HALFTONE mode will give a higher quality stretch blit.

Beware of the darkside. Stopped they must be; on this all depends. Yoda conditions I recommend.

There seems to be an echo in the room. :)

Thank you. I really appreciate your feedback.

Creating a new thread on each new connection at a connection rate of 10/sec is not a problem? Do you really believe this? Each thread will consume 1MB memory for stack space and the rapid creation/deletion of threads will negatively influence context switching and page faults. It is not a very good design for a high-load server. As Jack suggested he should consider using a thread pool.

I would consider the WaitForSingleObject inside the OnAccept() a design flaw and this is what probably caused him to come ask for help. I am very happy to assist him and to also include other suggestions about architectural design changes.

But your profile says that you are from the United States. :)

Your screenshot is going to be very small with only a single BYTE to store the bitmap bits. :)

Just wanted to add a little more history behind the AX register.

In the old days... dinosaurs programming on 8 bit processors used the A register... with A meaning Accumulator.
Then 16 bit processors were created... the A register was eXtended... and named AX.
Then 32 bit processors were created and we had to Extend the A register that was already eXtended and named EAX.

And then the 64 bit processor was created and... I have no idea why they called it RAX...

The codeproject javascript editor is really buggy... it was modifying my c++ code... had to fix it twice.

My instincts are telling me that this is homework... because it is somewhat of a trick question. As Chuck points out... its impossible to give a correct answer without first knowing the date format.

Hi Tomazas,

It appears that the linker is unable to find the dynamic-run-time version of the std::string inside your Test:: class and then std::iostream inside your ::sentry class.

Then check to see if you have /NODEFAULTLIB enabled... if so... remove that compile flag. The error message implies that you are linking with the dynamic version of the C++ Runtime. As I told you before... make sure that *everything*... is using the same run-time.

http://msdn.microsoft.com/en-us/library/2kzt1wy3(v=vs.80).aspx

Hi,

I am happy to see that you have almost fixed the linker error. I also recognize your second problem:

unresolved external symbol ___security_cookie referenced in function

That is the security stack cookies... it looks like the OpenSSL library was compiled with /GS (Buffer Security Check)
http://msdn.microsoft.com/en-us/library/8dbf701c(v=vs.80).aspx

Modify your project to include /GS and everything should be fine.

If you are using an outdated compiler without support for /GS stack cookies... then you will need to compile OpenSSL yourself.

Best Wishes,
-David Delaune

Hi,
Very interesting how you have obtained over 7k Organiser reputation points in under a month. I wonder if someone has been playing with libcURL. It is a pitty that codeproject has become a reputation video game. I have suddenly become keenly interested in the binary you uploaded.

[Update]
The binary you uploaded was created with the NSIS installer: http://nsis.sourceforge.net
It drops an executable into the TMP folder and executes it.

Hi,
Do you really expect people to download and execute a random application off the internet uploaded by a user named 'Member 8397946'?
Anyway I am not certain that I understand what you are trying to do. If you are attempting to embed a binary/text file into your executable then perhaps you should begin by reading the XResFile series written by the under-appreciated Hans Dietrich.

http://www.codeproject.com/KB/files/XResFilePt1.aspx

Jack,

You need to describe what you have accomplished so far and what problems you are having. In the C language you can compare characters as if they are numbers such as: char vowels[] = {'a', 'e', 'i', 'o', 'u'}; if('a' == vowels[0]) {/*...*/}

Hi,

I have updated my answer to #include some information about color depth and safe color palettes.

Best Wishes,
-David Delaune

The project window will not show color-key transparency, how would it know what color to make transparent? You can use the TransparentBlt function at run-time to paint with transparency. It appears that your color key is RGB(255,0,255) but you should probably make sure.

He is apparently showing some VB script utilizing the firewall manager for removing an application firewall rule and asking how to implement the same thing under COM with the C++ language. (I have updated the original question to make it more clear)

Congratulations,

I am happy to hear that you have worked it all out.

Yes you are correct. The NT kernel PE loader allocates and maps the PE image into an address space then walks through the InLoadOrderModuleList and maps/rebases/performs various other voodoo magic and eventually starts a single non-gui thread beginning execution at the AddressOfEntryPoint. When the thread performs the first GDI syscall it gets promoted into a GUI thread with a message queue.

I did not understand your second question. All usermode processes must have at least one thread or they will not be given any cpu time by the nt scheduler. A process without any executing threads are called zombie process.

Best Wishes,
-David Delaune

I will try to answer both of questions:

1.) Yes the above code will iterate through all system threads. You should consider a process as a parent for many threads. 1 process can have many threads. There is no such thing as the 'main thread'. Anybody that tells you otherwise is wrong. Some software engineers will refer to the 'main thread' as the thread owning the top level window. However Microsoft Windows allows a process to have multiple top level windows.

2.) As I mentioned above the NT architecture does not have a 'main thread' for a process. However... if you want to be adventurous and consider the 'first thread' as the 'main thread' then you can use the code I previously gave you and call the GetThreadTimes function and read the lpCreationTime. The thread belonging to the process with the earliest creation time might be what you are looking for in most cases.

If you want to avoid enumerating ALL threads in the system... [REMOVED]
[UPDATE]
I removed the undocumented stuff. Don't bother with anything undocumented. You gain nothing from it. Even if you use NtQuerySystemInformation or NtQueryInformationProcess all it does is cause the kernel to iterate through these same internal linked lists internally. Just use the Toolhelp code above to enumerate process threads.

Best Wishes,
-David Delaune

Yep, you are of course correct. I was referring to the PostThreadMessage function which is what the OP said he was using. You can use this to post thread messages to console applications without the need for a window.

There is no need to create a hidden window. Any thread is promoted to a GUI thread as soon as it makes a GDI call. One caveat though... you will need to manually pump the message queue just like you do in a pure Win32 project.

1.) No, a process begins as a single thread.

2.) The question itself is nonsensical. A better question would be how to enumerate all threads belonging to the process. You could do something like:

#include <tlhelp32.h>
DWORD dwYourPIDToCompare = 0;
THREADENTRY32 te32;
te32.dwSize = sizeof(THREADENTRY32);

HANDLE hThreadSnap = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD,0);
if(INVALID_HANDLE_VALUE != hThreadSnap)
{
if(Thread32First(hThreadSnap, &te32))
{
do
{
if(te32.th32OwnerProcessID == dwYourPIDToCompare)
{
//This thread belongs to the process
}
} while(Thread32Next(hThreadSnap, &te32));
CloseHandle(hThreadSnap);
}
}

Actually you are doing exactly as I described. When you call GetMessage() it invokes NtUserGetMessage which internally invokes a win32k syscall above 0x1000. But I guess that is besides the point. I apologize for complicating the issue, I did not fully read your question. I will try to answer all points:

1.) Yes.. there are many IPC techniques... pipes, memory maps... mailslots... sockets and the message subsystem are a few. Pick your poison.
2.) GetCurrentThreadId will get the current thread ID but it looks like you already know this. If you have a window handle and want to know both the thread ID and process id use GetWindowThreadProcessId()
3.) A process *can* have more than 1 thread. When the other program sends you a message... use GetWindowThreadProcessId to get both the thread ID and process ID from the window handle.
4.) No, a thread ID is not the same as a process ID.

Best Wishes,
-David Delaune

A console application does not have a message queue! You will need to perform some hacktastic wizardry to force the NT kernel into calling PsConvertToGuiThread() You can accomplish this by invoking a win32k syscall with an index greater or equal to the NtGdiAbortDoc index. After you make the syscall the kernel will promote your main thread into a GUI thread, increase the stack size and give your thread a message queue.

As I stated previously using WM_SETTINGCHANGE to change these settings is undocumented and should probably be avoided. You do realize that virtual address pointing to the string only exists in the process calling the SendNotifyMessage function right? I reiterate my previous advice... you should probably use IInternetZoneManager::SetZoneActionPolicy() to modify these settings.

P.S. The format of these 'Quick Answers' is very awkward when we enter these lengthy discussions. The original question has already been addressed.

Best Wishes,
-David Delaune

Hi,

I believe the hidden Internet Explorer window responds to a WM_SETTINGCHANGE message but I also think the the parameters are undocumented. I believe the LPARAM should be a pointer to a string containing the registry path if I remember correctly. You should probably just scrap all of this code and instead use IInternetZoneManager::SetZoneActionPolicy() to change this setting.

Best Wishes,
-David Delaune

The value IPType will be returned by the SQL database. You will need to show more code if you want a C++ answer. If your looking for a SQL answer it could be: "SELECT ISNULL(MAX(IPType), 0) FROM tblURLIP WHERE IP = '%s'"

Best Wishes,
-David Delaune

If ipSrc is NULL then "0" is the string that will be written into the format tag: '%s'

Best Wishes,
-David Delaune

Sounds like you need to add: #define BUFFER_SIZE 1024

If your getting an error "No storage class or type specifier" then that would imply that you are missing a type definition. Make sure you are #including windows.h which will pull in the windef.h header. Also make sure you #define BUFFER_SIZE

The value that is written into the registry is here:

*((LPDWORD)data) = 0;

It essentially casts the pointer from the BYTE array into a pointer to a DWORD and then sets the value to zero.

Best Wishes,
-David Delaune

I was contacted by a member here regarding this code sample. You have my apology for the poorly written and leaky code sample. I have updated the sample.

Best Wishes,
-David Delaune

Just a quick comment:
A probable reason for Microsofts decision to deprecate most of those C functions is security related. Several years ago a statistical analysis was performed on application exploits and the majority were caused by buffer overflows. So rather than depend on the language committee I guess they wanted to be independantly pro-active. The new secure CRT functions along with /GS stack cookies were the result. While I agree that Microsoft does not (and should not) have the authority to deprecate standard functions... I completely understand their reasoning behind doing so.

Whoops... sorry. For some reason when I read your question I thought you wanted to know what version of VS the executable was generated by. The answer by JF2015 is correct... you can check the _MSC_VER value at compile time.