
Comments by Randor (Top 130 by date)

Randor 21-Jul-22 11:15am View
I also see where you call ExAllocatePoolWithTag but you never release the memory. Can you confirm?

You could use the stack here with RtlInitUnicodeString and pass it a local WCHAR array of [260] since you seem to be checking for that length.
Randor 21-Jul-22 10:11am View
Can you upload it somewhere so I can see more code?
Randor 21-Jul-22 5:41am View
Have a look at RtlInitUnicodeString to initialize your UNICODE_STRING
Randor 20-Jul-22 8:41am View
I can help you with the kernelmode code and anything C/C++ or assembler. But I know very little about VB.NET so I won't be much help there.

Codeproject has a VB.NET forum, I think a few members can help you if the need arises. :)
Randor 20-Jul-22 5:02am View
Ok, next you will need to design a structure to send to your usermode application. You will be using FltSendMessage. Design a C struct with file path and other things you would be interested in inspecting from usermode.

I also highly recommend adding some code to reduce the filtering scope. I recommended adding the ability to exclude or include paths to monitor.
Randor 19-Jul-22 5:48am View
I can't see your code. Could you verify that you can connect to the communication port from your usermode application?
Randor 11-Jul-22 3:27am View
I am observing a lot of very fundamental mistakes in your C code such as reading the value of uninitialized variables. I would recommend that you improve your C language skills. It's highly unusual to see those types of mistakes. Your compiler should be warning you.

Don't be discouraged, everyone has to start somewhere. Everyone has been in your shoes, keep experimenting and you will see progress.

In the C language an 'assert' throws an error.
Randor 29-Jun-22 15:18pm View
Look at your code:

PFLT_PORT ClientPort;
FLT_ASSERT(ClientPort == NULL);

Can you tell me what the value of your ClientPort is when you never initialize it? Do you know what FLT_ASSERT does?
Randor 26-Jun-22 4:23am View
You can write a BOM (byte order mark) at the beginning of the file. This will tell Notepad and other text editors about the Unicode text encoding. This should allow your text file to be displayed properly in various text editors.
Randor 24-Jun-22 19:30pm View
That's not possible. std::wofstream cannot throw a std::basic_ofstream<char> error if you are passing a wstring filename.
Randor 24-Jun-22 19:21pm View
You probably meant to recommend std::wofstream
Randor 17-Jun-22 5:44am View
Set up your symbols, check my last message.

You can also use the .sympath command to manual load the paths.

If you add the path to your driver PDB this will make your WinDbg session usable.
Randor 17-Jun-22 5:40am View
You need to set up your symbols:

Also add the path to your driver PDB file.
Randor 14-Jun-22 20:10pm View
You should probably let Chris know. He specifically asked about this in the Bugs forum.
Randor 14-Jun-22 19:27pm View
Test 2
Randor 14-Jun-22 19:23pm View
Test (notification).
Randor 11-Jun-22 2:35am View
You should just take my advice. The Windows operating system is continually writing data into the registry and other very important places. It's just a matter of time before a BSOD occurs and the data is half written.

There are other benefits to deploying your driver to a VM, you can set up WinDbg and see the exact place causing the BSOD
Randor 11-Jun-22 2:10am View
Don't see anything but if I were debugging it I would comment out all that code in your ScannerPortConnect() function. Hollow it out and just leave the paged_code macro, unreferenced macros and DbgPrint
Randor 11-Jun-22 2:08am View
You can't develop a minifilter on your localhost, you will have a very high risk of being locked out of your operating system. I highly suggest that you spend a few days setting up a development VM. You can get free VM images here:
Randor 11-Jun-22 2:00am View
Are you deploying the driver in a virtual machine? Where are you installing the minifilter?
Randor 11-Jun-22 1:54am View
I am not guessing. I am telling you that this is the connection problem. I knew where to look because your error code (-2147024773) 0x8007007B means it's an invalid name.

A BSOD is progress. Leave that change in there. Your port name is: "\BitPort"

Now you need to track down why it's generating a BSOD
Randor 11-Jun-22 1:44am View
Ok, I think I see the problem. I am not a VB.NET programmer but I think VB.NET does not backslash escape strings.

The C++ code:
const PWSTR ScannerPortName = L"\\BitPort";

Your VB.NET code:
Dim OpenPortNumber = FilterConnectCommunicationPort("\\BitPort", 0, IntPtr.Zero, 0, IntPtr.Zero, OpenPortHandle)

In the C++ language L"\\BitPort" is being escaped to "\BitPort"

So in VB.NET I believe this would be: "\BitPort"
Randor 11-Jun-22 1:07am View
It's difficult to help people when we can't see your code and development setup. I have to make guesses. :)

I have no idea why you can't connect to the communication port in your VB.NET application. Is it returning an error code?
Randor 11-Jun-22 0:57am View
Are you running your usermode client as Administrator or System? The FltBuildDefaultSecurityDescriptor() function builds a default security descriptor that requires Administrator or System. If you are running your VB.NET application as a normal user then you can set a NULL ACL to allow anyone to connect during the development process.

It's your call. I am just responding to your questions and making suggestions.
Randor 11-Jun-22 0:27am View
Sorry if I was unclear. I was trying to say that you should consider adding:


Before your call to InitializeObjectAttributes() to see if that allowed you to connect to the communication port. Beware that this allows 'Everyone' to connect to the port.

Check if that fixes your connection issues. Unfortunately I am not a .NET programmer so I can't help very much with your VB.NET code.
Randor 10-Jun-22 18:19pm View
Well, you probably wouldn't want a rogue program sending IRPs or connecting to your communication port. If your usermode counterpart is a system service then you can restrict access to SYSTEM.
Randor 10-Jun-22 17:50pm View
You can sort to output (stdout) with a state machine. No arrays or temporary storage required.
Randor 10-Jun-22 16:58pm View
If you are working on a hobby project it probably doesn't matter. But on a commercial security product you might want to consider restricting access to SYSTEM. You should plan/design for this.
Randor 10-Jun-22 14:27pm View
It might be easier to give 'everyone' access during the development process. Call it with TRUE,NULL,FALSE to allow 'Everyone'. But make sure that you remember to secure it before release.
Randor 10-Jun-22 13:43pm View
I can see your deleted post but can't respond to it. You build the security descriptor but never assign it to your communication port. You need to call RtlSetDaclSecurityDescriptor.

Really strange that you left that part out.
Randor 8-Jun-22 1:31am View
Just rip out the code from the scanner sample to get it up and running:
Randor 8-Jun-22 0:55am View
Thanks for updating your question. I am still having trouble understanding what exactly you are trying to do. But I think you might be looking for FSCTL_GET_RETRIEVAL_POINTERS
Randor 8-Jun-22 0:45am View
No, none of the functions you just listed are callbacks.

Call FltCreateCommunicationPort from your DriverEntry

From your usermode app call FilterConnectCommunicationPort to connect to it

Further reading:
Randor 8-Jun-22 0:10am View
No, FltSendMessage does not facilitate pending or cancellation of i/o operations. It's just an api for communicating with usermode. You seem to be having trouble with events, so I think it might be easier for you.

Here is what I would propose for pending/cancellation:
1.) Initialize a non-paged queue with FltCbdqInitialize in your FLT_REGISTRATION instance setup.
2.) When you want to pend an i/o call use FltCbdqInsertIo and add it to the queue created in step 1 and return FLT_PREOP_PENDING

But let's focus on your current issue before discussing that.
Randor 7-Jun-22 23:16pm View
There is a contact in the README.
Randor 7-Jun-22 19:31pm View
You can't take the start physical sector and add the file size to find the end physical sector. Although that might actually work if the file is stored contiguous. File physical sectors are typically scattered all around.

Also, the first sentence in your question is pure gibberish. You ask: "I am investigating how to find out physical address of MFT entry" and then you proceed to ask about the start/end physical sectors by using a manual calculation.
Randor 7-Jun-22 19:16pm View
I can see that you have been reading OSR documents. Of course, it's up to you what architecture you want to use in your driver. But I don't think that you need to use this "inverted call model" here. Have you considered using io completion ports via FltCreateCommunicationPort and FltSendMessage instead of an event object to communicate with your usermode app? If you are new to minifilter drivers it might be easier for you.

I honestly feel like the distance between where you currently are... and where you need to be is a great distance away. I would recommend that you focus on a single step at a time. You should focus on getting the driver/usermode communication completed first. Once you get that working I can show you how to use FltCbdqInitialize, FltCbdqInsertIo and FltCbdqRemoveIo to cancel or pend your i/o operations.

How do you want to proceed?
Randor 7-Jun-22 19:14pm View
Your filter manager output looks normal. The OSRLOADER program is really old. You should ask Peter Viscarola over in the OSR forum for support with that tool.
Randor 3-Jun-22 8:32am View
Pretty sure the Linux kernel would need to be compiled with CONFIG_RT_GROUP_SCHED to get the features you are looking for.

The default schedule has no real-time capabilities:
Randor 3-Jun-22 8:02am View
Now you might see why I had a negative opinion of the code associated with your P&V article. I've never seen anyone attempt to manage threads like that. Looks like it's not even possible on Linux unless the kernel is compiled with the real-time extensions.
Randor 3-Jun-22 7:53am View
Are you saying that the Microsoft code sample is causing you to BSOD?

That doesn't sound right. Can you show me the output of Fltmc.exe

Open a command prompt as Administrator and type fltmc.exe and show me the output.
Randor 2-Jun-22 19:22pm View
Yeah, man2 covers syscalls, man3 covers usermode libs or something.

I believe setting the RLIMIT_NICE would allow your app to raise its own priority. I'm super rusty on Linux stuff as I'm mostly a Windows guy. But I have used setrlimit() in the past. Let me know how it works out.
Randor 2-Jun-22 17:07pm View
Do you still need help with this? You never reference the HANDLE that you pass. Shouldn't you be calling ObReferenceObjectByHandle on the HANDLE that you pass to your device driver?
Randor 2-Jun-22 16:49pm View
It should fix your nice/priority EPERM issue. But I don't think you can use SCHED_RR on WSL though.
Randor 2-Jun-22 16:10pm View
Have you tried calling setrlimit() to set the RLIMIT_NICE limit?
Randor 16-May-22 1:45am View
Happy to see you solved it, congratulations.
Randor 14-May-22 16:49pm View
Yep, for some reason I can see deleted posts here. Your warning was a missing parameter in your callback.
Randor 14-May-22 16:27pm View
You want the drive letter? Have you tried IoVolumeDeviceToDosName?
Randor 12-May-22 2:36am View
From kernelmode you can use the FltQueryInformationFile function to get most info about the file and reassemble the file path.

Edit: There are a dozen ways to do this, you can use this one too
Randor 12-May-22 2:18am View
The error message is telling you exactly what is wrong. It's telling you the function parameters do not match. Look closely at the error message. Do you see that your callback function in the error message has only three parameters? The callback signature is on the MSDN site:

That's what causes your C4113 warning.
Randor 11-May-22 16:34pm View
Thanks, but I don't answer questions for internet points.

Good luck with your project. What is your relationship with the original poster? Are you coworkers?
Randor 11-May-22 0:53am View
I'm not going to design your driver/kernel communication protocol for you. I will simply say that you can set/unset and share events.

Code sample is here:
Randor 11-May-22 0:48am View
You need to learn how to read the documentation before asking for help. The answer to your question is right there in the docs.

"For a new process, the CreateProcessNotifyEx routine is called after the initial thread is created, but before the thread begins running."

Obviously the code has been mapped at that point in time.
Randor 11-May-22 0:37am View
That looks to be from a minifilter driver. That's exactly what I recommend to block process creation before it occurs. It would also potentially allow you to block malware DLL/libs from loading into a process.

What you would be doing here is catching it as it's being mapped into memory.
Randor 11-May-22 0:23am View
[My recommendations]
If your goal is to block process creation I would recommend a minifilter driver. You should want to catch it *before* it executes from the file level.

Code samples are here:

You would want to filter IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION and look for anything being mapped into memory with PAGE_EXECUTE.

[Your current code]
With your current kernel driver you can set the CreationStatus in the PS_CREATE_NOTIFY_INFO structure to block the process creation.

[Your question about event objects]
Your question about events... I would recommend creating an event in the 'Global Namespace' to signal between your malware driver/service.

[Events between driver/usermode]

There is a code sample for just about every scenario. Just keep experimenting/exploring and asking questions.
Randor 5-May-22 5:48am View
Use the IOCTL sample as a starting point. Don't forget about potential security issues. Further reading:
Randor 5-May-22 5:16am View
You never checked to make sure it's safe to write to the address. You just created a driver that can patch any memory address. Before writing to usermode addresses you must call MmGetSystemAddressForMdlSafe. :)
Randor 4-May-22 14:25pm View
You could reduce all that down to a single line. Have a look at std::count_if
Randor 10-Feb-22 4:21am View
What is the DLL path? Check to see if folder redirection applies. If so then have a look at Wow64DisableWow64FsRedirection
Randor 5-Dec-20 6:06am View

I don't know what you are working on but using PostMessage for automation is bound to fail. I would suggest that you take a look at Microsoft Active Accessibility which is designed to assist disabled people play games and use the computer.

Chromium supports these COM interfaces but you need to enable it in the browser:
Randor 15-Aug-20 15:54pm View
MFC DLLs are actually required to be a CWinApp derived class.
Randor 25-Nov-19 21:59pm View
COM is actively being used in Windows 10 and will not be going away anytime soon. Some of the new system services within Windows 10 have decided to go with COM/DCOM. Some of the major frameworks such as WinRT are actually COM based. You have no idea how much COM is used internally...

I do agree with you that it's used much less outside of Microsoft. Which is unfortunate because it's very robust and well designed.
Randor 3-May-19 4:21am View
By the way... the Wikipedia article you are linking to is referring to the base32 transfer encoding... not the duotrigesimal number system.
Randor 2-May-19 19:57pm View
Well by following what you just said... it could also be Base16 with "programmer chosen character encoding"

Anyway I am willing to bet money that it's BASE36 encoded. The BASE36 encodings and above are the only systems that contain the letter Z.
Randor 2-May-19 19:39pm View
It can't be BASE32 because it contains the letter Z. Base32 is typically encoded as 0-9 and letters A through V.
Randor 9-Feb-18 23:25pm View
When developing device drivers... WinDbg is your friend.
Randor 9-Feb-18 23:24pm View
When developing device drivers... WinDbg is your friend.
Randor 13-Dec-17 17:47pm View
This has absolutely nothing to do with DirectX or XAML.
Randor 22-Nov-17 11:41am View
Actually... I believe the older version of "Visual Studio .NET 2003" has a built-in wizard to convert your VBA/VB6 projects to VB.NET and there is also a VB.NET conversion tool to further convert those projects to C#
Randor 21-Nov-17 8:58am View
Can you visualize a chess board? Can you imagine walking across a large chess board and painting each square red as you step on each square? You can visualize the Dijkstra algorithm and many other graph algorithms by coloring each visited node.
Randor 7-Jul-17 8:31am View
You should refer to the Microsoft documentation for Early Launch Anti-Malware and have a look at the code sample:

The instructions for installing as a system service are there.

I do not have an answer for the second part of your question; You are asking me to define what 'Anti-Malware' covers.

Keep in mind that there is a difference between 'University Research Projects' and commercial product development. If your team intends to release a commercial product there are many prerequisites:

Best Wishes,
-David Delaune
Randor 6-Jul-17 17:21pm View
There is no such thing as a stupid question. Everyone has to start somewhere.

Yes, if you plan on supporting outdated operating systems such as Windows XP and a modern OS then you will most likely need to implement multiple techniques.

I believe protected processes are only supported on Vista and above. There are additional requirements for Windows 10... it's a moving target.

In the old XP days it was common for nearly all commercial security vendors to implement SSDT hook of NtTerminateProcess and NtCreateProcess via device driver to both protect the anti-malware process and filter process creation/termination. Today these techniques are frowned upon and completely unsupported. You cannot do this on Vista+ operating systems due to KPP/PatchGuard.

Again, the only Microsoft sanctioned technique for protecting a process is the Microsoft ELAM program outlined in my solution above.
Randor 5-Jul-17 9:02am View

Here is what Stephan T. Lavavej had to say about low cout performance in MS Visual C++:

Looks like the problem still exists here in 2017 :)

Best Wishes,
-David Delaune
Randor 4-Jul-17 9:38am View
First: There are two ways to kill a process on Microsoft Windows.

1.) Nicely with a WM_CLOSE message.
2.) Forcefully with a TerminateProcess which kills and destroys the process, potentially leaving much of the process's handles and objects remaining in the kernel. In other words this one can cause a resource leak.

To handle the NICE method: For Windows XP you simply need to handle/intercept the WM_CLOSE window message in a GUI app or the CTRL_CLOSE_EVENT on a console application to prevent 'End Task' from the Windows XP Task manager.

Task manager on Windows XP calls the EndTask function to kill a process.

The forceful method to kill a process: To prevent your process from the forced termination on Windows XP you can hook NtTerminateProcess from a kernel-mode device driver and filter by process id (PID).

You are encouraged to not do these things... the method I gave in my original answer is how anti-virus and security products protect their usermode process. My original answer is the only Microsoft sanctioned method for protecting a process from usermode termination.

Best Wishes,
-David Delaune
Randor 28-Jun-17 14:30pm View

Keep in mind that Microsoft periodically issues out "ActiveX Kill Bits" which may or may not be your problem.
Randor 28-Jun-17 14:29pm View
Hi, keep in mind that Microsoft periodically issues "ActiveX Kill Bits" that can disable old Visual Basic controls due to security issues.
Randor 26-Jun-17 17:51pm View
It appears that you do not understand the documentation. For some reason this misinformation keeps propagating here on codeproject due to 'experts' repeating this misinformation. Please review this old discussion
Randor 26-Jun-17 4:49am View
I would suggest that you use a HTTP sniffer like "Fiddler" or a packet sniffer like "WireShark" to check the raw response.
Randor 26-Jun-17 4:36am View
This is not true. You've been saying this same thing so many times for years...
Randor 26-Jun-17 4:33am View
Sounds like you are trying to send binary data in TEXT mode... which can be 7 bits with 1 used as the odd parity bit.
Randor 31-May-17 13:57pm View
Yes, you are more than a decade behind. You appear to have reached that point in Win32 development where you have just enough knowledge to get yourself in trouble.

Read all of this:

(Note the date of 1993)

Scroll down to these parts:
How Multiple Threads Affect Window Management
The Effects of Multiple Threads on Message Routing

There are some things that are not mentioned in that document...

When you do this from a worker thread:


Guess where all the window messages for your worker thread are going? To your main thread for the duration of the call.

Don't ever reach across threads to execute code from GUI worker threads.

Follow these rules:
1.) Only create and manage windows from your main thread.
2.) Never reach across GUI threads to execute code: somethread->DoSomething(); Instead Post a message to your thread instructing it to DoSomething();

Randor 31-May-17 10:19am View
You need to call the Windows API DeleteObject() to delete the GDI object. I am not a VB.NET programmer so I don't know if you have this built into your framework. Try to pInvoke it and see what happens.
Randor 17-Mar-17 16:42pm View
Did you search here on codeproject?
Randor 17-Mar-17 0:41am View
Shouldn't you contact Integrated Biometrics for support?
For what it's worth... I suspect KarstenK is correct and that you need to install the Visual C++ Redistributable for whatever Visual Studio version the DLL was compiled with. You can avoid this by using a static linked DLL.
Randor 29-Mar-14 0:38am View

Have you considered disabling visual styles *only* for your checkbox? SetWindowTheme(YourCheckHwnd, L"", L"");
Randor 14-Feb-14 22:56pm View

If the file begins with 0x0100 then it is not a standard Windows ANI file. I remember back in the late 90's 3D Studio Max and other 3D tools had some plugins that exported 3D animations into a file with the ANI extension. There were several game engines using these *.ani files.
Randor 27-Sep-13 20:41pm View
Hi, COM and DCOM are not considered obsolete at Microsoft. We are still utilizing this technology on new architectures including WinRT.

Best Wishes,
-David Delaune
Randor 10-May-12 8:31am View

As the others have hinted at... on a 64 bit OS running a 32 bit application... you will need to add the flag KEY_WOW64_64KEY depending on the return value of IsWow64Process()

Best Wishes,
-David Delaune
Randor 10-May-12 7:47am View
No way.
I have no idea why I thought it was a splitter window yesterday when I answered your question. Let me look into this today and I'll update my answer.
Randor 21-Mar-12 19:14pm View
Outstanding. That is an excellent table. Of course there would be a German somewhere in the world taking the time to document nearly 2500 diagnostic interfaces. Although it looks like most of the information was ripped from ScanTool.NET :)
Randor 21-Mar-12 17:05pm View
I am very happy to see that there are others out there that remember that you can check or send your POP3 e-mail via telnet. :)
Randor 21-Mar-12 17:01pm View
I realize that English is not your native tongue. If you are looking for the right terminology for a search engine it would be "datasheet". Typically you should search for "[microcontroller name] datasheet" in your favorite search engine. Keep in mind that some microcontrollers are proprietary (secret) and the datasheets might not be in the public domain.
Randor 16-Mar-12 20:07pm View
The information you gave is useful and it explains 'binary mode' versus 'text mode' and newline translation quite well.
Randor 15-Mar-12 23:06pm View
Yes, if both variables are l-value then there is no trick for avoiding an erroneous assignment.
Randor 15-Mar-12 21:56pm View
Left operand must be l-value.
Randor 15-Mar-12 21:48pm View

Sorry for the late reply. I was out of the office today. Is there any reason for using the STRETCH_DELETESCANS mode? Could you try using HALFTONE? The HALFTONE mode will give a higher quality stretch blit.
Randor 14-Mar-12 17:56pm View
Beware of the darkside. Stopped they must be; on this all depends. Yoda conditions I recommend.
Randor 7-Mar-12 12:08pm View
There seems to be an echo in the room. :)
Randor 28-Feb-12 20:46pm View
Thank you. I really appreciate your feedback.
Randor 28-Feb-12 7:59am View
Creating a new thread on each new connection at a connection rate of 10/sec is not a problem? Do you really believe this? Each thread will consume 1MB memory for stack space and the rapid creation/deletion of threads will negatively influence context switching and page faults. It is not a very good design for a high-load server. As Jack suggested he should consider using a thread pool.

I would consider the WaitForSingleObject inside the OnAccept() a design flaw and this is what probably caused him to come ask for help. I am very happy to assist him and to also include other suggestions about architectural design changes.
Randor 25-Feb-12 17:54pm View
But your profile says that you are from the United States. :)
Randor 24-Feb-12 23:27pm View
Your screenshot is going to be very small with only a single BYTE to store the bitmap bits. :)
Randor 30-Jan-12 7:28am View
Just wanted to add a little more history behind the AX register.

In the old days... dinosaurs programming on 8 bit processors used the A register... with A meaning Accumulator.
Then 16 bit processors were created... the A register was eXtended... and named AX.
Then 32 bit processors were created and we had to Extend the A register that was already eXtended and named EAX.

And then the 64 bit processor was created and... I have no idea why they called it RAX...
Randor 3-Jan-12 2:08am View

You posted a solution in response to your own question. You should click on the 'Have a Question or Comment' to respond/comment to solutions.

If you read the documentation:

It clearly states: This function is fully supported only for images with color maps; that is, images with 256 or fewer colors.

Best Wishes,
-David Delaune
Randor 30-Dec-11 22:09pm View
The codeproject javascript editor is really buggy... it was modifying my c++ code... had to fix it twice.
Randor 29-Dec-11 20:10pm View
My instincts are telling me that this is homework... because it is somewhat of a trick question. As Chuck points out... it's impossible to give a correct answer without first knowing the date format.
Randor 29-Dec-11 19:44pm View
Hi Tomazas,

It appears that the linker is unable to find the dynamic-run-time version of the std::string inside your Test:: class and then std::iostream inside your ::sentry class.

Then check to see if you have /NODEFAULTLIB enabled... if so... remove that compile flag. The error message implies that you are linking with the dynamic version of the C++ Runtime. As I told you before... make sure that *everything*... is using the same run-time.
Randor 28-Dec-11 17:18pm View

I am happy to see that you have almost fixed the linker error. I also recognize your second problem:

unresolved external symbol ___security_cookie referenced in function

That is the security stack cookies... it looks like the OpenSSL library was compiled with /GS (Buffer Security Check)

Modify your project to include /GS and everything should be fine.

If you are using an outdated compiler without support for /GS stack cookies... then you will need to compile OpenSSL yourself.

Best Wishes,
-David Delaune
Randor 4-Dec-11 0:05am View
Very interesting how you have obtained over 7k Organiser reputation points in under a month. I wonder if someone has been playing with libcURL. It is a pity that codeproject has become a reputation video game. I have suddenly become keenly interested in the binary you uploaded.

The binary you uploaded was created with the NSIS installer:
It drops an executable into the TMP folder and executes it.
Randor 3-Dec-11 21:54pm View
Do you really expect people to download and execute a random application off the internet uploaded by a user named 'Member 8397946'?
Anyway I am not certain that I understand what you are trying to do. If you are attempting to embed a binary/text file into your executable then perhaps you should begin by reading the XResFile series written by the under-appreciated Hans Dietrich.
Randor 3-Dec-11 19:09pm View

You need to describe what you have accomplished so far and what problems you are having. In the C language you can compare characters as if they are numbers such as: char vowels[] = {'a', 'e', 'i', 'o', 'u'}; if('a' == vowels[0]) {/*...*/}
Randor 3-Dec-11 18:35pm View

I have updated my answer to #include some information about color depth and safe color palettes.

Best Wishes,
-David Delaune
Randor 17-Oct-11 23:43pm View
The project window will not show color-key transparency, how would it know what color to make transparent? You can use the TransparentBlt function at run-time to paint with transparency. It appears that your color key is RGB(255,0,255) but you should probably make sure.
Randor 17-Oct-11 23:26pm View
He is apparently showing some VB script utilizing the firewall manager for removing an application firewall rule and asking how to implement the same thing under COM with the C++ language. (I have updated the original question to make it more clear)
Randor 29-Sep-11 12:05pm View

I am happy to hear that you have worked it all out.

Yes you are correct. The NT kernel PE loader allocates and maps the PE image into an address space then walks through the InLoadOrderModuleList and maps/rebases/performs various other voodoo magic and eventually starts a single non-gui thread beginning execution at the AddressOfEntryPoint. When the thread performs the first GDI syscall it gets promoted into a GUI thread with a message queue.

I did not understand your second question. All usermode processes must have at least one thread or they will not be given any cpu time by the nt scheduler. A process without any executing threads is called a zombie process.

Best Wishes,
-David Delaune
Randor 29-Sep-11 9:51am View
I will try to answer both of your questions:

1.) Yes the above code will iterate through all system threads. You should consider a process as a parent for many threads. 1 process can have many threads. There is no such thing as the 'main thread'. Anybody that tells you otherwise is wrong. Some software engineers will refer to the 'main thread' as the thread owning the top level window. However Microsoft Windows allows a process to have multiple top level windows.

2.) As I mentioned above the NT architecture does not have a 'main thread' for a process. However... if you want to be adventurous and consider the 'first thread' as the 'main thread' then you can use the code I previously gave you and call the GetThreadTimes function and read the lpCreationTime. The thread belonging to the process with the earliest creation time might be what you are looking for in most cases.

If you want to avoid enumerating ALL threads in the system... [REMOVED]
I removed the undocumented stuff. Don't bother with anything undocumented. You gain nothing from it. Even if you use NtQuerySystemInformation or NtQueryInformationProcess all it does is cause the kernel to iterate through these same internal linked lists internally. Just use the Toolhelp code above to enumerate process threads.

Best Wishes,
-David Delaune
Randor 29-Sep-11 8:21am View
Yep, you are of course correct. I was referring to the PostThreadMessage function which is what the OP said he was using. You can use this to post thread messages to console applications without the need for a window.
Randor 29-Sep-11 5:00am View
There is no need to create a hidden window. Any thread is promoted to a GUI thread as soon as it makes a GDI call. One caveat though... you will need to manually pump the message queue just like you do in a pure Win32 project.
Randor 29-Sep-11 4:41am View
1.) No, a process begins as a single thread.

2.) The question itself is nonsensical. A better question would be how to enumerate all threads belonging to the process. You could do something like:

#include <windows.h>
#include <tlhelp32.h>
DWORD dwYourPIDToCompare = 0; // PID whose threads you want to find
THREADENTRY32 te32;
te32.dwSize = sizeof(THREADENTRY32);
HANDLE hThreadSnap = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);
if(hThreadSnap != INVALID_HANDLE_VALUE && Thread32First(hThreadSnap, &te32))
{
    do
    {
        if(te32.th32OwnerProcessID == dwYourPIDToCompare)
        {
            //This thread belongs to the process
        }
    } while(Thread32Next(hThreadSnap, &te32));
}
if(hThreadSnap != INVALID_HANDLE_VALUE) CloseHandle(hThreadSnap); // release the snapshot
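As an added example (not code from the comments above), this combines the Toolhelp enumeration with the GetThreadTimes "earliest creation time" heuristic from the earlier reply. The selection over (thread id, 64-bit FILETIME) records is portable and checkable anywhere; the Win32 enumeration part builds only on Windows, and the 1024-entry bound is an assumption for the example.

```c
#include <stdint.h>
#include <stddef.h>
/* Constructed, platform-neutral record: thread id and its creation time as a
 * 64-bit FILETIME (100 ns ticks since 1601-01-01 UTC). */
typedef struct { uint32_t tid; uint64_t creation; } thread_rec;
/* Id of the record with the smallest creation time, or 0 if none. Comparing the
 * full 64-bit value avoids the bug of comparing dwLowDateTime alone. */
uint32_t earliest_thread(const thread_rec *recs, size_t n)
{
    uint32_t best = 0;
    uint64_t best_time = UINT64_MAX;
    for (size_t i = 0; i < n; ++i) {
        if (recs[i].creation < best_time) {
            best_time = recs[i].creation;
            best = recs[i].tid;
        }
    }
    return best;
}

#ifdef _WIN32   /* Win32 part: only built on Windows */
#include <windows.h>
#include <tlhelp32.h>
/* Enumerate pid's threads with Toolhelp, read creation times with
 * GetThreadTimes, and return the earliest thread id (0 on failure). */
uint32_t earliest_thread_of_process(DWORD pid)
{
    thread_rec recs[1024];            /* assumed upper bound for the example */
    size_t n = 0;
    THREADENTRY32 te = { sizeof(te) };
    HANDLE snap = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);
    if (snap == INVALID_HANDLE_VALUE) return 0;
    if (Thread32First(snap, &te)) {
        do {
            if (te.th32OwnerProcessID != pid || n >= 1024) continue;
            HANDLE h = OpenThread(THREAD_QUERY_LIMITED_INFORMATION, FALSE, te.th32ThreadID);
            FILETIME c, e, k, u;
            if (h && GetThreadTimes(h, &c, &e, &k, &u)) {
                recs[n].tid = te.th32ThreadID;
                recs[n].creation = ((uint64_t)c.dwHighDateTime << 32) | c.dwLowDateTime;
                n++;
            }
            if (h) CloseHandle(h);
        } while (Thread32Next(snap, &te));
    }
    CloseHandle(snap);
    return earliest_thread(recs, n);
}
#endif
```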
Randor 29-Sep-11 3:47am View
Actually you are doing exactly as I described. When you call GetMessage() it invokes NtUserGetMessage which internally invokes a win32k syscall above 0x1000. But I guess that is beside the point. I apologize for complicating the issue, I did not fully read your question. I will try to answer all points:

1.) Yes.. there are many IPC techniques... pipes, memory maps... mailslots... sockets and the message subsystem are a few. Pick your poison.
2.) GetCurrentThreadId will get the current thread ID but it looks like you already know this. If you have a window handle and want to know both the thread ID and process id use GetWindowThreadProcessId()
3.) A process *can* have more than 1 thread. When the other program sends you a message... use GetWindowThreadProcessId to get both the thread ID and process ID from the window handle.
4.) No, a thread ID is not the same as a process ID.

Best Wishes,
-David Delaune
Randor 29-Sep-11 2:45am View
A console application does not have a message queue! You will need to perform some hacktastic wizardry to force the NT kernel into calling PsConvertToGuiThread(). You can accomplish this by invoking a win32k syscall with an index greater than or equal to the NtGdiAbortDoc index. After you make the syscall the kernel will promote your main thread into a GUI thread, increase the stack size and give your thread a message queue.
Randor 16-Sep-11 18:57pm View
As I stated previously, using WM_SETTINGCHANGE to change these settings is undocumented and should probably be avoided. You do realize that the virtual address pointing to the string only exists in the process calling the SendNotifyMessage function, right? I reiterate my previous advice... you should probably use IInternetZoneManager::SetZoneActionPolicy() to modify these settings.

P.S. The format of these 'Quick Answers' is very awkward when we enter these lengthy discussions. The original question has already been addressed.

Best Wishes,
-David Delaune
Randor 16-Sep-11 17:42pm View
I believe the hidden Internet Explorer window responds to a WM_SETTINGCHANGE message but I also think the parameters are undocumented. I believe the LPARAM should be a pointer to a string containing the registry path if I remember correctly. You should probably just scrap all of this code and instead use IInternetZoneManager::SetZoneActionPolicy() to change this setting.

Best Wishes,
-David Delaune
Randor 14-Sep-11 23:55pm View
The value IPType will be returned by the SQL database. You will need to show more code if you want a C++ answer. If you're looking for a SQL answer it could be: "SELECT ISNULL(MAX(IPType), 0) FROM tblURLIP WHERE IP = '%s'"

Best Wishes,
-David Delaune
Randor 14-Sep-11 23:33pm View
If ipSrc is NULL then "0" is the string that will be written into the format tag: '%s'

Best Wishes,
-David Delaune
Randor 11-Sep-11 19:29pm View
Sounds like you need to add: #define BUFFER_SIZE 1024
Randor 11-Sep-11 19:07pm View
If you're getting an error "No storage class or type specifier" then that would imply that you are missing a type definition. Make sure you are #including windows.h which will pull in the windef.h header. Also make sure you #define BUFFER_SIZE

The value that is written into the registry is here:

*((LPDWORD)data) = 0;

It essentially casts the pointer from the BYTE array into a pointer to a DWORD and then sets the value to zero.

Best Wishes,
-David Delaune
Randor 15-Jan-11 4:45am View
I was contacted by a member here regarding this code sample. You have my apology for the poorly written and leaky code sample. I have updated the sample.

Best Wishes,
-David Delaune
Randor 27-Nov-10 13:16pm View
Just a quick comment:
A probable reason for Microsoft's decision to deprecate most of those C functions is security related. Several years ago a statistical analysis was performed on application exploits and the majority were caused by buffer overflows. So rather than depend on the language committee I guess they wanted to be independently proactive. The new secure CRT functions along with /GS stack cookies were the result. While I agree that Microsoft does not (and should not) have the authority to deprecate standard functions... I completely understand their reasoning behind doing so.
Randor 26-Nov-10 17:06pm View
Whoops... sorry. For some reason when I read your question I thought you wanted to know what version of VS the executable was generated by. The answer by JF2015 is correct... you can check the _MSC_VER value at compile time.