header image

Read at your own discretion

MmGetMdlPfnArray macro has an interesting remark in the description:

Changing the contents of the array can cause subtle system problems that are difficult to diagnose. We recommend that you do not read or change the contents of this array.

Right. I didn’t want to read the information I requested anyway.

Serious question: why would reading the PFN array cause problems?

Down with the sickness

Yeah, I like Disturbed (in small doses).

Being sick sucks. Especially when you don’t really get sick that often and this flu-like thing hits you suddenly with full force. Dehydration, weakness, trouble to keep your thoughts together.

Oh well, at least I can go through my backlog of The Old New Thing. Why did I stop following Raymond? I guess when I finally ditched Opera 12 and forgot to update my RSS feeds. I miss you sweet princess.

New friends

Well, not really new — they are with us for a few months now. This post was long overdue but here we go.

The black and white male is Sutomir Stanisław (named after a friend). He was found near a garbage dump in a cage, someone just left him there. He’s the most curious one (well, he and Szafa) and has no survival instinct — goes everywhere, checks everything out.

The small black female is Szafa. She’s probably the smartest of the bunch.

The big black male is Zabrak (named after another friend of ours). He’s a bit… slow, not sure if that’s some mental condition or he’s just lazy.

The two albino twin females are Złomiarka and Kuklux. They are lab rats. They’re either blind or see very poorly, but that doesn’t stop them from being very active (and fast). They were pretty leery of humans at the beginning but now are very friendly.

Kernel debugging Windows HVMs under Xen

Having troubles setting up kernel debugging between two Windows HVMs in a Xen environment? I’ve spent a lot of time lately troubleshooting this, it just didn’t work. Finally it turned out that Xen was corrupting serial port data (yeah, I really neaded that CRLF conversion). Check out this article for details. It’s written with Qubes in mind, but it should be easy to adapt for other environments.

Running processes on the Winlogon desktop

Disclaimer: this is a Bad Idea unless you know exactly what you’re doing, why you’re doing it and there are no alternatives. Please use responsibly.

There may be circumstances where you’d like to programmatically interact with the Winlogon desktop (the one that houses the LogonUI process responsible for displaying logon tiles and the rest of, well, logon UI). Test automation, seamless VM integration, whatever. It’s not easy though, and for good reasons:

  • Logon desktop created by Winlogon has ACL that only grants access to the SYSTEM account. We need a service to access it. Changing that ACL to allow other accounts is a very bad idea.
  • When a user chooses “Switch user” from the Start Menu or when the system first boots and displays the logon UI, it’s all done in a separate session. If a new user logs on, the Winlogon session is reused for that user’s interactive logon. If there is no new logon (but a user switch or unlocking a locked session for example), the Winlogon session is destroyed.
Temporary processes in a Winlogon session after quick user switch

Temporary processes in a Winlogon session after locking/unlocking user session

So, our service needs to monitor session changes and act when a Winlogon session is created (and made interactive). The code below demonstrates how you can create a process that runs on the Winlogon desktop and can interact with it.

Service code Show

You can install the service using following command (mind the spaces):

C:\>sc create QTestService binPath= d:\test\QService.exe type= own start= demand
[SC] CreateService SUCCESS

Then start it with:

sc start QTestService

After starting, choose “Switch user” or “Lock” from the Start Menu. You should see a console window on the logon screen.

A crack on the glass

A paper I’ve been working on lately is now public. In it I dissect various Windows security mechanisms and how effective they really are for providing sandbox-like isolation for groups of arbitrary applications. This work was performed for Invisible Things Lab and Qubes OS.

The end of something

Today we bid farewell to Szatan. She was the last one of the original “Pandemonium” as we called it, the three rats that we got first.

Most distrustful at first, she became the cutest later. We will miss her.

Be careful when closing your object handles

Let’s say we want to create a new Window Station, a new Desktop and create a process that should be associated with those objects. Sounds simple, right?

int _tmain(int argc, TCHAR* argv[])
    HWINSTA winsta, original;
    HDESK desk;

    winsta = CreateWindowStation(L"omeg-winsta", 0, MAXIMUM_ALLOWED, NULL);
    if (!winsta)
        printf("CreateWindowStation failed: %d\n", GetLastError());

    original = GetProcessWindowStation();
    // we need to switch to the new window station, because CreateDesktop uses a current one
    if (!SetProcessWindowStation(winsta))
        printf("SetProcessWindowStation(new) failed: %d\n", GetLastError()
    desk = CreateDesktop(L"omeg-desk", NULL, NULL, 0, MAXIMUM_ALLOWED, NULL);
    if (!desk)
        printf("CreateDesktop failed: %d\n", GetLastError()

    ZeroMemory(&si, sizeof(si));
    si.cb = sizeof(si);
    si.lpDesktop = L"omeg-winsta\\omeg-desk";
    CreateProcess(0, L"calc.exe", 0, 0, 0, 0, 0, 0, &si, &pi);

    return 0;

Let’s try that!

calc.exe - Application Error
The application was unable to start correctly (0xc0000142). Click OK to close the application. 


So what’s happening? At first I thought that maybe that’s supposed to happen — MSDN says that the only interactive window station is WinSta0, a predefined one created with the interactive user session. But why give the ability to create new ones then? System services run in separate sessions and have separate window stations/desktops. In the past (pre-Vista) they all ran in the user’s session, but that was changed to mitigate Shatter attacks.

Anyway, services used to be able to display GUI even on their separate window stations in Vista (with the help of a helper service). Apparently that should still be possible on Windows 7 (where I run my tests). Why didn’t it work then?

I was even more confused when calc.exe appeared to work when I launched my test program from the Visual Studio debugger (but still refused to work if I launched it from a command shell). Also if there was one instance of calc.exe already running in my new desktop, test also worked when launched from command prompt, explorer or wherever. What is this, black magic?

And then it struck me. When running under debugger, I had a breakpoint set just after the CreateProcess call. That means the child process was created, but handles to the new window station and desktop were not immediately closed (because of debugger pause). If running standalone, on the other hand, handles were immediately closed. Why is that significant?

Window stations and desktops are both Windows kernel objects under the hood. And all kernel objects are reference-counted. That means the Windows Object Manager can (and will) destroy any kernel object that is no longer referenced. The example program above contains a race condition — by closing all handles to the newly-created objects we indirectly destroy them, usually before the child process can initialize properly. How to fix that? Add a call to WaitForInputIdle after CreateProcess. That way we wait for the child process to finish its initialization before closing handles. The new desktop and window station won’t be destroyed because now the child keeps their handles.

Moral of the story: don’t close your object handles until you know you really don’t need to keep them.

Creating COM wrappers programatically

In my previous post I wrote about using Windows Installer’s COM object to edit MSI packages. To easily use COM methods you need a managed wrapper assembly for the particular native COM server DLL. Visual Studio can generate one automatically, or you can use TlbImp, a tool from Windows SDK. But what if you don’t have any of that? Don’t worry, there is still hope!

It’s very easy in fact, (almost) all you need is aptly named TypeLibConverter class in System.Runtime.InteropServices namespace. You also need AssemblyBuilder to actually create the assembly. And finally we need one import from oleaut32.dll — LoadTypeLibEx, which allows us to load type library embedded in an exe/dll without extracting it ourselves. So without further ado, here is the code:

using System;
using System.Reflection;
using System.Reflection.Emit;
using System.Runtime.InteropServices;

// This utility extracts COM type library definition from unmanaged DLL and creates matching managed wrapper assembly.

namespace Utils
    static class TlbConvert
        private enum RegKind
            RegKind_Default = 0,
            RegKind_Register = 1,
            RegKind_None = 2

        [DllImport("oleaut32.dll", CharSet = CharSet.Unicode, PreserveSig = false)]
        private static extern void LoadTypeLibEx(String strTypeLibName, RegKind regKind,
            [MarshalAs(UnmanagedType.Interface)] out Object typeLib);

        static int Main(string[] args)
            if (args.Length < 2)
                Console.WriteLine("Usage: tlb-convert <unmanaged COM DLL path> <managed wrapper path> [root namespace]");
                return 2;

                string srcDll = args[0];
                string outDll = args[1];
                string rootNamespace = args.Length == 3 ? args[2] : null;

                Object typeLib;
                LoadTypeLibEx(srcDll, RegKind.RegKind_None, out typeLib);
                TypeLibConverter tlbConv = new TypeLibConverter();
                AssemblyBuilder asm = tlbConv.ConvertTypeLibToAssembly(typeLib, outDll, 0, new ConversionEventHandler(), null, null, rootNamespace, null);
            catch (Exception e)
                Console.WriteLine("Exception: {0}\n{1}", e.Message, e.StackTrace);
                return 1;

            Console.WriteLine("\nConversion successful.");
            return 0;

    public class ConversionEventHandler : ITypeLibImporterNotifySink
        public void ReportEvent(ImporterEventKind eventKind, int eventCode, string eventMsg)
            Console.WriteLine("{0}", eventMsg);

        public Assembly ResolveRef(object typeLib)
            return null;

And another one…

Klocek passed away this Wednesday. He was the oldest of our bunch — over two years and nine months. Rat this old is an ancient one but still he was one of the luckiest, not really suffering any illness until the old age got to him. Now only Szatan remains from the original three (well, Klocek/Półklocek weren’t here from the start but still)…

We also have yet another new one: Sutek, a youngish male around the age of Zabrak. He’s of the black and white variety, reminds us of Szpadla… I really should get my camera going and make more pictures. Someone left him with a cage near a garbage dump, he was rescued and landed with us. He’s really friendly and totally tame, why would someone leave him just like that? He wasn’t accustomed to other rats but is now fully “assimilated”. Let’s hope he’ll be more happy here.