OpenDNS policy: Block first, never ask questions later

committed to database on October 7, 2009 at 8:09 pm Eastern Standard Time 13 comments

Update 10/8: The site is no longer blocked.

I received a note from a reader indicating users of OpenDNS are receiving phishing warnings about a site I created a few days ago, in light of the Hotmail news. Upon using OpenDNS’ CacheCheck feature, it appears the site has indeed been blocked. According to OpenDNS’ little blurb at the bottom, they “block known phishing sites”. That’s funny, because they really don’t know a damn thing about the site. They didn’t bother to ask me how it worked, nor did they bother to click the only link at the bottom of the page to find my (previously) top-most post here, indicating the site isn’t a scam. How can I run a phishing operation without asking for credentials or posing as Bank of America?

*shakes head in disgust*

OpenDNS blocking my site.

Short: Was your email phished?

committed to database on October 6, 2009 at 1:56 pm Eastern Standard Time 11 comments

In response to news about a large number of harvested email addresses being spread around the Internet, I created a site to do a quick lookup against a list of known-leaked addresses. Despite what Neowin’s ignorant audience claims, it’s not fake, nor is it a site to harvest email addresses.

Hopefully this post will clarify the site’s intentions and purpose.

Now accepting stickers for free advertising

committed to database on September 30, 2009 at 11:44 am Eastern Standard Time 12 comments

I am now accepting your stickers for placement on the lid of my oft-used Lenovo X300 laptop, measuring at 12.4" x 9.1" (314.96mm x 231.14mm). I will showcase the stickers at least until November 20th, but it’s very likely they’ll remain in place for much longer. (Removing stickers is not fun.)

Notable showcase locations:

The rules are simple:

  • No pornographic, druggie, dating, or nude stickers. Violence is acceptable though.
  • No overly humongous stickers. Be realistic.
  • No Katy Perry. No Miley Cyrus. No Paul Thurrott.
  • I ultimately decide if I want to use your sticker or not. Product samples and/or bribes can work to your advantage.

If you’re interested, email rafael+stickers@withinwindows.com with a description/image of your sticker and I’ll send you an address to mail them to.

Accepted stickers thus far: Bing, Identity Mine, LiveSide, Pingie, DataPortability, F-Secure, Hostgator

Tinkering with Zune 4.0, enabling the unfinished “Radio”

committed to database on September 28, 2009 at 10:59 pm Eastern Standard Time 11 comments

PETA would be proud...

Back on the 17th, I posted a quick registry hack for those that wanted to force certain Zune software features on or off. One of my readers inquired, however, about Radio features that seemed to exist but were disabled. Double-checking my previous research, there was nothing available to enable anything related to Radio, so I had to dig deeper.

Before you see Zune’s cute UI, the software has to jump through a number of hoops beforehand. Some of these hoops involve asking the Zune Gods (pictured to the right) if certain features are enabled or disabled. This inquiry is made by calling a special function called IsFeatureEnabled, implemented by a special object returned from Zune’s native (as opposed to managed) library. (This function is one of many that are described by an interface called IFeatureEnablement.)

Why is this important?

While it is true that most of the Zune features were implemented with an “ignore the Gods” override, this isn’t true for the unfinished Radio feature. This feature was marked as permanently disabled, hiding unfinished/unstable code from the public.

Re-enabling this feature isn’t exactly easy.

At first, I was inclined to simply disassemble all the managed code into IL, edit, and re-assemble. This turned into a nightmare involving digital signatures, Steven Sinofsky, and embedded native code (which cannot be disassembled properly). My second idea, writing a loader that patched the relevant code at runtime, fell flat too, due to my inexperience with the whole managed/native mish mash environment. Growing tired, I simply resorted to old school patching-on-disk of the Zune native library.

Zune Function Location 0.1 output

First, I wrote a utility to identify what I need to patch. Static analysis is fun, but not that fun. The Zune Function Locator utility (pictured above) may have a corny name but it does its job. (I plan on further expanding the tool’s capabilities, hence the generic name.) It will locate, within Zune’s native library (ZuneNativeLib.dll), where the IsFeatureEnabled function starts.

Err… why do we care?

Well, as I mentioned before, this function asks the Zune Gods if a feature is enabled or disabled. It returns the “answer” to the Zune software, controlling whether or not the user sees the feature. We’ll need to rewrite this function’s logic to always return “can haz”.

XVI32 Hex Editor w/ ZuneNativeLib.dll open

Second, I opened the library in a disassembler to provide a machine code listing of what’s going on here. The contents weren’t really relevant – I was going to rewrite it.

Third, I opened the library in trusty ol’ XVI32, jumped to the offset my tool spat out earlier, moved a few bytes in and… mashed the keyboard, inputting a bunch of random characters.

No, not really.

I typed in the hexadecimal characters for several assembly opcodes that ensured the feature was always considered enabled. The actual x64 code for this is below:

xor rax, rax    ; rax = 0
inc rax         ; rax = 1, i.e. TRUE
mov [r8], al    ; store TRUE through the caller's BOOL output pointer (presumably the third argument, which the x64 calling convention passes in r8)
dec rax         ; rax = 0 again, so the function returns success (S_OK)
pop rdi         ; balance the push rdi in the function's own prologue, which the patch leaves in place (it starts a few bytes in)
retn            ; return to the caller with the "enabled" answer

(The x86 code is very similar, therefore I won’t spend two hours trying to format it properly in Windows Live Writer.)

Fourth, I saved everything and fired up Zune. I crossed my fingers; the UI appeared and, lo and behold, so did the Radio feature.

Zune interface, new Radio feature

As mentioned earlier, the Radio feature is very unpolished and unstable. The baked in stations don’t play or display station graphics, but I’m willing to bet the folks at Zunerama will have it tamed in a few days.

All the resources I used are available for download from either here or the internet. Enjoy your private tinkering, but remember: I’m not responsible if your entire Zune music collection is replaced with Katy Perry albums. Also keep in mind the patched library may inhibit proper servicing (i.e. updating) by Microsoft. YMMV.

Download: Zune Function Locator 0.1 [x86/x64] // Raw patching instructions

Short: Windows 7 RTM auto-elevate white list

committed to database on September 27, 2009 at 9:48 am Eastern Standard Time 5 comments

UAC shield, protecting you from bad programs...

I received a bunch of requests to update the auto-elevate list from May, so here it is. There’s no change from the RC list.

  • \Windows\ehome\Mcx2Prov.exe
  • \Windows\System32\AdapterTroubleshooter.exe
  • \Windows\System32\appinfo.dll
  • \Windows\System32\BitLockerWizardElev.exe
  • \Windows\System32\bthudtask.exe
  • \Windows\System32\chkntfs.exe
  • \Windows\System32\cleanmgr.exe
  • \Windows\System32\cliconfg.exe
  • \Windows\System32\CompMgmtLauncher.exe
  • \Windows\System32\ComputerDefaults.exe
  • \Windows\System32\dccw.exe
  • \Windows\System32\dcomcnfg.exe
  • \Windows\System32\DeviceEject.exe
  • \Windows\System32\DeviceProperties.exe
  • \Windows\System32\dfrgui.exe
  • \Windows\System32\djoin.exe
  • \Windows\System32\eudcedit.exe
  • \Windows\System32\eventvwr.exe
  • \Windows\System32\fsquirt.exe
  • \Windows\System32\FXSUNATD.exe
  • \Windows\System32\hdwwiz.exe
  • \Windows\System32\ieUnatt.exe
  • \Windows\System32\iscsicli.exe
  • \Windows\System32\iscsicpl.exe
  • \Windows\System32\lpksetup.exe
  • \Windows\System32\MdSched.exe
  • \Windows\System32\msconfig.exe
  • \Windows\System32\msdt.exe
  • \Windows\System32\msra.exe
  • \Windows\System32\MultiDigiMon.exe
  • \Windows\System32\Netplwiz.exe
  • \Windows\System32\newdev.exe
  • \Windows\System32\ntprint.exe
  • \Windows\System32\ocsetup.exe
  • \Windows\System32\odbcad32.exe
  • \Windows\System32\OptionalFeatures.exe
  • \Windows\System32\perfmon.exe
  • \Windows\System32\printui.exe
  • \Windows\System32\rdpshell.exe
  • \Windows\System32\recdisc.exe
  • \Windows\System32\rrinstaller.exe
  • \Windows\System32\rstrui.exe
  • \Windows\System32\sdbinst.exe
  • \Windows\System32\sdclt.exe
  • \Windows\System32\shrpubw.exe
  • \Windows\System32\slui.exe
  • \Windows\System32\SndVol.exe
  • \Windows\System32\spinstall.exe
  • \Windows\System32\SystemPropertiesAdvanced.exe
  • \Windows\System32\SystemPropertiesComputerName.exe
  • \Windows\System32\SystemPropertiesDataExecutionPrevention.exe
  • \Windows\System32\SystemPropertiesHardware.exe
  • \Windows\System32\SystemPropertiesPerformance.exe
  • \Windows\System32\SystemPropertiesProtection.exe
  • \Windows\System32\SystemPropertiesRemote.exe
  • \Windows\System32\taskmgr.exe
  • \Windows\System32\tcmsetup.exe
  • \Windows\System32\TpmInit.exe
  • \Windows\System32\verifier.exe
  • \Windows\System32\wisptis.exe
  • \Windows\System32\wusa.exe
  • \Windows\System32\DriverStore\FileRepository\bth.inf_amd64_neutral_a1e8f56d586ec10b\fsquirt.exe
  • \Windows\System32\oobe\setupsqm.exe
  • \Windows\System32\sysprep\sysprep.exe

Restore Zune 4.0’s “missing” features

committed to database on September 17, 2009 at 1:06 am Eastern Standard Time 35 comments

The Zune logo. What did you expect here?

For those of you in the US or Canada, stop reading now.

Welcome non-US/CA readers! There’s nothing more frustrating than buying a Zune, plugging it in, and discovering the software is “broken” because of how your computer is “configured”. Features like the Marketplace and that snazzy intro video? Completely missing! Yikes.

If you’re positive you should be seeing these features, don’t panic. Microsoft spent a lot of time programming some overrides for you. Simply navigate to HKCU\Software\Microsoft\Zune and create a key called FeaturesOverride. Within this key, create a DWORD for each feature you want to enable and set its value to 1. A list of tweakables follows.

  • Quickplay
  • Marketplace
  • Picks
  • Videos
  • MusicVideos
  • Podcasts
  • Channels
  • Games
  • SubscriptionFreeTracks
  • SignInAvailable (allows restricted locales to sign in!)
  • FirstLaunchIntroVideo
  • MBRRental
  • MBRPurchase
  • MBRPreview

For those that are lazy, you can download a simple registry script to double-click. Don’t blame me if it eats your hard drive though.

NVIDIA quietly fixes Stereo 3D Vision in newest drivers

committed to database on August 22, 2009 at 5:47 pm Eastern Standard Time 13 comments

In early August, I documented a handle leak that had existed in NVIDIA’s Forceware drivers for some time, affecting all of their newer GPUs. Yesterday, NVIDIA released a new set of WHQL drivers versioned 190.62. In a typical sweep-under-the-rug fashion, NVIDIA made zero references to the issue in their release notes. Having scanned the disassembly of nvSCPAPISrv.exe, however, I can confirm NVIDIA has fixed the problem by calling the appropriate function I suggested. AMD’s fastest GPU – the ATI Radeon HD 4870 X2 – continues to be unaffected by this issue.

You’re welcome, NVIDIA.

Add video from your networked storage into Movie Maker

committed to database on August 18, 2009 at 9:25 pm Eastern Standard Time 9 comments

Windows Live Movie Maker, having started off as a glass hammer, has made significant strides in the areas of functionality and usability. If you haven’t already pushed all the buttons in the new release, I recommend you check out Paul’s thorough review.

Bozo. What were you thinking?

While playing around with Movie Maker, I tried to import some video content stored on my HP MediaSmart. Just my luck, it’s not supported. As you can plainly see on the right, Microsoft suggests I copy my content – which could theoretically be gigabytes in size – to my local disk.

Uh. How about no?

Poking around a bit, I noticed Movie Maker has an undocumented override switch... but it comes at a tiny cost: The network share housing your media may need to allow unfettered Guest access. For those that aren’t trying to hide porn on their MediaSmart servers, this isn’t a big deal. I suspect this is either a temporary code issue revolving around the lack of user impersonation or a security feature. In either case, it’s annoying.

(Update August 21, 2009: Tom Warren mentioned he did not require Guest access. YMMV.)

To run the roadblock, navigate to HKEY_CURRENT_USER\Software\Microsoft\Windows Live\Movie Maker and add a DWORD value named AllowNetworkFiles. Afterwards, simply double-click it and set its data to either 0 (disabled) or 1 (enabled).

It works!

Keyboard cat, inside the new Windows Live Movie Maker, playing me off.

NVIDIA Stereo 3D Vision service bug causes handle leak

committed to database on August 9, 2009 at 1:46 am Eastern Standard Time 24 comments

Affected: GeForce 8800 GT and higher, 9600 GT and higher, or any GeForce 200 series and higher, using driver version 186.xx and up.

Update (8/10): A NVIDIA representative has indicated the fix will be “available in the next driver release” sometime this month.

While poking around Process Explorer, I stumbled upon a process having a curiously high handle count. Having dealt with leaky components before, I identified the 64 handle/minute pattern almost immediately.

Process Explorer, FTW!

Figure - Process Explorer viewing nvSCPAPISvr.exe open file handles

 

As the description indicates, this particular component (a Windows service) is responsible for some sort of NVIDIA Stereoscopic feature. With some Bing’ing around, I discovered this functionality is only useful if you use 3D glasses shown on the NVIDIA 3D Vision product page.

While I could have simply stopped the service – which shouldn’t be configured to start Automatically to begin with – I decided to dive a little deeper to understand the issue.

After some disassembly, I found string references to \INF\OEM*.INF which led me to a piece of code wrapped in a loop. My hand-transcribed ASM-to-C++ version of the code (not representative of the real product):

// Hand transcription of the disassembly, not the vendor's source.
#include <windows.h>
#include <setupapi.h>
#include <string.h>

char path[MAX_PATH];        // MAX_PATH is 260
WIN32_FIND_DATAA wfd;
UINT error_line = 0;

GetWindowsDirectoryA(path, sizeof(path));
strcat(path, "\\INF\\OEM*.INF");

HANDLE find_handle = FindFirstFileA(path, &wfd);

if(find_handle != INVALID_HANDLE_VALUE) {

  do
  {
    // cFileName is the bare file name; SetupOpenInfFile resolves bare
    // names against %windir%\inf, so no path needs to be prepended.
    HINF inf_handle = SetupOpenInfFile(
        wfd.cFileName,
        NULL,
        INF_STYLE_WIN4,
        &error_line);

    // [...] Additional code to search for nvstusb.cat/sys

    // Note: inf_handle is never passed to SetupCloseInfFile, so every
    // iteration leaks the INF handle and whatever it holds open.
  }
  while(FindNextFileA(find_handle, &wfd));

  FindClose(find_handle);
}


The bug isn’t obvious at first glance. The issue lies within the use of SetupOpenInfFile. The handle returned by this function is never passed into SetupCloseInfFile, leaving various internal file and mutex handles open and consuming a large amount of memory (as this user reported in July).
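To make the leak countable and show the fix side by side, here is an added example (not NVIDIA’s code and not from the original post) that rebuilds the loop against a small mock of the Setup API. The mock names (mock::SetupOpenInfFile, mock::SetupCloseInfFile), the InfHandle guard, and the list of OEM INF names are all constructed for the example; the fix is the scope guard, which pairs every open with a SetupCloseInfFile on every path out of the loop body.

```cpp
// Added example: a portable mock of the Setup API handle lifecycle, so the
// leaking loop and its RAII fix can be exercised outside Windows.
#include <cassert>
#include <cstddef>
#include <set>
#include <string>
#include <vector>

namespace mock {
// Simulated INF handle table: every open registers an id, every close removes
// it. Whatever remains after a scan is the leak. (Constructed, not the real API.)
static std::set<int> open_infs;
static int next_id = 1;

int SetupOpenInfFile(const std::string& /*inf_name*/) {
    int h = next_id++;
    open_infs.insert(h);
    return h;
}
void SetupCloseInfFile(int h) { open_infs.erase(h); }
std::size_t OpenInfCount() { return open_infs.size(); }
void Reset() { open_infs.clear(); next_id = 1; }
}  // namespace mock

// Scope guard: closes the INF handle when the enclosing scope ends, whether the
// loop body finishes normally, hits a continue/break, or unwinds on an exception.
class InfHandle {
public:
    explicit InfHandle(int h) : h_(h) {}
    ~InfHandle() { if (h_ != 0) mock::SetupCloseInfFile(h_); }
    InfHandle(const InfHandle&) = delete;
    InfHandle& operator=(const InfHandle&) = delete;
    int get() const { return h_; }
private:
    int h_;
};

// Constructed stand-in for the FindFirstFile/FindNextFile enumeration of
// %windir%\INF\OEM*.INF.
static const std::vector<std::string> kOemInfs = {
    "oem0.inf", "oem1.inf", "oem2.inf", "oem3.inf"};

// The pattern seen in the disassembly: open each INF and never close it.
// Returns the number of handles still open afterwards.
std::size_t ScanLeaky() {
    mock::Reset();
    for (const auto& name : kOemInfs) {
        int inf = mock::SetupOpenInfFile(name);
        (void)inf;  // [...] the search for nvstusb.cat/sys would go here
    }
    return mock::OpenInfCount();  // one leaked handle per INF file
}

// The fix: the guard owns the handle, so each iteration closes what it opened.
std::size_t ScanFixed() {
    mock::Reset();
    for (const auto& name : kOemInfs) {
        InfHandle inf(mock::SetupOpenInfFile(name));
        (void)inf.get();  // [...] the search for nvstusb.cat/sys would go here
    }
    return mock::OpenInfCount();  // nothing left open
}

int main() {
    assert(ScanLeaky() == kOemInfs.size());
    assert(ScanFixed() == 0);
    return 0;
}
```

In the real service the same shape applies with HINF, SetupOpenInfFile and SetupCloseInfFile from setupapi.h; the guard is what keeps a loop over hundreds of OEM INF files from accumulating one handle per file per pass.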

To mitigate this issue, I strongly suggest you stop and disable the NVIDIA Stereoscopic 3D Driver Service. If you use its stereoscopic features, I suggest you only use the service for short amounts of time.

Although the latest drivers I’m using aren’t WHQL signed (190.56), this problem also exists in all drivers versioned 186.xx and up. This range is inclusive of WHQL and non-WHQL signed drivers. I, again, urge Microsoft to include some sort of Application Verifier testing with all components bundled with WHQL submitted drivers.

The unseen evolution of the Windows 7 Taskbar

committed to database on July 29, 2009 at 8:54 pm Eastern Standard Time 28 comments

It’s hard to picture the Windows Taskbar’s evolutionary past at Microsoft, because… well it was developed in the dark. A couple of months ago, I sat down with Chris Holmes and dug up builds from each development milestone at Microsoft and activated the new, secret Taskbar for comparison.

Milestone 1, 2, and 3 (like) Taskbars, side-by-side. Pretty.

Figure of Milestone 1, 2, and Beta (Milestone 3-like) Taskbars displayed vertically, respectively.

The Milestone 1 Taskbar was switched on with the addition of a Boolean DWORD value named EnableCHS, placed in the HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced key. One could infer CHS is a symbolic reference to the Chinese and their government’s way of shrouding everything in secrecy. Microsoft has come out and said CHS stood for Can Has Superbar, a reference to “lolspeak”. This iteration of the Taskbar featured very basic grouping features, live preview, and early support for “pinning” although not completely functional.

Milestone 2 builds featured an improved Taskbar, primarily focused on improving past pinning and grouping work. It also featured the beginnings of what we now know as Jumplists and Aero Peek. Unlike the previous Taskbar, the Shell performed more rigorous checks on who you were, under the Microsoft corporate umbrella, to determine if you were authorized to use the new Taskbar. One could infer these additions denote the point in time at which “new Taskbar builds” of Windows 7 had to be shared outside the Shell group for further work (e.g. the teams that work on Libraries, Find and Organize).

At the end of what you could call the “private development” tunnel, Microsoft started work on Milestone 3 builds of the Taskbar. It was at this time that pinning and grouping features were smoothed out, attention-jerking elements were removed (e.g. the awful white gradient), and the more subtle icon resources were installed in preparation for the upcoming technical preview. Unpictured, Jumplists still had the small arrow that appeared upon hovering over a Taskbar button.

The Milestone 3 Taskbar received little polish before being pushed out to the public in the first Pre-beta build of Windows 7. While demoed at the Professional Developers Conference in 2008, the Taskbar was not intended for public use. Having received a tip of the new Taskbar’s existence, however, I circumvented its Milestone 2-based protection and developed a tool to enable its public critique. (After all, we, the users, were the ones that were going to be using this from now until the next major Taskbar change. I felt it was important to perfect it now before code freeze.)

Updated July 30, 2009: Added proper definition of CHS, as per Microsoft.