RE: SPAM-LOW: Re: SPAM-LOW: Re: SPAM-LOW: Re: Re:Referencing a RegKey Object from handle

I can’t believe this is even up for discussion.

It hasn’t changed – YET. Do you want to bet on it never changing? Do you
want to bet on [random data structure X] never changing?

Show me a solid example of a *common* problem that you simply cannot solve
without relying on undocumented structures.

I would at least expect some agreement from you & Alberto that such
approaches should be, whenever possible, avoided, and that the *legitimate*
need for this approach is exceedingly rare.

Even in this example of binding to a registry key, several people posted
much more reliable examples that did not require peeking in OBJECT_HEADER.

Or are we, after all these years, no better than DOS hackers?

– arlie

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Maxim S. Shatskih
Sent: Friday, August 05, 2005 9:45 PM
To: Windows System Software Devs Interest List
Subject: SPAM-LOW: Re: SPAM-LOW: Re: SPAM-LOW: Re: Re:[ntdev] Referencing a
RegKey Object from handle

Why? Things like OBJECT_HEADER or the PsLookupProcessByProcessId routine
are here without changes from NT4 up to w2k3.

So, if there are no other ways - why not use them?

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

----- Original Message -----
From: “Arlie Davis”
To: “Windows System Software Devs Interest List”
Sent: Friday, August 05, 2005 8:37 PM
Subject: RE: SPAM-LOW: Re: SPAM-LOW: Re: Re:[ntdev] Referencing a RegKey
Object from handle

> Digging in structures for diagnostics, understanding, etc. is fine.
> Shipping code that relies on it is a mortal sin. How many times do we need
> to relearn this lesson? Shall I trot out recent examples?
>
> – arlie
>
>
> -----Original Message-----
> From: xxxxx@lists.osr.com
> [mailto:xxxxx@lists.osr.com] On Behalf Of Dan Partelly
> Sent: Friday, August 05, 2005 11:38 AM
> To: Windows System Software Devs Interest List
> Subject: SPAM-LOW: Re: SPAM-LOW: Re: Re:[ntdev] Referencing a RegKey Object
> from handle
>
> >> Digging in undocumented, unexposed headers should always be a warning
> >> that you are doing something wrong.
>
> Please note that dealing with absolutes and emitting such judgements holds
> very limited value.
> Digging in undocumented has a very clear value, and can make you understand
> much easier how the OS works. It clearly does not show, to ME at least,
> any sign that you are dealing something wrong, except maybe if you are an
> automaton writing code.
>
> Dan
>
>
>
>
>
> —
> Questions? First check the Kernel Driver FAQ at
> http://www.osronline.com/article.cfm?id=256
>
> You are currently subscribed to ntdev as: xxxxx@storagecraft.com
> To unsubscribe send a blank email to xxxxx@lists.osr.com



> I can’t believe this is even up for discussion.
>
> It hasn’t changed – YET. Do you want to bet on it never changing? Do you
> want to bet on [random data structure X] never changing?

OK, I will create the new build of the binary to support the next Windows
version :) is this bad?

> Show me a solid example of a *common* problem that you simply cannot solve
> without relying on undocumented structures.

Verifying that this particular object pointer is a registry key.

BTW - using undocumented functions seems to be absolutely fine in most cases
(especially in the cases when any other way is too complex).

For instance, PsLookupProcessByProcessId never changed since NT4. Some of these
functions are documented in IFS kit :) why not copy-paste this definition from
the IFS kit to my own source and build it? or just require ntifs.h for
building?

Sometimes using the undocumented stuff is really bad. NDIS internals, for
instance, or EPROCESS - it is too huge and thus changes from SP to SP.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

Do you charge your customers for the update to fix the bug you
introduced by relying on an undocumented data structure? What do they
do when you’ve moved on from doing driver development? You’re handing a
time-bomb to every customer you give/sell this to - do you warn them
about this? Can they get their money back when it blows up?

As to verifying that a particular object pointer is a registry key - if
you’re getting the handle from user-mode you can call the Nt API to get
the same effect (as discussed earlier on this thread). If you’re
getting the handle from a kernel component there’s no reason to be
validating what it gives you.

The assumption that an undocumented function won’t change simply because
it hasn’t in the past is not a good one to make. If you really think
this is the path you have to go down, you should (a) inform your
customers of the risk you’re forcing them to take and (b) figure out
some mitigation strategy ahead of time - license your source code to
them as well, provide a way to turn off the bug-magnet you’ve added to
your driver so they can limp along when it breaks, etc…

-p

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Maxim S. Shatskih
Sent: Monday, August 08, 2005 9:09 AM
To: Windows System Software Devs Interest List
Subject: Re: SPAM-LOW: Re: SPAM-LOW: Re: SPAM-LOW: Re: Re:[ntdev]
Referencing a RegKey Object from handle

> I can’t believe this is even up for discussion.
>
> It hasn’t changed – YET. Do you want to bet on it never changing? Do you
> want to bet on [random data structure X] never changing?

OK, I will create the new build of the binary to support the next Windows
version :) is this bad?

> Show me a solid example of a *common* problem that you simply cannot solve
> without relying on undocumented structures.

Verifying that this particular object pointer is a registry key.

BTW - using undocumented functions seems to be absolutely fine in most cases
(especially in the cases when any other way is too complex).

For instance, PsLookupProcessByProcessId never changed since NT4. Some of these
functions are documented in IFS kit :) why not copy-paste this definition from
the IFS kit to my own source and build it? or just require ntifs.h for
building?

Sometimes using the undocumented stuff is really bad. NDIS internals, for
instance, or EPROCESS - it is too huge and thus changes from SP to SP.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com



The best part about using undocumented APIs, relying upon internal data
structures, calling unexported functions, patching system call entry
point tables and overwriting existing code is that when it breaks on the
next service pack, security fix (reminder: tomorrow is Security
Tuesday!) or upgrade, is that the finger of blame will be pointed square
at MICROSOFT, not the original developer.

Remember: last component added that causes the break is blamed, guilty
or not!

Regards,

Tony

Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Peter Wieland
Sent: Monday, August 08, 2005 1:34 PM
To: ntdev redirect
Subject: RE: SPAM-LOW: Re: SPAM-LOW: Re: SPAM-LOW: Re: Re:[ntdev]
Referencing a RegKey Object from handle

Do you charge your customers for the update to fix the bug you
introduced by relying on an undocumented data structure? What do they
do when you’ve moved on from doing driver development? You’re handing a
time-bomb to every customer you give/sell this to - do you warn them
about this? Can they get their money back when it blows up?

As to verifying that a particular object pointer is a registry key - if
you’re getting the handle from user-mode you can call the Nt API to get
the same effect (as discussed earlier on this thread). If you’re
getting the handle from a kernel component there’s no reason to be
validating what it gives you.

The assumption that an undocumented function won’t change simply because
it hasn’t in the past is not a good one to make. If you really think
this is the path you have to go down, you should (a) inform your
customers of the risk you’re forcing them to take and (b) figure out
some mitigation strategy ahead of time - license your source code to
them as well, provide a way to turn off the bug-magnet you’ve added to
your driver so they can limp along when it breaks, etc…

-p


Tony, do you agree that using undocumented APIs like
PsLookupProcessByProcessId is the least sin of all of this?

Very, very many undocumented functions do not change from NT4 to 2003
Server.

Also - sometimes it is impossible to do something without using the
undocumented function. For instance, before XP we had no SeIsTokenAdmin, so, to
have this facility, the undocumented ZwQueryInformationToken was used.

Another task. GetProcAddress analog for the kernel mode. How to do this
without using the undocumented functions (or the undocumented DRIVER_OBJECT
field) to get the image base address?

I do not think that using undocumented functions “here and there” is good.
But sometimes they are the only way.

Now about structures. I remember a nasty bug in NT4 where STATUS_REPARSE
mechanism was not working at all for relative file opens. To bypass this bug, I
needed to patch the Parse handler for the File object type. Any other ways of
doing this, if the OS forgot to clear the RelatedFileObject field in some
internal structure passed from IoCreateFile to IopParseDevice on getting
STATUS_REPARSE from the stack?

Hooking and other kinds of patching is another song. Very, very dangerous.
Using undocumented stable and well-known stuff at least gives us the stable
code on this particular OS version.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

----- Original Message -----
From: “Tony Mason”
To: “Windows System Software Devs Interest List”
Sent: Monday, August 08, 2005 10:17 PM
Subject: RE: SPAM-LOW: Re: SPAM-LOW: Re: SPAM-LOW: Re: Re:[ntdev] Referencing a
RegKey Object from handle

The best part about using undocumented APIs, relying upon internal data
structures, calling unexported functions, patching system call entry
point tables and overwriting existing code is that when it breaks on the
next service pack, security fix (reminder: tomorrow is Security
Tuesday!) or upgrade, is that the finger of blame will be pointed square
at MICROSOFT, not the original developer.

Remember: last component added that causes the break is blamed, guilty
or not!

Regards,

Tony

Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com


LOL. This is like a religious discussion now. Let’s come up with a
categorization of sins, from most heinous to most benign.

  • Calling unexported, undocumented functions. Most of the people who
    can figure out how to do this know how to make it work right when the
    function is different or no longer works.
  • Using undocumented data structures; people change data structures to
    suit the changing needs of the OS.
  • Using exported but undocumented functions. These do tend to change
    less than most other functions. Within this category I generally think
    “functions that are most heavily used are least likely to change”. What
    happens instead is that someone replaces the function with a new
    function (NtCreateFileExGoldProfessionalExtendedEdition2) that replaces
    the old one, and the old one calls the new one.

I think the gist of much of the religious war here is that some people
seem to eschew doing things in the most documented fashion simply
because they CAN and make it work. I can demonstrate things I’ve had to
do that violate all of these rules at one time or another, although most
*NOT* in shipping product! Last month I needed to add some debugging
code to find APC Index mismatch problems. The issue is that there’s no
documented mechanism to retrieve the APC Index - and the way the OS reports
index mismatches is to bug check when the thread exits, which is
generally WAY too late. If you run the checked build it will do it on
exit of the system call, but even that can be too coarse when trying to
track down a problem of this type. So I came up with a way of finding
the APC disable field in an OS version independent fashion. But that
was DEBUG code. It doesn’t appear in production code.

Each of the cases you mention is familiar to me as well and those fall
into the category of “log a bug, work around the issue”. The
work-arounds have become less extreme over the years and we’ve been able
to get most of these problems resolved.

Finally, I don’t want to lose my point that if you know enough how to
make it FAIL gracefully, then you’re doing ok. But many of the
newcomers to this field do not have sufficient experience or insight to
know how to make it fail cleanly - they are struggling just to make it
work cleanly. Thus, we need to teach them the “right” way to do things
before we teach them that there are other, more nefarious black arts
that can be employed.

Regards,

Tony

Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Maxim S. Shatskih
Sent: Monday, August 08, 2005 2:39 PM
To: ntdev redirect
Subject: Re: SPAM-LOW: Re: SPAM-LOW: Re: SPAM-LOW: Re: Re:[ntdev]
Referencing a RegKey Object from handle

Tony, do you agree that using undocumented APIs like
PsLookupProcessByProcessId is the least sin of all of this?

Very, very many undocumented functions do not change from NT4 to 2003
Server.

Also - sometimes it is impossible to do something without using the
undocumented function. For instance, before XP we had no SeIsTokenAdmin, so, to
have this facility, the undocumented ZwQueryInformationToken was used.

Another task. GetProcAddress analog for the kernel mode. How to do this
without using the undocumented functions (or the undocumented DRIVER_OBJECT
field) to get the image base address?

I do not think that using undocumented functions “here and there” is good.
But sometimes they are the only way.

Now about structures. I remember a nasty bug in NT4 where STATUS_REPARSE
mechanism was not working at all for relative file opens. To bypass this bug, I
needed to patch the Parse handler for the File object type. Any other ways of
doing this, if the OS forgot to clear the RelatedFileObject field in some
internal structure passed from IoCreateFile to IopParseDevice on getting
STATUS_REPARSE from the stack?

Hooking and other kinds of patching is another song. Very, very dangerous.
Using undocumented stable and well-known stuff at least gives us the stable
code on this particular OS version.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com


This isn’t about learning, or debugging. There are numerous books on
Windows internals, targeted at device driver developers and developers in
general. I’m particularly fond of Rajeev Nagar’s File System Internals,
Gary Nebbett’s Windows NT/2000 Native API Reference. There are also lots of
good web resources for this.

This whole argument is about what you ship in your device drivers – the
code that customers place their trust in. All experience shows that being
conservative, *especially* with kernel-mode components, is important.

– arlie

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Dan Partelly
Sent: Monday, August 08, 2005 4:40 PM
To: Windows System Software Devs Interest List
Subject: SPAM-LOW: Re: Re:[ntdev] Referencing a RegKey Object from handle

>I’m sorry that this interferes with your ability to learn more about
>the OS.

I’m sorry, but all this has nothing to do with my ability to learn something
:P Fortunately for me, I can find my way inside your OS regardless you make
stuff public or not.

>But until that happens I’m going to keep asking people why they want
>to know what they’re asking

You have 3 points illustrated here. 2 of them are purely your problem because
you are a Microsoft employee, and thus you have to obey company policy and
not reveal data which would be integrated into a “competitor product”, or a
“better tool to break it”, I assume you talk about activation and XP keys
here …
but unfortunately the code which handles those tasks is what … 0.00000001 %
linked with what ppl usually want to know about undocumented aspects of NT.

MS could reveal and expose a lot more APIs, and improve on existing ones
without fearing that the data will be “integrated” into a competitor
product.
Let’s face it, there would be only some declarations of structs and APIs.
Do you really think that a person determined to learn them really needs
official header to understand this?

> build a time-bomb of a driver to sell to customers.

I don’t want to be evil, and god is my witness that I love MS’s operating
systems and products. I appreciate their value. But did you hear about
Sasser, MsSQL worm, Codered and whatever?
Isn’t MS which sold a time bomb to his customers here? Ugly weaknesses and
“security through obscurity” made this possible. So if Microsoft does it,
time and again, why is so concerned about 3rd party companies?
Solve your problems first, and make sure security is not implemented through
obscurity, then you’ll have less problems revealing more aspects of the OS.

I hope you will take this message as is, and not consider it an attack to
your person, or MS’s products.

Sorry, Dan

Gary Nebbett …

I’m indeed fond as well of that book, and curious … how the author which
claims that used reverse engineering to write that book had so much
clairvoyance to name 98% of structure members the same way as later we saw
them in Windbg, at later times. He surely must have some kind of paranormal
powers. He is one with the force.

> This whole argument is about what you ship in your device drivers

It’s more than this. In time it will result in a guideline of what you can
ask or not on a mailing list without being labeled and judged. I’ve seen ppl
here arrogantly saying:
“Tell me what product you write, so I can advise ppl not to buy it”.
Unfortunately from the same ppl which more than once in their lives fiddled
with undocumented.
And even if they were 100% honest to DDK documented API, who gives
them the right to judge a product which is in development, and they have no
idea which is the market for the product, if any, and the product is not a
custom tailored solution to run in a controlled environment for a special
customer.

> All experience shows that being
> conservative, *especially* with kernel-mode components, is important.

I beg to differ. Is safe, not important. Less chances to be challenged and
end in a situation which you can’t easily handle. On the other hand, you won’t
progress being conservative.

----- Original Message -----
From: “Arlie Davis”
To: “Windows System Software Devs Interest List”
Sent: Tuesday, August 09, 2005 12:05 AM
Subject: RE: SPAM-LOW: Re: Re:[ntdev] Referencing a RegKey Object from
handle

> This isn’t about learning, or debugging. There are numerous books on
> Windows internals, targeted at device driver developers and developers in
> general. I’m particularly fond of Rajeev Nagar’s File System Internals,
> Gary Nebbett’s Windows NT/2000 Native API Reference. There are also lots of
> good web resources for this.
>
> This whole argument is about what you ship in your device drivers – the
> code that customers place their trust in. All experience shows that being
> conservative, especially with kernel-mode components, is important.
>
> – arlie
>
>
>
> -----Original Message-----
> From: xxxxx@lists.osr.com
> [mailto:xxxxx@lists.osr.com] On Behalf Of Dan Partelly
> Sent: Monday, August 08, 2005 4:40 PM
> To: Windows System Software Devs Interest List
> Subject: SPAM-LOW: Re: Re:[ntdev] Referencing a RegKey Object from handle
>
>>>I’m sorry that this interferes with your ability to learn more about
>>>the OS.
>
> I’m sorry, but all this has nothing to do with my ability to learn
> something :P Fortunately for me, I can find my way inside your OS
> regardless of whether you make stuff public or not.
>
>>>But until that happens I’m going to keep asking people why they want
>>>to know what they’re asking
>
> You have 3 points illustrated here. 2 of them are purely your problem,
> because you are a Microsoft employee, and thus you have to obey company
> policy and not reveal data which would be integrated into a “competitor
> product”, or a “better tool to break it”. I assume you talk about
> activation and XP keys here …
> but unfortunately the code which handles those tasks is what … 0.00000001 %
> linked with what ppl usually want to know about undocumented aspects of
> NT.
>
> MS could reveal and expose a lot more APIs, and improve on existing ones,
> without fearing that the data will be “integrated” into a competitor
> product.
> Let’s face it, there would be only some declarations of structs and APIs.
> Do you really think that a person determined to learn them really needs
> an official header to understand this?
>
>
>>> build a time-bomb of a driver to sell to customers.
>
> I don’t want to be evil, and God is my witness that I love MS’s operating
> systems and products. I appreciate their value. But have you heard about
> Sasser, the MSSQL worm, Code Red and whatever?
> Isn’t it MS which sold a time bomb to its customers here? Ugly weaknesses
> and “security through obscurity” made this possible. So if Microsoft does
> it, time and again, why is it so concerned about 3rd party companies?
> Solve your problems first, and make sure security is not implemented
> through obscurity, then you’ll have fewer problems revealing more aspects
> of the OS.
>
> I hope you will take this message as is, and not consider it an attack on
> your person, or MS’s products.
>
> Sorry, Dan

This whole argument is what people will answer, sorry but it is reasonable
to ask why you want to do something, and not just tell people how to do
something if it appears to be stupid. I got curious a long time ago and
started writing documentation for the undocumented kernel exports; after I
was well along, I realized that I was just creating a problem.

Note if you are competent you can reverse engineer most of the undocumented
calls. Of course we can hope if you have reached that level, you are also
competent enough to not use most of them. Even the Open Source guys have this
kind of bar: you get a ton of code with Linux with little or no
documentation, and finding what you need requires building enough knowledge
to work your way around the tree.

You claim that this is a freedom of the group thing, but in the 20 years
I’ve been on Usenet, the “How do I shoot myself in the foot” questions have
always been answered that way.

Also, you claim that you cannot make progress by being conservative. I’ve
been conservative but have done multiple things that Microsoft and industry
pundits said were impossible. These include a fault tolerant system that
took control of the computer 20 times a second and could ride through most
failures on NT4, a video filesystem that delivered 150 MB/sec when PCI did
not make that speed, and a headless, diskless server where all the devices
were virtual over a high speed link. IN ALL OF THESE PROJECTS, I NEVER
VIOLATED THE DDK GUIDELINES!


Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Remove StopSpam from the email to reply

“Dan Partelly” wrote in message news:xxxxx@ntdev…
>
>>> This whole argument is about what you ship in your device drivers
>
>
> It’s more than this. In time it will result in a guideline of what you can
> ask or not on a mailing list without being labeled and judged. I have seen
> ppl here arrogantly saying:
> “Tell me what product you write, so I can advise ppl not to buy it”.
> Unfortunately, from the same ppl who more than once in their lives fiddled
> with undocumented.
> And even if they were 100% honest to the DDK documented API, who gives
> them the right to judge a product which is in development, and they have
> no idea which is the market for the product, if any, and the product is not
> a custom tailored solution to run in a controlled environment for a special
> customer.
>
>
>>>All experience shows that being
>>> conservative, especially with kernel-mode components, is important.
>
> I beg to differ. It is safe, not important. Less chances to be challenged
> and end in a situation which you can’t easily handle. On the other hand,
> you won’t progress being conservative.
>

When it ships, it must be just code running on the machine. The
more one uses OS services, the more exposure one has to nonsense
and to uncontrollable behavior. The solution, to me at least, is
obvious: talk to the hardware first, to the OS only when there’s
no alternative. Minimizing one’s exposure to the OS minimizes
one’s exposure to events one cannot control.

So, the only real conservative approach is to talk to the
hardware. That’s frozen functionality, mind you, it has been
around for years and by and large it works wonders. Beyond that,
it’s basically a kind of a lottery.

Alberto.

----- Original Message -----
From: “Arlie Davis”
To: “Windows System Software Devs Interest List”

Sent: Monday, August 08, 2005 5:05 PM
Subject: RE: SPAM-LOW: Re: Re:[ntdev] Referencing a RegKey
Object from handle

> This isn’t about learning, or debugging. There are numerous books on
> Windows internals, targeted at device driver developers and developers in
> general. I’m particularly fond of Rajeev Nagar’s File System Internals,
> Gary Nebbett’s Windows NT/2000 Native API Reference. There are also lots
> of good web resources for this.
>
> This whole argument is about what you ship in your device drivers – the
> code that customers place their trust in. All experience shows that being
> conservative, especially with kernel-mode components, is important.
>
> – arlie
>
>
>

It is a conscious decision to write code that’s Service Pack
dependent, and the need to maintain it across different versions
of the OS comes with the turf. And sometimes the change is
minimal if any, and even when it isn’t, it’s often the case of
looking at Windbg dt outputs and updating the code accordingly.
One of the things one does when one has SP or OS version
dependencies is to check, and to refuse to run if the version of
the product doesn’t match one of the versions that is supported;
that’s about five or so lines of code, big deal.

Sometimes one doesn’t need to resort to that kind of thing;
sometimes one does. It all depends on the circumstances and on
the reasons why we’re writing the particular piece of kernel
code we’re writing. In either case, it’s my decision as a
developer; not anyone else’s, not even of the OS’s.

Alberto.

----- Original Message -----
From: “Maxim S. Shatskih”
To: “Windows System Software Devs Interest List”

Sent: Monday, August 08, 2005 11:07 AM
Subject: Re: Re:[ntdev] SPAM-LOW: Re: Re:Referencing a RegKey
Object from handle

> OBJECT_HEADER was not changed since very old times.
>
> Maxim Shatskih, Windows DDK MVP
> StorageCraft Corporation
> xxxxx@storagecraft.com
> http://www.storagecraft.com
>
> ----- Original Message -----
> From: “Gary G. Little”
> Newsgroups: ntdev
> To: “Windows System Software Devs Interest List”
>
> Sent: Monday, August 08, 2005 6:36 PM
> Subject: Re:[ntdev] SPAM-LOW: Re: Re:Referencing a RegKey
> Object from handle
>
>
>> Yes but … pity your poor clients because the NEXT release of the OS or
>> even the next bug fix “adjusts” these undocumented areas and now their
>> systems are broke simply because of your arrogance.
>>
>> –
>> The personal opinion of
>> Gary G. Little
>>
>> “Alberto Moreira” wrote in message
>> news:xxxxx@ntdev…
>> > It depends on your definition of “undocumented”. To me at least,
>> > anything exposed by the Windbg dt command is fair game. Actually, I’m
>> > not totally contrary to using something like Chapeaux-Noirs either - it
>> > all depends on what I need to do and on how much support I get from the
>> > OS. To put it simply: if the OS thwarts me, I feel totally justified in
>> > thwarting the OS. And serve them right.
>> >
>> > Alberto.
>> >
>> >
>> > ----- Original Message -----
>> > From: “Arlie Davis”
>> > To: “Windows System Software Devs Interest List”
>> >
>> > Sent: Friday, August 05, 2005 11:22 AM
>> > Subject: RE: SPAM-LOW: Re: Re:[ntdev] Referencing a RegKey
>> > Object from
>> > handle
>> >
>> >
>> >> No no no no no no NO. Digging in undocumented, unexposed headers
>> >> should always be a warning that you are doing something wrong.
>> >>
>> >> If you want to validate that something is a registry key, and you
>> >> can’t get direct access to the registry key object type, then at
>> >> least do something reasonable – don’t manually dig in undocumented
>> >> structures. How many times has this blown up?! Just go read some of
>> >> Raymond Chen’s descriptions of the agony that this has caused.
>> >>
>> >> If you have a handle, and you suspect that it is a registry key but
>> >> you want to verify this, then ask it to do something that only
>> >> registry keys do. Call ZwQueryKey, and request something innocuous,
>> >> like KeyBasicInformation. If this succeeds, then you have a pretty
>> >> good idea that it is a registry key. Then you can call
>> >> ObReferenceObjectByHandle, with ObjectType = NULL, and have some peace
>> >> of mind that this will work two service packs down the road.
>> >>
>> >> – arlie
>> >>
>> >>
>> >> -----Original Message-----
>> >> From: xxxxx@lists.osr.com
>> >> [mailto:xxxxx@lists.osr.com] On Behalf Of
>> >> Maxim S. Shatskih
>> >> Sent: Friday, August 05, 2005 10:21 AM
>> >> To: Windows System Software Devs Interest List
>> >> Subject: SPAM-LOW: Re: Re:[ntdev] Referencing a RegKey
>> >> Object from handle
>> >>
>> >> Use undocumented means of getting the KeyObjectType, like
>> >> ZwOpenKey+ObReferenceObjectByHandle+digging into the undocumented
>> >> object header. It holds a type pointer.
>> >>
>> >> Maxim Shatskih, Windows DDK MVP
>> >> StorageCraft Corporation
>> >> xxxxx@storagecraft.com
>> >> http://www.storagecraft.com
>> >>
>> >>
>> >>
>> >>
>> >>
>> >
>> >
>>
>>
>>
>
>
> —
> Questions? First check the Kernel Driver FAQ at
> http://www.osronline.com/article.cfm?id=256
>
> You are currently subscribed to ntdev as: xxxxx@ieee.org
> To unsubscribe send a blank email to
> xxxxx@lists.osr.com
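
The probe described in Arlie Davis's quoted message above (ZwQueryKey with KeyBasicInformation, then ObReferenceObjectByHandle with ObjectType = NULL), written out as an added example; it is not code posted by anyone in the thread. The BUILD_AS_DRIVER macro, the name ReferenceKeyObjectFromHandle and the sim_object stand-ins are assumptions, made so the same logic also compiles and runs outside a driver.

```c
/* Added example. Define BUILD_AS_DRIVER (a made-up macro) to compile against
 * the real WDK headers; otherwise the constructed stand-ins below are used. */
#ifdef BUILD_AS_DRIVER
#include <ntddk.h>
#else
#include <stddef.h>
#include <stdint.h>

typedef int32_t  NTSTATUS;
typedef uint32_t ULONG, *PULONG, ACCESS_MASK;
typedef void    *PVOID, *HANDLE;
typedef char     KPROCESSOR_MODE;
#define KernelMode 0
#define NT_SUCCESS(s) (((NTSTATUS)(s)) >= 0)
#define STATUS_SUCCESS              ((NTSTATUS)0x00000000)
#define STATUS_BUFFER_OVERFLOW      ((NTSTATUS)0x80000005)
#define STATUS_INVALID_HANDLE       ((NTSTATUS)0xC0000008)
#define STATUS_BUFFER_TOO_SMALL     ((NTSTATUS)0xC0000023)
#define STATUS_OBJECT_TYPE_MISMATCH ((NTSTATUS)0xC0000024)

typedef enum { KeyBasicInformation = 0 } KEY_INFORMATION_CLASS;
typedef struct {
    int64_t  LastWriteTime;      /* LARGE_INTEGER in the WDK */
    ULONG    TitleIndex;
    ULONG    NameLength;
    uint16_t Name[1];            /* WCHAR in the WDK */
} KEY_BASIC_INFORMATION;

/* Constructed object model: a "handle" is a pointer to one of these. */
enum sim_type { SIM_KEY, SIM_EVENT };
struct sim_object { enum sim_type type; ULONG name_bytes; int refs; };

/* Stand-in with the documented parameter order; only key objects answer. */
static NTSTATUS ZwQueryKey(HANDLE h, KEY_INFORMATION_CLASS cls, PVOID buf,
                           ULONG len, PULONG result_len)
{
    struct sim_object *o = h;
    ULONG fixed = (ULONG)offsetof(KEY_BASIC_INFORMATION, Name);
    (void)cls; (void)buf;
    if (o == NULL) return STATUS_INVALID_HANDLE;
    if (o->type != SIM_KEY) return STATUS_OBJECT_TYPE_MISMATCH;
    *result_len = fixed + o->name_bytes;
    if (len < fixed) return STATUS_BUFFER_TOO_SMALL;
    return (len < *result_len) ? STATUS_BUFFER_OVERFLOW : STATUS_SUCCESS;
}

/* Stand-in: with a NULL object type any valid handle is accepted. */
static NTSTATUS ObReferenceObjectByHandle(HANDLE h, ACCESS_MASK access,
        PVOID type, KPROCESSOR_MODE mode, PVOID *object, PVOID info)
{
    struct sim_object *o = h;
    (void)access; (void)type; (void)mode; (void)info;
    if (o == NULL) return STATUS_INVALID_HANDLE;
    o->refs++;
    *object = o;
    return STATUS_SUCCESS;
}
#endif /* !BUILD_AS_DRIVER */

/*
 * Ask the handle to do something only a registry key does, and take a
 * reference only if it answers like a key. No OBJECT_HEADER access and no
 * per-service-pack offsets are involved.
 */
NTSTATUS ReferenceKeyObjectFromHandle(HANDLE Handle, PVOID *KeyObject)
{
    KEY_BASIC_INFORMATION probe;
    ULONG needed = 0;
    NTSTATUS status;

    *KeyObject = NULL;
    status = ZwQueryKey(Handle, KeyBasicInformation,
                        &probe, sizeof(probe), &needed);

    /* The probe buffer is deliberately tiny. A key whose name does not fit
     * still answers with a buffer-size status, which confirms the type as
     * well as success does; anything else fails closed. */
    if (!NT_SUCCESS(status) &&
        status != STATUS_BUFFER_OVERFLOW &&
        status != STATUS_BUFFER_TOO_SMALL) {
        return status;
    }

    /* ObjectType = NULL: the type was established by the probe above. */
    return ObReferenceObjectByHandle(Handle, 0, NULL, KernelMode,
                                     KeyObject, NULL);
}

#ifndef BUILD_AS_DRIVER
int main(void)
{
    struct sim_object key = { SIM_KEY, 40, 0 }, event = { SIM_EVENT, 0, 0 };
    PVOID obj;
    if (ReferenceKeyObjectFromHandle(&key, &obj) != STATUS_SUCCESS) return 1;
    if (ReferenceKeyObjectFromHandle(&event, &obj)
            != STATUS_OBJECT_TYPE_MISMATCH) return 1;
    return 0;
}
#endif
```

The caller owns the returned reference and releases it with ObDereferenceObject. The result stays, in the message's words, a "pretty good idea": a handle that another thread can close may be reused between the two calls.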

> You claim, that this is a freedom of the group thing, but in the 20 years
> I’ve been on Usenet, the “How do I shoot myself in the foot” questions
> have always been answered that way.

There were always more attitudes, Don. The questions had always been
answered that way by ppl like you, who are very quick to label ppl (sorry,
but you did it in the past), and without proof. There always were ppl on
those lists like Alberto, who is an evangelist of bare metal, ppl who
maintained neutrality, ppl who actually gave this info out, ppl who react
paranoid to undocumented questions, seeing conspiracies and attacks on world
order in such questions, plain idiots, and so on.

My claim is that I should have the freedom to ask anything without being
labeled as a virus writer. You also have the liberty to answer my questions
or not, or ask for supplementary details, indeed, to help me better, but not
to accuse one without proof, and threaten with stuff like “tell me what
product you write, so I can tell others not to buy it”

Dan

Alberto writes:

> The more one uses OS services, the more exposure
> one has to nonsense and to uncontrollable behavior.

Extremist nonsense and fingerpointing. I can cite just as many examples of
device drivers that do incredibly stupid things as you can of OS flaws.
And what is the end result of this reasoning? No OS, no drivers, just apps
talking directly to hardware? Back to the fifties? Perhaps you should ship
a sealed box, that contains only 100% pure, flawless Moreira code.

We must be conservative at all interfaces between components – between
hardware and software components, and between software components – to the
degree that is rational and necessary, because those components change
independently over time. Using undocumented and unsupported interfaces is
an option, but should only be a last resort, and every effort should be made
to reduce its impact.

I suppose you’re still grumpy that the x64 compiler doesn’t support inline
assembly, too.

– arlie

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Alberto Moreira
Sent: Monday, August 08, 2005 10:03 PM
To: Windows System Software Devs Interest List
Subject: SPAM-LOW: Re: SPAM-LOW: Re: Re:[ntdev] Referencing a RegKey Object
from handle

When it ships, it must be just code running on the machine. The more one
uses OS services, the more exposure one has to nonsense and to
uncontrollable behavior. The solution, to me at least, is
obvious: talk to the hardware first, to the OS only when there’s no
alternative. Minimizing one’s exposure to the OS minimizes one’s exposure to
events one cannot control.

So, the only real conservative approach is to talk to the hardware. That’s
frozen functionality, mind you, it has been around for years and by and
large it works wonders. Beyond that, it’s basically a kind of a lottery.

Alberto.


Bull shit. In the 35 years I’ve been doing this, I’ve seen hardware break
functional software because the hardware engineer had his head up his ass
when he decided he didn’t like the port layout of the card he was
re-engineering. I’ve seen as many hardware types disappear for that kind of
arrogance as I have seen software engineers disappear for much the same
thing.


The personal opinion of
Gary G. Little

“Alberto Moreira” wrote in message news:xxxxx@ntdev…
> When it ships, it must be just code running on the machine. The more one
> uses OS services, the more exposure one has to nonsense and to
> uncontrollable behavior. The solution, to me at least, is obvious: talk to
> the hardware first, to the OS only when there’s no alternative. Minimizing
> one’s exposure to the OS minimizes one’s exposure to events one cannot
> control.
>
> So, the only real conservative approach is to talk to the hardware. That’s
> frozen functionality, mind you, it has been around for years and by and
> large it works wonders. Beyond that, it’s basically a kind of a lottery.
>
> Alberto.
>
>

Or more likely, the OS is inflexible enough that it cannot
accommodate the hardware ? Again, hardware standards are
independent of OS’s. If a piece of hardware doesn’t support the
standard, it doesn’t support the standard, period - nothing to
do with the OS. However, flexible OS’s allow latitude to
software developers so that those cases can still be
accommodated - I don’t care how bad the hardware is, if I have
to spend tens of grands revving my hw yet again because the OS
doesn’t accommodate a fudge, sorry, won’t do it.

Hardware is way harder to develop than software, so, umpteen out
of umpteen plus one cases it’s the software that must
accommodate the hardware - not the other way around.

Alberto.

----- Original Message -----
From: “Gary G. Little”
Newsgroups: ntdev
To: “Windows System Software Devs Interest List”

Sent: Tuesday, August 09, 2005 1:39 PM
Subject: Re:[ntdev] SPAM-LOW: Re: Re:Referencing a RegKey Object
from handle

> Bull shit. In the 35 years I’ve been doing this, I’ve seen
> hardware break functional software because the hardware
> engineer had his head up his ass when he decided he didn’t
> like the port layout of the card he was re-engineering. I’ve
> seen as many hardware types disappear for that kind of
> arrogance as I have seen software engineers disappears for
> much the same thing.
>
> –
> The personal opinion of
> Gary G. Little
>

No, dude, experience. Years of it. A device driver should be
machine code on iron - basically it should misbehave because it
doesn’t handle the hardware appropriately, or because there’s a
programming error, and so on. If a piece of code must spend most
of its time negotiating APIs which are basically there to
channel a dev out of handling the hardware, sorry, no sympathy
from me.

Alberto.

----- Original Message -----
From: “Arlie Davis”
To: “Windows System Software Devs Interest List”

Sent: Tuesday, August 09, 2005 11:11 AM
Subject: RE: SPAM-LOW: Re: SPAM-LOW: Re: Re:[ntdev] Referencing
a RegKey Object from handle

> Alberto writes:
>
>> The more one uses OS services, the more exposure
>> one has to nonsense and to uncontrollable behavior.
>
> Extremist nonsense and fingerpointing. I can cite just as many examples
> of device drivers that do incredibly stupid things as you can of OS flaws.
> And what is the end result of this reasoning? No OS, no drivers, just apps
> talking directly to hardware? Back to the fifties? Perhaps you should
> ship a sealed box, that contains only 100% pure, flawless Moreira code.
>
> We must be conservative at all interfaces between components – between
> hardware and software components, and between software components – to the
> degree that is rational and necessary, because those components change
> independently over time. Using undocumented and unsupported interfaces is
> an option, but should only be a last resort, and every effort should be
> made to reduce its impact.
>
> I suppose you’re still grumpy that the x64 compiler doesn’t support inline
> assembly, too.
>
> – arlie
>
>
>

You forget one thing. That driver must exist in an environment that is not
only orchestrated by an OS, but one that is also colored and harmonized with
by a multitude of other kernel drivers provided by a multitude of developers
and vendors. Most of those developers ASSUME that your driver is doing
basically the same thing as they are, trying to perform the task at hand
without causing a ripple that will kill someone else. Your driver may work
fine in SP2, using undocumented structures and function calls, but will it in
SP3 or Vista? The truth is you cannot guarantee that you can correct any
deltas that may exist in SPs before they cause some other vendor’s driver to
crash. That is going to lead to unneeded stress and work by the poor schmuck
trying to do things right. You cannot guarantee that what you do when you
decide to run naked through the hardware, is not going to cause someone else
grief.

Norton AV is proof enough. It has to be uninstalled to install too many of
the Microsoft released updates, and an uninstalled AV is absolutely useless.


the personal opinion of
Gary G. Little

“Alberto Moreira” wrote in message news:xxxxx@ntdev…
> No, dude, experience. Years of it. A device driver should be machine code
> on iron - basically it should misbehave because it doesn’t handle the
> hardware appropriately, or because there’s a programming error, and so on.
> If a piece of code must spend most of its time negotiating APIs which are
> basically there to channel a dev out of handling the hardware, sorry, no
> sympathy from me.
>
> Alberto.
>
>
> ----- Original Message -----
> From: “Arlie Davis”
> To: “Windows System Software Devs Interest List”
> Sent: Tuesday, August 09, 2005 11:11 AM
> Subject: RE: SPAM-LOW: Re: SPAM-LOW: Re: Re:[ntdev] Referencing a RegKey
> Object from handle
>
>
>> Alberto writes:
>>
>>> The more one uses OS services, the more exposure
>>> one has to nonsense and to uncontrollable behavior.
>>
>> Extremist nonsense and fingerpointing. I can cite just as many examples of
>> device drivers that do incredibly stupid things as you can of OS flaws.
>> And what is the end result of this reasoning? No OS, no drivers, just apps
>> talking directly to hardware? Back to the fifties? Perhaps you should ship
>> a sealed box, that contains only 100% pure, flawless Moreira code.
>>
>> We must be conservative at all interfaces between components – between
>> hardware and software components, and between software components – to the
>> degree that is rational and necessary, because those components change
>> independently over time. Using undocumented and unsupported interfaces is
>> an option, but should only be a last resort, and every effort should be made
>> to reduce its impact.
>>
>> I suppose you’re still grumpy that the x64 compiler doesn’t support inline
>> assembly, too.
>>
>> – arlie
>>
>>
>>
>> -----Original Message-----
>> From: xxxxx@lists.osr.com
>> [mailto:xxxxx@lists.osr.com] On Behalf Of Alberto Moreira
>> Sent: Monday, August 08, 2005 10:03 PM
>> To: Windows System Software Devs Interest List
>> Subject: SPAM-LOW: Re: SPAM-LOW: Re: Re:[ntdev] Referencing a RegKey
>> Object
>> from handle
>>
>> When it ships, it must be just code running on the machine. The more one
>> uses OS services, the more exposure one has to nonsense and to
>> uncontrollable behavior. The solution, to me at least, is
>> obvious: talk to the hardware first, to the OS only when there’s no
>> alternative. Minimizing one’s exposure to the OS minimizes one’s exposure to
>> events one cannot control.
>>
>> So, the only real conservative approach is to talk to the hardware. That’s
>> frozen functionality, mind you, it has been around for years and by and
>> large it works wonders. Beyond that, it’s basically a kind of a lottery.
>>
>> Alberto.
>>
>>
>> ----- Original Message -----
>> From: “Arlie Davis”
>> To: “Windows System Software Devs Interest List”
>>
>> Sent: Monday, August 08, 2005 5:05 PM
>> Subject: RE: SPAM-LOW: Re: Re:[ntdev] Referencing a RegKey Object from
>> handle
>>
>>
>>> This isn’t about learning, or debugging. There are numerous books on
>>> Windows internals, targeted at device driver developers and developers
>>> in general. I’m particularly fond of Rajeev Nagar’s File System
>>> Internals, Gary Nebbett’s Windows NT/2000 Native API Reference. There
>>> are also lots of good web resources for this.
>>>
>>> This whole argument is about what you ship in your device drivers –
>>> the code that customers place their trust in. All experience shows
>>> that being conservative, especially with kernel-mode components, is
>>> important.
>>>
>>> – arlie
>>
>>
>>
>>
>
>

> Or more likely, the OS is inflexible enough that it cannot
> accommodate the hardware?

Or the hardware is inflexible enough so it cannot accommodate the OS?

In the real world, standards are set by the most powerful player. So, if the
Chinese USB dongle maker is smaller than Microsoft, then they must obey MS’s
requirements, and not MS - their requirements.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

The hardware comes first. It must adhere to hardware standards.
If there’s both MS and Chinese USB dongles, they must both
adhere to the USB standard, and if they do, it is the duty of
the OS to handle both.

Alberto.

----- Original Message -----
From: “Maxim S. Shatskih”
To: “Windows System Software Devs Interest List”

Sent: Wednesday, August 10, 2005 6:10 AM
Subject: Re: Re:[ntdev] SPAM-LOW: Re: Re:Referencing a RegKey
Object from handle

>> Or more likely, the OS is inflexible enough that it cannot
>> accommodate the hardware ?
>
> Or the hardware is inflexible enough so it cannot accommodate
> the OS?
>
> In the real world, standards are set by the most powerful player.
> So, if the Chinese USB dongle maker is smaller than Microsoft, then they
> must obey MS’s requirements, and not MS - their requirements.
>
> Maxim Shatskih, Windows DDK MVP
> StorageCraft Corporation
> xxxxx@storagecraft.com
> http://www.storagecraft.com
>
>

Alberto,

Sorry to disillusion you, but there have been a number of studies
that have shown that for most hardware the cost of the associated software
is 5 to 10 times higher than the hardware. The concept that the hardware is
more expensive went out with discrete packages.


Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Remove StopSpam from the email to reply

“Alberto Moreira” wrote in message news:xxxxx@ntdev…
>
> Hardware is way harder to develop than software, so, umpteen out of
> umpteen plus one cases it’s the software that must accommodate the
> hardware - not the other way around.
>