I went to review the source pages of the web site right away, to see what exactly triggered the Google penalty. It turned out, I had a paragraph of text on the page enclosed with the tags <div class=”description”>…</div>. Nothing bad by itself, until you pull the style.css file and see that the definition for class “description” was: .description { display: none; } In other words, the text that was between the tags was not displayed on the page. Yet it was visible to the googlebot. A clear violation of the Google’s terms, indeed!

How come I had that piece of hidden text on the web page? It happened a few years ago, when I was doing the last redesign of the web site. I was playing with different style sheets, one designed to display the web page on the screen, and another one to be used when the page was sent to the printer.  I was using the display: none; attributes in the printing style sheet to suppress the printing of the non-essential elements (like menus, which have no use when printed on paper). While playing with the different layouts, I forgot about one invisible piece of text I left there. And now, several years later, Goggle finally figured out that the text was hidden and decided to penalize me.

Once I realized what the problem was about, I removed the hidden text from all pages, and submitted a reconsideration request to Google. They replied: “Please allow several weeks for the reconsideration request.” Several weeks! As if the stock market crisis was not enough of bad news at that time.

Then, after a few days passed, the frost was gone, and the usual warm fall returned to Utah. One morning, while checking the Google search results the N-th time, I saw my web site back in the results. Hurray, Google has lifted its punishment, and allowed my web site back into its index! It turned out that instead of “at least 30 days” or “several weeks” the penalty lasted only about 6 days. (Of course, I’m not complaining!).

Looking at the web site statistics, here is how the Google penalty affected the traffic:

The decrease in the traffic was noticeable, but not devastating. Why? Because the “organic” Google traffic, although significant, was not the primary source of the visitors to my web site. What was the primary source then, you might ask? Sorry, I’m not telling (I have a lot of competition!) Let me just mention that the “word of mouth” kind of traffic, that is people telling their friends and colleagues about my products, the web sites recommending my products to their users, and other similar sources, play a very prominent role in keeping my business alive.

Even though the Google punishment was light, I promised to myself that I will pay better attention to the web pages in the future and make sure I don’t do something stupid again that would trigger the Google “winter” again. It may not be so short next time.

Post from: softblog.com

Getting through the Google “winter”

Not so fast. 7-Zip is licensed under the GPL license, which strictly forbids the re-use of its source code in the non-GPL’d projects. If I want to use some of the GPL’d code in my own software, I need to convert my whole project to the GPL license and open its whole source code, something I don’t want to do.

After thinking some more, I came up with an idea: I’d make a separate module (a plug-in) that would serve as a bridge between my closed-source project and the GPL’d project. I would make the plug-in GPL’d (because it would need to use some of the GPL’d code), and publish its source code.  My closed source project would link to the plug-in, the plug-in would link to the other GPL’d project’s code, and everyone would be happy: the users of AB Commander would get additional software functionality, the plug-in would be GPL’d, and I would keep the source code of AB Commander closed. Pretty smart, huh?

Again, not so fast. Let’s browse through the GPL FAQ, that explains the issues related to linking between proprietary software and the GPL’d software (or, as they put it, “free” software, where “free” is as in “free speech”). For example, the answer to the question Can I release a non-free program that’s designed to load a GPL-covered plug-in? reads “…In order to use the GPL-covered plug-ins, the main program must be released under the GPL or a GPL-compatible free software license…“

Huh? I could understand the requirement to GPL any code derived from a GPL’d code, it’s their code and they are free to restrict its re-use anyway they want, but to require two separate modules dynamically linking to each other to be covered by GPL if only one of them is GPL’d? It seems like asking a bit too much. Especially considering that GPL programs have no reservations about linking to proprietary software. Just take any software for Windows, GPL or not, it’s linking to the Microsoft’s proprietory system libraries. Looks like the philosophy of the “free software” is it’s OK to take advantage of the evil and dirty proprietory software, as long as it is not trying to link back to take some advantage of the GPL’d software.

Not fair!

Post from: softblog.com

Is GPL software free as in “free love”?

Vista Elevator 2.0 is an updated version of the sample application Vista Elevator that uses a different approach to solving the problem of starting a non-elevated task from an elevated one.

The first version of Vista Elevator used a trick that created a non-elevated process by programming Vista Task Scheduler to start such a process immediately upon its registration. It worked even if the parent process was elevated. However, there were a few problems with that:

1. It worked well when the process was started by an administrator (that is, by an account with a “split token”). However, if the account was of a standard user (or a Guest account) it did not work as expected: the secondary non-elevated process was created by Task Scheduler to be executed in the administrator’s context, rather than in the original context of the standard user account. The task would launch not when it was registered, but later on, when the administrator logged on to the system.
2. The target machine could have Task Scheduler disabled. In such a case, this method would fail to start the secondary non-elevated task at all.

To solve these problems, a different approach is necessary. An obvious method of achieving the goal would be to have a separate helper executable that would help the main application launch a non-elevated task, when necessary. Specifically, it would work as follows:

1. When a user wants to run the application (main.exe), s/he would start by launching the helper executable (helper.exe) first.
2. The helper process would start non-elevated, but it would launch main.exe, and request it to start elevated (for example, by using the Run Elevated() function).
3. After the administrator would have approved the launch of main.exe, the user would work with it, as usual. Helper.exe would keep running non-elevated, waiting for a signal from main.exe.
4. When main.exe would need to start a non-elevated task, it would send a signal to helper.exe, using some sort of inter-process communication, and helper.exe would start a non-elevated process on main.exe’s behalf.

Such an approach would solve both problems described above: it would not require Task Scheduler to be running on the target system, and it would launch the non-elevated task in the context of the original user, whether it is an administrator, a standard user, or a guest.

What is not good about this approach, it requires a separate helper process to be running all the time, wasting the CPU cycles. It also requires to design a communication protocol between the helper and the main executable, which is not a trivial task and is subject to errors. Wouldn’t it be better if we could use some other non-elevated process already running on the target system to launch a non-elevated process on the main.exe’s behalf? Let’s see… There actually is a process that is guaranteed to run all the time while the user is logged on to the system: the Windows shell! And it runs non-elevated, just what we need. Seems like a perfect candidate for our helper process. But how can we ask Windows shell to launch a process on our behalf? Simply calling ShellExecute() or Start Process() would not work, because they would be executed by our process, not by the shell. What we need to do is inject our code into the shell process and make it launch a process on our behalf!

So, the plan of the attack could be as follows:

1. Our process would find a window that belongs to the shell, and that is guaranteed to be available at any time. A good window for this purpose is Progman, that is responsible for displaying the desktop. We can call the FindWindow() API to obtain a handle to this window.
2. Our process would call RegisterWindowsMessage() API to register a unique message that we would use to communicate with the shell’s window. It must be unique to avoid possible conflicts and side effects if we would have accidentally picked a message that is already used by the shell for some purpose.
3. Our elevated process would call SetWindowsHookEx() API to install a global hook, to be invoked when a windows message gets processed by any process running on the system.
4. Once the hook is installed we would send our unique message to the shell’s window, and that would make our hook procedure to get invoked. (That’s how we inject our code into the shell’s process!)
5. When the hook procedure is called (in the context of the shell process), it would call ShellExecute() API to launch the non-elevated process that we need. The process would start non-elevated because the shell’s process is not elevated, and our process would inherit the shell’s elevation level.
6. Finally, we would remove the hook, as we no longer need it and it should no longer be called and waste system resources and CPU cycles.

That’s the plan that is implemented as the RunNonElevated() function in the VistaTools.cxx file that VistaElevator 2.0 uses. To make it work, the design of the VistaElevator application had to be changed significantly:

Firstly, in order to be able to install a global hook, the hook procedure must reside in a DLL. It means that we can no longer have a single executable, we must create a DLL to go with it, as well.

Secondly, in order to be able to pass data from our process to our code injected in the shell’s process, we must set up a special code section to be shared between several processes.

Finally, to be able to use this method with both 32-bit and 64-bit versions of Vista, we must produce two separate builds, one 32-bit and another one 64-bit. The reason for that is that on a 64-bit Vista the shell is a native 64-bit process, and in order to be able to hook it, we need to use 64-bit code, too.

To see the details, use the download links below:

THIS CODE AND INFORMATION IS PROVIDED “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE.

VistaElevator2.zip

(the compiled executables only, without the source code)

VistaElevator2-src.zip

(the source code, a Visual Studio 2005 project)

Note: If you want to compile the source code on your own, make sure you have the latest Windows SDK (see msdn.microsoft.com for more information).

Post from: softblog.com

Vista Elevator 2.0

I believe I’ve stumbled upon the first bug in Vista UAC (in the final release of Vista, not in a beta version).

It’s very easy to see the bug in action:

• Login to your computer with the Guest account. (You may need to enable the Guest account first, using the Control Panel).
• Download any digitally signed program (such as TweakUAC), save it to the default download folder (C:\Users\Guest\Downloads).
• Now run the file you’ve just downloaded, and take a look at the elevation prompt displayed:

As you can see, UAC cannot recognize that the file contains a valid digital signature, and it warns you that the program is “unidentified”. This is a bug, because you can check that the digital signature of the file is actually valid:

This problem is not limited to the TweakUAC file, any other digitally signed executable (such as the installation utilities of most software packages) will produce the same effect. All you need to do to reproduce this bug is login to Vista with the Guest account and run a digitally signed file from the Guest\Downloads folder. Note that if you copy the executable into the C:\Program Files folder, and run the file from there, its digital signature would magically become recognizable by UAC! Move the file to the root folder C:\, and the file again becomes unidentified to UAC.

Is this bug dangerous? Yes, it is! The whole idea behind UAC is to shift the responsibility of distinguishing the bad programs from the good ones to the end user (you!). The only tool that UAC gives you in this regard is the digital signature information, and it turns out it’s broken! How are you supposed to make the decision whether to trust a certain program or not if UAC does not provide you with the correct information? (Nevermind, it’s a rhetorical question).

Andrei Belogortseff

WinAbility Software Corp.

Comments:

21 Responses to “The first bug in Vista UAC?”

1. Myria Says:
   February 17th, 2007 at 10:10 pm

   I believe that this is because there is an NTFS fork on the directory that says that anything in that directory shouldn’t be trusted. This is similar to XP in how it knows that a file was downloaded recently by IE.

2. Soumitra Says:
   February 19th, 2007 at 6:06 pm

   Hi Andrei,

   Have a quick question about TweakUAC. Can I suppress UAC messages only for a single application using TWeak? Or does it suppress all UAC messages, system wide?

   Thanks.

   Regards,

   Soumitra

3. Andrei Belogortseff Says:

   February 20th, 2007 at 11:20 am

   Hi Soumitra,

   > Can I suppress UAC messages only for a single application using TWeak?

   No, it’s impossible.

   > Or does it suppress all UAC messages, system wide?

   Yes, that’s how it works.

   Andrei.

4. Andrei Belogortseff Says:
   February 20th, 2007 at 11:22 am

   Hi Myria,

   > I believe that this is because there is an NTFS fork on the directory that says that anything in that directory shouldn’t be trusted. This is similar to XP in how it knows that a file was downloaded recently by IE.

   It may very well be so, but it does not make it any less of a bug. If a file contains a valid digital signature, Windows should not misrepresent it as coming from an unidentified publisher.

   Andrei.

5. Chris Says:
   February 26th, 2007 at 1:09 pm

   How did you take a screenshot of the UAC? I can’t get Print Screen to copy it to the clipboard, and the snipping tool isn’t working either.

6. Andrei Belogortseff Says:
   February 26th, 2007 at 9:55 pm

   Hi Chris,

   > How did you take a screenshot of the UAC? I can’t get Print Screen to copy it to the clipboard, and the snipping tool isn’t working either.

   Those tools don’t work because UAC displays its messages on the secure desktop, to which the “normal” user tools have no access. To solve this problem, I’ve changed the local security policy to make the UAC prompts to appear on the user’s desktop. After that, I used the regular Print Screen key to capture the screenshots.

   Hope this helps,

   Andrei.

7. Matthew Bragg Says:
   March 4th, 2007 at 2:58 am

   Hi Andrei,

   I sell software to a *very* non-technical customer base. My setup procedure includes installation of an .ocx file into the \windows\system32 folder and registration of it using regsvr32. In order to copy anything into the \windows\system32 folder under Vista I have to turn off UAC. I would like to be able to do this automatically, programmatically, so I don’t have to make my users mess with UAC. I’d like to be able to turn off UAC for a second or two programmatically, then turn it back on. Will your software enable me to do that?

   Thanks

8. Andrei Belogortseff Says:
   March 4th, 2007 at 11:42 am

   Hi Matthew,

   > I’d like to be able to turn off UAC for a second or two programmatically, then turn it back on.

   Unfortunately it’s impossible: if you enable or disable the UAC, Windows must be restarted before the change would have take effect.

   To solve your problem:

   > In order to copy anything into the \windows\system32 folder under Vista I have to turn off UAC.

   It looks like your setup process is executing non-elevated, that’s why it cannot do that. You may want to try to start it elevated and see if it would have solved the problem without turning off the UAC.

   HTH

   Andrei.

9. caz Says:
   March 25th, 2007 at 10:24 am

   don’t use TweakUAC because this program makes your Vista unsafe!

10. Herbys Says:
    March 29th, 2007 at 10:30 pm

    > How are you supposed to make the decision whether to trust a certain program or not if UAC does not provide you with the correct information? (Nevermind, it’s a rhetorical question).

    The answer is you are not. A guest should not be allowed to make any decision about installing software. If you log on as a valid user, the prompt works just fine. If you log on as a guest, you shouldn’t be installing software, so any dire warning is fine.

    Yes, this might be unintended behavior (or perhaps it is not), but its impact is null.

11. Andrei Belogortseff Says:
    March 31st, 2007 at 4:47 pm

    Hi Herbys, you wrote:

    > The answer is you are not. A guest should not be allowed to make any decision about installing software.

    Sorry, but you are missing the point: the UAC displays this information for the _administrator_ to use and to make a decision, not for the guest user. The administrator is supposed to review the information and enter his or her password to approve the action. Take a look at the screenshot and see for yourself.

    > If you log on as a guest, you shouldn’t be installing software

    Why shouldn’t I? What if I want to install a program for use by the guests only? For example, I use only one web browser (IE), but I never know what browser a guest may want to use. So, being a good host I want to install also Firefox and Opera, but I don’t want them to clutter my desktop, etc., I want them to be used by the guests only. To achieve that, I would log in to the guest account and install the additional browsers from there.

    > so any dire warning is fine.

    Wrong.

    > Yes, this might be unintended behavior (or perhaps it is not), but its impact is null.

    May be, may be not. In any case, it does not make it any less of a bug!

12. Timothy Conner Says:
    April 10th, 2007 at 9:28 pm

    Is there any plan to adapt your program into a Control Panel Applet? I think that would be very clever.

13. Andrei Belogortseff Says:
    April 11th, 2007 at 9:07 am

    Hi Timothy, you wrote:

    > Is there any plan to adapt your program into a Control Panel Applet?

    No, we don’t have such plans at this time, sorry.

14. Mike Says:
    June 18th, 2007 at 9:19 pm

    Anyone know why Vista won’t let me rename any new folder?

    The permissions are all checked for me as administrator, still I get an error message, “folder does not exist”. I can put things in folder and move it, but can’t rename it?

15. Bob Says:
    January 29th, 2008 at 9:46 am

    To be honest, I have always thought that digitally signing was merely a way of generating more revenue. It doesn’t offer you any more security and windows will always moan at you regardless of an application having a signature or not.

    Even if your application has the “all powerful” and completely unnecessary Windows Logo certification, it still offers nothing to you as a user other than the reassurance that the person/s developing the software has allot of spare cash.

16. Thomas Says:
    February 24th, 2008 at 10:34 am

    Bob Said:

    > To be honest, I have always thought that digitally signing was merely a way of generating more revenue.

    I have to agree. I’ve heard the argument of how it’s all designed to protect users from malicious software, and that’s all well and good as far as that goes — but since Vista, and most mobile OSes, don’t offer a way for users to say “okay, I understand the risk, I accept full responsibility, please go ahead and run this unsigned application without restrictions, and never bother me again when I try to run this application”… That makes it pretty clear it’s just a racket initiated by VeriSign and the like, and happily endorsed by Microsoft.

17. Andrew Says:
    May 17th, 2008 at 9:03 am

    This is not a bug.

    The first screen shot shows that Windows doesn’t trust the identity contained in the certificate. In other words, “I can read this, but I don’t know if I should trust the person who wrote it.”

    The second screen shot just shows that the certificate is well-formed, that Windows can understand the information contained within it. It says nothing about what Windows will do with that information.

    Who did you did you pay to sign the certificate for you? If they’re not someone with a well-established reputation, then I don’t WANT my computer to automatically trust them.

    It’s just like how web browsers automatically trust SSL certificates signed by Thawte or Verisign, but will ask you before accepting a certificate from Andy’s Shady Overnight Certificate Company. As always, it’s a balancing act between usability and security.

18. Andrei Belogortseff Says:
    May 17th, 2008 at 10:04 am

    Andrew, you wrote:

    > This is not a bug.

    OK, there is a fine line between a bug and a feature, let’s assume for a moment that it’s a feature rather than a bug. If so, what benefit is this feature supposed to provide? As the second screen shows, the file is digitally signed, and Vista can detect that. Yet, it shows the publisher as “unidentified” on the first screen. Note also (as I mentioned in the post), that if you move the file to one a few specific folders (such as C:/Program files), Vista would magically begin to recognize the publisher. Move the file to some other folder, and it’s unidentified again.

    If you can explain why they designed it that way, I would agree with you. Until then, it’s a bug. Guilty until proven innocent!

    > Who did you pay to sign the certificate for you?

    That particular file was signed with a Verisign certificate, but the same problem occurs with _any_ file, signed with _any_ certificate. Try it yourself and you will see.

19. Farthen Says:
    June 1st, 2008 at 12:53 pm

    I think that it occurs because of IE7 protected mode - see http://victor-youngun.blogspot.com/2008/03/internet-explorer-7-protected-mode-vs.html, it’s a guide to run firefox in protected mode, and this explains very good how the protected mode works… the prompt is because the “Download” Folder is a protected folder (level “low”) and I think it only displays at the guest, because Windows forces UAC to display certificate in normal user mode in “low” level folders, but NOT for the MUCH MORE RESTRICTED “guest” account. This would be my explanaition.

    It doesn’t mean that I like it how Microsoft handels this but this would eventually explain WHY the warning appears sometimes and sometimes not.

20. Farthen Says:
    June 1st, 2008 at 12:55 pm

    sorry, in my last post there is a comma in the link, the correct link is:

    http://victor-youngun.blogspot.com/2008/03/internet-explorer-7-protected-mode-vs.html

21. Andrei Belogortseff Says:
    June 3rd, 2008 at 7:16 pm

    Farthen: thank you for the information and explanation!

Post from: softblog.com

The first bug in Vista UAC?

Although anyone can read this book online for free, I’ve ordered a paper version of it about a year ago, after seeing it mentioned by Bob Walsh in his blog. I was not in the marketing mood, and I did not read it then. These days, I’m getting closer to releasing a new software product (stay tuned for the big announcement here, any day now :-) ), and I’m preparing myself to switching from the programming to the marketing mode for some time, so I decided it was time to read it now. I’m not a novice in the Internet matters (I created the first web site for my business back in 1994, before Google, Yahoo!, and MSN even existed), still I found this book of a good value.

Not that it took too long to read the book: it’s only 93 pages, including the Table of Contents and Acknowledgments. That was my first suprise when I got the book, “Can a book this thin be any good?”. It was, although not without some shortcomings. The biggest of which were rather awkward analogies used throughout the book. For example, the book begins with a description of an imaginary Farmer’s Market that is neat, shiny, visited by a lot of people, but that happens not to have any lettuce on its shelves. This analogy is used to illustrate a poorly designed web site, that does not do a good job of delivering what the visitors are looking for. To me, the analogy is poor: the problem of the missing lettuce was probably caused by a one-time misjudgement of the market’s management, and is easily fixed (by ordering the lettuce!). Problems with web site design and navigation are not so easy to correct.

Another example of a poor analogy is further in the book, when the author explains that you must use a double-opt-in method of subscribing people to your email list. “Don’t sign them up and then ask to unsubscribe!”, writes the author, “That’s just rude, like eating the last piece of cake and then asking if anyone wants it”. Sure, eating the last piece of cake is rude, but it does not illustrate the rudeness of the subscribing to an email list without asking for the permission first. A better analogy, IMHO, would be, for example,  a situation when you are standing on a bus stop, waiting for your bus, and a taxi driver would suddenly stop by you, push you into the car, and start driving, yelling “I’ll take you whenever you want to go, if you don’t want that, I can drop you off on the next corner!”. Now that’s what’s getting on an unwanted email list feels like, if you ask me.

Anyway, those are minor things, which fortunately did not diminish the good value of the book itself for me. What I really liked about the book is the practical advice the author has given, taking an imaginary small business as a case study. Too many books on the Internet marketing give a too abstract advice, that’s difficult to apply to the reality. “Choose the right keyphrases”, “implement good site navigation”, “start a blog”, all that sounds well in theory, but when it comes down to the reality, the question “how do I apply that to my particular situation, to my specific business?” often remains hard to answer. What the author of “Conversation marketing” did, he illustrated the advice he was giving by applying it to the specific situation of a specific small business, step by step, taking it from a regular “brick and walls” business to a business with strong Internet presence, and solid Internet strategy for the future.

The author does not go into the technical details too deeply, and that’s probably why the book turned out so thin in the end. But that’s a good thing, in my opinion: you don’t need to allocate a lot of time for reading it, just a few hours would be enough. Of course, when you start applying the advice to your own business and web site, you will want to revisit the pages, to make sure you’re not missing anything.

To summarize, if you are looking for a good review of the current state of the art and practical advice on doing business on the Internet, get this book. (Just ignore the analogies it has or come up with your own :-) )

Post from: softblog.com

A book review: “Conversation Marketing” by Ian Lurie

The problem, of course, is the icon cache: turns out that Windows keeps each icon in its memory (the icon cache), and when it needs to draw the icon, it uses the copy from the cache rather than retrieving the icon image from the original application file. It makes Windows draw the icons faster, but the negative side effect is the inability of Windows to detect the change of the icon.

The naïve approach to this problem seems to be to delete the icon cache, and thus force Windows to recreate it from scratch. Browsing the user profile folder (such as C:\Users\Username on Vista, or C:\Documents and Settings\Username on XP) reveals the file named suspiciously IconCache.db (located in the subfolder AppData/Local on Vista or Local Settings\Application Data on XP. Note that this file usually has the SYSTEM and HIDDEN attributes, so you may need to change your Windows folder settings to see this file). However, deleting this file causes no effect: Windows keeps displaying the old icon. (Which is not very surprising, because the very fact that Windows did not stop us from deleting this file kind of tells us that the file was not in use by Windows). Even restarting the computer does not help: Windows simply recreates the IconCache.db file with the old icon in it, and keeps displaying the old icon!

Nevertheless, it is possible to delete the icon cache and force Windows to rebuild it. Turns out, Windows recreates the IconCache.db file when the user logs off from his or her account. When the user logs back on, Windows loads the IconCache.db file back intro its memory. This gives us the idea when could be the proper time to delete the IconCache.db file: when the user is logged off. But how to delete the file if the user is not logged on and there is no way to start Windows Explorer or some other file management tool (such as my AB Commander, sorry for the plug, couldn’t resist :-) ) Easy: log in to another user account (such as the administrator’s one) and delete the IconCache.db file that exists in your own profile (you do use separate accounts for the day-to-day work and for the administrative tasks, do you?) Another way is to log off from your account and then connect to your computer from another computer on your LAN (you do have both a desktop and a laptop, do you? And they can talk to each other over the local network, can they? If not, what are you doing reading this blog? Just kidding…) Anyway, from another networked computer navigate to your profile over the network, delete IconCache.db, then go back to the first computer and log back into your account. This time Windows will recreate its cache and start displaying the new icon.

Post from: softblog.com

Quick and dirty way of cleaning the Windows icon cache

The problem was, when I opened the Network folder on the Vista computer, I could see all other computers on the same LAN, as it was supposed to be. However, an attempt to open any of them would either present me with a login box (and no user name and password I tried would let me connect to that computer), or an error message would appear saying “Windows cannot access \\DEV. Check the spelling of the name…”, (where DEV is another computer on the LAN running XP) with the error code 0×80070035 “The network path was not found”. Pressing the Diagnose button would result in the message “DEV is not a valid host name”. Which kind of did not make sense because DEV did show up in the Network folder.

I’ve spent a couple of hours googling around and trying every troubleshooting suggestion I could find, like:

• Is the name of the workroup correct?
• If Network discovery and File sharing enabled?
• Is there something to share from the Vista computer (like a folder on its hard drive)?
• Does turning the firewall temporarily off make a difference?
• Does rebooting the Vista computer help?

Nothing helped, the Vista computer could not connect to others. After googling some more, I’ve found the solution. (Ironically, it’s a suggestion for the Linux users, but it worked for me, too):

1. Open the Local Security Policy console (it’s on the Start - Administrative Tools menu)
2. Navigate to Local Policy - Security Options
3. Locate the entry named “Network security: LAN Manager authentication level”
4. Change the value to “Send LM and NTLM responses”

After I did that, the Vista computer magically started to recognize the presence of other computers and connect to them, just like XP computers always did.

What exactly did the policy change do? It allowed Vista to use a less strong network authentication protocol. Why was it necessary? Apparently, my router (Buffalo AirStation) that runs a variation of Linux, does not provide full support for the NTLM authentication. It is it dangerous to allow the LM responses? It would be dangerous if I allowed unknown persons to plug into my LAN and eavesdrop on the traffic (by doing that they could recover my Windows password), but no one but me is connecting to my LAN. I have to make a note to myself: when I upgrade the router, I need to try to turn off the LM responses on all computers and see if my network would work OK.

Hope this helps someone.

Update: (September 8, 2008)

If you have one of the Home editions of Vista that doesn’t come with the Local Security Policy tool, you can change this policy manually with the Registry Editor: navigate to the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa, and set the REG_DWORD value named LmCompatibilityLevel to 0. This is equivalent to setting the “Send LM and NTLM responses” value as described above.

Post from: softblog.com

Making Vista play nice with XP on a network

Anyway, today I’ll write about a neat way of creating a “shared” clipboard on your LAN, to be able to quickly send pieces of text between computers just as easily as pressing Ctrl+C and Ctrl+V.

Not sure what I mean? Suppose you have several computers connected into a LAN, and you need to copy some text on one computer and paste into another, how would you do it? For instance, most of the time I browse the Internet with my laptop. If I encounter a download link to an interesting program, I want to try it, but I don’t want to install it on the laptop itself (I’m very selective about what gets installed where), I want to download it to my test computer and try it out there first. So I need to copy the web address from the web browser running on the laptop, and paste that address into the web browser running on the test computer. If it were the same computer, the procedure would be extremely easy: Ctrl+C, then Ctrl+V, and that’s all. But if I do Ctrl+C on one computer and then Ctrl+V on another one, it does not work the way I want, because the second computer has its own clipboard, independent of the clipboard the first computer has.

To solve this problem, I need to create a “shared” clipboard. In the past I used a little utility called Netclip, that did that for me: it used a shared folder as the storage for the shared clipboard, and whenever I wanted to copy something across the network, I would press Ctrl+Alt+C, to copy, and then moved to the second computer, pressed Ctrl+Alt+V there, and that would paste the result there. It worked well for years, but then Vista came along, and Netclip stopped working with it (and it did not seem like the Netclip developers were around anymore to release a new Vista-compatible version). So I started searching for a replacement, and tried a few other similar utilities, claiming the ability to share the clipboard between several computers. Unfortunately, none of them worked well.

Finally, some time ago I encountered a free tool called AutoHotkey (it’s a pity I did not discover it earlier, it would have saved me quite a lot of keystokes). In a nutshell, Aut0Hotkey enables you to create scripts to be executed when certain keys are pressed. There are plenty of examples at their web site of the scripts doing a lot of different things, check it out!

One of the first things I tried with AutoHotkey was to write a script that would emulate the functionality of the Netclip utility.The idea was as follows: I would set up a shared folder on one my computers that is turned on most of the time. Then I would set up two hot keys, one (Win+C) to copy whatever was currently selected to a file located in the shared folder, and the second key (Win+V) to read information from that file, and paste it into the clipboard.

After looking into the sample AutoHotkey scripts, I came up with the following script to emulate Netclip:

--- begin netclip.ahk ----

path := "\\your_computer\your_shared_folder\netclip.txt"

#C:: ; Win+C

AutoTrim Off  ; Retain any leading and trailing whitespace on the clipboard.

FileDelete, %path%

if (ErrorLevel > 0 ) ; could not delete the file
{
 MsgBox FileDelete failed for %path%
 return
}

Send ^c	; copy whatever it is to the clipboard

FileAppend, %ClipboardAll%, %path%

if (ErrorLevel > 0 ) ; could not write the file
{
 MsgBox FileAppend failed for %path%
 return
}
return

#V::	; Win+V

FileRead, Clipboard, *c %path%

if (ErrorLevel > 0 ) ; could not read the file
{
 MsgBox FileRead failed for %path%
 return
}

Send ^v	; paste whatever it is from the clipboard

return

--- end netclip.ahk ----

To use this script, copy the code between the dashed lines and save it to a text file named netclip.ahk (or whatever you want to name it, but keep its extension .ahk). The only thing that you need to modify in the script is the variable path that contains the location of the shared file to be used for the storage, at the very top of the script. Make sure the shared folder you use for storage is writable from other computers on your LAN.

If you have not done it yet, install AutoHotkey on each computer, and copy the script to each computer, too  (or put it into the shared folder itself). Create a shortcut to the script, and use it whenever you want to activate the shared clipboard. If you want it to be always active, add the shortcut to your Programs - Startup folder.
Now, whenever you want to copy some text to the shared clipboard, select it just as you would for the regular copy, but instead of Ctrl+C press Win+C. To paste it into another computer, go to that computer and instead of the usual Ctrt+V press Win+V. Yes, it’s that easy :-)

It works well for me, I hope it will work just as well for you, too. Happy copy-pasting, bye till next time. I’m off to finish my new product (stay tuned!).

Post from: softblog.com

How to create a shared clipboard and copy and paste text between computers with ease

The service was (and still is as of this writing) in a beta phase, so I expected a few hiccups now and then. To my surprise,the setup went rather smooth: after providing my login details to various bank and credit card accounts, Mint.com downloaded the transaction history for those accounts, and I could see my financial picture in one place. I liked it! When a new credit card bill became available, Mint.com would display a notification both on the online dashboard, and it would also send me an email message. That was the most useful feature of Mint.com for me, that would allow me to free myself from the regular routine of going through the bills every few days and checking their due dates. With Mint.com, I could just wait for an email notification to arrive, and when it did, I would open that online account directly, paid the bill, and forget about it till the next notification.

Well, a few minor hiccups did happen during the few months I was trying it. For example, it was supposed to automatically download the new transactions from my accounts at least once a day, but sometimes it would not update the history for 3 or 4 days. That was easy to fix by pressing the Update button on the Mint.com dashboard and force it to download the latest transactions. Sometimes it would characterize the transactions inaccurately (for example, it described payments for the web hosting service as travel expense). However, those were the minor things, and the primary function of Mint.com that I liked the most (keeping track of the credit card bills) seemed to work well.

Until last week.

Two new credit card bills arrived a few days ago and I was unpleasantly surprised to see the LATE FEE lines on each of them. Turns out Mint.com did not send me any notifications about them, even though I checked its dashboard almost daily. Now I’m stuck with two missed credit payments. Sigh…

I guess, the moral of this story is, I should not had trusted such an important procedure as keeping track of the credit card bills to a service in beta. For now, I’m going to close my Mint.com account, and set up the email notifications with each credit card company directly. Maybe I’ll give Mint.com another try when they end the beta period and start doing business “for real”.

I hope this story will help someone be more careful when trusting credit card bill payments to the third-party services.

Post from: softblog.com

Giving Mint.com a try

Version 2.1 (Updated 2008-Feb-24)

While porting our applications to Windows Vista, we had to overcome quite a few challenges related to the new security features of Vista (such as the User Account Control). We decided to make public several functions we’ve developed, to make it easier for other developers to solve such problems, too.

The functions we’ve developed are written in C++ (using Microsoft Visual Studio 2005), and packaged in the file VistaTools.cxx. Please note:

THIS CODE AND INFORMATION IS PROVIDED “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE.

TERMS OF USE: You are free to use this file in any way you like, for both the commercial and non-commercial purposes, royalty-free, AS LONG AS you agree with the warranty disclaimer above, EXCEPT that you may not remove or modify the warranty statement and the copyright notice the file contains.

The file VistaTools.cxx contains the following functions:

BOOL IsVista();

Use IsVista() to determine whether the current process is running under Windows Vista (or a later version of Windows, whatever it will be).

Return Values:

If the function succeeds, and the current version of Windows is Vista or later, the return value is TRUE.

If the function fails, or if the current version of Windows is older than Vista (that is, if it is Windows XP, Windows 2000, Windows Server 2003, Windows 98, etc.) the return value is FALSE.

BOOL IsWow64();

Use IsWow64() to determine whether the current 32-bit process is running under 64-bit Windows (Vista or XP).

Return Values:

If the function succeeds, and the current version of Windows is x64, the return value is TRUE.

If the function fails, or if the current version of Windows is 32-bit, the return value is FALSE.

NOTE: While this function is not Vista specific (it works under XP as well), we include it here to be able to prevent execution of the 32-bit code under 64-bit Windows, when required.

HRESULT
GetElevationType( __out TOKEN_ELEVATION_TYPE * ptet );

Use GetElevationType() to determine the elevation type of the current process.

Parameters:

ptet - [out] Pointer to a variable that receives the elevation type of the current process.

The possible values are:

TokenElevationTypeDefault - User is not using a “split” token. This value indicates that either UAC is disabled, or the process is started by a standard user (not a member of the Administrators group).

The following two values can be returned only if both the UAC is enabled and the user is a member of the Administrator’s group (that is, the user has a “split” token):

TokenElevationTypeFull - the process is running elevated.

TokenElevationTypeLimited - the process is not running elevated.

Return Values:

If the function succeeds, the return value is S_OK. If the function fails, the return value is E_FAIL. To get extended error information, call GetLastError().

HRESULT
IsElevated( __out_opt BOOL * pbElevated = NULL );

Use IsElevated() to determine whether the current process is elevated or not.

Parameters:

pbElevated - [out] [optional] Pointer to a BOOL variable that, if non-NULL, receives the result.

The possible values are:

TRUE - the current process is elevated. This value indicates that either UAC is enabled, and the process was elevated by the administrator, or that UAC is disabled and the process was started by a user who is a member of the Administrators group.

FALSE - the current process is not elevated (limited). This value indicates that either UAC is enabled, and the process was started normally, without the elevation, or that UAC is disabled and the process was started by a standard user.

Return Values

If the function succeeds, and the current process is elevated, the return value is S_OK. If the function succeeds, and the current process is not elevated, the return value is S_FALSE. If the function fails, the return value is E_FAIL. To get extended error information, call GetLastError().

BOOL
RunElevated(
__in HWND hwnd,
__in LPCTSTR pszPath,
__in_opt LPCTSTR pszParameters = NULL,
__in_opt LPCTSTR pszDirectory = NULL );

Use RunElevated() to start an elevated process. This function calls ShellExecEx() with the verb “runas” to start the elevated process.

Parameters:

hwnd - [in] Window handle to any message boxes that the system might produce while executing this function.

pszPath -[in] Address of a null-terminated string that specifies the name of the executable file that should be used to start the process.

pszParameters - [in] [optional] Address of a null-terminated string that contains the command-line parameters for the process. If NULL, no parameters are passed to the process.

pszDirectory - [in] [optional] Address of a null-terminated string that specifies the name of the working directory. If NULL, the current directory is used as the working directory.

Return Values

If the function succeeds, the return value is TRUE. If the function fails, the return value is FALSE. To get extended error information, call GetLastError().

NOTE: This function will start a process elevated no matter which attribute (asInvoker, highestAvailable, or requireAdministrator) is specified in its manifest, and even if there is no such attribute at all.

BOOL
RunNonElevated(
__in HWND hwnd,
__in LPCTSTR pszPath,
__in_opt LPCTSTR pszParameters = NULL,
__in_opt LPCTSTR pszDirectory = NULL );

Use RunNonElevated() to start a non-elevated process. If the current process is not elevated, it calls ShellExecuteEx() to start the new process. If the current process is elevated, it injects itself into the (non-elevated) shell process, and starts a non-elevated process from there.

Parameters:

hwnd - [in] Window handle to any message boxes that the system might produce while executing this function.

pszPath - [in] Address of a null-terminated string that specifies the executable file that should be used to start the process.

pszParameters - [in] [optional] Address of a null-terminated string that contains the command-line parameters for the process. If NULL, no parameters are passed to the process.

pszDirectory - [in] [optional] Address of a null-terminated string that specifies the name of the working directory. If NULL, the current directory is used as the working directory.

Return Values

If the function succeeds, the return value is TRUE. If the function fails, the return value is FALSE. To get extended error information, call GetLastError().

NOTE: For this function to work, the application must be marked with the asInvoker or highestAvailable attributes in its manifest. If the executable to be started is marked as requireAdministrator, it will be started elevated!

How to use the file VistaTools.cxx

Make sure you have the latest Windows SDK (see msdn.microsoft.com for more information) or this file may not compile!

This file contains the Win32 stuff only, it can be used with or without other frameworks, such as MFC, ATL, etc.

This is a “combo” file that contains both the declarations (usually placed in the .h files) as well as the definitions (usually placed in the .cpp files) of the functions. To get the declarations only, include it as you would any .h file. To get both the declarations and definitions, define IMPLEMENT_VISTA_TOOLS before including the file. (The latter should be done once and only once per project).

For example, to use this file in a MFC project, create a file MyVistaTools.cpp that contains the following:

#include “StdAfx.h”

#define IMPLEMENT_VISTA_TOOLS
#include “VistaTools.cxx”

This would make MyVistaTools.cpp the implementation file of the VistaTools function for your project. Don’t forget to add MyVistaTools.cpp to your project! You can add VistaTools.cxx to your project, as well, but it should be excluded from the build, because its contents is compiled when it is included in MyVistaTools.cpp file with IMPLEMENT_VISTA_TOOLS defined, as shown above.

In other files of your project, where you need to use the functions declared in VistaTools.cxx, include it without defining IMPLEMENT_VISTA_TOOLS, just as you would include a .h file:

#include “VistaTools.cxx”

To use the function RunNonElevated(), this file must be compiled into a DLL. In such a case, define DLL_EXPORTS when compiling the DLL, and do not define DLL_EXPORTS when compiling the projects linking to the DLL.

If you don’t need to use RunNonElevated(), then this file may be a part of an EXE project. In such a case, define DONTWANT_RunNonElevated and NO_DLL_IMPORTS to make this file compile properly.

For an example of using VistaTools.cxx in a real project, see VistaElevator 2.0.

How do I download the file VistaTools.cxx?

Simply right-click on the link below and choose the Save target as command (or similar) to save it to your hard drive:

Download VistaTools.cxx

If you use this file in your own project, an acknowledgment will be appreciated, although it’s not required.

Enjoy!

Post from: softblog.com

Vista tools