
Troubleshooting


In Vista, How Does the FLAGS Switch of REG.EXE Work?

Note: this content is originally from http://mygreenpaste.blogspot.com. If you are reading it from some other site, please take the time to visit My Green Paste, Inc. Thank you.


A while back, there was a topic (Virtual Registry vs. "Real registry") in the Sysinternals Forums that brought up the question of how to set the virtualization-related flags of a registry key programmatically in Vista, rather than through the use of the REG.EXE tool's FLAGS switch. (For more information on the flags, see Mark Russinovich's article in TechNet Magazine, "Inside Windows Vista User Account Control"). Even before that topic in the forum, I had wondered how it was done but had not had a chance to explore. It didn't seem that many others were curious about it. That topic had resurrected the idea, but it quickly fell to the bottom of the list. I've finally gotten around to experimenting, and that leads to this write-up. I still don't see much in the way of this discussed anywhere, by searching for terms involved (data types, function param names, etc.), so hopefully this will help someone. (Keep in mind that there very well may be a reason Microsoft hasn't made this available through another, more direct API.)


In the referenced topic, I had gotten so far as determining that REG.EXE was doing its work through the use of NtSetInformationKey, an "undocumented" API in NTDLL.DLL.


NTSYSAPI
NTSTATUS
NTAPI
NtSetInformationKey(
    IN HANDLE KeyHandle,
    IN KEY_SET_INFORMATION_CLASS InformationClass,
    IN PVOID KeyInformationData,
    IN ULONG DataLength );


After a bit of plonking around in WinDbg, I've come up with the following details. REG.EXE calls NtSetInformationKey, specifying a value of 2 for the InformationClass parameter. This parameter is of type KEY_SET_INFORMATION_CLASS, which wdm.h tells us is an enum:


typedef enum _KEY_SET_INFORMATION_CLASS {
    KeyWriteTimeInformation,
    KeyWow64FlagsInformation,
    KeyControlFlagsInformation,
    KeySetVirtualizationInformation,
    KeySetDebugInformation,
    MaxKeySetInfoClass // MaxKeySetInfoClass should always be the last enum
} KEY_SET_INFORMATION_CLASS;


So the 2 for the InformationClass parameter would correspond to KeyControlFlagsInformation. WDM.H also suggests that this class has a type that one passes for the KeyInformationData parameter - KEY_CONTROL_FLAGS_INFORMATION:


typedef struct _KEY_CONTROL_FLAGS_INFORMATION {
    ULONG ControlFlags;
} KEY_CONTROL_FLAGS_INFORMATION, *PKEY_CONTROL_FLAGS_INFORMATION;


We have a basic idea of how to call NtSetInformationKey now. But what are the values that the ControlFlags member of KEY_CONTROL_FLAGS_INFORMATION can be set to? It would appear that the following (self-made) enum covers the pertinent flags - at least the ones REG.EXE FLAGS can handle (there may be more):


typedef enum _CONTROL_FLAGS {
    RegKeyClearFlags = 0,
    RegKeyDontVirtualize = 2,
    RegKeyDontSilentFail = 4,
    RegKeyRecurseFlag = 8
} CONTROL_FLAGS;


The control flags are a bitmask, so you can OR them to set more than one.


Now that we have this information, what's left? We need to put it all together in a call to NtSetInformationKey. So, we need to get a pointer to the function in NTDLL.DLL. Then we can declare a struct of type KEY_CONTROL_FLAGS_INFORMATION, set the ControlFlags member to what we wish, and open a handle to the desired key in the registry that can be passed to NtSetInformationKey. In the end, we wind up with something like the following (error handling has been omitted):


// Function-pointer type matching the NtSetInformationKey prototype above
typedef NTSYSAPI NTSTATUS (NTAPI* FuncNtSetInformationKey) (
    HANDLE KeyHandle,
    KEY_SET_INFORMATION_CLASS InformationClass,
    PVOID KeyInformationData,
    ULONG DataLength );
//...
// Resolve the undocumented export at run time (NTDLL.DLL is already loaded in every process)
FuncNtSetInformationKey ntsik = (FuncNtSetInformationKey)GetProcAddress(
    GetModuleHandle( _T("ntdll.dll") ), "NtSetInformationKey" );
KEY_CONTROL_FLAGS_INFORMATION kcfi = {0};
kcfi.ControlFlags = RegKeyDontVirtualize | RegKeyRecurseFlag;   // OR the bitmask flags together
HKEY hTheKey = NULL;
RegOpenKeyEx( HKEY_LOCAL_MACHINE, _T("SOFTWARE\\Whatever"), 0, KEY_ALL_ACCESS, &hTheKey );
// InformationClass 2 == KeyControlFlagsInformation; DataLength is the size of the struct
ntsik( hTheKey, KeyControlFlagsInformation, &kcfi, sizeof( KEY_CONTROL_FLAGS_INFORMATION ) );
RegCloseKey( hTheKey );
hTheKey = NULL;



The code above is the equivalent of invoking REG.EXE FLAGS HKLM\Software\Whatever SET DONT_VIRTUALIZE RECURSE_FLAGS. To clear the flags, just set kcfi.ControlFlags to RegKeyClearFlags (same as REG.EXE FLAGS HKLM\Software\Whatever SET).
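Added example (my code, not the post's): the same NtSetInformationKey call wrapped with error checks, plus a portable helper that maps the REG.EXE FLAGS keywords (DONT_VIRTUALIZE, DONT_SILENT_FAIL, RECURSE_FLAGS) to the ControlFlags bitmask. The function names, the KEY_WRITE access right and the local redeclaration of the wdm.h types are assumptions; the Win32 part is #ifdef-guarded so the keyword helper builds on any C compiler.

```c
/* Added example, not the post's code: checked NtSetInformationKey wrapper + portable REG.EXE FLAGS keyword mapper. */
#include <ctype.h>
#include <string.h>
typedef enum _CONTROL_FLAGS {            /* values taken from the post */
    RegKeyClearFlags     = 0,
    RegKeyDontVirtualize = 2,
    RegKeyDontSilentFail = 4,
    RegKeyRecurseFlag    = 8
} CONTROL_FLAGS;
/* "DONT_VIRTUALIZE RECURSE_FLAGS" -> 10; "" (a bare SET) -> 0; unknown keyword -> -1.
 * Case is ignored; RECURSE_FLAG (as REG /? spells it) and the post's RECURSE_FLAGS both work. */
long ControlFlagsFromKeywords(const char *keywords)
{
    static const struct { const char *name; unsigned long bit; } map[] = {
        { "DONT_VIRTUALIZE",  RegKeyDontVirtualize },
        { "DONT_SILENT_FAIL", RegKeyDontSilentFail },
        { "RECURSE_FLAG",     RegKeyRecurseFlag },
        { "RECURSE_FLAGS",    RegKeyRecurseFlag },
    };
    char buf[256];
    unsigned long flags = RegKeyClearFlags;
    if (strlen(keywords) >= sizeof buf) return -1;   /* refuse oversized input */
    strcpy(buf, keywords);                           /* strtok needs a writable copy */
    for (char *tok = strtok(buf, " "); tok; tok = strtok(NULL, " ")) {
        int found = 0;
        for (char *p = tok; *p; p++) *p = (char)toupper((unsigned char)*p);
        for (size_t i = 0; i < sizeof map / sizeof map[0]; i++)
            if (strcmp(tok, map[i].name) == 0) { flags |= map[i].bit; found = 1; }
        if (!found) return -1;   /* reject typos instead of silently clearing flags */
    }
    return (long)flags;
}
#ifdef _WIN32
#include <windows.h>
typedef struct { ULONG ControlFlags; } KEY_CONTROL_FLAGS_INFORMATION; /* local: not in windows.h */
enum { KeyControlFlagsInformation = 2 };  /* the KEY_SET_INFORMATION_CLASS value REG.EXE uses */
typedef LONG (NTAPI *FuncNtSetInformationKey)(HANDLE, ULONG, PVOID, ULONG);
/* Equivalent of "REG FLAGS <root>\<subkey> SET <keywords>". Returns 0 on success, else
 * a Win32 error (lookup/open failed) or the NTSTATUS from NtSetInformationKey.
 * KEY_WRITE in place of the post's KEY_ALL_ACCESS is an assumption. */
LONG SetKeyControlFlags(HKEY root, LPCWSTR subkey, unsigned long flags)
{
    HMODULE ntdll = GetModuleHandleW(L"ntdll.dll");
    FuncNtSetInformationKey ntsik = ntdll ? (FuncNtSetInformationKey)
        GetProcAddress(ntdll, "NtSetInformationKey") : NULL;
    KEY_CONTROL_FLAGS_INFORMATION kcfi = { (ULONG)flags };
    HKEY hKey = NULL; LONG rc;
    if (!ntsik) return (LONG)GetLastError();
    rc = RegOpenKeyExW(root, subkey, 0, KEY_WRITE, &hKey);
    if (rc != ERROR_SUCCESS) return rc;
    rc = ntsik((HANDLE)hKey, KeyControlFlagsInformation, &kcfi, sizeof kcfi);
    RegCloseKey(hKey);
    return rc;
}
#endif
```

On Windows, after checking that the helper did not return -1, SetKeyControlFlags(HKEY_LOCAL_MACHINE, L"SOFTWARE\\Whatever", flags) is the checked equivalent of the REG.EXE line above; a non-zero return tells you which step failed instead of silently doing nothing.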

Hopefully, this will prove useful to those who have wished to set these flags programmatically. In a future post, I hope to explore querying for these flags, à la REG.EXE FLAGS HKLM\Software\Whatever QUERY.


Note that this exploration was done on Windows Vista SP1. I would expect the content here to also apply to Windows Vista (no SP) as well as Windows Server 2008, but...

Written by «/\/\Ø|ö±ò\/»®© on April 27th, 2008 with no comments.

My Answer to “Microsoft Advanced Windows Debugging and Troubleshooting” Puzzler 3


Previously, I had written about the puzzlers on the NTDebugging / Microsoft Advanced Windows Debugging and Troubleshooting blog - specifically, the most recent puzzler which involved reverse engineering some assembler. The answer was posted today - there were a lot of responses, and a lot of correct responses.

I had posted the hashes for my answer (which was correct), that I am now able to disclose...

#include <string.h>

/* Bubble sort of the string's bytes in place (the C-ified version of the puzzler's assembler) */
void myfun( char* param1 )
{
    size_t local1 = strlen( param1 );
    for( int local2 = local1; local2 > 0; local2-- )
    {
        for( int local3 = 0; local3 < local2 - 1; local3++ )
        {
            if( *(param1+local3) > *(param1+local3+1) )
            {
                char local4 = *(param1+local3);
                *(param1+local3) = *(param1+local3+1);
                *(param1+local3+1) = local4;
            }
        }
    }
}

Written by «/\/\Ø|ö±ò\/»®© on April 25th, 2008 with no comments.

Microsoft Advanced Windows Debugging and Troubleshooting Puzzlers


Over on the Microsoft Advanced Windows Debugging and Troubleshooting blog, they've been posting a "Puzzler" every Monday and providing the answers the following Friday.

The puzzlers are fun to participate in and it is interesting to read people's responses - everyone has their own ideas and own experiences to draw off of.

With the third puzzler, the blog authors have decided to make the challenge a bit more difficult - the latest puzzler requires one to reverse engineer some assembler.

I've not got much experience with reverse engineering assembler - I can read some assembler and can usually get a very basic idea of what a targeted chunk of code is doing. So it was an interesting challenge for me to attempt to C-ify the assembler they provided. It doesn't appear that the authors are posting the responses until they reveal the answer (makes sense to me!). But I thought I'd post hashes of my response, which I'll also post once the NT Debugging blog authors post the answer and submitted comments / responses.

From Sigcheck:


Z:\NTDebuggingPuzzler3>sigcheck -h TheFunc.txt

Sigcheck v1.52
Copyright (C) 2004-2008 Mark Russinovich
Sysinternals - www.sysinternals.com

Z:\NTDebuggingPuzzler3\TheFunc.txt:
Verified: Unsigned
File date: 12:52 PM 4/22/2008
Publisher: n/a
Description: n/a
Product: n/a
Version: n/a
File version: n/a
MD5: 755394f9711b80968f17c8ffcb8f2394
SHA1: e8443f09eef43f2575aa08ba25f68267dba7243e
SHA256: 0e044419ef78f2fa7a8e258098f4f658426a8dc3e8a5b9a121a352c2dbbbfafc


EDIT 2008-04-24: The hashes are for the code that was submitted in my second response (not the entire response - just the code). In my first response, I inadvertently left some garbage in the code (an unnecessary / unused local I had been playing with) and I neglected to remove it before submitting. Not sure how it will all pan out when the comments / responses get posted tomorrow...

Written by «/\/\Ø|ö±ò\/»®© on April 24th, 2008 with no comments.

Generate a System Health Report in Windows Vista

In Windows Vista, users can have an extensive System Health Report generated for them to help troubleshoot performance and reliability issues on their PC, or to see how healthy their PC is in general. For the average user, this probably won’t mean much. But I’m the type of user that really likes having the ability to create reports that tell me about my PC, so I was really excited to find this ability in Windows Vista.

This evening I decided to generate a report on my main desktop PC for the first time and see what it says. To have a System Health Report generated:

  1. Open Start Menu.
  2. Right-click on “Computer” and click “Properties”.
  3. In the System Properties window, click on your Windows Experience Index rating.
  4. In the Performance Information and Tools window, under “Tasks” in the left-hand options pane click “Advanced Tools”.
  5. Under Advanced Tools window choose “Generate a system health report” at the bottom.

The report generates after about 60 seconds of testing. Here is my System Health Report I generated this evening:

As you can see, any errors or warnings for your system are displayed first, at the top of the report. You can see from my report that my HP Photosmart C5100 printer is disabled, which gives an error. This is because I recently switched my HP Photosmart C5100 from being connected to my PC via USB to being a network printer. I can ignore this error. Under warnings, my CPU was being consumed more than 50% by the EncoderUI.exe process. This is Microsoft Expression Encoder. I was encoding an HD video using Microsoft Expression Encoder at the time of running the System Health Report. Nothing to worry about there. Once the encoding was finished, I re-ran the report and my CPU usage dropped to an acceptable level.

In generating the System Health Report, a series of basic system and performance checks are completed. You can also check out your software and hardware configurations. The information in these tests is pretty detailed. Under Network and TCP, for example, you can see outbound and inbound IP traffic from when the report was generated, or the exact amount of memory being used by processes.

You have the option to save your report as an HTML document if you would like. For me, if I need to save a report, I just print to an XPS document.

For folks using the latest version of Windows Live OneCare, you also have the ability to pull up monthly reports displaying information on PC scans, your monthly subscription, and firewall protection. By default, after a monthly tune-up is run your monthly report is displayed.

Written by Brandon LeBlanc on December 17th, 2007 with no comments.

Giving the Microsoft Diagnostic and Recovery Toolset (DaRT) a Try

Today, Nick told you about some updates to the tools in the Microsoft Desktop Optimization Pack (MDOP) from Barcelona, Spain at TechEd IT Forum. I recently had a chance to give one of the components of MDOP - the Microsoft Diagnostic and Recovery Toolset (DaRT) 6.0 - a try. DaRT is an excellent set of tools for IT Professionals to troubleshoot unresponsive PCs and remove viruses and malware from infected PCs in their environment. DaRT 6.0 also now gives IT Professionals the ability to conduct offline removal of malware and viruses from infected PCs.

The first thing I noticed when I started using DaRT is that it provides two options to the IT Professional: a way to analyze crash files from unresponsive PCs through the Crash Analysis Wizard, and ERD Commander, a way to create a startup disc with the tools needed to fix an unresponsive PC that is unable to boot into Windows.

I first took a look at the Crash Analysis Wizard.

The Crash Analysis Wizard allows an IT Professional to take a crash dump file (*.dmp files associated with a system crash), analyze it, and get important bits of information that could help figure out why a PC is crashing. I dug up an old .dmp file from a crash a long time ago to run through the Crash Analysis Wizard. The Crash Analysis Wizard requires the Microsoft Debugging Tools for Windows as a prerequisite, so before proceeding to analyze my .dmp file, I had to install that first. I was also able to specify any Symbol files I had. I had no Symbols to provide, so I skipped to choosing the specific .dmp file I wanted to analyze.

Once I chose the .dmp file, I clicked Next and the analysis commenced. The analysis finished in about a minute and brought up a new screen telling me what was probably the cause of the crash as well as when the crash originally occurred.

If I wanted, I could view the full details of the crash as well. The .dmp file I used for this was from June 20th and was in fact due to a graphics driver issue. The graphics driver issue was corrected after updating to the latest video driver.

I then proceeded to check out ERD Commander.

ERD Commander lets you create a startup image. That startup image can then be burned to a CD that you can boot from to repair PCs that do not function. I went through the process, via the ERD Commander Wizard, of creating my own startup disc. To create a startup disc, I was required to provide a Windows Vista DVD to create the boot image.

After choosing the Windows Vista Ultimate DVD in my DVD drive and clicking Next, the Wizard told me it was about to extract the files necessary to create a boot image and that it might take a few minutes. For me, it barely took a minute to extract the files. Once the extraction of the files was complete, the wizard brought me to a new screen offering a choice of tools I could add to the startup disc.

I went ahead and chose all of the tools. You are given the choice of the following tools for your startup disc:

  • Computer Management
  • Crash Analyzer
  • Disk Commander
  • Disk Wipe
  • Explorer
  • File Restore
  • Hotfix Uninstall
  • Locksmith
  • Registry Editor
  • Solution Wizard
  • Standalone System Sweeper
  • System File Repair
  • TCP/IP Configuration

Having chosen all of the tools, I proceeded to the next step: providing any .inf files for specific devices I would need to install drivers for (*.inf files are device driver files). At this point I didn’t have any specific drivers I wanted to include on my startup disc, as I was looking to create a generic disc. I was then asked to include any additional files, of which I had none, and then to create the disc. ERD Commander creates the startup disc image as an .iso file.

To my surprise, after the .iso image was created, ERD Commander asked me if I would like to burn that .iso image to a CD. ERD Commander allows you to burn the disc directly. I was thinking I would have to use a third-party image-burning tool to burn my startup disc image. This was a very cool surprise perk (a feature I think IT Pros will appreciate as well).

At the end of the Wizard, my startup disc was created as well as an .iso of the disc so I can re-burn the disc and create more if needed at a later date.

To test my new startup disc, I fired up Windows Vista in Virtual PC 2007 and booted off my new startup disc. When I did this, it went into System Recovery (WinRE), which is built into Windows Vista; DaRT runs on top of WinRE (Windows Recovery Environment). As a matter of fact, WinRE has its own tools as well, and DaRT works with them in helping the IT Pro diagnose what is wrong and recover an unresponsive PC.

I was then able to choose the tools offered in DaRT (which were the tools I chose above) and was able to scan the PC for malware and much more.

After experiencing DaRT first hand, I believe it is a must-have for IT Professionals and offers a great set of tools to help them recover crashed PCs in their environment. DaRT 6.0 (announced today as part of MDOP) offers IT Professionals the ability to run these tools on a BitLocker-encrypted drive as well. Customers can learn more about DaRT on Microsoft.com.

Written by Brandon LeBlanc on November 12th, 2007 with no comments.

