Windows Internals

Installing a software that includes a driver may leave your system in an inconsistent state. If the install fails, parts may remain on the system. And if the remaining part is a driver, I get nervous - drivers are not the kind of stuff I want to have lingering around my system’s memory. Here is a way of identifying when a driver actually got installed.

This article describes a bug that dramatically reduces file copy performance on Windows systems. I cannot provide a fix (not having access to the Windows source code), but I have found a workaround.

Sometimes it is necessary to export/import data from or into the registry for some sort of additional processing. To this end, often regedit is used to create .REG files, which store a human-readable text interpretation of the registry content. .REG files can be edited easily with any capable text editor (even Notepad), and thus are a common way of making a collection of settings available to others. By the way, importing a .REG file’s data silently is done with the following command:

Commenter Lee asked how ACLs are evaluated when an object has multiple hard links. I replied with comments of my own, which turned out to be wrong after I did some experiments. Here is what I found out about hard link permissions and believe to be true.

This is an attempt at demystification. In the Windows world, links in the file system are often regarded as obscure, except for the infamous .LNK files, of course. But file system links are neither freaky UNIX/Linux command line stuff, nor are they new: Microsoft’s OS offers two types of links since Windows 2000 and a third type since Vista/Server 2008. And boy, can they come in handy!

If you are not tired of print spooler crashes then this article is not for you. If you are, you may find a new feature of the upcoming next version of Windows interesting: printer driver isolation.

Updated: 2021-06-22 Every object that can have a security descriptor (SD) is a securable object that may be protected by permissions. All named and several unnamed Windows objects are securable and can have SDs, although this is not widely known. There does not even exist a GUI for manipulating the SDs of many object types! Have you ever tried to kill a system process in Task Manager and got the message “Access denied”? This is due to the fact that this process’ SD does not allow even administrators to kill the process. But it is, of course, possible, as an administrator, to obtain the necessary permissions, provided a GUI or some other tool is available.

Ever wondered what lies beneath the covers of Protected Mode Internet Explorer? Short answer, long explanation: mandatory integrity control (MIC). Recap: Mandatory Integrity Control During the development of Vista the developers at Microsoft felt that the traditional ACL-based mechanism to control access to system resources was not enough. The ACL model grants all processes run by a user specific permissions on system resources like files and registry keys. While this is a powerful thing and well-suited for “normal” applications, programs like Internet Explorer are under much heavier attack by malware than, say, your average text editor. Once an IE process has been corrupted by exploiting a security hole, the attacking software can write to any location on the system the currently logged on user has access to. Not good.

It is a common practice amongst administrators to disable the creation of short filenames on NTFS. I freely admit to have recommended this in the past. Was I wrong? Background

Recently a colleague of mine had a problem: by mistake he had deleted part of the software registry hive (HKLM\Software) of his Vista machine while trying out some code. When he asked me for help my first thought was to go back to the last System Restore point. But that seemed a bit harsh. It would have restored the registry settings in question. But not only that: System Restore not only captures and restores every single file in the windows directory, it also does that same for a lengthy list of file types on all volumes for which System Restore is enabled.