Annoying Installation Options

As Peter Griffin would say "You know what really Grinds my Gears", I cannot stand annoying default installation options.  Today I installed Windows Live Writer, a great tool for blogging, but it just upset me during the installation.

Installation1

The "make Live Search my default search engine" option has come up on numerous occasions.  It would not be so bad, except it is always checked by default, encouraging the user to accept.  While it is a great marketing scheme, it is simply annoying when I miss it and have to go into my Internet Explorer preferences.  I do not want it, so stop asking!  During the same installation Microsoft had the concept right.

Installation2

Microsoft takes the correct approach here by giving the options and not marking them by default.  This problem is right up there with previous problems like not having an option to uninstall WMP and MSN Messenger, which are simply marketing schemes.  ARRRGH!


Posted by: kjsteuer
Posted on: 4/27/2008 at 11:38 AM

Protect your passwords - The SecureString Class

The SecureString class was created to hold sensitive information such as passwords, credit card numbers, SSNs, etc., and is located in the System.Security namespace.  It is an extra layer of security to keep prying eyes away on a compromised machine.

What is wrong with using the standard String class for secret information?

  • Strings are not encrypted - so anyone or anything (malware or viruses) that has access to your process memory can view the values
  • Strings are immutable - when a String is modified, a new String object is created, leaving two copies on the heap
  • Strings are not pinned - Garbage collection can move the String object around in memory
  • Strings cannot be scheduled for disposal

The SecureString class solves each of these:

  • The SecureString class is encrypted using DPAPI, the Data Protection API.  The problem with DPAPI is that it is platform dependent.  It is only included in Windows 2000 SP3 and later.
  • Only one instance of the SecureString object lives in memory
  • You can clear the object when finished and the memory is actually zeroed out
  • Provides a locking mechanism so other code cannot modify the object - MakeReadOnly method

Example (Console application):

Remember to import the System.Security namespace.  The Marshal class used below lives in System.Runtime.InteropServices, so import that as well.

        static void Main(string[] args)
        {
            SecureString secureString = new SecureString();

            //the following input code is from http://blogs.msdn.com/shawnfa/archive/2004/05/27/143254.aspx
            // get the first character of the password
            ConsoleKeyInfo nextKey = Console.ReadKey(true);

            while (nextKey.Key != ConsoleKey.Enter)
            {
                if (nextKey.Key == ConsoleKey.Backspace)
                {
                    if (secureString.Length > 0)
                    {
                        secureString.RemoveAt(secureString.Length - 1);

                        // erase the last * as well
                        Console.Write(nextKey.KeyChar);
                        Console.Write(" ");
                        Console.Write(nextKey.KeyChar);
                    }
                }
                else
                {
                    secureString.AppendChar(nextKey.KeyChar);
                    Console.Write("*");
                }

                nextKey = Console.ReadKey(true);
            }

            //set readonly
            secureString.MakeReadOnly();

            //need password again
            //decrypt
            IntPtr ptr = Marshal.SecureStringToBSTR(secureString);

            //retrieve string - unsecure
            Console.WriteLine(Marshal.PtrToStringBSTR(ptr));
     
            //zero out memory
            Marshal.ZeroFreeBSTR(ptr);
         
            //clear SecureString
            secureString.Dispose();
                    
        }

One thing to note is that once the MakeReadOnly method is called, the Clear method cannot be called; at this time you should use the Dispose method.  Once the SecureString is made read-only, it cannot be undone.

Some of you may be saying this isn't secure! You're right. The section where the pointer is written to the console is insecure because the SecureStringToBSTR method creates a String object, but this is just an example, not how it should be used.
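For contrast with the console demo above, here is an added example (not code from the original post) that compares two SecureString values through their unmanaged BSTR buffers, so no managed String holding the plaintext is ever created, and that zeroes the buffers in a finally block.  The class name, the AreEqual and FromChars helpers and the sample passwords are made up for the illustration.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security;

static class SecureStringCompare
{
    // Hypothetical helper: compares two SecureStrings without ever
    // building a managed System.String from either one.
    public static bool AreEqual(SecureString a, SecureString b)
    {
        if (a == null || b == null) return false;
        IntPtr pa = IntPtr.Zero, pb = IntPtr.Zero;
        try
        {
            // Decrypt into unmanaged BSTR buffers (UTF-16, 2 bytes per char).
            pa = Marshal.SecureStringToBSTR(a);
            pb = Marshal.SecureStringToBSTR(b);

            // Fold the length difference and every character difference into
            // one value so the loop does not exit at the first mismatch.
            int diff = a.Length ^ b.Length;
            int n = Math.Min(a.Length, b.Length);
            for (int i = 0; i < n; i++)
                diff |= Marshal.ReadInt16(pa, i * 2) ^ Marshal.ReadInt16(pb, i * 2);
            return diff == 0;
        }
        finally
        {
            // Zero and free the plaintext copies even if an exception was thrown.
            if (pa != IntPtr.Zero) Marshal.ZeroFreeBSTR(pa);
            if (pb != IntPtr.Zero) Marshal.ZeroFreeBSTR(pb);
        }
    }

    static SecureString FromChars(char[] chars)  // constructed sample input only
    {
        var s = new SecureString();
        foreach (char c in chars) s.AppendChar(c);
        Array.Clear(chars, 0, chars.Length);     // wipe the caller's buffer
        s.MakeReadOnly();
        return s;
    }

    static void Main()
    {
        using (SecureString stored = FromChars(new[] { 'h', 'u', 'n', 't', 'e', 'r', '2' }))
        using (SecureString typed = FromChars(new[] { 'h', 'u', 'n', 't', 'e', 'r', '3' }))
        using (SecureString again = FromChars(new[] { 'h', 'u', 'n', 't', 'e', 'r', '2' }))
        {
            Console.WriteLine(AreEqual(stored, typed));
            Console.WriteLine(AreEqual(stored, again));
        }
    }
}
```

The plaintext still exists in unmanaged memory for the duration of the comparison, so this narrows the exposure window rather than removing it.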

The SecureString is available to secure data that should never be represented as strings.  It is only really available in a few areas and only makes sense for APIs that take advantage of it.  One API that takes advantage of this is CredUIPromptForCredentials, where a SecureString object is returned for the password and can be used to start a process where the ProcessInfo class accepts the SecureString object.

There are some problems with the SecureString class.  It does not protect you from users with a debugger.  Hawkeye, a nasty hacker tool but a great developer tool, can decrypt the SecureString objects, and it's open source!  It simply isn't supported in many APIs.  However, it does protect from a dump file containing the heap from a crash (how many passwords are found).  Note that most malware and viruses have this privilege because they run under administrator.

I think that when more APIs take advantage of this object, it will be a great tool.  Glav created a SecureTextBox control for use in forms applications.  It really would be useful if ConnectionStrings were handled in this manner.  It really is of no use for logging in on an ASP.NET application.


Posted by: kjsteuer
Posted on: 4/18/2008 at 2:27 PM

C# - Single Application Instance

Sometimes you need to make sure that there is only one copy of your application running at a time.  There are a few different ways to accomplish this task; I will go over two that I think are very safe.  Let's start off by creating a simple Windows application.

Using a mutex

The most common approach is using a mutex.  A mutex is short for mutual exclusion and is a simple data structure used for concurrent programming.  In .Net, the Mutex object is a Windows Kernel Object used as a locking mechanism across AppDomains and Processes. 

Let's create a class called SingleInstance and import the System.Threading namespace.  Inside the class, place a boolean firstInstance variable and an associated property.  This will indicate whether the application is the first instance.

        private bool firstInstance = false;

        //Returns true if this is the first instance of the application
        public bool FirstInstance
        {
            get { return firstInstance; }
        }

In the Program.cs file we will modify the Main method as follows:

        [STAThread]
        static void Main()
        {
            SingleInstance single = new SingleInstance();

            if (single.FirstInstance)
            {
                Application.EnableVisualStyles();
                Application.SetCompatibleTextRenderingDefault(false);
                Application.Run(new Form1());
            }
            else
            {
                MessageBox.Show("SingleInstanceApp is already running");
            }
            
        }

Then, when a second instance is run, our goal is to get a message box saying "SingleInstanceApp is already running".

Next put the following code in the default constructor of the SingleInstance class:

        //Static so the handle stays referenced for the life of the process
        private static Mutex mutex;

        public SingleInstance()
        {
            try
            {
                //Grab mutex if it exists
                mutex = Mutex.OpenExisting("SingleInstanceApp");
            }
            catch (WaitHandleCannotBeOpenedException)
            {
                //The mutex doesn't exist
                firstInstance = true;
            }

            //Create mutex if still null
            if (mutex == null)
            {
                mutex = new Mutex(false, "SingleInstanceApp");
                
                //Keep Garbage Collection away
                GC.KeepAlive(mutex);
            }
        }

First, we check if there is a current mutex with the name "SingleInstanceApp".  This is a unique name you must pick to represent your application.  You can add "Local\\" in front of the name to allow different users of the same system to run their own instance.  If left out, the mutex is checked across all processes/AppDomains of the system.  If no mutex with that name exists, a WaitHandleCannotBeOpenedException is thrown.  Then we check to see if the mutex exists by comparing to null and, if needed, we create the new mutex.

Finally, we need to keep the mutex alive in memory while the application is running.  The garbage collector is smart enough to determine that the SingleInstance class is never referenced again, therefore destroying it.  The GC.KeepAlive(Object obj) method keeps the object in memory until the AppDomain is unloaded.

There is also another approach using a mutex.  Create two methods with a return type of void, Mutex1() and Mutex2().  Put the current code in the constructor in Mutex1().  Next, copy the following code for the constructor and Mutex2().

        public SingleInstance()
        {
            Mutex2();
        }

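        private void Mutex2()
        {
            //Get the mutex, or create it if it does not exist yet.
            //Assigned to the class's mutex field rather than a local so the handle stays referenced.
            mutex = new Mutex(false, "SingleInstanceApp", out firstInstance);

            if (firstInstance)
                GC.KeepAlive(mutex);
        }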

This constructor overload will get the current mutex if it exists or create one.  The output boolean variable is true if the mutex did not previously exist.

Process Lookup

Another way to enforce a single instance is by doing a simple process lookup.  Import the System.Diagnostics namespace.  Then change the constructor and add the following method ProcessLookup():

        public SingleInstance()
        {
            ProcessLookup();
        }

        private void ProcessLookup()
        {
            //Get current process
            Process current = Process.GetCurrentProcess();

            //Get array of processes with same name
            Process[] procs = Process.GetProcessesByName(current.ProcessName);

            //Check count
            if (procs.Length == 1)
                firstInstance = true;
        }

I think this method is much slower than the previous method, but it also works fine.  This also adds the issue of tricking the application and running multiple copies by simply renaming the executable.

You could extend this further and, instead of displaying a message or closing the application, bring the current window to focus.  Unfortunately, I do not think there is an easy way to do this without using the user32.dll from the windows32 library.  Code for doing this can be found at this article on CodeProject.

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


Posted by: kjsteuer
Posted on: 4/16/2008 at 11:32 AM

Google developers

Check out this article regarding Google developer salaries.  I have not checked indeed to confirm the results but I wouldn't doubt it.  The article states that even one of Google's former masseuses is a millionaire from stock options.


Posted by: kjsteuer
Posted on: 4/14/2008 at 8:38 AM

Google App Engine Preview Release

Google is dipping into the cloud computing market.  They are claiming to have solved the issue of scalability for web applications, a direct hit against Amazon Web Services.  It doesn't matter whether your application gets 10 hits per day or 1 million hits per day. 

Google App Engine Picture taken from internetnews

One inconvenience of App Engine is that it is restricted to the Python language.  Python is a good language, but it would be nice to see multiple platforms allowed.  Another problem is that data is not relational; people are saying that it uses Bigtable, a distributed storage system.

There were only 10,000 initial free accounts offered and, guess what, they are gone.  Each account has a 500MB storage limit and is allowed 5 million hits per month.  Hopefully more accounts will become available soon; I am on a waitlist that is probably a mile long :).

If you are interested, Google I/O is from May 28th - 29th.  They will be discussing App Engine and different APIs such as Google Gears, Google Web Toolkit, Google Data APIs, and more.

There are already a bunch of applications popping up.  Hopefully Google will continue to provide this as a free service when it goes live.


Posted by: kjsteuer
Posted on: 4/10/2008 at 10:37 AM

Process Explorer - Task Manager on steroids

I came across this nifty application today called Process Explorer.  I needed to delete a file but had to find out what application had a file handle open because I kept getting the following error.

image

A file cannot be deleted if there exists any handle that is associated with it.  Process Explorer lets you view handles by process.  Process Explorer also allows you to view Hardware Interrupts, Deferred Procedure Calls, and process parent/child relationships.

image

This is not the best way to find a handle when you are not sure what process has control.  There is a feature to find a handle or DLL at Find | Find Handle or DLL ... (Ctrl+F).

image

Once the handle is found you can close the correct application and delete the file in use.  It is not good practice to delete the handle because the file may be in use and could lead to data corruption.

Another nice feature of Process Explorer is the System Information view.  It extends the default Task Manager's Performance view.

image

This application is from Sysinternals, which was acquired by Microsoft in July of 2006.   They have many other interesting system tools.


Posted by: kjsteuer
Posted on: 4/10/2008 at 5:45 AM

Microsoft Surface with at&t

Microsoft Surface will be released on April 17th in select at&t stores.  This item is a bit pricey for the average tech gadget consumer, estimated at $5,000 to $10,000.  It will be a great educational tool once the price comes down.

Press Release

Microsoft Surface Demo

There are a few other competitors in this arena.  The Linux community has been working on multi-touch devices too.  You can already download this software and start playing.

MPX Demo

Jeff Han seems to be a bit ahead of the game.

Jeff Han 2006

However, at ten times the price, the Microsoft Surface may be a little more realistic.


Posted by: kjsteuer
Posted on: 4/3/2008 at 4:50 PM