Ladies and gentlemen, we interrupt the silence schedule to bring you shocking news. Hatred has reared its ugly head on the forsaken grounds of our dear old friend — Windows 98. It appears the bigots have set a new target for their cynical and non-politically-correct persecution. Big-boned dialogs and initialization-limited rectangulars are shamelessly discriminated against and abused for no acceptable reason. Exceptions, overflow errors, division errors and antique dialogs were thrown at the victims, reports say. We were unable to get comments from the alleged bigots.

We were unable to get pictures from the event, but luckily, it can be easily reproduced.

  return FALSE;
int main(int argc, char* argv[])
  char dt[24] = {0,};
  RECT r = {32757,};
  HWND dlg = CreateDialogIndirect(
  MapDialogRect(dlg, &r); // BOOM!
  return 0;

The green wire

Apparently, I’m a brainless lump of amino acids mixed with some calcium and water wrapped in keratin. As it turns out, if I had the choice, I’d spontaneously set myself ablaze at the very first opportunity I stumble upon. If I see a ledge, I will delightfully leap ahead and form a charming crater. If I hear a car, I will undoubtfully try to stop it by hand so I can greet the driver. If a gun happens to find its way into my arms, I wouldn’t even pause to ponder and surely pull the trigger. If I become disoriented and wind up in a bar, I will purchase pure ethanol, pour it over my barren head and implore the barman for a zippo. Yes, I’m just that ignorant.

Electricity is another fine example of scary and absurd technologies fools like myself should evade. By far one of humanity’s most hazardous discoveries, this vile and corruptive force has been known to claim the lives of innumerous poor souls. It is a widely known fact that over a hundred of this world’s brightest minds buy a one-way ticket to the buzz train every single day. Thousands of households are desolated every passing minute due to electricity related complications. 8 out of 10 doctors advocate electricity-free households. Edison rolls in his grave and children weep over their lost innocence.

I was therefore not surprised to learn I was denied access to 220v-110v wall socket adapters. Usage of such mischievous tools could result in serious harm to body and property. Failure to properly connect an adapter to a wall socket could incite a fire. Failure to properly mount the cable into the adapter could result in immediate annihilation of the human race.

Hope of a better future overflows me when I learn eggheads responsible of saving me from myself have deemed this doomsday device inappropriate for mass consumption. Despite my futile attempts to dislodge the northern hemisphere by connecting my camera charger using an adapter, I’m still here to tell the tale. All I had to do is halt my quest for an adapter before the third mall and resort to soldering some spare metallic parts, unearthed from the darkest corners of the house.

Triple double U

Since around 1995, I’ve been using the web in one way or another. At those days, I would had been amazed to even notice the slightest proof of recognition on a face in response to the word modem. Today, on the other hand, I can’t walk on the street without hearing or seeing something related to the internet. Despite its ever growing popularity, it still carries with it a distinct odor of technology.

Just the other day, I embarked upon a quest for retrieving information on an everyday object with which I could extend my knowledge. What would later seem obvious caught me by surprise when, lucky as I may have felt, searching Google for apple resulted in what can only be described as an horrific synthesis of metallic, glossy and white alloys of plastic and aluminum; and not the sought sweet and divine composite of texture, taste and aroma I had expected. Quickly I realized my mistake and, not feeling lucky anymore, I commenced on a far less ambitious journey in the depths of the search results to find my craved fruit.

For all of those innocent souls out there looking for the tasty fruit like myself, allow me to dedicate this post and donate my page rank to 1up the original apple. Link by link, the web shall one day become humane.

Genuinely later

On every second Tuesday of the month, Microsoft indulges us with a slew of updates ranging from trivial to critical and sometimes even truly superior. Sadly, not even the most ardor imbued zealot of Windows rejuvenation can bring the updates to life without a reboot. To ensure everyone do reboot, Microsoft has added the lovely “Restart Now” dialog we have all come to cherish.

Distressing as it may be, while loved and cherished, the dialog is often the center of attention in the Windows loath-fest. Getting rid of it, however, isn’t that difficult. All it takes is killing one service.

net stop wuauserv

But what if yours truly is not near the computer on patch Tuesday and the dialog starts its cheerful countdown to complete and total annihilation of the current session? While skimming through some Group Policies, I’ve noticed there’s one for disabling this annoying reboot countdown. Simply create a DWORD named NoAutoRebootWithLoggedOnUsers under HKLMSoftwarePoliciesMicrosoftWindowsWindowsUpdateAU, set it to 1 and say bah-bye to Microsoft’s equivalent of the dreaded ad pop-up.

Microsoft’s Tim Rains has more details on the subject.

Atomic codes

I had some fun today trying to figure out why Banner likes to hang around with .NET so much so it wouldn’t even leave. I found out that while being destroyed, something tries to send messages to the main dialog. But the main dialog is busy with destroying the banner. I added exactly two iterations of the famous win32 message loop and everything started working. I still don’t know why those messages are sent or why it’s so important they’ll be answered before the banner is destroyed or even why it happens just with the .NET installer. And don’t even ask about different synchronization methods that make it tick. So far, I’ve found only smoke signals and the fire extinguisher won’t last much longer.

Of all the signals, I liked the message loop the most. It actually points to something I’ve done wrong. I’ve starved the main dialog’s thread while creating a modeless dialog as its child. That’s why I dug in further into those two iterations of the loop and those two messages that it processes. It turns out both of them had the same identifier – 0xc0c3. Now that’s no regular WM_ message… That’s a message registered with RegisterWindowMessage. But which message is it? That’s where the fun starts. There’s no GetRegisteredWindowMessage API available and nothing on the topic comes out on Google.

So with no leads to follow I started digging. Normally, to give a certain string a specific value in Windows, an atom is created. And indeed, 0xc0c3 is in the range of named atoms. To make things even simpler, in WINE, RegisterWindowMessage simply calls GlobalAddAtom, casts ATOM to UINT and returns. Great, then GetAtomName or GlobalGetAtomName should do the trick. Only reality isn’t as bright as WINE would like us to think. It turns out RegisterWindowMessage uses a different atom table for its messages. But which atom table and how can you even specify a table with GetAtomName?

To specify a table, a low-level access to RtlLookupAtomInAtomTable is required. But that function is deep inside ntoskrnl.exe. So, up one level and you get NtUserGetAtomName which uses the same atom table as NtUserAddAtom which is the function RegisterWindowMessage calls. But that’s inside win32k.sys… Luckily, user32.dll already handles that. It has a stub that calls NtUserGetAtomName at 0x7E41FA8E. Some playing around with the second parameter which turns out to be UNICODE_STRING and the atomic table is in hands’ reach.

Engines off, coding fingers down, digging complete and the message name is MSUIM.Msg.Private. That too gets little to none results on Google, but who cares… Debugging is fun 🙂

For any of you who’d ever want to convert a registered message into a readable name, here’s the NSIS code. Replace 0xc0c3 with the message identifier and 0x7E41FA8E with user32!NtUserGetAtomName and you’re good to go.

# the atom
StrCpy $2 0xc0c3
;System::Call user32::RegisterWindowMessage(t'test_message')i.r2
System::Alloc 1008
Pop $R0
StrCpy $R1 0
StrCpy $R2 1000
IntOp $R3 $R0 + 8
System::Call *$R0(&i2R1,&i2R2,iR3)
# call NtUserGetAtomName
System::Call ::0x7E41FA8E(ir2,iR0)i.r1?e
System::Call *$R0(&i2.r4,&i2.r3,w.r0)
# print details
DetailPrint "user atom's name is $0"
DetailPrint "length is $4 (???)"
DetailPrint "NtUserGetAtomName returned $1"
Pop $1
DetailPrint "GetLastError() = $1"
# done
System::Free $R0

Welcome to the 90’s

I don’t usually watch television, but in those short yet so satisfying fixes that I do score, there are always those pesky commercials. For the life of me, I don’t know why, but those are even more addictive. They always find new ways to grab your attention. While watching Friends the other day, a commercial for mortgage came up. It was pretend news cast staring miss I know best G. Yafit (sorry, Hebrew only). In her ever so nice voice, she recommended I get my mortgage done at some bank I don’t even remember. I think it had orange in its logo…

Like gorillas in the background, hands of a great card hustler, or new researches about how eating X will get you great Y, I’m all too used to ignore these commercials. But this particular commercial took me by surprise. Our dear old friend, Yafit, urged me to call right now and get my mortgage at 1-800-MORTGAGE. A toll-free number with letters after it! I was so shocked I had to wait for the second time the commercial was aired in the same short pause for commercials, just to see it again.

Ladies and gentlemen, this is an historic event. For the first time in my life, I’ve seen letters used in a phone number in Israel. We have reached the 90’s! And not just any plain old letters, they were actually in Hebrew (משכנתא). The future is here and I can’t be any more thrilled. Cars, color TVs and maybe even 8mb SDSL are just around the corner. Oh, joy!


I’m a big fan of shortcuts. I meet them everywhere and greet them nicely. On Internet Relay Chat, Instant Messaging, signs on the road and of course Short Message Service. The name already suggests it. The entire system was designed for short messages, so acronyms and other shortcuts are a must. There’s a limit on the number of characters you can send and when you cross that limit, you pay more. It’s understandable why users would want to cut back on characters and even words. Still, I find myself repeatedly writing full sentences.

That’s why I like T9 so much. Not only does it allow me to write messages faster, but due to its somewhat broad acceptance, I also receive messages with what I’d qualify as semi-understandable content. Shiny as it may be, there’s always a glitch. The revered triple dot combo… The two first dots are displayed accurately, but by the third dot it decides a different character was typed that’s not even remotely related to the key clearly marked with the number 1. So instead of receiving the glorious triple dot combo, I get the double dot confusion bomb. Was it an accidental double dot? Was it the combo? It can completely flip the meaning of the message! How can I tell if it was “No…” as in “No, sorry…” or “No.” as in “No way!”. Am I to reply as the combo suggests a continuation is in place or am I missing an abrupt stop of the conversation? This, of course, brings us to the mystery of the ever elusive exclamation mark, but that’s a whole other story.

Yet another reason to just call…

Knowing you’re bored #157

The other day, I found myself holding the N key in guidgen, trying to exhaust all 340282366920938463463374607431768211456 GUIDs. I didn’t count, but I think I got to around a 1000 GUIDs so far… I was just that bored. I guess I was hoping for a cool “OUT OF GUIDS” BSOD or something.

Press the N key

Missed evil files

I tried looking for a newer version of NSIS Media by visiting their latest update server. I came out empty handed, which was bad news for my research but great news for the rest of the world. Just to make sure I got it right, I visited the old update server once again. I was in for a surprise when it served me b10.bin for downloading. As you may recall from one of the earlier posts, I originally downloaded only [ab][1-9]. Seeing as it suddenly served b10.bin, I upgraded my download script and found some more evil files.


I’ve updated my NSIS Media Remover to detect and remove those as well. I’ve also updated the samples archive, though it still doesn’t contain any of the old version DLL files.