Retrieving Process ID Of Calling Process.


 

There are different scenarios where you need to know the process ID of the calling process. This might be the parent process, for example when your application runs under the context of explorer, or a process you created yourself by calling CreateProcess / CreateProcessA / CreateProcessW.

I have created an MFC application and used the code below in one of my custom member functions.

     DWORD sai = GetCurrentProcessId();            // ID of the current (calling) process

     WCHAR valueconvert[50];

     swprintf_s(valueconvert, 50, L"%lu", sai);    // DWORD is unsigned, so %lu rather than %d

     MessageBox(valueconvert, L"process id is", MB_OK);   // CWnd::MessageBox(text, caption, type)

 

I was unable to typecast the value to UINT, which would be the 3rd parameter I am passing inside the MessageBox function. GetCurrentProcessId stores the value into the variable "sai"; further, I am using swprintf_s to write it formatted to a string and print the value using MessageBox.
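As an added example (not the post's MFC code), the same question answered from PowerShell: walk from the current process up its parent chain using Win32_Process, which also covers the "running under explorer" case. The creation-time check flags a ParentProcessId whose PID has since been reused, so the chain is not blindly trusted.

```powershell
# Added example: walk the parent chain of the current PowerShell process.
# Win32_Process exposes ProcessId, ParentProcessId and CreationDate.
function Get-ParentChain {
    param([uint32]$StartPid = $PID, [int]$MaxDepth = 16)

    $chain   = @()
    $current = Get-CimInstance Win32_Process -Filter "ProcessId = $StartPid"
    while ($null -ne $current -and $chain.Count -lt $MaxDepth) {
        $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($current.ParentProcessId)"

        # A PID can be recycled: if the "parent" started after the child, the real
        # parent has already exited and this PID now belongs to an unrelated process.
        $stale = ($null -eq $parent) -or
                 ($null -ne $parent.CreationDate -and $parent.CreationDate -gt $current.CreationDate)
        $parentName = if ($stale) { '<exited or PID reused>' } else { $parent.Name }

        $chain += [pscustomobject]@{
            ProcessId  = $current.ProcessId
            Name       = $current.Name
            ParentPid  = $current.ParentProcessId
            ParentName = $parentName
            Created    = $current.CreationDate
        }

        # Stop at the root: System Idle Process (PID 0) reports itself as its own parent.
        if ($stale -or $parent.ProcessId -eq $current.ProcessId) { break }
        $current = $parent
    }
    return $chain
}

Get-ParentChain | Format-Table -AutoSize
```

The first row's ParentPid is the "calling process" the post is after; the remaining rows show the chain up to the kernel, with a marker wherever the recorded parent is no longer the process that actually started the child.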

Kernel Objects “Are” Different From GDI / User objects


Applications cannot access system resources directly. In Windows, each of these resources is represented by an object, and an object is a data structure. System resources include files, folders, images, threads, processes, menus, windows, bitmaps, event logs, desktops, etc.

So how do applications communicate with / access these resources? Applications obtain an object handle, through which they can perform actions on the specific resource. Understanding objects and the object manager requires time and effort. Objects carry the security related to the resource, such as its ACL. When an application (Active Directory, Exchange, or a custom application) wants to access a resource, it has to obtain a handle to the object of that resource, and the corresponding security is validated before access is granted.

In windows , objects are categorized into

a)     User mode

b)    Kernel mode

c)     GDI mode

At a high level all these objects belong to Windows, but they are handled differently. A Bitmap object or Font object is handled differently from a thread object or mutex object, because Bitmap and Font objects belong to GDI, whereas threads and mutexes belong to the kernel.

Who creates these objects? Specific DLLs create them: kernel32.dll creates objects such as jobs, threads, mutexes, pipes, etc.; gdi32.dll creates bitmaps and fonts; and user32.dll creates icons, menus, etc. Kernel objects play a significant role. Most of us might wonder why an Icon or Menu is not a "kernel object" while a thread or mutex is. The reason is that the kernel performs scheduling on threads and protects them from being modified by user-mode applications. Developers and debuggers should understand what lies in the system address space and what is present in the user address space. Before going further, I would encourage you to read through

a)     Windows Internals, 5th edition

b)    Windows programming (Jeffrey Richter)

So the conclusion is: not every object is a kernel object.

Error U1087: cannot have : and:: dependents for same target


You might receive the error message below when building the driver.

BUILD: Compile and Link for x86

BUILD: Start time: Wed Nov 24 13:57:41 2010

BUILD: Examining c:\sai-bt-data\windows\programing\driver dev\7600.16385.0\src\storage\ramdisk directory for files to compile.

 c:\sai-bt-data\windows\programing\driver dev\7600.16385.0\src\storage\ramdiInvalidating OACR warning log for ‘root:x86chk’

BUILD: Building generated files in c:\sai-bt-data\windows\programing\driver dev\

7600.16385.0\src\storage\ramdisk directory

Configuring OACR for ‘root:x86chk’ – <OACR on>

_NT_TARGET_VERSION SET TO WINXP

1>errors in directory c:\sai-bt-data\windows\programing\driver dev\7600.16385.0\src\storage\ramdisk

1>c:\winddk\7600.16385.0\bin\makefile.new(7117) : error U1087: cannot have : and :: dependents for same target

1>nmake.exe /nologo BUILDMSG=Stop. -i BUILD_PASS=PASS0 NOLINK=1 PASS0ONLY=1 MAKEDIR_RELATIVE_TO_BASEDIR= failed - rc = 2

BUILD: Compile errors: not linking c:\sai-bt-data\windows\programing\driver dev\7600.16385.0\src\storage\ramdisk directory

BUILD: Finish time: Wed Nov 24 13:57:41 2010

BUILD: Done 

    0 files compiled – 2 Errors

Resolution:

It is simple: make sure that no folder name on the build path contains a space. In the example above, you can see that "c:\sai-bt-data\windows\programing\driver dev\" has a space in "driver dev". When you rename the folder without the space and build (either checked or free build), the compilation succeeds and the executable is built.

Windows 2008 Fine Grained Password Policies


In Windows Server 2000 and Windows Server 2003, password policy could only be applied through the Default Domain Policy. With this approach, if an organization had to plan different sets of password policies for its users spread across the globe, it was not possible.

To work around this, organizations running Windows Server 2003 can deploy additional domains and create separate or distinct password policies. But the ideal organization has fewer domains to manage in a forest, which makes for centralized administration.

Windows Server 2008 introduced a new concept called Fine Grained Password Policies, which allows administrators to specify multiple password policies, along with account lockout policies, for different sets of users. Windows Server 2008 Active Directory has a new object class supporting fine grained password and account lockout policies.

a)      Password Settings Container (PSC):

  • The PSC is created under the System container, which you can view using the Active Directory Users and Computers snap-in. You should view ADUC with Advanced Features enabled.
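As an added example (not part of the original post), the same container inspected from PowerShell: it enumerates the password settings objects stored under CN=Password Settings Container,CN=System and then asks which policy actually wins for one user. The account name 'jdoe' is a placeholder, and the ActiveDirectory module is assumed to be installed.

```powershell
# Added example: list the PSOs in the Password Settings Container and show
# the resultant policy for a user. Lower precedence values win when several apply.
Import-Module ActiveDirectory

function Get-PsoSummary {
    $domainDN = (Get-ADDomain).DistinguishedName
    $psc      = "CN=Password Settings Container,CN=System,$domainDN"
    $attrs    = @('msDS-PasswordSettingsPrecedence', 'msDS-MinimumPasswordLength',
                  'msDS-LockoutThreshold', 'msDS-PSOAppliesTo')

    Get-ADObject -SearchBase $psc -SearchScope OneLevel `
                 -LDAPFilter '(objectClass=msDS-PasswordSettings)' -Properties $attrs |
    ForEach-Object {
        [pscustomobject]@{
            Name             = $_.Name
            Precedence       = $_.'msDS-PasswordSettingsPrecedence'
            MinPwdLength     = $_.'msDS-MinimumPasswordLength'
            LockoutThreshold = $_.'msDS-LockoutThreshold'
            # Users or groups the PSO is linked to (DNs); a PSO with no links does nothing.
            AppliesTo        = ($_.'msDS-PSOAppliesTo' -join '; ')
        }
    } | Sort-Object Precedence
}

Get-PsoSummary | Format-Table -AutoSize

# Which policy the directory actually applies to this user (placeholder name).
# Returns nothing when no PSO applies and the Default Domain Policy is in effect.
Get-ADUserResultantPasswordPolicy -Identity 'jdoe' |
    Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold
```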

Viewing Active Directory Object Properties With Restricted Privileges.


I was always curious to know what happens in the background when you assign a user permissions to Active Directory objects: what privileges are required to view directory objects, and how these permissions are understood by the operating system so that users are provided the required information.

OR

How can a normal user with fewer privileges view additional Active Directory objects, or more of them than they see by default?

Active Directory is a collection of objects. Applications use objects to store data in the directory, and a schema must be defined for each object that stores data. Microsoft has implemented a robust security mechanism that prevents unauthorized access to data with the help of different subsystems such as LSASS (Local Security Authority Subsystem), SAM (Security Account Manager), Active Directory, authentication packages, credential providers, Netlogon, etc.

To answer the above question, we should understand the Windows security model, and its most important component is the token / access token.

 A structural view of a Token is shown below

During the initial logon, LSASS creates a token with the above information, and this access token is attached to every process and to the threads within it. Apart from the token, there is another major component that determines which users may perform what actions on objects based on their privileges; it is known as the Security Descriptor (SD).

A security descriptor consists of different data structures that determine the access levels a user or a process can be granted. The SD contains ACLs (Access Control Lists) and ACEs (Access Control Entries). An SD has 2 types of ACL: the DACL (Discretionary ACL) and the SACL (System ACL). ACEs are part of the ACLs; these ACEs are the data structures that grant or deny access levels. The diagram below should give you a clear understanding.

The 8 different Access Control Entries under DACL are

A)      Access allowed

B)      Access denied

C)      Allowed callback

D)      Denied Callback

E)      Allowed object

F)      Denied object

G)     Allowed object callback

H)      Denied object callback

I will map this information to the question asked above. The Active Directory schema can provide a security descriptor: each object class defined in the schema has a defaultSecurityDescriptor attribute.

If a process does not provide a DACL for a new Active Directory object, the operating system uses the DACL from the default security descriptor specified by the schema.

So if a normal user wants to view additional properties of an object, you have 2 methods:

A)      You can configure the DACL on the parent of the object; it is applied to all its children and eliminates the need to specify it on the schema.

B)      Another way to let the user view more properties is to create a delegation on the OU: right-click the OU -> Delegate Control -> Next -> Select Users -> Create a custom task to delegate -> This folder, existing objects in this folder, and creation of new objects in this folder -> Read All Properties -> Finish.

The above should have exposed the components involved in determining access to an object and how the operating system authorizes users.
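As an added example (not from the post), the three points above in script form: reading the schema's defaultSecurityDescriptor for the user class, listing the effective DACL on an OU with a flag separating plain allowed/denied ACEs from object-specific ones, and then the delegation from method B expressed as an ACE granting Read All Properties to a group with inheritance to all children. The OU DN and the group 'HelpDesk' are placeholders; the ActiveDirectory module and its AD: drive are assumed.

```powershell
# Added example: inspect and extend the DACL that governs an AD object.
Import-Module ActiveDirectory

# 1. Default security descriptor the schema supplies for the 'user' class (SDDL form).
$schemaNC  = (Get-ADRootDSE).schemaNamingContext
$userClass = Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(&(objectClass=classSchema)(lDAPDisplayName=user))' `
    -Properties defaultSecurityDescriptor
"Schema default SD for 'user': $($userClass.defaultSecurityDescriptor)"

# 2. Effective DACL on an OU (placeholder DN) read through the AD: PSDrive.
$ouDN = 'OU=Sales,DC=example,DC=com'
$acl  = Get-Acl -Path "AD:\$ouDN"
$acl.Access | ForEach-Object {
    [pscustomobject]@{
        Trustee   = $_.IdentityReference
        Type      = $_.AccessControlType          # Allow or Deny
        Rights    = $_.ActiveDirectoryRights
        # Empty ObjectType: a plain allowed/denied ACE covering the whole object.
        # A GUID: an object-specific ACE scoped to one property or property set.
        ObjectAce = ($_.ObjectType -ne [guid]::Empty)
        Inherited = $_.IsInherited
        AppliesTo = $_.InheritanceType
    }
} | Format-Table -AutoSize

# 3. Method A/B from the post: grant a group Read All Properties on the OU,
#    inherited by all existing and future child objects (placeholder group name).
$group = Get-ADGroup 'HelpDesk'
$rule  = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $group.SID,
    [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$ouDN" -AclObject $acl -WhatIf    # remove -WhatIf to apply the change
```

Run step 2 again after applying step 3 and the new ACE appears as a non-inherited Allow entry with ObjectAce set to False, which is what "Read All Properties" on the whole object looks like in the DACL.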


IT Infrastructure Planning Requirements.


I am starting an Infrastructure Design category on my blog and will be explaining certain scenarios based on the infrastructure. The idea behind creating infrastructure component designs is

  • To assist architects or decision makers
  • To get more ideas from experts all over the world, which would give me a better understanding of environments from the simplest to the most complex.

 

Most organizations, irrespective of size, have multiple branches with several computers running different applications, which might be commercial, business or in-house applications performing certain tasks. The company then requires IT engineers / IT administrators to manage these systems. The following are a few of the major components that have to be considered:

  • Network management
  • Server Management
  • Storage Management
  • Security Management
  • Selecting Operating System
  • Desktop Management
  • Active Directory Management
  • Group Policy Management
  • Application Management
  • Messaging Management

 

The above are the building blocks required to form a complete solution (there might be many others, but I have targeted the major components).

a)      Network Management: This is the heart of any organization. Irrespective of the organization's size and type, network management plays a key role; it involves selecting appropriate network devices and planning for ISOLATION. Network engineers should understand how to route data between

  • Intranet and Internet
  • DMZ and Internet
  • DMZ and Intranet
  • VLAN configuration
  • Wireless Routing

  Once they have laid out the plan for the devices they will install and the communication channels, it is time to plan the devices themselves (layer 2 and layer 3 devices), and most importantly the engineers should have the network layout documented.

b)      Server Management: At a high level, administrators / managers should plan the number of racks and the type of hardware used for the server implementation (HP, Dell, etc.); placement of the servers is the key aspect.

c)      Storage Management: This is one of the key aspects, because the entire organization's data is placed in storage, which must be resilient to failures. Sizing the appropriate storage is always a challenge, and the requirements grow as the company grows. For example, a company might be using SQL Server and storing 10 GB of data; as the company grows, the SQL database grows, and so does the storage. You should select an appropriate storage vendor such as Hitachi or EMC, because I see only these as the major market players as of 2010. The vendors would then configure the storage appropriately for the number of LUNs, RAID (any level), data deduplication, etc.

 

d)      Security Management: This is the most interesting component. Security should be provided for every component we install in our organization, but due to revenue, cost and experience, organizations often implement an intermediate solution for managing their data. Security does not only mean securing data; it means securing their intellectual property, which exists in the form of e-documents. Different organizations have come up with different technologies to provide security management, divided into hardware and software security management. Hardware security management is provided by firewalls and switches; software companies have also come up with software firewalls providing another layer of security, which include Microsoft Forefront and other products. We have to make sure we secure

  • Email security
  • Documents security ( certificates,  )
  • Application security
  • Data Security (IPsec / Firewall which are at packet level )
  • Desktop client security.
  • Protecting servers

 

e)      Selecting Operating System: Most organizations must choose between client and server operating systems. Selecting the client operating system involves fewer choices, and most organizations opt for Microsoft's client operating systems; Microsoft has simplified the management of the client operating system while providing more robust security in Windows 7 when compared to XP, but you would still need to manage them. Selecting the server-side operating system is always tricky and depends on the expertise of each organization: most legacy managers opt for UNIX operating systems for the enterprise, but those who have evaluated the Microsoft flavor opt for Windows Server 2008. Unlike Unix or Linux, Microsoft servers provide administrators with many UI applications that give centralized administration and ease the effort of monitoring them.

f)        Desktop Management: This is one of the interesting parts and requires customization at various levels. Administrators / system engineers should carefully architect the deployment, management, policies and patch management for the clients they install. Some of the major and critical components of desktop management are

  • Image Creation and Deployment using MDT 2010 / BigFix / Landesk /WAIK /Symantec Ghost
  • Lock down the Client Operating System W.R.T Internet Explorer, hard disk usage, software installations, drivers installations, Windows explorer options, Windows Update, NIC configuration, protecting windows registry
  • Integrating ITSM for management of desktop change requests.

 

g)      Active Directory Management: This depends on the organization. AD has eventually become the de facto directory management system for SME / enterprise-level organizations that want centralized management of clients deployed across the globe. Dedicated planning needs to be in place when planning for Active Directory, because Microsoft's directory structure provides functions that are complex and secured and requires skilled engineers to architect and implement them. AD management includes major tasks such as creating OUs and AD sites, managing replication, creating trusts, AD migration and AD backup / restore. The most important skill to consider is troubleshooting AD-related errors.

h)      Group Policy Management: This is one of the most important components of server and client operating system management. Administrators can use Group Policy to lock down client and server roles and features and perform various tasks such as software deployment, driver deployment, power management, etc. These were earlier handled by 3rd-party applications that customers had to purchase, but Microsoft provides this functionality free of cost.

i)        Messaging Management: Messaging has evolved over 2 decades and there are strong players in the market providing messaging solutions, such as Microsoft and VMware. Organizations have implemented Microsoft Exchange and Lotus Notes at large scale, and now VMware has introduced Zimbra, which is slowly gaining market share. When selecting a messaging solution, you should consider the following:

  • Messaging Security ( Microsoft Edge , Symantec Bright Mail )
  • Messaging solution deployment strategy ( Deploying diff roles )
  • Database Consideration ( Number of mail boxes and size )
  • Storage solution ( FC / ISCSI )
  • Performance Monitoring.

j)        Application Management: Unlike the considerations above, an organization's view of application management depends solely on the product the organization supports. This falls under 2 major aspects:

  • Product Based Company
  • Services Oriented Company

            Both of the above have their own limitations; designing a plan for a product-based company is totally different from a services-oriented company, which I will be covering in a different blog post. The following are some of the major considerations for application management:

  • Deciding on the utility to keep version updates
  • Deciding on the utility to develop the application
  • Deciding on managing the application
  • Utilities required to test the application
  • Utilities to debug the application
  • Infrastructure required to test and debug the application

 

I have deliberately left out the cloud infrastructure component and the virtualization component, which I will be discussing separately in my other blog posts.

Based on the above categories, I will be writing infrastructure articles which would be useful for IT architects / IT consultants when considering the key aspects during planning of any infrastructure.

Why Not Standard Edition For Hyper-v


When choosing an operating system for a Hyper-V installation, I would recommend you choose either Windows Server 2008 x64 Enterprise Edition or Datacenter Edition and skip the Standard Edition, because Standard Edition does not provide Failover Clustering support, which is required for Quick Migration.

And you might ask: why did Microsoft provide Hyper-V with Standard Edition?

The answer depends on the infrastructure you are currently running. If your organization is an SME and does not require you to manage 1000s of VMs, then why would you opt for Enterprise / Datacenter Edition? If you are keen on providing failover clustering, then my choice would be EE or DE respectively.