I have a dilemma over whether I should create a User Interface thread or a Background thread to process my background operations.
The docs for the function SHGetFileInfo say that it should not be called from the application's main thread because it can lock up the UI.
So I will use a secondary thread. And I will post messages to the thread to prompt it to process stuff.
But should I use the UI thread version of AfxBeginThread because it includes a message pump, or should I use the background thread version and implement my own message pump?
I ask because I do not want the application to terminate when the secondary thread terminates. My understanding of the docs is that that could happen if I use a UI thread.
Thank you
The difficult we do right away...
...the impossible takes slightly longer.
I don't have personal experience with this function but Microsoft doc seems pretty specific:
Quote: You should call this function from a background thread. Failure to do so could cause the UI to stop responding.
So background thread it is!
Mircea
Yes, I was taken aback when I first saw that.
The difficult we do right away...
...the impossible takes slightly longer.
Hi,
Richard Andrew x64 wrote: I ask because I do not want the application to terminate when the secondary thread terminates. My understanding of the docs is that that could happen if I use a UI thread.
Could you show me what you are referring to? The only way that I am aware of where a CWinThread can terminate the main thread is if you reach across threads to execute code. If a WM_QUIT arrives during that short period I believe it gets posted to the main thread's message queue.
Don't do this:
ThreadA->ThreadB_DoSomething();
ThreadB->ThreadA_Dosomething();
Instead post a message WM_THREAD_A_DOSOMETHING
As long as ThreadA never touches ThreadB you shouldn't have any problems. Also don't create any windows or enter any modal loops from your CWinThread worker thread... do all window management from your main thread.
Follow these rules:
1.) Do all window creation in your main thread.
2.) Don't reach across threads to execute code.
3.) Use PostMessage to communicate between threads.
You *can* break these rules but make sure that you fully understand the consequences and how to get around them. Raymond Chen explains how you can get around messages that are eaten by modal loops here.
Best Wishes,
-David Delaune
Thank you for the detailed response.
So you would recommend the UI version of CWinThread because it has a message pump already?
The difficult we do right away...
...the impossible takes slightly longer.
Well,
Richard Andrew x64 wrote: So you would recommend the UI version of CWinThread because it has a message pump already?
Even if you used a non-GUI thread... the Windows kernel auto-promotes a thread via KiConvertToGuiThread, increases the thread stack size and gives it a message queue immediately when it makes a syscall above 0x1000.
In other words... as soon as you make your call to SHGetFileInfo your thread will become a UI thread. You could prevent the auto-promotion by setting PROCESS_CREATION_MITIGATION_POLICY_WIN32K_SYSTEM_CALL_DISABLE_ALWAYS_ON but that would break your SHGetFileInfo and a myriad of other win32k system calls.
You can use CWinThread and just follow the rules I laid out in my previous response.
Best Wishes,
-David Delaune
Wow!
Hello.
I need your help.
First of all, I hope you understand that the sentence structure can be strange as I ask questions using a translator machine.
I'm looking for a Group Policy Editor API.
Especially the Local Computer Policy/Computer Configuration/Administrative Templates/System/Removable Storage Access area.
When I changed this part, I found that a registry key was created or disappeared.
But what I want is to be able to modify this group policy directly.
Because even if the registry is modified, it ends up being changed back to the data corresponding to the group policy.
If you know the API that can modify the group policy editor, please let me know.
Thank you.
Thanks for your reply.
I checked the link you gave me.
But I'm not sure which method to use in the meantime.
I don't see any method to change the content of Group Policy anywhere.
Of course there is a 100 percent chance that I will not find it.
To be a little more specific, I would really appreciate it if you let me know which method I should use.
Thank you.
Thanks for the reply.
I went to the link you gave me, but what method should I use there?
If I had understood after seeing the answer, I would not have asked again.
I don't really know what to use at that link.
There is no setting method anywhere.
I want to set the area below 'Local Computer Policy/Computer Configuration/Administrative Templates/System/Removable Storage Access'.
Thanks.
Sorry, I have not used this API, you will need to study the documentation. Alternatively use Google to find sample code.
Hi,
You should add more error handling, this is just a code sample:
#include <guiddef.h>
#include <initguid.h>
#include <windows.h>
#include <comdef.h>
#include <cguid.h>
#include <atlcomcli.h>
#include <gpedit.h>
#include <Iaccess.h>
#pragma comment(lib,"gpedit.lib")

int main()
{
    HKEY key = NULL;
    HKEY pol = NULL;
    DWORD val = 1;
    DWORD disp = 0;
    GUID ext = REGISTRY_EXTENSION_GUID;   // Administrative Templates (registry) client-side extension
    CoInitializeEx(NULL, COINIT_APARTMENTTHREADED);
    CComPtr<IGroupPolicyObject> lgp;
    HRESULT hr = CoCreateInstance(CLSID_GroupPolicyObject, NULL, CLSCTX_INPROC_SERVER, IID_IGroupPolicyObject, (LPVOID*)&lgp);
    if (SUCCEEDED(hr) && SUCCEEDED(lgp->OpenLocalMachineGPO(GPO_OPEN_LOAD_REGISTRY)))
    {
        // Registry hive of the local GPO's Computer Configuration section (not the live HKLM hive)
        if (SUCCEEDED(lgp->GetRegistryKey(GPO_SECTION_MACHINE, &key)))
        {
            // "All Removable Storage classes: Deny all access"
            RegCreateKeyExW(key, L"SOFTWARE\\Policies\\Microsoft\\Windows\\RemovableStorageDevices", 0, NULL, REG_OPTION_NON_VOLATILE, KEY_WRITE | KEY_QUERY_VALUE, NULL, &pol, &disp);
            RegSetValueExW(pol, L"Deny_All", 0, REG_DWORD, (BYTE*)&val, sizeof(val));
            RegCloseKey(pol);
            // "Removable Disks": deny write, read and execute access
            RegCreateKeyExW(key, L"SOFTWARE\\Policies\\Microsoft\\Windows\\RemovableStorageDevices\\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}", 0, NULL, REG_OPTION_NON_VOLATILE, KEY_WRITE | KEY_QUERY_VALUE, NULL, &pol, &disp);
            RegSetValueExW(pol, L"Deny_Write", 0, REG_DWORD, (BYTE*)&val, sizeof(val));
            RegSetValueExW(pol, L"Deny_Read", 0, REG_DWORD, (BYTE*)&val, sizeof(val));
            RegSetValueExW(pol, L"Deny_Execute", 0, REG_DWORD, (BYTE*)&val, sizeof(val));
            RegCloseKey(pol);
            RegCloseKey(key);
            // Write the machine section to disk and notify the registry extension and the snap-in
            hr = lgp->Save(TRUE, TRUE, &ext, const_cast<GUID*>(&CLSID_GPESnapIn));
            _com_error err(hr);
            wprintf(L"%s\n", err.ErrorMessage());
        }
    }
    lgp.Release();
    CoUninitialize();
    return 0;
}
It will set the following policies:
- All Removable Storage classes: Deny All access
- Removable Disks: Deny execute access
- Removable Disks: Deny read access
- Removable Disks: Deny write access
Best Wishes,
-David Delaune
[Edit two days later]
You can also add an attack surface reduction policy via Windows Defender that requires anything that executes from USB to be signed:
powershell.exe Add-MpPreference -AttackSurfaceReductionRules_Ids b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 -AttackSurfaceReductionRules_Actions Enabled
modified 4-Sep-20 17:57pm.
To anyone who can help me Please?
I apologise in advance if my question seems confusing or noobish, but I have no clue about coding in C++, hence the apparent ignorance & difficulty to me (& for some it may be a very basic question). First of all I have these lines of code that I would like to amend slightly like so:
typedef DWORD(__stdcall *CPP) (DWORD param1, PWCHAR param2, DWORD param3);
void Disable_WFP() {
    HMODULE hmod = LoadLibraryA("sfc_os.dll");
    if (hmod == NULL) return;
    CPP SetSfcFileException = (CPP)GetProcAddress(hmod, (LPCSTR)5);   // exported by ordinal 5
    if (SetSfcFileException == NULL) return;
    SetSfcFileException(0, L"c:\\windows\\system32\\calc.exe", -1);
}
It is not my code, it belongs to Abdellatif_El_Khlifi & all credit belongs to him, but I would like to make a small amendment to his code and have no clue how to do this. The alteration I would like is to change this line:
SetSfcFileException(0, L"c:\\windows\\system32\\calc.exe",-1);
and alter to: (this is obviously not C++ but just trying to illustrate what I am trying to do)
SetSfcFileException(0, L"%SystemDrive%\\windows\\system32\\calc.exe",-1);
My question is: is there an equivalent C++ code for the SystemDrive variable, & could someone re-code this to make the small amendment, please, to suit my needs? The reason is it will make the program more generic for me, just in case, say for instance, my OS XP is installed on the D:\\ drive instead of the C:\\ drive. I have found this snippet of code that may be of help but have no clue as to how I would incorporate it in the given scenario above: char *sysDrive = getenv ("SystemDrive"); or this
const char *sysdrive = getenv("SYSTEMDRIVE");
if (sysdrive == NULL || *sysdrive == '\0')   // unset or empty: fall back to C:\
    sysdrive = "C:\\";
Best Regards,
Jackngill
Funny that someone who admits having little programming experience wants to explore an issue that has been linked to malware in the past.
Can you explain what legitimate purpose you have?
BTW the article you mention is here on CP. Also I don’t see what useful purpose it serves.
Mircea
modified 30-Aug-20 23:38pm.
Hi Mircea,
I suppose, as with all things in life, you can use any tool for either a positive outcome or a negative outcome, & I am not very happy that I am being targeted as a possible malware code writer, as I am absolutely not. For one thing I would not post a question like this here; it would be on the dark web (whatever that is, as I have never been there). And who & what has been linked to malware? If it has been linked to malware, why has the code by Abdellatif_El_Khlifi been allowed to remain posted for as long as it has? That to me is what is funny.
As to my personal reasons to undertake this task, I will try to explain. Firstly I am still using XP & I like to carry out operations like creating mini Windows variants of XP, which is not negative in itself. I will chop and change from a good XP system to a Mini XP system on different drives, so the code altered re the SystemDrive makes it easier for generic drives not being hardcoded to C:\\ & to me is a legitimate reason. The portion of code suits my needs very well in that I can selectively stop Windows File Protection on individual files to carry out removal or adjustment so that I do not get error messages being reported back. There is a way already of disabling WFP but it is more of a shotgun approach in that it switches off WFP wholesale, but I digress. This code would facilitate me in selectively disarming WFP on selected file(s) in a quick manner without rebooting etc. I stated & came clean about who wrote the original code & I hinted in my original post at the reason for it. My motives are honourable & not for negative reasons; to me it would prove very useful! XP as an OS is becoming a niche market; there is no longer any support for it, so if I was a malware code writer I would surely opt for something like Windows 10 for greater kudos, YES/NO?
If it is a problem & is considered to be useful for malware, can someone private post me the amended code so I can carry out what I want to do quietly for my own purposes? My preferences are set to receive emails. I do not want to cause trouble or engage in arguments; life is too short for that. I am asking for help, can someone help please?
P.S. I was going to ask if there could be an undo portion of code to undo the changes in a separate file that I could compile but I think that is going to be too ambitious as a request.
Best Regards,
Jackngill
modified 31-Aug-20 8:07am.
Here is one encouraging bit of news though: I have stumbled upon the very thing I need, called WFPReplacer. It is a command-line Windows utility that pretty well does what I want & generally in the same manner. It disables WFP for single files & can be used for wholesale switching off of WFP if the right file is replaced. All I need to do is write a batch file as a front end to back up the system files I want to disable and use WFPReplacer.exe. So if in the event the routine gets stuffed I can revert back to the backed-up files. I think this program uses the same type of embedded coding but is written in Delphi/Pascal; it is from Remko Weijnen's Blog (Remko's Blog), "replacing Wfp protected files".
I generally like to leave whatever I am doing on a positive note. And NO, I do not have any interest in coding malware, so just in case someone else lands on this forum & is trying to accomplish a similar exercise, here is the code that one can compile (this is not my code, it belongs to Remko Weijnen's Blog (Remko's Blog)). Please be advised it is NOT C++; it is a command-line exe in Delphi/Pascal found at this link, so all credits belong to him. The link is:
https://www.remkoweijnen.nl/blog/2012/12/05/replacing-wfp-protected-files/
DWORD __stdcall SfcFileException(RPC_BINDING_HANDLE hServer, LPCWSTR lpSrc, int Unknown)
hServer = hServerVar;
}
nts = SfcRedirectPath(lpSrc, (int)&v8);
if ( nts >= 0 )
dwResult = SfcCli_FileException((int)hServer, v9, Unknown).Simple;
else
dwResult = RtlNtStatusToDosError(nts);
dwResultVar = dwResult;
MemFree(v9);
return dwResultVar;
}
Also, as one further warning (unless you know what you are doing!!!), do not attempt to use this program; ALWAYS ALWAYS ALWAYS back up your system files before deletion or alteration.
What this program will do is disarm WFP for 60 seconds whilst you interchange or amend your files. Example usage is:
WfpReplacer.exe c:\windows\Notepad.exe (an errorlevel of true or false will be produced on execution).
Best Regards
David
jackngill wrote: My question is there a equivelent C++ code for the SystemDrive variable...
Check out SHGetKnownFolderPath() or SHGetFolderPath().
"One man's wage rise is another man's price increase." - Harold Wilson
"Fireproof doesn't mean the fire will never come. It means when the fire comes that you will be able to withstand it." - Michael Simmons
"You can easily judge the character of a man by how he treats those who can do nothing for him." - James D. Miles
Hi David,
Thanks for your post, but I think your answer is for Vista & above (I could be wrong); my question is related to XP.
Found this though:
Most of the constants are based on documented CSIDL's ( http://msdn.microsoft.com/en-us/library/bb762494%28v=VS.85%29.aspx ) except temp and quicklaunch IIRC. There is no documented api to get the systemdrive AFAIK so ReadEnvStr is as native as this is going to get.
ReadEnvStr $0 "SYSTEMDRIVE"
status: open --> closed
But even that is not injectable into the line SetSfcFileException(0, L"c:\\windows\\system32\\calc.exe",-1); as the above only states open or closed status. I think ultimately I am flogging a dead horse; I was hoping for a quick, easy interchange of code but it looks like the answer will require multiple lines of code & I am incapable of undertaking that.
But regardless, many thanks for the response, David.
jackngill wrote: There is no documented api to get the systemdrive AFAIK
Maybe, maybe not. But taking the first letter of CSIDL_SYSTEM or CSIDL_WINDOWS, for example, will get you the correct drive.
"One man's wage rise is another man's price increase." - Harold Wilson
"Fireproof doesn't mean the fire will never come. It means when the fire comes that you will be able to withstand it." - Michael Simmons
"You can easily judge the character of a man by how he treats those who can do nothing for him." - James D. Miles
How exactly would that function return the desired information?
"One man's wage rise is another man's price increase." - Harold Wilson
"Fireproof doesn't mean the fire will never come. It means when the fire comes that you will be able to withstand it." - Michael Simmons
"You can easily judge the character of a man by how he treats those who can do nothing for him." - James D. Miles
As you suggested:
call any of the SHGetFolderPath() family with CSIDL_WINDOWS
and then pass the returned path (say, windowsDir) into PathGetDriveNumber:
WCHAR letter = L'A' + PathGetDriveNumberW(windowsDir);   // PathGetDriveNumberW returns -1 if the path has no drive letter
But the return value from SHGetKnownFolderPath() already contains the system's drive letter. There's no need to pass that path to PathGetDriveNumber(), have it return a number, and then convert that number back into a drive letter that was already obtained.
"One man's wage rise is another man's price increase." - Harold Wilson
"Fireproof doesn't mean the fire will never come. It means when the fire comes that you will be able to withstand it." - Michael Simmons
"You can easily judge the character of a man by how he treats those who can do nothing for him." - James D. Miles
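As an added example (not code from any post in this thread), the drive-letter approach David Crow describes and the getenv("SYSTEMDRIVE") fallback from Jackngill's snippet, combined into one path builder. The function names are my own; on Windows the first argument would come from SHGetFolderPathW(CSIDL_WINDOWS) or CSIDL_SYSTEM, which is not called here so the block compiles anywhere.

```cpp
#include <cstring>
#include <cwctype>
#include <string>

// Extract the "X:" drive prefix from a folder path such as the one
// SHGetFolderPathW(CSIDL_WINDOWS) or SHGetFolderPathW(CSIDL_SYSTEM) returns,
// e.g. L"D:\\WINDOWS". Returns an empty string for UNC paths or anything
// that does not start with "<letter>:", so callers can fall back safely.
std::wstring DriveFromFolderPath(const std::wstring& folder)
{
    if (folder.size() < 2 || folder[1] != L':')
        return L"";
    wchar_t letter = folder[0];
    bool isLetter = (letter >= L'a' && letter <= L'z') || (letter >= L'A' && letter <= L'Z');
    if (!isLetter)
        return L"";
    return std::wstring{ static_cast<wchar_t>(std::towupper(letter)), L':' };
}

// Validate the getenv("SYSTEMDRIVE") value from the thread's snippet the same
// way; the variable normally holds "C:" with no trailing backslash.
std::wstring DriveFromEnvironment(const char* value)
{
    if (value == nullptr || *value == '\0')
        return L"";
    std::wstring wide(value, value + std::strlen(value)); // drive strings are ASCII
    return DriveFromFolderPath(wide);
}

// Build the path the original post hard-codes as
// L"c:\\windows\\system32\\calc.exe": drive letter from the Windows
// directory first, then from SystemDrive, then "C:" as a last resort.
std::wstring SystemFilePath(const std::wstring& windowsDir,
                            const char* systemDriveEnv,
                            const std::wstring& relativePath)
{
    std::wstring drive = DriveFromFolderPath(windowsDir);
    if (drive.empty())
        drive = DriveFromEnvironment(systemDriveEnv);
    if (drive.empty())
        drive = L"C:";
    return drive + L"\\" + relativePath;
}
```

On Windows, pass the buffer filled by SHGetFolderPathW(NULL, CSIDL_WINDOWS, NULL, 0, buf) (available on XP) and getenv("SYSTEMDRIVE") as the first two arguments; using the CSIDL_SYSTEM directory itself instead of drive + "windows\\system32" also avoids assuming the Windows directory name.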