Thursday, September 15, 2005

Distrust

On Monday, I had a particularly trying time with Windows. I had the following symptoms:
  • Clicking anything - link or button - in Internet Explorer hung the process
  • Outlook would randomly hang
  • MSN Messenger would randomly hang

When these processes hung, nothing would kill them. I could kill from Task Manager or Explorer or Process Explorer or even attaching in Visual Studio and Stop Debugging - and the damn things kept going. I was even unable to log off or shut down. Hard resets do work, but then I've yet to find anything that wasn't affected by a power off!

What do these things have in common? Well, I figured it was a networking thing. Particularly the IE thing. I tried Firefox, and lo and behold, it works! "Hmm." thinks I. "Well, I guess I could live with Firefox rather than IE, and I rarely use MSN, but Outlook is a problem." I went looking for info on WinInet crashes, and found variants of viruses - but none present on the machine. I was thinking that only device drivers caused hanging like this - but I can't exactly do without network connectivity, either.

I eventually managed to get MS Symbol Server support in Visual Studio (don't forget to copy the new symsrv.dll over the old VS one!) and broke into a process to narrow it down... and guess what IE does when you click a link, or Outlook receives an e-mail, or a contact signs in on MSN?

I was annoyed at not having clicked earlier, but I don't have speakers or headphones on the work machine, and so I'd completely forgotten about - the soundcard. Indeed, it was crashing deep, deep within PlaySound... I assume that it was DeviceIoControlling and hung up waiting for the device driver IRP.

Now, I'm not going to blame Microsoft for the awful SoundMAX device drivers*. Since I don't use the sound anyway, I just turned it off in the BIOS - and now everything works just fine. What I will blame them for, however, is what it is that keeps a process alive if it's waiting for a hung device driver - the "hung IRP problem". It would be so easy for Windows to be able to at least provide me with the information saying which driver is hung. If Mark Russinovich can identify the IRP owner, the Windows team should have no trouble.

Why is this behaviour still here? I've encountered it numerous times. I know that ideally we'd all have bug-free drivers - but that never, ever, ever happens, and WHQL is not a guarantee. And as an end-user (in this particular situation) I'm not going to run checked builds of XP, am I?

As Ice Age quote Blake's 7, "Trust is a hard thing to come by these days". Yet I wish that Microsoft would trust less, so that we can trust it more.

According to my father, who is battling with USB devices, the USB drivers in Windows are also poor. You'd hope that if a USB device deviated from the standard that Windows would step on it and disable it, hopefully putting a helpful message in the Event Log... at least, you'd hope it wouldn't do what it does, which is to hang the entire machine without any information. Or spontaneously reset.

Third parties are inherently untrustworthy. We don't write software with the expectation that the user will never click the wrong button, nor should we write libraries with the expectation that people will not break the preconditions. I lock my car and set its alarm, not because I actually expect people to break in, nor because it will stop 100% of all car thieves - but because the protection is sensible.

Microsoft is learning... slowly, too slowly, but learning.

Are you?

I wonder whether I could craft a special USB device that would give me code execution at Ring 0? I can crash it; I wonder if it has an exploitable buffer overflow. The ultimate hacker tool - walk into a bank, open an account, ask for a cup of coffee, then when the assistant walks out to get it, whip the device in the machine. Five seconds later, it's installed a keystroke logger - at kernel level - and I take it back out. The assistant comes back and is pissed because his machine is hung, so I leave and receive his and everyone else's logins and passwords when he reboots.

Sigh. Maybe if I make up enough stories like that one, someone will fix the bugs.

* Why are soundcards still dreadful? I remember a trying time with Gravis' Ultrasound card (a dark red, full-length ISA card), and crashes with SoundBlaster clones - but surely things have improved?
