- Feature Articles
- CodeSOD
- Error'd
-
Forums
-
Other Articles
- Random Article
- Alex's Soapbox
- Announcements
- Best of…
- Best of Email
- Best of the Sidebar
- Bring Your Own Code
- Coded Smorgasbord
- Mandatory Fun Day
- Off Topic
- Representative Line
- News Roundup
- Editor's Soapbox
- Software on the Rocks
- Souvenir Potpourri
- Sponsor Post
- Tales from the Interview
- The Daily WTF: Live
- Virtudyne
Admin
Isn't it obvious? Chris killed Charles and absorbed all his power, experiences, and job responsibilities. There can be only one CSR!
Admin
Google is your friend. Use "Chris Carmichael"
Admin
even so it's an abysmal idea if it's used in either circumstance
Admin
This is TRWTF:
This should obviously be replaced by:
Microsoft, I expect this fixed in the next service pack, along with all the other things random anonymous people complain about on the internet.
Admin
OK, less sarcastically, I don't get that position. Pretty much at all. Yes, spaces makes some things less convenient, but it makes lots of other things more convenient, especially in the GUI world, where there's essentially zero problems because of spaces. Even in the command line and scripting world, it's usually only a somewhat mild inconvenience because now you have to type a few more quotes or escapes.
But computers are here for humans to use. We use spaces, very reasonably. Why should I have to call a file "01_In_The_Flesh"? It's called "In The Flesh"! Computers should be programmed to match our thinking as best as possible, not the other way around. "You shouldn't be able to use spaces in file names" is, IMO, almost the quintessential example of the exact wrong way to think.
Also, you have some chronology messed up. But whatever. And none of this is really intended to justify the Windows behavior of just trying different breaks between commands and arguments, though I do suspect their hand may have been forced a little because of backwards compatibility problems.
Admin
"MMPORG"? Massively Multiplayer Playing Online Role Game, Alex?
Admin
Windows 95, 98 & ME also stored names like c:\progra~1 for backwards compatibility. The 1 at the end would change to a 2 and so forth to prevent collisions, but I guess somehow it failed here. Perhaps the badly-written program was doing something directly that triggered a filesystem bug?
Admin
Sorry, it's not working for me. I'm not intent on proving that an incorrectly quoted command line will run C:\PROGRAM.EXE because that's obvious. What I'd like to see is an example where an incorrectly quoted command line will cycle through the spaces until it finds a runnable program then split the rest off as the argument list.
CMD.EXE uses CreateProcess because that's the only way to create a process. CMD must do some processing on the command line before calling CreateProcess to ensure the wrong behavior doesn't pop up.
In XP CMD:
In XP Window-R run program
In XP Window-R run program
In Windows XP
STARTUPINFOA siStartupInfo; PROCESS_INFORMATION piProcessInfo; memset(&siStartupInfo, 0, sizeof(siStartupInfo)); memset(&piProcessInfo, 0, sizeof(piProcessInfo)); siStartupInfo.cb = sizeof(siStartupInfo); if (CreateProcessA(NULL,_strdup("c:\\program files\\Malwarebytes' Anti-Malware\\mbam.exe -hello"), 0, 0, FALSE,CREATE_DEFAULT_ERROR_MODE, 0, 0,&siStartupInfo, &piProcessInfo) != FALSE); WaitForSingleObject(piProcessInfo.hProcess, (5000)); exit(0);... ooh, that works. Now find me an example that is accessible by users.
Admin
This seems to be talking about pre-NT windows-32. So before XP, like win95 perhaps. At least before NTFS which has native long filename support.
Admin
Two things are infinite: the universe and human stupidity; and I'm not sure about the the universe. -Al E.
Admin
[quote user="deckard"][quote user="Andrew"][quote user="deckard"] CreateProcess is the function that creates processes, so what's left for you to miss? Cmd.exe imports it just like every other Win32 subsystem application that launches other processes. [/quote]
Then why does cmd.exe empirically not work this way?[/quote]
Because it parses the command line itself. It doesn't just hand it straight to CreateProcess.
Admin
I would imagine that many apps use CreateProcess internally to run other processes. Any of these would trigger the problem.
Admin
So, it was McAfee after all.. I had a feeling that it was NAV but I was wrong.
Admin
Hm, I want to run program x and pass it arguments y and z;
Do I pass a program name and args
createProcess("unambiguous x that doesn't need quotes", "y z")
or do I needlessly append a bunch of strings
createProcess(NULL, ""x that most likely needs quotes" y z") ???
Tough choice...
Admin
I was actually playing EverQuest in 2006, and frequented the forums. Never once seen a thread about it, and something this large would definitely have a bunch of long locked threads. Additionally a good amount of people on the server I play on knew me as the guy to ask when ya have tech problems, can't say I ever heard of anything like this.
Admin
Considering what site I'm on I know what I'm guessing...
Admin
Woah woah woah......
We all know it's WINWORD.EXE, not WORD.EXE
Admin
Piss people off by creating booty trap files with things such as hyphen as the first character.
Admin
Piss off windows users by creating folders with names beginning with a space.
Admin
For those who refuse to believe:
http://xato.net/hardening/the-programexe-problem
From 2007. (I found it while trying to see if I could find who wrote such a stupid way of handling "infected" files.) "Microsoft has been aware of this issue since Windows NT 4". So definitely not just a Windows 95 thing.
This is probably an example, with XP SP2: http://www.computerforum.com/49546-tons-cpu-hogging-program-exes.html
And it could be worse... there were installers for stuff on OS X that didn't quote path names in shell scripts. And the default name of the hard drive volume is "Macintosh HD". But the root volume's name doesn't appear as part of the path hierarchy; you have to mount a volume with a space in the name to see this kind of problem! (Also, users can create folders with spaces in the name, etc.)
Admin
I once worked somewhere which insisted on using a locally manufactured antivirus solution because it was locally manufactured, not because it worked.
One of the interesting properties of this antivirus package was that it stripped all paths to all executables of all quote marks within the entire Windows Registry, so that all document file extensions attempted to launch "C:\Program.exe" when a file was double-clicked in Windows Explorer.
Of course, management was angry with me for pointing this out and reminded me quite sternly that it was strict policy to use local suppliers where available.
Admin
just saying....
Admin
I should be able to create that filename in Windows, right?
I should be able to dump whatever random garbage I want into my computer and it will sift it all out, right?
I should never have to learn anything or follow any rules to use the most complicated piece of machinery ever built -- the only major invention that leverages your mind not your dumb brute strength. There should be no investment at all on my part for the incredible benefits I will receive. You take a class and pass a test to operate a simple steering wheel, gas pedal and brake, but no training for computers! They're special! They're ideal for the dumbest of the dumb! We want a world where our computers are all smarter than we are!
I wish I could ship you all to another planet.
Admin
More importantly, it doesn't try to guess what a space means. If a command contains a space, it's always interpreted as a separator unless quoted or escaped.
Admin
You're looking at two quite different things: a command line parser, and an API. The parser is probably what's preventing this behavior from being a problem. It's the same with path separators; Windows accepts / as a path sep, but most command-line parsers depend upon it for options, and so can't use it for paths. But quotes can sometimes override that; I can, on XP, type:
copy con "/path/filename"
and it creates that file in that path.
CreateProcess has a gotcha that almost nobody will ever discover except through massive confusion like this.
Admin
As much as I hate M$, I have to agree with you. The antivirus was to blame here and was VERY poorly designed. This could, and probably did, result in actual malware being run repeatedly. Kind if the opposite of what it was supposed to do.
+1 Internets to you, Sir, for your use of the Captcha.
Captcha: abigo. "That antivirus was abigo pile of WTF."
Admin
To clarify:
So, while the WTF is plausible, it seems limited to systems where (a) #3 works differently (I'm on Win7, I think someone mentioned it working differently in Vista) and (b) InterferAV dumps quarantined stuff in C:\ (presumably due to failing to check for a botched environment variable or something).
Admin
Those that defend Microsoft have a valid point about backwards compatibility. My argument is that Windows took a long time to be not junk as a result of that because DOS was garbage. A hobby OS bought at the last minute that was not fit for purpose. It's up there with IE6. The problem isn't how bad it is/was, but the fact that it has to break so much stuff in the future.
You can claim they need to do backwards compatibility, but it would be nice for them to build their foundations out of stone rather than straw. Though to be fair, we are talking history now, we just all wish history went a different way.
Admin
Or possibly (a') #3 is replaced by some other thing that eventually reaches CreateProcess(). I don't grok the details of that one so I'll just file it under "maybe" and let other folks continue to work it over.
Admin
And let's also not forget that you can use Nt/ZwCreateProcess directly and get yet a different set of behavior...
Admin
Therefore: you make what the people want, first; second, you make it correct. If you reverse the two, you'll find yourself in a position where it is irrelevant whether you ever make anything at all.
Admin
TRWTF is updating the executable, rather than data, every time there's a new game released.
Admin
I actually have a live case of a program being that brain dumb: http://en.wikipedia.org/wiki/Hercules_%28video_game%29
After installation on a Windows '95 machine, the game's main program icon was pointing to 'C:\Program'.
Admin
... And that is where you would be wrong.
It is, was, and would be very rare for a Windows app to use CreateProcess unless it was a script or an app ported from another OS.
Not to say that it would never happen, but it's rare enough that I've be reading and writing Windows apps for 15 years and I've never seen it happen except in VB or OpenSource apps.
All current versions of Windows have a light-weight thread API, and a clunky create-process API (I understand that in unix it's the other way around??), and it's standard to call functions from standard Dynamic Link Libraries rather than from standard executables (I understand that in unix it's the other way around??)
Admin
That might be true. Perhaps you are too young to remember that IE6 became the dominent browser because it was so much better than the market leader.
Kind of like FF.
Admin
Admin
Unfortunately I'm not too young to remember that. Ahh the bad old days of dealing with Netscape 4.7 and the like.
Hmm, maybe the fault of the IE6 legacy was the integrating of OS and Browser for political reasons rather than technical ones, making the upgrade path at the time more difficult.
I must admit though, the continuation of Netscape as the Mozilla sweet was awful, until somebody decided it was time for a full re-write as Phoenix, I mean Firebird, I mean Firefox.
Admin
Norton, Symantec, McAfee, take your pick. Whenever any anti-virus software-induced s**t happens it's almost certainly one of those.
Admin
I know for a fact that Windows 95 and Windows 98 did, in fact, behave in this way. I have a dim recollection that Windows 2000 did too, but I'm not sure enough about that.
And yes, it's a horrid bug, and, yes, it is, primarily, Microsoft's fault.
Shachar
Admin
Mmmm Mozilla sweets*.
suite
Admin
This also identifies the AV product as AVG... well whaddya know, A/V braindamage that isn't Symantec/Norton/McAfee.
Admin
I'm not sure it was McAfee, if you look at the info from the guy who sent the registry dump it was AVG. OTOH it sounds like exactly the sort of thing that McAfee would do, seeing AVG there was a bit of a surprise.
Admin
AVG appears to have been on the system when the registry dump was generated, but the poster said he'd uninstalled McAfee. There would be no need to have McAfee on there, the process could be: (1) McAfee makes "C:\program.exe", (2) McAfee gets deleted and replaced with AVG, (3) McAfee is gone but "C:\program.exe" lingers, continuing to cause the trouble.
It definitely sounds like something that one of the big bloatware flavoured AV programs would do!
Admin
Sure . I didn't know to this day that you could simply C:/Program Files/whatever/exe.exe without using the double quotes - maybe I'm too holy for windows --
Admin
And the fact that it does all that in Windows is the icing on the poison.
Admin
And that restricts us to ultima online and what other mmo ?
Admin
And there I was thinking it must've been an old MMO for that windows 9x problem to arise ...
Admin
DOOM has cheat codes. One of them allows you to change to desired level (idclev).
Admin
And how would you know ? If you're such an ignorant as to think Windows is NOT responsible of the major fail here, how could your point of view be worth a shit ?
Programs are allowed to be shittier than OS's and that's the point in Linux too - it's just that here the OS is such a piece of crap that AV software doing that is just par for the course.
Admin
Interesting. Was not aware of this.
But ayup, at the CMD line I'm certainly able to replicate this under Windows 7. (copied notepad.exe to the root, renamed it program.exe and then tried to execute
Program Files\Internet Explorer\iexplore.exe
Notepad came up and gave me a file not found error. VERY interesting.