Windows 8 Bluescreens
Posted: September 24, 2011 Filed under: Windows Internals
There are always silly articles when a new version of Windows is leaked or becomes available for preview. Windows was once supposed to have a chartreuse screen of death when Vista was released. This is the “new” BSOD, at least so far.
It’s perhaps too cute to make the release, but it’s functional, considering that in most instances I am troubleshooting from the crash dump or the event log so it’s not as important that I have the specific bugcheck code on the screen.
Unfortunately, some vendors’ drivers will make this screen harder to diagnose from; Intel provides the storage drivers for virtually all of their desktop boards, including our Dells at SATV and my laptop. When that driver crashes the machine, it does so with a bugcheck code of 0x8086, which is a “vendor defined” code that is nowhere to be found in a search. It means you need to bug Intel for a driver fix. I’m not sure if that code will present itself in this blue screen.
I have a suggestion for a new blue screen design:
Bad Hardware Day: More on Hardware Bluescreens
Posted: July 1, 2010 Filed under: Windows Internals
I was hoping not to follow up to my last post.
Sure I wasn’t.
I have had bluescreens and other odd behavior for the two days since I last posted.
That’s my MSI K9N Neo F AMD/nVidia based motherboard. Four years ago to the month, it replaced another MSI board that died prematurely due to bad capacitors.
Guess what we see in the image above? Note the swollen tops of two capacitors just above the PCIE connector.
Note this too:
The CMOS battery—which is not the exact one in the photo, I changed it out—was reported bad.
Its voltage was completely flat when I put it in my battery tester. It also was corroded. You may be able to see some ugly brown residue from who knows what on the battery holder, just above the capacitor. Whatever it is, it has gotten to the board, as seen at the lower left side of the battery holder.
When I discovered all this, I was trying to decode the Machine Check Status code I posted last time. I wasn’t really happy with my non-answer and wanted to find the definite source.
Since I have an AMD processor, I found the AMD manuals. I’ll give a link to the Intel equivalents, but I mention AMD because I had a hard time tracking down their reference material, whereas Intel is mentioned everywhere in searches.
These are the AMD manuals I refer to:
- BIOS and Kernel Developer’s Guide for the AMD Athlon™ 64 and AMD Opteron™ Processors
- AMD64 Architecture Programmer’s Manual Volume 2: System Programming
I’ll use a crash dump I got today (one of 4!!!). Unlike the last time I saw a defective motherboard bluescreen, these bluescreens are remarkably consistent, all with a bug check code of 0x124 (WHEA_UNCORRECTABLE_ERROR) with nearly the same status codes from what I’ve been able to tell. It’s a testament to the much-improved error handling in Windows Vista and Seven. I’m going to skip most of the debugger output, since that’s in my last post, and go to the specific processor machine check:
!errrec fffffa800528a038
[…]
===============================================================================
Section 2 : x86/x64 MCA
-------------------------------------------------------------------------------
Descriptor @ fffffa800528a148
Section @ fffffa800528a2d0
Offset : 664
Length : 264
Flags : 0x00000000
Severity : Fatal
Error : BUSLG_OBS_ERR_*_NOTIMEOUT_ERR (Proc 0 Bank 4)
Status : 0xb200001000010c0f
.formats 0xb200001000010c0f
Evaluate expression:
Hex: b2000010`00010c0f
Decimal: -5620492266238833649
Octal: 1310000001000000206017
Binary: 10110010 00000000 00000000 00010000 00000000 00000001 00001100 00001111
Bits Mnemonic Description
63 VAL Valid
62 OVER Status Register Overflow
61 UC Uncorrected Error
60 EN Error Condition Enabled
59 MISCV Miscellaneous-Error Register Valid
58 ADDRV Error-Address Register Valid
57 PCC Processor-Context Corrupt
56–32 Other Information
31–16 Model-Specific Error Code
15–0 MCA Error Code
In our status code, bit 63 is set so it is valid. Bit 62 is unset so there’s no overflow. Bit 61 indicates an uncorrected error and bit 60 indicates an error condition enabled. Bit 57 is set and indicates processor context corrupt.
OK, it’s a fatal error and couldn’t continue.
Other information in bits 56-32 is not set but the documentation says that the field is used for, amongst other things, ECC information, which I just do not have in that (or any) client PC. (SATV may have a server with ECC memory. Someday.) Bits 31-16 (the third word) are for the model-specific error code.
The model-specific error code is 00000001b. I have an Athlon X2 4800+ Brisbane CPU that is at least three years old; the AMD documentation says I should look up the error code in a manual specific to that CPU but I couldn’t find one on their website. I would expect to see that field used on Opterons, their server CPU.
Moving on to the MCA error code, the last word, bits 15-0, is:
Binary: [omitting the first three words] 00001100 00001111
The MSB in binary, 00001100, indicates a bus error, so I’ll use this field to decode it: 0000 1PPT RRRR IILL, where PP is Participation Processor, T is Timeout, R is Memory Transaction Type, I means Memory or I/O and L is Cache Level.
PP is 10b, “Local Node Observed Error as Third Party (OBS)”. OK, whatever.
The timeout bit is not set so I presume it wasn’t something timing out.
R is 00b and that is a Generic error, which I assume to be “error not otherwise categorized”.
I is 11b, and that is also a generic error (“Something bad happened but I don’t know where?!”)
L (cache) is also 11b and also generic.
All this work by hand to get this error message:
Error : BUSLG_OBS_ERR_*_NOTIMEOUT_ERR (Proc 0 Bank 4)
But you almost have to read the manual anyway just to skim the keywords as this message is composited from several keywords that describe specific types of errors and where and how they were found by the CPU that incurred the machine check. (FYI, most of the relevant information was gotten from the AMD BIOS and Kernel Developer’s guide, pages 120-130 of Chapter 3, “Memory System Configuration” and all of Chapter 5, “Machine Check Architecture”.)
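The hand decode above, written out as a small Python decoder. This is an added example, not code from the original post: the flag bits and the 0000 1PPT RRRR IILL layout come from the text, the sub-field values not seen in this dump are the standard MCA encodings, and the labels "GEN" (generic PP) and "*" (generic II) are assumptions chosen so the composed string matches what the debugger printed.

```python
"""Decode MCi_STATUS with the bit layout and bus-error format described in the post."""

# Flag bits from the table in the post: (bit position, mnemonic).
FLAG_BITS = [(63, "VAL"), (62, "OVER"), (61, "UC"), (60, "EN"),
             (59, "MISCV"), (58, "ADDRV"), (57, "PCC")]

# Sub-field mnemonics for a bus error code, 0000 1PPT RRRR IILL.
# The post walks through only the values in this dump; the other entries are
# the standard MCA encodings. "GEN" and "*" are labels chosen here (assumption)
# so that the composed string matches the one !errrec printed.
PP = {0b00: "SRC", 0b01: "RES", 0b10: "OBS", 0b11: "GEN"}
T = {0: "NOTIMEOUT", 1: "TIMEOUT"}
RRRR = {0: "ERR", 1: "RD", 2: "WR", 3: "DRD", 4: "DWR",
        5: "IRD", 6: "PREFETCH", 7: "EVICT", 8: "SNOOP"}
II = {0b00: "M", 0b01: "RSVD", 0b10: "IO", 0b11: "*"}
LL = {0b00: "L0", 0b01: "L1", 0b10: "L2", 0b11: "LG"}


def status_from_bugcheck_args(arg3, arg4):
    """Join bugcheck 0x124 Arg3 (high 32 bits) and Arg4 (low 32 bits)."""
    return ((arg3 & 0xFFFFFFFF) << 32) | (arg4 & 0xFFFFFFFF)


def decode_bus_error(code):
    """Split a 16-bit MCA error code of the form 0000 1PPT RRRR IILL.

    Returns None when the code is not a bus error, so callers do not
    misread TLB or memory-hierarchy codes with the bus layout.
    """
    if (code & 0xF800) != 0x0800:
        return None
    fields = {
        "PP": PP[(code >> 9) & 0b11],
        "T": T[(code >> 8) & 0b1],
        "RRRR": RRRR.get((code >> 4) & 0xF, "RSVD"),
        "II": II[(code >> 2) & 0b11],
        "LL": LL[code & 0b11],
    }
    fields["mnemonic"] = "BUS{LL}_{PP}_{RRRR}_{II}_{T}_ERR".format(**fields)
    return fields


def decode_status(status):
    """Decode the 64-bit MCi_STATUS value into the fields from the table."""
    flags = [name for bit, name in FLAG_BITS if (status >> bit) & 1]
    mca_code = status & 0xFFFF
    return {
        "flags": flags,
        "other_info": (status >> 32) & 0x1FFFFFF,   # bits 56-32
        "model_specific": (status >> 16) & 0xFFFF,  # bits 31-16
        "mca_code": mca_code,                       # bits 15-0
        "bus_error": decode_bus_error(mca_code),
    }


if __name__ == "__main__":
    # Arg3/Arg4 as shown by !analyze -v for this crash.
    status = status_from_bugcheck_args(0x00000000B2000010, 0x0000000000010C0F)
    decoded = decode_status(status)
    print(f"status         : {status:#018x}")
    print(f"flags          : {' '.join(decoded['flags'])}")
    print(f"other info     : {decoded['other_info']:#x}")
    print(f"model specific : {decoded['model_specific']:#06x}")
    print(f"MCA error code : {decoded['mca_code']:#06x}")
    if decoded["bus_error"]:
        print(f"bus error      : {decoded['bus_error']['mnemonic']}")
```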
For most people it’s just enough to know the board was bad, but I hated the way I closed out my last post (“oh, I don’t know what the MCI status is and I don’t care!”) and I wanted to know this stuff. I still don’t know what “Bank 4” refers to, if it even refers to memory (I had shuffled my DIMMs around in the system hoping the error would follow a specific DIMM. Didn’t happen.)
Besides, it’ll help some poor guy or gal searching through Bing.
I know I will be making Newegg happy again very soon.
P.S. The Intel manual that describes machine checks for Intel CPUs is in two parts:
UPDATE: The NT Debugging blog has posted on the WHEA bugcheck. Geoff Chappell’s web site has an entry for 0x124 WHEA_UNRECOVERABLE_ERROR and a page describing the bug check function that WHEA invokes when it can’t fix an error.
Diagnosing Hardware Bluescreens
Posted: June 29, 2010 Filed under: Windows Internals
Screenshot from NirSoft’s BlueScreenView
This morning I was waking my computer before breakfast to check on a FedEx shipment (much needed cooling fans for my apartment!) and when my machine woke up this is what I got.
I restarted it and the BIOS told me, “could not read disk, press Ctrl-Alt-Del to restart”. I power-cycled the machine and got Windows to boot.
I checked my hard drive with Crystal Disk Info, but found nothing out of line in the SMART data—in fact, my terabyte HD, nearly a year old, has never had an error or a remapped sector or anything odd. Had my partition table been truly corrupted, that would usually cause another bluescreen when I tried to boot.
OK, Windbg:
0: kd> !analyze -v
[banner omitted]
WHEA_UNCORRECTABLE_ERROR (124)
A fatal hardware error has occurred. Parameter 1 identifies the type of error source that reported the error. Parameter 2 holds the address of the WHEA_ERROR_RECORD structure that describes the error conditon.
Arguments:
Arg1: 0000000000000000, Machine Check Exception
Arg2: fffffa800435c038, Address of the WHEA_ERROR_RECORD structure.
Arg3: 00000000b2000010, High order 32-bits of the MCi_STATUS value.
Arg4: 0000000000010c0f, Low order 32-bits of the MCi_STATUS value.
I’d already guessed when the error happened, but to be sure, here’s the stack:
Child-SP RetAddr Call Site
fffff800`00ba8ac8 fffff800`02e2b917 nt!KeBugCheckEx
fffff800`00ba8ad0 fffff800`02fe84d3 hal!HalBugCheckSystem+0x1e3
fffff800`00ba8b10 fffff800`02e2b5dc nt!WheaReportHwError+0x263
fffff800`00ba8b70 fffff800`02e2af2e hal!HalpMcaReportError+0x4c
fffff800`00ba8cc0 fffff800`02e1ee8f hal!HalpMceHandler+0x9e
fffff800`00ba8d00 fffff800`02ed0eac hal!HalHandleMcheck+0x47
fffff800`00ba8d30 fffff800`02ed0d13 nt!KxMcheckAbort+0x6c
fffff800`00ba8e70 fffff880`03dd11f2 nt!KiMcheckAbort+0x153
fffff800`00b9cc98 fffff800`02ee013a amdk8!C1Halt+0x2
fffff800`00b9cca0 fffff800`02edadcc nt!PoIdle+0x53a
fffff800`00b9cd80 00000000`00000000 nt!KiIdleLoop+0x2c
The machine woke up to Windows, started running, and did its normal CPU idle procedure; in all modern machines, the CPU halts when it is not otherwise running user or kernel code. It’s possible the exception happened during the transition to sleep when I put the machine to bed the night before, in this event log entry:
The previous system shutdown at 11:27:54 PM on 6/28/2010 was unexpected.
OK, so it’s hardware. What is the WHEA_ERROR_RECORD?
WHEA stands for Windows Hardware Error Architecture in Vista, 2008, Seven and 2008R2. It replaces the Machine Check Architecture mechanism in earlier versions of Windows.
Parameter #2 of the bugcheck points to the hardware error record:
0: kd> dd fffffa800435c038
fffffa80`0435c038 52455043 ffff0210 0003ffff 00000001
fffffa80`0435c048 00000002 000003a0 000c1114 140a061d
fffffa80`0435c058 00000000 00000000 00000000 00000000
fffffa80`0435c068 00000000 00000000 00000000 00000000
fffffa80`0435c078 cf07c4bd 4e18b789 731fc4b3 3171b52c
fffffa80`0435c088 e8f56ffe 4cc5919c ab6588ba bb1349e1
fffffa80`0435c098 0ced40e1 01cb1314 00000000 00000000
fffffa80`0435c0a8 00000000 00000000 00000000 00000000
Right. That’s clear. Fortunately there are debugging extension commands for WHEA in the latest debugger. I’ll try them.
0: kd> !whea
Error Source Table @ fffff80003062b38
0 Error Sources
OK, not much info there, I’ll try one of the others.
0: kd> !errrec fffffa800435c038
===============================================================================
Common Platform Error Record @ fffffa800435c038
-------------------------------------------------------------------------------
Record Id : 01cb13140ced40e1
Severity : Fatal (1)
Length : 928
Creator : Microsoft
Notify Type : Machine Check Exception
Timestamp : 6/29/2010 12:17:20
Flags : 0x00000000
===============================================================================
Section 0 : Processor Generic
-------------------------------------------------------------------------------
Descriptor @ fffffa800435c0b8
Section @ fffffa800435c190
Offset : 344
Length : 192
Flags : 0x00000001 Primary
Severity : Fatal
Proc. Type : x86/x64
Instr. Set : x64
Error Type : BUS error
Operation : Generic
Flags : 0x00
Level : 3
CPU Version : 0x0000000000060fb1
Processor ID : 0x0000000000000000
===============================================================================
Section 1 : x86/x64 Processor Specific
-------------------------------------------------------------------------------
Descriptor @ fffffa800435c100
Section @ fffffa800435c250
Offset : 536
Length : 128
Flags : 0x00000000
Severity : Fatal
Local APIC Id : 0x0000000000000000
CPU Id : b1 0f 06 00 00 08 02 00 - 01 20 00 00 ff fb 8b 17
00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
Proc. Info 0 @ fffffa800435c250
===============================================================================
Section 2 : x86/x64 MCA
-------------------------------------------------------------------------------
Descriptor @ fffffa800435c148
Section @ fffffa800435c2d0
Offset : 664
Length : 264
Flags : 0x00000000
Severity : Fatal
Error : BUSLG_OBS_ERR_*_NOTIMEOUT_ERR (Proc 0 Bank 4)
Status : 0xb200001000010c0f
We’re getting somewhere. The Processor Generic section categorizes this as a bus error. Section 2 gets a bit more detailed:
Error : BUSLG_OBS_ERR_*_NOTIMEOUT_ERR (Proc 0 Bank 4)
Status : 0xb200001000010c0f
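The header fields that !errrec prints can also be recovered by hand from the 128 bytes that dd showed. The following Python is an added example, not part of the original post; it assumes the packed WHEA_ERROR_RECORD_HEADER (CPER record header) field order listed in the comment, and the GUID display names are taken from the !errrec output above.

```python
"""Parse the WHEA/CPER record header from the dd output shown in the post."""
import struct
import uuid

# dd output from the post: an address column, then four little-endian dwords.
DD_OUTPUT = """\
fffffa80`0435c038  52455043 ffff0210 0003ffff 00000001
fffffa80`0435c048  00000002 000003a0 000c1114 140a061d
fffffa80`0435c058  00000000 00000000 00000000 00000000
fffffa80`0435c068  00000000 00000000 00000000 00000000
fffffa80`0435c078  cf07c4bd 4e18b789 731fc4b3 3171b52c
fffffa80`0435c088  e8f56ffe 4cc5919c ab6588ba bb1349e1
fffffa80`0435c098  0ced40e1 01cb1314 00000000 00000000
fffffa80`0435c0a8  00000000 00000000 00000000 00000000
"""

# Assumed packed layout (128 bytes): Signature, Revision, SignatureEnd,
# SectionCount, Severity, ValidBits, Length, Timestamp, PlatformId,
# PartitionId, CreatorId, NotifyType, RecordId, Flags, PersistenceInfo,
# Reserved.
HEADER = struct.Struct("<IHIHIII8s16s16s16s16sQIQ12s")

SEVERITY = {0: "Recoverable", 1: "Fatal", 2: "Corrected", 3: "Informational"}

# Display names as !errrec printed them for the two GUIDs in this dump.
GUID_NAMES = {
    uuid.UUID("cf07c4bd-b789-4e18-b3c4-1f732cb57131"): "Microsoft",
    uuid.UUID("e8f56ffe-919c-4cc5-ba88-65abe14913bb"): "Machine Check Exception",
}


def dd_to_bytes(text):
    """Turn dd output lines back into the raw bytes they were read from."""
    raw = bytearray()
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 2:
            continue                      # blank line or a bare prompt
        for dword in tokens[1:]:          # tokens[0] is the address column
            # int() raises ValueError on "????????" (unreadable memory)
            raw += struct.pack("<I", int(dword, 16))
    return bytes(raw)


def guid_name(raw16):
    """Decode a little-endian GUID and name it if it is one seen in the post."""
    guid = uuid.UUID(bytes_le=raw16)
    return GUID_NAMES.get(guid, str(guid))


def parse_header(raw):
    """Decode the fixed 128-byte record header and sanity-check its signature."""
    if len(raw) < HEADER.size:
        raise ValueError(f"need {HEADER.size} bytes, got {len(raw)}")
    (sig, revision, sig_end, sections, severity, valid, length, stamp,
     _platform, _partition, creator, notify, record_id, flags,
     _persist, _reserved) = HEADER.unpack_from(raw)
    if sig != 0x52455043 or sig_end != 0xFFFFFFFF:
        raise ValueError("not a CPER record: bad signature")
    timestamp = None
    if valid & 0x2:                       # ValidBits bit 1: timestamp present
        # In this dump the fields are plain binary values, which is what
        # reproduces the time !errrec printed.
        sec, minute, hour, _flag, day, month, year, century = stamp
        timestamp = (f"{century:02d}{year:02d}-{month:02d}-{day:02d} "
                     f"{hour:02d}:{minute:02d}:{sec:02d}")
    return {
        "signature": struct.pack("<I", sig).decode("ascii"),
        "revision": revision,
        "section_count": sections,
        "severity": SEVERITY.get(severity, f"unknown ({severity})"),
        "length": length,
        "timestamp": timestamp,
        "creator": guid_name(creator),
        "notify_type": guid_name(notify),
        "record_id": record_id,
        "flags": flags,
    }


if __name__ == "__main__":
    for key, value in parse_header(dd_to_bytes(DD_OUTPUT)).items():
        shown = f"{value:#x}" if isinstance(value, int) else value
        print(f"{key:14}: {shown}")
```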
I’ve seen a lot of quirks with this particular system but this is a new one. I’ve often had BIOS messages that tell me,
A HyperTransport sync flood occurred on last boot
Hit F1 to Resume
Local News Site Crashes, Part 3: Resolution?
Posted: May 17, 2010 Filed under: Windows Internals
After nosing around for a while and not finding any clue on the local news site crash, it’s back to the beginning.
Does anything in the stack show up in search? Here are the top 15 or so of over 80 entries in this thread’s stack:
0:005> kv
*** Stack trace for last set context - .thread/.cxr resets it
ChildEBP RetAddr Args to Child
0301a500 695981c2 00000000 00000000 00010100 mshtml!CMarkup::DetachElemCtxStream+0x64
0301a520 69575a5e 00000000 00000000 09e34b40 mshtml!CMarkup::DetachElemCtxStream+0x30
0301a554 694b7f43 04fd6c30 10e49194 04fc3830 mshtml!CAPProcessor::Evaluate+0x21d
0301a59c 69598299 00000000 00000000 09e34b40 mshtml!CDoc::SubmitForAntiPhishProcessing+0x1c4
0301a5b4 694c4e81 0301a628 125d82b8 00000000 mshtml!CMarkup::CheckCtxInfoThreshold+0x4c
0301a5c8 694250c2 09e34b40 00000002 00000001 mshtml!CElement::AddCtxInfoHelper+0xa5
0301a5e8 69478a42 00000002 69478a4c 125d82b8 mshtml!CAnchorElement::AddCtxInfoToStream+0x1e
0301a5f0 69478a4c 125d82b8 0301a778 00000000 mshtml!CImgElement::ExitTree+0xa (FPO: [0,0,0])
0301a614 693565e0 0301a628 09e34b40 00000000 mshtml!CAnchorElement::Notify+0x142
0301a768 693559f2 0301a874 002a7ea0 00000001 mshtml!CSpliceTreeEngine::RemoveSplice+0x2eb
0301a848 69356ea9 0301a880 0301a88c 11f74090 mshtml!CMarkup::SpliceTreeInternal+0x83
0301a898 693561ea 0301a8d4 0301a910 00000001 mshtml!CDoc::CutCopyMove+0xca
0301a8b4 692fcfd6 0301a8d4 0301a910 00000001 mshtml!CDoc::Move+0x16
Local News Site Crashes, Part 2
Posted: May 17, 2010 Filed under: Windows Internals
As mentioned in my last post, a local news site was crashing on me and I wanted to learn more about what was causing it. I had the HTTP request records from Fiddler, but I didn’t think its results were conclusive enough for me. What could I find out in the debugger? It’s the first tool I run for a kernel crash (bluescreen) but I had never tried to analyze an application crash with it.
First, I tried !analyze -v. This command is the title of an internals blog I regularly read, but it is also the command that automatically analyzes a dump and determines the cause of a crash. It is the first command often given in a kernel debugging session. What is it here?
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information.
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: jscript!FncInfo ***
*** ***
*************************************************************************
*** ERROR: Symbol file could not be found. Defaulted to export symbols for msidcrl40.DLL -
OK. I’m not in Microsoft so I won’t get those symbols. I probably wouldn’t even have posted this if I were in MS. However, WinDbg helpfully tells me that “an exception of interest can be accessed via .ecxr”. Let’s see this exception record:
0:005> .ecxr
eax=00000000 ebx=00000000 ecx=04fef280 edx=0301a424 esi=04f934a0 edi=00000000
eip=695981f6 esp=0301a4f0 ebp=0301a500 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
mshtml!CMarkup::DetachElemCtxStream+0x64:
695981f6 8b07 mov eax,dword ptr [edi] ds:002b:00000000=????????
We’re getting someplace. This is almost certainly where IE went boom. The EDI register is supposed to point to somewhere in memory where the data is, but it is all zeroes so when it is dereferenced…it’s a null pointer.
0:005> kv
*** Stack trace for last set context - .thread/.cxr resets it
ChildEBP RetAddr Args to Child
0301a500 695981c2 00000000 00000000 00010100 mshtml!CMarkup::DetachElemCtxStream+0x64
0301a520 69575a5e 00000000 00000000 09e34b40 mshtml!CMarkup::DetachElemCtxStream+0x30
0301a554 694b7f43 04fd6c30 10e49194 04fc3830 mshtml!CAPProcessor::Evaluate+0x21d
0301a59c 69598299 00000000 00000000 09e34b40 mshtml!CDoc::SubmitForAntiPhishProcessing+0x1c4
0301a5b4 694c4e81 0301a628 125d82b8 00000000 mshtml!CMarkup::CheckCtxInfoThreshold+0x4c
0301a5c8 694250c2 09e34b40 00000002 00000001 mshtml!CElement::AddCtxInfoHelper+0xa5
0301a5e8 69478a42 00000002 69478a4c 125d82b8 mshtml!CAnchorElement::AddCtxInfoToStream+0x1e
0301a5f0 69478a4c 125d82b8 0301a778 00000000 mshtml!CImgElement::ExitTree+0xa (FPO: [0,0,0])
0301a614 693565e0 0301a628 09e34b40 00000000 mshtml!CAnchorElement::Notify+0x142
0301a768 693559f2 0301a874 002a7ea0 00000001 mshtml!CSpliceTreeEngine::RemoveSplice+0x2eb
The full trace was over 80 entries deep! The usual strategy is to look at the topmost 5 or 10 entries in the stack since they’re “near” the problem area. The crash happened in CMarkup::DetachElemCtxStream. On the left the arguments to the function (args to child) are listed. Some are zero, suggesting that that function got the bad pointer from one of its parent callers.
I disassembled the code of DetachElemCtxStream and traced through it:
0:005> u @eip
mshtml!CMarkup::DetachElemCtxStream+0x64:
695981f6 8b07 mov eax,dword ptr [edi]
695981f8 57 push edi
695981f9 ff5004 call dword ptr [eax+4]
695981fc 8b8680000000 mov eax,dword ptr [esi+80h]
69598202 8b08 mov ecx,dword ptr [eax]
69598204 50 push eax
69598205 ff5108 call dword ptr [ecx+8]
69598208 899e80000000 mov dword ptr [esi+80h],ebx
While it seems to involve jumping to a previously-constructed dispatch table, I don’t know what else to make of it. I did trace through its callers for a bit but didn’t know what I was looking for. (I am familiar with x86 assembly code but do not code in it or look at it regularly.) Instead, I wanted to look at some registers and some stack arguments to see if they pointed to interesting data. Now you know why I wanted a full user dump.
We’ll see if some of the registers or stack arguments point to interesting text.
For the most part, the registers and the arguments to the first five entries off the top of the stack weren’t interesting. In earlier debugging sessions with different dumps of IE, I once found a long list of URLs in Unicode. A very long list. I wasn’t able to find that in this dump without spending all week on it. I found one interesting text pointed to by the ECX register, about 572 bytes in:
0:005> db @ecx + 0n672
04fef520 1f 00 00 00 00 00 00 00-68 00 74 00 74 00 70 00 ........h.t.t.p.
04fef530 3a 00 2f 00 2f 00 77 00-77 00 77 00 2e 00 73 00 :././.w.w.w...s.
04fef540 61 00 6c 00 65 00 6d 00-6e 00 65 00 77 00 73 00 a.l.e.m.n.e.w.s.
04fef550 2e 00 63 00 6f 00 6d 00-2f 00 00 00 00 00 00 00 ..c.o.m./.......
04fef560 00 00 00 00 00 00 00 00-37 aa c0 36 00 00 00 8c ........7..6....
04fef570 2f 00 61 00 6a 00 61 00-78 00 2f 00 6c 00 69 00 /.a.j.a.x./.l.i.
04fef580 62 00 73 00 2f 00 73 00-77 00 66 00 6f 00 62 00 b.s./.s.w.f.o.b.
04fef590 6a 00 65 00 63 00 74 00-2f 00 32 00 2e 00 32 00 j.e.c.t./.2...2.
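The text in that dump can be pulled out mechanically rather than read off the ASCII column. The following Python is an added example, not part of the original post: it parses db output (assuming full 16-byte rows) and lists every run of printable UTF-16LE characters with its address; the function names and the minimum run length of 4 are choices made here.

```python
"""Extract UTF-16LE strings, with addresses, from WinDbg db output."""
import re

# db output copied from the post above.
DB_OUTPUT = """\
04fef520  1f 00 00 00 00 00 00 00-68 00 74 00 74 00 70 00  ........h.t.t.p.
04fef530  3a 00 2f 00 2f 00 77 00-77 00 77 00 2e 00 73 00  :././.w.w.w...s.
04fef540  61 00 6c 00 65 00 6d 00-6e 00 65 00 77 00 73 00  a.l.e.m.n.e.w.s.
04fef550  2e 00 63 00 6f 00 6d 00-2f 00 00 00 00 00 00 00  ..c.o.m./.......
04fef560  00 00 00 00 00 00 00 00-37 aa c0 36 00 00 00 8c  ........7..6....
04fef570  2f 00 61 00 6a 00 61 00-78 00 2f 00 6c 00 69 00  /.a.j.a.x./.l.i.
04fef580  62 00 73 00 2f 00 73 00-77 00 66 00 6f 00 62 00  b.s./.s.w.f.o.b.
04fef590  6a 00 65 00 63 00 74 00-2f 00 32 00 2e 00 32 00  j.e.c.t./.2...2.
"""

# Address, then exactly 16 hex bytes separated by a space or the middle dash.
# The trailing ASCII column is deliberately not captured.
ROW = re.compile(
    r"^\s*([0-9a-fA-F`]+)\s+((?:[0-9a-fA-F]{2}[ -]){15}[0-9a-fA-F]{2})\b")


def db_to_bytes(text):
    """Return (base_address, bytes) for a contiguous block of db rows."""
    base = None
    data = bytearray()
    for line in text.splitlines():
        match = ROW.match(line)
        if not match:
            continue                      # prompt lines, blank lines
        address = int(match.group(1).replace("`", ""), 16)
        if base is None:
            base = address
        elif address != base + len(data):
            raise ValueError(f"gap in dump before {address:#x}")
        data += bytes.fromhex(match.group(2).replace("-", " "))
    if base is None:
        raise ValueError("no db rows found")
    return base, bytes(data)


def utf16_strings(base, data, min_chars=4):
    """List (address, text) for runs of printable ASCII stored as UTF-16LE."""
    run = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_chars)
    return [(base + m.start(), m.group().decode("utf-16-le"))
            for m in run.finditer(data)]


if __name__ == "__main__":
    base, data = db_to_bytes(DB_OUTPUT)
    for address, text in utf16_strings(base, data):
        print(f"{address:08x}  {text}")
```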
Local News Site Crashes, Part 1
Posted: May 17, 2010 Filed under: Windows Internals
Our local paper redesigned its website a month ago. Ever since, this is what I and many others have seen when opening it for the morning.
Sometimes, a website will crash one time due to an isolated error. A third-party web analytics site once made an error in its HTML that brought down every site that used their services. This sort of error gets found and corrected very quickly.
But this went on over days. Rarely, the site would stay open for reading only to crash when opening another story. I wanted to find the problem, even though I have no stake or obligation to do so. I didn’t think I could get the newspaper interested in my bug report so I tried to find out what I could with my own knowledge of Windows internals.
First of all, I needed a crash dump of the failed process, to wit, Internet Explorer. Windows 7 (and Vista) do not save crash dumps for applications by default. (Note that this has nothing to do with the settings for kernel dumps or bluescreens; those are handled through the familiar sysdm.cpl control panel applet.)
MSDN has a page describing how to configure user-mode dumps.
There’s only one setting we need to enable the dumps. In Regedit, go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps. Under that key, create a new DWORD value named DumpType. Set its value to 2. This will make Windows perform full dumps of the application, which we will need to make any headway in this diagnosis. Restart the computer.
When an app crashes, Windows will now put its full crash dump in the LocalApps folder (normally c:\users\<user>\AppData\Local\CrashDumps.) It will store up to 10 dumps before overwriting any. These defaults can be changed per the MSDN page but these are fine here.
Next, I installed Fiddler. This is a really ingenious HTTP proxy. It uses the built-in proxy settings, that you may have seen in the Internet Options dialog, to redirect HTTP traffic to itself, capture it and display it, much like WireShark and Network Monitor, but with special emphasis on HTTP debugging. It would tell me what was requested when IE crashed. Fortunately, the crash was repeatable so I captured it with Fiddler:
The main window of Fiddler is very much like other network tracing tools. A list of sessions opened is in the left pane. The right pane has details on a particular session and the lower right pane has even more details.
There are a lot of requests made to open the typical web page. In a crash like the one I experienced, the web page pops up and one can see headlines and content, but a few seconds later, the crash dialog comes up.
Note request #149 which I have circled. It goes to watson.microsoft.com. This is where Windows Error Reporting sends your crash data. The crash had happened already here. Any of the requests prior to this could have crunched IE, either immediately or a short time afterwards. I have highlighted the prior request, #148, which is to ad.trafficmp.com, a very common ad-serving site. The requests that came afterwards occurred when I dismissed the error dialog and IE tried to reload the page.
I’d hoped there was some Javascript code from that site that would pop out at me as being “bad” (recursive code with a bug, say.) But nothing stood out.
Since I had full dumps of IE during the crash, it was time to run the Windows debugger. That’s my next post.
16-Bit Installer Support in Windows 64
Posted: February 18, 2010 Filed under: Windows Internals
Followup to my TIE Fighter post. I was not wrong about 16-bit installer support. From MSDN:
…For older applications that use a 16-bit stub to launch a 32-bit installation engine, 64-bit Windows recognizes specific 16-bit installer programs and substitutes a ported 32-bit version.
16-bit DOS, Windows, or OS/2 applications often use a 16-bit stub to check the machine type, then launch a 32-bit installation engine to actually perform the installation. To enable installation of applications that use this technique, 64-bit Windows substitutes 32-bit versions for the following 16-bit installer programs:
- Microsoft Setup for Windows 1.2
- Microsoft Setup for Windows 2.6
- Microsoft Setup for Windows 3.0
- Microsoft Setup for Windows 3.01
- InstallShield 5.x
The registry key that defines these installer shims is at HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NTVdm64. The list, according to Microsoft, cannot be extended.
I was certain that TIE Fighter used InstallShield (as did the majority of apps in the era) but what version?
I used Sysinternals’ Strings utility on the setup file (on the install CD, \INSTALL\SETUP.EXE). And got this (redacted a bit):
CompanyName InstallShield Corporation, Inc.
FileDescription Setup Launcher ( SETUP.EXE)
FileVersion 3.00.111.0
LegalCopyright Copyright InstallShield Corporation, Inc. 1990-1996 Phone : (847) 240-9111
ProductName InstallShield
ProductVersion 3.00.111.0
That is it. The installer is version 3.0 and the shim only works with 5.x. I noted elsewhere in the Strings output, clues as to the real age of the installer at the time—there are references to MIPS and Alpha architectures, which have not been in Windows for a very long time (MIPS was discontinued around the time of NT4 and Alpha never made it past Windows 2000 before being assimilated by Compaq.)
So much for that.
Diagnosing Feed Reading Problems in IE, Part 2
Posted: January 10, 2010 Filed under: Windows Internals
In the last post, I used PowerShell to talk to the Windows RSS Platform, give me my feeds, retrieve a particular feed, Toolmonger, and mark it read. If this had worked, the Toolmonger item in the IE feeds list would be unbolded and marked as read.
The RSS platform does mark the feed appropriately, as you can see, but IE does not indicate it as read.
As I write this, I’m still looking for the answer. Here’s what else I’ve found.
The RSS feed database, which is one for each user on the machine, is stored in each user profile under appdata\microsoft\feeds:
Note the FeedsStore.feedsdb-ms. It may keep track of unread items. Note too that all the feed folders have a tilde (~) appended to them; this is true for all folders, subfolders and feeds. I’m not sure what the hidden GUID folder is about, but it was last changed when my old profile was imported from Vista into Seven.
Here’s the Technology folder:
The files are binary blobs with bits of XML (the feed content) embedded within. Enclosures and images don’t appear to be included.
While I have no solution yet for my problem, there are a few things you can try if your RSS feeds don’t work in IE.
The most likely symptom you’ll have is that one feed may never update or IE may report feed errors. Check first that it isn’t a problem with the site (IE 8 is much better with RSS compatibility, but some sites still break it) and that the feed still exists. Then try these things in order:
- Quit IE. Delete Feedsstore.feeds-ms. Restart IE. Your feeds will all be marked as unread.
- If you know the feed causing problems, delete it and quit IE. Restart IE, go to the web site with the feed and try re-adding it.
- If you don’t know the problem feed—and sometimes you may not—you may need to open PowerShell and walk through each of your feed folders as detailed in Part 1. Corrupt items won’t be retrievable; the one that isn’t is the bad one.
- You may need to export all your feeds and recreate them. In IE go to File/Import and Export and select Export to A File. Click Next. Select Feeds. Click Next. It will export to an OPML file in your directory. Delete all your feeds in IE. Quit IE and restart it. Go to File/Import and Export and select Import from a File. Select Feeds. Select the OPML file you just created and click OK. Click Import.
A frustrating scenario you might run into is when the IE export runs into a corrupted feed and won’t finish. I’ve used Process Monitor to determine what feed is choking, in which case I have to delete the feed and try the export again.
I’ve only done the first step, deleting feedsstore.feeds-ms, in my case. It didn’t work. I haven’t tried the others because I wanted to learn more about the problem. I also hate turning my machine upside down only to find the problem still persisting; there are many Windows reinstalls that did nothing to fix things, that turned out to have some other cause that reinstalling would never fix.
I think that, rather than the feeds manager not working, IE is not properly refreshing the feeds window to reflect the current status. I note that when I manually mark feeds as read in IE, the feed is updated (unbolded) properly. I also note that some feeds will update their unread status immediately when I close their associated windows. Other feeds will not. I haven’t discovered any commonality between feeds that update their status and feeds that don’t.
Throughout this, the feeds manager has been working and giving me plenty of feed items to read.
I’d like to find a solution. It is a minor problem, but it is also a significant fit-and-finish problem for the IE team. UI appearance matters. I’d be happy to share this with the IE team if I knew where to file a report.
Diagnosing Feed Reading Problems in IE, Part 1
Posted: January 10, 2010 Filed under: Windows Internals
For several months, I’ve been having an annoying problem with IE8. This is going to be a long post, an excuse to explain some IE RSS internals.
I use IE’s built in RSS reader and read items as seen in the screenshot above. Unfortunately, when I close one feed and go to the next, the feed is often still marked as unread, even though I’ve read it. The popup tells the truth: I’ve read all the posts in Gadget Freak, yet the feed name is still highlighted, meaning “unread”, as is the common convention for RSS readers (and Usenet/web forum readers before that.)
The IE RSS feeds manager is a component built into IE that is available to all Windows applications. It’s documented in MSDN and known as the Windows RSS Platform. It can be accessed through the COM object “Microsoft.Feedsmanager”, and it is very useable and discoverable in PowerShell.
First, reference the Feedsmanager:
$feeds = new-object -com "Microsoft.FeedsManager"
What can we do? Get its methods:
$feeds | gm
TypeName: System.__ComObject#{a74029cc-1f1a-4906-88f0-810638d86591}
Name MemberType Definition
---- ---------- ----------
AsyncSyncAll Method void AsyncSyncAll ()
BackgroundSync Method void BackgroundSync (FEEDS_BACKGROUNDSYNC_ACTION)
DeleteFeed Method void DeleteFeed (string)
DeleteFolder Method void DeleteFolder (string)
ExistsFeed Method bool ExistsFeed (string)
ExistsFolder Method bool ExistsFolder (string)
GetFeed Method IDispatch GetFeed (string)
GetFeedByUrl Method IDispatch GetFeedByUrl (string)
GetFolder Method IDispatch GetFolder (string)
IsSubscribed Method bool IsSubscribed (string)
Normalize Method string Normalize (string)
BackgroundSyncStatus Property FEEDS_BACKGROUNDSYNC_STATUS BackgroundSyncStatus () {get}
DefaultInterval Property int DefaultInterval () {get} {set}
ItemCountLimit Property int ItemCountLimit () {get}
RootFolder Property IDispatch RootFolder () {get}
You may remember the Default Interval and Item Count Limit if you’ve configured RSS in IE.
Let’s get the root folder and its properties:
$feedsfolder = $Feeds.RootFolder
$feedsfolder | gm
TypeName: System.__ComObject#{81f04ad1-4194-4d7d-86d6-11813cec163c}
Name MemberType Definition
---- ---------- ----------
ItemCount AliasProperty ItemCount = TotalItemCount
UnreadItemCount AliasProperty UnreadItemCount = TotalUnreadItemCount
CreateFeed Method IDispatch CreateFeed (string, string)
CreateSubfolder Method IDispatch CreateSubfolder (string)
Delete Method void Delete ()
ExistsFeed Method bool ExistsFeed (string)
ExistsSubfolder Method bool ExistsSubfolder (string)
GetFeed Method IDispatch GetFeed (string)
GetSubfolder Method IDispatch GetSubfolder (string)
GetWatcher Method IDispatch GetWatcher (FEEDS_EVENTS_SCOPE, FEEDS_EVENTS_MASK)
Move Method void Move (string)
Rename Method void Rename (string)
Feeds Property IDispatch Feeds () {get}
IsRoot Property bool IsRoot () {get}
Name Property string Name () {get}
Parent Property IDispatch Parent () {get}
Path Property string Path () {get}
Subfolders Property IDispatch Subfolders () {get}
TotalItemCount Property int TotalItemCount () {get}
TotalUnreadItemCount Property int TotalUnreadItemCount () {get}
Type ScriptProperty System.Object Type {get="folder";}
Now, subfolders:
$feedsfolder.Subfolders
Type Name ItemCount UnreadItemCount
---- ---- --------- ---------------
folder Microsoft Feeds 396 302
folder Moisan's Feeds 40015 1459
Let’s skip ahead. My feeds are stored in “Moisan’s Feeds” and I want to see the “Technology” folder:
$feedstech = (($feedsfolder.GetSubfolder("Moisan's Feeds")).GetSubfolder("Technology")).Feeds
$feedstech
Type Name ItemCount UnreadItemCount
---- ---- --------- ---------------
feed adafruit industries blog 200 0
feed bunnie's blog 77 0
feed Dark Roasted Blend 200 0
feed Design News - Gadget Freak 57 0
feed Flylogic Engineering's Analytical Blog 16 0
feed Gadget Freak 200 0
feed hack a day 200 0
feed Hacked Gadgets 200 10
feed HacknMod.com - You name it. We hack it. 200 0
feed Hotsolder 37 1
feed How To Spot A Psychopath 200 1
feed It Ain't Dead Yet 30 0
feed Jeff Duntemann's ContraPositive Diary 200 1
feed Keith's Electronics Blog 88 2
feed LED Luminaries 78 1
feed Lifehacker 200 9
feed Made By Monkeys 159 2
feed MAKE: Blog 200 103
feed Modern Mechanix 200 0
feed Neato Coolville 200 0
feed OTA HDTV Reception Q&A 37 0
feed Paleo-Future Blog 88 1
feed Retro Thing 200 7
feed Safety Graphic Fun 200 12
feed There, I Fixed It. 200 20
feed Toolmonger 200 32
feed Uplinks
We’ll get Toolmonger:
$feedstoolmonger = (($feedsfolder.GetSubfolder("Moisan's Feeds")).GetSubfolder("Technology")).GetFeed("Toolmonger")
$feedstoolmonger
Type Name ItemCount UnreadItemCount
---- ---- --------- ---------------
feed Toolmonger 200 32
Here are the properties of the feed:
$feedstoolmonger | gm
TypeName: System.__ComObject#{33f2ea09-1398-4ab9-b6a4-f94b49d0a42e}
Name MemberType Definition
---- ---------- ----------
AsyncDownload Method void AsyncDownload ()
CancelAsyncDownload Method void CancelAsyncDownload ()
ClearCredentials Method void ClearCredentials ()
Delete Method void Delete ()
Download Method void Download ()
GetItem Method IDispatch GetItem (int)
GetItemByEffectiveId Method IDispatch GetItemByEffectiveId (int)
GetWatcher Method IDispatch GetWatcher (FEEDS_EVENTS_SCOPE, FEEDS_EVENTS_MASK)
MarkAllItemsRead Method void MarkAllItemsRead ()
Merge Method void Merge (string, string)
Move Method void Move (string)
Rename Method void Rename (string)
SetCredentials Method void SetCredentials (string, string)
Xml Method string Xml (int, FEEDS_XML_SORT_PROPERTY, FEEDS_XML_SORT_ORDER, FEEDS_XML_FILTER_FLAGS, FEEDS_XM...
Copyright Property string Copyright () {get}
Description Property string Description () {get}
DownloadEnclosuresAutomatically Property bool DownloadEnclosuresAutomatically () {get} {set}
DownloadStatus Property FEEDS_DOWNLOAD_STATUS DownloadStatus () {get}
DownloadUrl Property string DownloadUrl () {get}
Image Property string Image () {get}
Interval Property int Interval () {get} {set}
IsList Property bool IsList () {get}
ItemCount Property int ItemCount () {get}
Items Property IDispatch Items () {get}
Language Property string Language () {get}
LastBuildDate Property Date LastBuildDate () {get}
LastDownloadError Property FEEDS_DOWNLOAD_ERROR LastDownloadError () {get}
LastDownloadTime Property Date LastDownloadTime () {get}
LastItemDownloadTime Property Date LastItemDownloadTime () {get}
LastWriteTime Property Date LastWriteTime () {get}
Link Property string Link () {get}
LocalEnclosurePath Property string LocalEnclosurePath () {get}
LocalId Property string LocalId () {get}
MaxItemCount Property int MaxItemCount () {get} {set}
Name Property string Name () {get}
Parent Property IDispatch Parent () {get}
Password Property string Password () {get}
Path Property string Path () {get}
PubDate Property Date PubDate () {get}
SyncSetting Property FEEDS_SYNC_SETTING SyncSetting () {get} {set}
Title Property string Title () {get}
Ttl Property int Ttl () {get}
UnreadItemCount Property int UnreadItemCount () {get}
Url Property string Url () {get} {set}
Username Property string Username () {get}
Type ScriptProperty System.Object Type {get="feed";}
An excerpt of the feed itself:
$feedstoolmonger.Items
Title : Overpriced Center Finder
Link : http://toolmonger.com/2009/11/30/overpriced-center-finder/
Guid : http://toolmonger.com/?p=35079
Description : <p><a href="http://toolmonger.com/wp-content/uploads/2009/11/center-finder.jpg"><img class="aligncenter size-full wp-image-35098" src="http://toolmonger.com/wp-content/uploads/2009/11/center-finder.jpg" alt="" width=450 height=475></a></p> <p>When I first saw Eagle’s Marking Center Finder, I thought, “Cool, that works on the same principle as <a title="Previous Article" href="http://toolmonger.com/feed/2008/03/17/center-mortises-with-rocklers-router-baseplate/">Rockler’s mortise-centering router baseplate</a>.” Looking at the PVC-made jig, I figured it’d be 5 to 10 bucks tops, but then I saw $25 price tag and figured I’d tell everyone they should spend 15 minutes in the shop and make one with a with a piece of scrap wood and a section of dowel instead.</p> <p>It’s simple geometry that if you build it right, drilling three evenly spaced holes on a line, the resulting jig should be pretty accurate in finding the center of a board. And if you build your own you won’t be limited to the width of a 2×4 like Eagle’s model.</p> <p><span id=more-35079></span> Why would you want to build one in the first place? It’s handy for marking the center of board edge when you’re laying out mortises, holes for dowels, centering biscuits, and doing plenty of other operations. If you find you’d actually want to purchase Eagle America’s marking center finder, they generously throw in a pencil for your $25.</p> <p><a title="Marking Center Finder Manufacturer" href="http://www.eagleamerica.com/product/400-2048/eagle_originals">Center Finder</a> [Eagle America]<br> <a title="Marking Center Finder At Amazon" href="http://www.amazon.com/dp/B001CMNCAU?tag=toolmonger-20">Via Amazon</a> [<a href="http://toolmonger.com/amazon-links/">What’s This?</a>]</p>
PubDate : 11/30/2009 12:05:29 PM
Comments : http://toolmonger.com/2009/11/30/overpriced-center-finder/#comments
Author : Benjamen Johnson
Enclosure :
IsRead : True
LocalId : 2830
Parent : System.__ComObject
DownloadUrl : http://toolmonger.com/feed/
LastDownloadTime : 11/30/2009 10:25:27 PM
Modified : 11/30/2009 12:05:29 PM
EffectiveId : -77766319
How many unread items are in Toolmonger?
$feedstoolmonger.UnreadItemCount
32
Let’s mark them all read to see if IE updates the status:
$feedstoolmonger.MarkAllItemsRead()
$feedstoolmonger.UnreadItemCount
0
They are marked as read.
Did it work? See the next post, which explains where IE stores its feed database and what to do for common problems.
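The feed object's member list above includes Username, Password, SetCredentials, DownloadEnclosuresAutomatically and Url, so the same COM object can be used to review what the feed store holds. The script below is an added example, not code from the original post: it walks every folder from RootFolder down and reports feeds that have a stored login, fetch over plain HTTP, or download enclosures automatically. It uses only members shown in the gm output above; the function name Get-FeedAudit is made up for this example, and the check on Username assumes the property is empty when no credentials are stored.

```powershell
# Added example: audit the IE feed store through Microsoft.FeedsManager.
# Get-FeedAudit is a hypothetical helper name, not part of the RSS platform.
function Get-FeedAudit {
    param($Folder)

    # Feeds directly in this folder
    foreach ($feed in $Folder.Feeds) {
        $url = $feed.Url
        [pscustomobject]@{
            Path            = $feed.Path
            Url             = $url
            # Feed content fetched without TLS can be altered in transit
            PlainHttp       = ($url -like 'http://*')
            # Only test whether a user name is stored; the password is never read
            # (assumes Username is empty when no credentials are set)
            HasStoredLogin  = -not [string]::IsNullOrEmpty($feed.Username)
            # Enclosures are files saved to disk without the user asking
            AutoEnclosures  = [bool]$feed.DownloadEnclosuresAutomatically
            UnreadItemCount = $feed.UnreadItemCount
        }
    }

    # Recurse into subfolders (Microsoft Feeds, Moisan's Feeds, ...)
    foreach ($sub in $Folder.Subfolders) {
        Get-FeedAudit -Folder $sub
    }
}

$feeds  = New-Object -ComObject 'Microsoft.FeedsManager'
$report = @(Get-FeedAudit -Folder $feeds.RootFolder)

# Show only the feeds that need a second look
$report |
    Where-Object { $_.PlainHttp -or $_.HasStoredLogin -or $_.AutoEnclosures } |
    Sort-Object Path |
    Format-Table Path, PlainHttp, HasStoredLogin, AutoEnclosures, Url -AutoSize
```

A feed flagged HasStoredLogin can be cleared with the ClearCredentials() method listed above.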
Missing Search Provider Icons in Internet Explorer
Posted: November 9, 2009 Filed under: Windows Internals
I saw this problem recently: I, like most IE 8 users, use multiple search providers in IE, all of them with their icons that appear when selected.
The search provider icons for several providers, including Bing, my default, were missing and showed only the generic magnifying glass icon. Restarting IE didn’t help nor did rebooting.
I found a simple workaround to fix this but I first want to explain search provider internals in some detail.
In Internet Explorer, a search provider is an XML document with a specially-coded URL based on the OpenSearch specification. IE comes with Bing as its default search provider; users can add more providers. In the screenshot, you can see I have Bing, which is defaulted, Google, Wikipedia and WolframAlpha as my providers.
Providers are stored in the user’s registry under HKU:\<user SID>\Software\Microsoft\Internet Explorer.
Each Search Provider is listed under a GUID; DefaultScope is a string value with the default provider listed. It points to Bing’s entry in this case:
Most of the values are self-explanatory. Of particular interest in my problem are the FaviconPath and FaviconURL string values. Let’s say the Bing icon is missing. Its path is C:\Users\davidmoisan\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{533B8DE4-C0F4-4C0F-ABA8-79A79086865C}.ico.
Here are all my search icons. They are in c:\users\<userprofile>\AppData\LocalLow\Microsoft\Internet Explorer\Services\:
Note the filenames are of the form search_{GUID}.ico. With that in mind, I fixed my problem the hard way: I found a Bing icon elsewhere on my system, copied it to this directory, renamed it to match the filename in FaviconPath and restarted IE.
It worked!
(This explains why there are multiple instances of a few icons in the screenshot above. You will normally have just one icon per provider, but the extra icons aren’t hurting anything.)
However, there is a much easier solution that I recommend for regular users:
- If you have more than one provider, and the provider with the missing icon is not your default provider, click on the search bar drop down and select Manage Your Providers. Right-click on that provider and select Delete. Close the window and try to re-add that provider. Its icon should reappear and you are done.
- If you only have one provider, or if the provider with the missing icon is your default provider, click on the search bar drop-down button and select Find More Providers. Add a search provider from the screen that comes up (any provider will do.)
- Click the search bar drop-down and select Manage Search Providers.
- Right-click on your new provider and select Set As Default.
- Select your old provider, right-click it and select Delete.
- Close that window and click on the search bar to select Find More Providers.
- Find and re-add your old provider. Its icon should re-appear.
- If desired, go back into Manage Search Providers and re-select your old provider as the default.
This problem may also be caused by a recent security update, KB974455, and its later update KB976749, which was released to Microsoft Update last week. I first noticed this problem after applying the latter update, but I can’t confirm that either update caused this. If you do install the updates, install 974455 first before installing 976749; installing 976749 without the former update may cause IE to stop working.
In my case both updates were already on the machine in the correct order. I might never know how the icons disappeared but now we know how to make them reappear. Happy searching!
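To see which providers are affected before deleting and re-adding anything, the registry values described above can be compared against the icon files on disk. The script below is an added example, not code from the original post. It assumes the providers sit in the SearchScopes subkey of the Internet Explorer key (the post names only the parent key) and reads the DisplayName and URL values alongside the DefaultScope, FaviconPath and FaviconURL values the post mentions; the function name is made up for this example.

```powershell
# Added example: list IE search providers and flag missing icon files.
# Assumption: providers are stored under the SearchScopes subkey.
function Get-SearchProviderIconStatus {
    param(
        [string]$ScopesKey = 'HKCU:\Software\Microsoft\Internet Explorer\SearchScopes'
    )

    if (-not (Test-Path -LiteralPath $ScopesKey)) {
        Write-Warning "Registry key not found: $ScopesKey"
        return
    }

    # DefaultScope holds the GUID of the default provider
    $default = (Get-ItemProperty -LiteralPath $ScopesKey).DefaultScope

    # One subkey per provider, named by its GUID
    foreach ($key in Get-ChildItem -LiteralPath $ScopesKey) {
        $values = Get-ItemProperty -LiteralPath $key.PSPath
        $icon   = $values.FaviconPath

        if ([string]::IsNullOrEmpty($icon)) {
            $status = 'NoFaviconPath'
        } elseif (Test-Path -LiteralPath ([Environment]::ExpandEnvironmentVariables($icon)) -PathType Leaf) {
            $status = 'Present'
        } else {
            $status = 'Missing'      # IE falls back to the generic magnifying glass
        }

        [pscustomobject]@{
            Guid        = $key.PSChildName
            DisplayName = $values.DisplayName
            IsDefault   = ($key.PSChildName -eq $default)
            IconStatus  = $status
            FaviconPath = $icon
            FaviconURL  = $values.FaviconURL
            SearchUrl   = $values.URL
        }
    }
}

Get-SearchProviderIconStatus |
    Sort-Object IconStatus, DisplayName |
    Format-List
```

The SearchUrl column also shows where each provider sends queries, which is worth a glance for any provider you do not remember adding.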














