HTTP Modules and HTTP Handlers

ASP.NET has a pretty interesting HTTP runtime architecture if you have ever dug into the covers. The basic run-time support has API’s as powerful as ISAPI (in IIS). ASP.NET offers IHttpHandler and IHttpModule interfaces that offer you similar functionality. I will get into each one in a little bit of detail, but at a high level IHttpHandler is analogous to what would be an ISAPI extension in IIS and IHttpModule would be analogous to what a ISAPI filter in IIS. As a matter of fact, each page (.aspx) you have in your project is essentially an HTTP Handler.

HTTP Handlers: The “handlers” are nothing but assemblies (class libraries) that implement IHttpHandler and IHttpAsyncHandler interfaces. Essentially, ASP.NET maps each http request to a http handler. The handler in turn enables processing individual url’s or groups of url’s with similar extensions such as .aspx, .asmx, .ascx, .disco, etc. The handler can be synchronous or asynchronous, the earlier does not return until it finished processing and the latter typically launches a separate process.

When you inherit from IHttpHandler handler, you need to implement both the ProcessRequest method (which processes the individual http requests) and the IsReusable property (which specifies if pooling is supported or not). If you have a more complex set of logic then you should look at inheriting IHttpHandlerFactory, as that allows finer control and you can create different handler based on your need. E.g. you can create a separate handler for GET and PUT.

When you are finished building the handler (essentially compiling your assembly), you need to register it to use it. To register a handler essentially you copy the assembly in the bin folder of where you web app is running and create a section in the web.config. (I’ll have a sample in a bit in this post). You might also want to ensure that the HTTP handler’s extension is registered with IIS.

General process of Building a Handler:

  1. Implement the IHttpHandler interface
  2. Handle the ProcessRequest method and IsRuseable property.
  3. Deploy the assembly
  4. Register the handler

Below is an example of a handler that processes request for the files with the extension “.desigeek”. Note, that you do not need to have a physical file present with that extension.

public class DesigeekHandler : IHttpHandler
bool IHttpHandler
return false

void IHttpHandler.ProcessRequest( HttpContext context )
response = context.Response;
    response.Write( “< html>” );
“< body>”
“< h1> Hello from Desigeek custom handler. < /h1>”
“< /body>”
“< /html>”

Register the HTTP handler by creating an entry in the web.config:

    <add verb=* path=*.desigeek type=MyHTTPHandler.DesigeekHandler, MyHTTPHandler

Below is a sample of what the request would look like. Notice the URL requested is “foo.desigeek” (and there is no physical file with that name on the file system. The first screen-shot is of the web application (which basically is one label which is updated with the system time on PageLoad). The second one is where the handler kicks in.

HTTP Module: HTTP modules are classes that can be configured to run in response to events that fire during the request for an ASP.NET resource (which can be serviced by any handler). An HTTP module is an assembly that implements the IHttpModule interface and handles events. ASP.NET ships with a number of modules out of the box e.g. SessionStateModule is used to supply session state services to an application.

If you check your machine.config you will there are a number of handlers that come with ASP.NET. e.g you might look at something like:
< httpModules>
    < add name=”OutputCache” type=”System.Web.Caching.OutputCacheModule, …/>
    < add name=”Session” type=”System.Web.SessionState.SessionStateModule, …/>
    < add name=”WindowsAuthentication” type=”System.Web.Security.WindowsAuthenticationModule, …/>
    < add name=”FormsAuthentication” type=”System.Web.Security.FormsAuthenticationModule …/>
    < add name=”PassportAuthentication” type=”System.Web.Security.PassportAuthenticationModule …/>
    < add name=”UrlAuthorization” type=”System.Web.Security.UrlAuthorizationModule, …/>
    < add name=”FileAuthorization” type=”System.Web.Security.FileAuthorizationModule, …/>
< /httpModules>

Basically you follow the similar process as HTTP handlers. Once you have created your assembly you deploy it to the bin folder and register your handler. The general process for writing an HTTP module is:

  • Implement the IHttpModule interface.
  • Handle the Init method and register for the events you need.
  • Handle the events.
  • Optionally implement the Dispose method if you have to do cleanup.
  • Register the module in Web.config.

Here is an example which hooks into the BeginRequest and EndRequest events of HttpApplication and adds “DesigeekModule: Begin of Request“ and “DesigeekModule: End of Request“ to the response being send out to the client. The Init() function is where your register the hooks you want.

public class DesigeekModule : IHttpModule
//you register the events you are want to hook in this function
void IHttpModule.Init( HttpApplication context )
        context.BeginRequest += ( new EventHandler( this.App_BeginRequest ) );
        context.EndRequest += ( new EventHandler( this.App_EndRequest ) );

    private void App_EndRequest( object source, EventArgs e )
        HttpApplication app = (HttpApplication)source;
        HttpContext context = app.Context;
        context.Response.Write( “DesigeekModule: END of Request” );

    private void App_BeginRequest( object source, EventArgs e )
        HttpApplication app = (HttpApplication)source;
        HttpContext context = app.Context;
        context.Response.Write( “DesigeekModule: BEGIN of Request” );

    public string ModuleName {
        get {
            return “DesigeekModule”;

You register the HTTP Module by adding the following section in your web.config.

< httpModules>
< add name=DesigeekModule type=MyHTTPModule.DesigeekModule, MyHTTPHandler/>
< /httpModules>

When you run this (see the screen shots below), you will notice that when I goto the default.aspx I see the label with the date-time and the BEGIN and END strings. Another interesting point, if I get to one of my custom handler (e.g. foo.desigeek) then as shown below I get output from both the HTTP Module and HTTP Handler, which means there are many powerful things you can get by combining these.

Overall, the image below shows graphical representation of the process of a ASP.NET HTTP pipeline. The process starts with a request arriving at IIS. If the requested resource is configured to be handled by the ASP.NET ISAPI Extension, IIS dispatches the request to the unmanaged aspnet_isapi.dll ISAPI Extension. This ISAPI Extension passes off the request to the managed ASP.NET engine. It is important to note that during the request life cycle, one or more HTTP modules may execute, depending on what modules have been registered and what events they have subscribed to. Finally, the ASP.NET engine determines the HTTP handler that is responsible for rendering the content, invoking the handler and returning the generated content back to IIS, which returns it back to the requesting client. If you want to get creative and do some more processing, you can use the HTTP Factory. Remember, an HTTP handler factory is a class that is not directly responsible for rendering the content, but instead is responsible for selecting and returning an HTTP handler instance. This returned HTTP handler instance is then the one that is tasked with rendering the requested resource.

More Information:

Microsoft takes Firefox seriously (or at least their developers do)

I was pleasantly surprised to find out that Microsoft’s developers have fixed the code issues when you use Firefox to view the sample code in MSDN. The code would all be screwed up and “mushy”, but now that has been fixed and Live bookmarks also work that earlier use to break. The fix for the code is supposed to be only in CSS, and you can read up on all the gory details.

Google Labs Aptitude Test (GLAT)

I am sure you might have seen these in some magazines or the other, this is the second one I have seen and I think they are a pretty neat idea to find the right talent. Remember these are “aptitude tests” so look at how you think and how creative you can be and not necessarily how fast you can write some piece of code (or how efficiently). Here is what is it – could you solve any of these? What answers would you have? Here they are:

How much aptitude do you have for the sort of mind-bending engineering problems encountered each day at Google labs? Take the GLAT and find out. Simply answer all the questions to the best of your abilities (cheaters will answer to the karma police), fold completed exam in attached envelope and send to the Google Labs. Score high enough and we’ll be in touch. Good luck.

  1. Solve this cryptic equation, realising of course that values for M and E could be interchanged. No leading zeros are allowed.
  2. Write a haiku describing possible methods for predicting traffic seasonality.
  3.        1
          1 1
          2 1
       1 2 1 1
    1 1 1 2 2 1

    What is the next line?

  4. You are in a maze of twisty little passages, all alike. There is a dirty laptop here with a weak wireless connection. There are dull lifeless gnomes strolling about. What dost thou do?
    1. Wander aimlessly, bumping into obstacles until you are eaten by a grue.
    2. Use the laptop as a digging device to tunnel to the next level.
    3. Play MPoRPG until the battery dies along with your hopes.
    4. use the computer to map the nodes of the maze and discover an exit path.
    5. Email your resume to Google, tell the lead gnome you quit and find yourself in whole different world.
  5. What’s broken with Unix? How would you fix it?
  6. On your first day at Google, you discover that your cubicle mate wrote the textbook you used as a primary resource in your first year of graduate school. Do you:
    1. Fawn obsequiously and ask if you can have an autograph.
    2. Sit perfectly still and use only soft keystrokes to avoid disturbing her concentration.
    3. Leave her daily offerings of granola and English toffee from the food bins.
    4. Quote your favourite formulae from the textbook and explain how it’s now your mantra.
    5. Show her how example 17b could have been solved with 34 fewer lines of code.
  7. Which of the following expresses Google’s over-arching philosophy?
    1. “I’m feeling lucky“
    2. “Don’t be evil“
    3. “Oh, I already fixed that“
    4. “You should never be more than 50 feet from food“
    5. All of the above
  8. Part A: How many different ways can you colour an icosahedron with one of three colours on each face? Part B: What colours would you choose?
  9. This space intentionally left blank. Please fill it with something that improves upon emptiness.
  10. On an infinite two-dimensional, rectangular lattice of 1-ohm resistors, what is the resistance between two nodes that are a knight’s move away?
  11. It’s 2pm on a sunny Sunday afternoon in the Bay area. You’re minutes away from the Pacific Ocean, redwood forest hiking trails and world class cultural attractions. What do you do?
  12. In your opinion, what is the most beautiful math equation ever derived?
  13. Which of the following is NOT an actual interest group formed by Google employees?
    1. Women’s basketball
    2. Buffy fans
    3. Cricketer’s
    4. Nobel winners
    5. Wine club
  14. What will be the next great improvement in search technology?
  15. What is the optimal size of a project team, above which additional members do not contribute productivity equivalent to the percentage increase in the staff size?
    1. 1
    2. 3
    3. 5
    4. 11
    5. 24
  16. Given a triangle ABC, how would you use only a compass and straight edge to point P such that triangles ABP, ACP and BCP have equal perimeters? (Assume that ABC is constructed so that a solution does exist).
  17. Consider a function which, for a given whole number n, returns the number of ones required when writing out all numbers between 0 and n. For example, f(13) = 6. Notice that f(1) = 1. What is the next largest n such that f(n) = n?
  18. What’s the coolest hack you’ve ever written?
  19. ‘Tis is known in refined company, that choosing K things out of N can be done in way as many as choosing N minus K from N: I pick, you the remaining.

    Find though a cooler bijection, where you show a knack uncanny, of making your choice contain all K of mine. Oh, for pedantry: let K be no more than half N.

  20. What number comes next in the sequence: 10, 9. 60, 90, 70, 66, ?
    1. 96
    2. 1000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    3. Either of the above
    4. None of the above
  21. In 29 words or fewer describe what you would strive to accomplish if you worked at Google Labs.

Update on Google Desktop Search (with screenshots)

After my previous post on Google Desktop search, I thought what the heck and took out some time to play with it and below are my findings. To get around the installation issue, I had to uninstall the MS Firewall Client.

Here are the screen shots of the installation, but before that, it runs locally ( on port 4664. So if you were to browse to then you would get an “Invalid Request“ error which makes it seem like its running a small web server.


Does not like Firefox, Outlook and Word running

The GoogleDesktop.exe process has spawned two other processes, the first one is the GoogleDesktopIndexer and the other is the GoogleDesktopCrawler.

Above is the properties of the image file. What is interesting is its got the “/install” parameter. You can click on the image to see the gory details.

Resources that are being used. This was soon after installation, so not sure if its fully kicked in or not.

You can see the memory usage go up.

It has two threads – one for the indexer and one for the crawler.

Default ACL’s that the process uses.

Environment details used by the process.

VS.NET 2005 ClickOnce Review

I was playing with ClickOnce which is new in Visual Studio 2005 and thought it was pretty cool. Basically, ClickOnce is a deployment technology that enables self-updating Windows applications that can be installed and run with minimal user interaction.

ClickOnce applications can be self-updating; they can check for newer versions as they become available and automatically replace any updated files. You can specify the update behaviour; an administrator can also control update strategies, (e.g. making an update mandatory). Updates can also be rolled back to a previous version by the end user or administrator.

ClickOnce deployment overcomes three major issues inherent in deployment:

  • Difficulties in updating applications – earlier any time an application is updated, the user must reinstall the entire application; now the updates can be provided automatically, and only those portions of the application that have changed will be reinstalled.
  • Impact to the user’s computer – till now, applications often rely on share components with the potential for versioning conflicts; now, each application is self-contained and cannot interfere with other applications.
  • Security permissions – Windows Installer deployment requires administrative permissions; but now non-administrative users can install and grant only those permissions necessary for the application.

How does it work?

The core ClickOnce deployment architecture is based on two XML manifest files,an application manifest and a deployment manifest.

  • The application manifest (created using mage.exe) describes the application itself, including the assemblies, dependencies and files that make up the application, the required permissions, and the location where updates will be available.
  • The deployment manifest (also generated using mage.exe) describes how the application is deployed, including the location of the application manifest and files and the version of the application that clients should run.

After a deployment manifest is created, it is copied to the deployment location which can be a Web server, network share, or even a CD/DVD. The application manifest (and all application files) are also copied to a deployment location that is specified and this can be the same as the deployment location or different.

The users can download and install the application as simply as clicking an icon pointing to the deployment manifest file on a Web page or in a folder. In most cases, the user will be presented with a simple dialog box asking the user to confirm installation (including elevated permissions if needed), then installation will proceed and the application will be launched without further intervention.

The application is added to the user’s Start menu and to the Add / Remove Programs group in the Control Panel. Unlike other deployment technologies, nothing is added to the Program Files folder, the registry, or the desktop, and no administrative rights are required for installation!

When the application developer creates an updated version of the application, he/she also generates a new application manifest and copies files to a deployment location. The administrator updates the deployment manifest to point to the location of the new version of the application.

Also, the deployment manifest also contains an update location (a Web page or network file share) where the application will check for updated versions. You can set properties to specify when and how often the application should check for updates. Update behaviour can be specified in the deployment manifest, or can be presented as user choices in the application’s user interface by means of the ClickOnce APIs. The, Publish properties can be employed to make updates mandatory or to roll back to an earlier version.

Icon for the sample application in the Start menu

The test application running locally after being installed

During the deployment, specifying the location where this would reside. Look at the examples which give you an idea on the various distribution strategies.

What is the target “platform“?

Where to check for updates?

Use a key for signing

Summary Screen

Screen shot of the deploy location. You can see various versions of the sample application present and also the dependencies (such as the .net runtime).

When the user starts an application and an update exists the user is prompted to either install it or skip it.

Snapshot of the registry that shows how the application version is tracked, etc. Here you can see the packages installed along with their versioning detail.

I will probably have more meaningful posts on this when I had a chance to use it in the “real world”.

Can you run the new Google Desktop Search?

I guess you have heard all the flutter on Google’s new Desktop Search that lets you find stuff on your own hard disk and all the articles pointing to its a direct challenge to Microsoft, etc. But the real question is, has it been able to work for you? When I try to install it on one of my computers (this instance is running Windows 2000 Professional SP4, I get the following error:

Google Desktop Search problem
Google Desktop Search is not currently compatible with another program on your system. You will need to uninstall this program if you would like to install Google Desktop Search. The following may help to identify the program:

Different network providers:
WinSock Proxy [udp]
C:\Program Files\Microsoft Firewall Client\wspwsp.dll


Click OK to report this problem to Google, or click cancel to exit without reporting the problem.

So, one would think, kill the Microsoft Firewall Client and then install it and go your merry way, right? Nope, not that fast. After closing that, I still get the same error. Also what is the “I01” in the above message? Is that a error ID?

Also, how many cpu cycles does this actually take? Has someone done a benchmark? The FAQ on perf. does not really answer the question and leaves much more to be desired. Also, what privileges does the process run under? Does it need admin or system privileges? Can I exclude any of the information? Does Google get any of the info? If so, how can I “opt out” of that? Also, does it “dial home” every now and then to get/upload stuff, if so on what ports?

Also, seems like there are a lot of applications that conflict partially with Desktop search (but the question is conflict why):

  • NetLimiter (nl_lsp.dll)
  • Microsoft Firewall Client (wspwsp.dll)
  • webhdll.dll (WebHancer Customer Companion)
  • Panda AntiVirus
  • or newdotnet (QuickSearch Toolbar and Quick!)
  • FilterPak
  • Msx2.dll (computercops)

And then there are apps that just don’t plain work:

  • NOD32 AntiViru
  • mclsp.dll (McAfee Privacy Service)
  • Vetredir.dll (VET Antivirus)
  • aslsp.dll (from Aventail)
  • stplayer.dll
  • Mwtsp.dll (V MicroWorld Escan/Mailscan)
  • farlsp.dll or fbm.dll (Hacker Smacker Firewall)
  • cwhook.dll (ContentWatch Internet Filter)
  • Netdog.dll (V Armor2net personal firewall)
  • Armor2net
  • Mwtsp.dll (escan Monitor)
  • Ndpwsspr.dll
  • Connwsp.dll (Port Magic)
  • Idmmbc.dll (V Internet Download Manager)
  • Inetcntrl.dll (V Bsafe Online Internet Content Filter)
  • Ictload.dll (V Accelenet Internet Accelerator)
  • Pxlsp.dll (ProxyConn)
  • SmartPass

I don’t really have the time at this point to dig through this, but if someone has then let me know or whenever I can take out some time, then will play with this then.

Cell Phones can cause Ear Tumours

Thanks to Murthy for sending this one. BBC has a story, where Swedish researchers found that using your cell phone for 10 years or more increases the risk of ear tumours by four times! The Karolinska Institute study of 750 people found the risk of acoustic neuroma rose by 3.9 times on the side of the head the phone is used. There was no increase in risk on the other side of the head – giving an overall rise in risk of 1.9 times. Acoustic neuroma is a benign tumour in the auditory nerve, which can cause brain and nerve damage. It affects one in 100,000 people.

Maybe its about time you thought of using a hands-free (be it wired or wireless), its not only safer while driving but apparently you won’t have things growing out of your ear!

Space tours to the far reaches of cosmos – and back home in time for dinner

Celestia is probably one of the coolest apps (ever) that I have come across and it really gets the geek-meter high up there, not to mention it is so educational as well, so if you are a geek, or hungry for some knowledge and exploring or got kids in school who might benefit then read on. You can see the giant hurricane on Jupiter, take a quick spin to the moon Io, set off for icy Europa and zoom back to Earth. All these computer simulations are possible using Celestia which is a free real-time space simulation that lets you experience our universe in three dimensions. Unlike most planetarium software, Celestia doesn’t confine you to the surface of the Earth. You can travel throughout the solar system, to any of over 100,000 stars, or even beyond the galaxy. All travel in Celestia is seamless; the exponential zoom feature lets you explore space across a huge range of scales, from galaxy clusters down to spacecraft only a few meters across. A ‘point-and-goto’ interface makes it simple to navigate through the universe to the object you want to visit.

You control your position and velocity using a series of simple keystrokes and you can have shortcuts that transports you to say Mars, Saturn or any location in the universe that you define. In addition to space, you can also travel through time. For example you can position yourself outside the solar system and watch the planets zip around the sun as if the universe was running on fast-forward. You can also visit the Russian space station Mir starting on Feb. 20th 1986 (when it was launched) to March 23 2001 (when it fell back to Earth). If you try and find it on say March 24th 2001, then you won’t find it.

The coolest factor is that this is all open source which allows everyone to improve it and contribute to it. There are many people who had created add-ons. Celestia can also take you to places that never existed, because many people created add-ons that re-create fictional words from scifi such as the planet Tatooine (from Star Wars) or the space station from 2001: A Space Odyssey.

This allows you to create your own customised tours through the galaxies and also allows you to share it with the others on the net. The author, Chris Laurel is a Microsoftee, who took a year and half off to explore his 3D graphics programming skills.

If you are interested in creating your own add-ons then check out the Introduction to Celestia Addons.

Pocket PC Emulator Issue in VS 2005 Beta (Refresh 1)

I was recently playing with the new compact framework part of Visual Studio 2005 Beta 1 (which is released with the VSTS Edition) and am having a tough time getting to the emulator to wok when I try and debug the application. This is a simple hello world application and I tried using all of the following emulators with no luck:

  • Pocket PC 2003 SE Emulator
  • Pocket PC 2003 SE Emulator (Legacy)
  • Pocket PC 2003 SE VGA Emulator

Every time I try and “Deploy” to that the emulator comes up fine and I can connect to it, etc. but it cannot install the application for it and always get the Deploy error message (see the screen shots below). Also every time I try and “Power Off” the emulator, it comes right back up and does not really quit – it does not matter, if I save the state or do a soft or hard reset. All this time VS.NET is waiting for the emulator to exit. Ultimately I have to kill the process (DeviceEmulator.exe).

Image 1: The Emulator “Boots” Fine

Image 2: Other applications work fine

Image 3: I can also connect to the internet

Image 4: VS.NET is not Happy

I also get the following errors below, which are probably the crux of the issue.

No way to resolve conflict between “System.Xml, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=969db8053d3322ac, Retargetable=Yes” and “System.Xml, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=969db8053d3322ac”. Choosing “System.Xml, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=969db8053d3322ac, Retargetable=Yes” arbitrarily.

No way to resolve conflict between “System, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=969db8053d3322ac, Retargetable=Yes” and “System, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=969db8053d3322ac”. Choosing “System, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=969db8053d3322ac, Retargetable=Yes” arbitrarily.

No way to resolve conflict between “System.Windows.Forms, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=969db8053d3322ac, Retargetable=Yes” and “System.Windows.Forms, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=969db8053d3322ac”. Choosing “System.Windows.Forms, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=969db8053d3322ac, Retargetable=Yes” arbitrarily.

No way to resolve conflict between “System.Drawing, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=969db8053d3322ac, Retargetable=Yes” and “System.Drawing, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=969db8053d3322ac”. Choosing “System.Drawing, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=969db8053d3322ac, Retargetable=Yes” arbitrarily.

ResGen.exe /useSourcePath /r:”..\..\..\Program Files\Microsoft Visual Studio 8\SDK\v2.0\CompactFramework\WindowsCE\Microsoft.WindowsCE.Forms.dll” /r:”..\..\..\Program Files\Microsoft Visual Studio 8\SDK\v2.0\CompactFramework\WindowsCE\mscorlib.dll” /r:”..\..\..\Program Files\Microsoft Visual Studio 8\SDK\v2.0\CompactFramework\WindowsCE\System.Data.dll” /r:”..\..\..\Program Files\Microsoft Visual Studio 8\SDK\v2.0\CompactFramework\WindowsCE\System.dll” /r:”..\..\..\Program Files\Microsoft Visual Studio 8\SDK\v2.0\CompactFramework\WindowsCE\System.Drawing.dll” /r:”..\..\..\Program Files\Microsoft Visual Studio 8\SDK\v2.0\CompactFramework\WindowsCE\System.Windows.Forms.dll” /r:”..\..\..\Program Files\Microsoft Visual Studio 8\SDK\v2.0\CompactFramework\WindowsCE\System.Xml.dll” /compile Form1.resx,obj\Debug\PocketPCApplication1.Form1.resources

Csc.exe /noconfig /nostdlib+ /warn:4 /define:DEBUG;TRACE /reference:”..\..\..\Program Files\Microsoft Visual Studio 8\SDK\v2.0\CompactFramework\WindowsCE\Microsoft.WindowsCE.Forms.dll” /reference:”..\..\..\Program Files\Microsoft Visual Studio 8\SDK\v2.0\CompactFramework\WindowsCE\mscorlib.dll” /reference:”..\..\..\Program Files\Microsoft Visual Studio 8\SDK\v2.0\CompactFramework\WindowsCE\System.Data.dll” /reference:”..\..\..\Program Files\Microsoft Visual Studio 8\SDK\v2.0\CompactFramework\WindowsCE\System.dll” /reference:”..\..\..\Program Files\Microsoft Visual Studio 8\SDK\v2.0\CompactFramework\WindowsCE\System.Drawing.dll” /reference:”..\..\..\Program Files\Microsoft Visual Studio 8\SDK\v2.0\CompactFramework\WindowsCE\System.Windows.Forms.dll” /reference:”..\..\..\Program Files\Microsoft Visual Studio 8\SDK\v2.0\CompactFramework\WindowsCE\System.Xml.dll” /debug+ /optimize- /out:obj\Debug\PocketPCApplication1.exe /resource:obj\Debug\PocketPCApplication1.Form1.resources /resource:obj\Debug\PocketPCApplication1.Properties.Resources.resources /target:winexe Form1.cs Form1.Designer.cs Program.cs Properties\AssemblyInfo.cs

Does anyone have any idea on what is wrong or point me in the right direction?

Another week, a bunch of MS Security holes plugged!

Microsoft today just released another update on a security hole. This honestly is good, that the holes are being identified and being plugged. Yes, I am sure there are the “bashers” who would scoff at it, but the reality is, in the millions of lines of code across various products, such thing creeps in and its better to accept the responsibility (Microsoft) and do something about it rather than being in denial.

The bulletin today affects various components of the OS that address network-based remote compromise vulnerabilities in the SMTP service, NTTP service, and NetDDE. Also, on the client side a serious vulnerability has been discovered in compressed (zip) folders. Below is a breakdown of the products:

  1. SMTP Vulnerability (MS04-035)
    • Exchange Server 2003
    • Windows Server 2003
    • Windows XP 64-bit edition
  2. NNTP Vulnerability (MS04-036)
    • Exchange 2000 Server
    • Exchange Server 2003
    • Windows NT 4.0
    • Windows 2000 Server
    • Windows Server 2003
  3. NetDDE Remote Compromise (MS04-031)
    • Windows 2000
    • Windows XP
    • Windows NT 4.0
  4. Compressed Folders Vulnerability (MS04-034)
    • Windows XP
    • Windows 2003

NNTP – A remotely-exploitable buffer overflow condition exists in the NNTP service of modern Windows operating systems. An attacker may gain full control of a vulnerable system through a maliciously-crafted NNTP query. The NNTP service is only enabled by default on installations of Exchange 2000 Server, although it can be manually enabled on other installations.

NetDDE – Network Dynamic Data Exchange is a protocol used for disparate applications to exchange data across a network. It has been largely and essentially was the precursor to DCOM. The NetDDE service contains a buffer overflow vulnerability which might be exploited by a remote and unauthenticated attacker. The NetDDE service does not start by default on modern Windows operating systems. The NetDDE service may be launched without user knowledge by legitimate applications On Windows 2000 and XP. This makes it possible for a user to inadvertently start the NetDDE service. However, on Windows Server 2003 and XP SP2, the NetDDE service is disabled and cannot be started unless explicitly enabled.

Zip/Compressed Folders – Windows XP and Windows Server 2003 have support for Zip file archives bundled in with the operating system through a feature called “Compressed Folders”. If a user can be persuaded to open a maliciously-crafted Zip archive, a buffer overflow vulnerability can be triggered which could lead to remote code execution. Zip archives are commonly regarded as a more-trusted file format, increasing the potential for exploitation.

More Information:

Top 20 computer threats

BBC is running a story that has the Top 20 computer threats unveiled which covers both Windows and Unix/Linux. Here are the top 10 Windows threats:

  1. Web servers & services
  2. Workstation service
  3. Windows remote access services
  4. Microsoft SQL server
  5. Windows authentication
  6. Web browsers
  7. File-sharing applications
  8. LSAS
  9. E-mail programs
  10. Instant messaging

And the top 10 Linux/Unix threats:

  1. Bind domain name system
  2. Web server
  3. Authentication
  4. Version control systems
  5. Mail transport services
  6. Simple Network Management Protocol (SNMP)
  7. Open secure sockets layer (SSL)
  8. Misconfiguration of enterprise services
  9. Databases
  10. Kernel

Update: Change in C# 2.0 and Initialising static fields correctly

If you recall the previous post on instantiating static fields, there seems to have been a flurry of activity at Microsoft. As Peter Hallam writes, it made sense to improve the perf. for the static field initialisers and this you should see in Beta2 of Whidbey. The main issue here as Peter explains is if you have a field initialiser for a static field, which initialises the static field to its default value, you still get a static constructor, or .cctor in CLR speak) which is a significant performance penalty. So this begs the question, why did we not add this optimisation for static fields?

There is a subtle difference between instance field initialisers and static field initialisers. When an instance field initialiser begins execution the value of the field being initialised is guaranteed to be the default value. This is a result of 2 things – instance field initialisers run as the first thing after the object is allocated, even before the call to your base class constructor, and during an instance field initialiser, you cannot reference other instance fields of the object being created. This guarantee, that a field’s value is the default before the initialiser is run, does not hold for static fields. This is illustrated by this nasty example:

class C
    public C () {}

    // Ugh! assigns y = 5
    private static int x = (C.y = 5);

    // … always does work! changes y from 5 back to 0!!!
    private static int y = 0;

More Information:

Google SMS

Google released a new service enabling you to use SMS to run searches. This service as of now is available only in the US. As their FAQ states e.g. Right now, Google SMS only works in the U.S. We’re working hard to make it available when and wherever you’re on the go. In the meantime, how about a little slice of heaven in Little Italy? (try ‘pizza 10013’) (that is a New York zip code for those outside of US). This service includes information like:

  • Phone book listings, including addresses and phone numbers for US businesses and residences.
  • Online product prices for comparison shopping.
  • Answers using Google’s calculator function.
  • Dictionary definitions

How to sending a query?

  • What’s the number I should send queries to?
    • The 5-digit US shortcode 46645 (which corresponds to GOOGL on most phones)
  • Are queries case-sensitive?
    • Nope. You can type ‘help’ and we’ll come to the rescue just as quickly as if you’d typed ‘HELP’.
  • I have big fingers and a tiny keyboard. Can you spare me some typing with a few shortcuts?
    • Glad you asked. We built some nifty shortcuts into Google SMS that should save you from severe finger cramping.
      • Put a period between the business name and the location to make sure you get business listings (‘pizza.10013’ or ‘pottery ma’)’
      • Use ‘D’ or ‘Define’ before the word for dictionary definitions (‘D prosimian’)
      • Use ‘F’ before the product, or ‘price’ or ‘prices’ at the beginning or end of your query to find prices using Froogle (‘F Sony Handycam’ or ‘Sony Handycam price’)

Google SMS (Short Message Service) enables you to easily get precise answers to specialized queries from your mobile phone or device. Send your query as a text message and get phone book listings, dictionary definitions, product prices and more. Just text. No links. No web pages. Simply the answers you’re looking to find.

What you should know about a new Vulnerability in ASP.NET

Microsoft is currently investigating a reported vulnerability in ASP.NET (does not affect ASP) where an attacker can send specially crafted requests to the server and view secured content without providing the proper credentials. This issue affects anyone running any version of ASP.NET on Microsoft Windows 2000 Professional, 2000 Server, XP Professional, and 2003 Server.

The issue at hand really is that does not perform a proper canonicalization (will get to what it is in a minute) of some URLs.

So what should you do? Good question, to begin add additional canonicalization safeguards to your Web application. To easily do this add the Application_BeginRequest event handler in your Global.asax file. Since, this event handler executes for each Web request, it is a convenient location to insert code to help safeguard against canonicalization issues. Here is a sample:

void Application_BeginRequest(object source, EventArgs e) {
    if (Request.Path.IndexOf(‘\\’) >= 0 ||
        System.IO.Path.GetFullPath(Request.PhysicalPath) != Request.PhysicalPath) {
        throw new HttpException(404, “not found”);

What is Canonicalization? It is the process by which various equivalent forms of a name can be resolved to a single, standard name – the so-called canonical name. Data in canonical form is in its most standard or simplest form. Canonicalization is the process of converting data to its canonical form. File paths and URLs are particularly prone to canonicalization issues and many well-known exploits are a direct result of canonicalization bugs.

For example, consider the following string that contains a file and path in its canonical form:

The following strings could also represent the same file:

  • somefile.dat
  • c:\temp\subdir\..\somefile.dat
  • c:\  temp\   somefile.dat
  • ..\somefile.dat
  • c%3A%5Ctemp%5Csubdir%5C%2E%2E%5Csomefile.dat

In example above, characters have been specified in hexadecimal form:

  • %3A is the colon character.
  • %5C is the backslash character.
  • %2E is the dot character.

You should generally try to avoid designing applications that accept input file names from the user to avoid canonicalization issues. Consider alternative designs instead. For example, let the application determine the file name for the user.

If you do need to accept input file names, make sure they are strictly formed before making security decisions such as granting or denying access to the specified file.

More Information:

Quiz: Initialising static fields correctly

Brad Adams has an interesting post on this blog, but before you go and read it, take a crack at it here and let me know what your answer is. There is an interesting thread going on there and I honestly cannot figure out the “bug” and being the impatient fool I am, I need to know the answer! 🙂

A dev on the team recently found a bug in Whidbey a long these lines…  Say you want to initialize the value of a static int to zero… which code should you use (C1 or C2) and, of course the most important point, why?


    class C1


        private static int value = 0;



    class C2


        private static int value;


 You can read it all on Adam’s blog.

Coolest Google View/Browser (yet)

If you have not checked out TouchGraph, then I would recommend to do so. You need Java JRE 1.3+ to view it but it will map out the url and graphically show you how others link to it. You can zoom in/out, limit the lines between the sites, etc. If you want to use it to the max, then make sure to read the instructions.

Below is a snapshot of this Blog – click on it to see the full version.

Update: Instead of clicking on the JRE link above, if you want to get just the Java runtime then get it from – click on the “Get it Now”.

Second Peek at Microsoft's Search Engine

The folks at Redmond, just released a 2nd preview to their new search engine. Based on my little bit of playing around, if this is their answer to Google, then unfortunately there is still a fair amount of work left. I was quite disappointed and instead of “wasting” more time in it went back to Google. E.g. if you search on my name “Amit Bahree” both on Microsoft’s new search or Google you get very different results. What have your findings been?

Patent office rejects Microsoft's FAT Patent

Picked this up from Karan’s post and was quite glad to read it. FAT has been around fro ages and Microsoft trying to patent it does not fit in the common sense mode thinking that most of us are use to (ya right!). Its the same as some bright people in USA tried to patent some of the Ayurvedic medicines that have been practises in India for the past five thousand years, which identify a person’s constitution and treats the person with diet, exercise, meditation, herbs, massage, sun, and breathing to bring harmony to the physical, mental, and spiritual health of the individual.