The Case of the Notepad that Wouldn't Run

A couple of editor notes

Nic — Mon, 02 Oct 2006 08:11:39 GMT

Hi Mark,

As usual, a very nice writeup that's so helpful to us who sometimes have to investigate why Windows does what it does. I just wanted to warn you that there are two editor's notes (in brackets) still embedded in your entry.

Thanks, and keep up the good work!

Smells of old microsft style a mile away

Gaetano Giunta — Mon, 02 Oct 2006 13:42:02 GMT

Thanks a lot for your article, which lives up to the usual standard (ie. the best windows insight ever, period).

There are a couple of things that I found really interesting here, which are:

- a small, simple piece of software as notepad refusing to run without any kind of error message because its does not find language-specific locales. I hope it is an RC-XX kind of problem, but I have huge fears it will not be as easy as that: I have just been confronted by a (poorly coded?) .aspx app that refused to load and gave strange error messages on users that had their IE preference language set up as "en-securid" (most likely some braindead bsecurity sw was to blame here for th e change, but what about the warped mind of the api designers that let web apps be designed without a fallback language?)

- the doc about uac was illuminating, in its description of the mechanism used for detecting when an executable is an installer and when it is not. I really cannot find any way to define it other than 'laughable': poor design that will lead to security headaches for years to come. Can't MS just stick to common security methodologies that have been in the field for decades? eg. let the user run whatever frickin' executable he wants, and make sure that user-level executables cannot do system-level damage, ever. Was it too hard asking for admin credentials at the very moment when the app tries to access critical section of the system, intead to guestimating 'what it might look likely to try to do'?

Just my 2c.

re: The Case of the Notepad that Wouldn't Run

Norman Diamond — Mon, 02 Oct 2006 13:45:07 GMT

> Then I launched it, expecting to see a
> Consent dialog like the one below ask me to
> grant the renamed Notepad administrative
> rights:

Yikes. I thought that dialog was only asking for consent to run the program.

For safety that dialog ought to be modified to provide three possibilities:
Run the program with administrative rights.
Run the program with ordinary rights.
Don't run the program.

For a lesser amount of safety, just change the wording to say what it will do in each case:
Run the program with administrative rights.
Don't run the program.

The reason the latter change is less safe is that users who want to run the program will surely choose to run it as administrator rather than not running it.

re: The Case of the Notepad that Wouldn't Run

Ilya — Mon, 02 Oct 2006 14:10:46 GMT

Interesting, but I did not catch how new Vista technology would provide better security? Is it somehow restricted to run all these things (to become an admin for some particular file) in scripts.

The case of the Notepad which wouldn’t run « MogBlog

The case of the Notepad which wouldn’t run « MogBlog — Mon, 02 Oct 2006 23:45:12 GMT

PingBack from http://dancmorgan.wordpress.com/2006/10/02/the-case-of-the-notepad-which-wouldnt-run/

re: The Case of the Notepad that Wouldn't Run

catfish — Tue, 03 Oct 2006 00:28:24 GMT

Thanks again for another great post. It does bring up a question. Why is there an assumption that all setup programs require admin access? Since there is no limitations on running programs from your profile (although that would be interesting) as long as the program doesn't enhanced access why single out installers? There may be a few situations where you want to install a program just on one user or test out a program in the relative safety of limited user. I also wonder that since limited user only has full write access to their profile, where should an program should be install into by default? Create a %USERPROFILE%\Program Files\... ? Thinking about any nt based windows, not just vista. And not just .msi files.

re: The Case of the Notepad that Wouldn't Run

Mike Dimmick — Tue, 03 Oct 2006 00:31:45 GMT

Gaetano: how would you stop an application constantly trying to perform administrative functions and spamming the user with consent dialogs? How would you handle programs which work fine on Windows XP as a limited user, which correctly handle the error return values when attempting to perform some administrative task? UAC creates a consent dialog at the start of a program, and that's it. Ilya: UAC only kicks in when a program is run from Explorer. No consent dialogs appear when running a program from a command prompt, from within a script, or programmatically. They run with the permissions of the parent process (typically CMD.EXE). To perform administrative tasks from a command window, right-click a Command Prompt shortcut and select Run As Administrator.

re: The Case of the Notepad that Wouldn't Run

Norman Diamond — Tue, 03 Oct 2006 05:44:35 GMT

Monday, October 02, 2006 5:31 PM by Mike Dimmick > Gaetano: how would you stop an application > constantly trying to perform administrative > functions and spamming the user with consent > dialogs? Not being Gaetano, my answer might be different. When an application tries to perform an administrative function, Windows will ask the user. If the user approves, the application gets the privileges. If the user disapproves, the application gets the denial. If the user asks to be asked again later, then Windows will make some decision about this time but will ask the user again the next time the program tries to perform an administrative task. There is precedent for this. When a program tries to access the network, Windows Firewall asks the user. The user can say to approve, disapprove, or be asked again later. If the user chooses to be asked again later then Windows decides whether or not to grant the access this particular time. Of course the precedent also shows an improvement that could be made: the user could be given a chance to deny this time but be asked again later.

re: The Case of the Notepad that Wouldn't Run

Gaetano Giunta — Tue, 03 Oct 2006 11:11:47 GMT

Mike: I would imagine that a sort of granted-security-permissions cache is present, so that after an app. has triggered a 'need more perms' dialog once, subsequent provileged calls will not trigger it anymore (afaict both sudo and macosx do it). I also strongly agree with catfish: why should a security dialog pop up if the software just wants to be installed in the user folders / reg hive, and needs no special admin privileges? Besides, I can only imagine that the 'bad guys' will immediately make sure their self-installing code has the correct name and resource strings to escape this basic security anlysis, so there seems to be little security added in doing the 'guestimate'. Also, I do not see how asking beforehand for admin privileges would change with apps "which correctly handle the error return values when attempting to perform some administrative task". I am not too versed in windows development, but I can imagine keeping backwards compatibility with 'bad' apps can be a gret hinderance. Isn't the introduction of a new OS the best (only?) opportunity to deprecate old habits and force third party developers to straighten up their act? ps: Note to self: always count to a hundred before posting flames.

re: The Case of the Notepad that Wouldn't Run

kiwiblue — Tue, 03 Oct 2006 12:13:41 GMT

So the next piece of malware is going to come as email message with 'windows_update.exe' attachment. User gives the consent with UAC, and puff, there's a cloud of orange smoke.

Where's the real benefit of UAC?

bluvg — Tue, 03 Oct 2006 22:46:07 GMT

I have the same concern that many others have--if users weren't stopped from clicking through warnings on running unknown executables on XP SP2, why should we expect them not to click through the dialogs to allow an install of a piece of malware with the filename "setup.exe"?

re: The Case of the Notepad that Wouldn't Run

Dean Harding — Thu, 05 Oct 2006 03:06:35 GMT

> I have the same concern that many others have--if users weren't stopped from clicking through > warnings on running unknown executables on XP SP2, why should we expect them not to click through > the dialogs to allow an install of a piece of malware with the filename "setup.exe"? There are only so many hoops that you can make people jump though. Internet Explorer (and I assume Outlook Express?) run in Protected mode which provides more, well, protection, than running a program from windows explorer. But there's still nothing stopping a user from download a malware application, saving it to their desktop, double-clicking it, and clicking on "Allow". As Larry Osterman says, if people want to see the dancing bunnies, they damnit, they'll SEE the dancing bunnies. > I am not too versed in windows development, but I can imagine > keeping backwards compatibility with 'bad' apps can be a gret hinderance It's actually a GOOD app that would correctly handle an "access denied" error and degrade gracefully. It's the bad apps that would require the prompt as soon as they tried to do something admin-y. Good apps that ARE admin-y should be asked up-front (to provide a better experience). Good apps that do not need to be admin-y should not get asked at all. Now the better experience I mentioned was that if you launch an admin-y app, and if the admin-consent dialog only popped up on your first admin-y thing, then each time you run it, the admin-consent dialog would pop up in seemingly random places (depending on what admin-y thing you did first). Popping it up at the start provides a consistent experience.

re: The Case of the Notepad that Wouldn't Run

Scotlandard — Thu, 05 Oct 2006 11:03:20 GMT

I like your article Mark, very informative. But in next articles can you turn off some strong colors like you do in this article. They look pretty much like flowers.

re: The Case of the Notepad that Wouldn't Run

kiwiblue — Thu, 05 Oct 2006 13:47:54 GMT

"Popping it up at the start provides a consistent experience." Agree, but it looks like UAC itself is not providing _any_ new protection in such case. You only need to give the consent once at program startup, through dialog confirmation - just like you do today. Given the extremely intrusive nature of UAC, the question is: was it worth implementing in the first place?

re: The Case of the Notepad that Wouldn't Run

Gaetano Giunta — Thu, 05 Oct 2006 19:49:25 GMT

"Popping it up at the start provides a consistent experience." It probably does. I have not downloaded and tested vista myself (yet), but there are many, many blogs that complain about how the UAC dialogs always pop up at unexpected times / are very hard to correlate to the specific permission that is being asked to the user. Otoh I have tested ubuntu and macOsX, and every single time the root pwd is asked, it easy very easy to tell why (of course, I'm an it guy, not avg. joe). I think this reflects a very common ui strategy on the part of microsoft: every time something is deemed too hard to understand by the user, "hide it". Note that is is very different from "make it simpler" or "remove it alogether". This is sadly a great burden for everybody, because users are never pushed towards learning the way their computer works / why things happen, but instead get accustomed to use a magical-mysterious-tool that works almost ok 50% of the time and the other 50% is just plain crazy. A golden standard of this was removal of filename extension from the default view in explorer: the extension part is still there, and it is what is actually being used by the os to take decisions, but it is not shown to the user anymore. Sense is lost forever. No new user will ever learn that renaming a file changing the extension will change its icon and make it open with a different app. I still am convinced that in this case "sense" is lost, too: uac dialogs are there to augment security. renaming an app to setup.exe has nothing to do with security. uac dialogs should not be triggered. as easy as aristotle would have had it...

re: The Case of the Notepad that Wouldn't Run

andy vt — Thu, 05 Oct 2006 20:54:27 GMT

The real benefit of UAC is that the user account is running as a user instead of an administrator, unless they opt-in to an escalated context. It is true that you cannot stop someone from destroying their PC if they really want to. Installing a piece of software is always a risk, even from established vendors (never had an Office install go horribly awry?). But UAC adds real value because it adds a tangible layer of protection when not installing software. When the majority of applications that a user runs don't prompt them to authorize the application, they should realize there is a difference between normal applications and the one that's asking for permission and think twice about why the application is causing the computer to look funny. I have issues with UAC, but I've learned to live with it for the most part. It is annoying, but there are enormous benefits to not having admin rights all the time. Trust me, it beats the snot out of running as a user in XP.

re: The Case of the Notepad that Wouldn't Run

kiwiblue — Thu, 05 Oct 2006 22:18:03 GMT

"But UAC adds real value because it adds a tangible layer of protection when not installing software." As you can see above, it's trivial to make UAC think you're installing something. 'setup' or 'update' in the filename is enough. Maybe there are some benefits of UAC, but malware will easily work around its "protection".

re: The Case of the Notepad that Wouldn't Run

David Levine — Fri, 06 Oct 2006 19:22:54 GMT

The reason why it did not launch the app should be logged to the event log. It should not take a person of Mark's capbilities just to figure out why an application did not run. A failure like that should leave some breadcrumbs somewhere in the system to help diagnose the problem.

re: The Case of the Notepad that Wouldn't Run

kshipper — Fri, 06 Oct 2006 20:28:00 GMT

Another good one Mark! May I suggest you do the same investiagtion on Adobe Reader next time? Even the full version 7.0 seems to bring even the best PCs to it's knees. What is this program doing that causes the long delays?

re: The Case of the Notepad that Wouldn't Run

Wed, 11 Oct 2006 03:32:06 GMT

Scotlandard: Those colors are from Windiff.

re: The Case of the Notepad that Wouldn't Run

sandeep kumar — Fri, 13 Oct 2006 15:13:03 GMT

Interesting!!! I went one step ahead to find what is in an exe that lets UAC decide that this is setup or not and i could find this by opening the file I named notepad-setup.exe in notepad itself. I noticed that it had something like "I n t e r n a l N a m e N o t e p a d" in this file. Which when i replaced by "I n t e r n a l N a m e S e t u p " (Taking care of not removing white spaces, assuming they are mere white spaces) and saved this file.

Next time running notepad-setup.exe i could see the Consent UI launching.

Last thing i wanted to point here is a correction/addition to your article that when you copy .mui file to your profiles directory then you also need to change the name to notepad-setup.exe.mui to get things working.

re: The Case of the Notepad that Wouldn't Run

Ruy Lopez — Fri, 13 Oct 2006 16:24:50 GMT

This is really an echoing of catfish's sentiments regarding "/Program Files." Is there really a pressing need for every setup.exe to use this directory? And why isn't there, as catfish says, some userland version of "Program Files", for applcations which, in their normal execution, don't require elevated privileges. I guess it redounds upon the developers to isolate aspects of their applications which require privileges - the execution of which would prompt a user for his admin password - from the run-of-the-mill processes that don't need elevation. Mark's investions, as always, are comprehensive. But I can't see my neice following the debugging output wheneven her ponys.exe doesn't work.

re: The Case of the Notepad that Wouldn't Run

Vince P — Mon, 23 Oct 2006 02:12:05 GMT

It's funny reading the complaints about Notepad's original code not handling these errors gracefully or to some silly n'th degree.

Did it occur to you people that Notepad was coded with some assumptions in mind so that the errors that Mark forced to happen probably didn't justify the cost involved in handling them.

I'd love to see some of your code and then see how you live up to your own expectation of others.

re: The Case of the Notepad that Wouldn't Run

Henrik Brandbye — Mon, 23 Oct 2006 17:59:11 GMT

Sandeep:

When you made the change of "I n t e r n a l N a m e S e t u p " in the file, you probably messed up the signing (hash value, or whatever), making the new .exe appear to NOT be an orriginal MS program (which it isn't anymore).

That is why you saw the Consent UI.

re: The Case of the Notepad that Wouldn't Run

Aaron — Wed, 25 Oct 2006 23:52:34 GMT

Mark, this is a bit off topic, but I would be interested to see you blog about the controversy over "Patch-Guard" that has been publicized in the last month. I'd like to see an unbiased opinion of whether patch-guard is something that will improve Window's security or whether it will cripple security solutions' ability to fight malware.

Just a suggestion.

~Aaron~

re: The Case of the Notepad that Wouldn't Run

Austin — Mon, 30 Oct 2006 00:59:03 GMT

Mike Dimmick:

Try running diskpart.exe in command prompt and you will get a UAC prompt.

re: The Case of the Notepad that Wouldn't Run

Stanislav — Tue, 31 Oct 2006 09:02:09 GMT

Mark - nice article! It is pitty you do not write more often. Does it mean, that now when in Microsoft, you see there are so many things to fix(?)...- and therefore do not have time for blogging?.

Anyway, thanks for any upcomming articles! Stanislav

re: The Case of the Notepad that Wouldn't Run

Cheong — Thu, 02 Nov 2006 05:08:23 GMT

Preheps it'll be better if certain warning message will show up if ther mui file cannot be found.

Or perheps if Windows treat it as the ".file" content folder when you save a webpage in IE with "Webpage, complete" option, that if you move it around, the folder will be moved too.

re: The Case of the Notepad that Wouldn't Run

Mike — Wed, 08 Nov 2006 19:52:31 GMT

What I want to know, is whether regedit.exe still opens a UAC prompt.

Under Vista beta 1 (i think) I was /unable/ to run regedit as a limited user.

re: The Case of the Notepad that Wouldn't Run

Deimos — Mon, 13 Nov 2006 01:55:57 GMT

Hi Mark,

I just did realize that you have moved into Microsoft.

First thought i had when I realized that it wasn't a mistake when i tried to reach your old site, was that you somehow had betrayed all of

us, but now i'm considering the idea that this could bennefit all of us. For you i guess is a great oportunity, and for us because sure you will mark a difference inside there.

I want to thank you for all the GREAT work you have bring to us, and i hope that with you inside microsof, it will finally become a OS, an OS that really works the way it should!

Best regards and whishes,

Deimos

re: The Case of the Notepad that Wouldn't Run

moodjbow — Sat, 02 Dec 2006 00:37:13 GMT

====================

"that heuristic setup detection only applies to files that don’t have an embedded manifest that specifies a security TrustLevel. Notepad, like all the Windows executables in Windows Vista, does include a manifest."

So what would stop the bad guy to write the same manifest in a malicious software?

re: The Case of the Notepad that Wouldn't Run

FalconZ — Thu, 05 Apr 2007 00:15:47 GMT

I am surprised only one person has commented at all on NOTEPAD's inablity to find the mui file. I feel even though it's included with windows that it is quite surprising the assumsion was made to hardcode the relative folder path to the ".mui". I can't say that I usually make additional copies of notepad.exe (although WinPE disk are a good example) but, why would there not be a check (say, a REG key) for the default MUI location? Then check the relative path, and maybe the folder the EXE started from. Last resort fall back on staticly linked strings table in the EXE. I know including the strings would impact filesize but, as large as things are these days, what's a few string's (could even be abbrievated since it's a fallback option). On the other hand MS has never cared about bloat have they? Regaurdless there should have at least been a 'MUI File not Found ERROR'.

Random irreverent thoughts about the Ultimate Fallback

Sorting It All Out — Thu, 05 Jul 2007 00:54:54 GMT

Last night on TBS was an old Friends episode, The One With the Ultimate Fighting Champion. In it, Pete

re: The Case of the Notepad that Wouldn't Run

Promo — Sat, 09 Feb 2008 03:09:27 GMT

I've grown to loathe the UAC in Vista.

Falconz, the default locations and overall folder structure changes in Vista I'll never understand.