Skip to main content

Posts

How do we list out files in Recycle Bin (Windows 7)

In this post, I tried to enumerate files within recycle bin using a small Win32 program. As we know that recycle bin is a special folder on Windows File System. The location of this directory is not in the registry; it is marked with hidden and system attributes to prevent the user from moving or deleting it. The steps to list out the contents of Recycle bin are as below: 1. It's a special folder denoted by CSIDL_BITBUCKET, which we need to pass to the function SHGetFolderLocation() method. 2. Source code snippet, I've avoided checks as much as possible to make the code simple and clean: int _tmain(int argc, _TCHAR* argv[]) {     LPITEMIDLIST pidlWinRecycleFiles    = NULL;     LPITEMIDLIST pidlItems                = NULL;     IShellFolder *psfWinRecycleFiles    = NULL;     IShellFolder *psfDeskTop       ...

Locking a physical disk on windows....

In this, I've tried to lock a physical disk using a small Windows C++ program. The steps to follow to achieve this are: 1. Get the Physical Drive and volume mapping. Say, the computer is attached with three physical drives, and we're interested to lock the Physical Drive 1 ("\\\\.\\PhysicalDrive1"). Then we need to figure out how many volumes are there on that physical disk. 2. Then Lock that volume one by one using control code FSCTL_LOCK_VOLUME . 3. Do the stuff we'd like to perform on the disk and then unlock each volume using control code  FSCTL_UNLOCK_VOLUME . 4. Close disk and volume handle(s). Few things to remember here. As per Microsoft documentation, a. The NTFS file system treats a locked volume as a dismounted volume. b. Lock volume call will fail with Access Code 5 (Access Denied) if the volume is in use. If we're not sure who's using the volume, just unmount it once. c. The FSCTL_DISMOUNT_VOLUME control code functions similarl...

Starting with Windows Media

I've decided to spend some more time on a few areas which I've learned during my association with my gurus in the software industry. There are few people in the United States and also in India who have helped me to shape myself. Predominantly I'm not an outspoken person, but those seniors understood that I had little hunger for knowledge and provided me that information and helped me to come to this stage. Windows Media Stack, when I started working on it, I was the most nervous person because very soon I realized this is not going to be easy stuff to handle. Indeed, it's the most complex programming world I've ever faced or challenged before. I started my journey on Media Stack for Windows with the help of James Dailey. I can remember those days when he came from the US and delivered his series of lectures. It was amazing. This was an entry towards a world where programming, troubleshooting, debugging, etc isn't an easy task at all but also full of great lear...

Deep Dive to Windows, Part 4

Launched a process sample_Hello through WinDbg and observed following events: ModLoad: 00400000 0041c000    Sample_Hello.exe ModLoad: 77980000 77b00000    ntdll.dll ModLoad: 76b10000 76c20000    C:\Windows\syswow64\kernel32.dll ModLoad: 76d20000 76d67000    C:\Windows\syswow64\KERNELBASE.dll ModLoad: 67fd0000 680ce000    C:\Windows\WinSxS\x86_microsoft.vc80.debugcrt_1fc8b3b9a1e18e3b_8.0.50727.6195_none_e4a70117006762dd\MSVCP80D.dll ModLoad: 670e0000 67201000    C:\Windows\WinSxS\x86_microsoft.vc80.debugcrt_1fc8b3b9a1e18e3b_8.0.50727.6195_none_e4a70117006762dd\MSVCR80D.dll ModLoad: 77050000 770fc000    C:\Windows\syswow64\msvcrt.dll (3c0.1324): Break instruction exception - code 80000003 (first chance) eax=00000000 ebx=00000000 ecx=fb480000 edx=0008e3c8 esi=fffffffe edi=00000000 eip=77a20fab esp=0018fb08 ebp=0018fb34 iopl=0          nv up ei pl zr na pe...

Detect Antivirus installed on Windows 7

In this article, I've tried to show how we can detect antivirus product installed on a Windows system. The code is written is specifically for Windows 7. The basic idea here is to use WMI from C++. Here are the steps: 1. To Setup WMI consumer, set up COM by calling CoInitializeEx . 2. Initialized COM process security by calling CoInitializeSecurity . 3. Obtained the initial locator to WMI by calling CoCreateInstance. 4. Obtained a pointer to IWbemServices for the root\cimv2 namespace on the local computer by calling IWbemLocator::ConnectServer . 5. Set IWbemServices proxy security so the WMI service can impersonate the client by calling CoSetProxyBlanket . 6.Used the IWbemServices pointer to make requests of WMI. This executes a WQL query for the antivirus product installed by calling IWbemServices::ExecQuery . The following WQL query is one of the method arguments. SELECT * FROM AntiVirusProduct The result of this query is stored in an IEnumWbemClassO...

About Windows Executable File Size

This post is basically an effort to know what happens when we compile a simple Hello World program on Windows. In this case, I've used Visual Studio 2005. First I've written a small usual Hello World program with all default settings provided by Visual Studio 2005. The program looks like below: int main(void) {     printf("Hello World build on VS 2005--Default\n");     return 0; } The program compiled against the default C-runtime library. No changes have been done in any settings. I've built it in Debug as well as in release mode. In Debug build, the program size is  40 KB . In release build: Its size is 6 KB . Now I've written another Hello World Program but switched off the default C-Runtime library. Rather, I've used the standard Windows library and provided definitions of functions like printf as well as the CRT start-up function. I've also switched off Buffer Security Check and Basic Runtime checks set to Default. The last two setti...

HDD enumeration and info retreive - another way

In this part I tried to enumerate all physical hard disk drive (HDD) attached to the system and tried to query to those attached physical drive to get the disk information like Vendor ID, Product ID, Product Revision, Serial number etc. In my last blog, I've tried to get physical hard disk drive count through volume map, but in this post, I tried get it through "SetupDiGetClassDevs" API. All the SetupDiXXX APIs are very powerful APIs. These APIs along with DeviceIoControl API helps to retrieve very useful information regarding devices. So, I'm not going to talk much on this rather let MSDN to speak about this APIs. Let's see what are other information that we can get on HDD attached to the system through the usage of this API: void printStorageDeviceProperty(UCHAR *outBuf, const DWORD returnedLength) {     PSTORAGE_DEVICE_DESCRIPTOR            devDesc;     PUCHAR       ...