Most Viewed in January 2017

This site had 21,240 visits in January 2017, from 15,003 unique visitors. The list below is of pages that were each viewed at least 100 times in January 2017.

The stand-out new performer is not what I’d most like to be known for. I don’t look for security vulnerabilities, but when I document API functions I do of course note what errors I’m aware of in the implementation. One such was immediately obvious as letting even a low-integrity user-mode program crash Windows. Almost as obvious was that the coding error has survived unchanged from even the oldest Windows version that I ever received on MSDN discs (now over 20 years ago). I reported it to the Microsoft Security Research Center at the end of December and asked for guidance about how the error could be kept unpublished without compromising my documentation of the relevant functionality. A few weeks later, wanting to move on and not knowing when Microsoft’s timetable might prompt me to return to the subject, I wrote up the details anyway. As I finished, having been ignored for weeks, I published. Within two hours of my linking the published page from any other in the site (so that it could be found), Microsoft asked for removal. Apparently, Microsoft had only just that day got round to examining my report and thus noticed the newly published details. Accept this as coincidence. The point to so-called co-ordinated disclosure is not that it buys the vendor a few weeks in which to do little or nothing. So, I left the page in plain view. Within a day the page had hundreds of visits. So now I know that at least some handful of people follow what I write, and then get the word around if what I write has security implications. I don’t complain of the attention, and I even hope good may come of it, yet it’s not an obvious fit with my vision of this site as an information resource for Windows programming. There’s more than a little for me to think from this. The business model for research into Windows as an aid to Windows programming is tenuous. That it gets attention for the wrong reasons may be a sign that it actually is wrong-headed of me to pursue it.

Nothing else that’s truly new from the preceding year’s revival of research and writing has yet made the cut. The page on Native API Functions, with 130 visits, is new as its own page, but a lot of its text is nearly 10 years old. It was merely assembled into this new page to explain to user-mode programmers why my documentation of NTDLL exports whose names begin with Nt or Zw is in the Kernel section even if the functions aren’t exported for kernel-mode use. Still, there are encouraging signs that what documentation I have yet written of those functions is getting read.

Bubbling under this list, at 99 visits each, are two pages that genuinely are new from last year. One is a practical Demonstration of Self-Profiling, in which a program gets to sample the execution of selected routines in the program’s own code by using otherwise undocumented functions such as NtCreateProfile (only 64 visits, despite being vital to the crash described above). The other is my documentation of the KUSER_SHARED_DATA structure. Microsoft has always semi-documented this structure, in the sense of providing C-language definitions in header files, but from me you get at least the beginnings of some curation, by which I mean not just commentary on the members but also on their changes between versions.

On a personal note, I find myself intrigued by the visits to two old, casually written pages about bugs in Expression Web, as noticed in everyday use. Expression Web is the editor I use for all pages at this site. To a large extent, I seem to be stuck with it from my arguably naive decision to use Front Page when it handily came with other Office programs all the way back in 1997. Front Page was not without its occasional crash, but its development into Expression Web produced what is easily the most bug-ridden commercial software I have ever used. What always astonished me most, however, was not Microsoft’s lack of care but that books and blogs were written about this software and described in some detail this and that feature without ever hinting at the sort of ridiculous misbehaviour that I saw as easily established just from an hour or two of casual observation. Whenever I think of what’s wrong with the software industry, all that writing about Expression Web reminds me that defects in software and the consequent abuses of consumers are not just problems of manufacturing. We who write about software have responsibilities too.

Rank Page Visits
1 (1) Geoff Chappell, Software Analyst 3,739
2 (new) Bug Check From User Mode By Profiling 3,250
3 (2) Licensed Memory in Windows Vista 1,556
4 (3) The Windows Explorer Command Line 1,275
5 (4) KERNEL32 Functions 971
6 (7) Edit Boot Options in Windows Vista 797
7 (22) BCD Elements 766
8 (6) The First Run Page in Internet Explorer 754
9 (12) NTDLL Functions 470
10 (15) Kernel 451
11 (11) Win32 443
12 (9) Kernel Versions 395
13 (29) Notes 390
15 (18) Boot Configuration Data (BCD) 349
16 (19) ADVAPI32 Functions 347
17   Compiler Options 313
18 (5) Notes on Internet Explorer 301
19 (28) Visual C++ 257
20 (27) NTDLL Versions 252
21 (26) SHELL32 Functions 241
22 (20) Boot Options: nx 239
23 (21) Shell 234
23 (10) Consultation 234
25 (14) About This Site 225
26 (33) BCD Objects 222
27 (23) The Advanced Boot Options Menu in Windows Vista 212
28 (12) What’s New? 210
29 (25) The Boot Status Data Log 209
30 (24) Windows Diagnostic Infrastructure 193
31 (30) The API Set Schema 184
31 (34) KERNEL32 Versions 184
33 (32) Boot Options: detecthal 177
34 (28) Internet Explorer 168
35 (51) MSHTML Versions 165
35 (31) Boot Options: truncatememory 165
37 (44) Disable Global Hot Keys 146
38 (42) KERNELBASE Functions 145
39 (41) Windows Kernel Exports 138
40 (40) Software Analysis By Reverse Engineering 137
41 (35) Boot Options: numproc 136
42   The x86 BIOS Emulator 130
42   Native API Functions 130
43 (39) Windows API Sets 125
44 (17) Feedback 122
46 (45) Problems With Tables in Expression Web 119
47 (36) API Sets Added For Windows 10.0 117
48 (50) SYSENTER and SYSEXIT in Windows 116
49 (47) The Service Control Manager Eventlog Provider 110
50 (16) Terms 108
51   The Format Painter in Expression Web 107
51 (8) America Online Exploits Bug in Own Software 107
53   IERTUTIL Functions 106
54 (53) The Windows Explorer 102

The faded titles are just index pages which I presume are viewed only or mainly on the way to others, especially while moving from one Table of Contents (TOC) to another. One of those index pages is just the skimpiest of placeholders, pending my writing an introduction, which I likely never will get round to. The TOCs are omitted entirely. The rank in brackets is from the previous month.