Saturday, November 14, 2009

The Performance of Everyday Things

10:43 PM  cyber news  No comments

I've spent much time fixing code optimizations that added no business value (with often matching performance value). Please do not try to make your code faster unless you need to. The way I handle performance issues on my projects:

  1. Define acceptable performance.
  2. Write my code as simply as possible.
  3. Measure performance: against definition, if performance > acceptable - goto DONE.
  4. /*Performance not acceptable*/ Profile; Fix as simply as possible; goto Measure.
  5. DONE

To be explicit: I'm comfortable using slower patterns if they are clear and simple. As soon as I've hit my acceptable performance bar - I'm done.

With that out of the way, let me discuss a performance riddle I hit this week. I was wandering through some powershell code that processed slews of objects (over 200K of 'em): 
$interestingObjects = @()
foreach ($object in $inputObjects) 
{
    if ($object.IsInteresting) 
    {
        $interestingObjects += $objects
    }
}

$interestingObjects



I'm a real fan of succinct code so I replaced the code with the following and it was much faster:




$inputObjects| where {$_.IsInteresting}



I prefer the succinct version of the code, but why is this one liner so much faster? The answer lies in the type of $interestingObjects:




PS C:\Users\igord> $interestingObjects.GetType()

IsPublic IsSerial Name                                     BaseType
-------- -------- ----                                     --------
True     True     Object[]                                 System.Array



$interestingObjects is an array, so when we add an item, we could end up doing an expensive operation - for example:




$Array + $item :=
     $newArray = new Object[$array.Length+1]
     $array.CopyTo(newArray,0)   # O(N) copy - nasty for large datasets.
     $newArray[$array.Length] = item
     return $newArray



BTW - in .NET List is implemented via an ArrayList. ArrayList is an Array with the helpful property that Add is mostly O(1):








  • If Count already equals Capacity, the capacity of the list is doubled by automatically reallocating the internal array and copying the existing elements to the new array before the new element is added.


  • If Count is less than Capacity, this method is an O(1) operation. If the capacity needs to be increased to accommodate the new element, this method becomes an O(n) operation, where n is Count.

Read More

Friday, October 23, 2009

Do your certificate management in Powershell

11:59 PM  cyber news  No comments

I do a lot of security work, and that means lots of time poking at certificates. Tooling for certificates was never something I was happy with until I stumbled upon powershell. Let me give you a demo: 

PS C:\> cd cert:

PS cert:\> cd .\LocalMachine\My
PS cert:\LocalMachine\My> dir

    Directory: Microsoft.PowerShell.Security\Certificate::LocalMachine\My


Thumbprint                                Subject
----------                                -------
4EE3FDE4FFF422935CAA0CA2783EF2CA601D6DE5  CN=NonSecretGlobalEncryptKey
272BDAC53C26CC5A8067FE6076D2F74797F69AF7  CN=igordm1, OU=Workstations, OU=Machines, DC=redmond, DC=corp, DC=microsof...


PS cert:\LocalMachine\My> cd\
PS cert:> cd .\CurrentUser\Root
PS cert:\CurrentUser\Root> dir | where {$_.Subject -like "*Veri*"}


    Directory: Microsoft.PowerShell.Security\Certificate::CurrentUser\Root


Thumbprint                                Subject
----------                                -------
18F7C1FCC3090203FD5BAA2F861A754976C8DD25  OU="NO LIABILITY ACCEPTED, (c)97 VeriSign, Inc.", OU=VeriSign Time Stampin...
85371CA6E550143DCE2803471BDE3A09E8F8770F  OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized us...
742C3192E607E424EB4549542BE1BBC53E6174E2  OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
4F65566336DB6598581D584A596C87934D5F2AB4  OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5  CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2...
24A40A1F573643A67F0A4B0749F6A22BF28ABB6B  OU=VeriSign Commercial Software Publishers CA, O="VeriSign, Inc.", L=Internet


PS cert:\CurrentUser\Root> $cert = gi 24A40A1F573643A67F0A4B0749F6A22BF28ABB6B

PS cert:\CurrentUser\Root> $cert.ToString()
[Subject]
  OU=VeriSign Commercial Software Publishers CA, O="VeriSign, Inc.", L=Internet

[Issuer]
  OU=VeriSign Commercial Software Publishers CA, O="VeriSign, Inc.", L=Internet

[Serial Number]
  03C78F37DB9228DF3CBB1AAD82FA6710

[Not Before]
  4/8/1996 5:00:00 PM

[Not After]
  1/7/2004 3:59:59 PM

[Thumbprint]
  24A40A1F573643A67F0A4B0749F6A22BF28ABB6B

PS cert:\CurrentUser\Root>
Does the output of $cert.ToString() look familiar? It's actually the ToString() on X509Certificate2. This means as well as having a great certificate store browser, you also get to access the CLR certificate classes interactively - Yeehaw!
Read More

Wednesday, October 21, 2009

Need another monitor? Try a USB Video Card.

8:00 PM  cyber news  No comments





I use 3 monitors at work and it is awesome. My laptop only drives two monitors so for the 3rd monitor I picked up a USB video card,  the  EVGA 100-US-UV16A1 . This thing works (*). The device installs drivers automatically and works like a charm on Windows 7. It only supports upto 1600x1200.  Also, I don't play games so I can't tell you how well that works, but for reading email and viewing OneNote  I can't tell this is a USB video card.



(*) If you're not impressed this thing works, you should be. A back of the envelope bandwidth analysis:



Required Bandwidth:



= 1600pixels x 1200pixels x 24 bits per pixel x 30 frames/second

= 1.38 Gbps



Actual USB 2.0 bandwidth:

= 480Mbps
Read More

Saturday, October 17, 2009

Using TShark

12:55 AM  cyber news  No comments

Today I realized this blog lost its google analytics (GA) tracking. Ooops, I accidentally erased the javascript that talks to Google Analytics in my blog template. I fixed the template on my blog, and wanted to verify my browser was sending data to GA. It takes the GA UI a while to show you data is coming in, so I decided to use tshark to see if my tracker code is working.

Tshark is the command line version of Wireshark, an Ethernet level packet sniffer. Lets see what HTTP GETs occur when I connect to one of my posts:


C:\Program Files\Wireshark>tshark.exe | findstr GET
Capturing on Microsoft
1) 67.936320 192.168.1.100 -> 64.233.169.191 HTTP GET  /2009/07/finding-clr-exceptions-with-visual.html HTTP/1.1 
2) 68.211983 192.168.1.100 -> 64.233.169.191 HTTP GET /dyn-css/authorization.css?targetBlogID=7821316&zx=defa99ec-5585-4463-a42d-a32bf4868482 HTTP/1.1
3) 68.393167 192.168.1.100 -> 64.233.169.139 HTTP GET  /__utm.gif?utmwv=4.5.8&utmn=1895005015&utmhn=ig2600.blogspot.com&utmcs=UTF-8&utmsr=1600x1200&utmsc=32-bit&ut
mul=en-us&utmje=1&utmfl=10.0%20r32&utmdt=Igor%27s%20Computer%20Blog%3A%20Finding%20CLR%20exceptions%20without%20visual%20studio&utmhid=396081822&utmr=0&utmp=%2F
2009%2F07%2Ffinding-clr-exceptions-with-visual.html&utmac=UA-6806517-1&utmcc=__utma%3D91978370.809539203.1241314101.1255744665.1255763228.10%3B%2B__utmz%3D91978
370.1255744665.9.3.utmcsr%3Dblogger.com%7Cutmccn%3D(referral)%7Cutmcmd%3Dreferral%7Cutmcct%3D%2Fhtml%3B HTTP/1.1 
4) 68.393325 192.168.1.100 -> 64.233.169.191 HTTP GET /navbar.g?targetBlogID=7821316&blogName=Igor%27s+Computer+Blog&publishMode=PUBLISH_MODE_BLOGSPOT&navbarType=
BLUE&layoutType=LAYOUTS&searchRoot=http%3A%2F%2Fig2600.blogspot.com%2Fsearch&blogLocale=en_US&homepageUrl=http%3A%2F%2Fig2600.blogspot.com%2F&targetPostID=61412
67244510925043 HTTP/1.1
5) 68.517559 192.168.1.100 -> 64.233.169.191 HTTP GET /2009/07/finding-clr-exceptions-with-visual.html?action=backlinks&widgetId=Blog1&widgetType=Blog&responseTyp
e=js&postID=6141267244510925043 HTTP/1.1
6) 68.601057 192.168.1.100 -> 64.233.169.118 HTTP GET /gadgets/ifr?url=http%3A%2F%2Fwww.google.com%2Ffriendconnect%2Fgadgets%2Fmembers.xml&container=peoplesense&p
arent=http%3A%2F%2Fig2600.blogspot.com%2F&mid=0&view=profile&libs=opensocial-0.8%3Askins%3Adynamic-height%3Agoogle.blog&v=0.463.3〈=en&country=US&communityId
=02722510552710003866&caller=http%3A%2F%2Fig2600.blogspot.com%2F2009%2F07%2Ffinding-clr-exceptions-with-visual.html HTTP/1.1
7) 68.807944 192.168.1.100 -> 64.233.169.118 HTTP GET /gadgets/deps.js HTTP/1.1


What is that __utm.gif we GET in frame 3? How strange that it includes my screen resolution. A quick bing search finds this is indeed the connection to GA. So, my tracking code is good, and you should go learn how to use tshark.
Read More

Wednesday, September 30, 2009

Query the windows event logs via the command line

9:59 PM  cyber news  No comments

Today someone told me "You can find if bibblebob happened by looking in the event viewer". I automate things so I went hunting for a CLI tool to accomplish this task. wevtutil is its name-o.

The query language for wevtutil is confusing. I recommend using the eventvwr.exe GUI to build a custom query, and then pass that query to wevtutil.

Here's an example of finding all the times DHCP started:


C:\Windows\System32>wevtutil qe System /rd:true /f:text /q:"*[System[(EventID=50036)]]" |more
Event[0]:
  Log Name: System
  Source: Microsoft-Windows-Dhcp-Client
  Date: 2009-09-22T17:42:54.667
  Event ID: 50036
  Task: Service State Event
  Level: Information
  Opcode: ServiceStart
  Keyword: N/A
  User: S-1-5-19
  User Name: NT AUTHORITY\LOCAL SERVICE
  Computer: igordm1.redmond.corp.microsoft.com
  Description:
DHCPv4 client service is started

Event[1]:
  Log Name: System
  Source: Microsoft-Windows-Dhcp-Client
  Date: 2009-09-17T20:46:36.179
  Event ID: 50036
  Task: Service State Event
  Level: Information
  Opcode: ServiceStart
  Keyword: N/A
  User: S-1-5-19
  User Name: NT AUTHORITY\LOCAL SERVICE
  Computer: igordm1.redmond.corp.microsoft.com
  Description:
DHCPv4 client service is started


Good Hunting!
Read More

Friday, September 25, 2009

Use cdb to see what files your application is opening.

10:11 PM  cyber news  No comments

In this post I'll show you how to use CDB to intercept CreateFile and see what files your application is opening. For this problem, Process Monitor is often a better tool, but the techniques I demonstrate work for any API you should learn them.

This won't take much time, so if you've never done this before I recommend you follow along.

First Load CDB against cmd: 
 

    C:\Program Files\Debugging Tools for Windows (x64)>cdb.exe cmd.exe

    Microsoft (R) Windows Debugger Version 6.12.0000.526 AMD64
    Copyright (c) Microsoft Corporation. All rights reserved.

    CommandLine: cmd.exe
    Symbol search path is: *** Invalid ***
    ****************************************************************************
    * Symbol loading may be unreliable without a symbol search path.           *
    * Use .symfix to have the debugger choose a symbol path.                   *
    * After setting your symbol path, use .reload to refresh symbol locations. *
    ****************************************************************************
    Executable search path is:
    ModLoad: 00000000`49fc0000 00000000`4a018000   cmd.exe
    ModLoad: 00000000`77c10000 00000000`77db8000   ntdll.dll
    ModLoad: 00000000`779f0000 00000000`77b0e000   C:\Windows\system32\kernel32.dll
    ModLoad: 000007fe`fde90000 000007fe`fdef9000   C:\Windows\system32\KERNELBASE.dll
    ModLoad: 000007fe`febd0000 000007fe`fec6f000   C:\Windows\system32\msvcrt.dll
    ModLoad: 000007fe`fc850000 000007fe`fc858000   C:\Windows\system32\WINBRAND.dll
    ModLoad: 00000000`77b10000 00000000`77c0b000   C:\Windows\system32\USER32.dll
    ModLoad: 000007fe`fee70000 000007fe`feed7000   C:\Windows\system32\GDI32.dll
    ModLoad: 000007fe`febc0000 000007fe`febce000   C:\Windows\system32\LPK.dll
    ModLoad: 000007fe`fe2b0000 000007fe`fe37a000   C:\Windows\system32\USP10.dll
    (1268.1dfc): Break instruction exception - code 80000003 (first chance)
    *** ERROR: Symbol file could not be found.  Defaulted to export symbols for ntdll.dll -
    ntdll!CsrSetPriorityClass+0x40:
    00000000`77cbb790 cc              int     3
    0:000> g
    ModLoad: 000007fe`fe640000 000007fe`fe66e000   C:\Windows\system32\IMM32.DLL
    ModLoad: 000007fe`fe530000 000007fe`fe639000   C:\Windows\system32\MSCTF.dll
    Microsoft Windows [Version 6.1.7110]
    Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

    C:\Program Files\Debugging Tools for Windows (x64)>
    (1268.1c1c): Control-C exception - code 40010005 (first chance)
    First chance exceptions are reported before any exception handling.

Next find something like CreateFile to breakpoint: 
 
    0:001> x *!*CreateFile*
    00000000`779fd6a0 kernel32!CreateFileMappingA ()
    00000000`779ffb30 kernel32!CreateFileMappingW ()
    00000000`77a02740 kernel32!CreateFileW ()
    00000000`77a124b0 kernel32!CreateFileA ()
    00000000`77a3b980 kernel32!CreateFileMappingNumaW ()
    00000000`77a54d50 kernel32!CreateFileMappingNumaA ()
    00000000`77a63740 kernel32!LZCreateFileW ()
    00000000`77a66450 kernel32!CreateFileTransactedW ()
    00000000`77a665f0 kernel32!CreateFileTransactedA ()
    00000000`77c5ea20 ntdll!NtCreateFile ()
    00000000`77c5ea20 ntdll!ZwCreateFile ()
    000007fe`fde94990 KERNELBASE!CreateFileW ()
    000007fe`fde96270 KERNELBASE!CreateFileMappingNumaW ()
    000007fe`fdea3120 KERNELBASE!CreateFileMappingW ()
    000007fe`fdec9cc0 KERNELBASE!CreateFileA ()

Set the breakpoint on Kernel32!CreateFileW (You can figure that out by looking on MSDN) 
 
    0:001> bm kernel32!CreateFileW
    breakpoint 1 redefined
      1: 00000000`77a02740 @!"kernel32!CreateFileW"

Lets open a file and make sure our function is called!
 
    0:002> g

    C:\Program Files\Debugging Tools for Windows (x64)>type c:\foo.txt
    Breakpoint 1 hit
    kernel32!CreateFileW:
    00000000`77a02740 48895c2408      mov     qword ptr [rsp+8],rbx ss:00000000`0024e180=000000000031df00
    0:000>


Our breakpoint is hit. Lets figure out the filename being opened. To do this, we lookup the parameter list of CreateFile on MSDN. Filename is the first parameter. Next we look up the calling convention. On AMD64, the first paramater lives in rcx. Lets dump rcx as a unicode string: 
 
    0:000> du rcx
    00000000`0031a310  "c:\foo.txt"
    0:000>

Awesome - it worked. Lets make our breakpoint automatically print, and continue execution so it's non-intrusive.
 
    0:000> bm kernel32!CreateFileW "du @rcx;g"
    breakpoint 1 redefined
      1: 00000000`77a02740 @!"kernel32!CreateFileW"
    0:000> g

    C:\Program Files\Debugging Tools for Windows (x64)>type c:\fo2.txt
    00000000`0031a310  "c:\fo2.txt"
    The system cannot find the file specified.

    C:\Program Files\Debugging Tools for Windows (x64)>type c:\IgorOpenedThisFile.txt
    00000000`0031b9e0  "c:\IgorOpenedThisFile.txt"
    The system cannot find the file specified.

    C:\Program Files\Debugging Tools for Windows (x64)>

Notice the debugger spew intersperesed with cmd output. Anytime we open a file we'll see it in the spew! Use this approach to debug all sorts of I wonder what's going on problems.
Read More

Tuesday, September 8, 2009

Copying files across parallel directory structures.

10:39 PM  cyber news  No comments

It happens to all of us, you've made a change in branch2, now you need to copy it to branch1. Here's a trick I use to accomplish this task:

C:\src\branch1\mydir\mydir2\mydir3\mydir4>xcopy %cd:branch1=branch2%\foo*
Overwrite C:\src\branch1\mydir\mydir2\mydir3\mydir4\foo.txt (Yes/No/All)? y
C:\src\branch2\mydir\mydir2\mydir3\mydir4\foo.txt
1 File(s) copied


How'd that work? Use echo to find out what happened:

C:\src\branch1\mydir\mydir2\mydir3\mydir4>echo %cd:branch1=branch2%
C:\src\branch2\mydir\mydir2\mydir3\mydir4

For more information run help set.
Read More