2010-02-28

Paranoia and Filtility

While trying to figure out why Vista sometimes can't seem to read optical media, I came across this rather amusing nugget regarding minifilters, aka file system filter drivers:
"A file system filter driver intercepts requests targeted at a file system or another file system filter driver. By intercepting the request before it reaches its intended target, the filter driver can extend or replace functionality provided by the original target of the request. "
Source: http://www.microsoft.com/whdc/driver/filterdrv/default.mspx

Well, golly, seems sort of scary to me; as if it weren't bad enough having keyboard hooks for any aspiring malware writer to whet their skills with, now Microsoft makes it easy for any skript kiddie to get themselves inserted between me and my data.  

I realize this functionality existed before, but, gosh, it's just so EASY now.  What's eye-opening to me, though, is that I had no idea about it; it's been around since XP!  

Obviously, the first thing I did after reading about it was to see what was hanging about on my system:
C:\bin\si>fltmc

Filter Name                     Num Instances    Altitude    Frame
------------------------------  -------------  ------------  -----
aswFsBlk                                7       388400         0
PROCMON20                               1       385200         0
aswMonFlt                               9       320700         0
luafv                                   1       135000         0
SbieDrv                                 8        86900         0
FileInfo                                9        45000         0

Huh.  Happily, Microsoft provides a handy reference in the form of an Excel spreadsheet of all 'registered' filters: http://www.microsoft.com/whdc/driver/filterdrv/alloc-alt.mspx (File System Minifilter Allocated Altitudes); aswFsBlk belongs to... Avast.  As does aswMonFlt.  The amusing part is that I only use Avast to scan some large data drops... never for the resident shield. (For that matter, I don't use any AV... but I also don't use IE, so... it works.)  It looks like Avast needs its wedge to exist constantly.  This, I think, is the final straw regarding antivirus for me; I'm tossing the lot of them (AVG, Avast, Avira...) into a VM and scanning from there.
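As an added illustration (this is not code from the original post), the script below parses the `fltmc` listing shown above and maps each filter's altitude to Microsoft's minifilter load-order group, so a quick triage shows which filters sit in the anti-virus, activity-monitor or virtualization ranges before anyone goes hunting in the spreadsheet. The group ranges are transcribed from Microsoft's published load-order-group table and are an assumption to be checked against the allocated-altitudes list linked above; the `KNOWN_FILTERS` allowlist is constructed for the example.

```python
"""Inventory loaded minifilters from `fltmc` output and map altitudes to
load-order groups.  Added example; not from the original post."""
import re

# Load-order groups and altitude ranges, transcribed from Microsoft's
# published minifilter altitude table.  ASSUMPTION: verify against the
# allocated-altitudes spreadsheet before relying on these boundaries.
LOAD_ORDER_GROUPS = [
    (400000, 409999, "FSFilter Top"),
    (360000, 389999, "FSFilter Activity Monitor"),
    (340000, 349999, "FSFilter Undelete"),
    (320000, 329999, "FSFilter Anti-Virus"),
    (300000, 309999, "FSFilter Replication"),
    (280000, 289999, "FSFilter Continuous Backup"),
    (260000, 269999, "FSFilter Content Screener"),
    (240000, 249999, "FSFilter Quota Management"),
    (220000, 229999, "FSFilter System Recovery"),
    (200000, 209999, "FSFilter Cluster File System"),
    (180000, 189999, "FSFilter HSM"),
    (170000, 175999, "FSFilter Imaging"),
    (160000, 169999, "FSFilter Compression"),
    (140000, 149999, "FSFilter Encryption"),
    (130000, 139999, "FSFilter Virtualization"),
    (120000, 129999, "FSFilter Physical Quota Management"),
    (100000, 109999, "FSFilter Open File"),
    (80000, 89999, "FSFilter Security Enhancer"),
    (60000, 69999, "FSFilter Copy Protection"),
    (40000, 49999, "FSFilter Bottom"),
    (20000, 29999, "FSFilter System"),
    (0, 19999, "FSFilter Infrastructure"),
]

# Constructed allowlist of filters the operator has already accounted for.
KNOWN_FILTERS = frozenset({"PROCMON20", "FileInfo", "luafv"})

# Sample input: the fltmc listing from the post, embedded so this runs offline.
SAMPLE_FLTMC = """\
Filter Name                     Num Instances    Altitude    Frame
------------------------------  -------------  ------------  -----
aswFsBlk                                7       388400         0
PROCMON20                               1       385200         0
aswMonFlt                               9       320700         0
luafv                                   1       135000         0
SbieDrv                                 8        86900         0
FileInfo                                9        45000         0
"""

# name, instance count, altitude (may carry a fractional part), frame
ROW_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\d+(?:\.\d+)?)\s+(\d+)$")


def parse_fltmc(text):
    """Parse `fltmc` / `fltmc filters` output into a list of dicts.

    Header, separator and 'No filters loaded' lines do not match ROW_RE
    and are skipped, so the whole command output can be fed in as-is."""
    filters = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        name, instances, altitude, frame = m.groups()
        filters.append({
            "name": name,
            "instances": int(instances),
            "altitude": float(altitude),
            "frame": int(frame),
        })
    return filters


def load_order_group(altitude):
    """Return the load-order group whose range contains `altitude`."""
    for low, high, group in LOAD_ORDER_GROUPS:
        # fractional altitudes such as 389999.5 still belong to the range
        if low <= altitude < high + 1:
            return group
    return "unallocated"


def classify(text, known=KNOWN_FILTERS):
    """Return (name, altitude, group, status) rows, highest altitude first.

    Higher altitudes attach nearer the top of the stack and see a request
    before lower ones, so this is the order an I/O request traverses."""
    rows = []
    for f in sorted(parse_fltmc(text), key=lambda f: -f["altitude"]):
        status = "known" if f["name"] in known else "REVIEW"
        rows.append((f["name"], f["altitude"], load_order_group(f["altitude"]), status))
    return rows


if __name__ == "__main__":
    for name, alt, group, status in classify(SAMPLE_FLTMC):
        print(f"{name:<12} {alt:>9.0f}  {group:<30} {status}")
```

Run it against a live system with `fltmc filters > filters.txt` and feed the file to `classify()`; anything marked REVIEW is a filter you have not yet traced to a vendor in the allocated-altitudes list.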

I mean, seriously, why does a program need a filter in place to open and read a file?  When that's ALL I want it to do?  

PROCMON20, of course, is Process Monitor's wedge.  This one makes sense; it needs to monitor all file I/O to show me pretty screens of ACCESS DENIED.  I like that.

luafv, on the other hand, belongs to Microsoft.  This blog post: http://fsfilters.blogspot.com/2010/02/deal-with-luafvsys.html does an excellent job of explaining what it is, and its functionality.  

However, I don't need that; I'm running as Admin, and I want my misbehaving programs to do so with wild abandon!  This one was easy to get rid of; I just had to turn off UAC's virtualization. 

SbieDrv is Sandboxie's wedge. This one's existence makes sense, as well --- except, again, I get annoyed at programs that keep running after I've closed them.  For fun, I wanted to see if I could unload it (since it wasn't running):
C:\bin\si>fltmc unload SbieDrv

Unload failed with error: 0x801f0010
Do not detach the filter from the volume at this time.

Huh; doesn't seem I can.  Certainly there must be some performance penalty to having every file system API call traverse a filter chain, no?  Granted, altitudes decide just what each filter 'sees', but, still... mightn't this be just one more drop in the bucket of what made Vista such a dog?

Moving on, to the last one, we've got FileInfo.  This is simply bloat.  It serves both ReadyBoost and Superfetch: both of which I've disabled.  (This is a decent explanation of it: http://winprogger.com/?p=971)

Despite having them disabled, this filter is still loading, and, presumably, being referenced every time filesystem I/O occurs.

Naturally, I wanted to get rid of it, so, expecting it to behave, I bopped into regedit, and set the service start type to 4... and it still started... which admittedly had me scratching my head.

(DISCLAIMER: Following random advice on the Internet is BAD. Don't do this on your own system.)

So, I took the sledgehammer approach, and simply deleted the service key altogether... and it worked!

As I type this, I get the following Kirsten Dunst Turning Japanese (NSFW) warm and tingly feeling giving result:

C:\>fltmc

No filters loaded

Vunderbar! I can't say it feels faster, but I know my bits appreciate not being fondled quite as much; at least, that's what the voices in my head told me, when I was changing my tinfoil headgear.
2010-02-21

Vista x64 SP1 Doesn't Refresh CD/DVD Drive View (Volume / Directory)

Ah, the frustration of a Microsoft operating system.  This one's got me stumped.

A brief description of the issue:  After ejecting a disc, and putting a new one in, the old directory shows up, and not the one from the newly loaded disc.  This is in Explorer, in a command prompt, and also in FreeCommander.  A procmon watch of Freecommander shows it's calling CreateFile on the drive and getting the old list directly from Windows, and not some cached file.  At least, the caching's not taking place in the userland file manager.  With Imgburn, I can eject and load, have it show stats of the disc (as well as using DVDIdentifier), but Windows Explorer, cmd, and FC all display the stale information.  From some googling, it doesn't look like anyone's found a real solution to this, and it appears to still exist on Windows 7.

The often-mentioned fix is:
gpedit.msc
-Local Group Policy
--User Configuration
---Administrative Templates
----Windows Components
-----Windows Explorer
Double-click on "Remove CD burning features".
Set the value to "Enabled".

Or, for anyone fixing a system with Home on it:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Create a DWORD, name it NoCDBurning, and put a 1 in it.

The above does fix the issue where Vista sees a UDF disc as blank and wants to format it, but wasn't much use to me.

Another solution which tends to be mentioned is to enable Autorun, which is counterintuitive for those of us who have specifically disabled it.  However, in true Microsoft fashion (and to get a Princess Bride reference in), they tell us, "I do not think that word means what you think it means." and go on to create much confusion.  The following apply to HKLM\SYSTEM\CurrentControlSet\Services\Cdrom and not to Windows Explorer.

http://technet.microsoft.com/en-us/library/cc960238.aspx says AutoRunAlwaysDisable "Suppresses the Media Change Notification (MCN) message for particular CD-ROM drives."

http://technet.microsoft.com/en-us/library/cc976182.aspx says Autorun "Determines whether the system sends a Media Change Notification (MCN) message to the Windows interface when it detects that a CD-ROM is inserted in the drive. The MCN message triggers media-related features, such as Autoplay.
If the MCN message is disabled, the media features that use it do not operate."

This is great, except the official documentation says the upshot of this is, if Media Change Notification isn't enabled, you have to hit F5 or select Refresh to show changes; obviously not the issue here, since hitting F5 or refresh just shows the previous disc directory listing, again.

Am I the only one flabbergasted Vista can't _list the damn contents of a DVD_?! And, this IS Vista (and Windows 7?) specific.  In XP, you might see something almost like this, but deleting the \burn directory would clear it right up.  This also isn't the same issue as the UpperFilters/LowerFilters class entries left behind by idiotic programs.  This really seems to be some new 'feature' present in cdrom.sys from Vista forward.  The cynic in me would tend to think it has to do with ci.dll (code integrity) and the Protected Environment Authentication crap, but, then again, it could just be some sort of stupidity in the file system parsing code.  

As a point of amusement, leaving an Explorer window open to a share on a NAS... goes blank after an amount of time (files are still there, the view just disappears until it's refreshed).  

My temporary 'solution' (obviously, rebooting fixes this, as everyone knows.  However, rebooting every damn time you want to read a new disc is ludicrous) is to right-click on the drive in Device Manager, Uninstall, select 'No' to the query to reboot now (you'll note the drive's still there, unlike in XP...) and then Scan For Hardware Changes.  This _works_.  Explorer now sees the disc that's actually IN the drive.  Rinse, repeat.
Of note, there doesn't seem to be any nice (and hence, scriptable) way of doing this using devcon; the drive isn't happy to be restarted or disabled/enabled there, and happily reports its status as running the whole time.

Some info for anyone digging into this:
X64 Vista SP1 Ultimate
i975x chipset 
Drive:
C:\bin\devcon\i386>devcon stack @IDE\CDROM*
IDE\CDROMSONY_DVD_RW_DRU-190A____________________1.65____\5&36E1B51B&0&0.0.0
    Name: SONY DVD RW DRU-190A ATA Device
    Setup Class: {4d36e965-e325-11ce-bfc1-08002be10318} CDROM
    Controlling service:
        cdrom
1 matching device(s) found.

There isn't any third-party junkware installed (no Sonic, or EasyCD, or even Nero; no Daemon Tools, or PowerISO, etc).  ImgBurn is used exclusively to burn.  Services HAVE been trimmed, but nothing that should be related to this has been modified; most are set to 'manual' (Remote Registry to disabled, etc).  Nothing looks odd in the service registry entries.

Based on the other posts regarding this issue by people who obviously don't tinker about with their system, I doubt it has to do with anything I've messed with.

So, it begs the question: where is Vista saving this, WHY is Vista saving this, and how does one stop it?

Update #1:  Interesting tidbit; using dskprobe (yes, from the Windows Support Tools for XP2) and the LOGICAL volume, I can happily read 2048 sectors (arbitrarily picked to test) and see the 'real' new disc, despite even Disk Manager showing the stale volume header.  So, the problem must be in the file system driver and caching... 

Update #2: A quicker temporary solution than the uninstall one: using diskmgmt.msc to eject the disc, and then (in my case, because the computer is actually in another room; gotta dig through strings of cables and KVMs) using ImgBurn to reload, works: the drive is refreshed.  However, using ImgBurn, or even Windows Explorer, to eject, or the button on the physical drive, _doesn't_ refresh.  

2010-02-04

For All Your Glowing Rod Of Light Needs...

If you're in the UK, you're no doubt familiar with the experience of being told that "this video is not available in your country" on streaming websites such as Hulu. This is particularly problematic if you're looking for anime shows, versus more shared genres.


Good news, then: AnimeOnUK.tv is back! The webmaster has had the cobwebs dusted off and is bringing the site firmly into the Internet video age, with plans to feature listings of which sites have what, plus breaking news about UK digital distribution of anime.


After all, no one should be without a little bit of Noir.

2010-02-03

Vista x64 All Tasks aka "God Mode"

The recent hype over Windows' "God Mode" likely hasn't done much to put to rest the contention that the whole operating system is little more than a rather cheesy game.

http://brandonlive.com/2010/01/04/the-so-called-god-mode/ (of ambiguous officialness, by a Microsoft employee) goes into a little bit of detail; but the main point of interest is the general amount of hawing from Microsoft, and the tossing around of how goofy and silly people are for their use of this 'trick'.  Vista and Windows 7 both illustrate this mentality of giving users what Microsoft has decided they'll need, rather than what, perhaps, their customers actually want.

Sadly, no one in Redmond seems to be asking what the significance could be of all this interest, shown by so many less technologically savvy and historically oblivious users, in what should be system errata.

An obvious answer, of course, is that by hiding so many system settings and focus-grouping ease of configuration into oblivion, users of Microsoft's newer versions of Windows have become so desperate for a way of getting at the options they remember from the older releases that the 'All Tasks' view must indeed seem deity-given.

Whatever the case, it's handy for not having to wade through the sometimes mind-bogglingly unintuitive depths of control panel applets when doing initial system setup by having most of the published settings in a simple list.

After all, as we all learned from random girls throwing themselves off rooftops after being bit by T-virus infected subjects, a little information really can save lives. (I'm not at all insinuating that the Umbrella corporation is in anyway controlled by Microsoft. Please stand the black helicopters down now..)

For those folks privileged enough to be running x64 Vista who would rather not crash their shell (if using Explorer), the following method will perhaps give more joyous results.  Create a shortcut, and use the following command line:
explorer.exe shell:::{ED7BA470-8E54-465E-825C-99712043E01C}

Then, simply pin it to the Start menu and enjoy; a productive citizen is a happy citizen!


Some further reference:
http://www.windowsvalley.com/blog/windows-7-god-mode-behind-the-scenes/

A not so useful list:
http://msdn.microsoft.com/en-us/library/ee330741(VS.85).aspx