I've had a client ask if it's possible to rename his server log file whilst the server is running but not allow deletion. This is harder than you'd expect to achieve. The established view of "the internet" is that NTFS doesn't support permissions to allow file renaming and still prevent file deletion. This is true. If you want to allow renaming you need to create or open the file with FILE_SHARE_DELETE access and this allows rename AND delete. The reason for this is that a rename is actually a process of creating a copy of the file with a new name and then deleting the old file. I pointed this out to my client and he immediately responded with "I can rename a running exe but am prevented from deleting it.". This, of course, is true. Executable files can be renamed and not deleted if they are currently running.

The fact that executables can work this way gave me the hint I needed. I figured it's likely the fact that the file is mapped into memory that prevents the deletion...

Adding some code that uses CreateFileMapping() to create a file mapping object from the log file's file handle, and then holding the file mapping open whilst we're using the log, gives the results that my client wants. A log file that can be renamed but not deleted. Note that you don't actually have to map the file mapping into memory, just hold the handle open.

Note that the file in question needs to contain at least one byte to be able to create the file mapping but that's easy to work around for us.

As of the latest Chrome, Edge, Opera, and FireFox updates all of my 'obsolete' hardware (routers, NAS drives, network switches, etc) are inaccessible as they don't use TLS 1.2. I'm unlikely to be alone in this. I can understand the technical decision but IMHO it's wrong and, actually pretty stupid. To make it more than a click through warning to access these obsolete devices on my local subnet. Sure ban connections to other subnets (that would cause me pain too as I manage some stuff via a VPN) but 90% of users would be fine.

So now we'll see a lot of "The client and server don't support a common SSL protocol version or cipher suite." or "This site can't provide a secure connection" errors when trying to access older hardware.

I now have an old version of FireFox installed with updates disabled and I know to only use it for my local stuff that doesn't work with updated browsers. It's a bit clunky, even with shortcuts which run the browser with the correct URL, but it works. I'm not sure that everyone will end up with this kind of set up; they may just have someone suggest that they downgrade their main browser and turn off updates...

Allowing access to the local subnet with a click through scary warning would probably be 'safer' than forcing people to find out how to work around the problem or preventing them from ever adjusting their routers, or whatever, again...

I'm sure there are lots and lots of valid reasons for the decision; they're just all wrong when the end result will be non-technical users downgrading their browsers and turning off updates.

As I mentioned in May last year, I'd was having trouble with a client's system where a UDP DDOS was causing Windows Server machines to use all available non-paged pool and then blue screen.

The issue could be reproduced with, what I thought at the time was, a minimal test program that simply created a UDP socket, bound it to a port and then didn't do anything with it. If something sent a stream of datagrams to that port then non-paged pool usage would grow in an uncontrolled manner until the box became unusable and eventually died.

The client's DDOS issue was resolved up-stream from them and we promptly forgot about this strange behaviour but recently we've been doing some load testing and we've run into it again so, once I worked out what was going on, I revisited the tests to make sure the minimal code could still be used to reproduce the problem.

Unfortunately the test program wasn't quite minimal enough, as well as creating and binding it also set the socket's recv buffer size to 'max int'. Before the Windows Update that first cause the problem this didn't seem to matter, possibly because the value was being ignored or Windows stopped buffering when non-paged pool usage got too high. After the Windows Update that brought the issue to my attention Windows does just what you ask it and buffers the data and doesn't care that its using all your non-paged pool whilst it's doing that... Or, perhaps, before non-paged pool wasn't used by this buffered data...

Removing the 'set recv buffer size to max' calls seems to fix the problem. Setting the value to something large, but not too large, and then watching the non-paged pool and Microsoft Windows BSP Dropped Datagrams counters perfmon counters clearly shows what's happening. Data is buffered until the buffer space is used and then datagrams are dropped. The buffered data uses non-paged pool in addition to whatever memory is also used for the data.

Deciding on what size buffer you need is complicated by the fact that the socket recv buffer is in bytes and is used up by the payload bytes in the datagrams whereas the non-paged pool usage appears to be "per datagram", so if the sender is sending large datagrams then the recv buffer space is used up sooner and datagrams begin to be dropped with less non-paged pool memory being used. With very small datagrams the non-paged pool usage becomes dangerous far sooner.

Working out a trade-off that allows for normal usage patterns but protects against a DDOS with small amounts of data may be complicated and may require auto-tuning based on the dropped datagrams and non-paged pool perf counters...