
 Thursday, December 13, 2007

This is a bugfix release for the previously posted port of nGallery to ASP.NET 3.5. The following changes are incorporated:

  • Bugfix: slideshow had "photos/" hardcoded in nGalleryLib (for navigation buttons)
  • Bugfix: Event log exceptions, please see Get GoogleBot to crash your .NET 2.0 site (plus ASP.NET 2 + url rewriting considered harmful in some cases). Nicolas Sorel was nice enough to provide me with his .browser definition files.
  • Bugfix: default_highlight_image.jpg no longer resided in /photos and therefore caused an exception for galleries that had no highlighted image; moved it back to \photos
  • Change: AlbumHandler no longer implements IHttpHandler
  • Change: AssemblyInfo.cs changed version to 2.0 to differentiate from original 1.6.1

Those are all the changes. Here are the source and deployment files:

nGalleryTNG2_ProjectFiles.zip (2.95 MB)
nGalleryTNG2_WebFiles.zip (1.03 MB)

Categories: .NET | ASP.NET | Use the source Luke
Thursday, December 13, 2007 11:42:52 AM (W. Europe Standard Time, UTC+01:00)  #    Comments [4]

 



 Friday, November 30, 2007

I posted a version of the Really Simple Guestbook - With XLinq for Orcas Beta 2 earlier on this blog. Today, I updated this small application for VS2008 RTM. The following changes are incorporated:

  • It is now a Web project, no longer file system based
  • It includes AIP for form spam protection (aka captcha)

I decided not to include the Microsoft Anti-Cross Site Scripting Library V1.5; that is up to the reader if additional security is required (note: you'd have to add this to the logic in AddEntry.aspx that inserts new guestbook entries).

Download: XlinqGuestbook.zip (165.53 KB), License: BSD

Categories: .NET | 3.5 | ASP.NET
Friday, November 30, 2007 9:55:46 AM (W. Europe Standard Time, UTC+01:00)  #    Comments [0]

 



 Thursday, November 29, 2007

I updated the TFS Code Comment Checking Policy so that it works with VSTS 2008 RTM. The download labeled as Beta 1 comes with the well-known setup; the changes to the August test version are only minimal: the parser has been updated (to better support C# 3.0), and all projects now target .NET Framework 3.5.

Please use the discussions to report any issues you find.

Categories: .NET | 3.5 | Team System | Visual Studio
Thursday, November 29, 2007 11:44:23 AM (W. Europe Standard Time, UTC+01:00)  #    Comments [0]

 



 Friday, November 09, 2007

TechEd Developers 2007 is over, and before moving on (and flying back to snow in Austria), here is the list of sessions I attended this year:

  • TLA201 - A Tour of Visual Studio 2008 and the .NET Framework 3.5
  • OFF401 - .NET Developers Advanced Introduction to SharePoint 2007
  • TLA324 - What's New in Team System for Software Testers
  • SEC301 - CLR Security in .NET Framework 3.5
  • DAT201 - Entity Framework Introduction
  • WEB401 - Building Highly Scalable ASP.NET Web Sites by Exploiting Async Programming Models
  • TLA304 - Building Services with the Service Factory: Modeling Edition
  • DAT303 - Entity Framework: Application Patterns
  • TLA305 - Continuous Integration With and Without Team System
  • TLA307 - Improving Code Performance with VSTS 2008 Team Edition for Software Developers
  • DAT304 - Managing Unstructured Data in SQL Server 2008: Introducing the FileStream Datatype
  • TLA403 - Loose Coupling in Practice: CAB in the Real World
  • ARC401 - Designing High Performance, Persistent Domain Models
  • TLA407 - Dealing with Concurrency and Multi-Core CPUs with Today's Development Technologies
  • SBP307 - Modeling and Composition of Applications
  • TLA319 - The Joins Concurrency Library
  • TLA405 - Parallel and Async Functional Programming on .NET with F#
  • WEB403 - Securing your High-Risk ASP.NET Web Applications - A Case Study

Compared to last year, I managed to attend more sessions; however, there were also more duds. The last session (WEB403) turned out to be the one that earned the raspberry this year (a close runner-up: TLA403). For coming out on top, I decided to nominate three: OFF401, TLA307 and DAT303.

Categories: .NET | this | Training and Conferences
Friday, November 09, 2007 7:15:43 PM (W. Europe Standard Time, UTC+01:00)  #    Comments [0]

 



 Friday, November 02, 2007

XSSDetect is a static code analysis tool that helps identify Cross-Site Scripting security flaws found within Web applications. It is able to scan compiled managed assemblies (C#, Visual Basic .NET, J#) and analyze dataflow paths from sources of user-controlled input to vulnerable outputs. It also detects whether proper encoding or filtering has been applied to the data and will ignore such "sanitized" paths. Download

Categories: .NET | ASP.NET | Security | Visual Studio
Friday, November 02, 2007 12:51:21 PM (W. Europe Standard Time, UTC+01:00)  #    Comments [1]

 



 Tuesday, October 30, 2007

Article at The Register: How ASP.NET began in Java. Reminds me of the "C# is COOL" t-shirt I have...

Categories: .NET | ASP.NET
Tuesday, October 30, 2007 5:12:41 PM (W. Europe Standard Time, UTC+01:00)  #    Comments [0]

 



 Sunday, October 21, 2007

If you are interested in IronPython, you should check out Matt's latest SharpDevelop addin: IronPython Integration In SharpDevelop 2.2. His blog post details the status of code completion, Windows Forms designer support, plus: converting code from C# or VB.NET to IronPython.

Please note that this is a work in progress, and that the official release of this addin will be for SharpDevelop 3 and IronPython 2.0.

Categories: .NET | Use the source Luke
Sunday, October 21, 2007 6:36:15 PM (W. Europe Standard Time, UTC+01:00)  #    Comments [0]

 



 Sunday, June 24, 2007

The recently released version of CruiseControl.NET has a small issue with MSBuild Output in the Web dashboard: Unable to load transform: c:\ccnet\webdashboard\xsl\msbuild.xsl. A fix can be found in this thread in the fourth post. The reason to upgrade to 1.3? CC.NET now runs on .NET 2.0 (it has been ported), and it has a feature I want to try: integration queues.

Categories: .NET | Use the source Luke
Sunday, June 24, 2007 7:32:38 PM (W. Europe Standard Time, UTC+01:00)  #    Comments [0]

 



 Monday, June 04, 2007

Microsoft released a UAC demo. It is just basic process elevation (read: save the time by not downloading it), which I described in more detail (with more reusability) in UAC Elevation in Managed Code: Starting Elevated Processes.

Categories: .NET | Vista | UAC
Monday, June 04, 2007 9:34:52 AM (W. Europe Standard Time, UTC+01:00)  #    Comments [0]

 

I have been patiently waiting for this one, quote from the download page: “Acropolis” builds on the rich capabilities of Microsoft Windows and the .NET Framework, including Windows Presentation Foundation (WPF), by providing tools and pre-built components that help developers quickly assemble applications from loosely-coupled parts and services.

Download

Monday, June 04, 2007 7:26:40 AM (W. Europe Standard Time, UTC+01:00)  #    Comments [0]

 



 Thursday, April 26, 2007

Bill Staples put together a post on what's new in IIS7 Beta 3. He also talks about the all-new IIS7 FTP server (which I knew about for a long time - I had hoped Beta 3 would be available for my MSDN Briefing in Vienna last month, but no such luck). Also, he mentions the GoLive! license for IIS7.

Categories: .NET | ASP.NET | IIS | Longhorn
Thursday, April 26, 2007 11:20:02 AM (W. Europe Standard Time, UTC+01:00)  #    Comments [0]

 



 Wednesday, February 28, 2007

The video recordings for the main tracks of FOSDEM 2007 are online now. Of interest for .NET developers might be Miguel's session on "Turbocharging Linux with Mono".

Categories: .NET | Community
Wednesday, February 28, 2007 9:20:15 AM (W. Europe Standard Time, UTC+01:00)  #    Comments [0]

 



 Thursday, February 15, 2007

At long last at least a CTP is available. Definitely worthwhile to check out.

Categories: .NET | SQL Server
Thursday, February 15, 2007 10:46:14 AM (W. Europe Standard Time, UTC+01:00)  #    Comments [0]

 



 Monday, February 05, 2007

I admit it: UAC Elevation in Managed Code: "Talking" to an Elevated Process via WCF is a kludge. The reason why I dabbled with this approach at all is that I failed to implement COM elevation with managed code (not elevating a COM component, but the COM component itself). However, at long last, I succeeded in that respect too: I now present you the all-managed code solution to UAC elevation!

Once again I built myself a small demo frontend application:

As you can guess, the first button does plain vanilla COM InterOp without any UAC elevation. Thus its code is rather simple:

private void simpleCallButton_Click(object sender, EventArgs e)
{
  Type t = Type.GetTypeFromCLSID(new Guid("71E050A7-AF7F-42dd-BE00-BF955DDD13D4"));
  object o = Activator.CreateInstance(t);
  t.InvokeMember("SayHello", BindingFlags.InvokeMethod, null, o, null);
}

Why this reflection magic? Well, the COM component I am calling here is implemented in .NET - and both VS as well as tlbimp balk at reimporting the exported type library.

The COM component in question has been regasm'ed & gacutil'ed (ManagedElevator project in the download). Although the name implies that I am after elevation, it is pretty much a standard COM component written using C#:

using System.Runtime.InteropServices;
using System.Windows.Forms;

// GUIDs used for the COM registration; AppId is only referenced from the .reg file
public class TheGuids
{
  public const string IHelloWorld = "B8CD5C09-9ACD-49b0-BF6F-C7B0F29795F9";
  public const string ClassToElevate = "71E050A7-AF7F-42dd-BE00-BF955DDD13D4";
  public const string AppId = "75AB90B0-8B9C-45c9-AC55-C53A9D718E1A";
}

[Guid(TheGuids.IHelloWorld)]
[InterfaceType(ComInterfaceType.InterfaceIsDual)]
public interface IHelloWorld
{
  [ComVisible(true)]
  void SayHello();
}

// ClassInterfaceType.None: only the explicitly implemented IHelloWorld is exposed to COM
[Guid(TheGuids.ClassToElevate)]
[ClassInterface(ClassInterfaceType.None)]
public class ClassToElevate : IHelloWorld
{
  public ClassToElevate()
  {
  }

  [ComVisible(true)]
  public void SayHello()
  {
    MessageBox.Show("Hello World");
  }
}

So how do you go from "standard" "plain-vanilla" COM component to COM elevation? The part that stumped me for so long was the ClassInterface attribute - if you forget this guy, you'll end up with an InvalidCastException thrown by UACManager.LaunchElevatedCOMObject.

But that's not quite all to get up and running with COM elevation: in addition, you need to modify the default registration for this component - specifically, you need to configure the DllSurrogate. This is where the AppId GUID comes into play: it isn't used in code (kept there for documentation purposes only), but in registryadditions.reg. It binds the various registry keys. And speaking of this .reg file, please take note of the LocalizedString value: it contains the text for the UAC prompt (also check out UACPrompts.rc, resource.h, compilerc.bat as well as the properties of the ManagedElevator project where the compiled .res file is referenced).

Note: Before importing the .reg file into the registry, make sure to fix the file path contained in LocalizedString! And if you create your own elevated COM component, DO NOT reuse any of my three GUIDs - use guidgen.exe to create your own.
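A quick way to confirm that the registration described above is in place before calling the component elevated. This is an added example, not code from the post or its download: the class name ElevationRegistrationCheck is hypothetical, and the Elevation\Enabled value it checks is not mentioned in the post but is part of Microsoft's documented requirements for the COM elevation moniker.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using Microsoft.Win32;

// Added example (not from the post's download): lists what is missing from the
// machine-wide registration that COM elevation depends on.
static class ElevationRegistrationCheck
{
    public static List<string> Check(Guid clsid, Guid appId)
    {
        List<string> problems = new List<string>();
        string clsidPath = @"Software\Classes\CLSID\" + clsid.ToString("B");
        string appIdPath = @"Software\Classes\AppID\" + appId.ToString("B");

        // Reads the registry view that matches the bitness of the calling process.
        using (RegistryKey cls = Registry.LocalMachine.OpenSubKey(clsidPath))
        {
            if (cls == null)
            {
                problems.Add("CLSID not registered under HKLM: " + clsidPath);
                return problems;
            }

            // The CLSID must point at the AppID that carries the DllSurrogate value.
            string linkedAppId = cls.GetValue("AppID") as string;
            if (!string.Equals(linkedAppId, appId.ToString("B"), StringComparison.OrdinalIgnoreCase))
                problems.Add("CLSID\\AppID does not reference " + appId.ToString("B"));

            // LocalizedString has the form "@<path to binary>,-<resource id>".
            string localized = cls.GetValue("LocalizedString", null,
                RegistryValueOptions.DoNotExpandEnvironmentNames) as string;
            int comma = localized == null ? -1 : localized.LastIndexOf(",-", StringComparison.Ordinal);
            if (localized == null || !localized.StartsWith("@", StringComparison.Ordinal) || comma < 2)
                problems.Add("LocalizedString missing or not in '@path,-id' form");
            else
            {
                string path = Environment.ExpandEnvironmentVariables(localized.Substring(1, comma - 1));
                if (!File.Exists(path))
                    problems.Add("LocalizedString points to a missing file: " + path);
            }

            // Elevation\Enabled (DWORD 1) marks the class as launchable elevated.
            using (RegistryKey elevation = cls.OpenSubKey("Elevation"))
            {
                object enabled = elevation == null ? null : elevation.GetValue("Enabled");
                if (!(enabled is int) || (int)enabled != 1)
                    problems.Add("Elevation\\Enabled is not set to 1");
            }
        }

        // An in-process (DLL) server is hosted out of process through a surrogate;
        // an empty DllSurrogate value selects the system default host.
        using (RegistryKey app = Registry.LocalMachine.OpenSubKey(appIdPath))
        {
            if (app == null || app.GetValue("DllSurrogate") == null)
                problems.Add("AppID key or DllSurrogate value missing: " + appIdPath);
        }
        return problems;
    }

    static void Main()
    {
        // CLSID and AppId as listed in TheGuids in the post.
        foreach (string p in Check(new Guid("71E050A7-AF7F-42dd-BE00-BF955DDD13D4"),
                                   new Guid("75AB90B0-8B9C-45c9-AC55-C53A9D718E1A")))
            Console.WriteLine(p);
    }
}
```

An empty result means the keys the elevation call depends on are present; a missing-file entry for LocalizedString is the unfixed path the note above warns about.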

From there, UAC elevation is smooth sailing. The Reflection version of COM elevation looks very similar to non-elevated calls:

private void managedElevation_Click(object sender, EventArgs e)
{
  // CLSID
  Guid classId = new Guid("71E050A7-AF7F-42dd-BE00-BF955DDD13D4");

  // Interface ID
  Guid interfaceId = new Guid("B8CD5C09-9ACD-49b0-BF6F-C7B0F29795F9");

  object o = UACManager.LaunchElevatedCOMObject(classId, interfaceId);

  Type t = o.GetType();
  t.InvokeMember("SayHello", BindingFlags.InvokeMethod, null, o, null);

  Marshal.ReleaseComObject(o);
}

Of course this is not really a good solution (late binding). So instead I manually imported the IHelloWorld interface:

[
  ComImport(),
  Guid("B8CD5C09-9ACD-49b0-BF6F-C7B0F29795F9"),
  InterfaceType(ComInterfaceType.InterfaceIsDual)
]
interface IHelloWorld
{
  [
    MethodImpl(MethodImplOptions.InternalCall, MethodCodeType = MethodCodeType.Runtime),
    PreserveSig
  ]
  void SayHello();
}

Which makes calls into the elevated COM object much easier and cleaner:

private void managedElevationInterface_Click(object sender, EventArgs e)
{
  Guid classId = new Guid("71E050A7-AF7F-42dd-BE00-BF955DDD13D4");
  Guid interfaceId = new Guid("B8CD5C09-9ACD-49b0-BF6F-C7B0F29795F9");

  object o = UACManager.LaunchElevatedCOMObject(classId, interfaceId);

  IHelloWorld ihw = (IHelloWorld)o;
  ihw.SayHello();

  Marshal.ReleaseComObject(o);
}

So why should you use the COM elevation solution instead of starting the process? Well, there are a couple of reasons:

  • You can package more than one component into a DLL and still have custom UAC prompts thanks to LocalizedString
  • Your users don't get "an unidentified program..." warnings. Thank you COM registration
  • If you ever need to talk more extensively with the elevated process then this approach can be adapted more easily

The source code

ConsumeMyElevatedCOM.zip (97.56 KB)

You will find a file aptly named notes.txt in the ManagedElevator project that describes all the necessary steps to get up and running.

I hope you find this sample useful and do not have to spend as much time as I did. Cheers!

Categories: .NET | Security | UAC | Vista
Monday, February 05, 2007 10:41:46 PM (W. Europe Standard Time, UTC+01:00)  #    Comments [7]

 



 Sunday, February 04, 2007

In the blog post UAC Elevation in Managed Code: Starting Elevated Processes I talked about how to start an elevated process. However, just starting a process might not cut the mustard, for example if you need to hand over data to the elevated process. You could achieve this by passing, let's say, some data as command line arguments to ProcessInfo before starting the elevated process. But that seriously limits communication.

So how can you perform communication with an elevated process? My first idea was to use .NET Remoting. Once I thought through the multi-instance scenario, I quickly realized that this meant the server had to be running in the non-elevated application, because only it could properly choose a port. And because I am not a fan of Remoting anyways, I decided to give WCF (Windows Communication Foundation, a pillar of .NET 3.0) a try.

It looked like smooth sailing at first, but then I realized that with WCF too I needed to implement the service inside the non-elevated application. This time, however, the reason was "How do I know when the elevated application has initialized before I can actually start communicating with it?". Back to the drawing board.

The final solution now looks like this: the non-elevated application starts a service. The operations contract specifies a callback, which, once the elevated application has signalled its readiness, can be used by the non-elevated application to "talk" with the elevated application. I didn't intend to go duplex, but hey, if there's no other way I am willing to take the plunge. Speaking of tricks of the trade: I am using imperative binding to a named pipe. Reason? Well, WS bindings won't work (see here and here), and the TCP channel would pop up a firewall warning. That's why.

Let's look at the applications - first the non-elevated one:

This time I forfeited eye candy (the shield button). Same (missing eye candy) goes for the elevated application as it is a console application only:

Solution-wise, this simple two-application scenario is split into four projects:

So where do we start? With the easy part inside ElevationContract:

[ServiceContract(Namespace = "http://Christoph.Wille.Samples",
CallbackContract = typeof(IElevatedProcess))]
public interface IWaitForElevatedProcess
{
  [OperationContract(IsOneWay = false)]
  void ElevatedProcessStarted();
}

[ServiceContract(Namespace = "http://Christoph.Wille.Samples")]
public interface IElevatedProcess
{
  [OperationContract(IsOneWay = false)]
  void SayHello(string message);
}

The interface IWaitForElevatedProcess is implemented in StandardUserApp. It is the service endpoint that is initialized before the elevated process is started - and once the elevated application is up and running, it calls into ElevatedProcessStarted. And we are in business for using the IElevatedProcess callback that is implemented in the ElevatedProcess console application.

So how is the service endpoint initialized? Let's take a look inside:

private const string theProcess = @"..\..\..\ElevatedProcess\bin\Debug\ElevatedProcess.exe";

private void tryitButton_Click(object sender, EventArgs e)
{
  string channelIdentifier = MiscHelpers.CreateRandomString(64);
  MyUACServiceHost.StartService(channelIdentifier);

  // starting it modal doesn't work (obviously - unless we have more threads, of course)
  ElevatedProcess.Start(theProcess, channelIdentifier);
}

Interesting tidbit #1 is CreateRandomString: it creates a random string to use for the address. Why? Well, if multiple instances of our application are running and trying to elevate a process, we are in trouble. Which brings me to StartService:

internal static void StartService(string pipeEndPoint)
{
  NetNamedPipeBinding binding = new NetNamedPipeBinding();
  binding.Name = "uacbinding";
  binding.Security.Mode = NetNamedPipeSecurityMode.Transport;

  Uri baseAddress = new Uri("net.pipe://localhost/uac/" + pipeEndPoint);

  myServiceHost = new ServiceHost(typeof(SampleService), baseAddress);
  myServiceHost.AddServiceEndpoint(typeof(IWaitForElevatedProcess), binding, baseAddress);
  myServiceHost.Open();
}

As I said before, I am doing it imperatively (no configuration in app.config necessary). That's all there is to getting the service up and running.
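The random channel identifier is the only thing that separates one instance's pipe address from another's, and the elevated process receives it from a non-elevated caller. The following added example (not the post's MiscHelpers.CreateRandomString, whose implementation is not shown) generates the identifier from a cryptographic random source and validates it on the receiving side; the class name ChannelIdentifier, the alphabet and the IsValid and ToPipeAddress helpers are assumptions.

```csharp
using System;
using System.Security.Cryptography;

// Added example: a stand-in for the post's MiscHelpers.CreateRandomString,
// whose implementation is not shown, plus a check for the receiving side.
static class ChannelIdentifier
{
    // 32 symbols: 256 % 32 == 0, so mapping a random byte with % 32 is unbiased.
    private const string Alphabet = "abcdefghijklmnopqrstuvwxyz234567";
    public const int Length = 64; // same length the post passes to CreateRandomString

    public static string CreateRandomString(int length)
    {
        if (length <= 0) throw new ArgumentOutOfRangeException("length");
        byte[] random = new byte[length];
        RandomNumberGenerator.Create().GetBytes(random); // OS-backed CSPRNG
        char[] chars = new char[length];
        for (int i = 0; i < length; i++)
            chars[i] = Alphabet[random[i] % Alphabet.Length];
        return new string(chars);
    }

    // The elevated process receives the identifier from a non-elevated caller,
    // so it accepts only the exact shape generated above.
    public static bool IsValid(string candidate)
    {
        if (candidate == null || candidate.Length != Length) return false;
        foreach (char c in candidate)
            if (Alphabet.IndexOf(c) < 0) return false;
        return true;
    }

    // Builds the same address layout as StartService in the post.
    public static Uri ToPipeAddress(string identifier)
    {
        if (!IsValid(identifier))
            throw new ArgumentException("Unexpected channel identifier", "identifier");
        return new Uri("net.pipe://localhost/uac/" + identifier);
    }

    static void Main()
    {
        string id = CreateRandomString(Length);
        Console.WriteLine(ToPipeAddress(id));
        Console.WriteLine(IsValid("../other"));
    }
}
```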

Now let's switch to the console application's Main method: