Another partial malware diagnosis

A customer reported a problem with starting our application today.  The error reported by our application was strange and was not one we’d encountered before:

Exception 'Exception' in module _________.exe at 004904CB
Unable to hook API functions for print preview [-1,-1,-1,0,0,0,0]

In effect the error told us that 4 out of 7 API hooks failed.  I was called upon to try and diagnose the issue.

Initially I looked for a 3rd party application that could be hooking the calls in question (RegisterClassA, RegisterClassW, RegisterClassExA, RegisterClassExW).  But there were no unusual applications running according to Process Explorer, and no unexpected DLLs in memory in the process.  After disabling the antivirus in case that was causing the problem, and running both RootkitRevealer and Procmon with no clear outcomes, I decided I’d need to go deeper.

Time to break out windbg.  I started our process and looked at the disassembly for one of the functions that failed to hook.  Here’s what I saw:

0:000> u user32!registerclassexw
user32!RegisterClassExW:
7e41af7f 8bff            mov     edi,edi
7e41af81 55              push    ebp
7e41af82 8bec            mov     ebp,esp
7e41af84 8b4508          mov     eax,dword ptr [ebp+8]
7e41af87 833830          cmp     dword ptr [eax],30h
7e41af8a 0f850be70200    jne     user32!RegisterClassExW+0xd (7e44969b)
7e41af90 6800010000      push    100h
7e41af95 6a00            push    0

That’s pretty normal: the usual mov edi,edi (the hot-patchable prologue) that most Windows API calls start with, and what we were expecting.  So I continued execution until the error occurred, and took another look at that point.

0:000> u user32!registerclassexw
user32!RegisterClassExW:
7e41af7f e9cc93d281      jmp     00144350
7e41af84 8b4508          mov     eax,dword ptr [ebp+8]
7e41af87 833830          cmp     dword ptr [eax],30h
7e41af8a 0f850be70200    jne     user32!RegisterClassExW+0xd (7e44969b)
7e41af90 6800010000      push    100h
7e41af95 6a00            push    0
7e41af97 6a00            push    0
7e41af99 50              push    eax

Huh, that’s kinda different.  Now we were jumping off into a very unexpected part of memory.  A quick check of that address revealed that it was not mapped into the normal address space of any modules.  I had a look at the code in question.

0:000> u 144350 L...
00144350 55              push    ebp
00144351 8bec            mov     ebp,esp
00144353 83ec30          sub     esp,30h
00144356 f605e029150004  test    byte ptr ds:[1529E0h],4   ; 001529e0
0014435d 56              push    esi
0014435e 8b7508          mov     esi,dword ptr [ebp+8]
00144361 7433            je      00144396
00144363 e8595bffff      call    00139ec1
00144368 84c0            test    al,al
0014436a 742a            je      00144396
0014436c 85f6            test    esi,esi
0014436e 7426            je      00144396
00144370 833e30          cmp     dword ptr [esi],30h
00144373 7521            jne     00144396
00144375 8b4608          mov     eax,dword ptr [esi+8]
00144378 e8fdfeffff      call    0014427a
0014437d 85c0            test    eax,eax
0014437f 7415            je      00144396
00144381 6a30            push    30h
00144383 56              push    esi
00144384 8d4dd0          lea     ecx,[ebp-30h]
00144387 51              push    ecx
00144388 e818010000      call    001444a5
0014438d 8945d8          mov     dword ptr [ebp-28h],eax
00144390 8d45d0          lea     eax,[ebp-30h]
00144393 50              push    eax
00144394 eb01            jmp     00144397
00144396 56              push    esi
00144397 ff1568141300    call    dword ptr ds:[131468h]   ; -> 02200126
0014439d 5e              pop     esi
0014439e c9              leave
0014439f c20400          ret     4

A bit hard to tell what it was doing, but the indirect call at the bottom (through the pointer at 131468h) was worth a quick look.

02200126 8bff            mov     edi,edi
02200128 55              push    ebp
02200129 8bec            mov     ebp,esp
0220012b e954ae217c      jmp     user32!RegisterClassExW+0x5 (7e41af84)

Yep, as expected it was a jump back to the original API function, 5 bytes in (just past the three prologue instructions that the hook had overwritten). That looked like a hook library was being used, because the trampoline back to the original function was in a separate memory block.  No real info there, though, and again the address space showed that the block belonged to no known module.

0:000> !address 2200126
    02200000 : 02200000 - 00001000
                    Type     00020000 MEM_PRIVATE
                    Protect  00000040 PAGE_EXECUTE_READWRITE
                    State    00001000 MEM_COMMIT
                    Usage    RegionUsageIsVAD
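The check that the failing hook was effectively doing, as an added Python example (not code from the original post or from the application it describes): decode the first bytes of an API to see whether they are still the hot-patch prologue or have become an E9 jmp, compute the jmp target from the bytes in the windbg listings above, and see which module, if any, owns that target. The module table is constructed from the addresses in the session; its bases and sizes are assumptions, as is the heuristic used to find the trampoline's resume jump.

```python
import struct

# Standard hot-patchable prologue on 32-bit Windows:
#   mov edi,edi / push ebp / mov ebp,esp  (2 + 1 + 2 = 5 bytes)
HOTPATCH_PROLOGUE = bytes.fromhex("8bff558bec")

# Module map constructed from the addresses seen in the windbg session above.
# The base/size values are assumptions for illustration, not taken from the machine.
MODULES = [
    ("user32.dll",   0x7E410000, 0x91000),
    ("kernel32.dll", 0x7C800000, 0xF6000),
    ("ntdll.dll",    0x7C900000, 0xB2000),
]


def decode_jmp_rel32(addr, code):
    """Return the absolute target of an E9 rel32 jmp located at addr, or None."""
    if len(code) < 5 or code[0] != 0xE9:
        return None
    (rel,) = struct.unpack_from("<i", code, 1)   # signed, relative to the next instruction
    return (addr + 5 + rel) & 0xFFFFFFFF         # wrap exactly as a 32-bit process does


def owning_module(addr, modules=MODULES):
    """Name of the module whose image range contains addr, or None if unmapped/private."""
    for name, base, size in modules:
        if base <= addr < base + size:
            return name
    return None


def check_prologue(name, addr, code, modules=MODULES):
    """Classify the first bytes of an exported function.

    kind is 'clean' (untouched hot-patch prologue), 'hooked' (inline jmp) or
    'unknown'. For a hook, target_module is None when the jmp lands outside
    every known module, which is the red flag in the session above.
    """
    target = decode_jmp_rel32(addr, code)
    if target is not None:
        return {"function": name, "kind": "hooked", "target": target,
                "target_module": owning_module(target, modules)}
    if code[:5] == HOTPATCH_PROLOGUE:
        return {"function": name, "kind": "clean", "target": None, "target_module": None}
    return {"function": name, "kind": "unknown", "target": None, "target_module": None}


def trampoline_resume_offset(tramp_addr, tramp_code, original_addr, window=32):
    """Find the jmp in a trampoline that returns into the original function and
    report how many bytes into it we land; that equals the number of bytes the
    hook overwrote ("stolen bytes"). Assumes the first E9 whose target falls
    within `window` bytes of original_addr is the resume jump."""
    for off in range(len(tramp_code) - 4):
        target = decode_jmp_rel32(tramp_addr + off, tramp_code[off:off + 5])
        if target is not None and original_addr <= target < original_addr + window:
            return target - original_addr
    return None


if __name__ == "__main__":
    # Bytes copied from the three `u` listings above
    before = bytes.fromhex("8bff558bec8b4508")       # RegisterClassExW before the error
    after = bytes.fromhex("e9cc93d2818b4508")        # RegisterClassExW once hooked
    tramp = bytes.fromhex("8bff558bece954ae217c")    # code at 02200126
    print(check_prologue("RegisterClassExW", 0x7E41AF7F, before))
    print(check_prologue("RegisterClassExW", 0x7E41AF7F, after))
    print("stolen bytes:", trampoline_resume_offset(0x02200126, tramp, 0x7E41AF7F))
```

Run against the bytes above, the hooked prologue decodes to a jmp to 00144350 with no owning module, and the trampoline's jmp resolves to RegisterClassExW+5, i.e. the hook stole exactly the 5-byte prologue. A real scanner would read the bytes with ReadProcessMemory and the module table from EnumProcessModules rather than hard-coding them.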

At this stage, it was clear we were looking at malware, so I decided to look for some strings in the data area referenced earlier by the hook code (the byte tested at 001529e0 in the listing above).  Initially I found only strings pointing to Application Data and other uninteresting sources.

0:000> dd 1529e0
001529e0  00000000 02181ea0 0000001c 83f6f0a1
001529f0  00000000 00130000 7c800000 7c900000
00152a00  02200000 00000000 7c90d7fe 00000000
00152a10  0220000a 7c916a02 0000000c 00152a24
00152a20  00000000 00040001 00000000 00000000
00152a30  00000000 00000000 ffffffff 02181ee0
00152a40  003a0043 0044005c 0063006f 006d0075
00152a50  006e0065 00730074 00610020 0064006e

But eventually I struck gold:

0:000> dd
00152f5c  00000000 000006b0 00000000 004f0053
00152f6c  00540046 00410057 00450052 004d005c
00152f7c  00630069 006f0072 006f0073 00740066
00152f8c  0041005c 006b0067 00610065 00000064
00152f9c  00000000 00000000 00000000 00000000
00152fac  00000000 00000000 00000000 00000000
00152fbc  00000000 00000000 00000000 00000000
00152fcc  0019c110 ffffffff 00000000 00000000

This proved to be a suspicious registry key:

0:000> du 152f68
00152f68  "SOFTWARE\Microsoft\Agkead"
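Pulling the strings out of the `dd` dumps directly, as an added Python example that is not from the original post: parse windbg `dd` lines back into a byte buffer and scan it for runs of printable UTF-16LE characters, which is what `du` at a guessed address does by hand. The sample input is the second dump above, embedded verbatim.

```python
import re
import struct

# One windbg `dd` line: an 8-hex-digit address followed by up to four dwords
DD_LINE = re.compile(r"^([0-9a-fA-F]{8})\s+((?:[0-9a-fA-F]{8}\s*)+)$")


def _utf16_pattern(min_len):
    # Printable ASCII stored as UTF-16LE code units, at least min_len in a row
    return re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)


def parse_dd(dump):
    """Turn contiguous `dd` output back into (base_address, bytes).

    Prompt lines (0:000> dd ...) and blank lines are skipped; dwords are
    re-serialised little-endian, which is how they sit in memory."""
    base, expected, buf = None, None, bytearray()
    for line in dump.splitlines():
        m = DD_LINE.match(line.strip())
        if not m:
            continue
        addr = int(m.group(1), 16)
        if base is None:
            base = addr
        elif addr != expected:
            raise ValueError("dump is not contiguous at %08x" % addr)
        words = [int(w, 16) for w in m.group(2).split()]
        for w in words:
            buf += struct.pack("<I", w)
        expected = addr + 4 * len(words)
    return base, bytes(buf)


def utf16le_strings(base, data, min_len=5):
    """Return [(address, text)] for every run of printable UTF-16LE characters.

    Scanning the raw bytes (rather than stepping two at a time) also finds
    strings that are not 2-byte aligned."""
    out = []
    for m in _utf16_pattern(min_len).finditer(data):
        out.append((base + m.start(), m.group().decode("utf-16-le")))
    return out


# Constructed input: the second dd dump from the session above, verbatim
DUMP = """
0:000> dd
00152f5c  00000000 000006b0 00000000 004f0053
00152f6c  00540046 00410057 00450052 004d005c
00152f7c  00630069 006f0072 006f0073 00740066
00152f8c  0041005c 006b0067 00610065 00000064
00152f9c  00000000 00000000 00000000 00000000
00152fac  00000000 00000000 00000000 00000000
00152fbc  00000000 00000000 00000000 00000000
00152fcc  0019c110 ffffffff 00000000 00000000
"""

if __name__ == "__main__":
    base, data = parse_dd(DUMP)
    for addr, text in utf16le_strings(base, data):
        print("%08x  %s" % (addr, text))
```

On the dump above this recovers the registry key at 00152f68 without guessing the address first; feeding it a larger `dd` range (or a raw dump from `.writemem`) turns the manual `du` hunt into one pass.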

A quick glance at that registry key showed a number of suspicious entries.

I picked up a few other interesting strings as well:

0:000> du 152fe8
00152fe8  "Global\{451EEC04-7C31-7A30-8C56-"
00153028  "BCE6C174342E}"
0:000> du 1527e0
001527e0  "Enfok"

The following string was also interesting:

0:000> du 1523d4
001523d4  "\Documents and Settings\Receptio"
00152414  "n_2.PGE\Application Data\Ewacg\o"
00152454  "xmo.hio"

While the folder existed, I was unable to see the file oxmo.hio.  This, as well as the fact that I could not see any user mode activity doing the hooking of the functions in question, really suggested a rootkit which was doing some cloaking, rather than simple user-mode malware.

A reference to the string Agkead was on ThreatExpert.

But by now I was really only continuing out of interest, so I handed the machine in question back to the client, with the advice that they rebuild it — difficult to be sure that the machine is clean any other way.  While it would have been fun to analyse the malware further, it’s not really my job 🙁

Hobart’s Top 10 Climbs, #6: Strickland Avenue

Strickland Ave: my favourite stretch of the climb, climbing towards Big Bend

This is the fifth post of a series on some of the great road cycling climbs around Hobart. You can be notified of new posts in the series by following me on Twitter.  No matter what you may think, this is the definitive list of climbs in Hobart. At least until someone else comes up with a better one!

Earlier in the series:

Strickland Avenue is one of Hobart’s best known climbs, winding its way through South Hobart and The Cascades into the foothills of Mount Wellington. It’s one of several approaches to Mount Wellington, and probably the most popular route to get there from Hobart by bike.

I ride Strickland Ave several times a week as it is part of one of my commute routes. Despite the familiarity, I still enjoy the climb and still find new scenery to look at each time I ride – unless I’m trying to beat my personal best time up the hill, in which case I really don’t see anything as I ride in a vortex of pain…

Strickland Avenue was the first part of the Team Time Trial route for Stage 1 of the 2011 Tour of Tasmania. The TTT then continued to the summit of Mt Wellington.

The climb starts at Cascade Brewery in South Hobart, a mere 10-15 minute ride from the city centre along Macquarie St. I break the ascent into 3 sections, with Hobart Rivulet crossings forming the divisions between the sections. The first section from Cascade Brewery to the bridge is wide and flowing and it is tempting to ride hard and fast along it, as the road is smooth and relatively easy going. So you can set a cracking pace here but you may regret it!

At the bridge over Hobart Rivulet, the road curves steeply back on itself, and narrows dramatically, with overhanging gum trees providing welcome shade on hot days. Soon on the right you’ll see a yurt-like house as you climb a steep bend (go up a gear and power up it!). The climb continues at a steady 6%, winding through Cascades until you reach the second crossing over Hobart Rivulet, on a corner which is also the steepest pinch. After the pinch comes a gentler section that finishes at a T-Junction with Huon Rd.

Turn left to roll back to Hobart, or right to continue on what I think are some of the best cycling roads in Australia. No joke. Also turn right if you are heading to Mt Wellington.

Your Challenge: beat Andrew Crawley’s KOM of 10:48 (25.4 km/h). Did I say the challenges have to be achievable?

Coming up, a great climb for nearly any day of the year…

Strickland Ave
Distance 4.6km
Category 3
Elevation 247m
Gradient 5.4%
Maximum Gradient 15%
Time from city 15 minutes
Traffic medium
Strava http://app.strava.com/segments/627474

How to get to the climb: Ride up Davey St to the Southern Outlet, then turn right and left onto Macquarie St. The climb starts at Cascade Brewery (you won’t have trouble finding it).

I did say you wouldn’t be able to miss Cascade Brewery

The bridge which marks the end of the first segment of Strickland Ave

Yurt corner: the first of two steep pinches

Smooth road, out of suburbia at last

Big Bend

The final straight

Just about at the top of the climb now

Other posts in this series:

A story, or will pay anybody five pounds to remove database from one computer to another

Today I needed to download a recent backup of a database from a server in the data centre for testing major changes to the database locally…  Things don’t really go as well as I expect:

  1. Backup is 12GB.  Yikes, that’s going to take ages to download!
  2. OK, so let’s zip it.  20 minutes later… we have a 2GB zip file.  Well, that was worth doing.
  3. Now copy (encrypted) zip to a server with HTTP access (much faster than downloading over SSH).  About 1 minute (yep, nice fast network in the data centre)
  4. Download zip to database server on local network.  Takes about 45 minutes.
  5. So try to unzip on server with Win Server 2003 Zip tool.  Huh.  It doesn’t support files > 4GB (plus it’s running low on disk space, so a bit of a juggling act to have enough space to unzip anyway).
  6. OK, move the zip file to a client machine.  5 minutes on LAN
  7. Unzip locally then move 12GB backup back to server.  Best part of an hour.  Yes, it’s a slow client machine and the LAN is only 100 Mbit.
  8. Try to restore to SQL Server.  Oops, old version of SQL Server on that server.
  9. So install SQL Server 2008 on another server.  That takes 45 minutes (including adding .NET framework).
  10. Can’t do anything with it until we have patched SQL Server.  So download and run SQL Server 2008 SP3.  20 minutes to download.
  11. Installer starts while I’m not at computer, automatically cancels when screensaver starts (consent.exe)
  12. Drat.  Download SQL Server 2008 SP3 again as IE has deleted installer from cache.  This time I save the service pack installer.  20 minutes.
  13. Finally! Install SQL Server 2008 SP3.  10 minutes.
  14. Restore database to new server.  5 minutes.

And finally it works.

Why do the little things take so much energy?

Hobart’s Top 10 Climbs, #7: Mt Rumney

Climbing Mt Rumney

This is the fourth post of a series on some of the great road cycling climbs around Hobart. You can be notified of new posts in the series by following me on Twitter.  The order of these climbs is completely my own whimsy.  No doubt you’ll disagree with me: leave a comment to tell me what I got wrong.  Maybe I’ll see you out on one of these climbs?

I recently rediscovered Mt Rumney on a lovely spring lunch ride. Mt Rumney is on the Eastern shore of the Derwent River in Hobart, and is accessed via old Cambridge Rd from Mornington. The climb starts with a brief (and if you want, blisteringly fast) climb up Tunnel Hill, and then turns right onto Mt Rumney Rd at the very crest of the hill. From here, the road has a varying gradient, but is never overly steep, and winds its narrow way around both sides of the hill, alternating between views of Seven Mile Beach and the airport, and Hobart, the Derwent River, and Mt Wellington. Whatever point you are at though, the road is smooth, and the climb is great!

Tunnel Hill is named after the tunnel that was built under it as part of the short-lived Bellerive-Sorell Railway.  The tunnel is not visible from the road but is easy to find.

The last kilometre of the climb is dirt, and some riders prefer to turn at the end of the tarmac (especially if you’ve been smashing it up the climb!) but it is definitely worth riding those last few metres for the views at the top. And for the telco tower.  The dirt section is a bit steeper, averaging 10%, but not particularly difficult.  When I rode up recently, it was pretty smooth and no trouble on a road bike.  Did I mention good views from the summit?

The descent is fast and windy and therefore fun, but because the road is quite narrow and sight lines are not great, it is important to be careful of oncoming cars.

Your Challenge: Ride the entire climb at a cadence of 100 (I don’t care which gear)

In my next post, you’ll find one of the most frequented climbs in Hobart…

Mt Rumney
Distance 3.3km (4.3km with dirt)
Category 3
Elevation 226m
Gradient 6.9%
Maximum Gradient 12%
Time from city 25 minutes
Traffic low-medium
Strava http://app.strava.com/segments/641042

How to get to the climb: Cross the Tasman Bridge on the southern side, and ride through Rosny along Riawena Rd, right on Rosny Hill Rd, left on Bligh St, right on Shackleton St, left onto Mornington Rd, straight through the roundabout. Keep riding and you’ll reach Tunnel Hill.  Sounds complicated but actually pretty straightforward when you get there.

The start of Tunnel Hill

Tunnel Hill is a short, windy ascent

First glimpse of Mt Rumney Rd

The tunnel which Tunnel Hill is named after passes under the intersection with Mt Rumney Rd

One of many views, this one south I think

Quiet woods

The tarmac ends: the climb gets interesting from here

The dirt is pretty smooth, no trouble on a road bike

The telco towers at the top.  Not very interesting, huh?

Fantastic views from the summit

Looking out over Acton Park and Cambridge

North towards Coal Valley (lots of great cycling roads there)

Amazing views of Hobart and Mt Wellington

Other posts in this series:

Working around limitations in Strava’s Segment Efforts API

The Strava API has a call to retrieve the first 50 efforts for a segment.  In theory, the API supports an offset parameter to allow you to download additional efforts after the first 50.  However the offset parameter does not work currently in the segment efforts API.  I didn’t want to wait until V3 of the API, so…

Additionally, the segment efforts API returns efforts ordered fastest to slowest, so a naive date-based retrieval does not work, and this may also be why the offset parameter is not currently supported.

I now have a workaround which does the job (albeit a little more slowly): use the startDate and endDate parameters, which do work, to initially pull the efforts across “all time” (or, say, from 2010 to now).  If you receive 50 efforts back from the call, then split the time window in half, and retrieve each half.  Rinse and repeat until you receive less than 50 efforts for a window, at which point you know you have all the efforts for that window.  It’s simple enough to merge the arrays that you receive in response.

This works fine, but is a bit more load on the Strava servers.  For example, a segment with 425 efforts required 28 calls as opposed to 9 if the offset parameter worked, or just 1 if you could request the full set of efforts (which is still not a huge download, although really busy segments may be a bit more problematic).

I now optimise to retrieve all efforts for segments just once, then just the last few days worth later on.  The downside is that new subscribers will not have old efforts uploaded (to resolve this I may periodically do the full sync again). New segments would also bump into this issue until a global sync is done.

My implementation is not perfect (I’m ignoring errors for now), and if there are 50 efforts in less than 1 second then I’ll get none of them 🙂  Nevertheless, this little PHP code snippet is one way it could be done.

  function getSegmentEfforts($segmentId, $startDate = 0, $endDate = 0)
  {
    // No window given: start from "all time" (here, 1 Jan 2010 to now)
    if($startDate == 0 && $endDate == 0)
    {
      $startDate = mktime(0,0,0,1,1,2010);
      $endDate = time();
    }

    // An empty or inverted window cannot be split any further
    if($startDate >= $endDate) return null;

    $startDateString = date("Y-m-d\\TH:i:s\\Z", $startDate);
    $endDateString = date("Y-m-d\\TH:i:s\\Z", $endDate);

    $efforts = $this->callApi("/v1/segments/$segmentId/efforts?startDate=$startDateString&endDate=$endDateString");
    $numEfforts = sizeof($efforts->efforts);

    // 50 back means the window may have been capped: split it and fetch each half
    if($numEfforts == 50)
    {
      // split the time period in 2
      $midDate = round(($startDate + $endDate) / 2, 0);
      $firstEfforts = $this->getSegmentEfforts($segmentId, $startDate, $midDate);
      $secondEfforts = $this->getSegmentEfforts($segmentId, $midDate, $endDate);
      if($firstEfforts == null) return $secondEfforts;
      if($secondEfforts == null) return $firstEfforts;
      $firstEfforts->efforts = array_merge($firstEfforts->efforts, $secondEfforts->efforts);
      return $firstEfforts;
    }

    return $efforts;
  }
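The same bisection run against a constructed stand-in for the efforts endpoint, as an added Python example (not the post's PHP above, which is the real implementation): it deduplicates by effort id in case both date bounds are inclusive, and when a one-second window still comes back full it records that window instead of recursing further, which is the 50-efforts-in-under-a-second case mentioned above. The fake API, the sample efforts and PAGE_LIMIT are assumptions made for the example.

```python
from datetime import datetime, timezone

PAGE_LIMIT = 50   # the segment efforts call returns at most this many efforts


class FakeSegmentEffortsApi:
    """Constructed stand-in for /v1/segments/{id}/efforts?startDate=..&endDate=..

    Returns the PAGE_LIMIT fastest efforts whose start time lies in [start, end],
    which is the behaviour described above (fastest first, capped at 50)."""

    def __init__(self, efforts):
        self.efforts = list(efforts)     # (effort_id, start_ts, elapsed_seconds)
        self.calls = 0

    def efforts_between(self, start, end):
        self.calls += 1
        hits = [e for e in self.efforts if start <= e[1] <= end]
        hits.sort(key=lambda e: e[2])    # fastest to slowest, like the real API
        return hits[:PAGE_LIMIT]


def fetch_all_efforts(api, start, end):
    """Pull every effort in [start, end] by bisecting any window that came back full.

    Returns ({effort_id: effort}, [timestamps of one-second windows that were
    still full and therefore could not be fully retrieved])."""
    found = {}
    truncated = []

    def walk(lo, hi):
        page = api.efforts_between(lo, hi)
        for effort in page:
            found[effort[0]] = effort    # dedup by id: halves may share a boundary second
        if len(page) < PAGE_LIMIT:
            return                       # window was not capped, so it is complete
        if lo == hi:
            truncated.append(lo)         # 50+ efforts in one second: cannot split further
            return
        mid = (lo + hi) // 2
        walk(lo, mid)
        walk(mid + 1, hi)

    walk(start, end)
    return found, truncated


def iso8601(ts):
    """Same timestamp format the PHP above sends in startDate/endDate."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


# Constructed sample: 200 efforts spread two days apart over 400 days, plus 60
# efforts that all start in the same second five days in (the degenerate case).
START = int(datetime(2010, 1, 1, tzinfo=timezone.utc).timestamp())
END = START + 400 * 86400
SAMPLE_EFFORTS = [(i, START + i * 2 * 86400, 600 + (i * 37) % 300) for i in range(200)]
SAMPLE_EFFORTS += [(1000 + j, START + 5 * 86400, 500 + j) for j in range(60)]

if __name__ == "__main__":
    api = FakeSegmentEffortsApi(SAMPLE_EFFORTS)
    found, truncated = fetch_all_efforts(api, START, END)
    print(len(found), "efforts in", api.calls, "calls")
    print("seconds with more efforts than one call can return:",
          [iso8601(t) for t in truncated])
```

With the sample data every one of the 200 spread-out efforts is recovered, only 50 of the 60 that share a second can be, and that second is reported so a later sync (or a different query) can deal with it rather than silently dropping the rest.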

Hobart’s Top 10 Climbs, #8: Longley to Neika

Huon Rd: what’s around the next corner?

This is the third post of a series on some of the great road cycling climbs around Hobart. You can be notified of new posts in the series by following me on Twitter.  The order of these climbs is completely my own whimsy.  No doubt you’ll disagree with me: leave a comment to tell me what I got wrong.  Do go and ride these climbs 🙂

Now for the climb! Longley International Hotel is a famous little pub at the base of this climb. The pub features as the starting point for the annual Wellington Challenge time trial to the summit of Mt Wellington, a 1100m climb, with the current record holder being Richie Porte, who did the climb in 2008 in 49:51, with an astonishing average speed of 25.43 km/h. In this post I only look at the first third of the climb, as the Mt Wellington climb itself will be a separate post.

The climb from Longley to Neika is very pleasant, low traffic, with mostly farmland scenery just starting to edge into the mountain forests as you approach the top. The climb is not particularly steep, averaging 5.7%, but it is long enough at 5.5km that you’ll have to work to make it to the top. The turnoff to Leslie Vale is roughly at the 40% point, which makes a nice milestone. Until you reach this corner, your views will be focused on the North West Bay River valley as it winds its way around the back of the Wellington plateau from Wellington Falls down to the sea.

After the turn-off, you continue climbing on the other side of the ridge. The views are now massive vistas of Storm Bay and the D’Entrecasteaux Channel between the Tasmanian mainland and Bruny Island. I particularly enjoy the two corners which have a divider in the centre of the road; they are also great waypoints and once I pass the second one, I know I am near the top of the climb. The gradient is relatively consistent, until a slightly steeper ramp at the very end as you approach the old Neika Schoolhouse.

I can’t think of much more enjoyable riding than this climb on a sunny summer morning!

This road is also wonderful for descending, without any overly steep corners and a decent surface. Just watch out for damp shaded sections and leaves, even in summer.  (Note: roadworks in recent weeks has trashed the surface and left lots of mud on the road…  I hope they clean up their mess.)

Your Challenge: ride this climb entirely over your heart rate anaerobic threshold.

Coming up in my next post, a climb that is not in the foothills of Mt Wellington

Longley to Neika
Distance 5.5km
Category 3
Elevation 314m
Gradient 5.7%
Maximum Gradient 8%
Time from city 45 minutes
Traffic low
Strava http://app.strava.com/segments/629095

How to get to the climb: The nice way: Take the “commando” route south through Kingston and turn right towards Sandfly just before Margate. Cross the Huon Hwy and turn right into Longley. This route takes more than 45 minutes — just take Davey St and stay on the same road until you get to Longley for the short route.

Longley Pub (or Longley International Hotel)

The valley at the base of the climb

Your climb starts here!

The first third of the climb is lined with sparse gums

Leslie Rd to the right will take you towards Kingston

The climb continues

If you are taking it easy, enjoy the views.  If you are trying to beat Richie’s record, here’s a view that you missed…

And more views

Evening light

Onward and upward

Lots of shaded (damp) corners

Waterfall on the way

Near the top here!

And there’s the crest!  Sprint!

The climb in winter — a little more treacherous!

Early morning descent

Descending Huon Rd with my daughter

Other posts in this series:

Hobart’s Top 10 Climbs, #9: Nelson Rd

Bend 3 of the 7 famous hairpins.

This is the second post of a series on some of the great road cycling climbs around Hobart. You can be notified of new posts in the series by following me on Twitter.  I have ordered these climbs according to my own preference.  No doubt you’ll disagree with me: just tell me in the comments!  I hope this will inspire you to go and ride these climbs 🙂

Enough blather, what about the climb?  I was in two minds as to whether or not I’d include Nelson Rd in this catalogue of climbs. It is quite a suburban road, and doesn’t have the quiet back road feel of most of the other climbs around Hobart that I’ve chosen for my top 10. However, the road has some unique and fun features, particularly 7 hairpin bends, and it is also well suited to a tempo style climb for each straight. This allows you to build up a nice rhythm with a high tempo run to each corner, out of the saddle to power around the hairpin, and then back on the seat and into your previous cadence on the next straight. Unfortunately, the lumpy road surface does throw your rhythm as you bump over driveway ramps, but I guess that’s all part of the fun!

I mark the start of this climb at the intersection between Churchill Ave and Nelson Rd, although Nelson Rd does start down at the Casino at sea level. The section of the climb between the Casino and Churchill Ave has a lot of traffic and the intersection with Churchill Ave is a hassle because of the traffic, so I’ve excluded that from the climb.

As I said above, the best features of Nelson Rd are the seven hairpin bends, which make great waypoints on the climb. Although after Bend 4 one starts to lose track and there’s always a bend or two more than you hope!  In future years, no doubt these will be commemorated with the names of famous cyclists who have conquered this climb.  I think I’d like to have Bend 3 (pictured above); you can claim one of the other ones.

After the seventh bend, marked by two big water tanks, you crest onto the “plateau” of the hill and follow the climb, which continues at the same gradient, albeit without all the zigzagging, to the finish at the intersection with Olinda Grove. This section of the climb is not very interesting but you will need to keep the power on all the way to the very end if you want to take the KOM in Strava!  (I should mention that the KOM is currently mine and I’d like to keep it that way, okay?)

Take a left at the end to ride to Mt Nelson Signal Station for incredible views over south eastern Tasmania (definitely recommended) and coffee. Turn right to take the quick way down on Proctor’s Rd. Or if you are crazy, down the Southern Outlet.

Your Challenge: ride 3 repeats in a lunch break

The next post describes a climb with a very different feel

Nelson Rd
Distance 3.9km
Category 3
Elevation 232m
Gradient 6%
Maximum Gradient 10%
Time from city 10 minutes
Traffic medium (watch for buses)
Strava http://app.strava.com/segments/628934

How to get to the climb: Take Davey St south, and turn left onto Antill St, and follow Antill St/Regent St/Churchill Ave through the University. Nelson Rd is on your right just after the University.

Nelson Rd: the climb starts here.  Bend 1 is immediately ahead

Nelson Rd is made up of long straights, and …

… Hairpin bends.  This is Bend 2

Lumpy driveways to negotiate ahead

Pleasant scenes on the climb

Bend 3

And another long straight!  Keep that tempo going

Bend 4!

More trees provide some shade

Bend 5…  Two to go.

Bend 6 ahead

Gardens to distract from the pain

Bend 7, no more hairpins after this, just a slog to the top

And here’s the top

You can ride back down Proctor’s Rd — take it easy though, it’s busy!

Other posts in this series:

Hobart’s Top 10 Climbs, #10: The Domain (Carriage Drive)

Carriage Drive on The Domain

This is the first post of a series on some of the great road cycling climbs around Hobart. You can be notified of new posts in the series by following me on Twitter.  I have ordered these climbs according to my own preference.  No doubt you’ll disagree with me: just tell me in the comments!  I hope this will inspire you to go and ride these climbs 🙂

Onto the climb!  The Domain is a great little climb within 5 minutes ride of the city centre. My friends and I use it for doing repeats. The climb starts at the bottom of Carriage Drive, a smooth little one way road that winds its way up the Domain. Be aware that the road becomes two-way half way up the climb.  Initially a gentle gradient, the climb lures you into a pace of up to or even over 30 km/h, until you round a bend half way up and the gradient triples! This is guaranteed to pour that lactate pain in as you drop through the gears.

But immediately after the steep pinch, the road levels out for a couple hundred metres, where no doubt you’ll work hard to put the pace back on again. On reaching a 4 way intersection, turn right (don’t forget traffic in your pain-induced haze), and follow the curves in the second half of the climb around to the summit of the hill. Keep following the road straight round the circle at the top, and back down the hill, then roll round to the bottom of Carriage Drive to do it all again!

See if you can fit in 5 repeats in a lunch break!  Coming up in my next post, a climb that zigs and zags…

The Domain
Distance 2.2km
Category 4
Elevation 102m
Gradient 4.6%
Maximum Gradient 15%
Time from city 5 minutes
Traffic low
Strava http://app.strava.com/segments/634467

How to get to the climb: From the Cenotaph, ride under the highway, turn right, and immediately after entering the highway, exit left. Carriage Drive is 50m ahead on your left.

Your climb starts here

Continuing up the hill

Governor’s digs on your right

Watch for traffic as you fly through this intersection

Round past the sports grounds

Turn right here

Road surface is a bit rougher now

Almost there!

The top of the climb

Other posts in this series:

Weird filename globbing in Windows

Can anyone explain this result?  (note: folder name has been obscured)

D:\...\exe\tds>dir *337*
 Volume in drive D has no label.
Volume Serial Number is 4279-DECE

Directory of D:\...\exe\tds

05/12/2011  02:39 PM        12,432,384 tds-8.0.324.0.exe
11/04/2011  02:41 PM        13,268,480 tds-8.0.337.0.exe
2 File(s)     25,700,864 bytes
0 Dir(s)  129,676,939,264 bytes free
D:\...\exe\tds>dir *337.0.exe
Volume in drive D has no label.
Volume Serial Number is 4279-DECE

Directory of D:\...\exe\tds

11/04/2011  02:41 PM        13,268,480 tds-8.0.337.0.exe
1 File(s)     13,268,480 bytes
0 Dir(s)  129,676,324,864 bytes free

I can’t figure out why tds-8.0.324.0.exe is matching *337*, in this folder.  There are lots of other files in the folder with similar names that don’t match.  chkdsk returned no errors.  Any ideas?

Update 4:45pm: I did a little more investigation.  The error can be reproduced on other computers, so it is not related to the state of the filesystem, or the path name.  The following command narrowed down the match a little:

c:\temp\tds>dir *d337*
Volume in drive C is OS
Volume Serial Number is 8036-7CEB

Directory of c:\temp\tds

12/05/2011  02:39 PM        12,432,384 tds-8.0.324.0.exe
1 File(s)     12,432,384 bytes
0 Dir(s)  12,700,200,960 bytes free

But the following did not match:

c:\temp\tds>dir td337*
Volume in drive C is OS
Volume Serial Number is 8036-7CEB

Directory of c:\temp\tds

File Not Found

Curiouser and curiouser.  Procmon did not provide much insight into the issue:

procmon

Where to now?  It’s Sunday afternoon, and I don’t feel like breaking out a kernel debugger to trace that any further right now.

Update 7:30pm: Well, I was puzzled so I did a little more research.  And ran across a mention of 8.3 filenames.  All of a sudden everything clicked into place.

D:\...\exe\tds>dir /x *337*
Volume in drive D has no label.
Volume Serial Number is 4279-DECE

Directory of D:\...\exe\tds

05/12/2011  02:39 PM        12,432,384 TDD337~1.EXE tds-8.0.324.0.exe
11/04/2011  02:41 PM        13,268,480 TDD938~1.EXE tds-8.0.337.0.exe
2 File(s)     25,700,864 bytes
0 Dir(s)  129,670,885,376 bytes free

Yes, even today DOS comes back to bite us: a wildcard is matched against the 8.3 short name as well as the long name.  So just beware when doing wildcard matches, especially with that old favourite del; dir /x shows the short names, so you can check what a pattern will really catch before you run it.

Phone Slamming Again

I wrote a couple of months ago about a phone slamming attempt.  I contacted Telstra via Twitter and they responded that they’d follow it up.  Unfortunately, Twitter’s history is a little poor so I cannot find the full conversation now… (Updated: found it in my RSS archives)

Today we got another phone slamming attempt, and I was a bit better prepared.  Again this conversation is not verbatim, but the gist is as follows:

Caller: Natasha from SimplyTel

Natasha: “I’m calling about your Telstra business line.  Can I speak with the account holder please.”
Me: “Are you calling from Telstra?”
Natasha: “I’m calling from Telstra wholesale division.”

I then asked some more questions to collect some more details, including website, and got the actual company name and contact details, before letting her know that I’d be reporting the call because she identified herself as operating on behalf of Telstra.