When I create a waitable timer with a callback, do I have to wait alertably on that specific timer before the callback will run?

A customer had a question about waitable timers. If you create a waitable timer with a callback, the callback runs only on the thread that created the waitable timer, and only when the thread “enters an alertable wait state.” Does this mean specifically an alertable wait state on that specific timer? Or will any alertable wait do?

Any alertable wait will do. You don’t even have to wait on any objects. Calling SleepEx(n, TRUE) is an alertable wait on zero objects, and that will process Asynchronous Procedure Calls (APCs).

Associated with each thread is a queue of asynchronous callbacks, and many operations append work to that list. There are actually three categories of APC: user APCs, normal kernel APCs, and special kernel APCs.

The two kernel APCs are available only to kernel mode. Kernel APCs are pretty much invisible to user mode, but their side effects may be visible. For example, they contribute to the uselessness of the PulseEvent function and to threads waiting on a synchronization object waking in non-FIFO order (not that FIFO was ever guaranteed). They are also the mechanism by which the SuspendThread function asks threads to suspend, and the delay in transmitting the kernel APC is detectable from user mode.

The third type of APC is the user APC. This one can be created both from kernel mode and user mode. The most common source is I/O completion callbacks, but waitable timers also use this mechanism, and you can create your own by calling the Queue­User­APC function.

They are called asynchronous procedure calls because the request is queued up and processed when the thread reaches a state where the corresponding code is ready to be interrupted.

  • User APCs run when the thread enters an alertable wait state.
  • Normal kernel APCs run when the kernel is about to return to user mode, which means that no kernel code is active on the thread.
  • Special kernel APCs¹ run when the kernel is below APC level. This allows them to interrupt normal kernel processing, but not other APCs, hardware interrupts, or other higher-priority events.

The idea behind APCs is that a particular category of APC can interrupt code that is lower in the hierarchy, but it will wait until all other code at the same or higher level in the hierarchy has indicated that it is ready to run the APC.

Hierarchy, highest first:

  • Non-passive kernel mode: Special kernel APC
  • Passive kernel mode: Normal kernel APC
  • User mode: User APC

Okay, so let’s look specifically at user APCs, since those are the ones queued by waitable timers. A thread indicates that it is ready to accept user APCs by calling an alertable wait function. If there is a user APC waiting to run, it runs, and then the alertable wait returns with the code WAIT_IO_COMPLETION² to indicate “The wait completed due to one or more user APCs.” The caller can then choose to reissue the wait, or it might decide to do something else, say, because it really was just waiting for the user APC.

The user APC dispatching code doesn’t care who queued the APC or what the alertable wait is waiting for. Once a thread goes into any alertable wait state, the kernel will dispatch any pending user APCs for that thread. It doesn’t try to filter only to APCs related to the things that caused you to enter the alertable wait.

Bonus analogy: You can think of a user APC as Post­Message and an alertable wait as an unfiltered Peek­Message that dispatches all pending queued messages.

¹ Kernel APCs are collectively known as KAPCs, which means that the special kernel APC is the “Special K” APC.

² The name of the return code strongly hints that I/O completion was the original use case for user APCs.

The post When I create a waitable timer with a callback, do I have to wait alertably on that specific timer before the callback will run? appeared first on The Old New Thing.

The case of the recursively hung WM_DRAW­CLIPBOARD message

An application hang report showed that the application was stuck in this stack:

win32u!ZwUserMessageCall+0x14
user32!SendMessageWorker+0x823
user32!SendMessageW+0xda
contoso!CContosoWindow::WndProc+0xa5d
user32!UserCallWinProcCheckWow+0x2f8
user32!DispatchClientMessage+0x9c
user32!__fnDWORD+0x33
ntdll!KiUserCallbackDispatcherContinue
win32u!ZwUserMessageCall+0x14
user32!SendMessageWorker+0x823
user32!SendMessageW+0xda
contoso!CContosoWindow::WndProc+0xa5d
user32!UserCallWinProcCheckWow+0x2f8
user32!DispatchClientMessage+0x9c
user32!__fnDWORD+0x33
ntdll!KiUserCallbackDispatcherContinue
win32u!ZwUserMessageCall+0x14
user32!SendMessageWorker+0x823
user32!SendMessageW+0xda
contoso!CContosoWindow::WndProc+0xa5d
user32!UserCallWinProcCheckWow+0x2f8
user32!DispatchClientMessage+0x9c
user32!__fnDWORD+0x33
ntdll!KiUserCallbackDispatcherContinue
win32u!ZwUserMessageCall+0x14
user32!SendMessageWorker+0x823
user32!SendMessageW+0xda
contoso!CContosoWindow::WndProc+0xa5d
user32!UserCallWinProcCheckWow+0x2f8
user32!DispatchClientMessage+0x9c
user32!__fnDWORD+0x33
ntdll!KiUserCallbackDispatcherContinue
win32u!ZwUserMessageCall+0x14
user32!SendMessageWorker+0x823
user32!SendMessageW+0xda
contoso!CContosoWindow::WndProc+0xa5d
user32!UserCallWinProcCheckWow+0x2f8
user32!DispatchClientMessage+0x9c
user32!__fnDWORD+0x33
ntdll!KiUserCallbackDispatcherContinue
win32u!ZwUserMessageCall+0x14
user32!SendMessageWorker+0x823
user32!SendMessageW+0xda
contoso!CContosoWindow::WndProc+0xa5d
user32!UserCallWinProcCheckWow+0x2f8
user32!DispatchClientMessage+0x9c
user32!__fnDWORD+0x33
ntdll!KiUserCallbackDispatcherContinue
win32u!ZwUserMessageCall+0x14
user32!SendMessageWorker+0x823
user32!SendMessageW+0xda
contoso!CContosoWindow::WndProc+0xa5d
user32!UserCallWinProcCheckWow+0x2f8
user32!DispatchClientMessage+0x9c
user32!__fnDWORD+0x33
ntdll!KiUserCallbackDispatcherContinue
win32u!ZwUserMessageCall+0x14
user32!SendMessageWorker+0x823
user32!SendMessageW+0xda
contoso!CContosoWindow::WndProc+0xa5d
user32!UserCallWinProcCheckWow+0x2f8
user32!DispatchClientMessage+0x9c
user32!__fnDWORD+0x33
ntdll!KiUserCallbackDispatcherContinue
win32u!ZwUserMessageCall+0x14
user32!SendMessageWorker+0x823
user32!SendMessageW+0xda
contoso!CContosoWindow::WndProc+0xa5d
user32!UserCallWinProcCheckWow+0x2f8
user32!DispatchClientMessage+0x9c
user32!__fnDWORD+0x33
ntdll!KiUserCallbackDispatcherContinue
win32u!ZwUserMessageCall+0x14
user32!SendMessageWorker+0x823
user32!SendMessageW+0xda
contoso!CContosoWindow::WndProc+0xa5d
user32!UserCallWinProcCheckWow+0x2f8
user32!DispatchClientMessage+0x9c
user32!__fnDWORD+0x33
ntdll!KiUserCallbackDispatcherContinue
user32!_InternalCallWinProc+0x2a
user32!InternalCallWinProc+0x1b
user32!DispatchClientMessage+0xea
user32!__fnDWORD+0x3f
ntdll!KiUserCallbackDispatcher+0x4c
win32u!NtUserGetMessage+0xc
user32!GetMessageW+0x30
contoso!WindowThreadProc+0x9b
kernel32!BaseThreadInitThunk+0x14
ntdll!RtlUserThreadStart+0x21

Inspecting the local variables at each recursive call shows that the message is always WM_DRAW­CLIPBOARD. The Contoso window receives the WM_DRAW­CLIPBOARD message, does its work, and then forwards the message to the next clipboard viewer window, just like the book says. While waiting for that window to respond, another WM_DRAW­CLIPBOARD message arrives, and the cycle repeats.

The clipboard viewer chain is a linked list of windows that have all subscribed to clipboard notifications. This linked list is managed cooperatively: When you add yourself to the chain, you are given the handle of the previous head of the chain. And when you finish dealing with a clipboard notification, you forward the notification to the next window in the chain. That way, all the windows in the chain eventually learn about the clipboard.

The clipboard viewer chain was developed back in the days of 16-bit Windows, when all programs were cooperatively multi-tasked and generally were trusted to behave properly. The clipboard viewer chain used the same trick that window hooks used to save space: It externalized the cost.

Here’s a sketch of how the clipboard viewer chain worked in 16-bit Windows:

HWND hwndClipboardViewer;

HWND SetClipboardViewer(HWND hwndNewViewer)
{
  HWND hwndOldViewer = hwndClipboardViewer;
  hwndClipboardViewer = hwndNewViewer;
  return hwndOldViewer;
}

HWND GetClipboardViewer()
{
  return hwndClipboardViewer;
}

BOOL ChangeClipboardChain(HWND hwndRemove, HWND hwndNewNext)
{
  if (hwndClipboardViewer == hwndRemove) {
    hwndClipboardViewer = hwndNewNext;
    return TRUE;
  }
  return (BOOL)SendMessage(hwndClipboardViewer, WM_CHANGECBCHAIN,
      (WPARAM)hwndRemove, (LPARAM)hwndNewNext);
}

void NotifyClipboardViewers()
{
  if (hwndClipboardViewer) {
    SendMessage(hwndClipboardViewer, WM_DRAWCLIPBOARD, 0, 0);
  }
}

And that’s it! The entire clipboard viewer feature in 30 lines of code.

Okay, so back to our customer’s problem.

The window registered itself as a clipboard viewer, and the clipboard contents changed, causing it to receive a WM_DRAW­CLIPBOARD message. The window dealt with the clipboard change, and then dutifully called Send­Message to forward the WM_DRAW­CLIPBOARD message down the chain. Every window in the chain deals with the message, and then calls Send­Message.

What happened here is that some window in the chain is hung, and that causes all the other windows in the chain to hang, since they are all blocked on each other via Send­Message:

Window 1 → SendMessage → Window 2 → SendMessage → Window 3 → SendMessage → Window 4 (hung)

In order for Window 1’s SendMessage to complete, Window 2 needs to return. But Window 2 is stuck in a SendMessage to Window 3, which is in turn stuck in a SendMessage to Window 4, which is hung. That one hung window has caused a chain of windows to stop responding.

The Contoso window got caught in the chain of windows that are all waiting for that other hung window to process the WM_DRAW­CLIPBOARD message.

So what can Contoso do about this?

The best solution is to leave the game. Instead of using the old and busted clipboard viewer chain, use the new hotness Add­Clipboard­Format­Listener function to register to be notified when the clipboard contents change and escape the clipboard viewer chain.

Fortunately, converting from a clipboard viewer to a clipboard format listener is fairly simple and even involves deleting some code, so that’s a nice bonus.

  • Change Set­ClipboardViewer to Add­Clipboard­Format­Listener.
  • Delete the variable that held the previous clipboard viewer.
  • Delete the code that handled the WM_CHANGE­CB­CHAIN message.
  • Change case WM_DRAWCLIPBOARD to case WM_CLIPBOARDUPDATE.
  • Delete the Send­Message(hwndNextViewer, WM_DRAWCLIPBOARD, wParam, lParam).
  • Change Change­Clipboard­Chain to Remove­Clipboard­Format­Listener.

If for some reason you really want to be a clipboard viewer, you can at least switch to using SendNotifyMessage to forward the WM_DRAWCLIPBOARD message to the next window in the chain. The SendNotifyMessage function is like SendMessage except that it doesn’t wait for the recipient to return. It’s a fire-and-forget SendMessage.
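The three approaches discussed above, compared in a model that is added here as an illustration and is not code from the original post. It is portable C that calls no Win32 API: `Window`, `Strategy`, `Outcome` and `simulate()` are hypothetical names, and the six-window chain with window 3 hung and ten clipboard changes is constructed sample input.

```c
/* Added example: single-threaded model of clipboard-change delivery. It calls
 * no Win32 API; Window, Strategy, Outcome and simulate() are hypothetical. */
#include <stdio.h>
#include <string.h>

#define NWIN 6   /* constructed chain: window 0 is the head */

typedef enum {
    CHAIN_SEND,         /* viewer chain, forwarding with SendMessage */
    CHAIN_SEND_NOTIFY,  /* viewer chain, forwarding with SendNotifyMessage */
    FORMAT_LISTENER     /* AddClipboardFormatListener, no chain at all */
} Strategy;

typedef struct {
    int hung;     /* 1 = the window's thread never processes messages */
    int handled;  /* clipboard changes this window got to handle */
    int stuck;    /* WndProc frames parked inside SendMessage */
} Window;

typedef struct {
    int informed;   /* windows that handled at least one change */
    int stuck;      /* windows with a frame that never returns */
    int max_depth;  /* deepest pile of parked WndProc frames */
} Outcome;

/* Synchronous forward: returns 1 if window i's WndProc returns, 0 if the sender
 * waits forever. A waiting window still accepts incoming sends, so every later
 * change parks one more frame on it. */
static int send_sync(Window *w, int i)
{
    if (i >= NWIN) return 1;     /* last viewer has nobody to forward to */
    if (w[i].hung) return 0;     /* message is never picked up */
    w[i].handled++;
    if (!send_sync(w, i + 1)) {
        w[i].stuck++;            /* this frame never unwinds */
        return 0;
    }
    return 1;
}

/* Fire-and-forget forward: no sender waits, but a hung window still never
 * forwards, so the walk ends there. */
static void send_async(Window *w)
{
    for (int i = 0; i < NWIN && !w[i].hung; i++)
        w[i].handled++;
}

/* Listener model: the system notifies every registered window itself. */
static void notify_listeners(Window *w)
{
    for (int i = 0; i < NWIN; i++)
        if (!w[i].hung) w[i].handled++;
}

Outcome simulate(Strategy s, int hung_index, int changes)
{
    Window w[NWIN];
    Outcome o = {0, 0, 0};
    memset(w, 0, sizeof w);
    if (hung_index >= 0 && hung_index < NWIN) w[hung_index].hung = 1;
    for (int c = 0; c < changes; c++) {
        if (s == CHAIN_SEND) send_sync(w, 0);
        else if (s == CHAIN_SEND_NOTIFY) send_async(w);
        else notify_listeners(w);
    }
    for (int i = 0; i < NWIN; i++) {
        if (w[i].handled > 0) o.informed++;
        if (w[i].stuck > 0) o.stuck++;
        if (w[i].stuck > o.max_depth) o.max_depth = w[i].stuck;
    }
    return o;
}

int main(void)
{
    const char *names[] = { "send chain", "notify chain", "listener" };
    for (int s = CHAIN_SEND; s <= FORMAT_LISTENER; s++) {
        Outcome o = simulate((Strategy)s, 3, 10);  /* window 3 hung, 10 changes */
        printf("%-13s informed=%d stuck=%d depth=%d\n", names[s], o.informed, o.stuck, o.max_depth);
    }
    return 0;
}
```

In the model, forwarding with SendNotifyMessage keeps the windows ahead of the hung one responsive, but the windows behind it still never hear about the change; only the listener registration reaches them.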

The post The case of the recursively hung WM_DRAWCLIPBOARD message appeared first on The Old New Thing.

Measuring Virus Exposure Risk Using a CO2 Sensor While Traveling

hardaker writes: I wrote up the results from studying graphs of CO2 measurement data during a trip I took from Sacramento, California to London to attend the IETF-115 conference. Since CO2 is considered to be a potential proxy for measuring exposure to airborne viruses, it provided me with a rough guess about how safe (or not) I was at various points of my travel. TL;DR: big conference rooms: good, busses: bad, everything else: in between. "Numbers alone do not effectively measure risk absolutely," the page concludes. "You must combine numbers with logic and common sense. Airlines with good filtering systems are likely ok. But do aim the fans at you with maximum air flow..." "Hallways and crowded coffee tables are where we need to worry the most. Unfortunately, the masking policy at IETF-115 was sort of backward: in the rooms the circulation was quite good, but in all my graphs you can see a spike as I wandered from one room to another, and this is where masking policies were more lax allowing participants to remove their masks."

Read more of this story at Slashdot.

Zelle fraud is on the rise—and many victims are denied refunds

When seven of the biggest banks in America saw that their customers liked using apps to send instant peer-to-peer payments, they rolled out Zelle through a jointly owned company called Early Warning Services in 2017 and quickly began processing billions in payments annually. By 2021, Zelle was processing nearly twice the number of payments as Venmo, but as the volume of Zelle payments increased, so did rumors about increased fraud. Scammed Zelle users complained to the New York Times that Zelle did not always reimburse customers who reported stolen money.

Suspicious after mounting anecdotal reports, one of the toughest policymakers on banks, Senator Elizabeth Warren (D-MA), launched an investigation. She demanded data from all seven of the big banks: JPMorgan Chase, Wells Fargo, US Bank, PNC, Capital One, Bank of America, and Truist. Only four banks complied. However, Warren’s report released this week shows that even half the data she sought was enough to show that “fraud is growing” on Zelle and that “the banks are not refunding the vast majority of defrauded consumers, breaking their promises to their customers and potentially violating federal law.”

According to Warren’s analysis of data shared by US Bank, PNC, Bank of America, and Truist, these four banks alone are “on pace to receive scam and fraud claims in excess of $255 million in 2022,” a dramatic spike compared to $90 million in 2020.

Report: Big U.S. Banks Are Stiffing Account Takeover Victims

When U.S. consumers have their online bank accounts hijacked and plundered by hackers, U.S. financial institutions are legally obligated to reverse any unauthorized transactions as long as the victim reports the fraud in a timely manner. But new data released this week suggests that for some of the nation’s largest banks, reimbursing account takeover victims has become more the exception than the rule.

The findings came in a report released by Sen. Elizabeth Warren (D-Mass.), who in April 2022 opened an investigation into fraud tied to Zelle, the “peer-to-peer” digital payment service used by many financial institutions that allows customers to quickly send cash to friends and family.

Zelle is run by Early Warning Services LLC (EWS), a private financial services company which is jointly owned by Bank of America, Capital One, JPMorgan Chase, PNC Bank, Truist, U.S. Bank, and Wells Fargo. Zelle is enabled by default for customers at over 1,000 different financial institutions, even if a great many customers still don’t know it’s there.

Sen. Warren said several of the EWS owner banks — including Capital One, JPMorgan and Wells Fargo — failed to provide all of the requested data. But Warren did get the requested information from PNC, Truist and U.S. Bank.

“Overall, the three banks that provided complete data sets reported 35,848 cases of scams, involving over $25.9 million of payments in 2021 and the first half of 2022,” the report summarized. “In the vast majority of these cases, the banks did not repay the customers that reported being scammed. Overall these three banks reported repaying customers in only 3,473 cases (representing nearly 10% of scam claims) and repaid only $2.9 million.”

Importantly, the report distinguishes between cases that involve straight up bank account takeovers and unauthorized transfers (fraud), and those losses that stem from “fraudulently induced payments,” where the victim is tricked into authorizing the transfer of funds to scammers (scams).

A common example of the latter is the Zelle Fraud Scam, which uses an ever-shifting set of come-ons to trick people into transferring money to fraudsters. The Zelle Fraud Scam often employs text messages and phone calls spoofed to look like they came from your bank, and the scam usually relates to fooling the customer into thinking they’re sending money to themselves when they’re really sending it to the crooks.

Here’s the rub: When a customer issues a payment order to their bank, the bank is obligated to honor that order so long as it passes a two-stage test. The first question asks, Did the request actually come from an authorized owner or signer on the account? In the case of Zelle scams, the answer is yes.

Trace Fooshee, a strategic advisor in the anti-money laundering practice at Aite-Novarica, said the second stage requires banks to give the customer’s transfer order a kind of “sniff test” using “commercially reasonable” fraud controls that generally are not designed to detect patterns involving social engineering.

Fooshee said the legal phrase “commercially reasonable” is the primary reason why no bank has much — if anything — in the way of controlling for scam detection.

“In order for them to deploy something that would detect a good chunk of fraud on something so hard to detect they would generate egregiously high rates of false positives which would also make consumers (and, then, regulators) very unhappy,” Fooshee said. “This would tank the business case for the service as a whole rendering it something that the bank can claim to NOT be commercially reasonable.”

Sen. Warren’s report makes clear that banks generally do not pay consumers back if they are fraudulently induced into making Zelle payments.

“In simple terms, Zelle indicated that it would provide redress for users in cases of unauthorized transfers in which a user’s account is accessed by a bad actor and used to transfer a payment,” the report continued. “However, EWS’ response also indicated that neither Zelle nor its parent bank owners would reimburse users fraudulently induced by a bad actor into making a payment on the platform.”

Still, the data suggest banks did repay at least some of the funds stolen from scam victims about 10 percent of the time. Fooshee said he’s surprised that number is so high.

“That banks are paying victims of authorized payment fraud scams anything at all is noteworthy,” he said. “That’s money that they’re paying for out of pocket almost entirely for goodwill. You could argue that repaying all victims is a sound strategy especially in the climate we’re in but to say that it should be what all banks do remains an opinion until Congress changes the law.”

UNAUTHORIZED FRAUD

However, when it comes to reimbursing victims of fraud and account takeovers, the report suggests banks are stiffing their customers whenever they can get away with it. “Overall, the four banks that provided complete data sets indicated that they reimbursed only 47% of the dollar amount of fraud claims they received,” the report notes.

How did the banks behave individually? From the report:

  • In 2021 and the first six months of 2022, PNC Bank indicated that its customers reported 10,683 cases of unauthorized payments totaling over $10.6 million, of which only 1,495 cases totaling $1.46 were refunded to consumers. PNC Bank left 86% of its customers that reported cases of fraud without recourse for fraudulent activity that occurred on Zelle.

  • Over this same time period, U.S. Bank customers reported a total of 28,642 cases of unauthorized transactions totaling over $16.2 million, while only refunding 8,242 cases totaling less than $4.7 million.

  • In the period between January 2021 and September 2022, Bank of America customers reported 81,797 cases of unauthorized transactions, totaling $125 million. Bank of America refunded only $56.1 million in fraud claims – less than 45% of the overall dollar value of claims made in that time.

Truist indicated that the bank had a much better record of reimbursing defrauded customers over this same time period. During 2021 and the first half of 2022, Truist customers filed 24,752 unauthorized transaction claims amounting to $24.4 million. Truist reimbursed 20,349 of those claims, totaling $20.8 million – 82% of Truist claims were reimbursed over this period. Overall, however, the four banks that provided complete data sets indicated that they reimbursed only 47% of the dollar amount of fraud claims they received.

Fooshee said there has long been a great deal of inconsistency in how banks reimburse unauthorized fraud claims — even after the Consumer Financial Protection Bureau (CFPB) came out with guidance on what qualifies as an unauthorized fraud claim.

“Many banks reported that they were still not living up to those standards,” he said. “As a result, I imagine that the CFPB will come down hard on those with fines and we’ll see a correction.”

Fooshee said many banks have recently adjusted their reimbursement policies to bring them more into line with the CFPB’s guidance from last year.

“So this is heading in the right direction but not with sufficient vigor and speed to satisfy critics,” he said.

Seth Ruden is a payments fraud expert who serves as director of global advisory for digital identity company BioCatch. Ruden said Zelle has recently made “significant changes to its fraud program oversight because of consumer influence.”

“It is clear to me that despite sensational headlines, progress has been made to improve outcomes,” Ruden said. “Presently, losses in the network on a volume-adjusted basis are lower than those typical of credit cards.”

But he said any failure to reimburse victims of fraud and account takeovers only adds to pressure on Congress to do more to help victims of those scammed into authorizing Zelle payments.

“The bottom line is that regulations have not kept up with the speed of payment technology in the United States, and we’re not alone,” Ruden said. “For the first time in the UK, authorized payment scam losses have outpaced credit card losses and a regulatory response is now on the table. Banks have the choice right now to take action and increase controls or await regulators to impose a new regulatory environment.”

Sen. Warren’s report is available here (PDF).

There are, of course, some versions of the Zelle fraud scam that may be confusing financial institutions as to what constitutes “authorized” payment instructions. For example, the variant I wrote about earlier this year began with a text message that spoofed the target’s bank and warned of a pending suspicious transfer.

Those who responded at all received a call from a number spoofed to make it look like the victim’s bank calling, and were asked to validate their identities by reading back a one-time password sent via SMS. In reality, the thieves had simply asked the bank’s website to reset the victim’s password, and that one-time code sent via text by the bank’s site was the only thing the crooks needed to reset the target’s password and drain the account using Zelle.

None of the above discussion involves the risks affecting businesses that bank online. Businesses in the United States do not enjoy the same fraud liability protection afforded to consumers, and if a banking trojan or clever phishing site results in a business account getting drained, most banks will not reimburse that loss.

This is why I have always and will continue to urge small business owners to conduct their online banking affairs only from a dedicated, access restricted and security-hardened device — and preferably a non-Windows machine.

For consumers, the same old advice remains the best: Watch your bank statements like a hawk, and immediately report and contest any charges that appear fraudulent or unauthorized.

Daily 'Breath Training' Can Work As Well As Medicine To Reduce High Blood Pressure

An anonymous reader quotes a report from NPR: It's well known that weightlifting can strengthen our biceps and quads. Now, there's accumulating evidence that strengthening the muscles we use to breathe is beneficial too. New research shows that a daily dose of muscle training for the diaphragm and other breathing muscles helps promote heart health and reduces high blood pressure. "The muscles we use to breathe atrophy, just like the rest of our muscles tend to do as we get older," explains researcher Daniel Craighead, an integrative physiologist at the University of Colorado Boulder. To test what happens when these muscles are given a good workout, he and his colleagues recruited healthy volunteers ages 18 to 82 to try a daily five-minute technique using a resistance-breathing training device called PowerBreathe. The hand-held machine -- one of several on the market -- looks like an inhaler. When people breathe into it, the device provides resistance, making it harder to inhale. "We found that doing 30 breaths per day for six weeks lowers systolic blood pressure by about 9 millimeters of mercury," Craighead says. And those reductions are about what could be expected with conventional aerobic exercise, he says -- such as walking, running or cycling. A normal blood pressure reading is less than about 120/80 mmHg, according to the Centers for Disease Control and Prevention. These days, some health care professionals diagnose patients with high blood pressure if their average reading is consistently 130/80 mmHg or higher, the CDC notes. The impact of a sustained 9 mmHg reduction in systolic blood pressure (the first number in the ratio) is significant, says Michael Joyner, a physician at the Mayo Clinic who studies how the nervous system regulates blood pressure. "That's the type of reduction you see with a blood pressure drug," Joyner says. Research has shown many common blood pressure medications lead to about a 9 mmHg reduction. 
The reductions are higher when people combine multiple medications, but a 10 mmHg reduction correlates with a 35% drop in the risk of stroke and a 25% drop in the risk of heart disease. So, how exactly does breath training lower blood pressure? Craighead points to the role of endothelial cells, which line our blood vessels and promote the production of nitric oxide -- a key compound that protects the heart. Nitric oxide helps widen our blood vessels, promoting good blood flow, which prevents the buildup of plaque in arteries. "What we found was that six weeks of IMST [inspiratory-muscle strength training] will increase endothelial function by about 45%," Craighead explains. [...] There may also be benefits for elite cyclists, runners and other endurance athletes, he says, citing data that six weeks of IMST increased aerobic exercise tolerance by 12% in middle-aged and older adults. "So we suspect that IMST consisting of only 30 breaths per day would be very helpful in endurance exercise events," Craighead says. It's a technique that athletes could add to their training regimens. Craighead, whose personal marathon best is 2 hours, 21 minutes, says he has incorporated IMST as part of his own training.

Read more of this story at Slashdot.
