NEWVIEW 1.0 - PRELIMINARY DOCUMENTATION
Copyright ©, 1994-1995 by Frank E. Haggar
ALL RIGHTS RESERVED

THIS PROGRAM CAN BE REGISTERED USING CompuServe.
The cost is $49.95 + S/H
THE SWREG # IS 4146

  OR - you may send a check or money order in US funds,
       made payable to Frank E. Haggar at:

       Frank E. Haggar
       21118 Madria Circle
       Boca Raton, Fla 33433

$49.95 - registered version of NEWVIEW!
$4.00 S/H in the US, $6.00 S/H outside the US.
(Fla residents please include 6% sales tax)

Copyright © 1994-1995 by Frank E. Haggar    CIS:(75672,1206)
-----------------------------------------------------------------------------
Description of the origins for NEWVIEW Version 1.0:

As many of you that follow the CompuServe WINSDK forum regularly are
probably aware, I have been using Microsoft's EXEVIEW sample program as a
"workbench", or "testbed" for over a year. During this time the program's
been significantly enhanced.

It was never my intent to write a technical OS/programming tool based on
EXEVIEW. Since my main purpose was to learn, I wanted to be able to easily
and quickly investigate the potential of an idea. I would often write a
function for a command, and set EXEVIEW up to call the function via some
keystroke and mouse click sequence.

Therefore, this is MORE of a PROGRAMMING TOOL than it is an END-USER
PRODUCT! But I think it's got enough power to captivate your interest and
earn your desire to register it. I think the nominal cost of this program
is justified when compared to the amount of time you'd spend finding,
studying, and coordinating all the samples.

Using this program has helped me considerably, and has provided many
answers to WINSDK messages. It's part of the reason I was fortunate enough
to win the [MVP] award in Q4, 1994 for the WINSDK forum!
-----------------------------------------------------------------------------
Here's an overview that highlights the *NEW* functionality:

    Recent Files List
    History of Files
    Active Tasks
    Active Modules
    Active Window Classes
    Active Windows
    Active Installable Drivers
    Active Installed Hooks
    Active MakeProcInstance Thunks
    Task/Module Usage Tree
    Stack Walk for all Tasks
    System Task/Header Procedures
    Read and process WIN.INI, CONTROL.INI, PROGMAN.INI, WINFILE.INI, DOSAPP.I
    (AND MORE....)
-----------------------------------------------------------------------------
===================================
HERE'S THE MENU'S CURRENT CONTENTS:
===================================

File
    Open...
    Run...
    Close
    History List
    Recent Files
    Exit

List
    Task Names
    Task Header Procs
    Task Execution Stacks
    Task/Module Tree
    Module Usage Counts
    Auxiliary Drivers
    Hooks and Owners
    Callback Thunks
    Class Names and Owner
    Window List and Owner

View
    Configuration                   WIN.INI
    C-Panel Driver List             CONTROL.INI
    File Manager Extensions         WINFILE.INI
    Font Settings                   WIN.INI
    Program Manager Icons           PROGMAN.INI
    File &Associations              WIN.INI
    Popular Programs                APPEXEC.INI
    MS-DOS Executables              DOSAPP.INI
    Debugging History               WLDR.INI,BCHKW.INI
    Custom Control Libraries        ANY OF THE FOLLOWING
        SDK Dialog Editor           DLGEDIT.INI
        Resource Workshop           WORKSHOP.INI
        AppStudio                   APSTUDIO.INI
    Scan Registry Database          REG.DAT
    GRP Files                       *.GRP
    PIF Files                       *.PIF
    Drive and Subdirectory List
    Directory List of Programs

Report
    Relocation Duplicate Summary...
    All Relocation Tables...
    CrossReferences to File...
    Unmangled Export Names
    Version Resource Contents

Tools
    Address Lookup
    Location Hex Dump
    Save Chained Fixup...
    Preferences...
    Fonts and Tabstops
    OpenFile Usage Logging
-----------------------------------------------------------------------------
Here are some details on the level of improvements I've made, as well as
the depth of the new functionality I've added:

(I) RESOURCE DISPLAY:

    I've improved support for resources, including:

    (a) 3D - Viewing dialog boxes via CTL3D. (can be disabled, if desired)
    (b) BORDLG/BORGRAY and other dialog classnames are supported
        automatically
    (c) BWCC and custom controls that support the Dialog Editor
    (d) ASCII/HEX dump individual resources, and unknown resource types.
    (e) Support for playing WAV sounds stored as resources
    (f) Auto-loading of custom controls or global window classes in dialog
        boxes
    (g) Reorganized presentation of a font resource item's information
    (h) String table display supports text/line formatting options
    (i) Show all the icon resources at once, per your video display
    (j) Improved bitmap support (palette handling, window scrolling,
        keyboard support)
    (k) Version resource support accesses the system's "Language" string
        tables.
    (l) Better use of internally stored names for custom resource types
    (m) Accelerator table keystrokes shown with their corresponding menu
        command
        (You can frequently use the accelerator report to get a hotkey list
        of keystrokes for menu commands. This one feature helped fix a bug
        in a fellow programmer's resource data because it made the typo
        quite noticeable.
        Assigning the wrong keystroke explained why the command would not
        respond to the keyboard)
-----------------------------------------------------------------------------
(II) HEADER/SEGMENT INFORMATION:

    (a) Added additional header summary report
    (b) Display MZ header info in HEX
    (c) More complete information provided
    (d) Almost all reports can be used to select a new file to view
    (e) Almost all reports provide additional in-depth info by clicking on
        various items
    (f) ASCII/HEX dumps of entry points, segments, relocations, and more
    (g) Various relocation reports available by IMPORT module, by SEGMENT,
        by Reloc Type
-----------------------------------------------------------------------------
(III) SIZE/SPEED TOOLS FOR YOUR EXE

    (a) A new [Size Analysis] button has been added. This button provides
        a breakdown of either unnecessary, or potentially unnecessary
        excess space in an EXE file. This routine is heavily based on Matt
        Pietrek's EXESIZE program, published in the July 1993 issue of
        Microsoft Systems Journal. (see below for more information. Thanks
        again, Matt!)

    (b) There are a variety of available diagnostics to help you determine
        if your EXE contains duplicate relocation records. One list
        presents every unique relocation record that occurs in a segment,
        with counts of the duplicate and chained entries for that unique
        relocation. Another lists the totals by segment for each of the
        types of relocations, and if they are chained or duplicated.

    (c) Make YOUR Tlink'd programs up to 15% smaller with 10% faster
        loading!!! The EXECHAIN program in the WINSDK forum was
        originally, and still is, part of NewView's features. NewView can
        also compress TLINKed executables by chaining the relocations,
        resulting in a 5%-15% savings in file size (depending on the
        sector alignment values used and the number of relocations).
        The reduced volume of data to read and elimination of unnecessary
        procedure address resolutions performed by the Windows loader
        often results in 10% faster speed in loading.
-----------------------------------------------------------------------------
(IV) SELECT FROM ACTIVE MODULES / LAUNCH APPS

    (a) I found myself frequently using NewView's common dialog box to
        specify the name of an executable that I had just launched using
        ProgMan's RUN command and Browse option. Since this usually
        involved performing the same steps to change drive/directory and
        select the same filename, I decided to make life easier and list
        the tasks so you could pick the programs you're already running
        and view them.

    (b) I also found myself frequently using ProgMan's Run command and
        Browse option to reenter the name of a file I was currently
        viewing, so I added a Run command to NewView's functions.

    Thus, NewView can view running apps/modules/drivers, etc., or it can
    launch the app it's currently viewing!!
-----------------------------------------------------------------------------
(V) RUNTIME USAGE OF EXE FILE'S INFORMATION

    (a) Window and class information displayed as text instead of hex
        pointers. This program takes advantage of the available
        relocation information by presenting the traditional window and
        class lists with a twist. Instead of displaying a hexadecimal
        address representing a pointer to a function or thunk, NewView
        will do its best to find out the NAME of that function. This
        means it will often tell you the actual name of the callbacks for
        classes and windows instead of some hex address that doesn't mean
        anything to me. And, by running the list at various times you'll
        even be able to see window subclassing and the module that
        performed the subclass as well as the name of the new window or
        class procedure.

    (b) The program can list the "User-Installable Drivers". Select the
        command to see the information.
        If you hold the SHIFT and CTRL keys down, then pick the command
        from the menu, and then release the SHIFT+CTRL keys, you will see
        more information in the report.

    (c) The program can list the information hidden inside the Task
        Database, including function pointers, MakeProcInstance Thunks,
        and even the installed hooks. Whenever possible, these items are
        reported by either name or module.ordinal, and hex is the last
        resort.

    (d) The program can provide a tree representing the implicit links
        performed by each of the tasks. The modules which are left over
        were either dynamically loaded or are orphans (or both). This
        tree implementation doesn't use the same technique as Matt
        Pietrek's NUKEDLL, because it was developed independently and
        coincidentally at the same time. It will basically achieve the
        same results (although Matt does point out that my method makes
        you scroll to the bottom of the list to find the potentially
        orphaned DLLs, and in my logic the existence of multiple
        instances of any program can sometimes cause less than accurate
        results as far as the trailing module's usage counts are
        concerned.)

    (e) Using ToolHelp, the program can walk the stack of all tasks,
        including itself. When this command actually performs the walk,
        all of the other tasks are idle. That does take some of the
        excitement out of it once you have run it a couple of times, but
        it is very useful when trying to determine what routine a given
        task called to go idle. The information displayed should be
        adequate to indicate if another task called GetMessage,
        WaitMessage, DirectedYield, IsDialogBoxMessage, etc. and how that
        eventually ends up in WAITEVENT inside of KERNEL. This technique
        itself is something I think of as a little bit special. The way
        it works lets it tell you the actual routine called, even if the
        code uses ASM to jump elsewhere via near addressing inside the
        segment.
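
Added example, not code from NewView or from its author: the duplicate and
chained relocation counts described in (III)(b), and the record savings from
chaining in (III)(c), computed in Python over one segment. It assumes the
documented NE per-segment relocation layout (a 16-bit count followed by
8-byte records, with non-additive fixups chained through the segment and
terminated by 0xFFFF); the function names and the sample segment are
constructed for illustration.

```python
import struct
from collections import defaultdict

RECORD = struct.Struct("<BBHHH")  # source type, flags, offset, target word 1, target word 2
ADDITIVE = 0x04                   # additive fixups are applied in place, never chained
CHAIN_END = 0xFFFF

def chain_length(segment, offset, flags):
    """Count the fixup locations one record covers by walking its chain."""
    if flags & ADDITIVE:
        return 1
    seen = set()
    while offset != CHAIN_END:
        if offset in seen or offset + 2 > len(segment):
            raise ValueError("corrupt relocation chain")  # loop or out-of-range link
        seen.add(offset)
        (offset,) = struct.unpack_from("<H", segment, offset)
    return len(seen)

def relocation_summary(segment, table):
    """Map each unique (source type, flags, target) to its record and location counts."""
    (count,) = struct.unpack_from("<H", table, 0)
    if 2 + count * RECORD.size > len(table):
        raise ValueError("relocation table truncated")
    summary = defaultdict(lambda: {"records": 0, "locations": 0})
    for i in range(count):
        src, flags, offset, w1, w2 = RECORD.unpack_from(table, 2 + i * RECORD.size)
        entry = summary[(src, flags, w1, w2)]
        entry["records"] += 1
        entry["locations"] += chain_length(segment, offset, flags)
    return dict(summary)

def bytes_saved_by_chaining(summary):
    """Every duplicate record folded into a chain removes one 8-byte record."""
    return sum((e["records"] - 1) * RECORD.size
               for key, e in summary.items() if not key[1] & ADDITIVE)

def constructed_sample():
    """Constructed data: 24-byte segment, 4 records against module 1 (ordinals 5 and 9)."""
    segment = bytearray(24)
    for loc, link in ((0, CHAIN_END), (4, CHAIN_END), (8, CHAIN_END), (12, 16), (16, CHAIN_END)):
        struct.pack_into("<H", segment, loc, link)
    records = [(3, 1, 0, 1, 5), (3, 1, 4, 1, 5), (3, 1, 8, 1, 5), (3, 1, 12, 1, 9)]
    table = struct.pack("<H", len(records)) + b"".join(RECORD.pack(*r) for r in records)
    return bytes(segment), table

if __name__ == "__main__":
    for key, entry in relocation_summary(*constructed_sample()).items():
        print(key, entry)
```

In the constructed sample, ordinal 5 is referenced by three separate
unchained records and ordinal 9 by one record that already chains two
locations, so only the first target has records that chaining would remove.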
-----------------------------------------------------------------------------
(VI) PROGRAMS, LIBRARIES, and RELOCATION ANALYSIS REPORTS

    (a) The program can cross reference relocation information by import
        library, by segment, or for the entire executable being viewed.
        It will attempt to display the actual names of the ordinals, the
        contents of data, etc.

    (b) The program can generate a list of all the entry points and all
        the relocation records in chronological order. It's NOT a
        disassembler, and I don't know INTEL ASM well enough to write
        one. But, it's often a reasonable estimate that often provides
        enough insight to help get your current problem resolved. This
        list is only available to create a disk file, and not to
        interactively view the contents of the output file it creates.
        Use a standard text editor to view the XRF file, since the output
        is a simple ASCII report.
-----------------------------------------------------------------------------
(VII) SHOWS INI, GRP, PIF, and REG.DAT

    The program can list the registration database entries, file
    associations, ProgMan information, group file contents, control panel
    driver configurations, etc. The program also keeps track of recently
    viewed files as well as a history of every file you've loaded into
    NewView.

    (a) The main system INI files will automatically be searched and
        parsed by a variety of commands. These include a font module list
        capability, file associations, graphics and text filters, control
        panel drivers, etc.

    (b) The GRP files can either be referenced from the contents of
        PROGMAN.INI, or they can be presented in a list of all GRP files
        in a given directory. This allows you to use GRP files which are
        not yet installed (or are outdated) as well as using the same GRP
        files ProgMan does, regardless of the location of that GRP file.
    (c) The PIF files will be read if a GRP entry specifically refers to
        one, if the user selects the command to list the PIF files in the
        local directory, or if the user selects the command to list the
        contents of DOSAPP.INI and it contains a .PIF filename as an item.

    (d) The entries contained in REG.DAT that refer to program filenames
        can be displayed. By holding down the SHIFT+CTRL when selecting
        the command, the entire contents of REG.DAT will be provided to
        you.
=============================================================================
SPECIAL THANKS to MSJ and Matt Pietrek

I'd like to formally thank Matt Pietrek for his constant help answering my
flood of questions over the past year. (If Matt didn't reply to a forum
message, it's probably MY fault for keeping him preoccupied, so this
program should make you feel better!)

EXESIZE's underlying logic has been incorporated into NewView with the
permission of Microsoft Systems Journal and Matt Pietrek. EXESIZE is the
sample program that was printed in the July 1993 MSJ article by Matt,
titled "Liposuction Your Corpulent Executables and Remove Excess Fat".

I want to personally thank MSJ (and, of course, Matt) for their
contributions to this program by way of great articles and columns from
great writers in a great magazine.
=============================================================================
THANKS must also go to the hard working people behind the MSDN CD.

This program is the best argument I can give as to why you should own the
MSDN CD. Almost everything I've done came from various samples on the MSDN
CD. Many of the things that educated me about chained relocations, etc,
came from Matt Pietrek's articles and sample code from MSJ. But... that
information is also on the CD. It's expensive, but a bargain. It really is!

THANK YOU, MS!
=============================================================================
<<< *CREDITS* >>>

All of the information and techniques contained in this program can be
found in the following list of knowledge resources. These include online
services, Magazine publishers, and authors of books, articles, columns,
TechNotes, and WINSDK forum messages on CompuServe.

LIST OF SERVICES:
-----------------
    CIS: WINSDK
    CIS: NSL
    CIS: MSDNLIB

LIST OF PUBLICATIONS:
---------------------
    MSDN CD
    Microsoft Systems Journal 1992, 1993, 1994
    PC Magazine

LIST OF BOOKS:
--------------
    Undocumented Windows
    Windows Internals
    Programming Windows 3.1

LIST OF INDIVIDUAL CREDITS:
---------------------------
    Scott McCraw
    Krishna Nareddy
    Dave Edson/Brian Woodruff
    Matt Pietrek
    Jeff Richter
    Kyle Marsh
    BTS [MS]
    MSS [MS]
    Eric Flo
    Bob Chiverton
    Michael Geary
    Douglas Boling
    Charles Kindell/Debbie Watkins
    Mark Bader/WINCAP team
    Mark Gamber
    Richard Herrmann
    Charles Petzold
    Ray Duncan
    Walter Bright
    Roger Alley
    Matt Pietrek/Andrew Schulman/David Maxey

(All of the above people can get a *FREE* registered copy just by sending
me a note with a mailing address!!)
=============================================================================
COMMENT:

I always suggest that folks look at the EXEVIEW sample; it's part of the
MSDN CD and it's in the WINSDK, MSDNLIB, and probably MSL as well. Scott
McCraw did a great job with the original offering. I think the number of
downloads, references, and acknowledgements it's received are well
deserved. This program is simply the sincerest form of flattery! (Look
what happened just because you got me interested, Scott!)

I recommend running this program on any Windows NE file after you download
it. I feel much better about running a program after getting an idea what
it's going to do to my system. It's also great for double-checking a
program just before it's released.

I'm not a Systems Programmer by profession.
I'm just an applications developer that got further involved with NE file
formats than I intended to. But, think of it this way... If it's easy for
_ME_ to decode your program and I don't even know ASM, just imagine what a
REAL disassembler and OS expert (like those listed above) could do to your
poor vulnerable executable file!

I think it's easy to see why I've been happy and content to keep this
program to myself!! But unforeseen circumstances have caused me to try and
generate income by selling my tools, and this program happens to be one of
them. Therefore, my misfortune can be your opportunity to get the best
deal around on *THE* most unique programmer's tool you can find!!

ONLY $49.95 + S/H --- IT'S A STEAL!

PLEASE REGISTER ON COMPUSERVE USING SWREG# 4146

  OR

By mailing a check or money order, payable to:

    Frank E. Haggar
    21118 Madria Circle
    Boca Raton, Fla 33433

Thank you!!

Frank E. Haggar
CIS: (75672,1206)