
Friday, June 6, 2008

Creating Dataset from custom XSD

Scenario


Let's say you want to create a custom XML Schema for your project, so you add an XSD file to your project and design your elements.


Next you want to generate a typed dataset to use this schema in your application and here begins the confusion between VS 2003 vs 2005.

Visual Studio 2003

In Visual Studio 2003 there was a feature to generate a Dataset that was available from the design surface of an XML Schema by right-clicking and checking the “Generate Dataset” option.


Unfortunately this is no longer available in VS 2005.

Visual Studio 2005

The solution for VS 2005 projects might be to take a different design approach altogether to this kind of scenario, but let's assume you still want to use the XSD. To accomplish the same thing as in VS 2003 you can do the following:

  1. Add an XML Schema and design it like you normally would
  2. Go into the properties dialog of the XSD file and change two property values:
    1. Build Action = Content
    2. Custom Tool = MSDataSetGenerator


Now rebuild your project and you should see a new .CS/.VB file added with a typed dataset for your project.

Conclusion

There does seem to be a workaround for this problem but honestly I am far from the expert here. I merely found what looks like a solution and want to share it with you. Please test this carefully to make sure it meets your architectural needs.

Monday, March 24, 2008

StringBuilder truncates string

Today I was looking at some very simple code yet was puzzled: Why was the StringBuilder truncating the string?

I quickly realized that this was happening due to the .Length property. When this property is set on a StringBuilder that already contains text, and the new Length is smaller than the contents, the text is truncated down to the specified length. Let's look at this simple example:

Example:

StringBuilder sb = new StringBuilder(5); // Capacity = 5, .Length = 0
sb.Append("123456"); // Extends the .Length to 6
sb.Length = 2; // Truncates everything down to two characters

(Capacity property remains set to the capacity at maximum which was 6)

This behavior is actually described in the MSDN Documentation for the Length property, but I never read it before today.

Here is the official MSDN quoted text:

If the specified length is less than the current length, the current StringBuilder object is truncated to the specified length. If the specified length is greater than the current length, the end of the string value of the current StringBuilder object is padded with the Unicode NULL character (U+0000).

Tuesday, March 4, 2008

Microsoft Certification for Developers

I had recently started to get ready to potentially take some Microsoft Certification exams in the developer track. Now that I work for Microsoft I feel a certain level of responsibility to "eat my own dog food" in this area.

I am not without experience with certification as a few years back I had taken the VB 6.0 70-175 and 70-176 exams and at that time became an MCP.

What brings me to this specific post is to help others clarify the recent confusion in certification terminology and talk a little bit about the new upcoming exam tracks for Visual Studio 2008.

MCSD: .NET 1.1

It used to be that MCSD was the main certification developers tried to attain. Many people still use the term MCSD when reflecting on the certification they plan to get, and that's where the problem comes in. Most of these people are now talking about the .NET 2.0 Framework of certifications and MCSD does not cover 2.0. Here is the official statement on what MCSD is:

The Microsoft Certified Solution Developer (MCSD) for Microsoft .NET credential is the top-level certification for advanced developers who design and develop leading-edge enterprise solutions using Microsoft development tools and technologies in addition to the Microsoft .NET Framework 1.0 and Microsoft .NET Framework 1.1.

Notice the words "Framework 1.0 and Microsoft .NET Framework 1.1".

Note: MCAD is also part of the .NET 1.0/1.1 Track

.NET 2.0: MCTS & MCPD

The new certification that covers .NET 2.0 is Microsoft Certification Technology Specialist and Microsoft Certified Professional Developer. MCTS seems to be the simpler certification with MCPD covering the heavier and more in-depth track.

Another change Microsoft has made since the 1.1 exams is more focus on specialization (something I really like). For example here is how both MCTS and MCPD tracks are broken down into specific areas:

MCTS Track

MCPD Track

As you can see both tracks focus on Web, Windows or Distributed/Large scale systems. To me this makes perfect sense as certification should help people lead towards a particular goal that can help them in a specific job area. After all this isn't college, this is certification, it should be focused and to the point.

Architect Track?

In addition MCPD can move you towards the Architect level of certification. Unfortunately this is not an area of interest to me at the moment and beyond the image above I don't have personal knowledge of this track.

To find out more information on your own click here.

Visual Studio 2008 Is here, so now what?

While it is true that Visual Studio 2008, .NET 3.5 and other new technologies have arrived, testing still lags behind. Currently Microsoft is working on the next batch of exams (See this link) but nothing is out yet. Expect the first test to start appearing in March/April 2008.

So what should you do, wait for the new exams or get certified now? This answer is simple, start today if you have a need or passion to do it, just be smart and follow a track that can upgrade into 2008 exam paths. For more information see this link: Microsoft Visual Studio 2008 certification—how they know you know

Closing

Overall I really like the direction certification has evolved to with .NET 2.0 specialization tracks, and now a clear "building-block" type path for .NET 3.5 / VS 2008 exams that are coming up this year. I want to wish the best of luck to anyone that tries for these certifications as it's definitely worth having but is not an easy road.

If any corrections are needed to this post please feel free to post your comment or send me an email.

Wednesday, February 27, 2008

Unsafe Keyword

Today I was looking at the source code of Jon Skeet's blog post: Visualising the Mandelbrot set with LINQ - yet again. What interested me (out of all things) is a block of code with the keyword Unsafe.

I never used Pointers in C# and therefore had no clue that you needed to use the Unsafe keyword block around anything that had "unsafe code", which included Pointers in his case.


This is another good example of why looking at source code is so important, even when it's not your own or of immediate work importance. You never know what you will learn.

For more interesting source code I would recommend Scott Hanselman's Code Series on his blog, that can be found by clicking here.

For more information on Unsafe keyword, check out this MSDN page: http://msdn2.microsoft.com/en-us/library/t2yzs44b.aspx

Tuesday, February 19, 2008

Building The "Right" Solution

ASP.NET vs. SmartClient

About a year ago I was 100% positive that SmartClient* architecture was the way to go for a system I was tasked with building. The requirements called me to build it using ASP.NET but I knew it would be the wrong approach and not provide the interface and performance enhancements the users were looking for.

Making the case for such a drastic change was not easy, people were comfortable with ASP.NET and deploying Windows Applications brought back too many bad memories of installation and maintenance nightmares. Most of the bad memories were simply “legacy ghosts” and not real issues with the approach I was suggesting, a SmartClient.

Being fairly focused on delivering the best solution and experience for my users I decided to pursue getting approval for my architectural approach. After some consideration the best strategy I found was to build a series of prototypes supported by presentations that made my case.

Enter the Prototype

The first series of prototypes and demos focused on User Interface enhancements and easy deployment/maintenance using ClickOnce technology (hence the SmartClient references). During my demos of these prototypes it was clear that a Windows Application with in-memory caching, powerful and responsive grids, combined with the “feel” of a Windows App served the interface requirements very well.

Deployment was also an impressive “one click” implementation as long as the machine had sufficient rights to install an App and the .NET Framework. One concern we had to overcome is that many machines did not have the .NET Framework 2.0 preloaded. To solve this we merely had our field technicians deploy the Framework to all computers that needed it, while others simply self-installed it using an FAQ we provided.

(Admittedly, the desktop Framework deployment and maintenance was not a huge issue since we controlled all the users' desktops involved, there were not that many of them and Citrix was our backup.)

Another major concern we had to overcome was connectivity. The application had to be responsive on the various users desktops/Physical locations while querying web services located in our server farm out of NYC. To test this I created a simple application that would check the rate at which data was transferring between the client and the web services back-end. This test application was executed from all the key locations around the country and we found no significant latency issues to be concerned with.

It's Deployed and it Works

Today the users of this application enjoy a powerful interface of a locally installed full-fledged Windows application and they are happy with its usability and performance.

On the IT side the SmartClient ClickOnce upgrade model is working without issue keeping the pressure off our technicians.

This is exactly the kind of success story that makes .NET a powerful platform with hundreds of solutions and options to meet the requirements of the business while at the same time making the end users and IT pros happy.

Special Thanks: My Development Team

This application would NOT have been successful if it was not for the hard work and good coding put into it by my local development team and our outsourced resources. While I pushed for this approach they are the ones who made it possible in the end. Thank you guys, you know who you are.

(* The concept behind SmartClients if anyone is unfamiliar is a Winform Application that is deployed to user’s desktops using ClickOnce technology. ClickOnce then maintains the application at the latest published version automatically either on start-up or shutdown of the application, depending on configuration. This of course is a simplified explanation and you can get all the details here: SmartClient FAQ)

Sunday, February 10, 2008

Getting started with WMI in .NET

WMI Overview

Being a Software Engineer first and an IT person second I never find servers as interesting as the software that they run. The big change for me is when I bring the two together in a project. One such project did exactly this by allowing me to interface with a core server service called WMI to automate parts of a deployment process.

What is WMI? Here is the definition found on the Wiki page:

A set of standards specifications that allow for management information to be shared between management applications

Combining this interface with the ability to use it directly from .NET code makes for some interesting possibilities. Imagine being able to query remote servers for Environment variable data, Disk Driver statistics, Running process information, or any of the other useful statistics exposed through WMI.

WMI though can be very complex to implement properly but the basics are simple. For example to query for information like Environment Variables on a remote server:

  1. Create a ConnectionOptions object and specify a set of credentials if you're connecting to a remote box (you don't need credentials if you're connecting locally)
  2. Create a ManagementScope object, providing it the name of the machine which will be in your "scope" and the ConnectionOptions object you created earlier
  3. Create an ObjectQuery object and specify your query, for example: select VariableValue from Win32_Environment where name = "SystemRoot"
  4. Create a ManagementObjectSearcher object by providing it the ManagementScope and ObjectQuery. Once created you would simply execute the Get() method and get your ManagementObjectCollection collection that can be iterated through to retrieve each ManagementObject with the actual data.
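
The four steps above as one C# console program, added here as an illustration and not code from the original post. The class and method names, the command-line arguments, the SecureString password prompt, the packet-privacy authentication level and the escaping of the variable name before it goes into the WQL text are assumptions of this example.

```csharp
// Added example (not from the original post). Needs a reference to System.Management.dll.
using System;
using System.Management;
using System.Security;

static class WmiEnvironmentQuery
{
    // WQL uses the backslash as its escape character, so a caller-supplied value
    // cannot close the quoted literal and append its own conditions.
    static string EscapeWql(string value)
    {
        return value.Replace("\\", "\\\\").Replace("\"", "\\\"");
    }

    // Read a password without echoing it and without holding it in a plain string.
    static SecureString ReadPassword()
    {
        SecureString pwd = new SecureString();
        ConsoleKeyInfo key;
        while ((key = Console.ReadKey(true)).Key != ConsoleKey.Enter)
        {
            if (key.Key == ConsoleKey.Backspace)
            {
                if (pwd.Length > 0) pwd.RemoveAt(pwd.Length - 1);
            }
            else if (key.KeyChar != '\0')
            {
                pwd.AppendChar(key.KeyChar);
            }
        }
        Console.WriteLine();
        pwd.MakeReadOnly();
        return pwd;
    }

    static string GetEnvironmentVariable(string machine, string user,
                                         SecureString password, string name)
    {
        if (string.IsNullOrEmpty(machine) || machine.IndexOfAny(new char[] { '\\', '/' }) >= 0)
            throw new ArgumentException("Machine name must not contain path separators.");

        // Step 1: connection options. Credentials are set only for remote machines;
        // WMI rejects explicit credentials on a local connection.
        ConnectionOptions options = new ConnectionOptions();
        options.Impersonation = ImpersonationLevel.Impersonate;
        options.Authentication = AuthenticationLevel.PacketPrivacy; // sign and encrypt the DCOM traffic
        if (user != null)
        {
            options.Username = user;
            options.SecurePassword = password;
        }

        // Step 2: the scope names the machine and the WMI namespace.
        ManagementScope scope = new ManagementScope(@"\\" + machine + @"\root\cimv2", options);
        scope.Connect();

        // Step 3: the WQL query, with the variable name escaped.
        ObjectQuery query = new ObjectQuery(
            "select VariableValue from Win32_Environment where Name = \"" + EscapeWql(name) + "\"");

        // Step 4: run the query and read the first matching instance.
        using (ManagementObjectSearcher searcher = new ManagementObjectSearcher(scope, query))
        using (ManagementObjectCollection results = searcher.Get())
        {
            foreach (ManagementObject mo in results)
            {
                using (mo)
                {
                    return (string)mo["VariableValue"];
                }
            }
        }
        return null; // no variable with that name
    }

    static int Main(string[] args)
    {
        string machine = args.Length > 0 ? args[0] : ".";        // "." is the local machine
        string user = args.Length > 1 ? args[1] : null;          // e.g. DOMAIN\account, remote only
        string name = args.Length > 2 ? args[2] : "SystemRoot";  // variable used in the post's query

        SecureString password = null;
        try
        {
            if (user != null)
            {
                Console.Write("Password for " + user + ": ");
                password = ReadPassword();
            }
            string value = GetEnvironmentVariable(machine, user, password, name);
            Console.WriteLine(value ?? "(variable not found)");
            return value != null ? 0 : 1;
        }
        catch (Exception ex) // access denied, RPC unavailable, invalid query, bad argument
        {
            Console.Error.WriteLine(ex.GetType().Name + ": " + ex.Message);
            return 2;
        }
        finally
        {
            if (password != null) password.Dispose();
        }
    }
}
```

Run with no arguments it queries the local machine; a remote query additionally needs an account with remote WMI and DCOM rights on the target.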

WMI can also be scripted from JScript, command-line or tools like FinalBuilder, PowerShell, etc. This extends WMI automation beyond just the development group, letting other savvy IT professionals manage their systems without our assistance.

Getting Started with WMI for .NET Developers

Recommended Learning Path

To get started with WMI in .NET 2.0 I would recommend the following steps:

  • First read up on what WMI is from a more complete source than this blog, like this Wiki article:

WMI Wiki Page: http://en.wikipedia.org/wiki/Windows_Management_Instrumentation

  • Second learn about WMI's query language WQL, as it's very useful for querying information from a remote server:

WQL (SQL for WMI): http://msdn2.microsoft.com/en-us/library/aa394606.aspx

  • Third learn all about the .NET WMI implementation and check out the various code samples on the MSDN library:

MSDN: WMI .NET Overview: http://msdn2.microsoft.com/en-us/library/ms257340(VS.80).aspx

Other References

WMI is extremely useful in various scenarios and I hope this reference post helps you get started.

Wednesday, January 30, 2008

Reversing a String using C#... why not?

After doing a lot of coding and finally getting my program to do what I wanted I decided to take a break and try something new (for me).

One thing I never had to do for any application is reverse a string. As with anything I never did before I decided to give it a try, so I cooked up a few functions.

Reverse1 below is the most basic way of doing it, but is the slowest. Since in .NET strings are immutable (See Jon's Article for details) each time we concatenate it will create a new string object to keep our updated text. This can be very slow for large text blocks.

Reverse2 is a StringBuilder version which uses the power of mutable strings to avoid our performance problem above.

Reverse3 is an example I found trying to look for alternatives to my first two functions. (Thanks Justin Rogers for your post)

My Reverse String Examples

private static void Reverse1()
{
    string Data = "hello world";
    string Data2 = string.Empty;

    // Reverse using strings
    for (int i = Data.Length - 1; i >= 0; i--)
    {
        Data2 += Data.Substring(i, 1);
    }

    Console.WriteLine("Basic Strings: " + Data2);
}

private static void Reverse2()
{
    string Data = "hello world";
    StringBuilder sb = new StringBuilder();

    // Reverse - StringBuilder for performance
    for (int i = Data.Length - 1; i >= 0; i--)
    {
        sb.Append(Data.Substring(i, 1));
    }

    Console.WriteLine("StringBuilder: " + sb.ToString());
}

private static void Reverse3()
{
    string Data = "hello world";
    char[] DataArray = Data.ToCharArray();

    Array.Reverse(DataArray); // reverse
    string Output = new string(DataArray); // back to string

    Console.WriteLine("Array Reverse: " + Output);
}

Saturday, January 26, 2008

.NET CLR Profiler: Waiting for application to start common language runtime

Today I decided to try a tool called CLR Profiler. If you never heard of this tool before, here is what MSDN says about it:

The CLR Profiler includes a number of very useful views of the allocation profile, including a histogram of allocated types, allocation and call graphs, a time line showing GCs of various generations and the resulting state of the managed heap after those collections, and a call tree showing per-method allocations and assembly loads.

My first step in using the tool was to download it, so I Googled the words "CLR Profiler" and the very first link took me to the download page for "CLR Profiler (v1.1)".

For about half a second I wondered "Does v1.1 mean it's for Framework 1.1?", but that thought passed and I wrongly assumed it was merely a version number coincidence. That was a mistake on my part.


I started the tool and used the "Start Application" button with all the default settings to try and profile a very basic application I had built specifically for this purpose. Doing so though did not seem to work, the profiler would get stuck on the message "Waiting for application to start common language runtime" and after I would exit my test application, CLR Profiler would crash.


Puzzled by this I went back to the download page for the profiler and quickly discovered the problem, my original thought should have been pursued, this really was the profiler for .NET Framework 1.1! A link at the bottom of the download page pointed to the correct version: CLR Profiler for the .NET Framework 2.0.

Now that I am using the correct version of the utility it works perfectly. It is worth noting though that the interface really looks the same between the two versions, so don't let that fool you either.


Tuesday, January 22, 2008

SSIS: Reading and Setting package variables using C#

There are many occasions when an SSIS package has User Defined Variables that need to be modified at runtime by C# code. Here is an example that both reads and sets such variables.

Example: Reading and Setting Package Variables

// Set the path to your package file (.dtsx extension)
string PackagePath = @"c:\SSISPackages\MyPackage.dtsx";


// Create Application Instance and Package placeholder
Application app = new Application();
Package p = null;

// Load the package
p = app.LoadPackage(PackagePath, null);

// In this example I want to change the variable that holds the
// path to my source file
p.Variables["SourceFilePath"].Value = @"c:\SourceFiles\testdata.xls";

// Execute my package
p.Execute();

// My package sets an internal variable that I want to
// pull out, this is how I do it
string InsertedKey = p.Variables["InsertedKey"].Value.ToString();


Note: You will need to add a reference to Microsoft.SQLServer.ManagedDTS assembly and add the using Microsoft.SqlServer.Dts.Runtime; namespace reference in order to make this sample work

Tuesday, January 15, 2008

Windows Vista Upgrade Advisor Doesn't Like .NET 2.0 (v2.0.50727.42)

The other day a good friend of mine called me with a very odd comment, "Why is .NET 2.0 not compatible with Windows Vista?". I was puzzled, what the heck was he talking about?

As far as I knew .NET 2.0 and up was definitely working on Windows Vista, in fact I have even heard various people using Vista as their development machine using Visual Studio 2005.

My friend though insisted, he told me that a Microsoft application was telling him this, and he could send me a screenshot. Below is that screenshot from Upgrade Advisor that as seen in the last column clearly states "This program might have minor compatibility issues after upgrading to Windows Vista, Click Here to download an update."

screenshot

While the Click Here link in that screenshot might take my friend to a solution, based on his initial reaction it makes me think that the Upgrade Advisor needs to do a better job at communicating issues and their importance to users. (Perhaps simply insisting they run Windows Update to full patch level before this program can correctly analyze their machine)

I tried Googling various variations of words to try and find more information regarding what the compatibility issues are but have had no luck. Perhaps someone can reply to this post with more details as I am very curious.

Friday, January 11, 2008

Object reference not set to an instance of an object. ... A C# story

Today I was writing a small console application and ran into an issue that wasted a good half hour of my time. The console application consisted of one class that I instantiated as MyObject and attempted to run two methods .LoadPackage(), followed by .Execute().

The detailed explanation of the actual object functionality is not necessary but let's talk about what I did inside from a technical perspective:

  • I added a private field of another object, basically saying ABCObject abc = null; I did not want it initialized until the LoadPackage() method was run
  • In the LoadPackage() method I wanted to say abc = new ABCObject(); but instead I wrote ABCObject abc = new ABCObject();
  • Due to this very basic mistake above when I executed .Execute() that tried to do abc.Run() it failed with a "Object reference not set to an instance of an object" error

Looking back at this I of course realize what happened, by defining the variable again inside of the LoadPackage() function I made it a local variable in the scope of the method, so my field version of abc never got set and the Execute() method always had a null reference. My biggest frustrations with this whole situation are:

  • When setting a breakpoint inside of the LoadPackage() function I didn't see this problem right away since until the method exited the object looked just fine
  • Visual Studio 2005 does not warn me when I override a field in this fashion, perhaps there should be some sort of visual cue?

As my friend from DevBlog would say "this is a classic scope problem" and I know wasting time on this was all my fault, but I definitely feel the tool could be smarter in these kinds of scenarios.

Your thoughts?

Properties in C#

Properties are a great way to define public get and/or set variables on your classes. With Visual Studio 2008 improvements have arrived to make working with properties even cleaner.

(If you don't know what properties are then I highly recommend you read Rajesh VS's post on c-sharpcorner for the basics)

Visual Studio 2005

Below is an example of a basic property.

Example:
private string _PackageName = string.Empty;
public string PackageName
{
    get { return _PackageName; }
    set { _PackageName = value; }
}

A nice feature added for .NET 2.0 is the ability to make one of the property's accessors private. For example, here I will change the above code's set accessor to make setting only possible from inside of the class:

private set { _PackageName = value; }

Visual Studio 2008

In the next release of Visual Studio this is being enhanced even further by allowing something I like to call Short Properties (but the official name is Automatic Properties). This enhancement allows you to skip the body definition if all the code does is the basic SET/GET operation for a value. Here is an example:

Example:

public string PackageName { get; set; }

You can also use the private keyword in the same fashion to limit who can set the property vs. read the property:

public string PackageName { get; private set; }

In my opinion this syntax is much better in the majority of cases as it avoids having to define a private supporting variable and makes for neater and cleaner looking code.

Automatic Properties: C# 3.0 not .NET 3.0

Versions, acronyms, uhh ... confusion.

If anyone else is overloaded with technology like me you probably have suffered at one time or another from a mental block related to reading version numbers. The key to Automatic Properties is that it's a C# 3.0 feature, not a .NET 3.0 feature. This is why it is only available with Orcas aka Visual Studio 2008, not as part of the .NET 3.0 extensions for 2005.

Acknowledgments: Special thanks to Jon Skeet for pointing these concepts out to me. I highly recommend everyone check out his new book called C# in Depth coming March 2008. (Click here to view the first chapter for free)

Wednesday, January 2, 2008

Pre-compiling Winform .NET Applications

Questions and Confusion

Before the new year holiday I had a good friend of mine ask me a question I must admit I didn't fully understand. The main point of his question was centered around the lifecycle of the MSIL code once it's compiled into binary. Did the compiled copy get created per application session? Is it stored in a cache? When and how does it expire?

The main confusion I had was context, is he talking about Winform or ASP.NET? I assumed Winform as I know my friend understands ASP.NET very well and I was right. After talking to him he explained that his main concern was the performance of .NET code vs native C++ code. He assumed that the difference would be minimal if the code can be pre-compiled as the JIT would be one of the biggest performance hits in this kind of scenario.

To be honest I didn't know the answer to his question, but doing some research I believe I have come up with the answer.

NGEN Utility


NGEN is a utility that comes with the .NET Framework and can be located at paths such as the one below for the 2.0 edition:

C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\NGen.exe

For more information on how NGEN works I recommend this article from MSDN magazine May 2006 issue: CLR INSIDE OUT: The Performance Benefits of NGen. This article talks in detail on how to use NGEN to gain performance benefits but here is the general idea.

The basic idea behind JIT for .NET in a scenario where NGEN pre-compile is not used is as follows:

  • You call for the execution of a .NET managed EXE or DLL
  • The JIT (Just-in-time compiler) kicks in and compiles it inside of the windows directory (best guess of the location, more on this later) under some funky name
  • As long as you keep running your program, it stays in the Native Image Cache (NIC)
  • When your program terminates the Native Image is cleaned out of the NIC. Meaning that next time you run your program, it will need to recompile again

When using NGEN to install your application through the "NGEN INSTALL c:\yourapppath\yourapp.exe" command the application and its dependencies are pre-compiled into the %WINDIR%\assembly directory. This saves startup time and avoids the constant JIT compilation on every start.

The downside to using NGEN (as noted in various articles and blogs) is that the disk footprint of your application becomes larger, since the compiled Native Image is larger than the MSIL code. With today's hard drives though I don't see how this would be an issue in most circumstances.

To me based on this information using NGEN seems like a smart move that can benefit any application but especially large ones or those that spin-up and spin-down often.

Unfortunately I do not have time right now to try all of this for myself so all my information should be taken with a grain of salt.

Pending Questions about NGEN

I also have a few important questions pending. I will attempt to answer them at a later point as time allows:

  • I can't seem to find where the JIT Native Images are stored when not using NGEN. I'm guessing the location is %WINDIR%\. This assumption is based on the following blog post talking of issues with JIT, Windows Directory and permissions on Citrix Servers: .Net Framework Applications Writing to the Windows Root Directory
  • I don't know when using NGEN starts making sense. Is there a natural point at which NGEN becomes a large performance benefit? JIT must be very fast for most modern applications?
  • Is NGEN automatically called by the installer when you create an MSI from Visual Studio or 3rd party tools like InstallShield? Perhaps NGEN is already used a lot more often than I realize
  • Is .NET smart enough to recompile the Native Image in the Cache automatically if you update the EXE/DLL but don't run NGEN UPDATE command? If this is not the case then I see a major downside to using the pre-compile for applications that are updated manually

If anyone has any insights into these questions please feel free to post a comment reply to this blog entry, I'd love to hear from you.

Additional Resources

While doing my research I found a few other links worth mentioning:

  1. Improving WPF applications startup time: This post by the WPF Performance PM (no name given in Blog) talks about various points that can hurt WPF performance and touches on NGEN. Interesting article worth reading
  2. NGEN in MSDN Magazine: Another great NGEN article
  3. Windows Forms Performance Tips in MSDN Magazine: Talks about various way to improve the performance of your windows applications

Underlying Concern: Performance of the CLR

What drives this whole topic more than any other issue is the concept of performance. When comparing .NET C# vs let's say C++ native code people can definitely point fingers and claim various performance benefits in doing things closer to the platform with C++. Fortunately anything gained by native code is in most situations outweighed by the productivity gained when using an easy to develop in managed environment as provided by VS 2005/2008 and .NET C# or VB.NET.

There is a time to build super efficient code and there is a time to deliver solutions quickly. Make the choices that make sense for your project and don't look back.

.NET Remoting - Memories and Ironies

Memories

In the near future one of the potential .NET technologies I will have to develop in will be .NET Remoting. I have never worked with Remoting as Web Services has been my focus for many years now, but this does not faze me. I am encouraged at every opportunity to use a technology I never worked with and this sounds exciting. (I love making systems talk to each other)

Even though I never used this technology, I am not without history in the area. Approximately two years ago I had a chance to look at .NET Remoting vs Web Services as both technologies were relatively new to the industry. At that time .NET Remoting was seen by many forum posters and blog writers as a "Dated technology that is losing support from Microsoft in light of the success with web service". This led me to abandon my research even before prototyping as deadlines were tight and Web Services seemed like a good route to go (and it did work out).

Come late 2007 and once again I am faced with this technology, this time around though the implementation is not debatable as it's already built into the architecture. Talking to someone about this project I couldn't help but mention my previous experience where my research made Remoting seem like a dead technology. Even though I made this comment I still insisted something I really believe: even if this is not the future of the technology direction .NET Remoting works. Taking that into account I have no issue with using it to solve a problem for the business and see no immediate need to chase different technology for the sake of change.

Ironies

As I started looking at learning all I can about .NET Remoting Google helped me locate a great article called .NET Remoting Versus Web Services. This seemed like a natural place to start as I am already familiar with Web Services and contrast is a powerful learning tool. In addition I decided to also review the official Microsoft website on the subject. The irony is that the first two links on this website Microsoft .NET Remoting: A Technical Overview and An Introduction to Microsoft .NET Remoting Framework are broken links! After a quick laugh I reported the problem to Microsoft and decided to (for now at least) focus on the 3rd party documentation on this subject.

Gut Feelings

My long-term gut feeling is that .NET Remoting is being replaced by WCF technology. Finding an article called From .NET Remoting to the Windows Communication Foundation (WCF) is a good hint that I might be on the right track.

I look forward to learning more about .NET Remoting and WCF in the coming days to be the most well rounded Engineer I can be when the time comes to hit the keyboard and get rolling.

Wednesday, November 28, 2007

.NET 2.0 Multi-threading and Memory Management (GC)

The problem with most modern software development is its greatest productivity point: “Ease of development”. This is especially true in the .NET/Microsoft space where the tools and Frameworks are simply amazing and hide most of the complexity.

Fortunately though for those of us who need to create more custom/complex solutions or simply want to fully understand their environment there are many ways to learn and interact with concepts such as Multi-threading and Memory Management (The Garbage Collector in .NET).

The following links are some of the best resources I have found to learn from or refresh your memory on these subjects. If you have never visited them before, I highly recommend adding these to your bookmarks and required reading lists.

Multi-threading

Multi-threading in .NET (by Jon)
http://www.yoda.arachsys.com/csharp/threads/

Memory Management

Garbage Collection: Automatic Memory Management in the Microsoft .NET Framework (by Jeffrey Richter)
http://msdn.microsoft.com/msdnmag/issues/1100/GCI/default.aspx

Garbage Collection—Part 2: Automatic Memory Management in the Microsoft .NET Framework
http://msdn.microsoft.com/msdnmag/issues/1200/GCI2/default.aspx

Monday, November 26, 2007

Exception: "Attempt to put an instance with no defined key"

Problem

Recently one of my work projects presented a good scenario for a management console that could help configure servers using WMI. The requirements themselves were simplistic as the utility would only need to manage a server list and update system-level environment variables based on the server's category.

To check the feasibility of building such a solution I started to research example applications that automate WMI using C#/.NET 2.0 and found many straightforward candidates. The samples used the ManagementObject and seemed to do what I needed.

Coding my first prototype, everything seemed to go well until I attempted to execute enough code to actually update the environment variable, which immediately hit an Exception on the .Put() method of the ManagementObject, the exception being "Attempt to put an instance with no defined key".

My first instinct was to Google the exact error but to my horror zero results were returned. Trying MSDN and LIVE search also resulted in zero documented cases of this Exception. Like most Software Engineers today I am spoiled by Google's ability to provide me an answer to all programming questions, and this particular case bothered me greatly as it seemed like a simplistic 10 lines of code that someone must have coded before.

Solution

After many hours of trying to debug this strange Exception and looking at other people's samples I realized that MSDN's example was actually very close to my code except it used a different overload on the line which would query the variables:

MSDN Code: SelectQuery wmiQueryObject = new SelectQuery("Win32_Environment", "UserName=\"\" and Name=\"SystemRoot\"");

My Code: SelectQuery wmiQueryObject = new SelectQuery("select VariableValue from Win32_Environment where name = \"SystemRoot\"");

In hopes this would solve my problem I decided to try their method overload instead of my WQL variant while leaving the rest of the code alone and it worked perfectly! I really do not understand why switching the overload causes the .Put() method to work but at least I was able to get beyond an Exception that is not even documented and my project moves forward. I hope this Blog entry or my MSDN Wiki content posting saves someone time and documents this Exception.
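The difference between the two queries, shown as an added example that is not part of the original post or of MSDN's sample: a WQL query that selects only VariableValue returns a partial instance, which is consistent with the "no defined key" error because the class keys (Name and UserName) are not in the select list, while the class-name overload expands to `select *` and returns an instance with its object path. The variable name MY_APP_SETTING, the value written and the `<SYSTEM>` owner filter are assumptions of this example.

```csharp
using System;
using System.Management;

class Win32EnvironmentPut
{
    // Assumptions: this machine-level variable already exists and the
    // process runs elevated on the local machine.
    const string VarName = "MY_APP_SETTING";  // hypothetical variable name
    const string Owner = "<SYSTEM>";          // UserName of system-level variables

    static ManagementObject First(SelectQuery query)
    {
        using (ManagementObjectSearcher searcher = new ManagementObjectSearcher(query))
        {
            foreach (ManagementObject mo in searcher.Get())
                return mo;  // the first match is enough here
        }
        return null;
    }

    // Put() needs the instance's object path, which WMI builds from the
    // class key properties (Name and UserName for Win32_Environment).
    static bool HasObjectPath(ManagementObject mo)
    {
        return mo != null && mo.Path != null && !string.IsNullOrEmpty(mo.Path.Path);
    }

    static void Main()
    {
        string filter = string.Format("Name='{0}' and UserName='{1}'", VarName, Owner);

        // Partial instance: only VariableValue is requested, no key properties.
        ManagementObject partial = First(new SelectQuery(
            "select VariableValue from Win32_Environment where " + filter));
        Console.WriteLine("partial query has object path: {0}", HasObjectPath(partial));

        // Full instance: this overload expands to "select * from Win32_Environment where ...".
        ManagementObject full = First(new SelectQuery("Win32_Environment", filter));
        if (!HasObjectPath(full)) { Console.Error.WriteLine("Variable not found."); return; }
        try
        {
            full["VariableValue"] = "new-value";  // constructed sample value
            full.Put();                           // commits the change through WMI
            Console.WriteLine("updated {0}", full.Path.RelativePath);
        }
        catch (ManagementException ex)
        {
            Console.Error.WriteLine("Put failed: {0} ({1})", ex.Message, ex.ErrorCode);
        }
    }
}
```

Checking the object path before calling Put() turns the exception into an explicit precondition, which is easier to diagnose than the WMI error text.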

In general I believe this is a great example of why the source code for .NET should be released, and thankfully this is happening in .NET 3.5! (to read more see Scott Gu's blog posting on this subject)

Reference

My MSDN Wiki Post

http://msdn2.microsoft.com/en-us/library/system.management.managementobject_methods.aspx

Helpful WMI Link

http://www.csharphelp.com/archives2/archive334.html (By Kevin Matthew Goss)

http://msdn2.microsoft.com/en-us/library/aa720264(VS.71).aspx (Managing Applications Using WMI on MSDN)

http://en.wikipedia.org/wiki/Windows_Management_Instrumentation (WMI Overview on Wikipedia)

Tuesday, November 13, 2007

Security Analysis

Overview

Building applications that are exposed directly to the Internet presents many challenges to engineers, especially those working in smaller and less mature development shops. Security tends to be one of these challenges and in my opinion is one of the hardest to approach correctly.

Two years ago in 2005 I found myself architecting and building an ASP.NET 2.0 application from the ground-up. This particular project would expose sensitive personal information to the Internet directly for the first time in my company’s history and we had no experience on keeping it secure. (Citrix was used for all previous projects which added the extra security wrapper). A flawed design had the potential to hurt thousands of people so I took this topic very seriously.

My security analysis started on a long flight from the United States to the Ukraine for a family visit (what better way to pass the time of a long flight than to geek out on security?). To begin my analysis I started to piece together the various aspects of the system that needed security considerations and soon realized I was struggling to create what I would consider a complete list.

The root of my problem was I neither had a solid reference-base to start with, nor a large amount of experience in security. To try and overcome these limitations I immediately began to piece together every major system or concept my application would interact with and that had security considerations. Four hours later this warped into the Security Zones Diagram featured above. This simple diagram breaks up the various parts of the system that needed my attention in any security analysis phase of an ASP.NET application.

Zones and Examples Breakdown

  • Personnel (People Factor)
    Example: Have we made an effort to train our end-users not to respond to emails requesting their password?
  • PC (End-user computers)
    Example: Have we considered what impact key-logging Trojans might have on our security?
  • Internet (External Network Traffic)
    Example: Have we made an effort to secure all traffic from our application as it crosses the Internet?
  • Firewall
    Example: Have we considered all the ways a firewall can help block our application from harm such as limiting sensitive resources access to specific restricted IP ranges?
  • Load Balancer
    Example: Have we considered all the ways a load balancer can help block our application from harm such as real-time layer-7 traffic analysis?
  • IIS Servers (Web and App) Configuration
    Example: Have we locked down our IIS server to only expose the type of physical files required to run our application and not sensitive resources such as code assemblies?
  • Your ASP.NET hosted code
    Example: Have we made sure our custom authentication code locks out users when a dictionary attack is suspected?
  • .NET Framework
    Example: Have we made sure to service-pack the .NET framework with all the latest security hot-fixes?
  • SQL Servers Configuration
    Example: Have we configured our SQL servers in a secure way that restricts which resources can talk to them directly?
  • SQL Server Code (Users, T-SQL code, etc)
    Example: Have we limited our user’s access to the minimum rights such as Stored Procedure execution rights in only a specific database?
  • SSL Tunnel
    Example: Have we made sure that all sensitive information is transferred using SSL when it leaves our network?
  • Network Data (Internal)
    Example: Have we set up VLANs and routers to segment off our internal sensitive traffic away from the general network where it could potentially be intercepted?
  • Email Communication
    Example: Have we made sure no services send sensitive information in clear-text emails?

Documenting and Analyzing

Once you consider all the various aspects that could potentially impact your application you will quickly realize that the list can grow to such a size that it can almost feel unmanageable. This is something that must be avoided if you are to have a constructive analysis process that leads to actual actions. Here is my recommended approach for managing this:

  • Get all the key player(s) thinking about the Security Zones or some other common method of highlighting all the key areas. (and do this early on in the process)
  • Time-box this exercise and demand feedback if possible. Otherwise you’ll never get input, people are busy after all.
  • Use SharePoint lists, Google Shared Documents or any list that can be easily viewed and updated by multiple people with minimum conflict. Making it easy for people to contribute and keeping the process transparent is essential.
  • Set up a meeting for a group review of the documented risks. Rate the risks into three categories: Priority, Next Phase or Won’t Fix. Priority items should be added to the development or networking tasks for your current project phase as critical-path items. These items cannot be seen as external to the key deliverables of the project.
  • Next Phase items should be added to your next-phase project plan and treated as priority critical-path items during that phase
  • Won’t Fix items should remain documented but be considered irrelevant or so unlikely that investing time into resolving them would not be constructive
  • Keep this process alive through the entire development cycle of your application since as the application evolves it will constantly bring new security challenges or considerations to the table

Conclusion

Having any process is better than having no process, and while I will not claim to be a security expert the above has at least provided me a context from which I can analyze security risk.

Please feel free to use any part of my recommendations or even the diagram itself if it helps you.

Please Comment

Know of a better way? Have criticism of my approach? Have general feedback? Please post your comments, I really look forward to it.