From: Hector Santos on
David Ching wrote:

> "Hector Santos" <sant9442(a)nospam.gmail.com> wrote in message
> news:OgWhkPH$KHA.4316(a)TK2MSFTNGP04.phx.gbl...
>> +1, unless you are "master" in understanding manifest, and that means
>> using them, you can get really lost just trying to get applications
>> running probably without extensive debugging and tracing and not even
>> that will help sometimes, unless you know what you doing.
>>
>
> What does it mean to "master" manifests? It doesn't require (much) more
> than mastering DLL versioning. If you don't understand either, you
> don't deserve to be using DLL's period, you should be static linking and
> that's all there is to it.


I got DLLS all over the place, uses in all shapes and forms and NEVER
had a problem because it is well understood, under my control, and
early days were tough, I wrote my own "depends."

Manifest was a big kludge to say the least, removing basic
understanding of them at a basic level, hard to manage, especially
when there were problems.

If you never had a problem David, well then, you were the rare
exception and "master" of understanding them.

Please don't tell me it was just a matter of editing a text file and
trying to follow and match these guids around from tweak to tweak,
version to version, OS to OS, and even then when patches came around,
something could go wrong.

The bottom line I never needed them - the OS did.

>> The old school way - UNDERSTANDING basic DLL loading - in my view is
>> far easier and less distruptive.
>>
>
> I dare say understanding basic DLL loading is as misunderstood as
> manifests. Win9x looked in different paths for DLL's than WinNT, for
> example. .....


DUH, that is NOT RELATED to Manifest. That is exactly my point, what
you stated was well understood especially between versions,
understanding LoadLibrary(Ex), implicit or explicit, delay loading,
etc, all understood.

When it came to manifest, it "altered" things and when YOU thought you
had it figured out or maybe follows some BLOG to get around this stuff
and didn't work, it isn't fun.

> Bottom line is people think loading DLL's should be as
> automatic as loading EXE's,


I don't. Please don't lump all people who had issues with it as though
they were idiots or something.

Obviously Microsoft felt the same way because more than just idiots
has a problem. Even experts had issues, not because they couldn't
figure out, but it was a pain in the a$$. Who wants to spends hours
trying to figure something out when in reality most of the time it
wasn't your problem.

> DLL Hell "works"
> more often than manifests, and people would rather bury their heads in
> the sand even though it yields subtle problems like unresolved externals
> in the DLL or bad behavior due to breaking changes of using the wrong
> manifest, in addition you are at the mercy of whatever Joe Blow's
> installer was run last that installed who knows what version of the DLL!
>
> But I am glad at least for app local deployments, the basic rule that
> your local DLL will always be the one used for your app still rules
> supreme no matter for manifests or not. I stick to app local
> deployment, or static linking.

Well, maybe you do David. I won't. I need DLLS because we have a
plug-in system, a dynamic Virtual I/O system based on DLLS, a p-code
compiler langugge which requires 3rd party developers to import
libraries, etc. We don't need 'hidden' rules based on the OS issues
with loading different versions.

Maybe the problem is that MS is getting its OS vs Applications
integration issues confused with 3rd party ISV of the OS - they should
be independent, it was an Anti-Trust issue, you know? So when MS has
a bug or security patch for its own applications and services via a
system DLL, it could and has cause problems for others. Maybe
Microsoft should do a static link for their own application so their
once general DLLs they wanted to share with others but kept changing
them doesn't hurt others any more.

Maybe they should slow down the hidden hooking of your application
dlls in the name of monitoring, centralization or whatever. People
would be surprise how many dlls are hooked in even for the smallest
app with just 1 dll - one mismatch in the transparent hooking and you
are hosed.

All I know is I never used Manifest, yet, I had problems related to
it. Not by my choosing or wanting to learn it. I am glad MS did
something right for a change - get rid of something you don't need and
cause more problems than it solved.

--
HLS
From: David Ching on
"David Webber" <dave(a)musical-dot-demon-dot-co.uk> wrote in message
news:uy$ME5K$KHA.3840(a)TK2MSFTNGP02.phx.gbl...
> 2. With "DLL Hell", I never understood what anyone was talking about. I
> just put the MFC and CRT DLLs in my program directory since the first MFC
> version of my program released in 1996. Never had any problems at all
> until VS 2008 and manifests. Never. And I have never caused DLL Hell
> for anyone else by replacing someone's versions of MFC etc with the ones I
> am supplying.
>

Putting the DLL's in your program directory is called App local
installation. You are right that it never caused, nor was it a victim of,
DLL Hell. So you got a free pass! :-)

DLL Hell was caused when the DLL's in c:\windows\system32 were overwritten
by other people's installers or Windows Update or whatever, and these new
DLL's were incompatible with the ones your app was linked against.
Basically it means there can be only one version of each DLL globally
available for everyone's use, and anyone's app can update it. This leads to
all sorts of issues. Microsoft itself has released a couple versions of its
VC RTL DLL's that had bugs in them (I think VC 4 had an issue). Other
people's installers had bugs in them that they would overwrite newer
versions of the DLL's with older ones, they would not update the DLL's as a
set so there were left some old and some new DLL's, etc.)

Unfortunately, to fix the DLL Hell in c:\windows\system32, the manifest
solution made App local installation more troublesome, since for this, you
now had to have manifests in each .exe and .dll explaining which other dll's
it depended on and what their versions were (and not just versions, but
things like public key tokens, etc.) These were generated automatically and
worked fine, so long as you "rebuilt the world" and mainly caused issues if
you built a library or DLL with an old VC++ and wanted to use it as is in
your app built with the new VC++.


> 3. I too put out service releases of my software, and I can replace the
> MFC and CRT libraries easily enough if service releases of those have come
> out.
>

One reason MS pushed so hard for the manifest system is it let them issue
patched DLL's that could override even the ones you had in your program
directory. That's right, if you didn't read Jochen's blog (article "How to
make a really app local installation"), I'll bet you never knew that if
there was a newer version of the DLL's in c:\windows\system32, that when
Windows loaded your program, it would load those newer DLL's into your
program's process and not the DLL's that were in your program directory!

The prime example of why this was desired was the bug in gdiplus.dll that
caused a manipulated image file to be able to crash the app and gain Admin
access.

With all due respect, I don't think you would respond nearly as fast to
rebuild and redistribute your app with the new gdiplus.dll as Microsoft
could do by patching end user systems directly. Even if you did, the change
would not take effect unless your users updated, which again would cause a
delay. So for zero day attacks and other such things, no doubt about it,
manifests which enabled loading an updated DLL instead of the one in the
program file (at the same time retaining compatibility because the manifest
specified which version was originally used) was a key security boon.

Although how much effect this had in every day living I'm not sure, and
apparently so is MS which revoked the manifest system for important VC 2010
DLL's .


> 4. I agree that lack of good documentation of manifests was a major
> problem. Having to rely on the existence of Jochen Kalmbach's Blog (and
> find out about it) to find out how to put the dLL's in ones program's
> directory just points to how pathetic Microsoft's documentation is (but a
> real service to the world - thanks Jochen).
>
> 5. With VS 2008, I didn't want to use the Microsoft redistribution SxS
> installer, because my software ran on Windows 98, and I couldn't find any
> documentation about whether the Microsoft installer worked on Win 98 (an
> operating system they explicitly didn't support) and if it did, where it
> put things. I have always been particular about NOT replacing people's
> system DLLs in the Windows or System directories - see (2). So it was a
> real problem for me until I discovered (4).
>
> 6. Hard disk real estate is dirt cheap. There is no reason at all thee
> days NOT to put MFC etc in one's own directory.
>

Hard disk space is one consideration. Memory usage is another - if multiple
apps are running e.g. msvcr100.dll from separate folders, each one takes
memory, whereas only one copy would be loaded if they were using the one in
c:\windows\system32. Security is yet another (see above).

Also, one reason to *not* put MFC into your own directory is if you
distribute various .exe's all of which must for whatever reason be put into
their own folders (I.e. all your .exe's don't go into the same folder.)
This happens more often than I originally had thought, in which case app
local installation is not really an option.


> 7. Looking through the VS 2010 help (and I'm not sure I like the format
> but it's early days yet) I did find something which indicated one could
> put the MFC DLL in one's own directory, and there was no mention of
> needing a manifest. But I didn't find a parenthetic admission in capital
> letters that IN VISUAL STUDIO 2008 YOU NEEDED A MANIFEST WHICH WE DIDN'T
> TELL YOU HOW TO WRITE BUT WE SCREWED UP AND ARE VERY SORRY SO NOW YOU CAN
> DO IT WITHOUT A MANIFEST. Had that been there, I wouldn't have felt the
> need to ask for reassurance here :-)
>
> 8. Anyway thanks for a lot of good points on this thread: but I am
> resolved to do it my own atavistic way and put MFC and CRT in my program's
> own directory, as that way I understand what I'm doing, and it definitely
> can't interfere with anything else on anyone's machine (which makes me
> feel comfortable). After VS 2008 it feels suspiciously easy in VS
> 2010. All looks clear but I feel there are bad guys hiding behind the
> rocks ready to ambush me. We'll see :-)
>

I haven't created new C++ projects in VC2010 yet, but I believe they still
generate manifest (if for no other reason than the manifest marks the .exe
as it should not run have e.g. registry virtualization enabled), it would be
interesting to see if the manifest contains any dependencies on VC DLL's. I
don't think so, but it would be a good check.

BTW, while I like the protection manifests provided, I did indeed spend days
and even weeks over the years since VC2005 (manifests were introduced in
VC2005, not VC2008, btw) diagnosing problems with manifests containing e.g.
dependencies on 2 versions of mfc80.dll. And it really burned me when MS
introduced the ATL Security Update thing summer 2009 that broke builds and
even releases to customers because MS updated Visual Studio redist without
telling us. So I have been burned and it has cost real money.

But the bottom line is manifests let *you* control which DLL's get loaded
into your app and *no one* can screw that up, especially Joe Blow and his
stupid installer that doesn't check that the old DLL's he's stupidly copying
into c:\windows\system32 are one year older than the ones you diligiently
supplied with your app!



-- David

From: David Webber on


"David Ching" <dc(a)remove-this.dcsoft.com> wrote in message
news:E0CDF9B1-D002-4326-8467-C7BF728A8652(a)microsoft.com...
> "David Webber" <dave(a)musical-dot-demon-dot-co.uk> wrote in message
> news:uy$ME5K$KHA.3840(a)TK2MSFTNGP02.phx.gbl...

>> 2. With "DLL Hell", I never understood what anyone was talking about. I
>> just put the MFC and CRT DLLs in my program directory since the first MFC
>> version of my program released in 1996. Never had any problems at all
>> until VS 2008 and manifests. Never. And I have never caused DLL Hell
>> for anyone else by replacing someone's versions of MFC etc with the ones
>> I am supplying.
>>
>
> Putting the DLL's in your program directory is called App local
> installation.

So I gather, but the phrase "App local installation" was only invented long
after everyone was doing it - probably only when VS 2008 made it such a
complicated issue :-)

> You are right that it never caused, nor was it a victim of, DLL Hell. So
> you got a free pass! :-)

It has just always seemed so obvious.

> DLL Hell was caused when the DLL's in c:\windows\system32 were overwritten
> by other people's installers...

Yes. I could just never work out why everyone didn't do "app local
installation". Of course the original idea of DLLs was that you only
needed one copy of a DLL on your hard drive and lots of programs could share
it (and originally in Win3.1 IIRC only one copy of the code was ever loaded
in memory). But hard disk space stopped being an issue long ago.

>> 3. I too put out service releases of my software, and I can replace the
>> MFC and CRT libraries easily enough if service releases of those have
>> come out.
>
> One reason MS pushed so hard for the manifest system is it let them issue
> patched DLL's that could override even the ones you had in your program
> directory. That's right, if you didn't read Jochen's blog (article "How
> to make a really app local installation"), I'll bet you never knew that if
> there was a newer version of the DLL's in c:\windows\system32, that when
> Windows loaded your program, it would load those newer DLL's into your
> program's process and not the DLL's that were in your program directory!

No I didn't :-( So Big Brother is still watching me :-(

> The prime example of why this was desired was the bug in gdiplus.dll that
> caused a manipulated image file to be able to crash the app and gain Admin
> access.

Didn't know about that either :-( (But I only started using gdiplus at my
VS2008 release.)

> With all due respect, I don't think you would respond nearly as fast to
> rebuild and redistribute your app with the new gdiplus.dll as Microsoft
> could do by patching end user systems directly....

Well, I'm not too bad: my users tend to rate my support well enough. I
rarely go three months without putting out a service release for some minor
bug or other. If there are reasonably easy work-arounds, I usually wait
until 2 or 3 have been reported, (because patches which fix all previous
releases tend to grow as time goes on). But (very occasional)
show-stoppers get fixed pretty much immediately. Of course users have to
press "Check for updates" on the Help menu to find when there's a service
pack, as I have been loth to have my software go down the internet without
the user actually asking it to. There are enough on my Yahoo user group
that they gang up on me soon enough if something definitely isn't right.

> Even if you did, the change would not take effect unless your users
> updated, which again would cause a delay. So for zero day attacks and
> other such things, no doubt about it, manifests which enabled loading an
> updated DLL instead of the one in the program file (at the same time
> retaining compatibility because the manifest specified which version was
> originally used) was a key security boon.
>
> Although how much effect this had in every day living I'm not sure, and
> apparently so is MS which revoked the manifest system for important VC
> 2010 DLL's .

There must have been a lot of complaints. Microsoft *does* like to be in
control :-)

>...
> Hard disk space is one consideration. Memory usage is another - if
> multiple apps are running e.g. msvcr100.dll from separate folders, each
> one takes memory, whereas only one copy would be loaded if they were using
> the one in c:\windows\system32. Security is yet another (see above).

I thought that since win95, programs simultaneously using the same DLL all
loaded their own copies of it: code and data both????

> Also, one reason to *not* put MFC into your own directory is if you
> distribute various .exe's all of which must for whatever reason be put
> into their own folders (I.e. all your .exe's don't go into the same
> folder.) This happens more often than I originally had thought, in which
> case app local installation is not really an option.

Well I suppose it would be inelegant if you distributed 153 different small
exes all using the same big DLL, but it's still an option: even 153 copies
of a 1MB DLL on a terabyte hard disk aren't that much of a problem - but I
take your point: I wouldn't do that.

> I haven't created new C++ projects in VC2010 yet, but I believe they still
> generate manifest (if for no other reason than the manifest marks the .exe
> as it should not run have e.g. registry virtualization enabled), it would
> be interesting to see if the manifest contains any dependencies on VC
> DLL's. I don't think so, but it would be a good check.

I have just imported my existing project - complete with directions to MFC9
etc manifest stuff in the resources - like

#ifndef _DEBUG
IDR_DLLMANIFEST RT_MANIFEST "res\\mzw32m.manifest"
#endif

in the RC files. It seems to be ignored (on the machine with Visual Studio
installed).

> BTW, while I like the protection manifests provided, I did indeed spend
> days and even weeks over the years since VC2005 (manifests were introduced
> in VC2005, not VC2008, btw)

Yes, but one never had to find out what they did with VC2005 :-)

> diagnosing problems with manifests containing e.g. dependencies on 2
> versions of mfc80.dll. And it really burned me when MS introduced the ATL
> Security Update thing summer 2009 that broke builds and even releases to
> customers because MS updated Visual Studio redist without telling us. So
> I have been burned and it has cost real money.
>
> But the bottom line is manifests let *you* control which DLL's get loaded
> into your app and *no one* can screw that up, especially Joe Blow and his
> stupid installer that doesn't check that the old DLL's he's stupidly
> copying into c:\windows\system32 are one year older than the ones you
> diligiently supplied with your app!

Yes. But app local is the easy way to avoid Mr Blow :-)

Thanks for an informative post!

Dave

--
David Webber
Mozart Music Software
http://www.mozart.co.uk
For discussion and support see
http://www.mozart.co.uk/mozartists/mailinglist.htm



From: Oliver Regenfelder on
Hello,

Tom Serface wrote:
>
> I think DLL hell is slightly better than Manifest hell, but I guess that
> remains to be seen. They may have been better off just beefing up the
> error message that came up for an out of version runtime (the message
> that popped up was pretty dumb).

Yes it only stated "The software hasn't been installed properly. Please
reinstall to solve the problem" or something along these lines.

But if the manifest was wrong (or missing), reinstaling didn't really help
much.

Best regards,

Oliver
From: Oliver Regenfelder on
Hello,

Liviu wrote:
> Right, and that was my very point. Failing "if they are not there" is an
> unconditional decision forced upon by the "manifest hell", while the
> "dll hell" allows the application some latitude as to how to proceed
> (in most common cases, not counting "borderline exotic" ones such
> as missing exports which prevent the PE from being launched at all).

It was an xml file, so they could have allowed to specify what to do
in case the DLL wasn't found. Like
<allow newer version>yes</allow ...>

So all that could have been made with the manifest. AND they could
have but an error message like

'Version 9.321.3 of the C runtime (blah.dll) required but not found!'

Not just 'Your application wasn't installed properly'.


I think they could have made manifests more usefull.

Best regards,

Oliver