Wednesday, October 1, 2014

Winner - Microsoft Most Valuable Professional, Windows Expert-IT Pro

Hey cats, your friendly neighborhood spider IT-man, was awarded Microsoft Most Valuable Professional in the area of Windows Expert-IT Pro today! 

I was 1 of 1031 pros out of pool of ~100M techs, awarded an MVP world wide today. Official press release here

                      MVP Program details here.

Wednesday, September 3, 2014

iStopCloud App - Stop nude photos syncing to the iCloud

Get the only application that will Stop iCloud-Hacking of Naked Photos of Yourself from your Windows desktop 

Prevent the iCloud hack that leaked nude photos of top celebrities including Kate Upton, Jennifer Lawrence, Kaley Cuoco, Leaha Michelle and Selena Gomez, to name a few using iStopCloud (

Easily start and stop iCloud programs and services.
Get iStopCloud App @

Get iStopCloud App @

Friday, July 11, 2014

Complex Math Calculator with Seperate Measurement/Units Conversion Tool

    Microsoft Mathematics provides a set of mathematical tools that help students get school work done quickly and easily. With Microsoft Mathematics, students can learn to solve equations step-by-step while gaining a better understanding of fundamental concepts in pre-algebra, algebra (matrix math), trigonometry, physics, chemistry, and calculus. Any college or university student will find this calculator extremely helpful.

    You can download this amazing tool for free from Microsoft here.

    Bonus tools, include a handy unit converter, which may seem redundant given online calculators, but if you pin this (C:\Program Files\Microsoft Mathematics\ConversionTool.exe) to Start, you'll know it's accurate and virus free. 

    The Formulas and Equations yields a plethora of equations and constants. 

Thursday, July 10, 2014

Stuck Keyboard Tester - Windows Volume Keeps increasing or decreasing

Recently,  I came across a whole slew of issues in regards to Windows Volume that seems stuck and constantly increases or decrease on start-up. I could not find a good solution to confirm this so I built some apps to help.

1. Keyboard and Mouse State Tester, which will interrogate the current key you hold down and press Check Now button with.

Keyboard and Mouse State Tester.7z download, unzip ( and right-click runas Administrator. No install required. Requires .NET 4.0
Zip contains MouseKeyboardStateTest.exe. There is no bloatware, viruses or malware in this app.

Please donate a coffee!

2.Stuck Keyboard Tester, will display the current key pressed. The text box should be blank, until you press a key. The unique feature of this app, stuck key will appear and be counted.

Stuck Keyboard Tester.7z download, unzip ( and right-click runas Administrator. No install required. Requires .NET 4.0
Zip contains StuckKeyboardTest.exe. There is no bloatware, viruses or malware in this app.

Metadata Consulting Software Purchase request password to unlock.

Enter password

Monday, June 23, 2014

Determining if a file is an executable (.exe) pro-grammatically.

Ever look at hex dump of a exe file and wonder why it starts with MZ?

ffset:0(0x0)  size:131072( 0x20000 ) dump by 
00000000:  4d 5a 90 00 03 00 00 00  04 00 00 00 ff ff 00 00  |MZ..............|
00000010:  b8 00 00 00 00 00 00 00  40 00 00 00 00 00 00 00  |........@.......|
00000020:  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000030:  00 00 00 00 00 00 00 00  00 00 00 00 e8 00 00 00  |................|
00000040:  0e 1f ba 0e 00 b4 09 cd  21 b8 01 4c cd 21 54 68  |........!..L.!Th|
00000050:  69 73 20 70 72 6f 67 72  61 6d 20 63 61 6e 6e 6f  |is program canno|
00000060:  74 20 62 65 20 72 75 6e  20 69 6e 20 44 4f 53 20  |t be run in DOS |
00000070:  6d 6f 64 65 2e 0d 0d 0a  24 00 00 00 00 00 00 00  |mode....$.......|

Well here's you trivial fact of the day...

In ASCII representation, 0x5A4D is MZ, the initials of Mark Zbikowski, one of the original architects of MS-DOS.

And guess what this is how we determine if this file is an executable, we just check for MZ at the beginning of it.

Why would you do this, well if you create a firewall rule to scan zip files you might want to scan if contains renamed zip files, by checking the "MZ"-ness.

 Here's the code

IMAGE_FILE_MACHINE extensive machine type enum list

A modest enumeration list of Machine Types with better descriptions. This came from my search to be able to determine an application architecture build type of a file. See Determining if App Executable is 32-bit or 64-bit discussion and code here.

  1. //
  2. //OVERLOADED _AMD64 = 0x8664,  seems to mean x64 app,
              OR _EMT64 
    = 0x8664, named IA-32e (later renamed EM64T, 
  3. then yet again renamed to Intel 64 by Intel to stave of AMD)       
  4. //            _I386 = 0x14c,           means x32 app
  5. public enum MachineType : ushort
  6. {
  7.    IMAGE_FILE_MACHINE_UNKNOWN = 0x0,        
  8.    IMAGE_FILE_MACHINE_ALPHA = 0x184,       //Digital Equipment Corporation (DEC) Alpha (32-bit)
  9.    IMAGE_FILE_MACHINE_AM33 = 0x1d3,        //Matsushita AM33, now MN103 (32-bit) part of Panasonic Corporation
  10.    IMAGE_FILE_MACHINE_AMD64 = 0x8664,      //AMD (64-bit) - Advanced Micro Devices oR IS IT ??? OVERLOADED _AMD64 = 0x8664 -  
  11.    IMAGE_FILE_MACHINE_ARM = 0x1c0,         //ARM little endian (32-bit), ARM Holdings, later versions 6+ used in iPhone, Microsoft Nokia N900
  12.    IMAGE_FILE_MACHINE_ARMV7 = 0x1c4,       //ARMv7 or IMAGE_FILE_MACHINE_ARMNT (or higher) Thumb mode only (32 bit).
  13.    IMAGE_FILE_MACHINE_ARM64 = 0xaa64,      //ARM8+ (64-bit)
  14.    IMAGE_FILE_MACHINE_EBC = 0xebc,         //EFI byte code (32-bit), now (U)EFI or (Unified) Extensible Firmware Interface
  15.    IMAGE_FILE_MACHINE_I386 = 0x14c,        //Intel 386 or later processors and compatible processors (32-bit)
  16.    IMAGE_FILE_MACHINE_I860 = 0x14d,        //Intel i860 (aka 80860) (32-bit) was a RISC microprocessor design introduced by Intel in 1989, this was depricated in 90's
  17.    IMAGE_FILE_MACHINE_IA64 = 0x200,        //Intel Itanium architecture processor family, (64-bit)
  18.    IMAGE_FILE_MACHINE_M68K = 0x268,        //Motorola 68000 Series (32-bit) CISC microprocessors
  19.    IMAGE_FILE_MACHINE_M32R = 0x9041,       //Mitsubishi M32R little endian (32-bit) now owned by Renesas Electronics Corporation
  20.    IMAGE_FILE_MACHINE_MIPS16 = 0x266,      //MIPS16 (16-bit instruction codes, 8to32bit bus)- Microprocessor without Interlocked Pipeline Stages Architecture
  21.    IMAGE_FILE_MACHINE_MIPSFPU = 0x366,     //MIPS with FPU, MIPS Technologies (32-bit)
  22.    IMAGE_FILE_MACHINE_MIPSFPU16 = 0x466,   //MIPS16 with FPU (Floating Point Unit aka a math co-processesor)(16-bit instruction codes, 8to32bit bus)
  23.    IMAGE_FILE_MACHINE_POWERPC = 0x1f0,     //Power PC little endian, Performance Optimization With Enhanced RISC – Performance Computing (32-bit) one of the first
  24.    IMAGE_FILE_MACHINE_POWERPCFP = 0x1f1,   //Power PC with floating point support (FPU) (32-bit), designed by AIM Alliance (Apple, IBM, and Motorola)
  25.    IMAGE_FILE_MACHINE_POWERPCBE = 0x01F2,  //Power PC Big Endian (64?-bits)
  26.    IMAGE_FILE_MACHINE_R3000 = 0x0162,      //R3000 (32-bit) RISC processor
  27.    IMAGE_FILE_MACHINE_R4000 = 0x166,       //R4000 MIPS (64-bit) - claims to be first true 64-bit processor
  28.    IMAGE_FILE_MACHINE_R10000 = 0x0168,     //R10000 MIPS IV is a (64-bit) architecture, but the R10000 did not implement the entire physical or virtual address to reduce cost. Instead, it has a 40-bit physical address and a 44-bit virtual address, thus it is capable of addressing 1 TB of physical memory and 16 TB of virtual memory. These comments by
  29.    IMAGE_FILE_MACHINE_SH3 = 0x1a2,         //Hitachi SH-3 (32-bit) - SuperH processor (SH3) core family
  30.    IMAGE_FILE_MACHINE_SH3DSP = 0x1a3,      //Hitachi SH-3 DSP (32-bit)
  31.    IMAGE_FILE_MACHINE_SH4 = 0x1a6,         //Hitachi SH-4 (32-bit)
  32.    IMAGE_FILE_MACHINE_SH5 = 0x1a8,         //Hitachi SH-5, (64-bit) core with a 128-bit vector FPU (64 32-bit registers) and an integer unit which includes the SIMD support and 63 64-bit registers.
  33.    IMAGE_FILE_MACHINE_TRICORE = 0x0520,    //Infineon AUDO (Automotive unified processor) (32-bit) - Tricore architecture a unified RISC/MCU/DSP microcontroller core
  34.    IMAGE_FILE_MACHINE_THUMB = 0x1c2,       //ARM or Thumb (interworking), (32-bit) core instruction set, used in Nintendo Gameboy Advance
  35.    IMAGE_FILE_MACHINE_WCEMIPSV2 = 0x169,   //MIPS Windows Compact Edition v2
  36.    IMAGE_FILE_MACHINE_ALPHA64 = 0x284      //DEC Alpha AXP (64-bit) or IMAGE_FILE_MACHINE_AXP64
  37. }

Determining if App Executable is 32-bit or 64-bit

Need to find out if your application executable is 32-bit or 64-bit reliably pro-grammatically in C#

My first attempt was to use the GetBinaryType() - using DLL Import
but reading comment in the MSDN Library reference indicates it is not reliable solution. 

So how can we examine a file to determine "bitness"? 

Again we head back to the source in a issue of February 2002 issue of MSDN Magazine "
Win32 Portable Executable File Format"

The format of an operating system's executable file is in many ways a mirror of the operating system. Although studying an executable file format isn't usually high on most programmers' list of things to do, a great deal of knowledge can be gleaned this way. In this article, I'll give a tour of the Portable Executable (PE) file format that Microsoft has designed for use by all their Win32®-based systems: Windows NT®, Win32s™, and Windows® 95. 

PE File Structure

      Now let's dig into the actual format of PE files. I'll start from the beginning of the file, and describe the data structures that are present in every PE file. Afterwards, I'll describe the more specialized data structures (such as imports or resources) that reside within a PE's sections. All of the data structures that I'll discuss below are defined in WINNT.H, unless otherwise noted.
      In many cases, there are matching 32 and 64-bit data structures—for example, IMAGE_NT_HEADERS32 and IMAGE_NT_HEADERS64.


      The IMAGE_NT_HEADERS structure is the primary location where specifics of the PE file are stored. Its offset is given by the e_lfanew field in the IMAGE_DOS_HEADER at the beginning of the file. There are actually two versions of the IMAGE_NT_HEADER structure, one for 32-bit executables and the other for 64-bit versions. The differences are so minor that I'll consider them to be the same for the purposes of this discussion. The only correct, Microsoft-approved way of differentiating between the two formats is via the value of the Magic field in the IMAGE_OPTIONAL_HEADER (described shortly).

An IMAGE_NT_HEADER is comprised of three fields:

 typedef struct _IMAGE_NT_HEADERS {
      DWORD Signature;
     IMAGE_FILE_HEADER FileHeader;
     IMAGE_OPTIONAL_HEADER32 OptionalHeader;

In a valid PE file, the Signature field is set to the value 0x00004550, which in ASCII is "PE00". A #define, IMAGE_NT_SIGNATURE, is defined for this value. The second field, a struct of type IMAGE_FILE_HEADER, predates PE files.

The PE File IMAGE_FILE_HEADER referenced in the above article as Figure 3 is quoted below. 

Figure 3
Meaning or Bitness
The target CPU for this executable. Common values are:
IMAGE_FILE_MACHINE_I386    0x014c // Intel 386
IMAGE_FILE_MACHINE_IA64    0x0200 // Intel 64

x86 (32-bit)
x64 (64-bit)

And this seems great we have found a way to distinguish x32 or x64 files. 

BUT, Accroding to MSDN Windows Dev Center documentation we have conflicting values.
Constant Hex Value Meaning


Intel Itanium


IMAGE_FILE_MACHINE_AMD64  is not Advanced Micro Devices (64-bit) processor indication, 
but correctly will give us where or not a dll or exe is 64-bit or it's "bitness".

Now coding this in C# we have  

using System;
using System.IO; 

public enum MachineType {Unknown = 0, 
                          x86 = 0x014c, 
                          i64 = 0x0200, 
                          x64 = 0x8664 }  

public string GetAppCompiledMachineType(string fileName)
            const int PE_POINTER_OFFSET = 60;            
            const int MACHINE_OFFSET = 4;
            byte[] data = new byte[4096];

            using (Stream s = new FileStream(fileName, FileMode.Open, FileAccess.Read)) {
                s.Read(data, 0, 4096);

            // dos header is 64 bytes, last element, long (4 bytes) is the address of the PE header
            int PE_HEADER_ADDR = BitConverter.ToInt32(data, PE_POINTER_OFFSET);
            int machineUint = BitConverter.ToUInt16(data, PE_HEADER_ADDR + MACHINE_OFFSET);
            return ((MachineType)machineUint).ToString();

Using the above code yields the proper results. I have tried this on numerous known 64-bit apps and it works properly, x64 is returned for 64-bit apps.