RealPlayer/RealDownloader poses as Firefox running on 64-bit Linux and sends HEAD and GET requests

I recently noticed some strange HTTP logs where a resource would be requested twice with two different User-Agent headers. In one case, the first request suggested the client was running Chrome on Windows, while the second request indicated that it was coming from Firefox on Linux. This didn’t make a lot of sense, so I did some digging.

The culprit turns out to be RealPlayer (and previously RealDownloader, a separate application that now seems to be abandoned). RealPlayer places an overlay over supported browsers (Internet Explorer, Firefox and Chrome and possibly others) that allows the user to save videos from web pages. It doesn’t seem to be a browser plugin as such – it runs in its own process and sends HTTP requests independently of the browser.

RealPlayer browser overlay

The software just happens to set the User-Agent header to something like Firefox running on 64-bit Linux. I sacrificed a virtual machine and installed all manner of RealPlayer software to try and reproduce this behaviour, and the latest version sends requests like the following:

My browser’s actual User-Agent header is:

Based on this blog post and this Yahoo! Answers question, the following User-Agent header was used by an earlier version of the software:

The Gecko build date and Firefox version number (but not the ‘rv’ token!) have been bumped up, but everything else (including the weird trailing ‘Chrome’ identifier) is the same.
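The pattern described above can be picked out of access logs. The following is an added example, not code from the original post: it flags a client IP that fetches the same resource under two different claimed platforms within a short window, and notes the inconsistencies the post mentions (an ‘rv’ token that disagrees with the Firefox version, and a trailing ‘Chrome’ token on a Firefox string). The log records, both User-Agent strings and all function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed records: (client IP, epoch seconds, method, path, User-Agent).
# ODD_UA is made up to fit the post's description; it is not the real RealPlayer string.
BROWSER_UA = ("Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36")
ODD_UA = "Mozilla/5.0 (X11; Linux x86_64; rv:10.0) Gecko/20150101 Firefox/20.0 (Chrome)"
SAMPLE = [
    ("203.0.113.7", 1000, "GET", "/media/clip.mp4", BROWSER_UA),
    ("203.0.113.7", 1002, "HEAD", "/media/clip.mp4", ODD_UA),
    ("203.0.113.7", 1003, "GET", "/media/clip.mp4", ODD_UA),
    ("198.51.100.9", 1005, "GET", "/media/clip.mp4", BROWSER_UA),
]

def platform_of(ua):
    """Coarse OS family claimed by a User-Agent string."""
    for name, token in (("windows", "Windows NT"), ("mac", "Mac OS X"), ("linux", "Linux")):
        if token in ua:
            return name
    return "other"

def ua_oddities(ua):
    """Internal inconsistencies of the kind the post points out."""
    flags = []
    rv = re.search(r"rv:(\d+)", ua)
    fx = re.search(r"Firefox/(\d+)", ua)
    if rv and fx and rv.group(1) != fx.group(1):
        flags.append("rv-token-differs-from-firefox-version")
    if fx and re.search(r"\(?Chrome\)?\s*$", ua):
        flags.append("trailing-chrome-token-on-firefox-ua")
    return flags

def dual_agent_requests(records, window=10):
    """(ip, path) pairs fetched under two claimed platforms within `window` seconds."""
    seen = defaultdict(list)
    for ip, ts, method, path, ua in records:
        seen[(ip, path)].append((ts, method, ua))
    hits = []
    for key, reqs in seen.items():
        reqs.sort()
        for i, (ts_a, _, ua_a) in enumerate(reqs):
            for ts_b, method_b, ua_b in reqs[i + 1:]:
                if ts_b - ts_a > window:
                    break
                if platform_of(ua_a) != platform_of(ua_b):
                    hits.append((key, method_b, ua_oddities(ua_b)))
    return hits

if __name__ == "__main__":
    for hit in dual_agent_requests(SAMPLE):
        print(hit)
```

Treat the ‘rv’ mismatch as a hint rather than a verdict: Firefox 110 to 119 froze the ‘rv’ token at 109.0, and clients behind a shared NAT address can legitimately request the same resource from different platforms.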

Code samples on GitHub

I’ve put the code samples featured on this blog over the years on GitHub:

Fix Visual Studio 2013 Start Menu shortcuts

Click here to see this bug on Connect.

Visual Studio 2013 configures Start Menu shortcuts differently to earlier versions. Specifically, it adds a shortcut to ‘Visual Studio Tools’ (%PROGRAMFILES(X86)%\Microsoft Visual Studio 12.0\Common7\Tools\Shortcuts), where Visual Studio 2012 added a directory called ‘Visual Studio Tools’ and added copies of the shortcuts. This is all a bit confusing, but the end result is that searching in the Start Menu/Screen won’t bring up results for useful things like the Developer Command Prompt or Spy++.

This annoyed me sufficiently that I wrote a PowerShell script (run it as administrator) to restore the shortcut directory:

The Visual Studio Shortcuts directory doesn’t contain shortcuts to Spy++ (and a number of other programs). Here’s another script to restore shortcuts to Spy++:

ResEdit doesn't work with the Windows SDK 8.0 and above (use 7.1 or below)

ResEdit is a nice resource file editor for Windows programs. Regrettably, it has some issues with the latest versions of the Windows SDK (8.0 and 8.1) – it’s possible to create a resource script (.rc) file, but you won’t be able to open it again later. Even if %PROGRAMFILES(x86)%\Windows Kits\8.1\Include is set as an include path, symbols like VOS_NT_WINDOWS32 (defined in verrsrc.h) won’t be resolved and you’ll get ‘undeclared identifier’ errors if your resource script contains them.

Use an earlier version of the Windows SDK (like 7.1) and ResEdit has no problem reading the header files.

For reference, I’m successfully using the following include paths:
%PROGRAMFILES(x86)%\Microsoft SDKs\Windows\v7.1A\Include
%PROGRAMFILES(x86)%\Microsoft Visual Studio 12.0\VC\include

It’s not just me experiencing this issue:
‘ResEdit started to be Annoying’ (January 2012)
‘Resedit Problem’ (June 2014)

Html.AntiForgeryToken() sets an X-Frame-Options header with the value 'SAMEORIGIN'

I recently migrated a project from ASP.NET MVC 4 to MVC 5 and the process went quite smoothly, except that all of a sudden my webpages were being returned with the X-Frame-Options header set with the value ‘SAMEORIGIN’. This is actually a reasonable default as it helps mitigate the risk of clickjacking. The website in question, however, is designed to run in an iFrame, and this header immediately caused issues.

After a fruitless search of all my code in Visual Studio for ‘X-Frame-Options’ and ‘SAMEORIGIN’, I decided to try Windows Grep as a last resort, and it found that ‘SAMEORIGIN’ was present in System.Web.WebPages.dll. Thanks to Microsoft making ASP.NET MVC open source, I was able to find the relevant code quite easily on GitHub; it turns out that the AntiForgeryWorker class adds the header when you call Html.AntiForgeryToken() as of August this year. Even better, there’s an easy way to prevent this behaviour: set the static property AntiForgeryConfig.SuppressXFrameOptionsHeader to true (I’ve done this in my Application_Start() method). MSDN didn’t even document this property yet, so I’m lucky to have found it. Two other bloggers have written about this in English and Japanese.

Enabling the compatibility property sheet for (almost) all programs in Windows 8/8.1

Windows 8 and 8.1 hide the compatibility property sheet for certain programs (namely programs included with Windows, like Notepad, and those on a whitelist of programs known to run correctly on Windows 8/8.1 – defined in %WinDir%\apppatch\pcamain.sdb). In some cases, one can still run the ‘troubleshoot compatibility’ wizard by right-clicking on the file, which just presents compatibility settings in a novice-friendly, poweruser-unfriendly way.

The compatibility property sheet and context menu are defined in acppage.dll. By patching this DLL, we can enable the compatibility property sheet for (almost) all programs, including programs like Notepad and those whitelisted in pcamain.sdb.

Patching Windows system DLL files is probably a bad idea, and I take no responsibility if your computer explodes after you take the following steps.

I’ll write a tool to automate this process at some point, but for now, here are the manual steps if you’re feeling adventurous:

  1. Make a backup of acppage.dll from %WinDir%\System32
  2. Take ownership of acppage.dll in %WinDir%\System32:
  3. Grant administrator users full control over acppage.dll:
  4. Using your favourite hex editor (I like XVI32), overwrite the two bytes at the relevant address with 0x31 0xC0:

    • Windows 8.1 64-bit: 5A92 (the original bytes should be 0x8B 0xC7)
    • Windows 8.1 32-bit: 4B26 (the original bytes should be 0x8B 0xC6)
    • Windows 8 64-bit: 4DBB (the original bytes should be 0x8B 0xC3)
    • Windows 8 32-bit: 3D44 (the original bytes should be 0x8B 0xC6)

    Warning: If the existing bytes don’t match with what I’ve written above, don’t overwrite them! The addresses change with patches to Windows. The above addresses were current as of 2013-09-04.

  5. Restart explorer.exe

Voilà – the compatibility property sheet will appear for most programs now (I’ve noticed that it doesn’t show up for File Explorer):

Screenshot of Notepad.exe and the Compatibility property sheet

How does this actually work?

These two bytes are in the CLayerUIPropPage::Initialize function – this basically does a bunch of checks to determine whether the property sheet should be displayed or not. The original code (0x8B …) sets the return value (the EAX register) to the result of these checks – a non-zero result means the sheet won’t be displayed. We modify the function to always return 0 by using the instruction xor eax, eax (0x31 0xC0).
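The check in the warning above (never overwrite bytes that do not match) can be enforced in code rather than by eye. The following is an added example, not the author's promised tool: it decodes the two-byte instructions involved and writes the replacement only when the bytes at the listed offset match the post. It assumes the addresses in the post are file offsets, as a hex editor shows them; the function names are hypothetical.

```python
import shutil
from pathlib import Path

# Offsets and original bytes exactly as listed in the post (current as of 2013-09-04).
KNOWN_BUILDS = {
    "Windows 8.1 64-bit": (0x5A92, bytes([0x8B, 0xC7])),
    "Windows 8.1 32-bit": (0x4B26, bytes([0x8B, 0xC6])),
    "Windows 8 64-bit":   (0x4DBB, bytes([0x8B, 0xC3])),
    "Windows 8 32-bit":   (0x3D44, bytes([0x8B, 0xC6])),
}
XOR_EAX_EAX = bytes([0x31, 0xC0])
REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

def decode_reg_reg(code):
    """Decode the two-byte register-to-register forms used here (ModRM mod == 11)."""
    opcode, modrm = code
    if modrm >> 6 != 0b11:
        raise ValueError("not a register-to-register form")
    reg, rm = REG32[(modrm >> 3) & 7], REG32[modrm & 7]
    if opcode == 0x8B:   # MOV r32, r/m32
        return f"mov {reg}, {rm}"
    if opcode == 0x31:   # XOR r/m32, r32
        return f"xor {rm}, {reg}"
    raise ValueError("opcode not handled by this sketch")

def patch_if_original(path, build, backup_suffix=".bak"):
    """Write xor eax, eax only when the bytes at the listed offset match the post."""
    offset, expected = KNOWN_BUILDS[build]
    path = Path(path)
    data = path.read_bytes()
    found = data[offset:offset + 2]
    if found == XOR_EAX_EAX:
        return "already patched"
    if found != expected:
        raise ValueError(f"unexpected bytes {found.hex()} at {offset:#x}; not patching")
    shutil.copy2(path, path.with_name(path.name + backup_suffix))  # step 1: backup
    path.write_bytes(data[:offset] + XOR_EAX_EAX + data[offset + 2:])
    return "patched"

if __name__ == "__main__":
    for build, (offset, original) in KNOWN_BUILDS.items():
        print(f"{build}: {offset:#x} {decode_reg_reg(original)} -> {decode_reg_reg(XOR_EAX_EAX)}")
```

Decoding the listed bytes shows the original instruction copies the check result from a different register on each build (edi, esi or ebx) into eax, which is why the second byte varies while the replacement is always the same.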

Short: Google Analytics doesn't support Windows Phone apps – pretend your app is a website, instead

Using Google Analytics in a Windows Phone 7+ app is really simple. There’s a small hurdle, however, in that Google Analytics doesn’t support Windows Phone, and if your property is configured as an ‘App’, you won’t be able to track any data. The solution is to configure your property as a ‘Web Site’ when you create it. You’ll miss out on niceties like screen tracking, but it’s possible to use events to record similar data.

Short: The Windows Phone Toolkit ContextMenu control's Foreground property does nothing

While the ContextMenu control in the Windows Phone Toolkit has a Foreground property, setting it has no effect, as it’s not used in the default control template (unlike the Background and BorderBrush properties, which work as expected). To change the text colour in a ContextMenu, set the Foreground property of MenuItems individually.

Keiki Usage Meter Version 3.2.1 Released

Tonight I released Keiki Usage Meter Version 3.2.1. This release was prompted by Optus changing some things on their end that stopped the Optus Broadband (Legacy) plugin from working. There are some changes to the way tooltips, buttons, group boxes, combo boxes, radio buttons and check boxes are rendered, but nothing particularly noteworthy.

I also published some (sparse) documentation on developing plugins. I’d be happy to publish third-party plugins on my website at some stage.