Category: Win故知新

TONT 38363 Why do some processes still show up in Task Manager after they have been terminated?

Original link: https://devblogs.microsoft.com/oldnewthing/20040723-00/?p=38363

When a process ends (either of natural causes or due to something harsher like TerminateProcess), the user-mode part of the process is thrown away. But the kernel-mode part can’t go away until all drivers are finished with the thread, too.

(Translator's note: the TerminateProcess link in the original post is dead; this translation links to the corresponding MSDN article that is currently available.)

For example, if a thread was in the middle of an I/O operation, the kernel signals to the driver responsible for the I/O that the operation should be cancelled. If the driver is well-behaved, it cleans up the bookkeeping for the incomplete I/O and releases the thread.

If the driver is not as well-behaved (or if the hardware that the driver is managing is acting up), it may take a long time for it to clean up the incomplete I/O. During that time, the driver holds that thread (and therefore the process that the thread belongs to) hostage.

(This is a simplification of what actually goes on. Commenter Skywing gave a more precise explanation, for those who like more precise explanations.)

(Translator's note: the link to Skywing's explanation is dead, so we will never know what that expert said that day.)

If you think your problem is a wedged driver, you can drop into the kernel debugger, find the process that is stuck and look at its threads to see why they aren’t exiting. You can use the !irp debugger command to view any pending IRPs to see what device is not completing.

(Translator's note: IRP stands for I/O Request Packet.)

After all the drivers have acknowledged the death of the process, the “meat” of the process finally goes away. All that remains is the “process object”, which lingers until all handles to the process and all the threads in the process have been closed. (You did remember to CloseHandle the handles returned in the PROCESS_INFORMATION structure that you passed to the CreateProcess function, didn’t you?)

(Translator's note: the CloseHandle link in the original post is dead; this translation uses the new link currently on MSDN.)

In other words, if a process hangs around after you’ve terminated it, it’s really dead, but its remnants will remain in the system until all drivers have cleaned up their process bookkeeping, and all open handles to the process have been closed.

TONT 38373 Why can't you trap TerminateProcess?

Original link: https://devblogs.microsoft.com/oldnewthing/20040722-00/?p=38373

If a user fires up Task Manager and clicks “End Task” on your program, Windows first tries to shut down your program nicely, by sending WM_CLOSE messages to GUI programs and CTRL_CLOSE_EVENT events to console programs. But you don’t get a chance to intercept TerminateProcess. Why not?

TerminateProcess is the low-level process killing function. It bypasses DLL_PROCESS_DETACH and anything else in the process. Once you kill with TerminateProcess, no more user-mode code will run in that process. It’s gone. Do not pass go. Do not collect $200.

(Translator's note: the TerminateProcess link in the original post is dead; this translation uses the corresponding new MSDN link. "Do not pass go. Do not collect $200" is the text on the back of the event card in the original Monopoly game that sends another player straight to the jail square; it is used here to stress "forget it, there is no saving this".)

If you could intercept TerminateProcess, then you would be escalating the arms race between programs and users. Suppose you could intercept it. Well, then if you wanted to make your program unkillable, you would just hang in your TerminateProcess handler!

And then people would ask for “a way to kill a process that is refusing to be killed with TerminateProcess,” and we’d be back to where we started.

TONT 38383 Why is the maximum number of monitors under Windows 98 nine?

Original link: https://devblogs.microsoft.com/oldnewthing/20040721-00/?p=38383

Windows 98 was the first version of Windows to support multiple monitors. And the limit was nine.

Why nine?

Because that allowed you to arrange your monitors like this. You have early seventies television to thank.

(Translator's note: that is, a 3×3 array of monitors, similar to the multi-channel preview feature of old high-end television sets.)

TONT 38463 Watch out for those sample URLs

Original link: https://devblogs.microsoft.com/oldnewthing/20040713-00/?p=38463

When writing documentation, one often has need to come up with a sample URL to illustrate some point or other. When you do, make sure the sample URL is under your control.

I remember a Windows beta that used the sample URL http://www.xxxxx.com/ in a dialog box. You can imagine where that actually goes.

This web site uses www.wallyworld.com as a sample URL. Perhaps they didn’t realize that it’s a gay porn site.

(Translator's note: the link to that web site is dead.)

(Raymond’s strange dream story: One night I dreamt that I found a web site that had a complete Dilbert archive, and for some reason the name of the site was “Wally World”. In the morning, I checked out the site and was in for a big surprise…)

So play it safe. When you need a sample URL, don’t just make something up. If you do, odds are good that somebody is going to rush in and register it. Make your sample URLs point back to your company’s home page, or use http://www.example.com, which the IANA has reserved for use in sample URLs. If that’s too dorky, you can always go out and register the domain you want to use as your sample, so that nobody else can sneak in and steal it. (This does have the problem of incurring renewal fees.)
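A documentation check that applies this advice, as an added example (not part of the original post): it flags every sample URL whose host is neither in a reserved example namespace nor under a domain you control. The `OWNED` set is an assumption for illustration, the reserved names beyond example.com come from RFC 2606, and the sample text is constructed around the two URLs mentioned above.

```python
import re
from urllib.parse import urlsplit

# Second-level domains and TLDs reserved for documentation (RFC 2606).
RESERVED_DOMAINS = {"example.com", "example.net", "example.org"}
RESERVED_TLDS = {"test", "example", "invalid", "localhost"}
# Assumption: domains the documenting organisation controls.
OWNED = {"microsoft.com"}

URL_RE = re.compile(r"(?:https?://|www\.)[^\s\"'<>)]+", re.IGNORECASE)

def host_of(url):
    """Return the lower-cased host of a URL; bare 'www.' forms get a scheme."""
    url = url.rstrip(".,;:")          # drop sentence punctuation
    if not url.lower().startswith(("http://", "https://")):
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()

def is_safe_host(host, owned=OWNED):
    """True if the host is reserved for examples or under an owned domain."""
    if host.rsplit(".", 1)[-1] in RESERVED_TLDS:
        return True
    for domain in RESERVED_DOMAINS | set(owned):
        if host == domain or host.endswith("." + domain):
            return True
    return False

def audit_sample_urls(text, owned=OWNED):
    """Return hosts of URLs in text that someone else could own or register."""
    flagged = []
    for match in URL_RE.finditer(text):
        host = host_of(match.group(0))
        if host and not is_safe_host(host, owned):
            flagged.append(host)
    return flagged

# Constructed documentation snippet for the demonstration.
SAMPLE_DOC = """Type an address such as http://www.xxxxx.com/ in the box.
See www.wallyworld.com for a demo, or http://www.example.com.
Support: https://support.microsoft.com/help and http://intranet.test/start"""

if __name__ == "__main__":
    for host in audit_sample_urls(SAMPLE_DOC):
        print("sample URL outside your control:", host)
```

Run as a pre-publication or CI check, a non-empty result means a sample URL needs to be replaced or its domain registered.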

TONT 38493 How does Add/Remove Programs get information such as an application's size?

Original link: https://devblogs.microsoft.com/oldnewthing/20040709-00/?p=38493

If the program doesn’t provide this information itself, Add/Remove Programs is forced to guess.

The problem is that there is no “obvious” way to map an entry in the Add/Remove Programs list to an actual program. Each entry in the list, for those who care about such things, comes from the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall registry key. The only mandatory properties for an uninstallable program are the DisplayName and the UninstallPath. Everything else is optional.

Let’s suppose Add/Remove Programs is given a program registration like this:

HKEY_LOCAL_MACHINE\
 Software\
  Microsoft\
   Windows\
    CurrentVersion\
     Uninstall\
      SomeProgram
       DisplayName=REG_SZ:"Awesome Program for Windows"
       UninstallPath=REG_SZ:"C:\WINDOWS\uninstall.exe -SomeParameters"

In order to get the “Last Used” and “Frequency” values, Add/Remove Programs needs to know the name of the EXE so it can ask the Start menu “Hey, how often did the user run this program, and when was the last time it happened?”

Notice that there are no clues in the registration above as to the identity of this EXE file.

So Add/Remove Programs starts guessing. It goes through all the programs on your Start menu and compares their names with the display name of the uninstallable item. It looks for Start menu items which share at least two words with the words in the DisplayName.

For example, if there were a Start menu item called “Pretty Decent Windows Program”, this would count as a two-word match (“Windows” and “Program”).

(Translator's note: the DisplayName in the earlier example is "Awesome Program for Windows".)

It then takes the one with the most matches and decides, “Okay, I guess this is it.” Suppose for the sake of illustration that the best match is indeed “Pretty Decent Windows Program.lnk”, which is a shortcut to “C:\Program Files\LitWare\Decent Program\Decent.exe”. Add/Remove Programs would decide that “Awesome Program for Windows” should get the icon for “Pretty Decent Windows Program.lnk”, that the frequency of use and most-recently-used information for “C:\Program Files\LitWare\Decent Program\Decent.exe” will be displayed for “Awesome Program for Windows”.

But wait, there’s more. There’s also the program size. Add/Remove Programs looks in your “Program Files” directory for directories whose names share at least two words in common with the DisplayName. The best match is assumed to be the directory that the program files are installed into. The sizes are added together and reported as the size of “Awesome Program for Windows”.

A program can add some properties to its registration to avoid a lot of this guessing. It can set an EstimatedSize property to avoid making Add/Remove Programs guess how big the program is. It can also set a DisplayIcon property to specify which icon to show for the program in the list.

But if a program omits all of these hints, the guess that Add/Remove Programs ends up making can often be ridiculously wide of the mark due to coincidental word matches. In my experience, Spanish suffers particularly badly from this algorithm, due to that language’s heavy use of prepositions and articles (which result in a lot of false matches).
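The guessing rule described above, modelled as an added example (not Windows' actual code and not part of the original post): a candidate needs at least two words in common with the DisplayName, and the candidate with the most shared words wins. Tie-breaking (first seen wins), the tokenisation, and the Spanish names are assumptions constructed for illustration.

```python
import re

# Optional registration values the post names as ways to avoid guessing.
HINTS = ("EstimatedSize", "DisplayIcon")

def words(name):
    """Lower-cased set of words in a name, ignoring a trailing .lnk."""
    name = re.sub(r"\.lnk$", "", name, flags=re.IGNORECASE)
    return set(re.findall(r"\w+", name.lower()))

def guess_match(display_name, candidates, min_shared=2):
    """Return (best_candidate, shared_words), or (None, set()) if no
    candidate shares at least min_shared words with display_name."""
    target = words(display_name)
    best, best_shared = None, set()
    for cand in candidates:
        shared = target & words(cand)
        if len(shared) >= min_shared and len(shared) > len(best_shared):
            best, best_shared = cand, shared
    return best, best_shared

def missing_hints(registration):
    """Hints absent from a registration, i.e. what would be guessed."""
    return [h for h in HINTS if h not in registration]

# Registration from the post; Start menu contents are constructed.
REGISTRATION = {
    "DisplayName": "Awesome Program for Windows",
    "UninstallPath": r"C:\WINDOWS\uninstall.exe -SomeParameters",
}
START_MENU = ["Notepad.lnk", "Windows Media Player.lnk",
              "Pretty Decent Windows Program.lnk"]

# Constructed Spanish case: articles and prepositions alone give three
# shared words, so an unrelated shortcut beats the program's own.
SPANISH_NAME = "Editor de Fotos para el Hogar"
SPANISH_MENU = ["FotoEdit.lnk", "Juegos de Cartas para el Verano.lnk"]

if __name__ == "__main__":
    print(missing_hints(REGISTRATION))
    print(guess_match(REGISTRATION["DisplayName"], START_MENU))
    print(guess_match(SPANISH_NAME, SPANISH_MENU))
```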

Yes, this is all lame, but when you are forced to operate with inadequate information, lame is the best you can do.

[July 15 2004: Emphasizing that this is done only if the program fails to provide the information itself. For some reason, a lot of people who link to this page fail to notice that little detail.]
