#300530 - 12/07/2007 20:26
Avoid WinDSX like the plague
|
carpal tunnel
Registered: 25/12/2000
Posts: 16706
Loc: Raleigh, NC US
|
My office recently moved to a new building and we had a security system installed. It turns out that the software interface to this system is called WinDSX, and it is one of the worst pieces of software I've ever seen.
The most notable way I came to this conclusion is that I wanted to move the "Communications Server" application, which was running on a standalone computer, to be a service on an existing server. All this program does is collect data from the security system itself and allow the client program access to this data. In fact, by default, this program does not have any user interface. You can run it with a "-visible" flag and it will show a basic window that simply shows a text log of system activity (badges read, etc.) and nothing else besides a File->Exit menu item. So it seemed like it should be trivial to get it to run as a service with instsrv and srvany. Except it's not.
It turns out that they specifically designed the application so that it could not be run as a service. At least that's what they tell me. My guess is that they in fact have no idea what they're doing, so they turned their bug that they didn't know how to fix into a feature. Of course, since this means that you have to log in to run this server application, it makes the computer running it virtually unusable for anything else. (One of the people I spoke to said something along the lines of "how can you be using a computer if you're not logged into it?".)
Then another excuse they gave me is that I wouldn't want to run it as a service concurrently on another computer anyway because "the program will consume about 80% of the available CPU cycles regardless of the speed of the PC." I will point out that while my observed CPU consumption was only about 50%, the security system is only controlling about four doors and a dozen sensors. And the security system is independent of this server. It's its own dedicated system; the software is used solely for monitoring and configuration, and there was no activity on the system. And just to make sure, I looked at the network utilization (all of the communication between the software and the security system is over the network) and it was pretty consistent at just under 4kBps, a large portion of which is bound to be normal Windows chattiness.
They also told me that it was a security concern. Apparently it's more secure for me to have to log into the computer and let it run logged in all the time than for it to run as a service. And, if I want to make sure that it starts on boot, I have to get Windows to autologin, which is so secure. They should really tell all the other software designers out there about their new security findings. It will change the face of network services forever.
And you say, well, at least you can segregate the computer from the Windows Domain. That will help with security a little. As it turns out, no. Because in addition to the network service, I also have to use Windows Networking to share the database files to the computers that will be accessing the service. Which would imply to me that the service isn't even servicing the clients more than coordinating concurrency as they write directly to the shared database files.
The biggest problem, though, is that they claim that these things are designed this way. They intended to soak the CPU. They intended to prevent me from running it as a service at all costs. Hell, the client application has no Windows buttons, no minimize, no maximize, not even close.
So, the moral of this story is: if you are ever party to selecting a security system, ask the vendor what software they use. If it's WinDSX, run. Run and don't stop.
_________________________
Bitt Faulk
|
Top
|
|
|
|
#300531 - 12/07/2007 20:53
Re: Avoid WinDSX like the plague
[Re: wfaulk]
|
pooh-bah
Registered: 12/02/2002
Posts: 2298
Loc: Berkeley, California
|
Have you tried putting an amperstand after the executable name and adding it to your rc.local file?
Matthew
|
Top
|
|
|
|
#300532 - 12/07/2007 21:30
Re: Avoid WinDSX like the plague
[Re: matthew_k]
|
carpal tunnel
Registered: 25/12/2000
Posts: 16706
Loc: Raleigh, NC US
|
I didn't think that I needed to point out that it was a Windows application.
_________________________
Bitt Faulk
|
Top
|
|
|
|
#300533 - 12/07/2007 21:36
Re: Avoid WinDSX like the plague
[Re: wfaulk]
|
pooh-bah
Registered: 12/02/2002
Posts: 2298
Loc: Berkeley, California
|
No, you didn't, I understand your frustration completely... I was just pointing out how a real operating system might deal with the problem.
Matthew
|
Top
|
|
|
|
#300534 - 12/07/2007 21:37
Re: Avoid WinDSX like the plague
[Re: wfaulk]
|
carpal tunnel
Registered: 20/12/1999
Posts: 31597
Loc: Seattle, WA
|
In the past, I've had good luck using FireDaemon to run programs as a service that weren't designed for that purpose. I agree that they simply don't know what they're doing in terms of windows programming and windows security. But if you're stuck using their product, FireDaemon can help.
|
Top
|
|
|
|
#300535 - 12/07/2007 21:37
Re: Avoid WinDSX like the plague
[Re: matthew_k]
|
carpal tunnel
Registered: 25/12/2000
Posts: 16706
Loc: Raleigh, NC US
|
Sorry. I'm clearly irony deficient right now.
_________________________
Bitt Faulk
|
Top
|
|
|
|
#300536 - 12/07/2007 21:43
Re: Avoid WinDSX like the plague
[Re: wfaulk]
|
carpal tunnel
Registered: 30/04/2000
Posts: 3810
|
It never ceases to amaze how poor the security engineering is of companies that claim to be in the business of security.
|
Top
|
|
|
|
#300537 - 12/07/2007 21:48
Re: Avoid WinDSX like the plague
[Re: tfabris]
|
carpal tunnel
Registered: 25/12/2000
Posts: 16706
Loc: Raleigh, NC US
|
Yeah, FireDaemon costs money now. However, Microsoft provides instsrv and srvany in the resource kit and they do the same thing, albeit with a worse user interface. But even when I get it running as a service, which is honestly not that difficult with those tools, it requires that a user be logged in for it to function correctly and the "interact with desktop" checkbox be checked. As long as a user is logged in, it works fine. As soon as they log out, it stops working. If someone logs back in again, it works fine again.
They've done something to explicitly prevent it from working when no one is logged in. While connecting to it via VNC, I did actually notice that when it gets started with no UI, it actually pops up that window for an instant before making it go away, so that's probably the problem.
But now the problem is that it consumes large amounts of CPU even while it's doing nothing. I'd consider running it as a VMWare image, but if it's going to consume that much CPU regardless, I can't even do that. Maybe VMWare has a CPU throttle?
_________________________
Bitt Faulk
|
Top
|
|
|
|
#300538 - 12/07/2007 21:57
Re: Avoid WinDSX like the plague
[Re: wfaulk]
|
pooh-bah
Registered: 12/02/2002
Posts: 2298
Loc: Berkeley, California
|
Quote: I'd consider running it as a VMWare image, but if it's going to consume that much CPU regardless, I can't even do that. Maybe VMWare has a CPU throttle?
As I read your post I was formulating basically those exact thoughts in my head. AFAIK, VMWare does have a CPU throttle, it costs about 2k per physical machine you want to run ESX on. Using VMWare Server, you can limit limit the machine to a single processor core, which would at least leave any remaining cores free. However, the app probably isn't multithreaded in the first place.
Matthew
|
Top
|
|
|
|
#300539 - 12/07/2007 22:14
Re: Avoid WinDSX like the plague
[Re: matthew_k]
|
carpal tunnel
Registered: 25/12/2000
Posts: 16706
Loc: Raleigh, NC US
|
Yeah, I meant freebie VMWare. Hm. Does Linux have a per-process CPU limiter? I could limit VMWare itself.
_________________________
Bitt Faulk
|
Top
|
|
|
|
#300540 - 13/07/2007 00:44
Re: Avoid WinDSX like the plague
[Re: wfaulk]
|
carpal tunnel
Registered: 19/01/2002
Posts: 3584
Loc: Columbus, OH
|
Microsoft Virtual PC is free now too. Not sure if it could help...never used it.
_________________________
~ John
|
Top
|
|
|
|
#300541 - 13/07/2007 01:03
Re: Avoid WinDSX like the plague
[Re: wfaulk]
|
carpal tunnel
Registered: 29/08/2000
Posts: 14493
Loc: Canada
|
Quote: Yeah, I meant freebie VMWare. Hm. Does Linux have a per-process CPU limiter? I could limit VMWare itself.
Yes, there was (and probably still is) a config flag for dumb dos/win programs in VMware almost from version 1.0 onwards -- I've forgotten what it was called, but something to do with keyboard polling I think.
Alternatively or in addition, you can probably renice the VMware process to a low priority.
Mmm.. I wonder if that wretched code will run under Wine ?
Cheers
|
Top
|
|
|
|
#300542 - 13/07/2007 01:50
Re: Avoid WinDSX like the plague
[Re: mlord]
|
carpal tunnel
Registered: 25/12/2000
Posts: 16706
Loc: Raleigh, NC US
|
I'm pretty sure it's VB, which would tend to make it more likely, I think.
_________________________
Bitt Faulk
|
Top
|
|
|
|
#300543 - 13/07/2007 05:52
Re: Avoid WinDSX like the plague
[Re: JBjorgen]
|
carpal tunnel
Registered: 18/01/2000
Posts: 5683
Loc: London, UK
|
Quote: Microsoft Virtual PC is free now too. Not sure if it could help...never used it.
Microsoft Virtual Server is also free, and it does have resource throttling...
_________________________
-- roger
|
Top
|
|
|
|
#300544 - 13/07/2007 10:55
Re: Avoid WinDSX like the plague
[Re: wfaulk]
|
old hand
Registered: 20/07/1999
Posts: 1102
Loc: UK
|
Quote: Sorry. I'm clearly irony deficient right now.
Irony supplements might help...
pca
_________________________
Experience is what you get just after it would have helped...
|
Top
|
|
|
|
#300545 - 13/07/2007 13:26
Re: Avoid WinDSX like the plague
[Re: wfaulk]
|
carpal tunnel
Registered: 20/12/1999
Posts: 31597
Loc: Seattle, WA
|
Quote: I'm pretty sure it's VB, which would tend to make it more likely, I think.
Ah. That's the real reason why it sucks up CPU and won't run as a service.
For what it's worth, I've had VB programs that wouldn't run under Srvany, but ran fine under FireDaemon.
|
Top
|
|
|
|
#300546 - 13/07/2007 15:09
Re: Avoid WinDSX like the plague
[Re: tfabris]
|
carpal tunnel
Registered: 25/12/2000
Posts: 16706
Loc: Raleigh, NC US
|
Quote: For what it's worth, I've had VB programs that wouldn't run under Srvany, but ran fine under FireDaemon.
Fair enough. I gave it a shot, and while it does allow the program to continue running properly after I log out, it requires that someone log in on boot to get it started, which pretty much defeats the purpose of running it as a service. Clearly this is not FireDaemon's fault. I've had good experiences with it before, and it did slightly improve upon instsrv and srvany on their own, but WinDSX is apparently so badly written that there's clearly just no way to make it work intelligently.
_________________________
Bitt Faulk
|
Top
|
|
|
|
#300547 - 13/07/2007 15:40
Re: Avoid WinDSX like the plague
[Re: wfaulk]
|
carpal tunnel
Registered: 20/12/1999
Posts: 31597
Loc: Seattle, WA
|
Quote: it requires that someone log in on boot to get it started
There's gotta be a way around that somehow.
When you say "log in on boot", do you mean that the WinDSX program itself prompts for credentials?
|
Top
|
|
|
|
#300548 - 13/07/2007 15:43
Re: Avoid WinDSX like the plague
[Re: wfaulk]
|
carpal tunnel
Registered: 25/12/2000
Posts: 16706
Loc: Raleigh, NC US
|
I finally broke down, and, at least for now, set it up to autologin and put a shortcut to the program in Startup along with a shortcut to automatically lock the screen (rundll32.exe user32.dll, LockWorkStation). With the autolock in place, it won't start up properly. I have to go to the console and unlock the screen before it will start up properly. I suppose I can create a batch file to wait for a minute or so before it locks the screen, but, really? It won't start while the screen is locked?
_________________________
Bitt Faulk
|
Top
|
|
|
|
#300549 - 13/07/2007 15:53
Re: Avoid WinDSX like the plague
[Re: wfaulk]
|
carpal tunnel
Registered: 20/12/1999
Posts: 31597
Loc: Seattle, WA
|
Wow, that's pretty fscked up.
|
Top
|
|
|
|
#300550 - 13/07/2007 17:25
Re: Avoid WinDSX like the plague
[Re: tfabris]
|
carpal tunnel
Registered: 25/12/2000
Posts: 16706
Loc: Raleigh, NC US
|
I also just discovered that it builds and tears down about four TCP sessions a minute, over which it seems to pass no, or at least very little, data.
_________________________
Bitt Faulk
|
Top
|
|
|
|
|
|