.NET Questions and Solutions

As a software engineer, I focus on .NET, especially asp.net, C#, WCF and so on, and I am also very interested in Search Engine Optimization.

Entries Tagged ‘System’

Blocking the SBP-2 driver to reduce 1394 DMA threats to BitLocker

Symptoms
A BitLocker-protected computer may be vulnerable to Direct Memory Access (DMA) attacks when the computer is powered-on or in the Standby power state, including when the desktop is locked.
BitLocker with TPM-only authentication allows for a computer to enter the power-on state without any Pre-boot authentication. Therefore, an attacker may be able to perform DMA attacks.
In these configurations, an attacker may be able to search for BitLocker encryption keys in system memory by spoofing the SBP-2 hardware ID by using an attacking device that is plugged into a 1394 port.
This article applies to the following systems:
Systems that are left powered-on.
Systems that are left in the standby power state.
Systems that use the TPM-only BitLocker protector.
Resolution
1394 Physical DMA
Industry standard 1394 controllers (OHCI compliant) provide functionality that allows for access to system memory. This functionality is provided as a performance improvement. It enables large amounts of data to transfer directly between a 1394 device and system memory, bypassing CPU and software.
By default, 1394 Physical DMA is disabled in all versions of Windows. There are two options to enable 1394 Physical DMA:
An administrator enables 1394 Kernel Debugging.
Someone with physical access to the computer connects a 1394 storage device that complies with the SBP-2 specification.
1394 DMA Threats to BitLocker
BitLocker system integrity checks protect against unauthorized Kernel Debugging status changes. However, an attacker can plug an attacking device into a 1394 port, and then spoof an SBP-2 hardware ID. When Windows detects an SBP-2 hardware ID, it loads the SBP-2 driver (sbp2port.sys), and then instructs the driver to allow the SBP-2 device to perform DMA. This enables an attacker to gain access to system memory and search for BitLocker encryption keys.
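To check whether a given machine matches the conditions listed above, the following added example (not part of the original article) reports the BitLocker protector type on the OS volume, the presence of 1394 host controllers, and the state of the sbp2port driver. It assumes an elevated session on Windows 8 / Windows Server 2012 or later, where the BitLocker module provides Get-BitLockerVolume; the function name and the output property names are made up for this example.

```powershell
# Added example, not from the original article. Run from an elevated prompt.
function Get-Sbp2DmaExposure {
    # Protectors on the OS volume. A 'Tpm' protector means the volume unlocks
    # at boot with no PIN or startup key (the TPM-only case in the article).
    $osVolume   = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $protectors = @($osVolume.KeyProtector |
                    ForEach-Object { $_.KeyProtectorType.ToString() })
    $protected  = $osVolume.ProtectionStatus.ToString() -eq 'On'
    $tpmOnly    = $protected -and ($protectors -contains 'Tpm')

    # 1394 host controllers currently present. A controller can also be added
    # later through an expansion slot, so zero is not a permanent guarantee.
    $controllers = @(Get-CimInstance -ClassName Win32_1394Controller)

    # The SBP-2 port driver named in the article (sbp2port.sys).
    $sbp2 = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name = 'sbp2port'"

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        BitLockerProtection = $osVolume.ProtectionStatus
        KeyProtectors       = $protectors -join ', '
        TpmOnly             = $tpmOnly
        Ieee1394Controllers = $controllers.Count
        Sbp2DriverPresent   = [bool]$sbp2
        Sbp2DriverState     = if ($sbp2) { $sbp2.State } else { 'n/a' }
        Sbp2DriverStartMode = if ($sbp2) { $sbp2.StartMode } else { 'n/a' }
        # True when the configuration in the article applies: TPM-only
        # protector plus at least one 1394 controller on the machine.
        MatchesArticleCase  = $tpmOnly -and ($controllers.Count -gt 0)
    }
}

Get-Sbp2DmaExposure | Format-List
```

A machine that reports MatchesArticleCase as True and is routinely left powered on or in standby is the case the article describes.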

An event may be logged after you restart Windows Server 2008: “Event ID: 5 Message: The Virtual Storage Filter Driver is disabled through the registry. It is inactive for all disk drives”

Symptoms
After you restart Windows Server 2008, the following event may be logged in the System log:

Log Name: System
Source: storflt
Event ID: 5
Level: Warning
Task Category: None
Message: The Virtual Storage Filter Driver is disabled through the registry. It is inactive for all disk drives.
Resolution
This event is logged when one of the following scenarios is true:
The virtual storage filter driver cannot attach to the virtual storage device. The virtual storage filter driver is included in Windows Server 2008. This driver optimizes the performance of disk I/O if Windows Server 2008 is running on a Microsoft Hyper-V Server.
Windows Server 2008 is installed as the host operating system or as the guest operating system before the most recent version of Hyper-V Server is installed.

A memory leak occurs in performance counters that are used to monitor Windows Server 2008-based computers

Symptoms
When you use Microsoft System Center Operations Manager 2007 to monitor system performance on Windows Server 2008-based computers, a memory leak occurs. Specifically, this memory leak occurs in the performance counters that are used by System Center Operations Manager 2007.
Note Any applications that use performance counters in Windows Server 2008 may also experience this problem.
Resolution
This problem occurs because of a bug in the way that Windows Server 2008 manages allocated memory.

A 0xC0AA0007 error is returned when an application uses IMAPI v2 to burn some data to a recordable disc on a computer that is running Windows Vista or Windows Server 2008

Symptoms
Assume that an application uses Image Mastering API version 2.0 (IMAPI v2) to burn some data onto a recordable DVD or CD on a computer that is running Windows Vista or Windows Server 2008. However, a 0xC0AA0007 error is returned.
This problem typically occurs with backup applications that use IMAPI v2. For example, this problem occurs when you try to create a system repair disc by using the Backup and Restore tool in the operating system. The job fails and you receive the following error message:

Fail to create system repair disc. (0xC0AA0007)
Resolution
In certain scenarios, the time that a device takes to close a session on a disc exceeds the time-out value in IMAPI. This behavior causes the image verification to fail. This hotfix increases the time-out value.

Stop error 0x0000007f EXCEPTION_DOUBLE_FAULT occurs in Windows 2000 Server

Symptoms
Microsoft Windows 2000 Server may stop unexpectedly, and you may receive an error message that is similar to the following:

Stop: 0x0000007f (00000008, 00000000, 00000000, 00000000) EXCEPTION_DOUBLE_FAULT
Resolution
This problem may occur if the Srv.sys driver enters into a recursive loop when the driver tries to flush files. The recursive loop occurs because the driver does not have write access to the files.
Srv.sys is a file system driver that handles the interaction with the lower levels of the protocol stack. The driver interacts directly with various file system devices to satisfy command requests, such as file read and write requests.

PRB: “System.Reflection.TargetInvocationException” Error Message When You Call the MethodInfo.Invoke Method

Symptoms
When you call the MethodInfo.Invoke method, you may receive the following error message:

An unhandled exception of type ‘System.Reflection.TargetInvocationException’ occurred in mscorlib.dll
Additional information: Exception has been thrown by the target of an invocation.
You may also receive an additional error message that is similar to the following error message:

Unhandled Exception: System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.IO.FileLoadException: 'ClassLibrary1' is not a valid file.
File name: "ClassLibrary1"
at ClassLibrary2.Class1.GetString()
Resolution
You receive the System.Reflection.TargetInvocationException error because the common language runtime calls the MethodInfo.Invoke method by using reflection.
When you load an assembly by using the Assembly.LoadFrom method, the common language runtime places the loaded assembly in the LoadFrom context of your application. Any probes for the dependencies of the assembly first probe the current application directory. If this probe fails, the common language runtime then probes the LoadFrom context of your application.
You may load an assembly that has a simply-named dependency that has the same file name as a file in the current application directory. When you try to invoke a method in the loaded assembly by using the MethodInfo.Invoke method, and the invoked method uses the dependency, the common language runtime first probes the current directory path. When the common language runtime finds a file that has the same file name as the dependency, the probe stops. However, if this file does not have the same assembly identity as the dependency, the assembly bind fails, and the common language runtime generates a System.IO.FileLoadException error that is passed to the System.Reflection.TargetInvocationException error. Therefore, you may notice the behavior that is mentioned in the “Symptoms” section.
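The name collision described above can be found before it surfaces as a TargetInvocationException. The following added example (not part of the original article) compares the assembly identity of each .dll or .exe in a LoadFrom directory with any file of the same name in the application directory. The function name, parameter names and sample paths are hypothetical.

```powershell
# Added example, not from the original article.
function Find-AssemblyIdentityConflict {
    param(
        [Parameter(Mandatory)] [string] $AppDirectory,      # application base directory
        [Parameter(Mandatory)] [string] $LoadFromDirectory  # directory passed to Assembly.LoadFrom
    )

    # Read the identity (name, version, culture, public key token) from a file.
    # Files that are not valid managed assemblies yield a marker string instead.
    $getIdentity = {
        param($path)
        try   { [System.Reflection.AssemblyName]::GetAssemblyName($path).FullName }
        catch { '<not a valid managed assembly>' }
    }

    $candidates = Get-ChildItem -LiteralPath $LoadFromDirectory -File |
                  Where-Object { $_.Extension -in '.dll', '.exe' }

    foreach ($dep in $candidates) {
        # The runtime probes the application directory first, so a file with
        # the same name there is found before the one next to the loaded assembly.
        $shadow = Join-Path -Path $AppDirectory -ChildPath $dep.Name
        if (-not (Test-Path -LiteralPath $shadow -PathType Leaf)) { continue }

        $expected = & $getIdentity $dep.FullName
        $found    = & $getIdentity $shadow

        if ($found -ne $expected) {
            [pscustomobject]@{
                File                 = $dep.Name
                AppDirectoryIdentity = $found      # what the probe stops at
                LoadFromIdentity     = $expected   # what the loaded assembly needs
            }
        }
    }
}

# Constructed sample paths; replace with the real directories.
Find-AssemblyIdentityConflict -AppDirectory 'C:\App' -LoadFromDirectory 'C:\Plugins\ClassLibrary2'
```

Each row in the output is a file that would stop the probe in the application directory while failing the assembly bind, which is the condition that produces the FileLoadException shown in the Symptoms section.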