
Everything posted by aphelion
-
Sure np, I tried PMing you but it didn't work. Send me one and I will shoot you the link. I'd have to get author's permission to release more widely I think.

Edit: My original work (psd, png, reg) is available here: https://mega.co.nz/#!zIIAzIQB!oIhhIDwjFBLlHClxKEA1fDYRRR8l1T7olsBufU3-XRs (needs Snowy8, files are named after the resource numbers)
-
Font matters. Try using an OpenType font with PostScript outlines and you won't see any color fringing. They render as ClearType Outline rather than Natural (Default). There's a whole complicated matrix. I leave ClearType enabled but banish all color by going through the tool, and using Helvetica Neue instead of Segoe UI/Tahoma/etc. There is also a registry key that the tuner modifies, that's supposed to be the end-all-be-all of whether your monitor supports subpixel antialiasing. Search for a value of "PixelStructure" and 0 means it's flat and to render using grayscale. But it still gets ignored if the font is Segoe UI.
-
Custom version of Snowy8 with less color, more transparency and blur
-
Amazon or CacheFly or Azure. For a pure CDN probably more of the first 2
-
Noel described the difference between whole themes and just the resource file we're calling an atlas here; applying the atlas to a theme other than the one specified (in this case Win8.x) will get you graphical artifacts. Just like you can't apply the Win10 atlas to Win8.1 (it won't glitch out completely due to the way the Win10 is an expansion of the Win8.x, but you won't get those big shadows Win10 has since they're outside of where the Win8.x theme looks for them), you can't apply an atlas for the default, like those in this thread, to some other theme. The atlas files in this thread are applied using the AeroGlassGUI.exe tool, not in the Personalize section of Desktop preferences. They can also be set with registry values directly.
-
Very minimal skin, removes all color and reduces border contrast in favor of increased blur radius and shadowing to draw separation between elements.

Screenshot:

The settings necessary for the look in the attached screenshot are:

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\DWM]
"BlurDeviation"=dword:00000064
"ColorizationColor"=dword:00ffffff
"ColorizationColorBalance"=dword:00000064
"ColorizationAfterglow"=dword:00ffffff
"ColorizationAfterglowBalance"=dword:0000000a
"ColorizationBlurBalance"=dword:0000000f
"EnableWindowColorization"=dword:00000001
"ColorizationGlassAttribute"=dword:00000001
"ColorizationColorCaption"=dword:00ffffff
"ColorizationColorBalanceInactive"=dword:00000064

The glow should appear as a duotone: subtle white on black, and a faint gray on white, so that it's not intrusive or out of place.

Update 1: Restore button fix

Update 2 (11-14-14):
- fixed 1px incorrect alpha on left window border
- changed all window borders to match alpha of restore/min/max buttons for smoother look
- added full transparency for captions and borders (reg settings handle the luminosity)
- added BlurDeviation of 100 to enhance caption legibility
- aligned the duotone shadow more accurately behind caption and with each other

Screenshot:
-
First load is a bummer if you hadn't preloaded the spring dll. I found it worked best for me just letting it log out and slow down. Then I could type in everything fast enough and hold the title bar with the mouse to keep it from reloading in between
-
Same seen here, that works the same as setting the task bar to opaque using the winaero tool
-
No reason to do that. The method (caught by heuristics and HIPS) looks at memory for privileged processes (system integrity first then high integrity), finds their autorun point (autoruns.exe gives an idea how quickly that is done), checks permissions and overrides. Why target any one particular filename? That is unlikely, I agree. Would a list of exploits that do this already convince you?

Edit: fontsize keeps shifting every paragraph, anyone else getting that?
-
I concur. I think when BM has 'The utility is completely integrated into Desktop Window Manager without breaking any system protection or modifying system files.' on his page is aphelion's issue. That and the fact of the watermark. He has monopolized this forum to the point that people are really paranoid. As I stated earlier, I do not see him taking Tihiy to task. I would love to. But, lawyers. Not an issue here. Yes, sad, but a fact of life.

Edit: I have said Tihiy's "software" compromises security far more, I even posted a whole explanation with the certificates. But I didn't post the SC certs because even that creates liability given a loose enough interpretation. The commands are provided in that post to see them, as well as what to look for in process monitor to see its actions. SIB not only hijacks some processes but hooks them and uses them to deliberately override system policies explicitly set to bypass proxy server settings, firewall settings, and even resorts to using the core System process (PID 4) to send TCP requests after being repeatedly denied access. If it fails on IPv4 it goes to v6 to obfuscate the destination. Russia and almost half the world has to be blocked if using a broad netmask, so I am compiling a list of IP address ranges that I will publish when I am confident I have all of them, to keep that from happening.

Now that it's clear there's more than one wrong thing in the world, there are also many good ones. I report several bugs to Actual Tools, not far from Tihiy. Their CEO responds directly with none of the back and forth. Even when I get frustrated by lack of progress and decide to list out a half dozen bugs at a time, what do I get? Emails that confirm each one as being in progress for a fix in the next release. This is not the only forum where I report bugs, just the same as it's not the only software I use. It is by far the most hostility of any of the others. And by it there's only one it for the most part as the others are just 3 or 4 people dropping in to try to understand what's going on. Which is certainly understandable given my shared concern
-
Dude. You lied. That's why I said you lied. You still haven't denied it. Of course you can't because it would be lying again. When I said perhaps ignore posts where you'd normally lie, I guess it wasn't clear posts where you lie AND where you try to kind of say you didn't but do. That's 2
-
Do you really think anyone would believe an answer like that held no ulterior motive? Just 1 line to not post. Sure, that makes sense. And to think I didn't even post so much as a command or a name of a binary even though the whole point of MSFN is where people come to know, is it not? It was just the very true fact that you lied to a user and it's not cool. I said don't try to discredit, but please do explain it if I'm somehow mistaken. As for making my own app, what for? Aero? I don't need that, I already use an app for that, it's yours. And I like it, which is why I not only donated multiple times but spent hundreds of times that amount of trying to get you to apply a security descriptor to your dll. And handing it to you ready made to copy and paste you tell me I am not allowed to post. Fine, my work is thrown away, and it was all for nothing. There's a few dozen hours wasted trying to get a good app to get good security, but worse things have happened. Like leaving security holes in a popular app, for example. If you don't want to use security, does that mean you won't be using bcrypt anymore either? Or is your use of security features going to be limited only to protect the donation status? Either way is perfectly fine with me, my system is patched and I can donate however many times is needed since I know that will keep the releases coming. I'll grab them from tor or a shell. It's just sad that I will have to keep patching mine as your interest in security lies only so far as donations, keys euros, whatever it is. Licenses now? I think? Why the name change? I don't care actually, no more than you care about your app apparently. Guess it's time to go full disclosure, which I trust you read the link to. This wasn't it. The PUP list is, and any app that runs a DLL unprotected in System security context qualifies. Congratulations.
-
Edit: did not delete, forum post did not update. So all that work, like I said in the beginning, for nothing? Okay. Go screw everyone over then. It is your app, so I guess they consented
-
S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464 That's TrustedInstaller, also known as Windows mistakenly confusing overzealous obfuscation as security. But at least it doesn't make things less secure, just annoying to type
-
Nope, it was you who was complaining that Aero Glass is left unprotected in the user folder. So I just stated if user installs the software in the user folder then he should not complain that it is accessible without admin rights there.

I think you are taking user folder to mean C:\Users\User\. That's not what I am referring to. I am talking about a folder under LUA security context. That includes C:\AeroGlass under the way it is currently implemented in the setup, and it does not have to be that way. To get it to work properly in Program Files you can use integrity levels. The user gets a UAC prompt when you make the C:\Program Files\AeroGlass folder. That's a good thing. It means that folder is now protected. But harder to access. To access you need to tell the installer to write the equivalent of the following permissions to the DLL:

AeroGlass.DLL NT SERVICE\TrustedInstaller:(I)(F)
              NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
              NT AUTHORITY\SYSTEM:(I)(F)
              NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
              BUILTIN\Administrators:(I)(F)
              BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
              BUILTIN\Users:(I)(RX)
              BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
              CREATOR OWNER:(I)(OI)(CI)(IO)(F)
              APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
              APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)

Then the DLL will have no trouble loading. It's not a user problem when the dll can't load correctly, it's an installer problem. Or you could use instead of "problem" the correct descriptor, "means of security enforcement". I can try to look up the docs for whichever installer it is. Or I can write a command line that does it. Here is an .ACL file, same thing as a command line but easier to transfer and apply.

Edit: Out of disk space suddenly... I can paste the hex or this is the SDDL to apply by whichever means you choose. chml will take it as is, I don't believe icacls does without converting to acl file first.

AeroGlass.DLL
D:AI(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;0x1200a9;;;BU)(A;ID;0x1200a9;;;AC)S:AI

That is only specific to the object though, and it inherits from the container. So the folder gets:

AeroGlass
D:AI(A;ID;FA;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)(A;CIIOID;GA;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)(A;ID;FA;;;SY)(A;OICIIOID;GA;;;SY)(A;ID;FA;;;BA)(A;OICIIOID;GA;;;BA)(A;ID;0x1200a9;;;BU)(A;OICIIOID;GXGR;;;BU)(A;OICIIOID;GA;;;CO)(A;ID;0x1200a9;;;AC)(A;OICIIOID;GXGR;;;AC)S:AI

So I don't know if the forum won't mangle that, but I've been asking for space for 4 days I think? I will try to find a host that takes non-images
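A check on the two SDDL strings in the post above, as an added example that is not part of the original post: it decodes each DACL and lists any principal outside SYSTEM, Administrators and TrustedInstaller that holds rights sufficient to replace the object. The function names, the `TRUSTED` set and the `WEAK_SDDL` contrast string are assumptions constructed for this example; inherit-only ACEs are skipped because they do not apply to the object itself.

```python
import re

TI = "S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464"
# SDDL SID aliases seen in the post, plus AU for the constructed sample below.
SID_NAMES = {"SY": "NT AUTHORITY\\SYSTEM", "BA": "BUILTIN\\Administrators",
             "BU": "BUILTIN\\Users", "AU": "NT AUTHORITY\\Authenticated Users",
             "AC": "ALL APPLICATION PACKAGES", "CO": "CREATOR OWNER",
             TI: "NT SERVICE\\TrustedInstaller"}
# Assumption for this example: only these principals should hold write access.
TRUSTED = {"SY", "BA", TI}
# SDDL rights mnemonics mapped to access-mask bits (file, generic, standard).
RIGHTS = {"FA": 0x1F01FF, "FR": 0x120089, "FW": 0x120116, "FX": 0x1200A0,
          "GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000,
          "GR": 0x80000000, "SD": 0x10000, "RC": 0x20000,
          "WD": 0x40000, "WO": 0x80000}
# Bits that allow replacing or re-permissioning the object: write data/add file,
# append, delete child, DELETE, WRITE_DAC, WRITE_OWNER, GENERIC_WRITE, GENERIC_ALL.
MODIFY_MASK = (0x2 | 0x4 | 0x40 | 0x10000 | 0x40000 | 0x80000
               | 0x40000000 | 0x10000000)

# The two descriptors from the post.
FILE_SDDL = ("D:AI(A;ID;FA;;;SY)(A;ID;FA;;;BA)"
             "(A;ID;0x1200a9;;;BU)(A;ID;0x1200a9;;;AC)S:AI")
FOLDER_SDDL = (f"D:AI(A;ID;FA;;;{TI})(A;CIIOID;GA;;;{TI})(A;ID;FA;;;SY)"
               "(A;OICIIOID;GA;;;SY)(A;ID;FA;;;BA)(A;OICIIOID;GA;;;BA)"
               "(A;ID;0x1200a9;;;BU)(A;OICIIOID;GXGR;;;BU)(A;OICIIOID;GA;;;CO)"
               "(A;ID;0x1200a9;;;AC)(A;OICIIOID;GXGR;;;AC)S:AI")
# Constructed contrast: a folder where Authenticated Users hold Modify (0x1301bf).
WEAK_SDDL = ("D:AI(A;ID;FA;;;SY)(A;ID;FA;;;BA)"
             "(A;ID;0x1301bf;;;AU)(A;ID;0x1200a9;;;BU)")

def parse_rights(field):
    """Turn an SDDL rights field (hex or two-letter mnemonics) into a mask."""
    if field.lower().startswith("0x"):
        return int(field, 16)
    mask = 0
    for i in range(0, len(field), 2):
        mask |= RIGHTS[field[i:i + 2]]
    return mask

def parse_dacl(sddl):
    """Return the DACL's ACEs as dicts: type, flag set, access mask, SID."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    if not m:
        raise ValueError("no DACL found in SDDL string")
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(1)):
        ace_type, flags, rights, _obj, _inherit_obj, sid = body.split(";")
        aces.append({"type": ace_type, "sid": sid, "mask": parse_rights(rights),
                     "flags": {flags[i:i + 2] for i in range(0, len(flags), 2)}})
    return aces

def untrusted_writers(sddl):
    """Names of non-trusted principals allowed to modify the object itself."""
    return [SID_NAMES.get(a["sid"], a["sid"]) for a in parse_dacl(sddl)
            if a["type"] == "A" and "IO" not in a["flags"]
            and a["sid"] not in TRUSTED and a["mask"] & MODIFY_MASK]

if __name__ == "__main__":
    for label, s in (("file", FILE_SDDL), ("folder", FOLDER_SDDL), ("weak", WEAK_SDDL)):
        print(label, untrusted_writers(s) or "no untrusted writers")
```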
-
You cannot, it is debug version intended for testing only as already stated. Release version will be available in several days.

Aexl - you can donate or BM can stop lying but the second is unlikely. You certainly can close it without killing the process and without violating the EULA. And BM, I am saying that now bec I am so sick of this nonsense. Debate all the finer points of MessageBox vs MessageW until you are called out about it, then come out and straight up LIE, that's not cool. And don't bother trying to discredit, that has not worked. Just ignore the posts where you would normally lie. Also, sorry to the non-donators: I do predict that this is against the EULA as of the next version
-
I already explained why I think this and it's especially the form of presenting it here. Sure, there is nothing wrong with questioning but it is wrong to state how Aero Glass behaves bad although it does not behave in that way at all. And... as in the past, doesn't it look bad when user installs debug version and then he complains that it displays debug messages? It does to me and it is same in this situation, user installs the software into the user folder and then complains that it gets "on disk zero protection not even admin" and he can simply replace DLL with one batch file, because the file is protected in the same way as any file on the desktop.

Am I misunderstanding that you just said most apps are installed in user space, without UAC prompts?

Edit: Forgot where I am. Why ask questions. Let me answer that. Not about what he said, because that only he can answer, but about apps installing in user space (where your temp files live so you can delete them, same exact permissions level). There are only 2 common apps that install in user space, Chrome and Dropbox. Everything else goes in Program Files. And what triggers that prompt? It's the integrity level of the program files with the write-up property set to true, which enforces it upwards the tree. It can only be set on the command line. But it is not that hard, it just needs to be shown once and done. Just the old legacy system can only do the all-or-nothing and has only the opposite direction for inheritance chaining available.

Edit: typos. And I type fine. Looks like something is throttling input (NOT GLASS like I'm about to get accused of). brb
-
W8.1 Disable Features
aphelion replied to MAVERICKS CHOICE's topic in Unattended Windows 8/Server 2012
That's the problem I had when using similar (although as pointed out here these are superior) techniques on 7. Everything was super fast and great and some random thing wouldn't work, like MM. And I just disabled 30 things none of which sound directly responsible, so maybe there is a second computer I can use to trace the execution path but probably not. Do I go one by one or 54 by 5? So in the end I opted to go full in as then taken dispassionately, the time spent diagnosing far outweighs the speed increases. However 8 installs so much quicker especially without the welcome screen so I suppose it's more reasonable. Edit: typos
-
System integrity would be good since it gets that protection in memory, but on disk zero protection not even admin. I trust you are following up on that now even without acknowledging or saying anything. Hate repeating since ILs are easy to set but not on other people's systems, and impossible to know if what you saw or didn't. Sometimes it's 1 line, other times very specific, but for the important fixes, nothing. So I guess the only thing to do is wait and see. Without a fix it would be up to others to do based on some guide I'd have to write for what was left unseen. What a bigger waste of time than this post that would be. I can see why you think I hate Glass even though I clearly don't, it's because of the frustration of documenting and screenshots for no idea if it went to anything good. I guess it's your style, that's a personal choice
-
Sure. I appreciate you taking the time to answer those questions I had however roundabout the answers. Will certainly try to stay away from that anyway given the answers turn out to take a while. But would need equal effort from you to not trivialize by focusing on one typo like such, where 20 times saying hijack and once saying hook that extrapolates out to no understanding of basic OS principles, I'm sure you can see there is nothing productive to come from that. Would be like me saying it's not MessageBox the issue but MessageW used for inter window communications you're misrepresenting a dialog box function. It's just endless and I type it when I see clear need but would rather not. Looking forward to future versions. Anything else I may wrap up in a day or two since I think I did not import the right symbols into IDA or there is something else missing for the moment. In any case as that wraps and if anything appears to be confirmed on my end I will try PM first now that I know that is a preference. There are many month old tickets, with the mentions not to email that it's easy to mistake that to mean no PMs as I did, but perfectly normal to use given it's the same thing on a forum. And the less distractions the better.

Edit for typos on iPad. Noticed now it's session instead of process isolation. I'm sure that was a mistake since no way you missed command launch instructions, where session isolation is worked around. That would be deliberate and I'm sure it wasn't. Also process isolation is subset of integrity level if you want to add those so the dll can't be replaced by a batch file
-
Lots of bliss all over should you wish to seek it. Afraid this has turned into a thread "where people go to know". That is the title of the forum, isn't it?
-
I don't run Glass at work but that's because I'm not done analyzing it yet. I do run StartIsBack and that took a lot more work to get secure. It's a huge security nightmare and it doesn't help that it's all given the gold stamp of approval by a "trusted" root certificate authority. Which kind of brings me back full circle to the very first screenshot I posted. Just because it's possible within the framework, and it hasn't yet been recognized as an attack vector or for whatever reason doesn't raise alarms, does that make it okay? Here's something I cooked up trying to figure out how it jumped out of my sandbox in 10 ms. Turns out this is all it takes. Do you trust me with that level of access? That's more than RSA and Verisign trust themselves. And it is perfectly slipstreamed into any installation right into the system store, no warning or notice to the end user as they have a new trusted friend with EVERY policy available to override, including Microsoft's own certificate revocation list that's designed to prevent an abuse like this even if it's ever caught. There have been less revoked certs than I can count on two hands and the last one IIRC was years ago. So am I good to then start using this for “all purpose” access? That refers to encrypting data, confirming its authenticity, and decrypting any of it on demand using my private key. Data and purposes are checkboxes: server authentication, code signing, secure email, internet and system security (SSL and encrypted files). Even issuing and verifying other certificates. Do you still believe caveat emptor still applies here, well within established security protocols? That's exactly like the cert StartIsBack uses, except that one is from a strangely similarly named company in Israel. They might have a PO Box, they might not, or there may not be a they at all. Doesn't matter since apparently Windows trusts me just the same, so I don't need them either. I agree with what you said first about common sense, and would say let's stick with that. Analogies like the one you made can only hurt the message which is in all other respects perfectly agreeable.
-
The consensus is clear from the first paragraph and matches up with my experience dealing with anyone who actually cares about, practices, or works in security related specialties. I let it go before but let's not propagate this falsehood unnecessarily
-
Everything you said is absolutely true and I agree with, except for the very last sentence that you somehow have an entirely incorrect impression. The security community uniformly disagrees with "security by obscurity" (I'm sick of that term too) as you describe "discretely reporting". It was mentioned before as "usually in software development this is done in private" as though that's even remotely true. Find me one reputable source that says it results in more effective fixes and I'll throw away everything I know from personal and professional experience, and tell them that they're wrong too. Here's one of the thousands that disagrees, it's the same link I just posted about security by design. It's the first hit on Google but I can't justify spending more time than that. It does seem like a good place to start if you believe that. And if you are in infosec then those sources are referenced there as well: http://en.wikipedia.org/wiki/Full_disclosure_(computer_security) Caveat emptor does not apply for security matters. Neither does this outdated idea. The only thing it helps is someone's feelings, if they haven't actualized themselves to that extent. That's not a primary concern. Edit: nicer
-
The GDI performance in XP was vastly superior to the implementation Vista onwards. It has not improved in 7 or 8 but is hardly noticeable anymore as it's been uncoupled from the main thread since multi core. The affinity change seems to have been the "solution" here, and it's not ideal but one of those tradeoffs that is a personal choice. Certainly can understand people sticking with operating systems as long as all the risk factors are understood and accounted for