|December 29, 2014||• Printing.exe has been updated: it accepts a regular expression pattern for the printer selection (
• A bug in InputBox.exe has been fixed: if a timeout was specified, the program would return the unfiltered and unvalidated default answer when the timeout period expired, regardless of mask or regular expression; the new version returns the input entered so far, filtered and validated, with the appropriate errorlevel.
• A minor bug in Which.exe has been fixed: when
|December 24, 2014||• InputBox.exe has been updated: besides regular expression based filtering with its
|December 18, 2014||• UpdateCheck.hta has been updated.
Adding a new INI parameter DisplayName, to search the registry for program versions, forced me to rewrite part of the code, as it became too hard to maintain.
I also fixed a bug where the HTA would not save all intermediate results in separate files; when fixed, my computer became so littered with these files that I also added an optional
• ListProgs.bat is a helper batch file for UpdateCheck.hta's new DisplayName parameter: it lists all registry keys that have both
|December 12, 2014||• Which.exe has been updated: with the new optional command line switches
|December 10, 2014||• Scott Sumner found a bug in the (not quite) "fool proof" input routine for
I modified the code, the check for the errorlevel is now done before
|December 9, 2014||• Eelco Ligtvoet found some bugs in ListIntCmd.exe:
|December 8, 2014||• Which.exe has been updated: no more hard-coded list of internal commands, it now searches
• ListIntCmd.exe has been updated:
Since ListIntCmd.exe's code is also used in other programs (BatCodeCheck.exe and Which.exe), I really appreciate Eelco's help.
|December 7, 2014||• ListIntCmd.exe, a spin-off of BatCodeCheck, is a new tool to list all available internal commands.
Tested on my own Windows 7 system only, so far.
|December 5, 2014||• The C# Examples page has been restyled.
Besides a new icon style, a new icon has been added for each program, opening the program's help text when clicked.
• LoCase.exe and UpCase.exe have been updated: besides renaming files to all lower or all upper case, they can now also render redirected input to all lower or all upper case.
|December 4, 2014||• RxReplace.exe is a new, multi-line, regex based find and replace tool.
• Which.exe has been updated: the new optional command line switch
• I added a command to list all internal commands to my Short Command Line Tips page:
Tested on my own Windows 7 system only, so far.
|November 28, 2014||• UpdateCheck.hta has been updated.
Several new command line switches and INI file parameters were added, and the program list (INI file) itself is now checked for updates too.
Note that the new INI file parameters will not be recognized by UpdateCheck.vbs.
|November 20, 2014||• The new version 0.32 of BatCodeCheck went through a major reshuffle of command line switches.
If you created batch files to run BatCodeCheck, modify those accordingly.
BatCodeCheck now checks an environment variable
|November 15, 2014||• The new version 0.30.5 of BatCodeCheck accepts two new optional command line switches:
|November 10, 2014||• I created a new page with known issues for BatCodeCheck.
If you find any bugs, errors or unexpected results, please send the details to moc.eduowrednavbor@ofni .
|November 8, 2014||• BatCodeCheck has been added to UpdateCheck.hta's program list.|
|November 7, 2014||• BatCodeCheck had several minor updates again: it now also tests for invalid command line switches of several internal commands, and for unescaped ECHOed parenthesis inside code blocks.|
|October 30, 2014||• A tutorial on safely using
• BatCodeCheck now also tests for SET /P.
|October 29, 2014||• BatCodeCheck has been updated again: it now distinguishes between real errors (that do break your code) and bad practices (that may some day break your code).|
|October 28, 2014||• BatCodeCheck has been updated: case sensitivity has been corrected and several new tests for some common errors were added.|
|October 22, 2014||• I added a page on batch file best practices to this site: DOs and DON'Ts When Writing Batch Files.
• I also added a page dedicated to BatCodeCheck.
|October 13, 2014||• Wolfgang Struensee also found a bug in DropDownBox.exe: it didn't resize the prompt correctly if the window height was specified.
Besides, "\n" in the prompt string wasn't interpreted as a line break.
Both isssues have been fixed in version 1.01.
|October 12, 2014||• Wolfgang Struensee found a bug in DateTimeBox.exe: it didn't handle unspecified (default) date/time display formats correctly.
To fix the bug I changed the initial date and time patterns from
|October 9, 2014||• BatCodeCheck.exe has been updated, it now finds unquoted
• While testing the BatCodeCheck.exe update on my batch files I found another vulnerability in RoboMove.bat that previous tests had missed: unquoted
It is much safer to use
RoboMove.bat has been updated accordingly.
|October 7, 2014||• I had been pondering on a Batch Files Best Practices section for a while, and then the recent code insertion vulnerability disclosure made it clear I just had to add it, now!
The first part discusses some solutions for the vulnerability in (unquoted) %CD%, plus command line input validation and a safer alternative.
|October 2, 2014||• The impact of the security code insertion vulnerability for batch files is probably a lot greater than just these few scripts that used unquoted
Unquoted parsing of command line arguments (
Still, expect many updates of my existing batch files the next couple of weeks, and check your own batch files.
I will implement more "best practice" warnings in BatCodeCheck.exe too.
|October 1, 2014||• A security vulnerability for "shell scripts" (batch files) has been disclosed: http://www.thesecurityfactory.be/command-injection-windows.html.
In short, it warns against the use of unquoted
I urge you to read the details in the link above and investigate your batch files for the use of unquoted
I have my work cut out for me...
The disclosure includes a copy of my Own.bat for Windows 2000 to demonstrate vulnerable code.
Note that the batch file used as a sample has been updated to prevent the vulnerability, but I left the vulnerable code in comments for learning purposes.
• Now that I have to check many batch files for the code insertion vulnerability, I added a preliminary test for this vulnerability in BatCodeCheck.exe.
• An automated test on 417 batch files out of the 993 (mixed) source files hosted on this website took just under 2 minutes, and discovered 9 affected files. I will investigate these files and update them if necessary.
• Alarmed by the code insertion vulnerability disclosure, I updated InputBox.exe:
page last modified: 2018-04-16