Writing Secure Code for Windows Vista is Shipping!

I've received a number of emails from folks saying they have got their copies of our latest book, Writing Secure Code for Windows Vista.

David and I got our copies yesterday. The first things that hit me about the book are (a) it's the smallest book we've written (which is good!) and (b) it's very code dense (which is also good!).

One question posed was, "who wrote which chapters?" The easiest way is to look at bracket-styling for C or C++ code:

    if (x)
    {
        ...
    }

versus

    if (x) {
        ...
    }

So now you know 🙂

Comments (23)
  1. Nish says:

    Is this an indication that Michael has a Java background? I’ve mostly seen Java folks use the Michael-bracing style, whereas C/C++ folks who’ve never used Java usually (but not always) seem to use the David-bracing style.

  2. I’m a bit surprised your publisher or editor would allow the coding style to not be consistent. Anyhow, the book is in my Amazon wish list.

  3. Nish,

    >>Is this an indication that Michael has a Java background?

    No, not at all – it’s the Windows style 🙂

  4. brantgurga,

    One of the cool things about MSPress is they don’t try to override author style, and that includes language and coding. Luckily, David and I have a very similar writing style, we "talk", we don’t write!

  5. anonymous says:

    Hm… isn’t writing secure code for Vista like installing a heavy lock on a rotten wooden door?

  6. anonymous, this is an OS, not a religion.

  7. Tarun, thanks for the tip – 19 Sins is actually a damned good book 🙂

  8. VistaDan says:

    Hi Michael,

    Just wanted to let you know I’ve posted a short note about your new book on my blog, AdventuresInVista…

    Looks good – I hope to get a copy soon!

  9. Demigor says:

    David code looks more professional 🙂

  10. matthew says:

    Unfortunately, Amazon doesn’t expect to ship it for another month at least.

  11. matthew, that’s interesting, people are getting their copies… so I’m not sure what’s up @ Amazon.

  12. matthew says:

    In case other people ask, here’s what Amazon told me:

    "I have checked our records and see that there has been an unexpected delay in obtaining ‘Writing Secure Code for Windows Vista(TM)’… We expect to deliver it by May 22, 2007 to June 05, 2007."

    I’ll live – they bumped me up to two-day shipping for free. 🙂

  13. Matthew et al,

    I just spoke to the good folks here at MSPress, and here’s what they said, "Looks like there was more customer demand for this book before release than anticipated."

    Which is good (for me) I ‘spose 🙂

  14. James S. says:

    Explain again why a small book with a lot of code is a good thing?

    Anyway, I was amused that the MS Press website you link to says the book ships with a ‘1 null’ disk.

  15. Hunter says:

    Summary: David is correct. Michael is wrong.

  16. anonymous says:

    > anonymous, this is an OS, not a religion.

    Indeed, that’s why I’m asking why you treat it as a religion. "Writing secure code for Windows" would be much more reasonable. Who cares about the API enhancements in Windows Vista when this OS itself is horribly insecure and out of discussion in first place?

  17. anonymous, there’s a ton of security enhancements in the OS, and people need to take advantage of these.

  19. Peter.Delgado says:


    I purchased the book and I was a bit disappointed with Chapter 2. While it did give the fundementals, I felt that it glossed over some aspects of UAC.  In addition, the code samples appear to have used an older SDK because rather than use the definitions for SECURITY_MANDATORY_LOW_RID etc. you used the more complex and highly unreadable SID form and convert it to a SID.  This obscures what you are attempting to do within the code IMHO.

    There were some redeeming things within Ch2. I was unaware that the "runas" string to WSH and ShellExecute would perform elevation on the launched executable. However, you failed to mention that since the launched executable is actually in a different session, the environment that the executable "sees" is independent of the environment of the launching application. Many times this makes a huge difference!

    Overall, I like the book.  The section on SAL is pretty good and I like some of the technical information on UAC and IE7.  

    I would have liked more information regarding elevation of a standard user to highestAvailable privileges though as this is not really mentioned because the book concentrates on running using a filtered administrator token.

    There are many cases when a group or user is granted a specific right and the executable or script must be elevated to highestAvailable in order to take advantage of the additional rights.

    PS: If you ever need a reviewer for your next book, let me know. I’d love to help! I can guarantee that I’ll read it cover to cover!
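Peter's point about the named RID constants versus the raw SID string, as an added illustration that is not code from the book or from the comment: a portable C sketch (the SDK constant values are reproduced inline rather than taken from <windows.h>, so it builds anywhere) that constructs the integrity-label SID from SECURITY_MANDATORY_LOW_RID and shows the "S-1-16-4096" string form it corresponds to, plus the decoding a reader of the string form otherwise has to do in their head.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constants mirror winnt.h; redefined so this builds without <windows.h>. */
#define SECURITY_MANDATORY_LABEL_AUTHORITY 16u  /* the "16" in S-1-16-... */
#define SECURITY_MANDATORY_LOW_RID       0x1000u  /* 4096  */
#define SECURITY_MANDATORY_MEDIUM_RID    0x2000u  /* 8192  */
#define SECURITY_MANDATORY_HIGH_RID      0x3000u  /* 12288 */
#define SECURITY_MANDATORY_SYSTEM_RID    0x4000u  /* 16384 */
#define NOT_A_LABEL_RID 0xFFFFFFFFu   /* sentinel for "not an S-1-16-N SID" */

/* Minimal SID layout: revision, count, 48-bit big-endian authority, one RID. */
typedef struct {
    uint8_t  revision;
    uint8_t  sub_authority_count;
    uint8_t  identifier_authority[6];
    uint32_t sub_authority[1];
} label_sid_t;

/* The readable way: build the label SID from a named RID constant. */
label_sid_t make_label_sid(uint32_t rid)
{
    label_sid_t s;
    memset(&s, 0, sizeof s);
    s.revision = 1;
    s.sub_authority_count = 1;
    s.identifier_authority[5] = SECURITY_MANDATORY_LABEL_AUTHORITY;
    s.sub_authority[0] = rid;
    return s;
}

/* Render the SID in the "S-1-16-4096" string form. */
void label_sid_to_string(const label_sid_t *s, char *out, size_t n)
{
    uint64_t auth = 0;
    for (int i = 0; i < 6; i++) auth = (auth << 8) | s->identifier_authority[i];
    snprintf(out, n, "S-%u-%llu-%u", (unsigned)s->revision,
             (unsigned long long)auth, (unsigned)s->sub_authority[0]);
}

/* Decode the string form back to its RID; reject anything that is not exactly
 * a one-sub-authority S-1-16-N SID (trailing text included). */
uint32_t label_sid_rid_from_string(const char *sid)
{
    unsigned rev, auth, rid; char tail;
    if (sscanf(sid, "S-%u-%u-%u%c", &rev, &auth, &rid, &tail) != 3) return NOT_A_LABEL_RID;
    if (rev != 1 || auth != SECURITY_MANDATORY_LABEL_AUTHORITY) return NOT_A_LABEL_RID;
    return rid;
}
```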


  20. Pete, I’m glad that overall you like the book. We really ran up against page count issues, and ch2 could have been huge!

  21. Peter.Delgado says:


    In your book, the last chapter (p165)contains the statement "TIP: As a general rule, we like to use the Abstract Type Library (ATL) when writing COM code.  ATL makes COM palatable."

    Is this "ATL" different than the "Active Template Library" that I use or is the author of this chapter simply mistaken WRT the name of the library used?


  22. Peter – you are correct – it’s the Active Template Library
