{"id":112488,"date":"2026-06-30T07:00:00","date_gmt":"2026-06-30T14:00:00","guid":{"rendered":"https:\/\/devblogs.microsoft.com\/oldnewthing\/?p=112488"},"modified":"2026-06-29T21:29:15","modified_gmt":"2026-06-30T04:29:15","slug":"20260630-00","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/oldnewthing\/20260630-00\/?p=112488","title":{"rendered":"A compatibility note on the abuse of Windows window class extra bytes"},"content":{"rendered":"<p>During my discussion of <a title=\"The evolution of Windows window and class extra bytes in Windows\" href=\"https:\/\/devblogs.microsoft.com\/oldnewthing\/20260629-00\/?p=112484\"> the evolution of system-windows window and class extra bytes<\/a>, I noted that even though IDs are typically small integers, people liked to stash pointers there, so we had to expand the ID field to a pointer-sized integer.<\/p>\n<p>One thing I&#8217;ve learned is that anywhere it&#8217;s possible to hide a pointer, people will hide a pointer there. This is true even for small integers.<\/p>\n<p>As I was digging up the history of the extra bytes, I saw a special note in the 16-bit code for <code>Set\u00adClass\u00adWord<\/code>: It says that there&#8217;s an app that expects to be able to modify the value of <code>GWW_<wbr \/>CB\u00adCLS\u00adEXTRA<\/code>.<\/p>\n<p>Now, modifying this value has no practical effect because the memory for the class was allocated when you called <code>Register\u00adClass<\/code>. You can&#8217;t go back in time and change the allocation size.<\/p>\n<p>But one program realized that it could use this value as a place to store some private data, so they did. Sure, that&#8217;s not the purpose of the <code>GWW_<wbr \/>CB\u00adCLS\u00adEXTRA<\/code>, but that never stopped them.<\/p>\n<p>For compatibility, Windows lets 16-bit programs modify <code>GWW_<wbr \/>CB\u00adCLS\u00adEXTRA<\/code>. But at least it blocks it for 32-bit and 64-bit programs. One loophole closed. Countless more to go.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Finding an illicit place to hide data.<\/p>\n","protected":false},"author":1069,"featured_media":111744,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[2],"class_list":["post-112488","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-oldnewthing","tag-history"],"acf":[],"blog_post_summary":"<p>Finding an illicit place to hide data.<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts\/112488","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/users\/1069"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/comments?post=112488"}],"version-history":[{"count":1,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts\/112488\/revisions"}],"predecessor-version":[{"id":112489,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts\/112488\/revisions\/112489"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/media\/111744"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/media?parent=112488"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/categories?post=112488"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/tags?post=112488"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}