Abstract: Updates for an enterprise's software product are made available to user devices on-line, even when network resources of the enterprise are unavailable. Software update sets and notifications concerning the update sets may be published by an enterprise for consumption by content distribution partners of the enterprise and parties not affiliated with the enterprise. Each abstraction relating to an update, including update notifications and update sets may include a cryptographic signature for later use in authenticating the source of the abstraction. Update notifications also may include information indicative of: available update sets; and network locations at which the update sets can be accessed. Further, an update notification may be configured with a time-to-live (TTL) value indicating a value of time after which the notification expires. TTL values give the enterprise some control over the distribution of update sets by limiting the lifespan of the update notifications corresponding to the update sets.

Abstract: Updates for an enterprise's software product are made available to user devices on-line, even when network resources of the enterprise are unavailable. Software update sets and notifications concerning the update sets may be published by an enterprise for consumption by content distribution partners of the enterprise and parties not affiliated with the enterprise. Each abstraction relating to an update, including update notifications and update sets may include a cryptographic signature for later use in authenticating the source of the abstraction. Update notifications also may include information indicative of: available update sets; and network locations at which the update sets can be accessed. Further, an update notification may be configured with a time-to-live (TTL) value indicating a value of time after which the notification expires. TTL values give the enterprise some control over the distribution of update sets by limiting the lifespan of the update notifications corresponding to the update sets.

Abstract: Updates for an enterprise's software product are made available to user devices on-line, even when network resources of the enterprise are unavailable. Software update sets and notifications concerning the update sets may be published by an enterprise for consumption by content distribution partners of the enterprise and parties not affiliated with the enterprise. Each abstraction relating to an update, including update notifications and update sets may include a cryptographic signature for later use in authenticating the source of the abstraction. Update notifications also may include information indicative of: available update sets; and network locations at which the update sets can be accessed. Further, an update notification may be configured with a time-to-live (TTL) value indicating a value of time after which the notification expires. TTL values give the enterprise some control over the distribution of update sets by limiting the lifespan of the update notifications corresponding to the update sets.

Abstract: Described is a technology by which encrypted content is pre-distributed to recipients during a pre-distribution timeframe, for example to distribute protected content to many clients in a controlled manner. At a release moment, a key for decrypting the encrypted content is released. For example, a software update may be pre-distributed in this manner, whereby many clients may receive the updates over time but the update cannot be analyzed for hacking purposes, e.g., to use the update to figure out a prior vulnerability. By rapidly and widely disseminating the key at the release moment, the update is installed on a large percentage of client systems before those systems can be exploited. The content may be allowed to expire before the key is released, or may be canceled or replaced. The content may include a complete file, and/or a delta file that changes another file into a resultant piece of content.

Abstract: A method and system for providing system event notifications to clients such as applications. Clients register for notification of one or more types of events with a registration mechanism, and a System Event Notification Service, (SENS), receives system event information and fires event notifications in response thereto. A distribution mechanism selectively communicates the fired event to each client registered for notification thereof based on the type of event. Events include network events, for which the service monitors the connectivity state of the machine, including whether a connection is established or lost, the type of connection (LAN/WAN) and bandwidth information. To monitor a LAN state, the service caches outgoing and incoming network information including errors and packet counts and statistically evaluates this cached information against current information to determine whether the connection is established or lost.

Abstract: A method and system for providing system event notifications to clients such as applications. Clients register for notification of one or more types of events with a registration mechanism, and a System Event Notification Service, (SENS), receives system event information and fires event notifications in response thereto. A distribution mechanism selectively communicates the fired event to each client registered for notification thereof based on the type of event. Events include network events, for which the service monitors the connectivity state of the machine, including whether a connection is established or lost, the type of connection (LAN/WAN) and bandwidth information. To monitor a LAN state, the service caches outgoing and incoming network information including errors and packet counts and statistically evaluates this cached information against current information to determine whether the connection is established or lost.

Abstract: A method and system for providing system event notifications to clients such as applications. Clients register for notification of one or more types of events with a registration mechanism, and a System Event Notification Service, (SENS), receives system event information and fires event notifications in response thereto. A distribution mechanism selectively communicates the fired event to each client registered for notification thereof based on the type of event. Events include network events, for which the service monitors the connectivity state of the machine, including whether a connection is established or lost, the type of connection (LAN/WAN) and bandwidth information. To monitor a LAN state, the service caches outgoing and incoming network information including errors and packet counts and statistically evaluates this cached information against current information to determine whether the connection is established or lost.

Abstract: Described is a technology by which encrypted content is pre-distributed to recipients during a pre-distribution timeframe, for example to distribute protected content to many clients in a controlled manner. At a release moment, a key for decrypting the encrypted content is released. For example, a software update may be pre-distributed in this manner, whereby many clients may receive the updates over time but the update cannot be analyzed for hacking purposes, e.g., to use the update to figure out a prior vulnerability. By rapidly and widely disseminating the key at the release moment, the update is installed on a large percentage of client systems before those systems can be exploited. The content may be allowed to expire before the key is released, or may be canceled or replaced. The content may include a complete file, and/or a delta file that changes another file into a resultant piece of content.

Abstract: Updates for an enterprise's software product are made available to user devices on-line, even when network resources of the enterprise are unavailable. Software update sets and notifications concerning the update sets may be published by an enterprise for consumption by content distribution partners of the enterprise and parties not affiliated with the enterprise. Each abstraction relating to an update, including update notifications and update sets may include a cryptographic signature for later use in authenticating the source of the abstraction. Update notifications also may include information indicative of: available update sets; and network locations at which the update sets can be accessed. Further, an update notification may be configured with a time-to-live (TTL) value indicating a value of time after which the notification expires. TTL values give the enterprise some control over the distribution of update sets by limiting the lifespan of the update notifications corresponding to the update sets.

Abstract: A method and system for providing system event notifications to clients such as applications. Clients register for notification of one or more types of events with a registration mechanism, and a System Event Notification Service, (SENS), receives system event information and fires event notifications in response thereto. A distribution mechanism selectively communicates the fired event to each client registered for notification thereof based on the type of event. Events include network events, for which the service monitors the connectivity state of the machine, including whether a connection is established or lost, the type of connection (LAN/WAN) and bandwidth information. To monitor a LAN state, the service caches outgoing and incoming network information including errors and packet counts and statistically evaluates this cached information against current information to determine whether the connection is established or lost.

Abstract: Context-aware computing systems and methods are described. In some embodiments the context of a computing device is determined by assigning privacy levels to one or more applications that are configured to call a context service module on the computing device to obtain context information from the context service module. A device context is determined with the context service module using context information that is provided by multiple different context providers. A query is received from an application that requests context information pertaining to the context of the computing device and a privacy level associated with the application from which the query was received is determined. Device context information is then selected in accordance with the privacy level of the application from which the query was received. The selected device context information is then returned to the application from which the query was received.

Abstract: Restricted execution contexts are provided for untrusted content, such as computer code or other data downloaded from websites, electronic mail messages and any attachments thereto, and scripts or client processes run on a server. A restricted process is set up for the untrusted content, and any actions attempted by the content are subject to the restrictions of the process, which may be based on various criteria. Whenever a process attempt to access a resource, a token associated with that process is compared against security information of that resource to determine if the type of access is allowed. The security information of each resource thus determines the extent to which the restricted process, and thus the untrusted content, has access. In general, the criteria used for setting up restrictions for each untrusted content's process is information indicative of how trusted or untrusted the content is likely to be.

Abstract: Restricted execution contexts are provided for untrusted content, such as computer code or other data downloaded from websites, electronic mail messages and any attachments thereto, and scripts or client processes run on a server. A restricted process is set up for the untrusted content, and any actions attempted by the content are subject to the restrictions of the process, which may be based on various criteria. Whenever a process attempt to access a resource, a token associated with that process is compared against security information of that resource to determine if the type of access is allowed. The security information of each resource thus determines the extent to which the restricted process, and thus the untrusted content, has access. In general, the criteria used for setting up restrictions for each untrusted content's process is information indicative of how trusted or untrusted the content is likely to be.

Abstract: An improved computer network security system and method wherein access to network resources is based on information that includes the location of the connecting user. In general, the less trusted the location of the user, the more the access rights assigned to the user are restricted. A discrimination mechanism and process determines the location of a user with respect to categories of a security policy, such as to distinguish local users, intranet users and dial-up users from one another. Based on information including the location and the user's credentials, an access token is set up that may restrict the user's normal access in accordance with the security policy, such as to not restrict a user's processes beyond the user-based security information in the user's normal access token, while further restricting the same user's access to resources when connecting via a dial-up connection.

Abstract: A remote procedure call marshaling architecture provides remote procedure call interoperability between computers having arbitrary native data format pointer sizes not conforming to an on-wire multicanonical data representation of the remote procedure calls. The architecture includes an interface description language compiler having a code path generic to effecting marshaling of data structures containing non-conformant pointers. When compiled to run on a computing platform having a native, non-conformant pointer size, the code path is automatically configured to effect marshaling of data structure containing pointers of the computing platform's native pointer size.

Abstract: A restrict ed access token is created from an existing token, and provides less access than that token. A restricted token may be created by changing an attribute of one or more security identifiers allowing access in the parent token to a setting that denies access in the restricted token and/or removing one or more privileges from the restricted token relative to the parent token. A restricted access token also may be created by adding restricted security identifiers thereto. Once created, a process associates another process with the restricted token to launch the other process in a restricted context that is a subset of its own rights and privileges. A kernel-mode security mechanism determines whether the restricted process has access to a resource by first comparing user-based security identifiers in the restricted token and the intended type of action against a list of identifiers and actions associated with the resource.

Abstract: A method and mechanism for interprocess communication between a thread of a client application and a thread of a server application. The mechanism includes a server listening thread and a client listening thread. The client thread sends a request to a server listening thread, and the server listening thread places the request in a message queue associated with the server thread. The request is received at the server thread and dispatched to a remote procedure for processing. Reply data received back from the remote procedure is sent to the client listening thread. The client listening thread notifies the client thread when the reply is received and gives the reply to the client thread.

Abstract: A method and system for delayed registration of a remote protocol for communicating between a client computer system and a server computer system. The server computer system has a communications process that registers a plurality of protocols. When the client process needs to communicate with the server process, it sends a request to the communications process along with an indication of the protocols that it supports. The communications process selects a protocol that is supported by both the client computer system and the server computer system and directs the server process to register that protocol. The communication process provides the server endpoint for that protocol to the client process which can then communicate directly with the server process.

Abstract: A method and mechanism for efficiently handling connections in a computer system between client sockets and data sockets of a server. The server includes a receive-any thread having a socket mask associated therewith to listen for new connection requests and for activity on data sockets handled thereby. The server further includes receive-direct threads associated with at least some of the data sockets for handling data communication. When a receive-direct connection has no activity for a period of time, the connection is migrated to a receive-any connection. When a receive-any connection becomes active, the connection is migrated to a receive-direct connection if a receive-direct thread is available.

Abstract: A method and system for preventing incorrect information from corrupting server object information maintained by a client machine. A DCOM client machine is provided with object reference information for accessing remote objects. DCOM unmarshals the information into server object information, including an object identifier and string bindings of a remote resolver through which the client machine may contact the remote server to obtain string bindings for that remote object. Each resolver string bindings received by a client machine are compared against known resolver string bindings and each unique permutation of string bindings is associated with a unique machine identifier locally generated therefor. Each object identifier is paired with its corresponding unique machine identifier so that all references to a remote object include the identity of the machine on which the object was created.