Beware of fake Paint.NET releases – or, there is no 4.0 yet!

I just received an e-mail from BetaNews this morning,

Rick,

Someone just submitted a 4.0 Alpha of Paint.NET. Do you want us to post this release? We would of course not post it over top of v3.36, but we would post it as a separate release.

Let me know.

Thank you

Well, that was strange — I haven’t publicly released anything! I have some people on the forum doing some private testing on the install/update changes, but nothing too exciting. So I wondered if one of them leaked it (they didn’t), and inquired further.

As it turns out, there’s another download site that’s hosting a file called "Paint.NET.4.00.Alpha.rar," no doubt based on a trusted user submission. This was then simply forwarded to BetaNews.

So I downloaded the file and pawed around, although I did not run the EXE inside of the RAR. Here’s what I found:

  1. The file size was wrong. Like I said in my previous post, the installer is currently 3.7MB. I really doubt that RAR can compress a heavily LZMA-compressed archive down by another 25%. (Or vice versa)
  2. The file name was wrong. "Paint.NET.4.00.Alpha.exe" is a good guess, but you can see even from the screenshot in my previous post that the file name I’m using is actually "Paint.NET.4.0.Install.exe" (I would put an Alpha in there for an Alpha release though, of course).
  3. The file version of the EXE was wrong. The real one would say 4.0.0.0 for the EXE-inside-the-ZIP. This one was 0.0.0.0.
  4. And here’s the kicker, the file wasn’t digitally signed by me. In fact, it wasn’t signed at all!

The first 3 can be faked easily enough, and I’m not worried about divulging that information. The last one cannot be faked*.

My conclusion was that it’s probably a virus, and so I told BetaNews not to publish the file. If it was a leak, that would be annoying but at least it would be reasonably "safe" (plus it would expire soon anyway, limiting the "damage").

So, how do you verify that you have a "genuine" Paint.NET installer? It all comes down to the 4th one: the digital signature. I sign every release of Paint.NET with a certificate that has the dotPDN LLC name on it. It will show up all throughout the process of downloading and installing it, because Windows and Internet Explorer like to remind you about it about 5 times.

Although, as a digression, the best way to make sure you have a "genuine" Paint.NET installer is to simply go to http://www.getpaint.net/ and go from there.

Anyway, when you run the installer EXE in Windows XP, you will get a dialog like this: (assuming you downloaded the ZIP from the website and ran the EXE from there — using something like WinRAR / WinZIP might not result in this)

Note how it highlights the Publisher name, which is dotPDN LLC. If you click on the name, you’ll get a dialog titled "Digital Signature Details". It should say, near the top, "This digital signature is OK." This is the same dialog you’ll see a little later in this post.

In Windows Vista, UAC will help you out here. You’ll get a dialog like this when you try to run the installer:

The dialog states "dotPDN LLC" again, and has the neutral colors as opposed to the big yellow warning version of the UAC dialog.

You can also verify the signature before you launch the program, which is of course a good thing. You want to get the installer EXE unpacked somewhere, then right click and go to Properties:

Next, go to the tab named "Digital Signatures." If there is no such tab, then the file is not signed and you’re done — the file is not from me, or is corrupted/incomplete somehow. You should see an entry for dotPDN LLC:

Go ahead and click the "Details" button for the final step of verification:

The key here is "This digital signature is OK." At that point you know the file is "genuine", and neither corrupt nor incomplete.
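
The Properties > Digital Signatures check described above can also be scripted. The following PowerShell is an added example, not code from the original post or from Paint.NET; the function name `Test-InstallerSignature` and the sample file path are hypothetical, and the only value taken from the post is the publisher name dotPDN LLC.

```powershell
# Added example: scripted form of the "Digital Signatures" tab check.
# Test-InstallerSignature is a hypothetical helper name.
function Test-InstallerSignature {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string] $Path,

        # Publisher name the post says appears on every genuine release.
        [string] $ExpectedPublisher = 'dotPDN LLC'
    )

    $file = Get-Item -LiteralPath $Path -ErrorAction Stop

    # Validates the embedded Authenticode signature: file hash, certificate
    # chain and trust. Status is 'NotSigned' when there is no signature at all
    # (the "no Digital Signatures tab" case) and 'HashMismatch' when the file
    # was altered after signing (the corrupt/incomplete case).
    $sig = Get-AuthenticodeSignature -LiteralPath $file.FullName

    # Read the signer's simple name (the certificate CN) rather than doing a
    # substring match on the full subject, so "Not dotPDN LLC Ltd" cannot pass.
    $publisher = $null
    if ($null -ne $sig.SignerCertificate) {
        $nameType  = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
        $publisher = $sig.SignerCertificate.GetNameInfo($nameType, $false)
    }

    $signatureOk = ($sig.Status -eq [System.Management.Automation.SignatureStatus]::Valid)
    $publisherOk = ($publisher -ceq $ExpectedPublisher)

    [pscustomobject]@{
        Path            = $file.FullName
        # Size and version are reported for reference only; the post notes
        # that both can be faked, so they do not affect the verdict.
        SizeBytes       = $file.Length
        FileVersion     = $file.VersionInfo.FileVersion
        SignatureStatus = $sig.Status
        StatusMessage   = $sig.StatusMessage
        Publisher       = $publisher
        Genuine         = ($signatureOk -and $publisherOk)
    }
}

# Sample call; the path is a hypothetical location of the unpacked installer.
$installer = '.\Paint.NET.4.0.Install.exe'
if (Test-Path -LiteralPath $installer) {
    $result = Test-InstallerSignature -Path $installer
    $result | Format-List
    if (-not $result.Genuine) {
        Write-Warning "Signature check failed: do not run $installer."
    }
}
```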

And hey, if someone says, "Hey I found an alpha of Paint.NET version 4.0!" the first thing you should do is go to the Paint.NET website. If it’s not there, then it’s not real!

And yes, I’ve informed the other download site that the "Paint.NET 4.00 Alpha" is probably a virus and that they should remove it.

* Well, I shouldn’t say it can’t be faked. No doubt someone will hack around and prove me wrong eventually. For now though, it’s a fairly safe statement to make.


Paint.NET v3.36 is now available!

This is mostly a servicing release to make some small improvements and to fix a few important bugs.

You can get it via the built-in updater by going to Help -> Check for Updates, or by going to the website: http://www.getpaint.net/

Enjoy!

List of changes:

  • Improved: Effect rendering should be a little faster now.
  • Changed: Implemented some changes to the "Add Noise" effect that were suggested by a forum member.
  • Changed: The canvas background color is now always #c0c0c0.
  • Changed: The auto-updater should now correctly detect .NET 3.5 and newer, which will help to save bandwidth when Paint.NET v4.0 is released (it will require .NET 3.5).
  • Fixed: Paint.NET now works on a system that has the .NET 3.5 SP1 "Client Profile" installed.
  • Fixed: When zoomed in and the cursor is to the top-left of the image (negative coordinates), the ruler is now highlighted in the correct area.
  • Fixed: The effect rendering system no longer sets the "Tag" property on the configuration dialog.
  • Fixed: Some incorrectly authored plugins would cause a crash when loading their support details (author, copyright, etc.).
  • Fixed: There was a bug in the color wheel for IndirectUI that caused it to show the wrong values at initialization.
  • Fixed: There was a performance problem for effects that used the IndirectUI color wheel control.
  • Fixed: In some rare cases, Paint.NET would crash while shutting down.
  • Fixed: When using the "Fixed Ratio" feature of the Rectangle Selection tool, it would crash if 0 was specified for both the width and height.

The Paint.NET install experience — Part 2, version 4.0

In my previous post I detailed the epic adventure of a normal user installing Paint.NET v3.xx on a "fresh" XP SP2 computer. I also said that I’ve made it a lot easier in Paint.NET v4. Let’s check it out:

Again, from the top, the user has excitedly downloaded the Paint.NET installer, and goes to double click on it …

The first thing we get is a dialog telling the user what’s going to be installed. Since this is a fresh XP SP2 box with no updates installed yet, they will need Windows Installer 3.1, .NET Framework 3.5 SP1, and of course Paint.NET. Compare this to the old dialog that tells the user what they need, and barely helps them to get it all.

Once the user clicks OK, the Windows Installer 3.1 package will be installed in automatic ("passive") mode. Installation will begin immediately, and the user will not need to click on any "Next" or "Finish" buttons. It will close once it’s done.

It installs fairly fast, and that’s good because most people will have no clue what any of the stuff on the dialog means.

Next, the .NET Client Profile package will also be installed in automatic ("passive") mode. Installation begins immediately — there’s no need to futz with buttons saying Accept, Next, or Finish, and it closes once it’s done.

This part can take a while depending on your Internet connection, and I really wish they had a better UI to indicate this. The alternative is to add tens of megabytes to the download ZIP. I haven’t customized the graphics in the .NET Framework Client Profile installer yet, but I plan to in order to make it more apparent that this is part of the Paint.NET install flow.

Finally, the Paint.NET v4 installer is launched! Ok, now the user finally has to worry about buttons saying Next, Accept, and Finish.

Note that the header graphics are just placeholders, I’m still figuring out what exactly I want there. I need a good "night" picture to put behind the white-text version of the logo 🙂

The installation progresses …

By the way, the "optimizing" portion of installation is much faster now with .NET 3.5 SP1 because of improvements to NGEN.

Once the user clicks "Finish" on the last page of the installer, they will be asked to reboot. This is because Windows Installer 3.1 requires it. (Remember, this blog post details installation on a "fresh" XP SP2 system! Most users will not have to worry about this rebooting nonsense.) I’ve written my install flow to only require a reboot at the very end of all the installations. Rebooting in the middle causes a lot of continuity problems and is a horrible user experience. Most systems won’t have to reboot though, as Microsoft has done a pretty good job of not requiring it for .NET itself. The v3.xx releases of Paint.NET actually cheat here and simply tell the user they should restart. Most people don’t see this, or ignore it, and it actually causes crashes and whatnot. So, yes, a new feature of Paint.NET v4: a reboot dialog! You heard it here first! 🙂

And there you have it. Once the user has their hands on the Paint.NET v4 installer, that’s all they have to figure out. The rest is done for them. Once they restart, they’ve got Paint.NET installed. No ifs, ands, or buts. The barrier to entry for Paint.NET has been dramatically reduced.

So far the Paint.NET v4 download is about 3.7MB and includes Windows Installer 3.1, .NET Framework 3.5 SP1 Client Profile bootstrapper, Visual C++ 2008 SP1 runtimes (x86 and x64)*, the OpenMP redistributable (x86 and x64), and of course Paint.NET. I’ve done a lot of work and experimenting to figure out the best way to pack things together to get the smallest download possible — that 3.7MB actually expands to over 20MB in the temp directory!

Anyway that’s enough on the installer for now. My next chunk of work on Paint.NET v4 is in the guts of the rendering engine with the goal of dramatically reducing the memory footprint, and increasing rendering throughput on many-core (4x and up) systems.

* Version 3.xx uses the static versions of the runtime. Using the DLL version is preferred, for various reasons, and so I decided that Paint.NET v4 would finally switch to it.

The Paint.NET install experience — Part 1, version 3.xx

Note #1: This blog post is fairly long because it is image intensive. The point is to illustrate what a massive task this is 🙂 Don’t worry though, I ran the images through PNGOUT.

Note #2: If you haven’t already done so, I highly recommend that you go and install .NET 3.5 SP1 immediately!

Ok. I’ll admit it: getting Paint.NET v3.xx installed for many users is a massive chore. If you take a normal user, they almost certainly don’t have the .NET Framework installed. If it’s a newly formatted or purchased computer, it might even be a "fresh" XP SP2 installation that doesn’t even have Windows Installer 3.1 installed (which the .NET Framework requires).

One of the most educational things I ever saw was on Google Video called, "Paint.NET Install Part 1" (there’s also a part 2!). First, why should a tutorial be necessary? I should make my installer so easy as to make that completely unnecessary. Second, it was very enlightening to watch where the guy fumbled or was confused by things. I highly recommend watching that tutorial video if you want insight into just how unfriendly installing a .NET client application can be. (Note that I’m not trying to disparage the author of that video at all!)

Anyway, back to the blog post. Let’s journal a normal user’s adventure toward installing Paint.NET v3.xx. This user will excitedly download the 1.6MB Paint.NET v3.35 installer only to be bombarded with ridiculousness:

"Hi, I’m the Paint.NET installer. Hey, you need to install .NET — go here to download it!"

Ok, so the user goes to the website, fumbles around, clicks "Download" …

Then they click Open, and then … "Hi, I’m the .NET installer. You don’t have Windows Installer 3.1, come back when you do!"

(Why can’t it just download it for them?) When the user clicks "Exit Setup," they are left at a blank desktop. I think the next thought they have will be, "Huh? Now what?" But hey, let’s see what happens if the user gains psychic abilities and manages to find this mystical "Windows Installer 3.1" :

Forget for a moment that nobody other than people like myself and Scott Hanselman even know what "redistributable" even means (yes, I’ve had friends/family ask me if they are downloading the "right" thing as they were confused by what-in-the-world a "redistributable" was). So they managed to download it from the very unintuitive download page…

The user clicks next and continue a few times … and they got it installed! But what’s this?

They have to restart. Boo. Let’s assume the user manages to restart now and remember to come back to installing Paint.NET.



"Please wait forever."

The user is once again at a blank desktop. Is Paint.NET installed? Where is it? Well, hmm, it isn’t installed. Let’s assume the user once again harnesses their psychic power and double-clicks the Paint.NET download again (or, just as likely, they re-download it from the website).

Argh! I thought I already did that! Ok. The user channels their psychic powers to once again run the .NET installer …

Not that the stuff on this dialog box makes any sense to a normal user … but most people have gotten used to clicking "Accept" and then "Next". Although the download time estimate of 2 hours is quite a turn-off.



"Please wait forever."

Yes, please wait forever. Hope you aren’t on dial-up! Next, .NET is done installing:

If the user is really unlucky at this point, then another reboot will be required.

So … is Paint.NET installed? Hmm, where is it … I can’t find it. I’ll tap into those psychic powers and double click the Paint.NET installer again (this is the 3rd time!).

Oh thank goodness! Although then they get this fun part, which with a fresh .NET installation can actually take quite a while (it actually times out after 4 minutes):



"Please wait forever."

Other than that installation generally goes smoothly, and then the user has Paint.NET installed.

Updating it at this point is fairly painless and easy. It only took like 6 downloads*, 3 setup wizards, a reboot, and about 1 hour of time… I’m almost amazed that any Windows XP users have managed to install Paint.NET at all. Or any .NET client software for that matter.

This whole process is no big deal for someone like myself, as I already know what needs to be installed and exactly where to click on things (relative to the normal user, I am "psychic"). But when’s the last time you met someone outside of Redmond who really knows and cares what "Windows Installer" is?

Anyway, in the next post I’ll detail how much better Paint.NET v4 is for this important deployment scenario. It’s a combination of a much smarter installation package and the new .NET 3.5 SP1 Client Profile.

* Assume that the user is not perfectly organized and just re-downloads the Paint.NET and .NET Framework installers whenever prompted to, as opposed to keeping them in a "Downloads" folder and remembering their names and which ones to click on at the right moments. This is actually quite normal! 🙂

The Second Paint.NET v4 Screenshot

Like I said before, the first concrete work I’m doing for Paint.NET v4 is focused on the installer and updater. A lot of people have told me that they use Paint.NET infrequently, or that when they start it up they "just want to get something done really quickly." Updates really get in the way of that, and people are starting to get used to Firefox’s ability to install an update after you’ve finished your current session. As a result, many people are still sitting on old versions of Paint.NET. Bummer 😦

Paint.NET v4 will support this:

I’m choosing to not have a "cancel" or "do not install" button in order to better encourage (trick?) people into installing the update. However, it’s still possible to skip out on installing the update … just click the ‘X’ in the top right corner.

The wording and graphics are still first draft. I’ll probably want a separate button icon for each of them.

Unfortunately this all won’t be available until v4 ships … which means that a v3.xx -> v4 upgrade, which requires the installation of .NET 3.5 SP1 in many cases, cannot benefit from the more casual "install once I exit" option.

On another note, the "Optimizing performance for your system…" portion of installing, which uses ‘ngen.exe’ to precompile Paint.NET, is much faster now with .NET 3.5 SP1. I’ve also made the installer report real progress on this operation instead of using the "marquee" or "indefinite" mode.

Another thing I’m doing is implementing features in an order such that I could potentially ship a Paint.NET v3.50 from this codebase if I decided it was necessary. It might be a good idea to get .NET 3.5 SP1 installed on everyone’s systems sooner rather than later!

Paint.NET v4 takes a new, good turn (ixnay on the rewrite)

In my last post about Paint.NET v4, I said that I was going to be writing it "from scratch" — that it would be a rewrite from the ground up, in other words. I’ve since changed my mind.

You see, I got a few months into this rewrite project. I wrote a lot of code — 26,000 lines of it, in fact. However, the continually daunting task of finishing the next 150,000 lines of code and doing a reset on the 4 years of bug fixes in v3.xx made things … depressing. So, I’ve decided that I will turn back to the v3.xx codebase and work towards v4 from there.

However, don’t worry. The rewrite project, which is now called a "prototype," was not wasted time. I was able to work on and experiment with a lot of stuff in a nicely isolated fashion, and I now have a much better idea how I can refactor these into the existing [v3.xx] codebase. This includes some things for stuff like task management, extensibility, eventing, asynchronous programming, retained mode rendering, and an improved document model. This is actually a good example of quantity beating quality: by being able to iterate on all this enormous amount of code in isolation without the burden of the existing code base, I’ve been able to fine-tune it towards perfection.

In fact, I can’t stress that one word enough: depressing. Having 150,000 lines of code worth of work to do before you can even have something that’s feature parity with your already-shipping product, and that your users will even be interested in, is not fun. Next time you hear yourself thinking, "Rewriting this would be worth it," stop and switch over to thinking about prototyping in an isolated codebase instead of rewriting the existing codebase. I can write a lot of code really fast, and I like to think I’m very good at it, but this was just too much for me. Your code (and mine) may not be academic-proof or astronaut-quality, but that’s ok … because it already works.

Now, why don’t I talk some about version 4 itself and what’s happening.

The first features that I’ve been working on are focused on the installer and the updater. First, the installer will internalize the progress bar stuff — it will no longer have those annoying "child windows" for when it is installing things. For the update process, I am going to give a nod to Firefox and how it lets you install the update once the current session is complete. This is in response to a lot of feedback I’ve been getting from people who never install updates because they just want to get something done right now, and can’t be bothered to wait a few minutes for the update. It’s completely understandable — I do it myself. Changes to the installation and update code are always risky business, and as such I had been delaying these until I had a long, full test pass available (in other words, a major version update). And, to explain why they are risky business: if the installer or updater fails, then the user can’t use the product. Statistically speaking, they have disappeared from your userbase. They are gone. If your installer and updater work, then your Priority 0 feature is always making sure that it continues to work!

Oh, also, the installer will do a much better job of getting the .NET Framework installed if it isn’t there already. I’m taking advantage of the new Client Profile that’s available with .NET 3.5 SP1, and it rocks: it’s only about 300KB to include the bootstrapper!

This change of direction shouldn’t result in any lost or cut features. If anything it will dramatically shorten my schedule for v4. This is good news.

And in other news, expect a version 3.36 update once the Olympics are done. It will be a servicing release to fix some bugs, like the canvas background color one. I’ve settled on #c0c0c0, which is what Photoshop uses.