Session Code: CLI312 Windows “Longhorn:” Enhancements For A Trustworthy Application Experience Jude Kavalam Group Program Manager Microsoft Corporation judej@microsoft.com

Agenda Application experience on Windows XP Customer feedback Innovation in “Longhorn” for existing applications Call to action

Internet Connection Firewall Presentation Data Communication Communication Avalon Avalon Windows Forms Windows Forms ASP.NET WinFS WinFS ADO.NET Indigo Indigo Collaboration Document UI Media Object T/SQL XML Service Models Schemas Desktop Window Manager Controls Interop Engine Services Connectivity Messaging Services Desktop Services Adaptive UI Engine People Group ObjectSpaces People and Groups Synchronization (WinFS, Win32..) Channels (Datagram, Reliable, Peer, …) Policy Engine Calendar Media Queuing Eventing Routing Presentation Object Manager Desktop Composition Engine Application Services Page/Site Composition Document … DataSet Channel Security Collaboration History Media Services InfoAgent (PreferenceRules..) Data Model Transport Channels (IPC, HTTP, TCP…) Animation and Composition Media Processing Capture and Sourcing Designer Services Personalization and Profiling Services Items SQL XML Message Encoder Real-Time Activities System Services FileSystem Services (MetaDataHandlers..) Relationships Communications Manager (Port) Transaction Framework Hardware Rendering Software Rendering and Sinks Providers Controls Membership and Security Services Signaling Extensions Federation Base Operating System Services CLR Base Class Libraries Network Class Library Application Deployment Engine (Click-Once) Memory Manager Code Execution Loader Security Serialization Hosting Layer Network Services Demand Activation and Protocol Health PNRP Native WiFi SIP GDI/GDI+ Window Manager Global Audio Engine Direct 3D Graphics Transactions Identity & Security System Storage Management Services (Event Logs, Tracing, Probes, Auto Update, Admin) TCP Listener UDP Listener IPC Listener Graphics drivers Lightweight Transactions Transaction Coordinator Virtual Shadow Copy Service File Replication Service Virtual Disk Service Internet Connection Firewall DDI Input Manager Audio Drivers DirectX Graphics Mini port Kernel Transaction Manager Logging Service Redirectors Distributed File System Filter Manager Cache Manager Protocols Filter Engine TCP, UDP IPV4, IPV6 IPSEC QOS HTTP Listener Plug and Play Memory Manager Power Manager Config Manager Process Manager Security Reference Monitor LPC Facility Transacted NTFS Universal Data Format FAT 16/32 IO Manager Device Drivers Application Impact Management Kernel Mode Kernel SCSI/FC 802.3 802.11 .. Hardware Abstraction Layer

Base Operating System Services Transactions Storage Base Class Libraries Memory Manager Hosting Layer Code Execution Loader Security Serialization Lightweight Transaction Coordinator Kernel Transaction Manager Logging Service Kernel Hardware Abstraction Layer Process Manager Security Reference Monitor LPC Facility Power Manager Config Manager Plug and Play Transacted NTFS Cache Universal Data Format GDI/GDI+ Window Global Audio Engine Direct 3D Graphics Graphics drivers DDI Input Drivers DirectX Graphics Mini port Redirectors SCSI/FC Management Services (Event Logs, Tracing, Probes, Auto Update, Admin) IO Manager Application Deployment (Click-Once) Identity & System FAT 16/32 Filter Distributed File System Virtual Shadow Copy Service File Replication Service Virtual Disk CLR Base Operating System Services Application Impact Management

Introduction Windows XP significantly improved the OS experience Application experience still needs work Application fragility is caused by the negative impact of applications on the system or other applications Fragility is revealed by Internet Explorer crashes and hangs Application and system crashes and hangs Inability to remove undesirable applications (ad-ware, spy-ware, grenade-ware) Loss of application or system functionality Application performance degradation Slow down in boot time

Windows Error Data Top ten Microsoft application/component crashes

So What’s Up With IE/Explorer?!! Probably the world’s most frequently run applications They are both highly extensible applications At least 75% of the crashes are in extension code ActiveX controls, Browser Helper Objects, Shell Extensions, etc. Rank Description 1 Crash in extension code 2 Extension over release of IE COM objects 3 IE security fix or service pack regression 4 Crash due to extension, not on stack 5 Unknown 6 IE bug 7 Crash with extension on the stack 8 Extensions unloaded window proc

Application Caused Fragility Hurts Everybody Analyzed data of application impact on the file and registry; below, some highlights from the file system Analysis of Windows support calls % application fragility issues 31% App breaks OS 19% App breaks another app 3% Shared DLLs 71% of applications add files to Windows folders Installers Runtime libraries OCX controls, codecs Some fragility conditions Incomplete uninstalls Over deletes on uninstall Location sensitivity Call resolution Manually remove/disable app 43% Used ARP to remove app 23% No resolution 17% OS repair, reinstall 10% There were many calls where the cause of the problem was not clearly attributable and there were other cases where it was not clear what exactly fixed the problem

“Run As Admin” Makes It Worse Administrator privilege makes everything more dangerous Scope of attack Surface area Users have no choice Applications don’t install or run in LUA System functionality does not degrade in a helpful way

So What Do Customers Want? Make applications and drivers less dangerous Application undo Make “limited user” feasible Make administrators run as administrators only when needed Protect the system

Innovations In "Longhorn" By design managed applications have low impact Win32 applications need supervision Manage and attribute application impact Protect the system Applications can be completely uninstalled Installing and loading drivers Make it easy for ISVs to install drivers the right way Only signed drivers will be loaded Drivers can be attributed and fully uninstalled Protect COM hosts Administrators: the right privilege at the right time

Application Impact Management Windows Applications Application Windows Resource Protection Resources: files, folders, registry settings, etc. Protection mechanism Read only Application private copy on write User private copy on write Manage/log changes – for rollback System specifies protection for its resources Solutions enabled Predictable application impact True uninstall Application Application Windows Component specified protection for files and settings Copy on write Protect Log changes Protected system file and settings Shell Networking Mail Explorer PnP Etc.

Make COM Extensibility Robust

Installing And Loading Drivers Must be installed via PnP mechanisms App/driver tying Cleaner install/uninstall rollback For beta tools contact – DIFxBeta@microsoft.com Driver packages must be signed Goal is security independent of quality Signing methods Authenticode Signature Domain/Local Administrator

Right Privilege At The Right Time User accounts (Only two account types) Normal users runs with least-privileged Admin users runs with least-privileged Admin applications need privilege elevation Only trusted applications get to run with elevated privilege

Trust Application Execution Overview

Trust Evaluation Process Code validation is a human decision Authenticode signed manifests Certificate in the store Domain administrators signed Deployment manifest Local administrators blessed All machine have a signing key Default behavior changed by policy

Impact On Applications Compatibility: majority of applications will work Application impact management exception mechanism Running apps under LUA will have limitations Virtualization of protected keys and files will help Some applications will break

What You Can Do Create a signed manifest Update your installer technology Perform complete uninstalls Least privileged user access ActiveX controls - don’t assume full access Published extensibility mechanisms only Windows ISV Lab Pre-certification and compatibility testing and performance analysis Access to technology experts To schedule a visit contact your Microsoft account manager or e-mail isvlab@microsoft.com All ISVs are eligible

Windows Application Verifier Detect run time issues in Win32 applications Memory corruptions Hangs Security issues Reduces crashes 67.8% of 3rd party user mode crashes could have been detected using the AppVerifier Aids in Logo/Certification testing Non-administrator scenarios Resource management Version checking Available in the Application Compatibility Toolkit 3.0 http://www.microsoft.com/windows/appcompatibility/

Summary Remove the fear of using applications Application experience on “Longhorn” More reliable and robust Applications and drivers are safer Non Admin users are safer COM hosting is more stable Your to-dos Test and run as LUA Check ActiveX controls and shell extensions Use manifests Logo program and AppVerifier

© 2003-2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.