Lynn Langit Microsoft – Developer Evangelist.
Presentation transcript:

Windows 7 Builds on Windows Vista
- Few Changes: Most software that runs on Windows Vista will run on Windows 7; exceptions will be low-level code (AV, firewall, imaging, etc.). Hardware that runs Windows Vista well will run Windows 7 well.
- Few Changes: Focus on quality and reliability improvements.
- Deep Changes: New models for security, drivers, deployment, and networking.

- AppCompat & LightUp from XP to Win 7: User Account Control, Services Isolation
- From Vista to Win 7: Version checking, High DPI, Low-level binary changes
- UX: Taskbar, Libraries
- Internals: Trigger Start Services, Timer Coalescence
- New hardware: Multi touch, Sensors

The Application: Image Viewer
- WPF application; runs on XP, Vista and Win7
- On XP: basic functionality with no special OS features; manually create an album; crawler (expensive) service searching images; change skin; reset DB / reset configuration
- Lights up on Windows 7

Application Running on XP

The Application Running on 7: enhancing an existing Windows XP application with Windows 7 features
- IO Background Priority, Libraries, Trigger Start Services, Power Management, Command Links, Scheduled Tasks, PowerShell 2, Windows 7 Multitouch, Windows 7 Sensors, Application Restart and Recovery, Preview Handlers, Windows Search, Windows 7 Event Tracing, User Account Control, Windows 7 Taskbar, Transactional NTFS, Microsoft Management Console Snap-In, other…

Application Running on 7

Photo Viewer on Windows 7

Compat - New Folder Locations
- The “My Documents” folder structure has changed
- User data is now stored under the \users\%username%\ folder structure
- Pictures, Music, Documents, Desktop, and Favorites are all new folders directly under this structure
- The “My ” prefix was dropped from Documents, Music, etc.
- “All Users” became “Public” and \ProgramData
- My Documents still exists as a directory junction
- Use the SHGetKnownFolderPath APIs

Compat - Application Data Best Practices. Where to put your data:
1. Per-user configuration data goes into %LOCALAPPDATA% (roaming data into %APPDATA%)
2. Per-machine (shared) configuration data goes into %ALLUSERSPROFILE% (e.g. C:\ProgramData)
3. Per-machine (shared) user documents go into %PUBLIC%
4. Per-user documents go into %USERPROFILE%

Compat - User Account Control
- Applications run as Standard User by default
- Standard User has some permissions: run most applications, change per-user settings
- Standard User can NOT do many things: install applications, change system components, change per-machine settings; these require admin “privileges”

Windows UAC
- All users run as Standard User by default
- Filtered token created during logon
- Only specially marked apps get the unfiltered token
- Explicit consent required for elevation
- Predictable shell elevation paths
- High application compatibility
- Data redirection: enabling legacy apps to run as standard user
- Installer Detection

UAC Architecture (Standard User Rights vs. Administrative Rights)
- Admin logon for the user (Abby) produces two tokens: a “Standard User” token and an Admin token

UAC Architecture, Standard User Mode
- User processes run with standard user privilege: change time zone, run IT-approved applications, install fonts, install printers, run MSN Messenger, etc.

UAC Architecture, Admin Privileges
- Standard user privilege: the same user processes as above (change time zone, run IT-approved applications, install fonts, install printers, run MSN Messenger, etc.)
- Admin privilege: admin processes such as Install Application, Configure IIS, Change Time
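As an added example (not from the talk), this PowerShell function shows the two tokens from the diagram in action: run it from a normal prompt and again from an elevated one and compare. `whoami` and the .NET WindowsPrincipal check are standard Windows components; the function names are mine.

```powershell
# Added example: report which of the two UAC tokens this process was given.
# Under the filtered "Standard User" token, BUILTIN\Administrators is still in
# the token but is marked "Group used for deny only", so it can never grant
# access; IsInRole() therefore returns $false until the user elevates.
function Get-UacTokenState {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity
    $adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator

    # whoami exposes the per-group attributes that .NET does not surface.
    $groups   = whoami /groups /fo csv | ConvertFrom-Csv
    $adminRow = $groups | Where-Object { $_.SID -eq 'S-1-5-32-544' }   # BUILTIN\Administrators
    $label    = $groups | Where-Object { $_.Type -eq 'Label' }         # mandatory integrity label

    [pscustomobject]@{
        User              = $identity.Name
        IsElevated        = $principal.IsInRole($adminRole)
        AdminGroupPresent = [bool]$adminRow
        AdminDenyOnly     = [bool]($adminRow -and $adminRow.Attributes -match 'deny only')
        IntegrityLevel    = $(if ($label) { $label.'Group Name' } else { 'unknown' })
    }
}

# The supported shell elevation path: the "RunAs" verb goes through the
# Consent/Credential UI; a program cannot grant itself the admin token.
function Start-Elevated {
    param(
        [string]$FilePath = 'powershell.exe',
        [string[]]$ArgumentList
    )
    $params = @{ FilePath = $FilePath; Verb = 'RunAs' }
    if ($ArgumentList) { $params['ArgumentList'] = $ArgumentList }
    Start-Process @params
}

Get-UacTokenState | Format-List
```

From a standard prompt the output shows AdminGroupPresent true, AdminDenyOnly true and IsElevated false; after Start-Elevated the new window reports IsElevated true and a high integrity label.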

Consent UI: separate prompts for an OS application, an unsigned application, and a signed application

Credential UI

Demo

Designing for UAC
- 1st choice: make the application run as Standard User only
- 2nd choice: clearly identify administrative tasks; ensure standard users can be fully productive; identify tasks that need elevation with a “shield”

UX: The Shield
- Attached to controls to indicate that elevation is required to use their associated feature
- Has only one state (i.e. no hover, disabled etc.)
- Does not remember elevated state
- Not an unlock operation
- Can be programmatically set:
    HICON shieldIcon = LoadIcon(NULL, IDI_SHIELD);
    SendMessage(button, BCM_SETSHIELD, 0, TRUE);
  or using the macro in Commctrl.h:
    Button_SetElevationRequiredState(commandLink, TRUE);

Security Shield UI Examples

Application Manifests
- Vista-aware applications embed an XML manifest
- The manifest contains a requestedExecutionLevel:
  - asInvoker: launch with the same token as the parent process
  - highestAvailable: launch with the highest token this user possesses
  - requireAdministrator: the highest token of the user is provided; the user must be a member of the Administrators group

Finding/Solving UAC Issues
- Do you? Write to Program Files, Windows, System32, HKLM\Software, or the root of a drive? Create anything “globally”? Use Windows messages between isolation levels?
- Try: running the application “As Administrator”; testing with UAC off
- Tools: Process Monitor; Standard User Analyzer
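An added PowerShell example (not from the talk) for the manifest and troubleshooting slides: it reads the requestedExecutionLevel out of manifest XML, and optionally pulls the embedded manifest from an executable. It assumes the Windows SDK's mt.exe is on PATH for the extraction helper; the sample manifest and function names are constructed.

```powershell
# Added example: read the UAC settings out of an application manifest.
# Manifests declare trustInfo in either the asm.v2 or asm.v3 namespace, so the
# XPath matches on local-name() instead of binding a namespace manager.
function Get-ManifestExecutionLevel {
    param([Parameter(Mandatory)][string]$ManifestXml)

    $doc  = [xml]$ManifestXml
    $node = $doc.SelectSingleNode('//*[local-name()="requestedExecutionLevel"]')

    if (-not $node) {
        # No requestedExecutionLevel: for a 32-bit interactive app UAC treats it
        # as legacy and applies file/registry data redirection (virtualization).
        return [pscustomobject]@{ Level = 'absent (legacy, virtualized)'; UiAccess = $false; NeedsElevation = $false }
    }
    $level = $node.GetAttribute('level')
    [pscustomobject]@{
        Level          = $level
        UiAccess       = ($node.GetAttribute('uiAccess') -eq 'true')
        NeedsElevation = ($level -eq 'requireAdministrator')   # prompts on every launch
    }
}

# Pull the embedded manifest (resource id #1) out of an executable with the
# Windows SDK's mt.exe. Assumes mt.exe is on PATH; this helper is added here.
function Get-ExeManifest {
    param([Parameter(Mandatory)][string]$Path)
    $tmp = [IO.Path]::GetTempFileName()
    try {
        & mt.exe -nologo "-inputresource:$Path;#1" "-out:$tmp" | Out-Null
        if ($LASTEXITCODE -ne 0) { return $null }   # no embedded manifest
        Get-Content -Path $tmp -Raw
    } finally {
        Remove-Item -Path $tmp -ErrorAction SilentlyContinue
    }
}

# Constructed sample manifest (not taken from any real product).
$sampleManifest = @'
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="asInvoker" uiAccess="false"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>
'@

Get-ManifestExecutionLevel -ManifestXml $sampleManifest
```

Running it over every executable in a product's install folder (Get-ExeManifest piped into Get-ManifestExecutionLevel) gives a quick inventory of which binaries still demand requireAdministrator.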

Windows Services Basics
- Started and managed by the Service Control Manager (SCM)
- Controlled by the SCM: starting and stopping services (Disabled, Manual and Automatic); managing running services; maintaining service-related state information (Started, Stopped, Paused)
- Services can run in their own process or in a shared host process (e.g. svchost.exe)

Services and Security
- Attractions for malware: may be configured to auto-start on boot; potential to run from boot without using well-known auto-start methods; often run in highly privileged contexts
- As mentioned, a service runs outside of UAC and enables an app to potentially take control of UAC behavior (e.g. MSI)
- Services can run in their own process or in a shared host process

Sessions in XP/W2K/WS03: Session 0 holds a single window station and desktop shared by the screen saver, login, services and the first user's windows, which is what made the Shatter Attack possible.

Sessions in Win7/Vista/Windows 2008: Session 0 holds a window station and desktop for services only; Session 1 holds the screen saver, login and the first user's windows. Secure.

Session 0 Isolation

Service Hardening
- Windows XP services made great attack vectors: running in a shared session, usually with high privilege, sometimes with UI (interactive services), so we had Shatter Attacks; good reasons to have service isolation in session 0 and Mandatory Integrity Control
- Windows Vista and 7: services run outside of UAC; ISVs may be tempted to circumvent OS security; the potential attack surface has lessened, so services are a more attractive target

Three Service Hardening Designs
- Services need to run least privileged
- Services can now have their own SID
- This can be used to lock down / sandbox the resources that the service has access to

Perf Enhance - Trigger Start Service
- New in Windows 7: the SCM registers for system events via interesting providers: device arrival, IP address, domain join and leave, group policy updates, custom Event Tracing for Windows events
- The SCM starts or stops registered services: TabletInputService is started only if a digitizer is present; StorSvc starts when group policy updates are applied, then automatically stops

Trigger Start Examples (service name: description; trigger type)
- AELookupSvc: Processes application compatibility cache requests for applications as they are launched; Custom ETW
- BDESVC: Provides BitLocker client services for user interface and auto-unlocking of data volumes; Custom ETW
- BTHSERV: The Bluetooth service supports discovery and association of remote Bluetooth devices; Device
- SensorsMTPMonitor: Monitors MTP (Media Transfer Protocol) sensors (such as a cell phone with a GPS receiver) to communicate sensor data to programs; Device
- TabletInputService: Enables Tablet PC pen and ink functionality; Device
- WinDefend: Protection against spyware and potentially unwanted software; Group Policy
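An added PowerShell example (not from the talk) covering both the service hardening and trigger start slides: it inventories, for each service, the logon account, the per-service SID type, the privilege set and the number of registered start/stop triggers. sc.exe qsidtype, qprivs and qtriggerinfo are built-in Windows 7+ commands; the function name and output shape are mine.

```powershell
# Added example: audit how services on this machine are configured against the
# hardening levers the talk names (account, per-service SID, restricted
# privileges) and whether they use a start trigger instead of auto-start.
function Get-ServiceHardeningInfo {
    param([string[]]$Name = (Get-Service | Select-Object -ExpandProperty Name))

    # Win32_Service gives the logon account and start mode in one query.
    $cim = @{}
    Get-CimInstance -ClassName Win32_Service | ForEach-Object { $cim[$_.Name] = $_ }

    foreach ($svc in $Name) {
        # SERVICE_SID_TYPE: NONE | UNRESTRICTED | RESTRICTED
        $sidLine = sc.exe qsidtype $svc | Select-String -Pattern 'SERVICE_SID_TYPE'
        $sidType = if ($sidLine) { ($sidLine.Line -split ':')[-1].Trim() } else { 'unknown' }

        # Privileges the SCM leaves in the process token; an empty list means
        # "everything the account has", i.e. no restriction was configured.
        $privs = sc.exe qprivs $svc |
            Select-String -Pattern 'Se\w+Privilege' -AllMatches |
            ForEach-Object { $_.Matches.Value }

        # Each START SERVICE / STOP SERVICE heading is one registered trigger.
        $triggers = @(sc.exe qtriggerinfo $svc |
            Select-String -Pattern '^\s*(START|STOP) SERVICE').Count

        $info = $cim[$svc]
        [pscustomobject]@{
            Name         = $svc
            Account      = $(if ($info) { $info.StartName } else { 'unknown' })
            StartMode    = $(if ($info) { $info.StartMode } else { 'unknown' })
            SidType      = $sidType
            Privileges   = @($privs)
            TriggerCount = $triggers
        }
    }
}

# The "attractive target" profile from the slides: LocalSystem, no per-service
# SID, no privilege restriction. Auto-start entries with no trigger are the
# ones worth converting to a trigger or a scheduled task.
Get-ServiceHardeningInfo |
    Where-Object { $_.Account -eq 'LocalSystem' -and $_.SidType -eq 'NONE' -and $_.Privileges.Count -eq 0 } |
    Sort-Object StartMode |
    Format-Table Name, Account, StartMode, SidType, TriggerCount -AutoSize
```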

Service or Scheduled Task?
- Windows Service: continuous activity from boot to shutdown; Service Control Manager (SCM) programming model; can specify dependencies
- Scheduled Task: short-duration action; idle activity; take action on user login; standalone executable or out-of-process COM server; generally executes in the user session

Compat - Operating System Version
- Windows 7 is … Windows 6.1? (for Vista compat): dwMajorVersion stays the same, dwMinorVersion changes
- Remediation: check for features, not versions
- If checking for version, use >= (check the OS version as >= so that your app can work on future releases of the OS)
- Version lies
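An added PowerShell example (not from the talk) that runs the three kinds of version check against a constructed list of major.minor values, shows where the reported version can lie, and ends with the feature probe the slide recommends instead. The P/Invoke declarations wrap the real kernel32 exports; SetCurrentProcessExplicitAppUserModelID is used only as a sample Windows 7 export to probe for.

```powershell
# Added example: how an app might gate on OS version, against constructed
# GetVersionEx-style values. Windows 7 is 6.1, so "== 6.0" breaks on it.
function Test-VersionCheck {
    param(
        [Parameter(Mandatory)][string]$Actual,
        [string]$Required = '6.0'                # "needs Vista or later"
    )
    [pscustomobject]@{
        Actual        = $Actual
        EqualityCheck = ($Actual -eq $Required)                    # false on 6.1, 6.2, 10.0
        StringGe      = ($Actual -ge $Required)                    # lexical: '10.0' sorts before '6.0'
        VersionGe     = ([version]$Actual -ge [version]$Required)  # numeric >=, what the slide asks for
    }
}

# Constructed samples: XP, Vista, Windows 7, Windows 8, Windows 10.
'5.1', '6.0', '6.1', '6.2', '10.0' |
    ForEach-Object { Test-VersionCheck -Actual $_ } | Format-Table -AutoSize

# "Version lies": for a process without a compatibility manifest, newer Windows
# reports an older version through the legacy API that [Environment]::OSVersion
# wraps. WMI asks the OS directly; compare the two on a current machine.
function Get-ReportedOsVersions {
    [pscustomobject]@{
        LegacyApi = [Environment]::OSVersion.Version
        Actual    = [version](Get-CimInstance -ClassName Win32_OperatingSystem).Version
    }
}

# Feature check instead of version check: does the export we need exist?
# Added P/Invoke wrappers over the documented kernel32 loader functions.
Add-Type -Namespace Win32 -Name Loader -MemberDefinition @'
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern IntPtr LoadLibrary(string lpFileName);
[DllImport("kernel32.dll", CharSet = CharSet.Ansi, SetLastError = true)]
public static extern IntPtr GetProcAddress(IntPtr hModule, string procName);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool FreeLibrary(IntPtr hModule);
'@

function Test-ApiExport {
    param([Parameter(Mandatory)][string]$Module, [Parameter(Mandatory)][string]$Export)
    $h = [Win32.Loader]::LoadLibrary($Module)
    if ($h -eq [IntPtr]::Zero) { return $false }
    try   { [Win32.Loader]::GetProcAddress($h, $Export) -ne [IntPtr]::Zero }
    finally { [void][Win32.Loader]::FreeLibrary($h) }
}

# Sample probe: the Windows 7 taskbar API; true on 7 and later, false on Vista/XP.
Test-ApiExport -Module 'shell32.dll' -Export 'SetCurrentProcessExplicitAppUserModelID'
```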

Compatibility Tab Layers

Shim: an application compatibility fix that implements Windows API hooks. The shim engine is responsible for applying the shims: load the shim DLL; retrieve the APIs which should be hooked; review the import table of the application to determine where hooks should be placed; overwrite the addresses of the API calls with the address in the shim.

How Shims are Loaded (shims are applied per executable): the loader maps the executable and statically linked DLLs into memory; the shim engine applies the API hooks; the initialization routines run.
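An added PowerShell example (not from the talk) for the compatibility-tab and shim slides: since shims rewrite an application's import table at load time, a defender wants an inventory of what the compatibility infrastructure is configured to apply. It reads the documented AppCompatFlags registry keys (Layers for per-executable layers, InstalledSDB for custom shim databases); the function names are mine.

```powershell
# Added example: inventory the compatibility layers and custom shim databases
# configured on this machine. Layers come from the Compatibility tab (per user
# in HKCU, for all users in HKLM); InstalledSDB lists databases from sdbinst.
function Get-CompatibilityLayers {
    $roots = @(
        @{ Hive = 'HKCU'; Path = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers' },
        @{ Hive = 'HKLM'; Path = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers' }
    )
    foreach ($root in $roots) {
        if (-not (Test-Path -Path $root.Path)) { continue }
        $item = Get-ItemProperty -Path $root.Path
        foreach ($prop in $item.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }    # PSPath/PSParentPath/... provider noise
            # Value looks like "~ WINXPSP3 RUNASADMIN HIGHDPIAWARE"; "~" is the tab's marker.
            $layers = @($prop.Value -split '\s+' | Where-Object { $_ -and $_ -ne '~' })
            [pscustomobject]@{
                Hive            = $root.Hive
                Executable      = $prop.Name
                Layers          = $layers
                ForcesElevation = ($layers -contains 'RUNASADMIN')   # adds a UAC prompt to every launch
                TargetExists    = (Test-Path -LiteralPath $prop.Name)
            }
        }
    }
}

function Get-InstalledShimDatabases {
    $key = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB'
    if (-not (Test-Path -Path $key)) { return }
    Get-ChildItem -Path $key | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        [pscustomobject]@{
            Id          = $_.PSChildName                # GUID assigned at install time
            Description = $p.DatabaseDescription
            Path        = $p.DatabasePath
            Exists      = ([bool]$p.DatabasePath -and (Test-Path -LiteralPath $p.DatabasePath))
        }
    }
}

Get-CompatibilityLayers    | Format-Table -AutoSize
Get-InstalledShimDatabases | Format-Table -AutoSize
```

Entries whose target executable no longer exists, or databases whose .sdb file is missing, are stale configuration worth cleaning up; RUNASADMIN layers are the ones that undo the "run as Standard User" design goal.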

Compat – Misc Regressions
- Removal of Windows Mail
- Removal of Windows Movie Maker
- NLS sorting changes
- Internet Explorer 8 user agent string
- Removal of Windows Registry Reflection
- Removal of the WPDUSB.SYS driver for Windows Portable Devices
- Microsoft Message Queuing (MSMQ)

Problem Step Recorder (%windir%\system32\psr.exe)
- Allows testers and users to track, step by step, exactly what an application is doing, creating an .mht file with screenshots illustrating the bug reproduction
- Creates a .zip file containing the .mht file
- Integrated with Dr. Watson for Windows

This Was Very Surprising To Us…
Monitor max resolution vs. % of users set to the maximum: 1280x1024: 56%; 1400x1050: 79%; 1600x1200: 32%; 1680x1050: 66%; 1920x1050: 39%; 1920x1200: 78%; average set to the default: 55%.
Details for users with a max resolution of 1600x1200 (user's chosen resolution and % using it): 640x480: 1%; 800x600: 7%; 1024x768: 57%; 1280x1024: 3%; 1600x1200: 32%; total: 100%.
Users are lowering their screen resolution to get larger text…

High DPI - Why Do We Care?
- Non-native resolution negates the value of high-fidelity displays
- Text looks blurry because ClearType requires native resolution
- Can’t display native high-def content: 720p high-definition video requires 1280x720 resolution; 1080p requires 1920x1080; megapixel photos require 1600x1200 native
- Many people accidentally select a non-native aspect ratio: pixelated content does not take advantage of the display; non-native aspect ratio settings “squish” content

High DPI Issues: clipped text; layout issues and image size issues; pixelated bitmaps; WinForms issues; blurry UI; mismatched font sizes

Graphics Improvements in Windows 7

Graphics APIs for Rich Client Applications: GDI, GDI+, DirectX and WPF, compared on native development, managed development, hardware acceleration, immediate mode, primarily rendering, and input, focus, events and controls

When to use which API (in increasing order of hardware exploitation)
- GDI: when the application needs to work on all Microsoft OSs and the lowest-common-denominator functionality is sufficient
- WPF: when the application needs richness but needs to be built quickly and there is no need for fine-grained control over hardware performance and features
- DirectX: when the application needs control over features and performance

Advancing the platform (area: existing API(s); challenges; Windows 7 answer)
- 3D: D3D3…D3D10; not always available (no HW, server, remoted); Direct3D
- 2D: GDI, GDI+; quality, performance; Direct2D
- Text: GDI; quality, not up to date; DirectWrite
- Imaging: GDI, GDI+, WIC; extensive format support, security; updated WIC
- Device control: GDI; outdated notion of HW config; DXGI 1.1

Graphic Improvements in Windows 7 (Direct2D, Direct3D, DirectWrite with Segoe UI, DXVA & WIC)
- Windows 7 DWM memory consumption is cut by 50% per window
- Take advantage of the GPU’s computation power
- High-DPI support and high color
- Windows 7 DWM uses the Direct3D 10.1 API

Direct2D and DirectWrite: new APIs in Windows 7 for Win32 developers; interoperability; usable in a service context
- Direct2D: 2D graphics rendering tasks; increased performance and visual quality
- DirectWrite: vertical stack for text services: fonts, script processing, layout

Direct2D: New in Windows 7
- Rendering-focused immediate mode API: 2D vectors & geometry, bitmaps & text
- Hardware & software pipelines
- Built for performance on Direct3D 10.1
- Interoperable with Direct3D & GDI
- High quality rendering: per-primitive anti-aliasing & MSAA via Direct3D
- Remoted via Direct3D 10.1
- Printing support via XPS

Direct2D Performance

DirectWrite: modern typography; enables world-wide applications; ClearType advances; works with any rendering technology; hardware accelerated via Direct2D; best reading experience for the PC

Gabriola

DirectWrite

Call to Action: Fundamentals
- Compatible: UAC aware, support x64, sign files & drivers, no OS version checking, support multi-user sessions…
- Install to correct folders / transactional uninstall
- Self-certified with the new automatic Logo tool (FrontRunner)
- Resource optimized and more power aware
- Retire old “XP” services to Win 7 tasks; use triggered services
- Provide a troubleshooting pack & WER

Windows 7 Readiness Programs
- Make sure your applications work with Windows 7
- Allow MS to tell our customers about your apps: publish your support policy for Windows 7; list your solutions on the Compatibility Center
- Get the Windows 7 Logo: focused on compatible applications; simple process, no 3rd-party testing required

Resources
- Cookbooks: “Application Compatibility Cookbook”; “Windows 7 Application Quality Cookbook”
- MSDN Application Compatibility
- TechNet Windows Application Compatibility
- DevReadiness.org
- Channel 9

Track Resources
- Windows 7 RC Training for Developers
- Windows content on Channel 9
- Windows 7 Developer Center on MSDN
- Windows Application Compatibility Roadmap
- Windows 7 Blog for Developers
- My blog series #Win7DevSeries: http://blogs.msdn.com/SoCalDevGal
- My MSDN show: MSDN geekSpeak
- My Facebook group ‘Windows 7 Developers’: links, video & screencasts

Related Content
- Breakout Sessions: WCL201 Developing for Windows 7; WCL301 Windows Application Readiness for Developers; WCL302 Optimizing Your Application for the Windows 7 User Experience
- Whiteboard Session: WTB215 Windows Client Development Discussion
- Hands-on Lab: WCL08-HOL Windows 7: Mitigating Application Issues Using Shims

Resources: International Content & Community; Resources for IT Professionals; Resources for Developers; Microsoft Certification & Training Resources. Tech·Ed Africa 2009 sessions will be made available for download the week after the event from:

Required Slide: Complete a session evaluation and enter to win! 10 pairs of MP3 sunglasses to be won.

© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.