Using Application Compatibility Toolkit (ACT) 4.0 to Manage Application Compatibility on XP SP2 and Server SP1 Corey Hynes DSK304.

Presentation transcript:


Agenda
- Application Compatibility Toolkit goals
- Application compatibility challenges
- ACT 4.0 in Detail
  - Feature overview
  - Three-phase approach
    - Evaluate application compatibility issues
    - Mitigate compatibility issues
    - Deploy issue solutions
  - Architecture and Features
  - Areas of continued investment
- Call to Action
- Appendix
  - 7 Steps to Get Started with ACT 4.0
  - Top 10 Reasons to Deploy Microsoft Windows XP SP2

Goals
- Enable adoption of Microsoft Windows by reducing application compatibility as a deployment blocker
- Provide a unified, end-to-end system to address application issues
  - Tools for Evaluation
  - Tools for Mitigation
  - Tools for Deployment
- Listen, learn and respond to corporate application compatibility issues
- Provide a secure and privacy-compliant web service for customers to share application issues and solutions with Microsoft

Challenges (Windows XP)
- Changes to Microsoft Windows XP code base
  - 9x was more “relaxed” in heap management
  - Subtle changes in Win32 API behavior
  - Registry value changes
- Changes to folder location
  - Documents & Settings
  - My Documents
- Applications with platform-specific drivers
  - Common in anti-virus, backup and partitioning software
- Applications hard-coding to work on specific OS version

Challenges (Windows XP SP2)
- Microsoft Internet Explorer
  - Binary behaviors, local machine lockdown, MIME handling & sniffing, zone elevation, Windows restrictions, download blocking
- DCOM & RPC
  - Launch and activation permissions, remote anonymous access
- Windows Firewall
  - Ports closed by default
- Data Execution Prevention (DEP)
  - Access violations for applications that do not handle NX

Feature Overview
- Built on top of 3.0 technology
- Improved evaluation tools
- Improved mitigation tools
- Improved deployment tools
- Task-based interfaces

Three-Phase Approach
Phases: Evaluation, Mitigation, Deployment
- Inventory applications
- Collect application issues
- Create and test solutions
- Package solutions
- Deploy solutions

Architecture and Features

Evaluation Phase Architecture
Diagram labels: Test Environment; Production Environment (Sales, Support, Servers, HR); Client; Collector; Compatibility Evaluation Agents (DCOM, Windows Firewall, IE)
- Distribute agents to
  - Collect application inventory
  - Assess application issues
  - Run IE test tool
  - Detect SP2 compatibility issues
- Distribute via
  - SMS
  - Log on scripts
- Configure agents to collect specific data
  - Department name
  - User name, machine name, IP
  - Custom name-value pairs

Application Evaluation Tool: Application Analyzer
Diagram labels: Production Environment (Sales, Support, Servers, HR); Collector; DCOM; Windows Firewall; Network Share; Server; SQL Server; Web Service; MSFT Online DB; Client; Report Viewer (Analyzer)

Web Application Evaluation Tool: Internet Explorer compatibility evaluator
Runs on a Windows XP SP2 client (test machine)
- View log of errors
- Change IE security settings
- Save logs
Evaluates issues related to
1. Automatic Download Blocking
2. Bad Certificate ActiveX Blocking
3. Binary Behaviors Restrictions
4. Local Machine Zone Lockdown (LMZL)
5. MIME Handling Restrictions
6. MK Protocol Blocking
7. Object Caching Protection
8. Pop-up Blocking
9. Windows Restrictions
10. Zone Elevation Restrictions

Evaluation Feature Highlights
- Automated application inventory agent
  - Light-weight tool
  - Data collected about installed application and machine configuration
- Windows XP SP2 compatibility evaluators
  - Checks whether an application uses DCOM interfaces that will be blocked by SP2
  - Windows Firewall compatibility evaluator is configured to monitor ports over time that violate new Windows Firewall defaults
  - Detects violations to new Internet Explorer security feature settings
- Rich client tool for reporting and analysis
  - Faster and more comprehensive data filtering
  - Reports can be shared
  - Managed application (requires .NET Framework 1.1)
  - Data stored in SQL Server 2000
- Secure data encryption to/from Microsoft online Web services

Evaluation Phase

Mitigation Phase Architecture
Diagram labels (Test Environment):
- Query File: .ADQ file (application list with DCOM and Firewall issues)
- Compatibility Administrator file: .SDB file (database with Win32 fixes)
- Solution Builder Tool: command line tool that can generate a single EXE
- One mitigation package for applications (machine-wide fix)

Application Mitigation Tool: Compatibility Administrator
- Without compatibility fixes: setup.exe calls GetVersion, kernel32.dll returns; error message on Windows XP
- With compatibility fixes: setup.exe calls GetVersion, the Compat Fix in front of kernel32.dll returns; setup continues on Windows XP
- 100s of fixes: Limited User Account, Registry Keys, File Paths, Display

Web Application Mitigation Tool: Internet Explorer compatibility evaluator
Runs on a Windows XP SP2 client (test machine)
- View log of errors
- Change IE security settings
- Registry package (.REG file) for Internet Explorer

Mitigation Feature Highlights
- Enable application-specific solutions while minimizing impact on overall security
- One mitigation package for applications
  - For DCOM and Firewall fixes
    - Applications added to exception list
  - For Win32 compatibility fixes
    - Database installed on target machine
    - Machine-wide fixes
  - Uninstall option available
- Registry package for Internet Explorer
  - Can be deployed via logon scripts or SMS
  - Registry changes can also be done via group policies

Mitigation Phase

Deployment Architecture
Diagram labels: Production Environment (Sales, Support, Servers, HR); Server; Network Share; Log On Scripts; Systems Management Server; Client; Mitigation Package; Evaluation Package
- Option 1. Log on scripts: distribute evaluation agents OR fix package via logon scripts
- Option 2. Systems Management Server: distribute evaluation agents OR fix package via SMS

Deployment Feature Highlights
- Easy to distribute and install
  - Self-installing executable
  - Can be deployed via logon scripts or SMS
- SMS integration
  - Extends SMS’s existing targeting capabilities
  - Deployment of evaluation agents
  - Deployment of mitigation packages
- Consolidation of mitigation solutions
  - One mitigation package for app issues
  - Registry fixes for Internet Explorer

New Features in ACT 4.0
Table columns: Feature; ACT 3.0; ACT 4.0
Features listed:
- Deployment Task List
- Application inventory agent
- DCOM and Firewall issue detection
- Internet Explorer compatibility test tool
- Client tool for reporting and analysis
- Tool for creating solutions
- Tool for packaging solutions
- SMS integration
- Documentation

Areas of Continued Investment

Call to Action
- Download ACT: lity/act4.msp
- Give us your feedback
  - Post messages on the newsgroup microsoft.public.windows.app_compatibility
- Support is offered via Microsoft Product Support Services

Your Feedback is Important! Please Fill Out a Survey for This Session on CommNet

Appendix
- 7 Steps to Get Started with ACT 4.0
- Top 10 Reasons to Install Windows XP SP2

Step 1: Familiarize Yourself with ACT 4.0
- Download from mpatibility/act4.mspx
- Install ACT 4.0
- Recommended operating systems:
  - Microsoft Windows XP Professional
  - Microsoft Windows Server 2003
- Note: Individual components support varying operating systems.

Step 1: Familiarize Yourself with ACT 4.0
Components (component: description; recommended OS):
- Application Compatibility Toolkit (Framework): help files and deployment task list. Recommended OS: Microsoft Windows XP Pro, Microsoft Windows Server 2003
- Application Analyzer: client tool for reporting and analysis
- Application Compatibility Administrator: client tool for applying common compatibility fixes
- Internet Explorer Compatibility Evaluator: client tool for testing web sites/Web apps and applications on XP SP2. Recommended OS: Windows XP Pro SP2
- Collect.exe: collects application inventory on a specified set of computers. Recommended OS: Microsoft Windows 98, ME, Microsoft NT4, Microsoft Windows 2000 Pro, Microsoft Windows 2000 Server, Windows XP, Microsoft Windows Server 2003
- WFCE.exe, DCOMCE.exe: identify potential application issues related to DCOM and Windows Firewall. Recommended OS: Windows XP Pro, Windows Server 2003

Step 1: Familiarize Yourself with ACT 4.0
- Review the prescriptive guidance on using ACT
  - Step-by-step tasks divided into three phases
  - Track your deployment progress in the task list
  - In-context help documentation

Step 2: Configure Application Analyzer
- Launch Application Analyzer
- Go to configuration screen
- Set up Analyzer SQL DB
  - Specify the SQL Server name and click “Refresh”
  - Type in the name of the new database to create and click “Create New” (NOTE: you must be a member of the SQL Server admin role)

Step 2: Configure Application Analyzer (cont’d)
- Configure Collector settings
  - Set up file share(s) for collecting data
    - Application data will be collected with Collect.exe
    - Application issue data will be collected with DCOMCE.exe and WFCE.exe
  - Add the log path(s) to the list
- Configure the Merger service
  - In Service Control Manager find the “merger” service
  - Configure it to log on with a user account that has privileges on the Analyzer SQL DB.

Step 2: Configure Application Analyzer (cont’d)
- Configure Merger permissions on Analyzer SQL DB
  - In SQL Enterprise Manager expand the Analyzer SQL DB and click on “Users”.
  - Find the user you added to the Merger service and grant them the role of db_AnalyzerMerger

Step 2: Configure Application Analyzer (cont’d)
- Configure Solution Builder permissions on Analyzer SQL DB
  - In SQL Enterprise Manager expand the Analyzer SQL DB and click on “Users”.
  - Find the user that you will use to create solutions (mitigation package) and add it to the role of db_SolutionBuilder

Step 3: Collect Application and Issue Data
- Inventory applications
  - Run Collect.exe
    - Located in C:\Program Files\Microsoft Application Compatibility Toolkit 4\Application Analyzer
  - Common command line options
    - Example: collect.exe /o c:\TestLogs
    - /o defines output path for logs
    - Default filename is name of the machine

Step 3: Collect Application and Issue Data (cont’d)
- Collect DCOM and Windows Firewall compatibility issues
  - Run DCOMCE.exe
    - Located in C:\Program Files\Microsoft Application Compatibility Toolkit\Application Analyzer\CEAgents
    - Common command line options
      - Example: DCOMCE.exe /o c:\TestLogs
      - /o defines output path for logs
      - Default file name is MachineName.Issue.GUID
  - Run WFCE.exe
    - Located in C:\Program Files\Microsoft Application Compatibility Toolkit\Application Analyzer\CEAgents
    - Copied to a directory where regular users do not have write access (e.g. c:\Windows\System32)
    - Common command line options
      - Example: WFCE.exe /o c:\TestLogs
      - /o defines output path
      - Default file name is MachineName.Issue.GUID
      - /ct defines completion time in hours

Step 3: Deploy Collection Agents Using SMS (optional)
- Collector and the Compatibility Evaluator Agents can be distributed via the SMS Deployment Wizard

Step 3: Collect Application and Issue Data (cont’d)
- Collect Internet Explorer compatibility issues
  - Run Internet Explorer Compatibility Evaluator (IECE)
  - Update IE with the test logging infrastructure
  - Run test cases on business critical web applications against Windows XP SP2

Step 4: Process Issue Data
- Merge collected data into Analyzer SQL DB
  - Launch Application Analyzer
  - Go to Configuration screen
  - Click on “Log Processing”
  - Click on “Start Log Processing”

Step 4: Process Issue Data
- Get the latest issue data from Microsoft
  - Connection via a secure connection

Step 5: Analyze Issue Data
- Analyze application compatibility issue data
  - Launch Application Analyzer
  - Go to Reports
  - Pivot between three data views: Applications, Machines, or Issues

Step 5: Analyze Issue Data (cont’d)
- Drill down to see details of an application

Step 5: Analyze Issue Data (cont’d)
- Drill down to see details of an issue

Step 5: Analyze Issue Data (cont’d)
- Analyze Web application compatibility issue data
  - View log of reported issues
  - Drill down into issues to find out more about them, including work-arounds and mitigations

Step 6: Mitigate Compatibility Issues
- Mitigate legacy application compatibility issues
  - Run Compatibility Administrator
  - Apply “Layers” and “Fixes” as appropriate
    - Compatibility Layers are designed to “hook” Win32 APIs and emulate the prior behavior
    - Examples
      - Hard-coding paths to Special Folders -> “CorrectFilePaths”
      - OS Version Number -> Version Lie Compatibility Fix
  - Generate a custom database of fixes (called a custom SDB)
  - Install the custom SDB in order to apply it
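The version lie described above, modelled in portable C as an added example (not code from the presentation or from ACT). The function names, the sample GetVersion values and the installer's exact-match check are constructed for illustration; a real fix is applied by Windows from the installed SDB, not by swapping a function pointer.

```c
#include <stdint.h>
#include <stdio.h>

/* Fields packed into the 32-bit value returned by GetVersion(). */
struct os_version { unsigned major, minor, build; int is_nt; };

static struct os_version decode_getversion(uint32_t v)
{
    struct os_version o;
    o.major = v & 0xFFu;                 /* low byte of the low word  */
    o.minor = (v >> 8) & 0xFFu;          /* high byte of the low word */
    o.is_nt = (v & 0x80000000u) == 0;    /* high bit is set on Windows 9x/Me */
    o.build = o.is_nt ? (v >> 16) & 0xFFFFu : 0;  /* build only used for NT */
    return o;
}

/* Constructed sample return values, not captured from real machines. */
#define VER_WIN98   0xC0000A04u   /* 4.10, 9x platform bit set */
#define VER_WIN2000 0x08930005u   /* 5.0, build 2195 */
#define VER_XP      0x0A280105u   /* 5.1, build 2600 */

static int at_least(struct os_version o, unsigned major, unsigned minor)
{
    return o.major > major || (o.major == major && o.minor >= minor);
}

/* Hypothetical installer hard-coded to one OS version: accepts only 5.0. */
static int brittle_check(uint32_t v)
{
    struct os_version o = decode_getversion(v);
    return o.is_nt && o.major == 5 && o.minor == 0;
}

/* The code-level fix: require a minimum version instead of an exact one. */
static int robust_check(uint32_t v)
{
    struct os_version o = decode_getversion(v);
    return o.is_nt && at_least(o, 5, 0);
}

typedef uint32_t (*getversion_fn)(void);

/* Simulated kernel32 GetVersion on a Windows XP machine. */
static uint32_t os_getversion(void)   { return VER_XP; }
/* Simulated version-lie fix: reports Windows 2000 to the application. */
static uint32_t shim_getversion(void) { return VER_WIN2000; }

/* Returns 1 when setup continues, 0 when it stops with an error. */
static int run_setup(getversion_fn get_version, int (*check)(uint32_t))
{
    return check(get_version());
}

int main(void)
{
    printf("brittle, no fix:   %d\n", run_setup(os_getversion, brittle_check));
    printf("brittle, with fix: %d\n", run_setup(shim_getversion, brittle_check));
    printf("robust,  no fix:   %d\n", run_setup(os_getversion, robust_check));
    return 0;
}
```

The lie is visible only to the application the fix is attached to, which is why it unblocks the installer without changing what the rest of the system reports.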

Step 6: Mitigate Compatibility Issues (cont’d)
- Mitigate Internet Explorer compatibility issues
  - Option 1 - Export mitigation from IECE into a .REG file (Binary Behaviors, Pop-up Blocking, Windows Restrictions)
  - Option 2 - Change IE security settings globally
  - Option 3 - Change underlying problem (i.e. code)

Step 6: Mitigate Compatibility Issues (cont’d)
- Mitigate DCOM and Windows Firewall (WF) compatibility issues
  - Launch Application Analyzer
  - Filter report to just show DCOM and WF issues you want to mitigate
  - Save report as an ADQ file
  - Copy FixPack.Exe, FixInst.Exe, dbapi.dll, mtadq.dll, and sdbproxy.dll to where your ADQ file is saved
  - Run Solution Builder to generate a packaged executable of the DCOM and WF fixes

Step 7: Deploy Mitigations
- One EXE package for easy deployment
  - DCOM and Firewall fixes
  - Win32 compatibility fixes
- One registry package for Internet Explorer compatibility issues
  - Can also be configured via group policies

Top 10 Reasons to Deploy Windows XP SP2
1. Help protect your PC from harmful attachments.
2. Improve your privacy when you’re on the Web
3. Avoid potentially unsafe downloads
4. Reduce annoying pop-ups
5. Get firewall protection from startup to shutdown
6. Take control of your security settings
7. Get the latest updates easily
8. Help protect your address
9. Take action against crashes caused by browser add-ons
10. Go wireless without the hassle

Your Feedback is Important!
- We invite you to participate in our online evaluation on CommNet, accessible Friday only
- If you choose to complete the evaluation online, there is no need to complete the paper evaluation

© 2005 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.