Maarten van de Bospoort Application Development Consultant Microsoft WCL312.

Agenda
- Oh, oh. I come from XP.
- I've done Vista. What did you break now?
- That leaves room for improvement.

Top AppCompat Issues
- From XP to Win 7: User Account Control; Mandatory Integrity Control; Services Isolation
- From Vista to Win 7: Version checking; Miscellaneous
- More than just compatible: High DPI; Remote Desktop and Fast User Switching

User Account Control – Why?
- Running as administrator increases malware threats: there are no limits on what an application can do (install rootkits, install keystroke loggers, etc.)
- Enterprises: significant TCO reductions when running with managed systems
- Key: run as much as possible as Standard User

User Account Control – How?
- Applications run as Standard User by default
- What is a Standard User?
  - Allowed: run most applications; change per-user settings
  - Not allowed: install applications and drivers; change system settings; admin "privileges"

UAC Architecture (diagram): Abby, a member of Administrators, holds a split token: an Admin token and a "Standard User" token. An app started with the Admin token passes the Admin token on to its child app; an app started with the Standard User token runs its child app with the Standard User token as well.

UAC Split Tokens

What is broken by UAC?
- Can no longer: write to Program Files; write to System32; write to some HKLM\Software hives; create kernel objects in the global namespace
- Impact on: file creation in restricted locations; installers; custom actions in MSI; events, mutexes, mapped files, named pipes, etc.

OS Mitigation: Data Redirection
- Legacy applications that write to secure locations (HKLM\Software; %SystemDrive%\Program Files; %WinDir%\System32) are redirected to HKCU\Software\Classes\VirtualStore and %LocalAppData%\VirtualStore\
- Intended for "legacy" applications; might be removed in a future OS version
- Redirection removes the need for elevation
- Not for native x64; no redirection for binaries
- Impact: per-machine changes become per-user changes
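As an added example (not code from the presentation), this C helper computes where the redirection above sends a legacy per-machine write for a given user, which is where a tester or investigator should look for the virtualized copy. The system drive C:, the %LocalAppData% value and the sample paths are constructed assumptions; as the slide notes, redirection applies only to legacy (unmanifested, non-x64) applications and not to binaries.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Added example, not the presentation's code. Resolves the VirtualStore
 * location of a legacy write under the protected locations the talk names.
 * Assumes the system drive is C: and a constructed %LocalAppData% value. */

/* Case-insensitive prefix match: returns the prefix length, or 0 if no match. */
static size_t prefix_len(const char *s, const char *prefix) {
    size_t n = strlen(prefix);
    return strncasecmp(s, prefix, n) == 0 ? n : 0;
}

/* File virtualization: a write under Program Files, Program Files (x86) or
 * the Windows directory lands under %LocalAppData%\VirtualStore with the
 * drive letter stripped. Returns 1 if redirected, 0 if the path is not a
 * protected location (the write then goes where the application asked). */
int virtualstore_file(const char *path, const char *local_appdata,
                      char *out, size_t outlen) {
    static const char *roots[] = {
        "C:\\Program Files\\", "C:\\Program Files (x86)\\", "C:\\Windows\\"
    };
    for (size_t i = 0; i < sizeof roots / sizeof roots[0]; i++) {
        if (prefix_len(path, roots[i])) {
            /* path + 3 skips "C:\" so the remainder is appended verbatim */
            snprintf(out, outlen, "%s\\VirtualStore\\%s", local_appdata, path + 3);
            return 1;
        }
    }
    return 0;
}

/* Registry virtualization: HKLM\Software\... is redirected to
 * HKCU\Software\Classes\VirtualStore\MACHINE\Software\... */
int virtualstore_reg(const char *key, char *out, size_t outlen) {
    size_t n = prefix_len(key, "HKLM\\Software\\");
    if (n == 0) return 0;
    snprintf(out, outlen,
             "HKCU\\Software\\Classes\\VirtualStore\\MACHINE\\Software\\%s", key + n);
    return 1;
}

int main(void) {
    char buf[512];
    const char *lad = "C:\\Users\\alice\\AppData\\Local";   /* constructed sample */
    if (virtualstore_file("C:\\Program Files\\LegacyApp\\settings.ini", lad, buf, sizeof buf))
        printf("file write lands at: %s\n", buf);
    if (virtualstore_reg("HKLM\\Software\\LegacyApp\\Version", buf, sizeof buf))
        printf("registry write lands at: %s\n", buf);
    return 0;
}
```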

Data Redirection

Mitigation: Installer Detection
- Installers often require administrative rights; running as Standard User would mean failure
- Mitigation: detect strings in the binary's resources (Setup, install, patch, etc.) and elevate to Administrator

Installer Detection

Fixing UAC bugs
- Write to the correct location:
    Documents: All Users: C:\users\public; User: C:\users\TheUser
    Data: All Users: C:\ProgramData; User: C:\users\TheUser\AppData
- Split up your application in two parts: a Standard User day-to-day part and an Administrator part
- Add a manifest to opt out of mitigation

Manifest: UAC section MyAdminApp.Exe.Manifest

Vista / Win 7 "Aware" Application
- Vista/Win 7-aware applications embed an XML manifest; this disables all mitigations
- The manifest contains a trustInfo section with one of three levels:
  - asInvoker: launch with the same token as the parent process
  - highestAvailable: launch with the highest token this user possesses
  - requireAdministrator: the highest token of the user, provided the user is a member of the Administrators group

UAC Issues
- Do you? Write to Program Files, Windows, System32, HKLM\Software, or the root? Create kernel objects "globally"?
- Try: running the application elevated ("As Administrator"); testing with UAC off
- Tools: Process Monitor, Process Explorer, Standard User Analyzer

Mandatory Integrity Control (MIC)
- The traditional NT security model revolves around the process token and the resource DACL
- Vista/Win7: a MIC level is assigned to each process (Medium by default) and to all resources (Medium by default)
- Basically four levels: 0: Low; 1: Medium; 2: High; 3: System

MIC: Processes and Resources (diagram): a Medium process (default) can read and write both Medium (default) and Low resources; a Low process (PMIE, Protected Mode IE) can write only to Low resources and can only read Medium resources.

MIC: Processes and Messages (diagram): SendMessage flows freely between two Medium processes (default) and from a Medium process down to a Low process (PMIE); SendMessage from the Low process up to a Medium process is blocked.

MIC Example: IE prior to Vista (diagram): a single IExplore.exe process installs ActiveX controls, changes settings, downloads pictures and caches web content with the user's full rights: admin-rights access to HKLM and Program Files, user-rights access to HKCU, My Documents and the Startup folder, and untrusted files & settings in Temporary Internet Files. An exploit in the browser can therefore install malware.

MIC Example: IE on Vista+ with Protected Mode (diagram): Protected Mode IE runs at Low integrity and can only write untrusted files & settings (Temporary Internet Files, cached web content). Integrity control blocks direct writes to admin-rights locations (HKLM, HKCR, Program Files) and user-rights locations (HKCU, My Documents, Startup folder). Installing an ActiveX control or changing settings / saving a picture goes through a Broker Process; legacy writes are redirected to redirected settings & files by the Compat Redirector.

MIC Issues
- Do you? Use Windows messages between MIC levels? See drag and drop fail? Use IE to write to the user's %homepath%?
- Try: running the application elevated ("As Administrator"); testing with UAC off; running IE with Protected Mode off
- Tools: Process Monitor, Process Explorer, Standard User Analyzer

Sessions in XP/W2K/WS03 (diagram): Session 0 holds one window station and desktop with the login, the screen saver and the first user's window, and the services run in that same session; a service with a window on the interactive desktop is exposed to a shatter attack.

Sessions in Vista/Windows 7 (diagram): services run in Session 0 with their own window station and desktop; the first user's window, login and screen saver live in Session 1 with its own window station and desktop. Session 0 is no longer interactive, which is the secure arrangement.

Session 0 Isolation

Session 0 Issues
- Do you have services that interact with the desktop? communicate with other user-mode apps? create a kernel object to communicate?
- Verify: communication between services and applications; services are not relying on interacting with the desktop
- Guidance: for UI, use WTSSendMessage() or CreateProcessAsUser(); for kernel objects, have the service create them in the global namespace

The AppCompat "Cookbooks"
- Everything else that we haven't covered
- XP -> Vista/2008 -> Win7: "Application Compatibility Cookbook"; "Application Compatibility" on MSDN
- Vista -> Win 7: "Windows 7 Application Quality Cookbook"

Windows Vista to Windows 7
- Application compatibility is a main goal
- Very few breaking changes
- If your app works on Vista, it will likely work on Windows 7 …but there are a few things to verify

Incompatible by Design
- Version checking for a specific OS release
- Structure of private data and data types
- Patching OS calls
- Using registry values instead of APIs
- Non-deterministic events
- Redistributing Windows components

Version Checking
- Applications check the Windows OS version and block themselves or modify behavior
- If absolutely needed, check for >= the OS version
- Don't block: present a warning message and allow the application to continue
- Check for the existence of specific features if that is what matters
- Windows 7 is version 6.1

Version Checks – Stop doing this

```cpp
// The pattern the talk warns against: an exact match on one major version.
OSVERSIONINFO version = { sizeof(version) };  // dwOSVersionInfoSize must be set before the call
GetVersionEx(&version);
if (version.dwMajorVersion != 5) {   // refuses anything that is not 5.x: Vista (6.0) and Windows 7 (6.1) both fail
    OnAppExit();                     // the application's own exit routine
}
```

Version Checks – Do this

```cpp
// Feature detection instead of version checking: load the library that
// provides the feature, newest name first, and fall back to the older names.
// LoadLibraryFromSystem32 is the talk's own helper (not a Win32 API); it is
// assumed to build a full %WinDir%\System32 path and call LoadLibrary on it.
// LoadShimEngine is a hypothetical name for the wrapping function.
HMODULE LoadShimEngine()
{
    HMODULE hMod;
    hMod = LoadLibraryFromSystem32(L"Apphelp.dll");
    if (hMod) return hMod;
    hMod = LoadLibraryFromSystem32(L"sdbapiu.dll");
    if (hMod) return hMod;
    hMod = LoadLibraryFromSystem32(L"sdbapi.dll");
    if (hMod) return hMod;
    return NULL;   // none of the libraries is present
}
```
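As an added example (not the presentation's code), the following portable C models the version-check guidance from the slides above: compare against a minimum with >=, never against one release with == or !=, and warn rather than block on a newer release. It uses no Windows headers so the comparison logic can be run anywhere; the version numbers are the talk's own (XP 5.1, Vista 6.0, Windows 7 6.1), and the minimum and last-tested versions in main are constructed.

```c
#include <stdio.h>

/* Added example, not the presentation's code. Portable model of the
 * version-check guidance from the slides: compare against a minimum with >=,
 * never against one release with == or !=, and warn rather than block on a
 * newer release. Version numbers follow the talk: XP 5.1, Vista 6.0, Win 7 6.1. */

typedef struct { unsigned major, minor; } os_version;

/* 1 if running >= required; (major, minor) are compared as a pair, so 6.1
 * orders after 6.0 and 5.1 is not treated as newer than 6.0 because 1 > 0. */
int os_at_least(os_version running, os_version required) {
    if (running.major != required.major)
        return running.major > required.major;
    return running.minor >= required.minor;
}

/* The slide's "stop doing this" logic: anything that is not 5.x is refused,
 * so the application exits on both Vista (6.0) and Windows 7 (6.1). */
int legacy_check_refuses(os_version running) {
    return running.major != 5;
}

typedef enum { RUN_OK = 0, RUN_WARN = 1, RUN_REFUSE = 2 } run_decision;

/* Recommended logic: refuse only below the supported minimum; on a release
 * newer than the last one tested, show a warning and let the app continue. */
run_decision decide(os_version running, os_version minimum, os_version tested) {
    if (!os_at_least(running, minimum))
        return RUN_REFUSE;
    if (!os_at_least(tested, running))   /* running is strictly newer than tested */
        return RUN_WARN;
    return RUN_OK;
}

int main(void) {
    /* constructed sample: app tested up to Vista, minimum XP, now running on Windows 7 */
    const os_version win7 = { 6, 1 }, minimum = { 5, 1 }, tested = { 6, 0 };
    printf("legacy check on Windows 7 refuses: %d\n", legacy_check_refuses(win7));
    printf("recommended check on Windows 7: %d (0=ok, 1=warn, 2=refuse)\n",
           decide(win7, minimum, tested));
    return 0;
}
```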

Version Check: Shimming (diagram): without a shim, Myapp.exe calls GetVersionEx in kernel32.dll and gets back 6.1. With a shim applied, the shim sits between Myapp.exe and kernel32.dll and intercepts the GetVersionEx() call, so the application is given the version number it expects rather than 6.1.

Internet Explorer 8
- Tabs are running in individual processes, e.g. each tab (process) gets its own ActiveX control
- New rendering engine: IE7 (compatibility mode) and IE8
- New IE8 user agent string

Miscellaneous Regressions
- Removal of Windows Mail
- Removal of Windows Movie Maker
- API implementations moved to kernelbase.dll (MinWin)
- Removal of Windows Registry Reflection
- Replacement of the WPDUSB.SYS driver for Windows Portable Devices
- Microsoft Message Queuing (MSMQ)
- Check out the Windows 7 Cookbook for the full list

That's pretty much it. Now let's make it better:
- High DPI
- Remote Desktop
- Fixing your released applications with Shims

High DPI Surprises
Monitor max resolution and % of users set to the maximum:
    1280x1024: 56%
    1400x1050: 79%
    1600x1200: 32%
    1680x1050: 66%
    1920x1050: 39%
    1920x1200: 78%
    Avg. set to default: 55%
Details: users with a max resolution of 1600x1200, the user's chosen resolution and % using that resolution:
    640x480: 1%
    800x600: 7%
    1024x768: 57%
    1280x1024: 3%
    1600x1200: 32%
    Total: 100.00%
Users are lowering their screen resolution to get larger text…

High DPI: Why Do We Care?
- High-fidelity monitors are not fully used: ClearType requires native resolution; can't display native high-def content
- Users accidentally select a non-native aspect ratio: pixelated content does not take advantage of the display; non-native aspect ratio settings "squish" content

High DPI Issues
- Clipped text
- Layout & image size issues
- Pixelated bitmaps
- WinForms issues
- Blurry UI
- Mismatched font sizes

High DPI: test for Windows 7
- A Windows 7 clean install determines DPI by heuristics, so your helpdesk will hear about it more
- DWM will "virtualize" your UI and blow it up after 150%
- Try running with at least 125% DPI, or better 150%
- Fix issues and declare DPIAware in the manifest

RDS and Fast User Switching
- Remote Desktop (Terminal Services) allows for centralized deployment: end users log in or run applications "remote" (TS Apps)
- FUS is a "light" form of RDP; it has existed since XP: one user session is parked while switching to another
- Multiple instances of the application can be running

RDP & FUS Compatibility Issues
- Concurrency: resources can be accessed simultaneously; Terminal Services sessions are separated from services; user data privacy; sound and high CPU in an inactive FUS session
- Remote devices: local resources are remote for the application
- Remote performance considerations: paints, video, disk I/O, CPU and network are all shared

Wrapping up
- Shims for ISVs
- Windows 7 Logo
- We're here to help

What are Shims?
- Windows components change to support new technology, bug fixes and strategy changes
- OS changes may fix some applications and break others
- A shim simulates previous Windows behavior for an application

Shims for ISVs?
- Only for released applications: future versions need to be fixed
- We'll try to shim your released application; if we missed you, please contact us
- Some information we'll need: the specific scenario that fails, the application, and which versions need to be shimmed

Windows 7 Logo
- Logo requirements improve end users' experience and make your migration efforts easier
- Simplified from Vista: self test
- Links: list in the Windows 7 Compat Center; Client Logo Program; Server Logo Program

We are here to help
- Forum: US/windowscompatibility/
- World-wide events
- Hands-on testing labs in Redmond

Resources
- Cookbooks: "Application Compatibility Cookbook"; "Windows 7 Application Quality Cookbook"
- MSDN Application Compatibility
- TechNet Windows Application Compatibility: us/desktopdeployment/bb aspx
- DevReadiness.org
- Channel 9
- Logo

Resources: Sessions On-Demand & Community; Resources for IT Professionals; Resources for Developers; Microsoft Certification and Training Resources

Related Content
Breakout sessions (session codes and titles):
- WCL302 Are You Breaking My Stuff Again? The Windows 7 App Compat Story
- WCL304 Fix Your Broken Applications: The Black Art of Shims
- WCL401 Not for the Faint of Heart: Hard Core App Compat Debugging

Track Resources
- Want to find out which Windows Client sessions are best suited to help you in your deployment lifecycle?
- Want to talk face-to-face with folks from the Windows Product Team?
Meet us today at the Springboard Series Lounge, or visit us at Springboard Series. The Springboard Series empowers you to select the right resources, at the right technical level, at the right point in your Windows® Client adoption and management process. Come see why Springboard Series is your destination for Windows 7.

Complete an evaluation on CommNet and enter to win!

© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.