Peter Himschoot Microsoft Regional Director BeLux U2U
Why aren’t applications compatible with Windows? Windows 7 compatibility changes Compatibility guidelines Compatibility diagnostics Windows 7 Logo requirements
Things change between releases OS version number, structure of internal data types, registry keys, order of events … Knowingly breaking changes User Account Control User experience changes High DPI
The Administrator account goes down in Windows history Greater attack surface (security) Bigger TCO (users break their PCs) Less manageable (users change policy) The Standard User is usually enough!
Windows XP is generally unusable as Standard User Windows Vista SP1, Windows 7 eliminate privileged operations What can a standard user do? Write files, connect to the network, change display settings, change the time zone, install trusted applications … What can’t a standard user do? Write to sensitive registry locations, install unsigned device drivers, change the time …
88% of users have UAC enabled 60-80% don’t see a single UAC prompt within a single session 08/07 – 08/08 time period: Four times less (!) UAC prompts from applications
Three types of users: “True admin” – elevated privileges all the time Standard user – no elevated privileges at all “UAC admin” – token is filtered at login time and linked to an elevated token UAC is an intermediate step! Ultimately, all users must run as standard user
Traditional NT security model revolves around process token Windows Vista/Win7 enhances this with MIC: Each process gets a MIC level All resources get a MIC level (medium is default) There are four levels: 0: Low 1: Medium 2: High 3: System
Over-The-Shoulder elevation: Full admin elevation:
A part of Windows: Other (verified) publisher:
Unverified publisher:
Windows Vista UAC can be on or off Grater control through Registry Windows 7 introduces granular prompt levels
Avoid elevated operations! Annoying prompts Costs you all standard-user customers Vulnerabilities are escalated Attackers target your products
Best case: Your application runs 100% fine as standard user Remove operations that require unnecessary privileges Does your application need to write to C:\? Does your application need to store its settings in HKLM? Do elevated work at install-time Install for the requesting user
Factor the operation into a separate process (or out-of-process COM object) Identify the operation with a Shield icon
Ensure that the low-privilege application can’t be externally abused E.g. malware pressed buttons and causes high- privilege operations in an elevated process Have the high-privilege process present the user interaction Factor out to a service or task Secure the communications channel (don’t talk to strangers)
Administrator-only applications should prompt for elevation when launched Fail gracefully, allow for OTS elevation Add a manifest to your application requesting elevated privileges Ask for privilege once E.g. Vista Windows Explorer made this mistake with file operations
<assembly xmlns="urn:schemas-microsoft-com:asmv.v1" manifestVersion="1.0"> <assemblyIdentity version=" " processorArchitecture="X86" name="AppName" type="win32" /> App Description <assembly xmlns="urn:schemas-microsoft-com:asmv.v1" manifestVersion="1.0"> <assemblyIdentity version=" " processorArchitecture="X86" name="AppName" type="win32" /> App Description requestedExecutionLevelrequireAdministrator highestAvailable asInvoker
Visual Studio 2008 can embed it for you C++ projects have a special UAC combo box C# or VB.NET projects need to edit the XML file manually Use an embedding tool such as mt.exe Use the UAC Helpers library (CodePlex) Use the Windows Vista Bridge
You can’t elevate a running process Preferably use manifests to request elevation In other scenarios, the ShellExecute “runas” verb forces an elevation request Even if there is a manifest that says “asInvoker” For COM out-of-process objects, use CoCreateAsAdmin
Process proc = new Process(); proc.StartInfo = new ProcessStartInfo(); proc.StartInfo.UseShellExecute = true; proc.StartInfo.Verb = “runas"; proc.StartInfo.FileName proc.Start();
UacHelpers.IsCurrentProcessElevated UacHelpers.IsUacEnabled UacHelpers.IsUserAdmin
For compatibility purposes, some privileged operations are redirected %UserProfile%\AppData\Local\VirtualStore HKCU\Software\Classes\VirtualStore (Some) installers are auto-detected Applications with a manifest do not get virtualization 64-bit applications do not get virtualization Generally, don’t rely on it! Can break in so many ways
DPI (Dots Per Inch) settings are per-user, require logoff/logon (not reboot) Windows 7 clean install heuristically chooses proper DPI The user doesn’t have to opt-in to high DPI Declare applications to be DPI-aware Use manifest (preferred) SetProcessDPIAware
Clipped text Layout issues and image size issues Pixilated bitmaps Layout issues Blurry UI Mismatched font sizes
Windows makes every effort! Thousands of applications have “compatibility shims” applied by the system Even more applications are thoroughly tested Windows 7 (32-bit) can still run 16-bit MS- DOS programs Almost 25 years later! Most applications work just fine on new Windows versions Some don’t
Do NOT check the version of Windows and refuse to run (Windows 7 Logo requirement) Check for features, not versions Support backward: Disable features Support forward: Check for version ≥
Windows Mail is deprecated Including APIs to launch Outlook Express, etc. Replaced by Windows Live Mail Internet Explorer 8 out-of-the-box Compatibility with standards, incompatibility with websites IE7 emulation mode (Compatibility View) Intranet sites in compatibility mode by default Pages/servers can detect IE8 and request compatibility mode/render standard content
Applications on 64-bit Windows have to be extra careful 32-bit applications run in a virtualized environment (WOW64) File system redirection, registry redirection Registry reflection (COM server nodes) Two versions of the registry Two versions of Program Files Two versions of System32 (SysWOW64)
A library can be selected instead of a folder E.g. in common file dialogs Ask the library for its default save location Ask the common file dialog to provide only file-system locations Less user-friendly, means user has to navigate to a specific folder instead of a library Due to Libraries internal structure, users may NOT KNOW the specific folder
Tell Windows which OS version your application was designed for
Application Compatibility Toolkit An extensive set of tools for diagnosing and fixing compatibility problems Includes management of organization-wide compatibility fixes Includes Standard User Analyzer, Internet Explorer Compatibility Test Tool and many others
Shims = compatibility fixes Redirect registry access Redirect file system access OS version lie Legacy graphics mode emulation …hundreds of others! ACT generates an SDB file Install on end-user’s machine using sdbinst (part of Windows)
Shortcut “Compatibility” tab Compatibility troubleshooter
Problem Steps Recorder can be an invaluable tool
If you’re compliant with the Windows Vista logo, you’re ready for Windows 7 Even if you’re not planning to apply, the Logo requirements make sense Logo requirements better application! Reduce helpdesk and support costs Happier users IT – easier install and management End users, better experiences
Provide Microsoft with a copy of the software for testing purposes Agree to a day resolution policy for issues with Logo’d products Opt in to receive communications from Microsoft regarding the Logo’d products
Do not distribute malware or spyware Do not modify WRP protected resources Register for the WinQual portal Install and uninstall cleanly Install to the correct folders Support Windows x64 Follow UAC guidelines Do not load drivers and services in Safe Mode
Digitally sign files with Authenticode Do not check the OS version Prevent unnecessary reboots Support multi-user sessions Pass Application Verifier tests
…everything you were afraid to ask
Why aren’t applications compatible with Windows? Windows 7 compatibility changes Compatibility guidelines Compatibility diagnostics Windows 7 Logo requirements
© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.