
Maarten van de Bospoort Application Development Consultant Microsoft WCL312.



2 Maarten van de Bospoort Application Development Consultant Microsoft WCL312

3 Agenda Oh, oh. I come from XP. I’ve done Vista. What did you break now? That leaves room for improvement.

4 Top AppCompat Issues From XP to Win 7 User Account Control Mandatory Integrity Control Services Isolation From Vista to Win 7 Version checking Miscellaneous More than just compatible High DPI Remote Desktop and Fast User Switching

5 User Account Control – Why? Running as administrator increases malware threats No limits on what an application can do Install root kits Install key stroke loggers Etc. Enterprises: significant TCO reductions when running with managed systems Key: run as much as possible as Standard User

6 User Account Control – How? Applications run as Standard User by default What is a Standard User? Allowed Run most applications Change per user settings Not Allowed Install applications and drivers Change system settings Admin “privileges”

7 UAC Architecture (diagram: the user Abby holds a split token; an app launched with the Admin token passes the Admin token to its child app, and an app launched with the Standard User token passes the Standard User token to its child app)

8 UAC Split Tokens

9 What is broken by UAC? Can no longer: write to Program Files write to System32 write to some HKLM\Software hives Create kernel objects in global namespace Impact on: file creation in restricted locations Installers Custom Actions in MSI Events, Mutex, Mapped Files, Named Pipes, etc.

10 OS Mitigation: Data Redirection Legacy applications that write to secure locations HKLM\Software; %SystemDrive%\Program Files; %WinDir%\System32 Redirected to: HKCU\Software\Classes\VirtualStore; %LocalAppData%\VirtualStore\ Intended for “legacy” applications Might be removed in a future OS version Redirection removes need for elevation Not for native x64; no redirection for binaries Impact: Per machine changes to per user.

11 Data Redirection

12 Mitigation: Installer Detection Installers often require administrative rights Running as Standard User would mean failure Mitigation: detect strings in binaries resources Setup, install, patch, etc. Elevate to Administrator

13 Installer Detection

14 Fixing UAC bugs
Write to the correct location:
                 All Users          User
    Documents    C:\users\public    C:\users\TheUser
    Data         C:\ProgramData     C:\users\TheUser\AppData
Split up your application in two parts: a standard-user day-to-day part and an administrator part. Add a manifest to opt out of mitigation.

15 Manifest: UAC section MyAdminApp.Exe.Manifest

16 Vista / Win 7 “Aware” Application
Vista/Win 7-aware applications embed an XML manifest, which disables all mitigations. The manifest contains a trustInfo section with one of:
    asInvoker: launch with the same token as the parent process
    highestAvailable: launch with the highest token this user possesses
    requireAdministrator: highest token of the user, provided the user is a member of the Administrators group
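A complete application manifest carrying the trustInfo section described above, written as an added example for this transcript (it is not a file from the talk). The file name MyAdminApp.Exe.Manifest and the three level values come from slides 15 and 16; the assemblyIdentity attributes (version, name, architecture) are placeholder values for the example. For the split described on slide 14, the standard-user part of the application would ship the same manifest with level="asInvoker" so it never prompts for elevation.

```xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!-- MyAdminApp.Exe.Manifest: embedded as resource RT_MANIFEST (id 1) in MyAdminApp.exe.
     Example manifest; the identity values below are placeholders. -->
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity version="1.0.0.0"
                    processorArchitecture="X86"
                    name="MyAdminApp"
                    type="win32"/>
  <description>Administrator part of the application (example)</description>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <!-- level is one of: asInvoker | highestAvailable | requireAdministrator.
             Declaring any level marks the app as UAC-aware: file and registry
             virtualization (Data Redirection) and installer detection are switched off,
             so the app must write to the per-user / per-machine paths it is entitled to. -->
        <requestedExecutionLevel level="requireAdministrator" uiAccess="false"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>
```

A quick check that the manifest was embedded and picked up: launch the binary from a standard-user session and confirm that a consent prompt appears (requireAdministrator) or does not (asInvoker), and watch Process Monitor for any writes landing under VirtualStore, which would indicate the manifest is missing and redirection is still active.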

17 UAC Issues Do you? Write to Program Files, Windows, System32, HKLM/Software, or Root? Create kernel objects “globally”? Try Running the application elevated (“As Administrator”) Testing with UAC off Tools Process Monitor, Process explorer Standard User Analyzer

18 Mandatory Integrity Control (MIC) Traditional NT security model revolves around process token and resource DACL Vista/Win7: MIC level assigned to Each process (medium default) All resources (medium default) Basically four levels: 0: Low 1: Medium 2: High 3: System

19 MIC: Processes and Resources (diagram of the read and write operations a Medium (default) process and a Low (PMIE) process may perform on Medium (default) and Low resources)

20 MIC: Processes and Resources (second build of the same diagram)

21 MIC: Processes and Messages (diagram of SendMessage calls between a Medium (default) process and a Low (PMIE) process)

22 MIC Example: IE prior to Vista (diagram: a single IExplore.exe process installs ActiveX controls, changes settings, downloads pictures and caches web content; it has admin-rights access to HKLM and Program Files and user-rights access to Temp Internet Files, HKCU, My Documents and the Startup Folder; labels: “Untrusted files & settings”, “Exploit can install MALWARE”)

23 MIC Example: IE Vista+ Protected Mode (diagram: Protected Mode IE runs under Integrity Control and caches web content directly; installing an ActiveX control or changing settings and saving a picture go through a Broker Process; a Compat Redirector sends legacy writes to redirected settings & files; locations shown: Temp Internet Files, HKLM, HKCR, Program Files, HKCU, My Documents, Startup Folder, grouped as admin-rights access, user-rights access and untrusted files & settings)

24 MIC Issues Do you? Use Windows messages between MIC levels? See Drag and drop fail? Use IE to write to user’s %homepath%? Try Running the application elevated (“As Administrator”) Testing with UAC off Run IE with Protected Mode off Tools Process Monitor, Process explorer Standard User Analyzer

25 Sessions in XP/W2K/WS03 (diagram: Session 0 holds one Window Station and Desktop shared by Services, the Screen Saver, Login and the 1st user’s window; label: Shatter Attack)

26 Sessions in Vista/Windows 7 (diagram: Session 0 has its own Window Station and Desktop used by Services only; Session 1 has the Window Station and Desktop for the Screen Saver, Login and the 1st user’s window; label: Secure)

27 Session 0 Isolation

28 Session 0 Issues Do you have services that interact with the desktop? communicate with other user mode apps? create a kernel object to communicate? Verify communication between services and applications; verify services are not relying on interacting with the desktop. Guidance: UI: use WTSSendMessage() or CreateProcessAsUser(); kernel objects: have the service create them in the global namespace.

29 The AppCompat “Cookbooks” Everything else that we haven’t covered. XP -> Vista/2008 -> Win7: “Application Compatibility Cookbook”; “Application Compatibility” on MSDN. Vista -> Win 7: “Windows 7 Application Quality Cookbook”.

30 Windows Vista to Windows 7 Application Compatibility is a main goal Very few breaking changes If your app works on Vista, it will likely work on Windows 7 …but there are a few things to verify

31 Incompatible by Design Version checking for a specific OS release Structure of private data and data types Patching OS calls Using Registry Values instead of APIs Non-deterministic Events Redistributing Windows components

32 Version Checking Applications check Windows OS version and block themselves or modify behavior If absolutely needed, check for >= OS version Don’t block Present a warning message Allow applications to continue Check for existence of specific features if that is important Windows 7 is version 6.1

33 Version Checks – Stop doing this
    OSVERSIONINFO version;
    version.dwOSVersionInfoSize = sizeof(version);   /* GetVersionEx fails without this */
    GetVersionEx( &version );
    if ( version.dwMajorVersion != 5 ) {             /* exits on every 6.x OS: Vista, Win 7 */
        OnAppExit();
    }

34 Version Checks – Do this
    /* Probe for the feature you need (here the AppHelp / SDB API DLLs) instead of the OS version.
       LoadLibraryFromSystem32 is a helper assumed to be defined elsewhere in the talk's sample,
       not a Win32 API. */
    HMODULE hMod;
    hMod = LoadLibraryFromSystem32(L"Apphelp.dll");
    if (hMod) return hMod;
    hMod = LoadLibraryFromSystem32(L"sdbapiu.dll");
    if (hMod) return hMod;
    hMod = LoadLibraryFromSystem32(L"sdbapi.dll");
    if (hMod) return hMod;
    return NULL;   /* feature not present on this OS */
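The comparison logic behind slides 32 to 34, as an added example that is not code from the talk: the "!= 5" check from slide 33 next to the ">= minimum tested version, warn but continue" rule from slide 32. The only fact taken from the slides is that Windows 7 reports version 6.1; the type and function names are this example's own. On Windows the actual version would be filled in by GetVersionEx as in the slide; the comparison is kept separate from that call so the example compiles and runs on any C compiler.

```c
#include <stdio.h>
#include <stdbool.h>

/* Example code (not from the presentation). Version numbers: XP = 5.1,
   Vista = 6.0, Windows 7 = 6.1 (the latter is stated on slide 32). */
typedef struct {
    unsigned major;
    unsigned minor;
} OsVersion;

/* The pattern slide 33 says to stop using: the app exits unless the major
   version is exactly 5. Returns true when that check would exit the app. */
bool legacy_check_blocks(OsVersion v) {
    return v.major != 5;
}

/* Lexicographic compare: major first, then minor. -1, 0 or 1. */
int version_cmp(OsVersion a, OsVersion b) {
    if (a.major != b.major) return a.major < b.major ? -1 : 1;
    if (a.minor != b.minor) return a.minor < b.minor ? -1 : 1;
    return 0;
}

typedef enum { RUN_NORMALLY, RUN_WITH_WARNING } RunDecision;

/* The recommended pattern: compare against the minimum version the app was
   tested on. Anything newer passes silently, so a 6.0-tested app keeps
   working on 6.1. Anything older gets a warning but is still allowed to run;
   nothing in this path ever calls an exit routine. */
RunDecision decide_run(OsVersion actual, OsVersion minimum_tested) {
    if (version_cmp(actual, minimum_tested) >= 0) return RUN_NORMALLY;
    return RUN_WITH_WARNING;
}

int main(void) {
    const OsVersion win7 = {6, 1}, vista = {6, 0}, xp = {5, 1};
    const OsVersion minimum = vista;   /* the app was tested on Vista */

    printf("legacy '!= 5' check on Windows 7 (6.1) exits the app: %s\n",
           legacy_check_blocks(win7) ? "yes" : "no");
    printf("6.1 against minimum 6.0: %s\n",
           decide_run(win7, minimum) == RUN_NORMALLY ? "run" : "warn, then run");
    printf("5.1 against minimum 6.0: %s\n",
           decide_run(xp, minimum) == RUN_NORMALLY ? "run" : "warn, then run");
    return 0;
}
```

Note that version_cmp treats a higher minor on the same major as newer, which is exactly why an equality test on the major version alone, or a compare of the major only, breaks across the Vista to Windows 7 step.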

35 Version Check: Shimming (diagram: Myapp.exe calls GetVersionEx in kernel32.dll and receives 6.1)

36 Version Check: Shim Applied (diagram: a Shim sits between Myapp.exe and kernel32.dll; kernel32.dll returns 6.1 from GetVersionEx() and the shim hands Myapp.exe 6.0)

37 Internet Explorer 8 Tabs are running in individual processes E.g. each tab (process) gets its own ActiveX control New rendering engine IE7 (compatibility mode) IE8 New IE8 user string

38 Miscellaneous Regressions Removal of Windows Mail Removal of Windows Movie Maker API implementations moved to kernelbase.dll (minwin) Removal of Windows Registry Reflection Replacement of WPDUSB.SYS Driver for Windows Portable Devices Microsoft Message Queuing (MSMQ) Check out the Windows 7 Cookbook for the full list

39 That’s pretty much it Now let’s make it better High DPI Remote Desktop Fixing your released applications with Shims

40 High DPI Surprises
Users with a max resolution of 1600x1200 are lowering their screen resolution to get larger text…

    Monitor max resolution      % set to maximum
    1280x1024                   56%
    1400x1050                   79%
    1600x1200                   32%
    1680x1050                   66%
    1920x1050                   39%
    1920x1200                   78%
    Avg. set to default         55%

    Users with max resolution of 1600x1200
    User's chosen resolution    % using that resolution
    640x480                     1%
    800x600                     7%
    1024x768                    57%
    1280x1024                   3%
    1600x1200                   32%
    Total                       100.00%

41 High DPI: Why Do We Care? High fidelity monitors not fully used. ClearType requires native resolution. Can’t display native high def content. Accidentally selecting a non-native aspect ratio: pixelated content that does not take advantage of the display; non-native aspect ratio settings “squish” content.

42 High DPI Issues Clipped text; layout & image size issues; pixelated bitmaps; WinForms issues; blurry UI; mismatched font sizes

43 High DPI: test for Windows 7 Windows 7 clean install determines DPI by heuristics Your helpdesk will hear it more DWM will “virtualize” and blow you up after 150% Try running with at least 125% DPI or better 150% Fix issues and declare DPIAware in the manifest

44 RDS and Fast User Switching Remote Desktop (Terminal Services) allows for centralized deployment End users logging in or running applications “remote” (TS Apps) FUS is “light” form of RDP Exists since XP Parking one user session, switching to other Multiple instances of Application can be running

45 RDP & FUS Compatibility Issues Concurrency Resources can be accessed simultaneously Terminal Service sessions separated from Services User data privacy Sound, high CPU in inactive FUS session Remote devices Local resources are remote for the application Remote performance considerations paints, video, disk I/O, CPU, network are all shared

46 Wrapping up Shims for ISVs Windows 7 Logo We’re here to help

47 What are Shims? Windows components change to support: new technology bug fixes strategy changes OS changes may fix some, break others Simulate previous Windows behavior for an application

48 Shims for ISVs? Only for released applications: future versions need to be fixed We’ll try to shim your released application If we missed you, please contact us Some information we’ll need: specific scenario that fails the application which versions need to be shimmed

49 Windows 7 Logo Logo requirements improve end users’ experience. Make your migration efforts easier. Simplified from Vista. Self test. Links: List in Windows 7 Compat center http://go.microsoft.com/?linkid=9661176 Client Logo Program http://msdn.microsoft.com/en-us/windows/dd203105.aspx Server Logo Program http://www.innovateon.com/product_server2008.aspx

50 We are here to help Forum: http://social.msdn.microsoft.com/Forums/en-US/windowscompatibility/ World-wide events. Hands-on Testing Labs in Redmond: srglabs@microsoft.com

51 Resources Cookbooks: “Application Compatibility Cookbook”; “Windows 7 Application Quality Cookbook”. MSDN Application Compatibility: http://msdn.microsoft.com/en-us/windows/aa904987.aspx TechNet Windows Application Compatibility: http://technet.microsoft.com/en-us/desktopdeployment/bb414773.aspx DevReadiness.org Channel 9: http://channel9.msdn.com/tags/Application+Compatibility/ Logo: http://msdn.microsoft.com/en-us/windows/dd203105.aspx

52 Resources www.microsoft.com/teched Sessions On-Demand & Community; http://microsoft.com/technet Resources for IT Professionals; http://microsoft.com/msdn Resources for Developers; www.microsoft.com/learning Microsoft Certification and Training Resources

53 Related Content Breakout sessions (session codes and titles): WCL302 Are You Breaking My Stuff Again? The Windows 7 App Compat Story; WCL304 Fix Your Broken Applications: The Black Art of Shims; WCL401 Not for the Faint of Heart: Hard Core App Compat Debugging

54 Track Resources Want to find out which Windows Client sessions are best suited to help you in your deployment lifecycle? Want to talk face-to-face with folks from the Windows Product Team? Meet us today at the Springboard Series Lounge, or visit us at www.microsoft.com/springboard Springboard Series: The Springboard Series empowers you to select the right resources, at the right technical level, at the right point in your Windows® Client adoption and management process. Come see why Springboard Series is your destination for Windows 7.


57 © 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
