Jeremy Chapman
Aaron Margosis
Microsoft
Session Code: CLI310

Title-slide speech bubbles (the questions the session sets out to answer):
"How much is this app compat thing going to cost me?"
"Can I just stroke a check and have the problem go away?"
"Should I just stay on Windows XP?"
"Doesn't App-V just fix it all for me?"
"The MED-V brochure said it fixes 90% of the problems."
"The tool brochure said just virtualize it all and migrate."
"Why did you have to break half of my software?"
"All I need to do is run ACT long enough, and it's fixed, right?"
"The Internets said to just turn off UAC."
"Why can't my company afford a chair for me?"
"No, seriously, can I have a chair, please?"
"Listen, I'm not talking about App Compat until I get a chair."

Approaches covered in this session:
App-V
ACT 5.5
BeyondTrust
Win XP Mode
MED-V
AppDNA
ACF Partners
ChangeBase
Shims
Disable UAC
Why is app-compat hard?
It never used to be this hard!
Backward-compatibility used to trump everything
Shell Folders
p:\\products\public
CON, PRN, NUL
Starting with XP SP2, not anymore
Customers demanded better security
Vista was the first major desktop OS release after the TWC memo.
Some things that had to change
Microsoft Agent was too awesome
Made computers too easy to use
More popular than Solitaire and porn
The single biggest app-compat hit, ever
Nobody uses the Agent control!
Do they?
Some things that had to change
Everyone runs as “standard user”
The infamous User Account Control
Even admins run as “standard user”
The single biggest app-compat hit, ever
Every time you disable UAC…
Steve Ballmer kills a kitten
Please, think of the kittens
Some things that had to change
No more interactive services
“Session 0 isolation”
Side effects – breaks other IPCs that “always” worked before
IE standards compliance
Internet Explorer Protected Mode
64-bit computing
Windows Resource Protection
Some things that just changed
Windows version number changed
Well, duh!
You’d think that couldn’t cause problems!
Why is Windows 7 internally 6.1?
Check the Windows version!
// This program requires WinXP or newer.
// Windows XP is version 5.1
// This is easy!
If Not (vMajor >= 5 AND vMinor >= 1) Then
{
    DisplayMessage("This program requires Windows XP or newer");
    LayDownAndDie;
}

Vista is Windows 6.0: vMajor 6 >= 5, but vMinor 0 >= 1? Oops!
Win7 as Windows 7.0?: vMajor 7 >= 5, but vMinor 0 >= 1! Crap!
Win7 as Windows 6.1: vMajor 6 >= 5, vMinor 1 >= 1. It works!
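As an added example (not code from the deck), here is the slide's check transcribed literally beside a correct pairwise major/minor comparison, evaluated over the versions the slide walks through plus the hypothetical 7.0; the function names `slide_check`, `at_least` and `xp_or_newer` are mine.

```c
#include <stdbool.h>
#include <stdio.h>

/* The slide's broken check, transcribed literally: each field is compared
 * on its own, so any X.0 release newer than 5.1 is rejected. */
static bool slide_check(unsigned major, unsigned minor)
{
    return major >= 5 && minor >= 1;
}

/* A correct "at least X.Y" test compares (major, minor) as a pair:
 * a newer major wins outright; only on an equal major does minor matter. */
static bool at_least(unsigned major, unsigned minor,
                     unsigned need_major, unsigned need_minor)
{
    if (major != need_major)
        return major > need_major;
    return minor >= need_minor;
}

static bool xp_or_newer(unsigned major, unsigned minor)
{
    return at_least(major, minor, 5, 1);   /* Windows XP is 5.1 */
}

int main(void)
{
    /* Constructed table of the versions discussed on the slide. */
    struct { const char *name; unsigned major, minor; } os[] = {
        { "Windows 2000 (5.0)", 5, 0 },
        { "Windows XP (5.1)",   5, 1 },
        { "Windows Vista (6.0)", 6, 0 },
        { "Windows 7 (6.1)",    6, 1 },
        { "hypothetical 7.0",   7, 0 },
    };
    for (size_t i = 0; i < sizeof os / sizeof os[0]; i++)
        printf("%-22s slide check: %-4s  pairwise check: %s\n", os[i].name,
               slide_check(os[i].major, os[i].minor) ? "pass" : "FAIL",
               xp_or_newer(os[i].major, os[i].minor) ? "pass" : "FAIL");
    return 0;
}
```

On Windows the supported way to express the same requirement is VerifyVersionInfo with a condition mask built by VerSetConditionMask, which performs the pairwise comparison for you; this is also exactly the class of bug the deck's later "Bad Windows version checks" shim exists to paper over.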
More things that just changed
New folder locations
We moved the profiles – again!
Default color scheme
What happens when a dev assumes that active title bar text will always be a light color and uses it as a background color?
Aero – desktop composition
We break – we fix: UAC file and registry virtualization
Redirects access attempts from protected areas to non-roaming parts of the user profile
Not related to App-V’s “bubble”
This is per-user, not per-application
Virtual memory
Virtual address space
Virtual communities
NT Virtual DOS Machine (NTVDM)
Java Virtual Machine (JVM)
MS Visual Basic Virtual Machine (MSVBVM)
Virtual processors (hyperthreading)
Virtual reality
Virtual teams
Virtual private network (VPN)
UAC file and registry virtualization
Application virtualization
Machine virtualization (Virtual PC, Virtual Server, Hyper-V)
Virtual Earth
MS Enterprise Desktop Virtualization (MED-V)
Virtual pets
Virtual Desktop Infrastructure (VDI)
virtual keyword (C++, C#)
Virtual directory (IIS)
Virtual overload
It’s the new “.NET”!
We break – we fix
Redirects access attempts from protected areas
to non-roaming parts of user profile
Transparent to the app
Fixes many permissions-related issues
Does not apply to all apps or all file types
New in Win7: Writing to root of C:\ redirects
Some support for old folder names
Can traverse, but cannot list
Can directly access files through old names
Cannot list contents of these junctions
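When an app "saves" a file under Program Files and the file is nowhere to be found, it has usually been redirected by the mechanism above. The helper below is an added example, not from the deck: it computes where such a write lands. It assumes the documented behaviour that writes by an unmanifested 32-bit interactive app to the Program Files, Windows and ProgramData trees are redirected under %LOCALAPPDATA%\VirtualStore with the same drive-relative path; the prefix list, the `virtual_store_path` name and the sample paths are mine.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Protected locations subject to UAC file virtualization (assumed list;
 * redirection also does not apply to executable file types such as .exe
 * and .dll, nor to elevated, manifested or 64-bit processes). */
static const char *const PROTECTED[] = {
    "C:\\Program Files (x86)\\",
    "C:\\Program Files\\",
    "C:\\Windows\\",
    "C:\\ProgramData\\",
};

/* Case-insensitive prefix match: Windows paths are case-insensitive. */
static int has_prefix_ci(const char *s, const char *prefix)
{
    for (; *prefix; s++, prefix++)
        if (tolower((unsigned char)*s) != tolower((unsigned char)*prefix))
            return 0;
    return 1;
}

/* Writes the VirtualStore path for `path` into `out` and returns 1, or
 * returns 0 when the location is not one that virtualization redirects.
 * `local_appdata` is the value of %LOCALAPPDATA%, passed in explicitly so
 * the function can be exercised on any platform. */
int virtual_store_path(const char *path, const char *local_appdata,
                       char *out, size_t out_len)
{
    for (size_t i = 0; i < sizeof PROTECTED / sizeof PROTECTED[0]; i++) {
        if (has_prefix_ci(path, PROTECTED[i])) {
            /* Drop the "C:\" drive prefix and prepend the VirtualStore root. */
            int n = snprintf(out, out_len, "%s\\VirtualStore\\%s",
                             local_appdata, path + 3);
            return n > 0 && (size_t)n < out_len;
        }
    }
    return 0;
}

int main(void)
{
    char buf[512];   /* constructed sample input, not a real machine's path */
    if (virtual_store_path("C:\\Program Files\\OldApp\\settings.ini",
                           "C:\\Users\\alice\\AppData\\Local", buf, sizeof buf))
        printf("redirected to: %s\n", buf);
    return 0;
}
```

The registry side works the same way: an HKLM\SOFTWARE write from such a process shows up under HKCU\Software\Classes\VirtualStore\MACHINE\SOFTWARE, which is where to look when "the setting did not save".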
Fixups auto-applied to some known apps
6307 apps in Win7 RTM
Jet database in %windir%\AppPatch, and
cached information in registry
Checked whenever a new process starts
Created by Windows team; updated by WU
Does not guarantee that the app works
Windows predicts helpful fixes for next run
Displayed after program has been run
Up to user to decide what to do
Please disable in a managed environment
We break – IT admin fixes
Doesn’t it fix everything?
I mean, look at the name!
Strengths
Inventory
Vendor data
CompatAdmin (see Custom Shim Databases)
Developer/Tester Tools
Weaknesses
Compatibility evaluators
Application import
We break – IT admin fixes
TechNet Magazine
June 2009
Articles by Chris Jackson
and Chris Corio
Same mechanisms as the in-box shims
Build shim DBs with tools in the App Compat Toolkit
Easy to use? Let’s see…
Fixing apps is easy!
Good for some kinds of bugs:
Bad Windows version checks
Writing to HKCR at runtime
Unnecessary checks for “am I admin?”
Writing to WRP-protected keys and files
Windows thinks your app is an installer
Some file/registry redirections
Drawbacks…
Not all general purpose shims have the same … "customer love" applied in their creation
The tools are … “primitive”
The main file redirection shim is really, really literal (really)
Shims management story could be … “better”
Compatibility Administrator
How to Fix Stuff
App-V (formerly SoftGrid)
Isolates apps from one another
Does not isolate it from the OS
Side effects of current implementation:
Apps can write anywhere in “the registry”
Apps can be allowed to write to specific files in "protected" locations
Apps actually write to private copies
NOTE: May not be true in future versions of App-V
Lots of goodness beyond app-compat
Packaging and Deployment
Licensing
Drawbacks…
Mitigates only limited types of AC problems
Machine Virtualization
Virtual PC
Virtual PC 2007
Windows Virtual PC
Remote App patch
There is a technical title – if you find it let us know
MED-V: uses machine virtualization
App actually runs on XP or other downlevel OS
User sees only the app window
Similar to Windows XP Mode, but with manageability
Intended for larger organizations
Benefits:
App designed for XP actually runs on XP!
Drawbacks:
Most of the drawback of XP Mode (… next)
Similar to MED-V, without manageability
License for the Windows XP VM included with certain Win7 SKUs
Install apps in the XP VM; shortcuts in the All Users' Start Menu get copied to the host
Click on shortcut in host Start menu, app appears in a window … eventually
App designed for XP actually runs on XP
One critical app that absolutely will not work on Win7 doesn't hold up deployment
What it’s good for:
Web apps that require IE6
Running 16-bit apps on x64
Some types of desktop apps
Microsoft Agent
Trade-offs
XP Mode is not for the enterprise!
XP VM needs maintenance (AV, hotfixes, policies, etc)
VM is hibernated when you’re not running an app
Apps can’t interact with apps on the host
E.g., app wants to send email, or interact with window messaging
May not support custom hardware
Much greater hardware requirements
Incl. Hardware Assisted Virtualization.
Default XP Mode user is admin
Might conflict with enterprise policies
Windows XP Mode
Only if other options don’t work
Loosen file or registry permissions
Allow interactive user to start/stop a particular service or driver
Must be done surgically
Least amount of additional privilege on the smallest number of objects
Benefits:
Results often more predictable than with shims
Drawbacks:
Risk of elevation of privilege
Risk of system instability
Requires threat modeling – hard to do right
Primarily ChangeBase and AppDNA
These tools average 90 – 95% at telling you if the app as a whole will work
False “green” the primary accuracy issue
Will not detect every issue
Complementary to ACT
ACT does runtime analysis
ACT does no better than chance at predicting application breakage for the app as a whole
Absolute last resort
UAC elevation
Enterprise users should not have this option!
3rd party, BeyondTrust Privilege Manager
Decent solution in some cases
Impossible to prevent elevation of privilege
Not a silver bullet…
App doesn’t work – now what?
What are those geeks doing?
Make sure they don't debug what they don't plan to fix (support required)
Layer debugging and remediation
Tier 1: get the repro, run scripted tests of common solutions
Tier 2: leverage tools, configure basic fixes
Tier 3: deep debugging, complex remediation
(typically just a few per customer)
Important: efficient handoff between IT Pros and Developers
Resources
www.microsoft.com/teched
www.microsoft.com/learning
Sessions On-Demand & Community
Microsoft Certification & Training Resources
http://microsoft.com/technet
http://microsoft.com/msdn
Resources for IT Professionals
Resources for Developers
© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.