WCL312: Maarten van de Bospoort, Application Development Consultant, Microsoft

Maarten van de Bospoort
Application Development Consultant
Microsoft
WCL312
Agenda
Oh, oh. I come from XP.
I’ve done Vista. What did you break now?
That leaves room for improvement.
Top AppCompat Issues
From XP to Win 7
User Account Control
Mandatory Integrity Control
Services Isolation
From Vista to Win 7
Version checking
Miscellaneous
More than just compatible
High DPI
Remote Desktop and Fast User Switching
User Account Control – Why?
Running as administrator increases malware threats
No limits on what an application can do
Install root kits
Install key stroke loggers
Etc.
Enterprises: significant TCO reductions when running with managed systems
Key: run as much as possible as Standard User
User Account Control – How?
Applications run as Standard User by default
What is a Standard User?
Allowed
• Run most applications
• Change per user settings
Not Allowed
• Install applications and drivers
• Change system settings
• Admin “privileges”
UAC Architecture (diagram): the administrator Abby logs on and receives a split token, an Admin Token and a filtered “Standard User” Token. Her App and its Child App run with the Standard User token by default; only an elevated App, and the Child App it launches, run with the Admin Token.
UAC Split Tokens
What is broken by UAC?
Can no longer:
write to Program Files
write to System32
write to some HKLM\Software hives
Create kernel objects in global namespace
Impact on:
file creation in restricted locations
Installers
Custom Actions in MSI
Events, Mutex, Mapped Files, Named Pipes, etc.
OS Mitigation: Data Redirection
Legacy applications that write to secure locations
HKLM\Software; %SystemDrive%\Program Files; %WinDir%\System32
Redirected to:
HKCU\Software\Classes\VirtualStore; %LocalAppData%\VirtualStore\
Intended for “legacy” applications
Might be removed in a future OS version
Redirection removes need for elevation
Not for native x64; no redirection for binaries
Impact:
Per-machine changes silently become per-user changes.
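Added example (not part of the deck, and not Microsoft code): a small C model of the file-system half of this redirection, so you can predict where a legacy write ends up and see the per-user location it becomes. The drive, Windows and AppData paths are constructed sample values a real program would get from the known-folder APIs; the registry half (HKLM\Software to HKCU\Software\Classes\VirtualStore) is not modelled.

```c
/* Added example: models where UAC file virtualization sends a denied write
 * from a 32-bit legacy (manifest-less) process. Not Microsoft code; all
 * folder values are constructed sample paths supplied by the caller. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Windows paths are case-insensitive, so compare prefixes that way. */
static int starts_with_ci(const char *s, const char *prefix)
{
    for (; *prefix; s++, prefix++) {
        if (tolower((unsigned char)*s) != tolower((unsigned char)*prefix))
            return 0;
    }
    return 1;
}

/* Returns 1 and fills 'out' with the VirtualStore path when a write to
 * 'requested' would be redirected; returns 0 when the write goes where
 * the caller asked (no redirection for native x64 binaries, per the slide). */
int virtual_store_path(const char *requested, const char *system_drive,
                       const char *win_dir, const char *local_app_data,
                       int is_native_x64, char *out, size_t out_len)
{
    char prog_files[260];
    const char *tail;
    const char *store_sub;

    if (is_native_x64) return 0;            /* "Not for native x64" */

    snprintf(prog_files, sizeof prog_files, "%s\\Program Files", system_drive);

    if (starts_with_ci(requested, prog_files)) {
        tail = requested + strlen(prog_files);
        store_sub = "Program Files";        /* %LocalAppData%\VirtualStore\Program Files\... */
    } else if (starts_with_ci(requested, win_dir)) {
        tail = requested + strlen(win_dir);
        store_sub = "Windows";              /* %LocalAppData%\VirtualStore\Windows\... */
    } else {
        return 0;                           /* not a protected location */
    }
    /* Require a directory boundary so "C:\Program FilesX" is not matched. */
    if (*tail != '\\' && *tail != '\0') return 0;

    snprintf(out, out_len, "%s\\VirtualStore\\%s%s", local_app_data, store_sub, tail);
    return 1;
}

/* The fix from the "Write to the correct location" slide: per-machine data
 * belongs under ProgramData, per-user data under the user's AppData. */
void correct_data_path(int per_user, const char *program_data, const char *app_data,
                       const char *app, const char *file, char *out, size_t out_len)
{
    snprintf(out, out_len, "%s\\%s\\%s", per_user ? app_data : program_data, app, file);
}

int main(void)
{
    /* Constructed sample environment. */
    const char *drive = "C:", *windir = "C:\\Windows";
    const char *local = "C:\\Users\\TheUser\\AppData\\Local";
    char out[512];

    if (virtual_store_path("C:\\Program Files\\LegacyApp\\settings.ini",
                           drive, windir, local, 0, out, sizeof out))
        printf("legacy write lands in: %s\n", out);

    correct_data_path(1, "C:\\ProgramData", "C:\\users\\TheUser\\AppData",
                      "LegacyApp", "settings.ini", out, sizeof out);
    printf("write per-user data to:  %s\n", out);
    return 0;
}
```

The second helper, correct_data_path, is the fix the later “Write to the correct location” slide recommends: choose ProgramData or the user’s AppData up front instead of relying on redirection, which the deck warns may be removed in a future OS version.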
Data Redirection
Mitigation: Installer Detection
Installers often require administrative rights
Running as Standard User would mean failure
Mitigation: detect strings in the binary’s resources
Setup, install, patch, etc.
Elevate to Administrator
Installer Detection
Fixing UAC bugs
Write to the correct location
             All Users          User
Documents    C:\users\public    C:\users\TheUser
Data         C:\ProgramData     C:\users\TheUser\AppData
• Split up your application in two parts
• Standard user day-to-day part
• Administrator part
• Add a manifest to opt out of mitigation
Manifest: UAC section
MyAdminApp.Exe.Manifest
    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <assembly xmlns="urn:schemas-microsoft-com:asm.v1"
              manifestVersion="1.0">
      <assemblyIdentity version="1.0.0.0"
                        processorArchitecture="X86"
                        name="MyAdminApp"
                        type="win32"/>
      <!-- Identify the application security requirements. -->
      <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
        <security>
          <requestedPrivileges>
            <!-- Straight ASCII quotes: a curly quote here makes the manifest invalid XML. -->
            <requestedExecutionLevel level="asInvoker"/>
          </requestedPrivileges>
        </security>
      </trustInfo>
    </assembly>
Vista / Win 7 “Aware” Application
Vista/Win 7-aware applications embed
an XML manifest
Disables all mitigations
Manifest contains a trustInfo section:
asInvoker
Launch with the same token as the
parent process
highestAvailable
Launch with the highest token this
user possesses
requireAdministrator
Highest token of the user, provided the user is a member of the Administrators group
UAC Issues
Do you?
Write to Program Files, Windows, System32,
HKLM/Software, or Root?
Create kernel objects “globally”?
Try
Running the application elevated (“As Administrator”)
Testing with UAC off
Tools
Process Monitor, Process explorer
Standard User Analyzer
Mandatory Integrity Control (MIC)
Traditional NT security model revolves around process token and resource DACL
Vista/Win7: MIC level assigned to
Each process (medium default)
All resources (medium default)
Basically four levels:
0: Low
1: Medium
2: High
3: System
MIC: Processes and Resources (diagrams): a Medium process (default) can read and write Medium (default) resources and write Low resources; a Low process (PMIE) can read Medium resources but write only Low ones, because MIC denies write-up.
MIC: Processes and Messages (diagram): SendMessage from a Medium process (default) to a Low process (PMIE) is delivered; SendMessage from the Low process up to the Medium process is blocked.
MIC Example: IE. Prior to Vista (diagram): IExplore.exe runs with the user’s full rights. With Admin-Rights Access (install ActiveX control into HKLM and Program Files) an exploit can install MALWARE; with User-Rights Access (change settings, download a picture, cache Web content into HKCU, My Documents, the Startup Folder and Temp Internet Files) an exploit can still install MALWARE, since nothing separates untrusted files & settings from the user’s own.
MIC Example: IE. Vista+ Protected Mode (diagram): Protected Mode IE runs under Integrity Control at Low. Admin-Rights Access (install an ActiveX control into HKLM, HKCR, Program Files) and User-Rights Access (change settings, save a picture into HKCU, My Documents, Startup Folder; cache Web content into Temp Internet Files) each go through a Broker Process, and a Compat Redirector sends untrusted files & settings to redirected settings & files.
MIC Issues
Do you?
Use Windows messages between MIC levels?
See Drag and drop fail?
Use IE to write to user’s %homepath%?
Try
Running the application elevated (“As Administrator”)
Testing with UAC off
Run IE with Protected Mode off
Tools
Process Monitor, Process explorer
Standard User Analyzer
Sessions in XP/W2K/WS03 (diagram): Session 0 holds a single Window Station and Desktop shared by Services, the 1st user’s windows, the Screen Saver and Login; a service window on that shared desktop is exposed to a Shatter Attack.
Sessions in Vista/Windows 7 (diagram): Session 0 keeps its own Window Station and Desktop and hosts only Services; the 1st user’s windows, Screen Saver and Login (Secure desktop) run in Session 1 on a separate Window Station and Desktop.
Session 0 Isolation
Session 0 Issues
Do you
Have services that
interact with the desktop?
communicate with other user mode apps?
create a kernel object to communicate?
Verify
communication between services and applications
services are not relying on interacting with desktop
Guidance
UI: use WTSSendMessage() or CreateProcessAsUser()
kernel objects: have the service create them in the global namespace
The AppCompat “Cookbooks”
Everything else that we haven’t covered
XP-> Vista/2008 -> Win7
“Application Compatibility Cookbook”
“Application Compatibility” on MSDN
Vista -> Win 7
“Windows 7 Application Quality Cookbook”
Windows Vista to Windows 7
Application Compatibility is a main goal
Very few breaking changes
If your app works on Vista, it will likely work on Windows 7
…but there are a few things to verify
Incompatible by Design
Version checking for a specific OS release
Structure of private data and data types
Patching OS calls
Using Registry Values instead of APIs
Non-deterministic Events
Redistributing Windows components
Version Checking
Applications check Windows OS version and
block themselves or modify behavior
If absolutely needed, check for >= OS version
Don’t block
Present a warning message
Allow applications to continue
Check for existence of specific features if that is important
Windows 7 is version 6.1
Version Checks – Stop doing this
    OSVERSIONINFO version;
    version.dwOSVersionInfoSize = sizeof(version);   // GetVersionEx fails without this
    GetVersionEx( &version );
    if ( version.dwMajorVersion != 5 )               // exact match: refuses Vista (6.0) and Win 7 (6.1)
    {
        OnAppExit();
    }
Version Checks – Do this
    // Feature detection instead of version checking: probe for the DLL that
    // provides what you need, newest name first. LoadLibraryFromSystem32 is the
    // deck's helper that loads only from %WinDir%\System32.
    HMODULE LoadAppHelpLibrary(void)
    {
        HMODULE hMod;
        hMod = LoadLibraryFromSystem32(L"Apphelp.dll");
        if (hMod) return hMod;
        hMod = LoadLibraryFromSystem32(L"sdbapiu.dll");
        if (hMod) return hMod;
        hMod = LoadLibraryFromSystem32(L"sdbapi.dll");
        if (hMod) return hMod;
        return NULL;   // none of the candidates is present
    }
Version Check: Shimming
Myapp.exe
GetVersionEx
kernel32.dll
6.1
Version Check: Shim Applied
6.0
Myapp.exe
GetVersionEx()
Shim
kernel32.dll
6.1
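Added example (not from the deck, and not Microsoft code): the two checks above modelled in portable C, together with a stand-in for the version-lie shim on the last two slides, so the difference between an exact-match check and a minimum-version check can be run and tested without Windows. VersionInfo, legacy_check_blocks, meets_minimum, decide_startup and shimmed_get_version are names chosen here; the version numbers 6.0 and 6.1 are the deck’s.

```c
/* Added example: portable model of the version checks on the slides.
 * VersionInfo stands in for dwMajorVersion/dwMinorVersion of OSVERSIONINFO,
 * and shimmed_get_version models what a version-lie shim makes GetVersionEx
 * report. No Windows API is called. */
#include <stdio.h>

typedef struct { unsigned major, minor; } VersionInfo;

/* What real Windows reports: Vista is 6.0, Windows 7 is 6.1. */
static const VersionInfo kVista    = { 6, 0 };
static const VersionInfo kWindows7 = { 6, 1 };

/* The "Stop doing this" check: anything that is not major version 5
 * (XP / Server 2003) makes the app exit, so 6.0 and 6.1 are refused. */
int legacy_check_blocks(const VersionInfo *v)
{
    return v->major != 5;
}

/* The recommended shape: the version you tested on is a minimum, not an
 * exact match. Compare major first, then minor. */
int meets_minimum(const VersionInfo *v, unsigned req_major, unsigned req_minor)
{
    if (v->major != req_major) return v->major > req_major;
    return v->minor >= req_minor;
}

/* "Don't block. Present a warning message. Allow applications to continue." */
enum StartupDecision { RUN_NORMALLY = 0, RUN_WITH_WARNING = 1 };

enum StartupDecision decide_startup(const VersionInfo *v,
                                    unsigned tested_major, unsigned tested_minor)
{
    return meets_minimum(v, tested_major, tested_minor) ? RUN_NORMALLY : RUN_WITH_WARNING;
}

/* Version-lie shim model: a shimmed process sees 'lie' instead of 'real'. */
VersionInfo shimmed_get_version(const VersionInfo *real, const VersionInfo *lie,
                                int shim_applied)
{
    return shim_applied ? *lie : *real;
}

int main(void)
{
    VersionInfo vista_lie = { 6, 0 }, xp_lie = { 5, 1 };   /* constructed lies */
    VersionInfo seen;

    printf("legacy check on real 6.1 blocks:            %d\n", legacy_check_blocks(&kWindows7));
    seen = shimmed_get_version(&kWindows7, &vista_lie, 1);
    printf("legacy check under a 6.0 version lie blocks: %d\n", legacy_check_blocks(&seen));
    seen = shimmed_get_version(&kWindows7, &xp_lie, 1);
    printf("legacy check under a 5.1 version lie blocks: %d\n", legacy_check_blocks(&seen));
    printf("6.1 meets minimum 6.0:                       %d\n", meets_minimum(&kWindows7, 6, 0));
    printf("decision for Vista, app tested on 6.1:       %d\n", decide_startup(&kVista, 6, 1));
    return 0;
}
```

Note that the 6.0 lie drawn on the “Shim Applied” slide does not rescue an application that insists on major version 5; only a 5.x lie gets it past that check. That is why the fix is to replace the check rather than depend on shims, which the “Shims for ISVs” slide reserves for already-released versions.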
Internet Explorer 8
Tabs are running in individual processes
E.g. each tab (process) gets its own ActiveX control
New rendering engine
IE7 (compatibility mode)
IE8
New IE8 user string
Miscellaneous Regressions
Removal of Windows Mail
Removal of Windows Movie Maker
API implementations moved to kernelbase.dll (minwin)
Removal of Windows Registry Reflection
Replacement of WPDUSB.SYS Driver for Windows
Portable Devices
Microsoft Message Queuing (MSMQ)
Check out the Windows 7 Cookbook for the full list
That’s pretty much it
Now let’s make it better
High DPI
Remote Desktop
Fixing your released applications with Shims
High DPI Surprises
Monitor Max Resolution    % Set to Maximum
1280X1024                 56%
1400X1050                 79%
1600X1200                 32%
1680X1050                 66%
1920X1050                 39%
1920X1200                 78%
Avg. set to default       55%
Details
Users with Max Resolution of 1600X1200
User's Chosen Resolution  % using that resolution
640X480                   1%
800X600                   7%
1024X768                  57%
1280X1024                 3%
1600X1200                 32%
Total                     100.00%
Users are lowering their screen resolution to get larger text…
High DPI: Why Do We Care?
High fidelity monitors not fully used
ClearType requires native resolution
Can’t display native high def content
Accidentally select a non-native aspect ratio
Pixelated content does not take advantage of the display
Non-native aspect ratio settings “squish” content
High DPI Issues
Clipped Text
Layout & Image Size Issues
WinForms Issues
Pixelated Bitmaps
Blurry UI
Mismatched Font Sizes
High DPI: test for Windows 7
Windows 7 clean install determines DPI by heuristics
Your helpdesk will hear it more
DWM will “virtualize” and blow you up after 150%
Try running with at least 125% DPI or better 150%
Fix issues and declare DPIAware in the manifest
RDS and Fast User Switching
Remote Desktop (Terminal Services) allows for centralized deployment
End users logging in or running applications “remote” (TS Apps)
FUS is a “light” form of RDP
Exists since XP
Parking one user session, switching to other
Multiple instances of Application can be running
RDP & FUS Compatibility Issues
Concurrency
Resources can be accessed simultaneously
Terminal Service sessions separated from Services
User data privacy
Sound, high CPU in inactive FUS session
Remote devices
Local resources are remote for the application
Remote performance considerations
paints, video, disk I/O, CPU, network are all shared
Wrapping up
Shims for ISVs
Windows 7 Logo
We’re here to help
What are Shims?
Windows components change to support:
new technology
bug fixes
strategy changes
OS changes may fix some, break others
Simulate previous Windows behavior
for an application
Shims for ISVs?
Only for released applications:
future versions need to be fixed
We’ll try to shim your released application
If we missed you, please contact us
Some information we’ll need:
specific scenario that fails
the application
which versions need to be shimmed
Windows 7 Logo
Logo requirements
improve end users’ experience
Make your migration efforts easier
Simplified from Vista
Self test
Links:
List in Windows 7 Compat center
http://go.microsoft.com/?linkid=9661176
Client Logo Program http://msdn.microsoft.com/en-us/windows/dd203105.aspx
Server Logo Program
http://www.innovateon.com/product_server2008.aspx
We are here to help
Forum:
http://social.msdn.microsoft.com/Forums/en-US/windowscompatibility/
World-wide events
Hands-on Testing Labs in Redmond:
[email protected]
Resources
Cookbooks
“Application Compatibility Cookbook”
“Windows 7 Application Quality Cookbook”
MSDN Application Compatibility:
http://msdn.microsoft.com/en-us/windows/aa904987.aspx
TechNet Windows Application Compatibility:
http://technet.microsoft.com/en-us/desktopdeployment/bb414773.aspx
DevReadiness.org
Channel 9:
http://channel9.msdn.com/tags/Application+Compatibility/
Logo:
http://msdn.microsoft.com/en-us/windows/dd203105.aspx
Resources
Sessions On-Demand & Community: www.microsoft.com/teched
Microsoft Certification & Training Resources: www.microsoft.com/learning
Resources for IT Professionals: http://microsoft.com/technet
Resources for Developers: http://microsoft.com/msdn
Related Content
Breakout sessions (session codes and titles)
• WCL302 Are You Breaking My Stuff Again? The Windows 7 App Compat Story
• WCL304 Fix Your Broken Applications: The Black Art of Shims
• WCL401 Not for the Faint of Heart: Hard Core App Compat Debugging
Track Resources
→ Want to find out which Windows Client sessions are best suited to help you in your deployment lifecycle?
→ Want to talk face-to-face with folks from the Windows Product Team?
Meet us today at the Springboard Series Lounge, or visit us at www.microsoft.com/springboard
Springboard Series
The Springboard Series empowers you to select the right resources, at the right
technical level, at the right point in your Windows® Client adoption and management
process. Come see why Springboard Series is your destination for Windows 7.
Complete an evaluation on CommNet and enter to win!
© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should
not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS,
IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.