Application Compatibility Overview Aaron Margosis, Microsoft Corporation http://blogs.msdn.com/b/aaron_margosis http://blogs.technet.com/b/fdcc Agenda Overview of the Windows 7 application compatibility landscape • What breaks and why? • What does Windows.


Application Compatibility Overview
Aaron Margosis, Microsoft Corporation
http://blogs.msdn.com/b/aaron_margosis
http://blogs.technet.com/b/fdcc
Agenda
Overview of the Windows 7 application compatibility landscape
• What breaks and why?
• What does Windows do to fix things?
• What options are available for apps that still break?
Not covered:
• Troubleshooting and remediation details
Why is app-compat hard?
• It never used to be this hard!
• Backward-compatibility used to win
• Shell Folders
• p:\\products\public
• CON, PRN, NUL
• Starting with XP SP2, not anymore
• Customers demanded better security
• Vista was the first major desktop OS release after TWC memo
What Breaks in Windows 7?
Some things that had to change:
Everyone runs as “standard user”
• The infamous User Account Control
• Even admins run as “standard user”
• The single biggest app-compat hit, ever
The Truth About UAC
• The first step toward Standard User
• Required to improve security and TCO
• Suite of technologies to fix stuff, not break it
• Running as standard user breaks stuff
• That’s why no one did it before UAC!
• Users shouldn’t be admins to begin with
• And can’t approve elevation prompts
• Disabling UAC turns off IE Protected Mode
We break – we fix:
UAC’s file and registry “virtualization”
• Redirects access attempts from protected areas to non-roaming parts of user profile
• Transparent to the app
• Fixes many permissions-related issues
• Does not apply to all apps or all file types
• Not related to App-V’s “bubble”
• This is per-user, not per-application
Internet Explorer 8 Standards Compliance
• Meets customer demand, good for the web
• App compat > 80%
• Compatibility View is extremely helpful
• On by default for Intranet
• Quirks mode also helpful, but no admin UI!
• Many tools available for troubleshooting
• Fixes either super easy or require devs
• Hardest problem: server apps for IE6 only
• E.g., Oracle, SAP
• MED-V a potential solution
Internet Explorer Zone Changes (IE7 and Higher)
• Trusted Sites default settings tightened
• Intranet zone now the most permissive
• Only Intranet has automatic Windows authentication
• Trusted Sites now intended for external sites
• Common simple fix for web apps: make sure zone is correct!
Internet Explorer Protected Mode
• Sandboxed environment
• Runs at “Low Integrity”
• Cannot write to most areas of file system or registry
• Limits impact of drive-bys
• IEPM has protected you from exploits
• …if you left UAC enabled
Internet Explorer Protected Mode
• “On” in Internet and Restricted Sites zones
• “Off” in Intranet and Trusted Sites
• May need to configure to recognize Intranet
• External sites can be added to Trusted Sites
• E.g., sites that require Java
• Again – setting zone correctly fixes many web apps
• Other products like the idea!
• Google Chrome
• Office 2010
• Adobe Reader X
Some things that just changed:
Windows version number
• Incorrect version checks: the most common bugs we find
• Making it 6.1 keeps more apps working!
• “Version lie” shims are easy to apply
• And now easier to lie to MSIs
• Still don’t think it can be that common?
Check the Windows version!
// This program requires WinXP or newer.
// Windows XP is version 5.1
// This is easy!
If Not (vMajor >= 5 AND vMinor >= 1) Then
{
DisplayMessage("This program requires Windows XP or newer");
LayDownAndDie;
}
Vista is Windows 6.0: vMajor 6 >= 5, but vMinor 0 >= 1? Oops! Crap!
Win7 as Windows 7.0? vMajor 7 >= 5, but vMinor 0 >= 1? Oops!
Win7 as Windows 6.1? vMajor 6 >= 5 and vMinor 1 >= 1. It works!
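The same check in compilable C, as an added example that is not from the deck: the slide's buggy two-field comparison sits beside a correct pairwise comparison, and both are run over the version numbers the slide uses (XP 5.1, Vista 6.0, Win7 6.1). Windows 2000 (5.0) is added as the genuinely-too-old case; everything else is plain C with no Win32 calls.

```c
#include <stdbool.h>
#include <stdio.h>

/* Version numbers as the platform reports them: Windows XP is 5.1,
 * Vista is 6.0, Windows 7 is 6.1. Windows 2000 (5.0) is included only
 * as the case the check is supposed to reject. */
typedef struct {
    const char *name;
    unsigned major;
    unsigned minor;
} os_version;

/* The slide's bug: "XP or newer" written as two independent field
 * comparisons. Any release whose minor version is 0, such as Vista (6.0),
 * fails on 0 >= 1 even though it is newer than XP. */
bool buggy_requires_xp(unsigned major, unsigned minor)
{
    return major >= 5 && minor >= 1;
}

/* Correct test: compare (major, minor) as a pair. A later major version
 * satisfies the requirement whatever its minor; only an equal major
 * looks at the minor version at all. */
bool version_at_least(unsigned major, unsigned minor,
                      unsigned req_major, unsigned req_minor)
{
    if (major != req_major)
        return major > req_major;
    return minor >= req_minor;
}

bool correct_requires_xp(unsigned major, unsigned minor)
{
    return version_at_least(major, minor, 5, 1);
}

int main(void)
{
    const os_version versions[] = {
        { "Windows 2000",  5, 0 },
        { "Windows XP",    5, 1 },
        { "Windows Vista", 6, 0 },
        { "Windows 7",     6, 1 },
    };
    size_t i;

    printf("%-14s %-8s %-8s %s\n", "OS", "version", "buggy", "correct");
    for (i = 0; i < sizeof versions / sizeof versions[0]; i++) {
        const os_version *v = &versions[i];
        char ver[16];
        snprintf(ver, sizeof ver, "%u.%u", v->major, v->minor);
        printf("%-14s %-8s %-8s %s\n", v->name, ver,
               buggy_requires_xp(v->major, v->minor) ? "runs" : "refuses",
               correct_requires_xp(v->major, v->minor) ? "runs" : "refuses");
    }
    return 0;
}
```

The buggy function is exactly why a "version lie" shim works: it leaves the app's check untouched and simply hands it a (major, minor) pair the check accepts, which is also why reporting Windows 7 as 6.1 rather than 7.0 keeps this class of app running.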
More things that just changed:
Folder locations
• We moved the profiles – again!
• Myth: We did this for no good reason
• Truth: There was probably a good reason
• And we changed where files need to go!
• Myth: No guidance about where to put stuff
• Truth: Well, yeah, but we’re fixing that
• Myth: Everything breaks, apps actually cry
• Truth 1: Correctly-written apps still work
• Truth 2: Junctions fix many bad apps
• Some support for old folder names
• Can traverse, but cannot list
• Can directly access files through old names
• Cannot list contents of these junctions
Where Should I Store Files?
Location (Symbolic Constant and Examples)
Per-User Files
• Visible to user in Explorer: FOLDERID_Documents / CSIDL_MYDOCUMENTS
Windows 7 example: C:\Users\username\Documents
Windows XP equivalent: C:\Documents and Settings\username\My Documents
• Hidden from user, Local: FOLDERID_LocalAppData / CSIDL_LOCAL_APPDATA
Windows 7 example: C:\Users\username\AppData\Local
Windows XP equivalent: C:\Documents and Settings\username\Local Settings\Application Data
• Hidden from user, Roaming: FOLDERID_RoamingAppData / CSIDL_APPDATA
Windows 7 example: C:\Users\username\AppData\Roaming
Windows XP equivalent: C:\Documents and Settings\username\Application Data
Shared Files
• Visible to user in Explorer: FOLDERID_PublicDocuments / CSIDL_COMMON_DOCUMENTS
Windows 7 example: C:\Users\Public\Documents
Windows XP equivalent: C:\Documents and Settings\All Users\Documents
• Hidden from user, Local: FOLDERID_ProgramData / CSIDL_COMMON_APPDATA
Windows 7 example: C:\ProgramData
Windows XP equivalent: C:\Documents and Settings\All Users\Application Data
More things that just changed:
Default color scheme
• Occasional mistake by VB6 devs
• Easy to fix (if you have the source)
• .NET WinForms made themes easy to use
• Oops: everyone tested only on Luna
• Fortunately, we have FakeLunaTheme shim
• Note: apps that work only with one theme probably violate
accessibility laws
• You WILL go to jail! (US law – your laws may be harsher.)
• Push back if app owner insists on Classic Theme
What Do I Do With Broken Apps?
Options for Fixing Broken Apps
in (approximate) order of preference
1. Retire the app
2. Get an updated version of the app (from vendor or your
developers)
3. Modify the installer via transforms or post-install scripts
4. Let UAC file/reg virtualization do its magic
5. Apply shims
6. Change permissions or policies
7. Machine virtualization (MED-V, VDI)
Independent issue: Application virtualization
Retiring Apps
• Maintaining a big inventory is expensive!
• Testing apps you don’t need is expensive!
• Just because it’s there doesn’t mean you need it (and have to test
it)
• Does anyone actually use it?
• How often?
• How critical is it?
• Can it be replaced with something else?
• Excel? Calculator?
• How expensive/complex to repair?
Is the App Supported on Win7?
www.microsoft.com/windows/compatibility
• Search for apps or hardware
• Indicates support/non-support for x86/x64
• Based on vendor’s public claims
• Links to vendor web sites’ claims
Modifying Installers
MSI transforms or post-install scripts
Can fix several bug classes:
• Version check
• “Run once” bug
• App assumes user has admin rights
• Performs final install operations on first run
• “One user” bug
• Installer assumes installing user == end user
• Writes to HKCU, %USERPROFILE%
• Missing components (e.g., MSVBVM50)
Shims
• Applied to specific apps
• Configured with Compatibility Administrator in the App
Compat Toolkit
• Deployable to enterprise
• Changes what the app thinks it sees
• Does not change what app is allowed to do
How Shims Work
[Diagram: a Process containing App.exe and its import address table (IAT). Without a shim, the IAT’s CreateFile entry points straight at Kernel32.dll’s CreateFileW implementation. With a shim, the IAT entry points at the Shim DLL’s CorrectFilePaths implementation, which in turn calls Kernel32.dll’s CreateFileW.]
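The mechanism in the diagram, and the hard-coded-path problem from the “Folder locations” slides that CorrectFilePaths exists for, as an added C example that is not from the deck, not a real shim DLL, and not the Compatibility Administrator’s actual CorrectFilePaths code: the “IAT” is a struct of function pointers, “Kernel32” just records the path it was handed, and installing the shim means overwriting the IAT slot so the app’s unchanged call lands in the shim first. The app name LegacyApp and the from/to path mapping (an admin-only Program Files folder rewritten to the per-user LocalAppData folder) are assumptions chosen for illustration.

```c
#include <stdio.h>
#include <string.h>

#define MAX_PATH_LEN 260

/* One slot of a simulated import address table (IAT). In a real process
 * App.exe's IAT holds the address of kernel32!CreateFileW; the shim engine
 * overwrites that slot so the call lands in the shim DLL first. */
typedef int (*create_file_fn)(const char *path);

typedef struct {
    create_file_fn CreateFile;
} import_table;

/* Stand-in for Kernel32.dll: records the path it was really asked to open
 * and returns a fake handle. */
static char g_last_opened[MAX_PATH_LEN];

static int kernel32_CreateFile(const char *path)
{
    snprintf(g_last_opened, sizeof g_last_opened, "%s", path);
    return 1;
}

const char *last_opened_path(void)
{
    return g_last_opened;
}

/* Stand-in for the shim DLL's CorrectFilePaths entry. The from/to pair is a
 * hypothetical mapping for illustration: a location only administrators can
 * write is rewritten to the per-user, non-roaming LocalAppData folder. */
static const char k_from[] = "C:\\Program Files\\LegacyApp\\";
static const char k_to[]   = "C:\\Users\\username\\AppData\\Local\\LegacyApp\\";

/* The address that sat in the IAT slot before the shim was installed. */
static create_file_fn g_next_CreateFile = kernel32_CreateFile;

int shim_CorrectFilePaths_CreateFile(const char *path)
{
    char fixed[MAX_PATH_LEN];
    size_t from_len = sizeof k_from - 1;

    if (strncmp(path, k_from, from_len) == 0) {
        snprintf(fixed, sizeof fixed, "%s%s", k_to, path + from_len);
        path = fixed;
    }
    /* Forward to whatever was in the slot before. The shim changes what the
     * app sees, not what the app is allowed to do: if the rewritten path
     * were still unwritable, the call would still fail. */
    return g_next_CreateFile(path);
}

/* Installing the shim is patching the IAT slot; App.exe's code is untouched. */
void install_shim(import_table *iat)
{
    g_next_CreateFile = iat->CreateFile;
    iat->CreateFile = shim_CorrectFilePaths_CreateFile;
}

/* The legacy app: saves its settings next to its executable, which worked
 * back when every user was an administrator. */
int app_save_settings(const import_table *iat)
{
    return iat->CreateFile("C:\\Program Files\\LegacyApp\\settings.ini");
}

/* Run the app once, with or without the shim, and report the path that
 * actually reached "Kernel32". */
const char *run_app(int with_shim)
{
    import_table iat = { kernel32_CreateFile };
    if (with_shim)
        install_shim(&iat);
    app_save_settings(&iat);
    return g_last_opened;
}

int main(void)
{
    printf("unshimmed: %s\n", run_app(0));
    printf("shimmed:   %s\n", run_app(1));
    return 0;
}
```

Paths outside the mapped prefix pass through untouched, which is the property that makes a per-app shim safer than loosening ACLs on the original folder: only the one app, and only the one location it gets wrong, is redirected.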
What Are Shims Good For?
• Bad Windows version checks
• Writing to HKCR at runtime
• Unnecessary checks for “am I admin?”
• Writing to WRP-protected keys and files
• Windows thinks your app is an installer
• Some file/registry redirections
When Are Shims Appropriate?
• Source code fix not feasible
• Vendor support not important
• Some considerations…
• Not all general purpose shims have the same … “customer
love” applied in their creation
• The tools are … “primitive”
• Shims management not integrated into other management
tools (e.g. Group Policy)
• You can do a lot with just the Top 10 shims
• But becoming a shim ninja takes time and much practice
Changing Security Settings
• Only if other options don’t work:
• Loosen file or registry permissions
• Allow interactive user to start/stop a particular service or
driver
• Disable an IE security feature (e.g. DEP)
• Relax a security policy (e.g., FIPS crypto)
• Must be done surgically
• Least amount of additional privilege on the smallest number of
objects
• Benefits:
• Results often more predictable than with shims
• Drawbacks:
• Risk of elevation of privilege
• Risk of system instability
• Requires threat modeling – hard to do right
Changing Security Settings:
How I’ve seen some do “standard user” on XP…
• ACL loosening scripts
• Most “required fixes” are now automatic
• Installing apps to writable folders
• Exposes EoP and infection risks
• Granting admin-equivalent rights
• (What could possibly go wrong?)
Microsoft Enterprise Desktop Virtualization
• Machine virtualization solution
• App actually runs on an XP OS
• User sees only the app window
• Centrally managed
• Part of MDOP
• Reasonable IE6 app compat story
• Seamless redirection of the browser
What Can MED-V Do?
• App designed for XP actually runs on XP
• Win7 deployment not held hostage by one app that resists all
other compat solutions
• What it’s good for:
• Web apps that require IE6
• Running 16-bit apps on x64
• Some types of desktop apps
• Microsoft Agent
MED-V:
The rest of the story
• Postpones issues, does not solve them
• You must have an explicit exit strategy
• XP is already out of mainstream support
• XP extended support ends in 2014
• Need RAM, CPU to support guest VM
• Management requirements
• It is a separate computer
• Doesn’t inherit host’s AV, patches, policies, domain
• VM is hibernated when not running an app
• Apps can’t interact with host desktop apps
• E.g., app wants to automate Office apps or send email
Windows XP Mode
Here’s how, right?
What is Windows XP Mode?
• Windows XP SP3 virtual machine
• It’s not really a “mode” within Windows 7
• Similar to MED-V, without manageability
• License included with certain Win7 SKUs
• Designed only for Small Business market
• Install apps in the XP VM; shortcuts in the All Users’ Start Menu
get copied to the host
• Click on shortcut in host Start menu, app appears in a window
• …eventually
Windows XP Mode
More of that story
• All the drawbacks of MED-V, plus
• Does not have MED-V’s IE6 redirection, and
• Default XP Mode user is admin
• Might conflict with enterprise policies
Resources
TechNet Magazine, June 2009: articles by Chris Jackson and Chris Corio
Tools for identifying issues
• General issues: Sysinternals Process Monitor
http://technet.microsoft.com/en-us/sysinternals/bb896645
• Admin permissions issues:
• LUA Buglight
http://blogs.msdn.com/b/aaron_margosis/archive/2011/03/23/lua-buglight-2-1-1-with-support-for-win7-2008r2-sp1.aspx
• Standard User Analyzer (ships with App Compat Toolkit)
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=24da89e9-b581-47b0-b45e-492dd6da2971
requires Application Verifier, downloaded separately:
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=C4A25AB9-649D-4A1B-B4A7-C9D8B095DF18
• For web apps:
• IE’s built-in developer tools (F12 in IE8 and IE9)
• Fiddler
http://www.fiddler2.com
• Expression Web SuperPreview
For More Information
• The Windows Vista and Windows Server 2008 Developer Story:
Application Compatibility Cookbook
http://msdn.microsoft.com/en-us/library/Aa480152
• Windows 7 and Windows Server 2008 R2 Application Quality
Cookbook
(describes changes from Vista to Win7, not from XP to Win7)
http://msdn.microsoft.com/en-us/library/dd371778(VS.85).aspx
• The App Compat Guy (Chris Jackson)’s blog:
http://www.appcompatguy.com
• My blogs:
http://blogs.msdn.com/b/aaron_margosis and
http://blogs.technet.com/b/fdcc
• TechEd online presentations by Chris Jackson and me:
http://www.msteched.com
Stay up to date with TechNet Belux
Register for our newsletters and stay up to date:
http://www.technet-newsletters.be
• Technical updates
• Event announcements and registration
• Top downloads
Join us on Facebook: http://www.facebook.com/technetbe
Download the MSDN/TechNet Desktop Gadget: http://bit.ly/msdntngadget
Facebook: http://www.facebook.com/technetbelux
LinkedIn: http://linkd.in/technetbelux/
Twitter: @technetbelux
TechDays 2011 On-Demand
• Watch this session on-demand via TechNet Edge
http://technet.microsoft.com/fr-be/edge/
http://technet.microsoft.com/nl-be/edge/
• Download to your favorite MP3 or video player
• Get access to slides and recommended resources by the speakers
THANK YOU