Windows 7 Application Compatibility

  • Docking windows; Minimize all windows; Show desktop; Live Preview – IE; Peek Preview – Media player; Thumbnail toolbar – Media player
  • OTS - Over the Shoulder Prompts; Explain colors
  • Show application elevation; Show heuristics to detect an installer; Show adding a manifest with Visual Studio 2008; Show Task Manager; UI

    1. Windows 7 Application Compatibility
       Dave Allen
       ISV Application Architect
       Microsoft UK
       Dave.Allen@microsoft.com
    2. Agenda
       Why your application might not work
         User Account Control
         New Folder Locations
         Windows Resource Protection
         Mandatory Integrity Control
         User Interface Privilege Isolation
         Internet Explorer Protected Mode
         OS and IE Versioning
         Session 0 Isolation
         Some less common issues
    3. Some of the cool stuff in Windows 7
       Demo
    4. Why: User Account Control
       OS is at risk from today’s malware when user is running as Administrator
         Ease with which malware can self-install
         Privilege elevation through security holes in software
         Extent of damage caused by malware is potentially greater
       Other issues
         Accidental damage caused by user
    5. How: User Account Control
       With Windows 7 all users run as Standard User by default, including members of Admin group
       Only true for interactive logins; services continue to run as before in Windows XP
    6. How: User Account Control (cont.)
       Two tokens are created at logon (split token)
       Standard User Token
         Administrator SID set as Deny Only (can still be used to deny access, but not to grant)
         Runs with medium integrity level (IL)
         Most privileges removed (e.g. SeDebugPrivilege)
       Administrator Token
         Administrator SID has all rights assigned
         Runs with high integrity level (IL)
         All privileges are present
    7. How: User Account Control (cont.)
       Standard User Token is used until explicit consent is given, then Administrator Token is used (Consent UI) for that particular process
       Supporting feature: Unnecessary Administrator checks (in XP) have been removed
         Example: Change time zone
    8. UAC: Elevation Details
       [Diagram: explorer.exe (Standard User or Protected Administrator) -> ShellExecute(elevatedapp.exe) -> RPC -> AppInfo Service (System) -> consent.exe; AppInfo Service -> CreateProcessAsUser(elevatedapp.exe) -> elevatedapp.exe (Full Administrator, re-parented)]
    9. UAC: OTS Dialogs
    10. UAC Split Token
       Demo
    11. UAC: Running Apps Elevated
       Right click program -> Run as administrator
       Compatibility fix (shim) or mode
         Program properties -> Compatibility tab -> Run as administrator
         RunAsAdmin shim in system shim database
       Installer detection
         Heuristics such as string containing “Setup”, “Install”, or “Update” in:
           Executable name
           Resource strings
         MSIs are always detected as installers
    12. UAC: Running Apps Elevated (cont.)
       Application designed for Windows 7
         UAC manifest with <requestedExecutionLevel>
         All applications should have one
         Removes application compatibility overhead (some Shims, PCA, virtualization) at run time
       Internal manifest (compiled into the application)
         Build manifest into application binary
         Takes precedence
       External manifest (added as a separate file)
         MyApp.exe.manifest
         Unsupported, avoid!
    13. UAC: Internal Manifest (cont.)
       requireAdministrator
         The application runs only for administrators and requires that the application be launched with the full token of an administrator
       asInvoker
         The application runs with the same token as the parent process
       highestAvailable
         The application runs with the highest privileges the current user can obtain
    14. UAC: Internal Manifest (cont.)
       Extract application manifest from executable if it exists:
           mt -inputresource:elevatedapp.exe;#1 -out:extracted.manifest
       Modify the manifest to add UAC request
           <?xml version="1.0" encoding="utf-8"?>
           <asmv1:assembly manifestVersion="1.0" xmlns="urn:schemas-microsoft-com:asm.v1" xmlns:asmv1="urn:schemas-microsoft-com:asm.v1" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
             <assemblyIdentity version="1.0.0.0" name="MyApplication.exe"/>
             <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
               <security>
                 <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3">
                   <requestedExecutionLevel level="asInvoker" uiAccess="false" />
                 </requestedPrivileges>
               </security>
             </trustInfo>
           </asmv1:assembly>
       Insert the modified manifest back into the executable:
           mt -manifest elevatedapp.exe.manifest -outputresource:elevatedapp.exe;#1
    15. Side topic: Compatibility manifest
       Modify the manifest to add OS target
           <?xml version="1.0" encoding="utf-8"?>
           <asmv1:assembly manifestVersion="1.0" xmlns="urn:schemas-microsoft-com:asm.v1" xmlns:asmv1="urn:schemas-microsoft-com:asm.v1" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
             <assemblyIdentity version="1.0.0.0" name="MyApplication.exe"/>
             <compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1">
               <application>
                 <!-- The ID below indicates application support for Windows 7 -->
                 <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>
               </application>
             </compatibility>
           </asmv1:assembly>
    16. Combined Manifest
       Combined UAC and compatibility manifest
           <?xml version="1.0" encoding="utf-8"?>
           <asmv1:assembly manifestVersion="1.0" xmlns="urn:schemas-microsoft-com:asm.v1" xmlns:asmv1="urn:schemas-microsoft-com:asm.v1" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
             <assemblyIdentity version="1.0.0.0" name="MyApplication.exe"/>
             <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
               <security>
                 <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3">
                   <requestedExecutionLevel level="asInvoker" uiAccess="false" />
                 </requestedPrivileges>
               </security>
             </trustInfo>
             <!-- compatibility is a sibling of trustInfo, directly under assembly -->
             <compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1">
               <application>
                 <!-- The ID below indicates application support for Windows 7 -->
                 <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>
               </application>
             </compatibility>
           </asmv1:assembly>
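A manifest audit in the spirit of slides 12 to 16, as an added example that is not part of the original deck: it reports the requested execution level, whether uiAccess is set, and whether the Windows 7 supportedOS entry is present and correctly placed. The sample manifests are constructed; elements are matched by local name, which is an assumption made here for tolerance of namespace variations.

```python
import xml.etree.ElementTree as ET

WIN7_ID = "{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"  # supportedOS Id shown on the slides
LEVELS = ("asInvoker", "highestAvailable", "requireAdministrator")

# Constructed sample manifests, assembled from fragments in the slides' layout.
HEAD = ('<?xml version="1.0" encoding="utf-8"?>\n'
        '<asmv1:assembly manifestVersion="1.0" xmlns="urn:schemas-microsoft-com:asm.v1" '
        'xmlns:asmv1="urn:schemas-microsoft-com:asm.v1">\n'
        '<assemblyIdentity version="1.0.0.0" name="MyApplication.exe"/>\n')
TRUST = ('<trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"><security>'
         '<requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3">'
         '<requestedExecutionLevel level="asInvoker" uiAccess="false"/>'
         '</requestedPrivileges></security></trustInfo>\n')
COMPAT = ('<compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application>'
          '<supportedOS Id="%s"/></application></compatibility>\n' % WIN7_ID)
TAIL = '</asmv1:assembly>\n'

GOOD = HEAD + TRUST + COMPAT + TAIL                       # UAC + compatibility, siblings
NESTED = HEAD + TRUST.replace("</trustInfo>", COMPAT + "</trustInfo>") + TAIL
BARE = HEAD + TAIL                                        # no UAC or compatibility section
ADMIN_UI = (GOOD.replace("asInvoker", "requireAdministrator")
                .replace('uiAccess="false"', 'uiAccess="true"'))


def _local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def audit_manifest(xml_text):
    """Return (level, ui_access, findings) for one application manifest."""
    root = ET.fromstring(xml_text.strip().encode("utf-8"))
    parent_of = {child: parent for parent in root.iter() for child in parent}
    level, ui_access, supported, findings = None, False, set(), []

    for el in root.iter():
        name = _local(el.tag)
        if name == "requestedExecutionLevel":
            level = el.get("level")
            ui_access = el.get("uiAccess", "false").lower() == "true"
        elif name == "supportedOS":
            supported.add(el.get("Id", "").lower())
        elif name == "compatibility" and el is not root and parent_of[el] is not root:
            findings.append("compatibility is nested inside <%s>; it belongs directly "
                            "under assembly" % _local(parent_of[el].tag))

    if level is None:
        # Per the deck, only a manifest turns virtualization and PCA off.
        findings.append("no requestedExecutionLevel: virtualization and PCA stay active")
    elif level not in LEVELS:
        findings.append("unknown execution level %r" % level)
    elif level == "requireAdministrator":
        findings.append("requireAdministrator: every launch needs the full administrator token")
    if ui_access:
        findings.append("uiAccess=true: UIPI opt-out, binary must be signed and "
                        "installed in Program Files")
    if WIN7_ID not in supported:
        findings.append("no Windows 7 supportedOS entry")
    return level, ui_access, findings


if __name__ == "__main__":
    for label, text in (("good", GOOD), ("nested", NESTED),
                        ("bare", BARE), ("admin+uiAccess", ADMIN_UI)):
        print(label, audit_manifest(text))
```

Feed it the file produced by the `mt -inputresource` step on slide 14 to audit a shipped binary.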
    17. UAC: UI Design for Elevation
       Send the BCM_SETSHIELD message to a button control, using SendMessage
         Button.FlatStyle has to be set to System
       Fails for owner-drawn buttons
         Get icon and render in owner draw handler
           HICON shieldIcon = LoadIcon(NULL, IDI_SHIELD);
       Unmanaged code (C++)
         SendMessage call can be invoked more easily using the Button_SetElevationRequiredState macro
       Managed code (C#, VB.NET)
         Use SystemIcons.Shield
    18. Elevation, Manifests, and UI Design
       Demo
    19. Why: Program Compatibility Assistant
       Program Compatibility Assistant (PCA) automates mitigation of some UAC (and more) compatibility issues
       Attempts to detect if a program is an installer
       Client-only feature – not in Server
       PCA monitors attempts to:
         Create a sub folder in “Program Files”
         Copy exe or dll files into the new folder
         Overwrite system files
         Not writing to the “Program Database”
         Etc…
    20. How: Program Compatibility Assistant
       If PCA detects a compatibility issue it…
         Notifies the user AND
         Applies a solution (high confidence) OR
         Offers to apply a solution (medium confidence)
    21. UAC: Virtualization
       Redirects privileged file access to C:\Users\%username%\AppData\Local\VirtualStore
         C:\Program Files
         C:\Windows
       Redirects registry access from HKLM to HKCU\Software\Classes\VirtualStore\MACHINE
       Adding a manifest disables virtualization and the Program Compatibility Assistant (PCA)
    22. UAC: Virtualization (cont.)
       Redirection is “sticky” – reads are re-directed
       Deleting all virtual copies removes the “stickiness”
       Elevated process not affected
       Side effects: multiple virtualized copies (one per user and one for admin)
    23. Virtualization
       Demo
    24. UAC: Symptoms
       Explicit access right error message
       Event Log contains security or application messages indicating security problems
       Application crashes, fails to install, or fails to update for automatic updater
       Application fails to remember saved settings
       Symptoms vary widely and are difficult to diagnose
    25. UAC: Investigation
       Determine whether application was designed to run as administrator
       Run as administrator – does it work?
       Run as standard user – check redirection locations
         C:\Users\%username%\AppData\Local\VirtualStore
         HKCU\Software\Classes\VirtualStore\MACHINE
       Event Log – logs relevant UAC
       Process Monitor (Procmon) for failed access
         http://technet.microsoft.com/en-gb/sysinternals/bb896645.aspx
    26. Event Log
       Demo
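For the investigation step on slide 25, this added example (not from the original deck) maps a protected path to its VirtualStore location and back, and lists files where a per-user virtual copy shadows the machine-wide original, which is the "sticky" read behaviour from slide 22. The profile path, file listing and function names are constructed; only the two roots named on slide 21 are treated as redirected, and the system drive is assumed to be the profile's drive.

```python
import ntpath  # Windows path rules, importable on any OS

PROTECTED_ROOTS = (r"C:\Program Files", r"C:\Windows")   # roots named on slide 21
STORE_SUFFIX = ("AppData", "Local", "VirtualStore")
REG_STORE = r"HKCU\Software\Classes\VirtualStore\MACHINE"

PROFILE = r"C:\Users\alice"                               # constructed profile path
LISTING = [                                               # constructed file listing
    r"C:\Program Files\LegacyApp\settings.ini",
    r"C:\Program Files\LegacyApp\app.exe",
    r"C:\Users\alice\AppData\Local\VirtualStore\Program Files\LegacyApp\settings.ini",
    r"C:\Users\alice\AppData\Local\VirtualStore\Windows\legacy.ini",
    r"C:\Users\alice\Documents\notes.txt",
]


def _under(path, root):
    """Case-insensitive 'path is root or lies below root'."""
    p, r = path.lower(), root.lower()
    return p == r or p.startswith(r + "\\")


def virtual_file(path, profile):
    """Where a redirected write to `path` lands, or None if the path is not redirected."""
    norm = ntpath.normpath(path)          # collapses '..' before the root check
    if not any(_under(norm, root) for root in PROTECTED_ROOTS):
        return None
    rest = ntpath.splitdrive(norm)[1].lstrip("\\")
    return ntpath.join(profile, *STORE_SUFFIX, rest)


def original_file(path, profile):
    """Inverse mapping: the protected path a VirtualStore file stands in for."""
    store = ntpath.join(profile, *STORE_SUFFIX)
    norm = ntpath.normpath(path)
    if not _under(norm, store) or norm.lower() == store.lower():
        return None
    # Assumption: the system drive is the drive that holds the profile.
    return ntpath.splitdrive(profile)[0] + "\\" + norm[len(store) + 1:]


def virtual_key(key):
    """Registry counterpart: HKLM\\... -> HKCU\\Software\\Classes\\VirtualStore\\MACHINE\\..."""
    hive, _, rest = key.partition("\\")
    if hive.upper() not in ("HKLM", "HKEY_LOCAL_MACHINE"):
        return None
    return REG_STORE + ("\\" + rest if rest else "")


def find_shadowed(paths, profile):
    """(original, virtual copy) pairs where both exist, so reads return the user's copy."""
    present = {ntpath.normpath(p).lower() for p in paths}
    pairs = []
    for p in paths:
        orig = original_file(p, profile)
        if orig and orig.lower() in present:
            pairs.append((orig, ntpath.normpath(p)))
    return sorted(pairs)


if __name__ == "__main__":
    for original, copy in find_shadowed(LISTING, PROFILE):
        print("shadowed:", original, "<-", copy)
    print(virtual_key(r"HKLM\SOFTWARE\LegacyApp"))
```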
    27. UAC: MSI’s
       Symptom
         MSI with a custom action fails with a UAC error despite elevation
       Cause
         MSI contains custom action that impersonates the user (default)
         Example: ActionType=1025
           msidbCustomActionTypeInScript (0x400) delayed
           msidbCustomActionTypeDll (0x1) = 0x401
           msidbCustomActionNoImpersonate (0x800) not set
    28. UAC: MSI’s (cont.)
       Fixes
         Redesign to select not impersonating user
           Set bit msidbCustomActionNoImpersonate (0x800)
           Example: ActionType 1025 (0x401) becomes 3073 (0xC01)
         Edit MSI with Orca.exe to change the right ActionType fields
         Run from elevated command prompt
    29. Orca
       Demo
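The bit arithmetic on slides 27 and 28, generalised in an added example (not from the original deck) that scans an exported CustomAction table for deferred actions that still impersonate the user and computes the Type value with 0x800 set. The table content is constructed, the tab-separated .idt export layout is assumed as the input format, and the function names are illustrative.

```python
IN_SCRIPT = 0x400        # deferred execution, msidbCustomActionTypeInScript on the slide
NO_IMPERSONATE = 0x800   # the bit the slide says to set
BASE_TYPES = {1: "Dll", 2: "Exe", 3: "TextData", 5: "JScript", 6: "VBScript", 7: "Install"}

# Constructed sample in the .idt layout: column names, column types,
# table name with its key column, then one row per custom action.
SAMPLE_IDT = (
    "Action\tType\tSource\tTarget\n"
    "s72\ti2\tS72\tS255\n"
    "CustomAction\tAction\n"
    "InstallDriverHelper\t1025\tHelperDll\tInstallDriver\n"
    "SetInstallDir\t51\tINSTALLDIR\t[ProgramFilesFolder]Example\n"
    "RegisterService\t3073\tHelperDll\tRegisterService\n"
    "CleanupTemp\t1030\tCleanupScript\tCleanup\n"
)


def parse_custom_actions(idt_text):
    """Return [(action, type)] from an exported CustomAction table."""
    lines = [ln for ln in idt_text.splitlines() if ln.strip()]
    columns = lines[0].split("\t")
    a_idx, t_idx = columns.index("Action"), columns.index("Type")
    rows = []
    for ln in lines[3:]:                       # skip the three header lines
        cells = ln.split("\t")
        rows.append((cells[a_idx], int(cells[t_idx])))
    return rows


def decode(action_type):
    """Split a Type value into the parts that matter for the UAC failure."""
    return {
        "base": BASE_TYPES.get(action_type & 0x7, "unknown"),
        "deferred": bool(action_type & IN_SCRIPT),
        "no_impersonate": bool(action_type & NO_IMPERSONATE),
    }


def impersonating_deferred_actions(rows):
    """Deferred actions that impersonate the user, with the Type that sets 0x800.

    The no-impersonate bit is an in-script option, so immediate actions are
    skipped. Results are candidates for review, not an automatic patch list.
    """
    out = []
    for action, action_type in rows:
        info = decode(action_type)
        if info["deferred"] and not info["no_impersonate"]:
            out.append((action, action_type, action_type | NO_IMPERSONATE))
    return out


if __name__ == "__main__":
    for action, old, new in impersonating_deferred_actions(parse_custom_actions(SAMPLE_IDT)):
        print("%-20s %d (0x%X) -> %d (0x%X)" % (action, old, old, new, new))
```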
    30. UAC: Self-extracting installer
       Symptom
         Self-extracting EXE or custom wrapper runs elevated and executes a script, but script fails
       Cause
         UAC prompt occurs on self-extracting EXE or custom wrapper, but elevated privileges are not transferred to script
       Fixes
         Redesign to use MSI
         Run from elevated command prompt
           Creates an elevated script engine
    31. UAC: Checking for admin rights
       Symptoms
         Many – from minor feature misbehavior to crash
       Causes
         Application uses
           IsUserAnAdmin, CheckTokenMembership “BUILTIN\Administrators” and similar APIs
           APIs return false when not elevated
       Mitigation
         Shim ForceAdminAccess or ProtectedAdminCheck
       Fix
         GetTokenInformation API
           TokenElevation (elevated or not)
           TokenElevationType (default, full or limited)
    32. UAC: User COM Objects
       Symptoms
         Elevated application cannot instantiate COM object
         Regular application can instantiate the same COM object
       Cause
         COM object is registered per user
         HKEY_CLASSES_ROOT is a virtual registry hive
           HKCU\Software\Classes takes precedence in Windows XP and for medium and low integrity processes in Windows 7
           HKCU\Software\Classes is NEVER used for high integrity processes (elevated) in Windows 7
           Prevents user configuring malicious COM object and tricking elevated task into executing code.
       Mitigation
         Applications that will require administrator rights should register any COM objects during installation to HKLM\Software\Classes.
    33. UAC: Mapped Network Drives
       Symptoms
         Regular mapped network drives (and SUBST) are not visible when running elevated
         Drives mapped from an elevated prompt are not visible in standard processes (including Explorer)
       Causes
         Mappings attached to logon session
         Mapped Network drives are only valid in the context of the user token that mapped them
         Two sets of mapping for split token situation
    34. UAC: Mapped Network Drives (cont.)
       Mitigation
         Automatic mitigation for installers accessing remote drive
         Map each drive in the context of the regular token and elevated token
         Registry entry
           HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = (dword)1
           http://support.microsoft.com/kb/937624
    35. Mapped Network Drives
       Demo
    36. New Folder Locations
       “My Documents” and other user folder locations are changed to provide a better user experience
       The user data is now stored in: ‘\users\%username%’ folder structure
       Pictures, Music, Documents, Desktop, and Favorites are all new folders directly under this structure
       The “My ” prefix was dropped from Documents, Music, etc.
       “All Users” became “Public” and “ProgramData”
    37. New Folder Locations (cont.)
       Differentiation between User and App data
         User does not directly interact with app data
       Identify specific locations using
         SHGetFolderPath or SHGetKnownFolderPath
         System.Environment namespace
       Shared User Data (Documents)
         C:\Users\Public\Documents
         CSIDL_COMMON_DOCUMENTS
         FOLDERID_PublicDocuments
    38. New Folder Locations (cont.)
       Per User Data (Documents)
         C:\Users\%username%\Documents
         CSIDL_MYDOCUMENTS
         FOLDERID_Documents
         SpecialFolder.MyDocuments
    39. New Folder Locations (cont.)
       Shared Application Data
         C:\ProgramData\MyAppName
         %AllUsersProfile%\MyAppName
         CSIDL_COMMON_APPDATA
         FOLDERID_ProgramData
         SpecialFolder.CommonApplicationData
       Set permissions (ACL) for folders in shared application data area during install
    40. New Folder Locations (cont.)
       Per User Application Data (local)
         C:\Users\%username%\AppData\Local
         %LOCALAPPDATA%
         CSIDL_LOCAL_APPDATA
         FOLDERID_LocalAppData
         SpecialFolder.LocalApplicationData
    41. New Folder Locations (cont.)
       Per User Application Data (roaming)
         C:\Users\%username%\AppData\Roaming
         %APPDATA%
         CSIDL_APPDATA
         FOLDERID_RoamingAppData
         SpecialFolder.ApplicationData
    42. New Folder Locations (cont.)
       Localization Changes
         Localized folder names used to be the actual name (e.g., “C:\Programme”) and an English name was not provided
         In Windows 7, all folders have English names (e.g., “C:\Program Files”) and a junction point with the localized name is provided (e.g., “C:\Programme”)
         Explorer displays the localized name for the actual directory
    43. New Folder Locations: Mitigation
       Directory junctions
         Provides backward compatibility for hard-coded paths
         ‘Documents and Settings’ -> ‘Users’
         ‘My Documents’ -> ‘Documents’
         ‘Programme’ -> ‘Program Files’
    44. New Folder Locations: Fixes
       Never hard code absolute paths
         AppVerifier includes a test
       Script: environment variables
       Unmanaged code (C++/C)
         SHGetFolderPath function (CSIDL_...)
         SHGetKnownFolderPath (FOLDERID_...)
           Vista and later
       Managed code (C#, VB.NET)
         System.Environment.GetFolderPath
         Enum System.Environment.SpecialFolder
         Microsoft.VisualBasic.FileIO.SpecialDirectories
         My.Computer.FileSystem.SpecialDirectories
    45. Q & A
    46. Why: Windows Resource Protection
       Core operating system files and registry keys can be overwritten with older versions or malicious code causing serious stability and security issues
       Windows Resource Protection (WRP) is designed to protect those objects from being overwritten
       Increases system stability, predictability, and reliability
       Replaces Windows File Protection in Windows XP
    47. How: Windows Resource Protection
       Updates to protected resources restricted
         OS trusted installers (Windows Update)
         ACL on resources
       Affects specific files, folders, and registry keys
         Majority of core OS modules (EXE and DLL)
         Majority of core OS HKCR Registry Keys
         Folders used exclusively by OS resources
    48. WRP
       Demo
    49. Mandatory Integrity Control
       Windows 7 implements Mandatory Integrity Control (MIC)
       Processes run at one of four Integrity Levels:
         System processes run at System IL
         Applications that require administrative privileges run at High IL
         Standard applications run at Medium IL
         Restricted apps run at Low IL
       Securable objects (Files, Processes, Windows Stations, Message queues) define the minimum IL for a process to access them
       Default IL for objects: Medium
    50. User Interface Privilege Isolation
       UIPI uses MIC’s Integrity Levels to restrict sending window messages
       Applications cannot send messages to other applications running at a higher integrity level
         Higher application can allow access
         SendMessage returns success to mitigate failures
       Where compatibility impact is high, lower IL applications can be manifested to opt out of UIPI
         Manifested
         Signed (authenticated)
         Installed in “Program Files”
    51. MIC and UIPI
       [Diagram: objects and processes at High, Medium and Low integrity levels, with Read, Write and Send arrows between them]
    52. Integrity Levels
       Security IDs (SIDs) for integrity levels
       RID defines the integrity level
         Low: S-1-16-4096 (0x1000)
         Medium: S-1-16-8192 (0x2000)
         High: S-1-16-12288 (0x3000)
         System: S-1-16-16384 (0x4000)
    53. Why: IE Protected Mode
       [Diagram: IExplore.exe. Actions: install an ActiveX control (exploit can install malware); change settings, download a picture (exploit can install malware); cache Web content. Targets: Admin-Rights Access (HKLM, Program Files); User-Rights Access (HKCU, My Documents, Startup Folder); Temp Internet Files (untrusted files & settings)]
    54. How: IE Protected Mode
       In Windows 7, Microsoft Internet Explorer 8 runs in Protected Mode (IEPM) for non-trusted sites (installation default)
       IE runs as separate process instances for different protection modes
         Prevents buffer overflow exploits from affecting higher trust level sites
         Required by IEPM’s underlying mechanism:
           Mandatory Integrity Control (MIC)
           User Interface Privilege Isolation (UIPI)
    55. How: IE Protected Mode (cont.)
       Integrity Levels (IL) for IE
         IEPM: Low Integrity Level
         Unprotected: Medium Integrity Level
       Low-integrity processes (such as IEPM) can only write to folders, files, and registry keys that are also marked as low-integrity
         Temporary Internet Files folder
         %TEMP%\Low
         History folder
         Cookies folder
         Favorites folder
         Windows Temporary Files folders
         %userprofile%\AppData\LocalLow
    56. IEPM: Compatibility Impact
       Attempts by ActiveX controls to modify medium and higher IL objects fail
         e.g. writing to the user’s Documents folder
       ActiveX controls fail to install
       Automatic mitigations
    57. IEPM: Automatic Mitigation
       [Diagram: IExplore in Protected Mode, behind Integrity Control and UIPI. Install an ActiveX control goes through IEInstall.exe (Admin-Rights Access: HKLM, HKCR, Program Files); change settings, drag and drop go through IEUser.exe (User-Rights Access: HKCU, My Documents, Startup Folder); cache Web content goes to Temp Internet Files (untrusted files & settings); Compat Layer provides redirected settings & files]
    58. IEPM: Manual Mitigation
       Redesign the site to function properly in Protected Mode
       Add site to trusted sites
         Protected Mode is not enabled for trusted sites
       Use ActiveX Install Services (AXIS) for enterprise deployments
    59. AXIS: How it works
       IE parses a page that requires an ActiveX control
       If the user is a Standard User, the AXIS is called
       The AXIS will perform a lookup in the Allowed Installation Sites list deployed via Group Policy
       If the Host URL is within policy, the control will be downloaded by the service
       If the control meets the signing criteria, it will be installed as the LocalSystem account
    60. AXIS: Enabling the Service
       AXIS is an optional component that must be enabled
         Deploy through SMS
         Run cmd.exe as Administrator, then run this command: ocsetup.exe AxInstallService
         Control Panel -> Programs -> Turn Windows Features On or Off
    61. AXIS: Configuring the Policy
       Run gpedit.msc
       Navigate to Computer Settings
         Administrative Templates
         Windows Components
         ActiveX Installer Services
       Enter Host URL and policy for each trusted site
         Must specify protocol: http or https (preferred)
         Example: http://download.microsoft.com
         Best Policy 2, 1, 0, 0
    62. Q & A
    63. Windows and IE Versions
       Internal version number for Windows 7 is 6.1 – this is what is returned by GetVersion()
       Version number for Internet Explorer is 8.0
         Version number is included in User Agent String
         User Agent String is included in HTTP header
    64. Windows Version Mitigation
       Compatibility mode is provided in Windows 7
         Users can right-click the shortcut or the EXE and apply the Windows XP SP2 compatibility mode from the Compatibility tab. This applies multiple shims including “WinXPSP2VersionLie”
         PCA automates step for installers
       Better: Apply the shim “WinXPSP2VersionLie”
       In many cases, applications will work the same way they did in Windows XP and there is no need for changes to them
    65. Windows Version Mitigation (cont.)
       'Reinstall using recommended settings'
         Applies the Windows XP compatibility mode and restarts the program
         The fix is effective for all users (stored in HKLM)
    66. Windows Version Remediation
       Applications should not perform version checks for equality, e.g. == 5.1
         If you need a specific feature, check whether the feature is installed or available
         If you need Windows XP, check for Windows XP or later (>= 5.1)
       Exceptions to this occur when there is a very specific business or legal need to do a version check, such as when a regulatory body requires you to certify your application for each operating system and version
    67. Windows Version Numbers
       Demo
    68. IE8 Version Symptoms
       Web sites may render incorrectly
         CSS and JavaScript compliance changes
         Renders in IE8 Standards Mode for Internet sites
       Web sites that check the User Agent String for the IE version will get higher version number
         Web sites might refuse to load
         Web sites might reduce functionality
    69. IE8 Version Mitigations
       IE7 Compatibility Mode
         Default setting for intranet sites
         Can be controlled from the server
           For a single Web Page
           For a directory, application, or site
         Add <meta http-equiv="X-UA-Compatible" content="IE=EmulateIE7" /> to the page or response header
         See http://support.microsoft.com/kb/968499 for different options
    70. IE7 Compatibility Mode
       In a Web Page
           <html>
             <head>
               <title>My Web Page</title>
               <!-- Use IE7 mode -->
               <meta http-equiv="X-UA-Compatible" content="IE=EmulateIE7"/>
             </head>
             <body>
               <p>Content goes here.</p>
             </body>
           </html>
    71. IE7 Compatibility Mode
       In the web.config
           <?xml version="1.0" encoding="utf-8"?>
           <configuration>
             <system.webServer>
               <httpProtocol>
                 <customHeaders>
                   <clear />
                   <add name="X-UA-Compatible" value="IE=EmulateIE7"/>
                 </customHeaders>
               </httpProtocol>
             </system.webServer>
           </configuration>
    72. IE8 Standards Mode
       In a Web Page
           <html>
             <head>
               <title>IE8 Standards Mode Web Page</title>
               <!-- Use IE8 Standards Mode -->
               <meta http-equiv="X-UA-Compatible" content="IE=IE8"/>
             </head>
             <body>
               <h1>Hi from IE8 Standards Mode</h1>
             </body>
           </html>
    73. Expression SuperPreview
       Stand-alone visual debugging tool
       Shows web pages rendered in IE 6 and either IE 7 or 8, depending on which version you have installed on your machine.
       View pages side by side or as an onion-skin overlay and use rulers, guides and zoom/pan tools to precisely identify differences in layout.
    74. Expression SuperPreview
       Demo
    75. Sessions in Windows XP / Server 2003
       [Diagram: Session 0 contains one Window Station and Desktop shared by Services, the 1st User’s Windows, Screen Saver and Login]
    76. Sessions in Windows 7
       [Diagram: Session 0 and Session 1, each with its own Window Station and Desktop; labels: Service, Service, 1st User’s Window (x3), Screen Saver, Login, Secure]
    77. Session 0: Compatibility Impact
       A service and a user application that use window message functions (e.g. SendMessage, PostMessage) to communicate will silently fail
       A service and a user application that use local objects to communicate will silently fail
       A service that uses a UI to interact with the user will display the UI on a special desktop which is inaccessible
       Applications that work with Fast User Mode Switching will probably continue to work
    78. Session 0 Isolation
       Demo
    79. Less Common Issues
       Painting Behavior
       Deprecated Components
       Managed Code for .NET 1.x
       64-bit Vista
    80. Painting behavior
       Why: To improve user experience
       How: All top-level windows are rendered to an off-screen bitmap; Desktop Window Manager combines the images to draw the desktop
       Impact: Some applications will render incorrectly
       Mitigation: Disable desktop composition
         Apply shim “DisableDWM”
         Properties -> Compatibility Tab -> Disable desktop composition
       Fixes: Redesign application to not assume that it is rendering directly to the screen
    81. Disabling Desktop Composition
       Demo
    82. Deprecated components
       Windows Help (WinHlp32.exe)
         Available as a download
         CHM is now the preferred option
       Graphical Identification and Network Authentication (GINA) modules
       Removal of Windows Mail
         Disables CoStartOutlookExpress
         File associations (.eml, .nws, .contact, .group, .wab, .p7c, .vfc) are broken or disabled
         Install Windows Live Mail
    83. Deprecated components (cont.)
       Removal of Windows Movie Maker
         Install Windows Live Movie Maker
       Microsoft Agent technologies
       Removal of Windows Registry Reflection
       PCA instruments CoCreateInstance API and the Loader (NTDLL)
         Detect load failures on deprecated COM objects and DLLs respectively
         Uses Windows Error Reporting (WER) to retrieve
           Knowledge Base article or link to download deprecated component
    84. Managed code for .NET 1.x
       Symptom
         Managed code written for .NET 1.x fails (error message or crash)
       Cause
         Application depends on .NET 1.x feature AND
         Application does not specify <supportedRuntime> or <requiredRuntime> in configuration file
         Note: .NET 1.0 did not support <supportedRuntime>
       Fix
         Add <supportedRuntime version="v1.1.4322"/> to <appname>.exe.config
    86. 64 bit
       WoW64 allows 32-bit applications to run on 64-bit Windows, but compatibility issues may still exist
       Not supported
         16-bit applications and installers
           Limited support for some installers
         32-bit kernel mode drivers
         32-bit user mode printer drivers
       Kernel patching (x64 only)
         Patchguard prevents applications from patching the Kernel. If this is detected, a shut down will be initiated
       Windows Server 2008 R2 – 64 bit ONLY
    87. Windows 7 Logo Program
       Benefits
         Compatibility message to your customers
         Joint marketing
         Partner Points
       Requirements
         ISVs must sign up to receive their crash data from WER
         Use AppVerifier as part of development lifecycle
         Install to correct folder locations
         Sign binary executables
         Include a manifest and run as a standard user
         Support Restart Manager
         64 bit support
         Etc...
    88. Windows 7 Logo Program Roadmap
       Follow these steps to verify that your application complies with the Windows 7 Client Software Logo technical requirements:
         Download and install the Windows 7 Client Software Logo Toolkit
         Run the Toolkit to validate your application
         Ensure the application adheres to all policies
         Accept and sign all legal agreements
         Opt in to receive communications from Microsoft about your product(s)
         Mail a licensed copy of your software to Microsoft
         Upon successful completion of validation testing submit the results to Microsoft
    89. Tools, documentation, and help
       Application Verifier: http://go.microsoft.com/fwlink/?linkid=11573
       Standard User Analyzer: http://www.microsoft.com/downloads/details.aspx?FamilyId=24DA89E9-B581-47B0-B45E-492DD6DA2971&displaylang=en
       Windows 7 Application Quality Cookbook: http://code.msdn.microsoft.com/Release/ProjectReleases.aspx?ProjectName=Windows7AppQuality&ReleaseId=1734
       Windows 7 Training Kit for Developers: http://www.microsoft.com/downloads/details.aspx?FamilyID=1C333F06-FADB-4D93-9C80-402621C600E7&displaylang=en
       Application Compatibility Forum: http://social.msdn.microsoft.com/Forums/en-US/windowscompatibility/threads/
    90. Call to action
       Get ready for Windows 7 deployments
         Test your applications on Windows 7
       Make use of resources that are available now
         Joint marketing
         Free technical support
         Free App Compat Labs
         Latest tools
         Active discussion forums
       Tell Microsoft and your customers
         Update Greenlight Web Site
         Consider Windows 7 Logo certification
    91. Resources
       Windows Application Compatibility: http://msdn.microsoft.com/en-us/windows/aa904987.aspx
       Developer for Windows 7 on MSDN: http://msdn.microsoft.com/en-us/windows/dd433113.aspx
       IE8 Readiness Toolkit: http://www.microsoft.com/windows/internet-explorer/readiness/developers-new.aspx
       Windows API Code Pack: http://code.msdn.microsoft.com/WindowsAPICodePack
       Greenlight Web Site: http://www.isvappcompat.com/uk
       UK DPE Briefings and Labs: http://blogs.msdn.com/ukisvdev/archive/2009/06/09/windows-7-application-compatibility-briefings-and-drop-in-clinic.aspx
    92. © 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
       The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
