Windows 7 Application Compatibility
Published in: Technology, Business
  • Docking windows; Minimize all windows; Show desktop; Live Preview – IE; Peek Preview – Media player; Thumbnail toolbar – Media player
  • OTS - Over the Shoulder Prompts; Explain colors
  • Show application elevation; Show heuristics to detect an installer; Show adding a manifest with Visual Studio 2008; Show Task Manager; UI
  • Transcript

    • 1. Windows 7 Application Compatibility
      Dave Allen
      ISV Application Architect
      Microsoft UK
      Dave.Allen@microsoft.com
    • 2. Agenda
      Why your application might not work
      User Account Control
      New Folder Locations
      Windows Resource Protection
      Mandatory Integrity Control
      User Interface Privilege Isolation
      Internet Explorer Protected Mode
      OS and IE Versioning
      Session 0 Isolation
      Some less common issues
    • 3. Some of the cool stuff in Windows 7
      Demo
    • 4. Why: User Account Control
      OS is at risk from today’s malware when user is running as Administrator
      Ease with which malware can self-install
      Privilege elevation through security holes in software
      Extent of damage caused by malware is potentially greater
      Other issues
      Accidental damage caused by user
    • 5. How: User Account Control
      With Windows 7 all users run as Standard User by default, including members of Admin group
      Only true for interactive logins; services continue to run as before in Windows XP
    • 6. How: User Account Control (cont.)
      Two tokens are created at logon (split token)
      Standard User Token
      Administrator SID set as Deny Only (can still be used to deny access, but not to grant)
      Runs with medium integrity level (IL)
      Most privileges removed (e.g. SeDebugPrivilege)
      Administrator Token
      Administrator SID has all rights assigned
      Runs with high integrity level (IL)
      All privileges are present
    • 7. How: User Account Control (cont.)
      Standard User Token is used until explicit consent is given, then Administrator Token is used (Consent UI) for that particular process
      Supporting feature: Unnecessary Administrator checks (in XP) have been removed
      Example: Change time zone
    • 8. UAC: Elevation Details
      [Diagram: elevation flow between explorer.exe, the AppInfo Service, consent.exe and elevatedapp.exe. Labels: Standard User or Protected Administrator; System; Full Administrator; ShellExecute(elevatedapp.exe); RPC; RPC; CreateProcessAsUser(elevatedapp.exe); Re-parented]
    • 9. UAC: OTS Dialogs
    • 10. UAC Split Token
      Demo
    • 11. UAC: Running Apps Elevated
      Right click program -> Run as administrator
      Compatibility fix (shim) or mode
      Program properties -> Compatibility tab -> Run as administrator
      RunAsAdmin shim in system shim database
      Installer detection
      Heuristics such as string containing “Setup”, “Install”, or “Update” in:
      Executable name
      Resource strings
      MSIs are always detected as installers
    • 12. UAC: Running Apps Elevated (cont.)
      Application designed for Windows 7
      UAC manifest with <requestedExecutionLevel>
      All applications should have one
      Removes application compatibility overhead (some Shims, PCA, virtualization) at run time
      Internal manifest (compiled into the application)
      Build manifest into application binary
      Takes precedence
      External manifest (added as a separate file)
      MyApp.exe.manifest
      Unsupported, avoid!
    • 13. UAC: Internal Manifest (cont.)
      requireAdministrator
      The application runs only for administrators and requires that the application be launched with the full token of an administrator
      asInvoker
      The application runs with the same token as the parent process
      highestAvailable
      The application runs with the highest privileges the current user can obtain
    • 14. UAC: Internal Manifest (cont.)
      Extract application manifest from executable if it exists:
      mt -inputresource:elevatedapp.exe;#1 -out:extracted.manifest
      Modify the manifest to add UAC request
      <?xml version="1.0" encoding="utf-8"?>
      <asmv1:assembly manifestVersion="1.0" xmlns="urn:schemas-microsoft-com:asm.v1" xmlns:asmv1="urn:schemas-microsoft-com:asm.v1" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
        <assemblyIdentity version="1.0.0.0" name="MyApplication.exe"/>
        <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
          <security>
            <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3">
              <requestedExecutionLevel level="asInvoker" uiAccess="false" />
            </requestedPrivileges>
          </security>
        </trustInfo>
      </asmv1:assembly>
      Insert the modified manifest back into the executable:
      mt -manifest elevatedapp.exe.manifest -outputresource:elevatedapp.exe;#1
    • 15. Side topic: Compatibility manifest
      Modify the manifest to add OS target
      <?xml version="1.0" encoding="utf-8"?>
      <asmv1:assembly manifestVersion="1.0" xmlns="urn:schemas-microsoft-com:asm.v1" xmlns:asmv1="urn:schemas-microsoft-com:asm.v1" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
        <assemblyIdentity version="1.0.0.0" name="MyApplication.exe"/>
        <compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1">
          <application>
            <!-- The ID below indicates application support for Windows 7 -->
            <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>
          </application>
        </compatibility>
      </asmv1:assembly>
    • 16. Combined Manifest
      Combined UAC and compatibility manifest
      <?xml version="1.0" encoding="utf-8"?>
      <asmv1:assembly manifestVersion="1.0" xmlns="urn:schemas-microsoft-com:asm.v1" xmlns:asmv1="urn:schemas-microsoft-com:asm.v1" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
        <assemblyIdentity version="1.0.0.0" name="MyApplication.exe"/>
        <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
          <security>
            <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3">
              <requestedExecutionLevel level="asInvoker" uiAccess="false" />
            </requestedPrivileges>
          </security>
        </trustInfo>
        <!-- compatibility is a child of assembly, next to trustInfo -->
        <compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1">
          <application>
            <!-- The ID below indicates application support for Windows 7 -->
            <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>
          </application>
        </compatibility>
      </asmv1:assembly>
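
An added example, not part of the original presentation: a small Python audit that reads an application manifest and reports the settings slides 12 to 16 discuss. The finding codes and the LEGACY and ELEVATED manifests are constructed for illustration; COMBINED follows the slide's combined manifest.

```python
import xml.etree.ElementTree as ET

# supportedOS Id for Windows 7, as given on the slide.
WINDOWS_7_ID = "{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"

# Constructed sample inputs. COMBINED mirrors the slide's combined manifest.
COMBINED = """<?xml version="1.0" encoding="utf-8"?>
<asmv1:assembly manifestVersion="1.0" xmlns="urn:schemas-microsoft-com:asm.v1"
    xmlns:asmv1="urn:schemas-microsoft-com:asm.v1">
  <assemblyIdentity version="1.0.0.0" name="MyApplication.exe"/>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
    <security>
      <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3">
        <requestedExecutionLevel level="asInvoker" uiAccess="false"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
  <compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1">
    <application>
      <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>
    </application>
  </compatibility>
</asmv1:assembly>"""

LEGACY = """<assembly manifestVersion="1.0" xmlns="urn:schemas-microsoft-com:asm.v1">
  <assemblyIdentity version="1.0.0.0" name="LegacyTool.exe"/>
</assembly>"""

ELEVATED = """<assembly manifestVersion="1.0" xmlns="urn:schemas-microsoft-com:asm.v1">
  <assemblyIdentity version="1.0.0.0" name="AdminTool.exe"/>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="requireAdministrator" uiAccess="true"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>"""


def _local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def inspect_manifest(xml_text):
    """Return the UAC and OS-compatibility settings found in a manifest."""
    root = ET.fromstring(xml_text.strip().encode("utf-8"))
    info = {"level": None, "ui_access": False, "supported_os": []}
    for el in root.iter():
        if not isinstance(el.tag, str):      # skip comments / processing instructions
            continue
        name = _local(el.tag)
        if name == "requestedExecutionLevel":
            info["level"] = el.get("level")
            info["ui_access"] = el.get("uiAccess", "false").lower() == "true"
        elif name == "supportedOS":
            info["supported_os"].append(el.get("Id", "").lower())
    return info


def review(xml_text):
    """Return finding codes (names chosen for this example) for one manifest."""
    info = inspect_manifest(xml_text)
    findings = []
    if info["level"] is None:
        # No UAC manifest: virtualization and PCA stay active (slides 12, 21).
        findings.append("no-execution-level")
    elif info["level"] in ("requireAdministrator", "highestAvailable"):
        # The process can receive the full administrator token (slide 13).
        findings.append("requests-elevation")
    if info["ui_access"]:
        # uiAccess="true" is the manifest opt-out from UIPI (slide 50).
        findings.append("ui-access")
    if WINDOWS_7_ID not in info["supported_os"]:
        findings.append("no-windows7-supportedos")
    return findings


if __name__ == "__main__":
    for label, text in (("COMBINED", COMBINED), ("LEGACY", LEGACY), ("ELEVATED", ELEVATED)):
        print(label, inspect_manifest(text), review(text))
```

Feed it the file produced by the mt -inputresource step on slide 14 to review a shipped binary.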
    • 17. UAC: UI Design for Elevation
      Send the BCM_SETSHIELD message to a button control, using SendMessage
      Button.FlatStyle has to be set to System
      Fails for owner-drawn buttons
      Get icon and render in owner draw handler
      HICON shieldIcon = LoadIcon(NULL, IDI_SHIELD);
      Unmanaged code (C++)
      SendMessage call can be invoked more easily using the Button_SetElevationRequiredState macro
      Managed code (C#, VB.NET)
      Use SystemIcons.Shield
    • 18. Elevation, Manifests, and UI Design
      Demo
    • 19. Why: Program Compatibility Assistant
      Program Compatibility Assistant (PCA) automates mitigation of some UAC (and more) compatibility issues
      Attempts to detect if a program is an installer
      Client-only feature – not in Server
      PCA monitors attempts to:
      Create a sub folder in “Program Files”
      Copy exe or dll files into the new folder
      Overwrite system files
      Not writing to the “Program Database”
      Etc…
    • 20. How: Program Compatibility Assistant
      If PCA detects a compatibility issue it…
      Notifies the user AND
      Applies a solution (high confidence) OR
      Offers to apply a solution (medium confidence)
    • 21. UAC: Virtualization
      Redirects privileged file access to C:\Users\%username%\AppData\Local\VirtualStore
      C:\Program Files
      C:\Windows
      Redirects registry access from HKLM to HKCU\Software\Classes\VirtualStore\MACHINE
      Adding a manifest disables virtualization and the Program Compatibility Assistant (PCA)
    • 22. UAC: Virtualization (cont.)
      Redirection is “sticky” – reads are re-directed
      Deleting all virtual copies removes the “stickiness”
      Elevated process not affected
      Side effects: multiple virtualized copies (one per user and one for admin)
    • 23. Virtualization
      Demo
    • 24. UAC: Symptoms
      Explicit access right error message
      Event Log contains security or application messages indicating security problems
      Application crashes, fails to install, or fails to update for automatic updater
      Application fails to remember saved settings
      Symptoms vary widely and are difficult to diagnose
    • 25. UAC: Investigation
      Determine whether application was designed to run as administrator
      Run as administrator – does it work?
      Run as standard user – check redirection locations
      C:\Users\%username%\AppData\Local\VirtualStore
      HKCU\Software\Classes\VirtualStore\MACHINE
      Event Log – logs relevant UAC
      Process Monitor (Procmon) for failed access
      http://technet.microsoft.com/en-gb/sysinternals/bb896645.aspx
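
An added example, not part of the original presentation: a Python helper for the "check redirection locations" step, mapping a protected path an application tried to write to the VirtualStore location where the data would have landed. The user name, the sample paths and the function names are constructed; the registry mapping is narrowed to HKLM\Software, the subtree that registry virtualization covers, and the sub-path is assumed to be preserved beneath the VirtualStore root.

```python
import ntpath

# Roots listed on the virtualization slide.
PROTECTED_DIRS = (r"\Program Files", r"\Windows")
HKLM_PREFIXES = ("HKLM\\", "HKEY_LOCAL_MACHINE\\")
REG_STORE = r"HKCU\Software\Classes\VirtualStore\MACHINE"


def virtual_store_dir(username, system_drive="C:"):
    """Per-user VirtualStore root: C:\\Users\\<user>\\AppData\\Local\\VirtualStore."""
    return ntpath.join(system_drive + "\\", "Users", username,
                       "AppData", "Local", "VirtualStore")


def redirect_file(path, username, system_drive="C:"):
    """Return the VirtualStore copy of a protected file path, or None."""
    drive, rest = ntpath.splitdrive(ntpath.normpath(path))
    if drive.lower() != system_drive.lower():
        return None
    low = rest.lower()
    for root in PROTECTED_DIRS:
        r = root.lower()
        # Match the directory itself or anything below it, but not
        # look-alikes such as C:\WindowsOld.
        if low == r or low.startswith(r + "\\"):
            return ntpath.join(virtual_store_dir(username, system_drive),
                               rest.lstrip("\\"))
    return None


def redirect_key(key):
    """Return the per-user virtualized key for an HKLM\\Software key, or None."""
    upper = key.upper()
    for prefix in HKLM_PREFIXES:
        if upper.startswith(prefix):
            rest = key[len(prefix):]
            if rest.upper() == "SOFTWARE" or rest.upper().startswith("SOFTWARE\\"):
                return REG_STORE + "\\" + rest
    return None


def redirect_locations(targets, username):
    """Pair each attempted write target with the place to look for it."""
    return [(t, redirect_key(t) or redirect_file(t, username)) for t in targets]


# Constructed sample: write targets as they might appear in a Procmon trace.
SAMPLE_TARGETS = [
    r"C:\Program Files\Contoso\settings.ini",
    r"c:/windows/contoso.ini",
    r"C:\WindowsOld\notes.txt",
    r"D:\Data\report.txt",
    r"HKLM\Software\Contoso\App",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Contoso",
]

if __name__ == "__main__":
    for original, redirected in redirect_locations(SAMPLE_TARGETS, "alice"):
        print(original, "->", redirected or "(not virtualized)")
```

A file or value found at the redirected location explains the "fails to remember saved settings" symptom: the write succeeded, but only in that user's private copy.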
    • 26. Event Log
      Demo
    • 27. UAC: MSIs
      Symptom
      MSI with a custom action fails with a UAC error despite elevation
      Cause
      MSI contains custom action that impersonates the user (default)
      Example: ActionType=1025
      msidbCustomActionTypeInScript (0x400) delayed
      msidbCustomActionTypeDll (0x1) = 0x401
      msidbCustomActionNoImpersonate (0x800) not set
    • 28. UAC: MSIs (cont.)
      Fixes
      Redesign to select not impersonating user
      Set bit msidbCustomActionNoImpersonate (0x800)
      Example : ActionType 1025 (0x401) becomes 3073 (0xC01)
      Edit MSI with Orca.exe to change the right ActionType fields
      Run from elevated command prompt
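
An added example, not part of the original presentation: a Python decoder for the CustomAction Type values discussed on slides 27 and 28, which finds deferred actions that still impersonate the user and computes the value with msidbCustomActionNoImpersonate set. The action names and sample rows are constructed; the three-bit basic-type mask comes from the Windows Installer SDK rather than the slides.

```python
# Bit values as quoted on the slides (CustomAction table, "Type" column).
TYPE_DLL = 0x001         # msidbCustomActionTypeDll
IN_SCRIPT = 0x400        # msidbCustomActionTypeInScript (deferred execution)
NO_IMPERSONATE = 0x800   # msidbCustomActionNoImpersonate

# The low three bits hold the basic action type (Windows Installer SDK,
# not stated on the slides).
BASIC_TYPE_MASK = 0x007


def decode(action_type):
    """Break a Type value into the fields the slides discuss."""
    return {
        "dll": (action_type & BASIC_TYPE_MASK) == TYPE_DLL,
        "deferred": bool(action_type & IN_SCRIPT),
        "no_impersonate": bool(action_type & NO_IMPERSONATE),
        # Anything else (source location, return handling, ...) is passed through.
        "other_bits": action_type & ~(BASIC_TYPE_MASK | IN_SCRIPT | NO_IMPERSONATE),
    }


def impersonates_when_deferred(action_type):
    """True for the failing case: deferred, and NoImpersonate is not set."""
    return bool(action_type & IN_SCRIPT) and not (action_type & NO_IMPERSONATE)


def with_no_impersonate(action_type):
    """Return the Type value to write back with Orca; unchanged if no fix applies.

    The flag only has meaning for deferred actions, so immediate actions
    are left alone.
    """
    if impersonates_when_deferred(action_type):
        return action_type | NO_IMPERSONATE
    return action_type


def audit(rows):
    """rows: iterable of (Action, Type). Return (Action, old, new) for rows to change."""
    return [(name, t, with_no_impersonate(t))
            for name, t in rows if impersonates_when_deferred(t)]


# Constructed sample of a CustomAction table export.
SAMPLE_ROWS = [
    ("RegisterPlugin", 1025),      # 0x401: deferred DLL action, impersonates
    ("CheckPrerequisites", 1),     # 0x001: immediate DLL action
    ("WriteServiceConfig", 3073),  # 0xC01: deferred DLL action, already fixed
    ("RunHelperExe", 1026),        # 0x402: deferred, basic type 2, impersonates
]

if __name__ == "__main__":
    for name, old, new in audit(SAMPLE_ROWS):
        print(f"{name}: {old} (0x{old:X}) -> {new} (0x{new:X})")
```

With the bit set, the deferred action no longer runs as the invoking user, so apply it only to the actions that actually need elevated rights.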
    • 29. Orca
      Demo
    • 30. UAC: Self-extracting installer
      Symptom
      Self-extracting EXE or custom wrapper runs elevated and executes a script, but script fails
      Cause
      UAC prompt occurs on self-extracting EXE or custom wrapper, but elevated privileges are not transferred to script
      Fixes
      Redesign to use MSI
      Run from elevated command prompt
      Creates an elevated script engine
    • 31. UAC: Checking for admin rights
      Symptoms
      Many – from minor feature misbehavior to crash
      Causes
      Application uses
      IsUserAnAdmin, CheckTokenMembership “BUILTIN\Administrators” and similar APIs
      APIs return false when not elevated
      Mitigation
      Shim ForceAdminAccess or ProtectedAdminCheck
      Fix
      GetTokenInformation API
      TokenElevation (elevated or not)
      TokenElevationType (default, full or limited)
    • 32. UAC: User COM Objects
      Symptoms
      Elevated application cannot instantiate COM object
      Regular application can instantiate the same COM object
      Cause
      COM object is registered per user
      HKEY_CLASSES_ROOT is a virtual registry hive
      HKCU\Software\Classes takes precedence in Windows XP and for medium and low integrity processes in Windows 7
      HKCU\Software\Classes is NEVER used for high integrity processes (elevated) in Windows 7
      Prevents a user from configuring a malicious COM object and tricking an elevated task into executing code.
      Mitigation
      Applications that will require administrator rights should register any COM objects during installation to HKLM\Software\Classes.
    • 33. UAC: Mapped Network Drives
      Symptoms
      Regular mapped network drives (and SUBST) are not visible when running elevated
      Drives mapped from an elevated prompt are not visible in standard processes (including Explorer)
      Causes
      Mappings attached to logon session
      Mapped Network drives are only valid in the context of the user token that mapped them
      Two sets of mapping for split token situation
    • 34. UAC: Mapped Network Drives (cont.)
      Mitigation
      Automatic mitigation for installers accessing remote drive
      Map each drive in the context of the regular token and elevated token
      Registry entry
      HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = (dword)1
      http://support.microsoft.com/kb/937624
    • 35. Mapped Network Drives
      Demo
    • 36. New Folder Locations
      “My Documents” and other user folder locations are changed to provide a better user experience
      User data is now stored in the ‘\Users\%username%’ folder structure
      Pictures, Music, Documents, Desktop, and Favorites are all new folders directly under this structure
      The “My “ prefix was dropped from Documents, Music, etc.
      “All Users” became “Public” and “ProgramData”
    • 37. New Folder Locations (cont.)
      Differentiation between User and App data
      User does not directly interact with app data
      Identify specific locations using
      SHGetFolderPath or SHGetKnownFolderPath
      System.Environment namespace
      Shared User Data (Documents)
      C:\Users\Public\Documents
      CSIDL_COMMON_DOCUMENTS
      FOLDERID_PublicDocuments
    • 38. New Folder Locations (cont.)
      Per User Data (Documents)
      C:\Users\%username%\Documents
      CSIDL_MYDOCUMENTS
      FOLDERID_Documents
      SpecialFolder.MyDocuments
    • 39. New Folder Locations (cont.)
      Shared Application Data
      C:\ProgramData\MyAppName
      %AllUsersProfile%\MyAppName
      CSIDL_COMMON_APPDATA
      FOLDERID_ProgramData
      SpecialFolder.CommonApplicationData
      Set permissions (ACL) for folders in shared application data area during install
    • 40. New Folder Locations (cont.)
      Per User Application Data (local)
      C:\Users\%username%\AppData\Local
      %LOCALAPPDATA%
      CSIDL_LOCAL_APPDATA
      FOLDERID_LocalAppData
      SpecialFolder.LocalApplicationData
    • 41. New Folder Locations (cont.)
      Per User Application Data (roaming)
      C:\Users\%username%\AppData\Roaming
      %APPDATA%
      CSIDL_APPDATA
      FOLDERID_RoamingAppData
      SpecialFolder.ApplicationData
    • 42. New Folder Locations (cont.)
      Localization Changes
      Localized folder names used to be the actual name (e.g., “C:\Programme”) and an English name was not provided
      In Windows 7, all folders have English names (e.g., “C:\Program Files”) and a junction point with the localized name is provided (e.g., “C:\Programme”)
      Explorer displays the localized name for the actual directory
    • 43. New Folder Locations: Mitigation
      Directory junctions
      Provides backward compatibility for hard-coded paths
      ‘Documents and Settings’ -> ‘Users’
      ‘My Documents’ -> ‘Documents’
      ‘Programme’ -> ‘Program Files’
    • 44. New Folder Locations: Fixes
      Never hard code absolute paths
      AppVerifier includes a test
      Script: environment variables
      Unmanaged code (C++/C)
      SHGetFolderPath function (CSIDL_...)
      SHGetKnownFolderPath (FOLDERID_...)
      Vista and later
      Managed code (C#, VB.NET)
      System.Environment.GetFolderPath
      Enum System.Environment.SpecialFolder
      Microsoft.VisualBasic.FileIO.SpecialDirectories
      My.Computer.FileSystem.SpecialDirectories
    • 45. Q & A
    • 46. Why: Windows Resource Protection
      Core operating system files and registry keys can be overwritten with older versions or malicious code causing serious stability and security issues
      Windows Resource Protection (WRP) is designed to protect those objects from being overwritten
      Increases system stability, predictability, and reliability
      Replaces Windows File Protection in Windows XP
    • 47. How: Windows Resource Protection
      Updates to protected resources restricted
      OS trusted installers (Windows Update)
      ACL on resources
      Affects specific files, folders, and registry keys
      Majority of core OS modules (EXE and DLL)
      Majority of core OS HKCR Registry Keys
      Folders used exclusively by OS resources
    • 48. WRP
      Demo
    • 49. Mandatory Integrity Control
      Windows 7 implements Mandatory Integrity Control (MIC)
      Processes run at one of four Integrity Levels:
      System processes run at System IL
      Applications that require administrative privileges run at High IL
      Standard applications run at Medium IL
      Restricted apps run at Low IL
      Securable objects (Files, Processes, Windows Stations, Message queues) define the minimum IL for a process to access them
      Default IL for objects: Medium
    • 50. User Interface Privilege Isolation
      UIPI uses MIC’s Integrity Levels to restrict sending window messages
      Applications cannot send messages to other applications running at a higher integrity level
      Higher application can allow access
      SendMessage returns success to mitigate failures
      Where compatibility impact is high, lower IL applications can be manifested to opt out of UIPI
      Manifested
      Signed (authenticated)
      Installed in “Program Files”
    • 51. MIC and UIPI
      [Diagram: objects and processes at High, Medium and Low integrity levels (High IL Process, Medium IL Process, Low IL Process), with Read, Write and Send arrows]
    • 52. Integrity Levels
      Security IDs (SIDs) for integrity levels
      RID defines the integrity level
      Low: S-1-16-4096 (0x1000)
      Medium: S-1-16-8192 (0x2000)
      High: S-1-16-12288 (0x3000)
      System: S-1-16-16384 (0x4000)
    • 53. Why: IE Protected Mode
      [Diagram: IExplore.exe without Protected Mode. Install an ActiveX control -> Admin-Rights Access (HKLM, Program Files): exploit can install MALWARE. Change settings, download a picture -> User-Rights Access (HKCU, My Documents, Startup Folder): exploit can install MALWARE. Cache Web content -> Temp Internet Files (untrusted files & settings).]
    • 54. How: IE Protected Mode
      In Windows 7, Microsoft Internet Explorer 8 runs in Protected Mode (IEPM) for non-trusted sites (installation default)
      IE runs as separate process instances for different protection modes
      Prevents buffer overflow exploits from affecting higher trust level sites
      Required by IEPM’s underlying mechanism:
      Mandatory Integrity Control (MIC)
      User Interface Privilege Isolation (UIPI)
    • 55. How: IE Protected Mode (cont.)
      Integrity Levels (IL) for IE
      IEPM: Low Integrity Level
      Unprotected: Medium Integrity Level
      Low-integrity processes (such as IEPM) can only write to folders, files, and registry keys that are also marked as low-integrity
      Temporary Internet Files folder
      %TEMP%\Low
      History folder
      Cookies folder
      Favorites folder
      Windows Temporary Files folders
      %userprofile%\AppData\LocalLow
    • 56. IEPM: Compatibility Impact
      Attempts by ActiveX controls to modify medium and higher IL objects fail
      e.g. writing to the user’s Documents folder
      ActiveX controls fail to install
      Automatic mitigations
    • 57. IEPM: Automatic Mitigation
      [Diagram: IExplore in Protected Mode, behind Integrity Control and UIPI, with a Compat Layer. Install an ActiveX control -> IEInstall.exe -> Admin-Rights Access (HKLM, HKCR, Program Files). Change settings, drag and drop -> IEUser.exe -> User-Rights Access (HKCU, My Documents, Startup Folder). Cache Web content -> Temp Internet Files (untrusted files & settings). Compat Layer -> redirected settings & files.]
    • 58. IEPM: Manual Mitigation
      Redesign the site to function properly in Protected Mode
      Add site to trusted sites
      Protected Mode is not enabled for trusted sites
      Use ActiveX Install Services (AXIS) for enterprise deployments
    • 59. AXIS: How it works
      IE parses a page that requires an ActiveX control
      If the user is a Standard User, the AXIS is called
      The AXIS will perform a lookup in the Allowed Installation Sites list deployed via Group Policy
      If the Host URL is within policy, the control will be downloaded by the service
      If the control meets the signing criteria, it will be installed as the LocalSystem account
    • 60. AXIS: Enabling the Service
      AXIS is an optional component that must be enabled
      Deploy through SMS
      Run cmd.exe as Administrator, then run this command: ocsetup.exe AxInstallService
      Control Panel Programs  Turn Windows Features On or Off
    • 61. AXIS: Configuring the Policy
      Run gpedit.msc
      Navigate to Computer Settings
      Administrative Templates
      Windows Components
      ActiveX Installer Services
      Enter Host URL and policy for each trusted site
      Must specify protocol: http or https (preferred)
      Example: http://download.microsoft.com
      Best Policy 2, 1, 0, 0
    • 62. Q & A
    • 63. Windows and IE Versions
      Internal version number for Windows 7 is 6.1 – this is what is returned by GetVersion()
      Version number for Internet Explorer is 8.0
      Version number is included in User Agent String
      User Agent String is included in HTTP header
    • 64. Windows Version Mitigation
      Compatibility mode is provided in Windows 7
      Users can right-click the shortcut or the EXE and apply the Windows XP SP2 compatibility mode from the Compatibility tab. This applies multiple shims including “WinXPSP2VersionLie”
      PCA automates step for installers
      Better: Apply the shim “WinXPSP2VersionLie”
      In many cases, applications will work the same way they did in Windows XP and there is no need for changes to them
    • 65. Windows Version Mitigation (cont.)
      'Reinstall using recommended settings'
      Applies the Windows XP compatibility mode and restarts the program
      The fix is effective for all users (stored in HKLM)
    • 66. Windows Version Remediation
      Applications should not perform version checks for equality, e.g. == 5.1
      If you need a specific feature, check whether the feature is installed or available
      If you need Windows XP, check for Windows XP or later (>= 5.1)
      Exceptions to this occur when there is a very specific business or legal need to do a version check, such as when a regulatory body requires you to certify your application for each operating system and version
    • 67. Windows Version Numbers
      Demo
    • 68. IE8 Version Symptoms
      Web sites may render incorrectly
      CSS and JavaScript compliance changes
      Renders in IE8 Standards Mode for Internet sites
      Web sites that check the User Agent String for the IE version will get higher version number
      Web sites might refuse to load
      Web Sites might reduce functionality
    • 69. IE8 Version Mitigations
      IE7 Compatibility Mode
      Default setting for intranet sites
      Can be controlled from the server
      For a single Web Page
      For a directory, application, or site
      Add <meta http-equiv="X-UA-Compatible" content="IE=EmulateIE7" /> to the page or response header
      See http://support.microsoft.com/kb/968499 for different options
    • 70. IE7 Compatibility Mode
      In a Web Page
      <html>
      <head>
      <title>My Web Page</title>
      <!-- Use IE7 mode -->
      <meta http-equiv="X-UA-Compatible" content="IE=EmulateIE7"/>
      </head>
      <body>
      <p>Content goes here.</p>
      </body>
      </html>
    • 71. IE7 Compatibility Mode
      In the web.config
      <?xml version="1.0" encoding="utf-8"?>
      <configuration>
      <system.webServer>
      <httpProtocol>
      <customHeaders>
      <clear />
      <add name="X-UA-Compatible" value="IE=EmulateIE7"/>
      </customHeaders>
      </httpProtocol>
      </system.webServer>
      </configuration>
    • 72. IE8 Standards Mode
      In a Web Page
      <html>
      <head>
      <title>IE8 Standards Mode Web Page</title>
      <!-- Use IE8 Standards Mode -->
      <meta http-equiv="X-UA-Compatible" content="IE=IE8"/>
      </head>
      <body>
      <h1>Hi from IE8 Standards Mode</h1>
      </body>
      </html>
    • 73. Expression SuperPreview
      Stand-alone visual debugging tool
      Shows web pages rendered in IE 6 and either IE 7 or 8, depending on which version you have installed on your machine.
      View pages side by side or as an onion-skin overlay and use rulers, guides and zoom/pan tools to precisely identify differences in layout.
    • 74. Expression SuperPreview
      Demo
    • 75. Sessions in Windows XP/ Server 2003
      [Diagram: a single Session 0 containing the Window Station and Desktop, shared by Services, the 1st User's Windows, the Screen Saver and Login]
    • 76. Sessions in Windows 7
      [Diagram: Session 0 and Session 1, each with its own Window Station and Desktop. Labels: Service, Service, 1st User's Window (three times), Screen Saver, Login, Secure]
    • 77. Session 0: Compatibility Impact
      A service and a user application that use window message functions (e.g. SendMessage, PostMessage) to communicate will silently fail
      A service and a user application that use local objects to communicate will silently fail
      A service that uses a UI to interact with the user will display the UI on a special desktop which is inaccessible
      Applications that work with Fast User Mode Switching will probably continue to work
    • 78. Session 0 Isolation
      Demo
    • 79. Less Common Issues
      Painting Behavior
      Deprecated Components
      Managed Code for .NET 1.x
      64-bit Vista
    • 80. Painting behavior
      Why: To improve user experience
      How: All top-level windows are rendered to an off-screen bitmap; Desktop Window Manager combines the images to draw the desktop
      Impact: Some applications will render incorrectly
      Mitigation: Disable desktop composition
      Apply shim “DisableDWM”
      Properties -> Compatibility Tab -> Disable desktop composition
      Fixes: Redesign application to not assume that it is rendering directly to the screen
    • 81. Disabling Desktop Composition
      Demo
    • 82. Deprecated components
      Windows Help (WinHlp32.exe)
      Available as a download
      CHM is now the preferred option
      Graphical Identification and Network Authentication (GINA) modules
      Removal of Windows Mail
      Disables CoStartOutlookExpress
      File associations (.eml, .nws, .contact, .group, .wab, .p7c, .vfc) are broken or disabled
      Install Windows Live Mail
    • 83. Deprecated components (cont.)
      Removal of Windows Movie Maker
      Install Windows Live Movie Maker
      Microsoft Agent technologies 
      Removal of Windows Registry Reflection
      PCA instruments CoCreateInstance API and the Loader (NTDLL)
      Detect load failures on deprecated COM objects and DLLs respectively
      Uses Windows Error Reporting (WER) to retrieve
      Knowledge Base article or link to download deprecated component
    • 84. Managed code for .NET 1.x
      Symptom
      Managed code written for .NET 1.x fails (error message or crash)
      Cause
      Application depends on .NET 1.x feature AND
      Application does not specify <supportedRuntime> or <requiredRuntime> in configuration file
      Note: .NET 1.0 did not support <supportedRuntime>
      Fix
      Add <supportedRuntime version="v1.1.4322"/> to <appname>.exe.config
    • 86. 64 bit
      WoW64 allows 32-bit applications to run on 64-bit Windows, but compatibility issues may still exist
      Not supported
      16-bit applications and installers
      Limited support for some installers
      32-bit kernel mode drivers
      32-bit user mode printer drivers
      Kernel patching (x64 only)
      PatchGuard prevents applications from patching the kernel. If patching is detected, a shutdown is initiated
      Windows Server 2008 R2 – 64 bit ONLY
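A triage sketch for the "Not supported" list on slide 86, added here as an example and not taken from the deck: it reads only the MZ/PE headers to flag 16-bit images and 32-bit kernel-mode images before a 64-bit rollout. The function names and sample byte strings are constructed; treating the NATIVE subsystem as "kernel mode" is a heuristic, and printer drivers are not distinguished.

```python
import struct

MACHINES = {0x014C: "32-bit", 0x8664: "64-bit"}   # i386, AMD64
SUBSYSTEM_NATIVE = 1   # subsystem used by kernel-mode drivers (heuristic)


def classify(data):
    """Classify an executable image from its headers alone."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return "not an executable"
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return "16-bit"            # DOS stub only, NE (Win16) or other pre-PE
    opt = e_lfanew + 24            # 4-byte signature + 20-byte COFF header
    if len(data) < opt + 70:
        return "truncated"
    (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)
    (subsystem,) = struct.unpack_from("<H", data, opt + 68)
    bits = MACHINES.get(machine, "other-arch")
    mode = "kernel" if subsystem == SUBSYSTEM_NATIVE else "user"
    return f"{bits} {mode}"


def blocked_on_x64(kind):
    """True for the categories slide 86 lists as not supported."""
    return kind in ("16-bit", "32-bit kernel")


def _sample(sig, machine=0, subsystem=0):
    """Build a minimal constructed image: headers only, no code."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)   # e_lfanew = 0x40
    if sig != b"PE\0\0":
        return dos + sig + b"\0" * 60
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B if machine == 0x014C else 0x20B)
    struct.pack_into("<H", opt, 68, subsystem)
    return dos + sig + coff + bytes(opt)


if __name__ == "__main__":
    for name, img in [("win16 installer", _sample(b"NE\0\0")),
                      ("x86 driver", _sample(b"PE\0\0", 0x014C, 1)),
                      ("x86 app", _sample(b"PE\0\0", 0x014C, 2))]:
        kind = classify(img)
        print(f"{name}: {kind}, blocked on x64: {blocked_on_x64(kind)}")
```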
    • 87. Windows 7 Logo Program
      Benefits
      Compatibility message to your customers
      Joint marketing
      Partner Points
      Requirements
      ISVs must sign up to receive their crash data from WER
      Use AppVerifier as part of development lifecycle
      Install to correct folder locations
      Sign binary executables
      Include a manifest and run as a standard user
      Support Restart Manager
      64 bit support
      Etc...
    • 88. Windows 7 Logo Program Roadmap
      Follow these steps to verify that your application complies with the Windows 7 Client Software Logo technical requirements:
      Download and install the Windows 7 Client Software Logo Toolkit
      Run the Toolkit to validate your application
      Ensure the application adheres to all policies
      Accept and sign all legal agreements
      Opt in to receive communications from Microsoft about your product(s)
      Mail a licensed copy of your software to Microsoft
      Upon successful completion of validation testing submit the results to Microsoft
    • 89. Tools, documentation, and help
      Application Verifier http://go.microsoft.com/fwlink/?linkid=11573
      Standard User Analyzer http://www.microsoft.com/downloads/details.aspx?FamilyId=24DA89E9-B581-47B0-B45E-492DD6DA2971&displaylang=en
      Windows 7 Application Quality Cookbook http://code.msdn.microsoft.com/Release/ProjectReleases.aspx?ProjectName=Windows7AppQuality&ReleaseId=1734
      Windows 7 Training Kit for Developers http://www.microsoft.com/downloads/details.aspx?FamilyID=1C333F06-FADB-4D93-9C80-402621C600E7&displaylang=en
      Application Compatibility Forum http://social.msdn.microsoft.com/Forums/en-US/windowscompatibility/threads/
    • 90. Call to action
      Get ready for Windows 7 deployments
      Test your applications on Windows 7
      Make use of resources that are available now
      Joint marketing
      Free technical support
      Free App Compat Labs
      Latest tools
      Active discussion forums
      Tell Microsoft and your customers
      Update Greenlight Web Site
      Consider Windows 7 Logo certification
    • 91. Resources
      Windows Application Compatibility http://msdn.microsoft.com/en-us/windows/aa904987.aspx
      Developer for Windows 7 on MSDN http://msdn.microsoft.com/en-us/windows/dd433113.aspx
      IE8 Readiness Toolkit http://www.microsoft.com/windows/internet-explorer/readiness/developers-new.aspx
      Windows API Code Pack http://code.msdn.microsoft.com/WindowsAPICodePack
      Greenlight Web Site http://www.isvappcompat.com/uk
      UK DPE Briefings and Labs http://blogs.msdn.com/ukisvdev/archive/2009/06/09/windows-7-application-compatibility-briefings-and-drop-in-clinic.aspx
    • 92. © 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
      The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
