SYN328: Learn why AppDNA should be a part of every consultant’s toolkit
1. SYN328: Learn why AppDNA
should be a part of every
consultant’s toolkit
#SYN328 #CitrixSynergy @jeremysaunders @caditc
2. How to make yourself look cool
with Citrix AppDNA?
#SYN328 #CitrixSynergy @jeremysaunders @caditc
AppDNA is to an IT Consultant as a paperclip is to MacGyver
3. Jeremy Saunders - from Perth, Western Australia
Independent Consultant, known as J House Consulting
E-mail: jeremy@jhouseconsulting.com
Twitter: @jeremysaunders
Web: http://www.jhouseconsulting.com
Warren Simondson - from Brisbane, Queensland
Managing Director and founder of Ctrl-Alt-Del IT Consultancy
E-mail: wsimondson@ctrl-alt-del.com.au
Twitter: @caditc
Web: http://www.ctrl-alt-del.com.au
Tweet about this session with hashtag #SYN328 and #CitrixSynergy
3
About Us
4. Holistic approach to Application Compatibility
All about AppDNA
Demonstrations & best practice information
Q & A
4
Agenda
5. Extended Support phase end dates:
Windows XP 8th April 2014
Includes MED-V
Windows Server 2003 14th July 2015
Includes Presentation Server and XenApp
32-bit to 64-bit
Application Virtualisation
Desktop Virtualisation
Future Proofing
Application Portfolio Management
Manage the application portfolio, including forward planning
5
Motivation
6. In Windows it is essentially a bunch of files and registry
keys. Sure, that’s simplifying it somewhat, but the main
focus for application compatibility is to simply make it
all work. Manage the file and registry locations; API
calls. Pretty simply really!
6
What is an App?
7. Security
Trustworthy Computing initiatives from 2002 that were introduced from
Windows XP SP2 and 2003 SP2.
Running everyone with Standard User rights causes the most problems.
UAC Virtualisation (The VirtualStore) fixes stuff, but not everything,
which is why we still have so many issues.
Disabling UAC is NOT the solution.
Deprecated components (removal of legacy components such as
the Microsoft Agent and Outlook Express)
Windows Resource Protection (WRP)
Session 0 Isolation
Operating System Version changes
7
Why do we have issues?
8. Windows Vista/2008 was given version 6.0, which was
pretty logical. However, it turned out to be bad for
Application Compatibility simply because many legacy apps
written during the Windows XP period would check major
version and minor version like this:
If Not (vMajor >= 5 AND vMinor >= 1) Then
{
DisplayMessage(“This program requires Windows XP or newer”);
}
This is why Windows 7/2008 R2 is version 6.1 & Windows
8/2012 is version 6.2. And the new Windows 8.1 is 6.3.
8
Fact about Windows Versions
9. Many people are unaware of shims, or if they’ve heard of
them, they have no clue that a shim can be used to fix
many broken/incompatible Win32 apps.
The shim modifies the Import Address Table (IAT) on
application load.
With the shim in place it will intercept an API call and does
a redirection.
A shim changes the question the application is asking.
“A shim basically rephrases the question to something it
can say yes to.” Chris Jackson (AKA The App Compat Guy)
Shims need to be optimised!!!
9
What is a Shim?
10. Application Compatibility Toolkit (ACT)
Standard User Analyser (SUA)
Compatibility Administrator
Internet Explorer Compatibility Test Tool (IECTT)
Create/Deploy/Manage Data Collection Packages (DCPs)
Application Verifier
LUA Buglight
Problem Steps Recorder (PSR)
Windows Debugger (WinDbg), including logger.exe and logviewer.exe
SysInternals Tools – e.g. Process Monitor, Process Explorer, DebugView, Sigcheck
Reverse Engineer using Decompilers and Disassemblers:
.NET Reflector by RedGate – commercial decompiler
ILSpy by SharpDevelop – free decompiler
PEBrowse64 Professional by SmidgeonSoft – free disassembler
IDA by Hex-Rays – commercial disassembler
Hex-Rays Decompiler – commercial decompiler
10
Application Compatibility and
Debugging Tools
11. The garbage in, garbage out reality is responsible for
the failure of many IT projects.
“Poor data quality is the primary reason for 40% of all
IT initiatives failing to achieve their targeted
benefits.” - Gartner Research.
11
Project Failures –budgets & timelines
13. 2000: Camwood was started as SI company specialising in
application migration and portfolio Management
2004: Application compatibility management tool was born
2008: Company “App-DNA” was born, giving us the
application name: “AppTitude”
2011: Citrix acquisition and renamed application to “AppDNA”
13
AppDNA History
14. AppDNA enables enterprises to confidently discover,
automate, model and manage applications for faster
application migration, easier application virtualization
and streamlined application management. AppDNA
software combines insight about applications with
highly accurate application testing, remediation and
compatibility.
14
What does AppDNA do?
15. Application Analysis
Runs hundreds of algorithms against your application
fingerprints
Comprehensive Reporting
The reports use a RAG system for Red/Amber/Green.
Remediation
Thoroughly detailed and comprehensive information
Application Packaging
Automate .MST, .SFT, .APPV
15
How does it do that?
16. Provides the confidence to present deployment
project timelines, facts and figures
Typically delivers between 300 - 500% ROI
Aims to be 95% accurate with it’s analysis
Removes fear, uncertainty and doubt (FUD)
Helps you gain control of your application portfolio
16
Benefits of AppDNA
18. Can use the product for 30 days under the eval license
and can access the 2 main high level reports.
Eval license lets you unlock full reporting on up to 5
Windows and 5 Web Apps.
Licenses are currently tied to Sites (databases).
18
Licensing
19. Users – AD Integration (linked)
Roles
Administrators
Editors
Users
Product Package Importers
** Create your own.
Sites – There is one default site, create more for
decentralised or devolved management requirements.
19
Administration
20. SCCM/ConfigMgr
Lakeside SysTrack
The discovery of applications is done by SysTrack.
AppDNA plugs directly into the SysTrack DataMine to
take collected data to provide your Imports.
20
Integrate
21. Desktop Apps
Direct Import (.MSI, .SFT, .APPV)
Install Capture (.EXE, scripts)
Self Provisioning
Web Apps
Web Capture
Web Direct Import (.MSI)
Stand-alone Spider and MSI Converter
21
Import & Analyse
25. 25
Estate View
Provides details on the apps based on the
algorithms. Starts with the Before and After
Chart of applications based on algorithms
used.
27. Provides a high-level status of the application
portfolio.
A "U" indicates that the combination was untested,
and a padlock means that the application is
unlicensed for the report.
27
Overview Summary
The fruit salad Report
Provides a high-level status of the application
portfolio.
28. 28
Custom Reports
These are reports that you define yourself. You can base
custom reports on existing algorithms and algorithm
groups or new ones that you write yourself. You can also
create new algorithms based on your own specialized
knowledge of your environment.
33. Apply Eval license first. This opens up Estate View reports
for all modules.
Import as many apps as possible to start with.
If scripting apps, give the script an intuitive name that
relates to the app, and not just “install.cmd”
Create AD linked User Accounts.
Create the appropriate rolls for your team members.
Create Collections to “Group” applications together.
Tune SQL memory usage, especially if running on the same
box.
33
Best Practices Recap
34. There is no substitute for experience. But those with
the experience must use common sense and use the
right tools too.
Using the right toolset for your Application Migration
project is like being a conductor of an orchestra.
AppDNA provides you with the knowledge for all
challenges you need to know up front.
AppDNA is a product that can give you the confidence
that your application migration or desktop
transformation project is good to go!
34
Parting Words
35. Hands on Lab – SYN 629 – Automating XenApp and
App-V application migration with AppDNA
Session – SYN412 – Top 10 application migration tips
for XenApp and XenDesktop
Session - SYN507 - Reducing desktop infrastructure
management overhead using “old school” tactics
Geek Speak: Denis Gundarev from Entisys Solutions
Partner Training: CAD-200-1W - Simplifying Application
Migration with Citrix AppDNA 6.1
35
Other Sessions and Training
36. Citrix eDOCS: http://support.citrix.com/proddocs/topic/dna/dna.html
Podio: AppDNA Extensions Workspace:
https://citrix.podio.com/appdna-extensions-customers/
On-line AppDNA RIO Calculator:
http://www.citrix.com.au/products/appdna/how-it-helps/roi-calculator.html
Citrix have internal spread sheets that may help provide a
different angle for you.
Citrix Case Studies and White Papers:
http://www.papershare.com/u/App-DNA
Citrix TV (and YouTube)
36
Resources
37. Citrix AppDNA on twitter @AppDNA
Subscribe to Jeremy’s Twitter Lists:
AppCompat – Application Compatibility
APM - Application Portfolio Management
Chris Jackson – @appcompatguy
The App Compat Guy
Aaron Margosis
The Non-Admin Guy
Mark Russinovich – @markrussinovich
The Sysinternals Legend
Dmitry Vostokov - @DumpAnalysis
Software Engineer at Citrix. He runs http://www.dumpanalysis.org
John Robbins - @JohnWintellect
Co-founder of Wintellect: http://www.wintellect.com/blogs/jrobbins
Remko Weijnen - @RemkoWeijnen
Great blogger on App Compat issues
37
Who to follow?
39. Conference surveys are available online at
www.citrixsynergy.com starting Friday, May 24 at
9:00 a.m. PT
Provide your feedback by 4:00 p.m. PT that day and
you’ll receive a $30 Amazon.com gift card via email
Download presentations starting Monday, June 3,
from your My Conference Planning tool located
within the My Account section
39
Before you leave…
Editor's Notes
I also think it’s cool because AppDNA has a research and development centre in Perth.
Next date would be Windows Vista on 11th April 2017. Too far away to worry about at present.Who had an Application Portfolio Management specialist? Usually comes under the Enterprise Architecture practice.
Interact with the audience to understand how many apps some of them have.Are they managed apps?Do they have control of their portfolio?Do they have an Application Portfolio Management specialist and policies?Software does not necessarily have a used by date. It’s about how long the Vendor will support it. And if not, then will the business manage the risk?According to statistics the average piece of software has a 12 year life span. So that could be 3 or more major versions of OS upgrades.VB6 was released in 1998 and it’s still supported, even on Windows 8, which means that it may be around until about 2022.Who has an Application Packaging Factory (APF)? Often outsourced.Who has an Application Compatibility Factory (ACF)? Mostly bundled into the APF as part of outsourcing the application packaging.
Apps that use/integrate with the Windows 8 Modern UI (formerly known as Metro) will not work if UAC has been disabled.Windows Resource Protection (WRP) prevents the replacement of essential system files, folders, and registry keys that are installed as part of the operating system.Session 0 Isolation from Vista and above is for non-interactive services only. Interactive (user) sessions start from session 1. Running services and user applications together in Session 0 poses a security risk because services run at elevated privilege and therefore are targets for malicious agents who are looking for a means to elevate their own privilege level. The problem here is that messages can only be sent between processes that are on the same desktop (session). Therefore, if an older application has a service needs to interact with a user, such as an antivirus update service, the user will never see the update prompt.Most applications do a poor job of reporting unexpected errors:Locked, missing or corrupt filesMissing or corrupt registry dataPermissions problemsErrors manifest in several different ways:Misleading error messagesCrashes or hangs
A Shim is a database file with an extension of .sdbHow to deploy shims? Use sdbinst.exeShims for writing to protected folder and registry locations:VirtualRegistry is a multi-purpose shim for simulating the existence of appropriate registry entries for legacy applications. It can be used to redirect registry keys to a separate area in the registry (typically to resolve issues where access is denied), or to return different values when an application is looking for a specific key (that may no longer exist) or a different version (when a version number is hard coded). You will explore the version lie aspectsof VirtualRegistry.CorrectFilePaths is another very flexible shim, which includes a number of default file redirections for times when a legacy application may be looking for a known component in one location using a hard coded path, but that component has moved to another location. You can also configure CorrectFilePaths to redirect from one arbitrary path to another, if you want to modify where to place a file. The destination folder structure must exist, or the CorrectFilePaths shim will fail.Version Lie Shims for bad Windows version checks returns the appropriate operating system version information. For example, the WinXPSP2VersionLie returns the Windows XP version information to the application, regardless of the actual operating system version that is running on the computer.UAC file virtualisation doesn't handle renames or deletes. In these cases you need to apply the VirtualizeDeleteFile shim, which is a compatibility fix designed to enable an application to incorrectly think that a file that the user does not have permission to delete, has been successfully deleted.Some tools don’t optimise shims, such as the Microsoft Standard User Analyser (SUA). Microsoft has heuristical detection for installers. However, an exe that is a non-installer will be prompted for elevation if it contains the words setup, update, install or patch in the name or within the binary itself. So you may need to apply the SpecificNonInstaller shim for this exe.Time for a joke:185 desperate and dateless applications walk into a bar. One of them starts chatting to this intimidating, yet hot OS called Windows 7. They hit it off and think they may be compatible. The 184 other apps are egging him on. Things start hotting up. The application spawns processes all over Windows 7. Windows 7 starts leaking, goes all blue and demands that the application stops. The application knows that this is his only opportunity to perform, or he’ll be replaced. So he says “Don’t worry, I’ve got Shims.”
Limited User Rights brought us VirtualRegistry Store and VirtualFileSystem Store. This was enhanced under Windows 7 to include a redirection on writes to C:\\. Did you also know that there is a “C:\\Documents and Settings\\<username>” redirection in the Operating System? These are specifically implemented for legacy applications, but did initially create a lot of confusion.I’ve come across an application where a developer had used “C:\\Documents and Settings\\%Username%\\Application Data\\” in their config file. So I asked them to change their app to use %AppData%.ACT is a lifecycle management tool that assists in identifying and managing your overall application portfolio. ACT enables you to create:Compatibility FixesCompatibility ModesAppHelp messagesCompatibility databasesACT Version History:1.0 Windows 2000,Windows XP pre-release2.0 Windows XP RC2.6 Windows XP, .NET Server (AKA Windows Server 2003 pre-release)3.0 Windows XP SP1, Windows Server 2003 RC4.0 Windows XP SP2, Windows Server 2003 SP14.1 Windows XP SP3, Windows Server 2003 SP25.0 Windows Vista RC5.5 Windows Vista SP1, Windows 7 RC5.6 Windows Vista SP2, Windows 7 SP16.0 Windows 8 RCMany that are using it today, only started using it from version 5.0, which was quite a misunderstood version. This may have been due to the extra layers of limited user rights Windows Vista presented us with.ACT 5.5 and above were vastly improved releases.ACT 6.0 is out, but previously most would have been using 5.5 or 5.6.ACT 6.0 is integrated into the Windows Assessment and Deployment Kit (Windows ADK)Compatibility Administrator is what you use to fix problems (ie create shims)Run Compatibility Administrator in expert mode by using the /x switch. ie. compatadmin.exe /xThis shows much more detail on how shims are configured.SUA - previously known as the Limited User Account Analyser or LUA Analyser. Helps you find and fix LUA issues in the application.As mentioned the suggested fixes from SUA does not necessarily optimise the shims. Be aware that SUA potentially includes all Windows System32 modules with each shim it creates. So you therefore need to go back in and edit it. You’ll need to run Compatibility Administrator in expert mode to be able to do this. If you don’t fix it, you’ll waste CPU resources and apps will be slow to start. Note that VB6 Apps, however, must include the msvbvm60.dll.DCP – Detects compatibility problems with the Operating SystemInventory Collector – collects application list and devicesUser Account Control Compatibility Evaluator – picks up UAC issuesWindows Compatibility Evaluator – picks up GINA, Session 0 and Deprecation issuesFrom the DCP and information collected within Compatibility Manager, you can:Create - labels, categories, subcategoriesSet - prioritiesAdd - your assessment, issues and solutionsSetup Analysis Tool was depreciated from ACT 5.6 as it was providing no value.LUA Buglight (by Aaron Margosis) is a utility that helps identify "LUA bugs" in applications; or feature of an application that:works when run by a member of Administrators or Power Usersfails when run by a standard userhas no valid business or technical reason for requiring administrative control over the computer.LUA Buglight is very similar to the Standard User Analyser (SUA) tool, but has more powerful logging and reporting capabilities. However, only LUA Buglight will show you the exact text that was passed into an API.LUABuglightVersion History:1.0 - Support for Windows XP SP3, Windows 2003 SP2, Limited Vista Support2.0 - Support for Vista, 2008R12.1 - Support for Windows 7, 2008R22.1.1 - Support for Windows 7 SP1, 2008R2 SP12.2 - Support for Windows 8Decompiler vs. Disassembler:A decompiler transforms binary code into high-level pseudocode text that can easily be read by humans. We rely on this transformation to analyse and validate programs.A disassembler transforms binary code into assembler, which is much lower level and is more difficult to read for humans. It explores binary programs, for which source code isn't always available, to create maps of their execution. The real interest of a disassembler is that it shows the instructions that are actually executed by the processor in a symbolic representation called assembly language.Decompilers and Disassemblers:.NET Reflector - Decompile, understand, and fix any .NET code, even if you don't have the source.ILSpy - Open-source .NET assembly browser and decompiler. It was developed once Red Gate announced that there would be no more free versions of .NET Reflector.PEBrowse64 Professional - disassembler for Win32/Win64 executables and Microsoft .NET assemblies.IDA (Interactive DisAssembler) - disassembler and debuggerHex-Rays Decompiler – commercial decompiler (still does not support 64-bit code)VB Decompiler – commercial decompiler for programs (EXE, DLL or OCX) written in Visual Basic 5.0 and 6.0 and disassembler for programs written on .NET technology: http://www.vb-decompiler.org/Others:Resource Hacker - a freeware utility to view, modify, rename, add, delete and extract resources in 32bit & 64bit Windows executables and resource files (*.res): http://www.angusj.com/resourcehacker/PEDi - PEiD detects most common packers, cryptors and compilers for Portable Executable (PE) files: http://www.aldeid.com/wiki/PEiD010 Editor – Commercial text and hex editing with Binary Templates technology: http://sweetscape.com/010editor/Debug shims use the following registry value in conjunction with SysInternalsDebugView tool:Key: HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlagsValue: ShowDebugInfoType: REG_DWORDData: 9Program Compatibility Assistant (PCA) should be turned off in production, as it confuses users and can potentially cause issues.Xperf from the Windows Performance Toolkit (WPT) helps determine if applications are creating performance bottlenecks on startup or login. Especially application fixes and group policies.Sysinternals: http://www.microsoft.com/technet/sysinternalsProcess Explorer – process/thread viewerProcess Monitor – file/registry/process/thread tracingProcdump – process memory dumperAutoruns – displays all autostart locationsSigCheck – shows file version information PsExec – execute processes remotely or in the system accountTcpView – shows TCP/IP endpointsStrings – dumps printable strings in any fileDebugView – Desktops – Debugging Tools for Windows: www.microsoft.com/whdc/devtools/debuggingWindbg.exe - application and kernel debuggerLogger.exe intercepts the API calls and shows all the details being passed into the API. It creates a log file.Logviewer.exe reads log files created by logger.exe.There are no silver bullets to solving all your problems. You must know and understand how to use all these tools.You could even invest in commercial products to help remove admin privileges, such as BeyondTrustPowerBroker for Windows or AppSense Application Manager.
Application migration is the most difficult and costly part of most Desktop Transformation projects. It’s the part where a lot of up-front guestimates are made in the project planning phase.Projects can quickly get out-of-control, timelines need to be extended, more resources brought in to help out…this all effects the budget. Could this be why many organisations stay on the same OS for as long as possible? “Once bitten twice shy”.
Inventory, Usage and RationalisationMicrosoft SCCM/ConfigMgrLakesideSysTrack – Has full AppDNA integration.Liquidware Labs Stratusphere FIT - You would use Stratusphere FIT to complete an audit, which includes applications. This data can then be exported from the Application Audit Report to an XLS or CSV, format it for AppDNA, and then import it into AppDNA.CentrixWorkSpaceiQ - Centrix uses an export from AppDNA then an import in the CentrixWorkSpace console. Once the data is imported, you can correlate usage with AppCompat. More importantly, you can focus appcompat efforts on those apps that are most heavily used.SplunkFuturestateIT AppRx (a neat SAAS offering)RES Baseline Desktop Analyzer - free product - the Application Landscape feature to get the DNA of the user. This will tell you what the users actively launch throughout their sessions.Data Collection Packages withinACT are also great for getting an inventory.IT Asset Management (ITAM) system, such as ServiceNow, for example.To succeed you must have a good plan, good people, and good tools and ensure it’s well executed.Using the right toolset for your Application Migration project is like being a conductor of an orchestra.
Saves time and reduces cost by accurately predicting application behaviour on new technology platforms. Project risk is reduced by providing clear insight into how applications will function in a new or migrated environment. AppDNA will show a clear path to successful server and desktop transformation.
Where Do I Stand?How do I get there?How long will it take?How much will it cost?What do I need to do?
In my opinion it should have a Testers role, so that those conducting testing in any form can log in and create journals. Giving Testers the Editors role is not appropriate.
We will talk briefly about these, but will not demonstrate them due to time constraints.
Green areas mean that the application has no areas of concern against the technologyAmber areas are warnings that indicate areas of interest, but are not necessarily reason for concern.Red areas indicate areas of concern which may or may not have remediation options.A "U" indicates that the combination was untested, and a padlock means that the application is unlicensed for the report.Are red apps all bad? How often is the application used, and by whom? Are there other ways of delivering this app without it side-tracking the project?
This report allows admins to classify the application data and determine the best strategy to move forward.Modelling and a what if tool.The baseball/cricket tool - gets runs on the board.Very handy for determining pilot groups, and rollout plan. The initial goal is to discover he low hanging fruit.i.e. The apps that are easy to knock off first, and group them. This way you can plan your pilot groups and perhaps the transition/rollout into production. You may use this data to help create use cases, or for tiering your apps and groups of users, or for client device requirements.For example: if you're having difficulties with the Adobe CS Suite, then you're probably not going to migrate your marketing department first. So you can also deprioritise other apps that only the marketing department use.
AppDNA makes the remediation information available in a variety of tailored formats.The right remediation will depend on the application as well as your organization.Sometimes the best solution is not to remediate an application but to upgrade or replace it.Autofix remediation's within AppDNA are voluntary. You are not forced into accepting an automatic fix that does not fit into your packaging best practices.
Use SysInternalsZoomit to assist
Microsoft's Stephen Rose (@stephenlrose) is another one worth following.Sign up for the Springboard Series Insider (SSI) newsletter: http://technet.microsoft.com/en-us/windows/springboard-series-insider.aspxStephen lead an awesome TechEd 2012 presentation on “How many coffees can you drink whilst your PC boots” using Xperf from the Windows ADK.