Windows 7 Application Compatibility


Published on

This presentation discusses most common appliacation compatibility issues in Windows 7 that applications designed for Windows Xp may experience. It explains the new features of the OS such as UAC, file and registry virtualization, WRP, Session 0 isolation, Mandatory Integrity Level that compatible applications have to be aware with to run well on Windows 7

Published in: Technology
No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide
  • Windows 7 Application Compatibility

    1. 1. How to Design Windows 7 Compatible Application (User Account Control)<br />Windows 7 Application Compatibility Webcast Series<br />Presenter: Michal Morciniec, Partner Support, Microsoft<br /><br />Monday, October 26, 2009<br />1<br />Microsoft Confidential<br />
    2. 2. Agenda<br />Windows Application Compatibility Roadmap<br />Top Compatibility Issues XP  Win 7 <br />Resources for Partners<br />
    3. 3. Application CompatibilityStages<br /><ul><li>Design</li></ul> knowledge of possible issues<br /><ul><li> Test</li></ul> run the application in new OS<br /> use test tools<br /><ul><li> Fixing </li></ul> code changes<br /> compatibility patching (shimming)<br /> Windows XP Mode in W7 <br /><ul><li> Certification </li></ul> obtain Windows 7 Logo<br /><ul><li> Publishing</li></ul>Publish your app in Windows 7 Catalogue <br />
    4. 4. Windows 7 Builds on Windows VistaDeployment, Testing, and Pilots Today Will Continue to Pay Off<br />Few Changes: Most software that runs on Windows Vista will run on Windows 7 - exceptions will be low level code (AV, Firewall, Imaging, etc). <br />Hardware that runs Windows Vista well will run Windows 7 well.<br />Windows 7<br />Few Changes: Focus on quality and reliability improvements<br />Deep Changes: New models for security, drivers, deployment, and networking<br />
    5. 5. Top Application Compatibility Issues<br /><ul><li>Moving from XP to Win 7
    6. 6. User Account Control
    7. 7. Windows Services Isolation
    8. 8. Version checking</li></li></ul><li>OS VersionChange<br />Monday, October 26, 2009<br />6<br />Microsoft Confidential<br />
    9. 9. Windows OS Version Numbers<br />
    10. 10. Why Version 6.1?<br />Some applications only check dwMajorVersion<br />Some applications tried to do the right thing, but implemented it INCORRECTLY<br />if (majorVersion &gt;= 5 && minorVersion &gt;= 1)<br />
    11. 11. Version Checking Best Practices<br />Do not perform version checks for equality<br />If you need a feature, check for the feature<br />Check for Windows XP or later (&gt;= 5.1)<br />Exceptions occur when there is a business or legal reason do a version check, e.g. a regulatory body requires you to certify your application for each operating system and version<br />Check Windows 7 Training Kit forDeveloperfor sample code<br />
    12. 12. Movingfrom XP to Windows 7<br />Monday, October 26, 2009<br />10<br />Microsoft Confidential<br />UAC<br />
    13. 13. UserAccountTypes<br />Built-in (local machine) Administrator<br />Disabled by default<br />Runs with “Full token” <br />Protected Administrator<br />User in Administrators group<br />Runs with “Split token”<br />Standard User or Limited User Account<br />None of the above<br />Does not have administrator privileges<br />11<br />
    14. 14. User Account Control – Why?<br /><ul><li>Applications run as Standard User by default
    15. 15. What Standard User can do?</li></ul>Not Allowed<br /><ul><li>Install applications
    16. 16. Change system components
    17. 17. Change per machine settings
    18. 18. Admin “privileges”</li></ul>Allowed<br /><ul><li> Run most applications
    19. 19. Change per user settings</li></li></ul><li>Abby<br />UAC Architecture<br />Admin Token<br />Admin Token<br />App<br />Child App<br />Admin Token<br />Standard User Token<br />“Standard User” Token<br />Standard User Token<br />App<br />Child App<br />Standard User Token<br />
    20. 20. The Split Token<br />Run with fewer rights most of the time<br />Conveniently elevate when you need rights<br />Applies to interactive logons only<br />
    21. 21. UAC Split Tokens<br />demo<br />
    22. 22. Consent UI<br />OS Application<br />Unsigned Application<br />Signed Application<br />
    23. 23. Credential UI (Over The Shoulder)<br />
    24. 24. Windows 7 UAC Control Settings<br />New settings:<br />Top Setting – Vista behaviour<br />2nd – Does not prompt for Windows binaries<br />3rd as 2nd+prompts on User Desktop<br />4th-UAC disabled<br />Monday, October 26, 2009<br />18<br />Microsoft Confidential<br />
    25. 25. Windows 7 UAC and Auto-Elevation<br />Middlesettings use auto elevation<br />Windows Publishing Certificatesignedbinaries<br />In “secure” location<br />%SystemRoot%System32 <br />Some %ProgramFiles% subdirs (Windows Defender, Windows Journal<br />OnHardcodedList (Pkgmgr.exe, Migwiz.exe)<br />Monday, October 26, 2009<br />19<br />Microsoft Confidential<br />sigcheck -m<br />
    26. 26. UAC and Security Policy (W7 and Vista)<br />As in Vista certain UAC behaviour can be controlled through Security Policy<br />Prompt Behaviour for Admins/Standard Users<br />Installer detection heuristics<br />Switching to secure desktop when Prompting<br />File and Registry Virtualization <br />Ex. : Disable OTS Dialog for Standard Users<br /> (Automatically deny elevation requests)<br />Monday, October 26, 2009<br />20<br />Microsoft Confidential<br />
    27. 27. Movingfrom XP to Windows 7<br />Monday, October 26, 2009<br />21<br />Microsoft Confidential<br />UAC<br />UI Goals -Shield<br />
    28. 28. UI Goals: Simple & Predictable<br />1 Make application Standard user only<br />2 Clearly identify Administrative tasks<br />Ensure Standard users can be fully productive<br />Identify tasks that need elevation with a “shield” <br />
    29. 29. UI: The Shield<br />Attached to controls to indicate that elevation is required to use their associated feature<br />Has only one state (i.e. no hover, disabled etc.)<br />Does not remember elevated state<br />Not an unlock operation<br />Can be programmatically set:<br />IDI_SHIELD icon resource<br />BCM_SETSHIELD button message<br />See:<br />Enabling UAC Elevation in .Net applications<br />(elevating process, dispaying shield , etc.)<br />
    30. 30. UI Shield Example Use<br />
    31. 31. Movingfrom XP to Windows 7<br />Monday, October 26, 2009<br />25<br />Microsoft Confidential<br />UAC<br />UI Goals –Shield<br />MIC<br />
    32. 32. Mandatory Integrity Control (MIC)<br />Traditional NT security model revolves around process token<br />Windows Vista/Win7 enhances this with MIC:<br />Each process gets a MIC level<br />All resources get a MIC level (medium is default)<br />There are four levels:<br />0: Low (IE with Protected Mode On)<br />1: Medium (Standard User) <br />2: High (Elevated User)<br />3: System (System Services)<br />
    33. 33. MIC and Resources<br />MIC levels apply to:<br />Processes<br />Objects<br />COM components<br />Services<br />Files<br />Registry keys<br />View MIC level on files and other resources using “accesschk –i” (Sysinternals tool)<br />IE currently only application that has a MIC level of Low<br />All IE resources need low as well<br />
    34. 34. MIC, Simplified<br />Object can have an integrity label<br />Stored in its Security Descriptor<br />Processes run at an integrity level (IL)<br />Stored in its Access Token<br />Process cannot access object if their IL is lower than the object’s label<br />Part of the access check<br />
    35. 35. Integrity Labels -Policies<br />Every securable object has one<br />Includes Level and Policy<br />Policies can include:<br />No-Write-Up: Lower IL can’t write to object<br />No-Read-Up: Lower IL can’t read object<br />No-Execute-Up: Lower IL can’t execute object<br />No label = Medium + No-Write-Up<br />Processes are No-Write-Up + No-Read-Up<br />
    36. 36. MIC And Access Checks<br />Process IL + access requested matched against object label<br />If Process IL &gt;= Object’s label, go onto DACL check<br />If Process IL &lt; Object’s label, <br />and Object policy includes…<br />and access requested includes…<br />
    37. 37. Access CheckExample – With MIC&quot;Who am I&quot; – Identity + trust level<br />R+W<br />Request Access:<br />Read + Write<br />Internet Explorer<br />[LOW IL]<br />Toby’s <br />Startup <br />Folder<br />Medium (NW)<br />Request Access:<br />Read + Write<br />MS Money<br />[Medium IL]<br />
    38. 38. User Interface Privilege Isolation (UIPI)<br />UIPI- lower MIC process CANNOT<br />Perform a window handle validation created by a higher-privileged process<br />Call SendMessage or PostMessage to windows created by a higher-privileged process<br />Use thread hooks to attach to a higher-privileged process<br />Use journal hooks (SetWindowsHookEx) to monitor a higher-privileged process<br />Perform DLL injection to a higher-privileged process<br />To allow Windows Message to pass between MIC levels use<br />ChangeWindowMessageFilter(message, SGFLT_ADD);<br />OR can mark UIAccess = true in manifest(see osk.exe forexample)<br /><ul><li>Check Windows 7 Training Kit forDeveloperfor sample code</li></li></ul><li>Mandatory Integrity Control<br />demo<br />
    39. 39. Movingfrom XP to Windows 7<br />Monday, October 26, 2009<br />34<br />Microsoft Confidential<br />UAC<br />UI Goals –Shield<br />MIC<br />Virtualization<br />
    40. 40. Virtualization<br />Intended for existing legacy applications and may be removed in a future OS version<br />32-bit legacy interactive applications that write to administrator locations<br />HKLMSoftware; <br />%SystemDrive%Program Files<br />%WinDir%System32<br />Redirected to:<br />HKCUSoftwareClassesVirtualStore<br />%LocalAppData%VirtualStore<br />Redirection removes need for elevation<br />Writes to HKLM go to HKCU redirected store<br />Writes to system directories redirected to per-user store<br />Different from registry keys redirection for 32-bit applications on x64 under WOW64…<br />
    41. 41. Virtualization - Details<br />Registry Keys Virtualization<br />Does not work if:<br />Process is 64 bit<br />Process is impersonating a user<br />Process specified requestedExecutionLevel in manifest<br />Process is non-interactive (e.g.:Windows Service)<br />File Virtualization<br />Does not work if:<br />File is of executable type -examples:<br />.aspx, .bin,.cmd,.exe, .hlp, .msi, .ocx, .sys, .tlb, .wsh<br />Monday, October 26, 2009<br />36<br />Partner Ready<br />
    42. 42. Virtualization and Windows Explorer<br />
    43. 43. Virtualization<br />demo<br />
    44. 44. WRP (Windows ResourceProtection)<br />General mechanism that protects certain OS resources, e.g. Windowssystem32kernel32.dll<br />NT SERVICETrustedInstaller has Full Access <br />SfcIsKeyProtected() lets you detect if registry key is WRP protected<br />SfcIsFileProtected() lets you detect if file is WRP protected<br />Windows Module Installer (TrustedInstaller.exe) is used to update OS components<br />There is no API for ISVs to interact with it<br />Local Administrator can take “ownership” of protected resource eliminating WRP<br />so WRP is not a security measure <br />Applications / Installers<br />Should not modify WRP protected resources<br />
    45. 45. Movingfrom XP to Windows 7<br />Monday, October 26, 2009<br />40<br />Microsoft Confidential<br />UAC<br />MIC<br />Virtualization<br />WRP<br />Folder Locations<br />
    46. 46. Folder Locations<br />User data: Usersusername%<br />Pictures, Music, Documents, Desktop, and Favorites directly under this structure<br />“My “ prefix dropped (but Windows 7 displays it again in Explorer…)<br />“All Users”  “Public” or “ProgramData”<br />
    47. 47. Where Should I Store Data?<br />SHGetKnownFolderPath Constants<br />See:<br />Where Should I Write Program Data Instead of Program Files?<br />
    48. 48. Folder Location Best Practices<br />Never hard code absolute paths<br />AppVerifier includes a test<br />Script: environment variables<br />Unmanaged code (C, C++)<br />ShGetFolderPath function (CLSID_...)<br />SHGetKnownFolderPath (FOLDERID_...)<br />Managed code (C#, VB.NET)<br />System.Environment.GetFolderPath<br />Microsoft.VisualBasic.FileIO.SpecialDirectories<br />My.Computer.FileSystem.SpecialDirectories<br />
    49. 49. Movingfrom XP to Windows 7<br />Monday, October 26, 2009<br />44<br />Microsoft Confidential<br />UAC<br />MIC<br />Virtualization<br />WRP<br />Folder Locations<br />ApplicationManifest<br />
    50. 50. Vista / Win 7 “Aware” Application<br />Vista/Win 7-aware applications embed an XML manifest<br />Standard item in VS 2008 Projects<br />Disables all mitigations<br />Manifest contains a RequestedExecutionLevel:<br />
    51. 51. ExampleApplicationManifest<br />MyAdminApp.Exe.Manifest<br />&lt;?xmlversion=&quot;1.0&quot; encoding=&quot;UTF-8&quot; standalone=&quot;yes&quot;?&gt;<br />&lt;assemblyxmlns=&quot;urn:schemas-microsoft-com:asm.v1&quot; manifestVersion=&quot;1.0&quot;&gt;<br /> &lt;assemblyIdentityversion=&quot;; processorArchitecture=&quot;X86&quot;name=&quot;MyAdminApp&quot; type=&quot;win32&quot;/&gt;<br /> &lt;!-- Identify the application security requirements. --&gt;<br /> &lt;trustInfoxmlns=&quot;urn:schemas-microsoft-com:asm.v3&quot;&gt;<br /> &lt;security&gt;<br /> &lt;requestedPrivileges&gt;<br /> &lt;requestedExecutionLevellevel=&quot;requireAdministrator&quot;/&gt;<br /> &lt;/requestedPrivileges&gt;<br /> &lt;/security&gt;<br /> &lt;/trustInfo&gt;<br />&lt;/assembly&gt;<br />
    52. 52. Finding/Solving UAC Issues<br />Do you?<br />Write to Program Files, Windows, System32, HKLM/Software, or Root?<br />Create anything “globally” (System wide)<br />Use Windows messages between isolation levels<br />Try<br />Running the application “As Administrator”<br />Testing with UAC off<br />Tools<br />Process Monitor<br />Standard User Analyzer<br />
    53. 53. Windows Services and Session 0<br />In Windows® XP, Windows Services and user applications execute together in Session 0.<br />From Windows Vista®, Windows Services are isolated in Session 0<br />User Application execute in Session 1, Session 2, etc. <br />(“fast user switching” and Terminal Services)<br />
    54. 54. Session Separation<br />Session 0 in Windows XP / Windows Server 2003<br />Session 0 / Session 1 in Windows Vista+<br />
    55. 55. Related Issues<br />Windows Messages cannot cross Desktop boundaries (and therefore session)<br />Windows Services cannot show UI (being in a different session!)<br />Access control (MIC) adds complexity to possible solutions.<br />
    56. 56. Showing UI from Windows Service<br />Built-in mitigation mechanism alerts user(that service is “interactive”)<br /><ul><li>Interactive Service Detection Service (stopped by default)
    57. 57. Invonvenient for users</li></ul>For simple message:<br /><ul><li>use TS API WTSSendMessage</li></ul>For complex UI<br /><ul><li>use CreateProcessAsUser</li></li></ul><li>Windows Service Isolation- Session 0<br />demo<br />
    58. 58. PartnerResources<br />Monday, October 26, 2009<br />53<br />Microsoft Confidential<br />ACF Program<br />Support<br />Publicresources<br />
    59. 59. ApplicationCompatibilityFactory (ACF)<br />5 Partners with experteese in application compatibility tests<br />Wipro, Infosys, TCS (Tata), Satyam, HP, Sogeti<br /><br />ACF Training Site<br />Contains training material for Partners willing to participate in ACF<br />ACT 5.5 + Documentation + Webcasts + Slides<br />54<br />
    60. 60. Application Compatibility – Training<br />Training Program in English -12 hours approx. 300 level:<br />UAC Overview<br />Advanced UAC and Windows Resource Protection<br />IE in Protected Mode<br />Versioning, Folder Locations, Session 0 Isolation<br />ACT 5.5 Internals<br />Shims and Compatibility Administration<br />LUA Tools and Solutions<br />Sysinternals Tools and IE Compatibility Test Tool<br />Exam<br />55<br />
    61. 61. Support Options for Application Compatibility<br />Partner Online Technical Communities (OTC)<br />Windows 7 Application Compatibility OTC<br /><br />First response in 8 hours<br />Local language<br />Public Discussion Lists<br />MSDN Application Compatibility for Windows Development<br />Technet Windows 7 Application Compatibility Forum<br />W7 ISV Remediation Workshops DPE<br />Apply in “Green Light”<br />Face to face 2-3 days<br />Bring your app to fix<br />Fell free tocontact me :<br />56<br />
    62. 62. Code Samples<br />Windows 7 Training Kit For Developers hands-on labs code samples (managed /unmanaged) about:<br />OS Version Checks<br />Session 0 Isolation<br />User Interface Process Isolation (MIC)<br />Installer Detection<br />High DPI<br />Data Redirection(File and Registry Virtualization)<br />57<br />
    63. 63. Public Resources<br />Cookbooks – address compatibility<br />“Application Compatibility Cookbook”<br />“Windows 7 Application Quality Cookbook” <br />MSDN Application Compatibility:<br />TechNet Windows Application Compatibility:<br />Developer Guides – general programming guides<br />Windows 7 UX Guide<br />Windows 7 Developer Guide<br />SysInternals Tools Suite<br /><br />58<br />