This document summarizes key points about application compatibility between Windows versions. Most software that runs on Windows Vista will also run on Windows 7, with some exceptions for low-level code. Hardware compatible with Vista will also generally work with 7. While there are few surface-level changes, under the hood there are deeper changes to security, drivers, deployment and networking. The document outlines specific compatibility issues applications may face when moving from XP to 7 or Vista to 7, such as new folder locations and changes due to User Account Control. It provides recommendations on using new Windows 7 APIs and features to enhance applications.

1. Windows 7 AppCompatLynn Langithttp://blogs.msdn.com/SoCalDevGalMicrosoft – Developer Evangelist

2. Windows 7 Builds on Windows VistaFew Changes: Most software that runs on Windows Vista® will run on Windows® 7 – exceptions will be low-level code (AV, Firewall, Imaging, etc.). Hardware that runs Windows Vista well will run Windows 7 well.Few Changes: Focus on quality and reliability improvementsDeep Changes: New models for security, drivers, deployment, and networking

3. AppCompat & LightUpfrom XP to Win 7

4. User Account Control

5. Services Isolation

6. from Vista to Win 7

7. Version checking

8. High DPI

9. Low level binary changes

10. UX

11. Taskbar

12. Libraries

13. Internals

14. Trigger Start Services

15. Timer Coalescence

16. New hardware

17. Multi touch

18. SensorsFrom XP to Windows 7http://code.msdn.microsoft.com/XP2Win7

19. The ApplicationImage ViewerWPF Application Runs on XP, Vista, Win7On XP basic functionality with no special OS featuresManually Create albumCrawler (expensive) Service searching imagesChange SkinReset DB / Reset configurationLights Up on Windows 7

20. Application Running on XP

21. The Application Running on 7Enhancing an existing Windows XP application with Windows 7 featuresIO Background PriorityLibraries Trigger Start ServicesPower ManagementCommand Links Scheduled TasksPowerShell 2Windows 7 MultitouchWindows 7 SensorsOther…Application Restart and RecoveryPreview HandlersWindows SearchWindows 7 Event TracingUser Account ControlWindows 7 TaskbarTransactional NTFSMicrosoft Management Console Snap-In

22. Application Running on 7

23. DemoPhoto Viewer on Windows 7

24. Compat - New Folder Locations“My Documents” folder structure has changed The user data is now stored in: ‘\users\%username%\’ folder structurePictures, Music, Documents, Desktop, and Favorites are all new folders directly under this structureThe “My “ prefix was dropped from Documents, Music, etc.“All Users” became “Public” and “\ProgramData”My Documents still exist as directory junctionUse the SHGetKnownFolderPath APIs

25. Compat - Application Data Best PracticesWhere to put your data:Place per-user configuration data into %LOCALAPPDATA% (Roaming into %APPDATA%)Place Per-Machine (Shared) configuration data into %ALLUSERSPROFILE% (e.g. c:\ProgramData)Per-Machine (Shared) user documents into %PUBLIC%Per user documents go to %USERPROFILE%

26. Compat - User Account Control Applications run as Standard User by default

27. Standard User has some permissions

28. Run most applications

29. Change per user settings

30. Standard User can NOT do many things

31. Install applications

32. Change system components

33. Change per machine settings

34. Admin “privileges”Windows UACAll users run as Standard User by defaultFiltered token created during logonOnly specially marked apps get the unfiltered tokenExplicit consent required for elevationPredictable shell elevation pathsHigh application compatibilityData redirectionEnabling legacy apps to run as standard userInstaller DetectionUAC ArchitectureAbbyStandard User RightsAdministrative RightsAdmin logonAdmin Token“Standard User” Token

35. UAC ArchitectureChange Time Zone

36. Run IT Approved Applications

37. Install Fonts

38. Install Printers

39. Run MSN Messenger

40. Etc.AbbyUser ProcessStandard User PrivilegeStandard User RightsAdministrative RightsStandard User Mode

41. UAC ArchitectureChange Time Zone

42. Run IT Approved Applications

43. Install Fonts

44. Install Printers

45. Run MSN Messenger

46. Etc.AbbyUser ProcessChange TimeStandard User PrivilegeAdmin PrivilegeAdmin PrivilegeAdmin PrivilegeAdmin ProcessConfigure IISAdmin ProcessInstall ApplicationAdmin ProcessStandard User RightsAdministrative RightsAdmin Privileges

47. Consent UIOS ApplicationUnsigned ApplicationSigned Application

48. Credential UI

49. UAC Split Tokens Demo

50. Designing for UAC1st Choice: Make application run as Standard User only2nd Choice: Clearly identify Administrative tasksEnsure Standard users can be fully productiveIdentify tasks that need elevation with a “shield”

51. UX: The ShieldAttached to controls to indicate that elevation is required to use their associated featureHas only one state (i.e. no hover, disabled etc.)Does not remember elevated stateNot an unlock operationCan be programmatically set:HICON shieldIcon = LoadIcon(NULL, IDI_SHIELD)SendMessage(button, BCM_SETSHIELD, 0, TRUE) or using the macro in Commctrl.h:Button_SetElevationRequiredState(commandLink, TRUE)

52. Security Shield UI Examples

53. Application ManifestsVista-aware applications embed an XML manifestManifest contains a RequestedExecutionLevel:

54. Finding/Solving UAC IssuesDo you?Write to Program Files, Windows, System32, HKLM/Software, or Root?Create anything “globally”UseWindows messages between isolation levelsTryRunning the application “As Administrator”Testing with UAC offToolsProcess MonitorStandard User Analyzer

55. Windows Services BasicsStarted and managed by Service Control ManagerControlled by SCMStarting and stopping servicesDisabled, Manual and AutomaticManaging running servicesMaintaining service-related state informationStarted – Stopped - PausedServices can run in their own process or shared hosted process (e.g. svchost.exe)

56. Services and SecurityAttractions for malwareMay be configured to auto start on bootPotential to run from boot without using well known auto-start methodsOften run in highly privileged contextsAs mentioned, runs outside of UAC and enables app to potentially take control of UAC behavior (e.g. MSI)Services can run in their own process or shared hosted process

57. Sessions in XP/W2K/WS03Session 0Window StationDesktopServicesShatter Attack1st User’sWindow1st User’sWindow1st User’sWindowScreen SaverLogin

58. Sessions in Win7/Vista/Windows 2008Session 0Session 1Window StationWindow StationDesktopDesktopService1st User’sWindow1st User’sWindowService1st User’sWindowScreen SaverLoginSecure

59. Session 0 Isolationdemo

60. Service HardeningWindows XP services made great attack vectors:Running in shared session, usually w/high privilegeSometimes w/UI (interactive services)So we had Shatter Attacksgood reasons to have Service Isolation in session 0 and Mandatory Integrity ControlWindows Vista and 7Services run outside of UACISVs may be tempted to circumvent OS securityThe potential attack surface has lessened so services are a more attractive target

61. Three Service Hardening DesignsServices need to run least privilegedServices can now have their own SIDThis can be used to lock down / sandbox the resources that the Service has access to

62. Perf Enhance - Trigger Start ServiceNew in Windows 7 - SCM registers for system events via interesting providers:Device arrivalIP addressDomain join and leaveGroup policy updatesCustom Event Tracing for Windows eventSCM starts or stops registered services:TabletInputService started only if digitizer is presentStorSvc starts when group policy updates are applied, automatically stops