Briforum2012 advanced appv-sequencing
- 2. BriForum | © TechTarget
Advanced Sequencing with App-V
Kevin Kaminski
Principal Consultant
Big Hat Group Inc. & CoreTech Staffing and Professional Services
- 3. Agenda
● What is an Application
● State Separation (aka Application Virtualization)
● Application Compatibility Shims
● Using Shims with App-V
● Overcoming Device Driver Issues with App-V
● Overview of Procmon
● Using Procmon with App-V
- 4. What is an Application?
- 7. Application Compatibility Shims: What is a Shim?
● Built-in operating system feature
● Users can set compatibility levels for specific applications
- 8. Application Compatibility Shims: What is a Shim?
● Applies to applications that use the Windows Portable Executable format.
● Most PE executables use one or more DLLs.
● When each application is launched, the system checks to see if one or more shims are required.
● If one or more shims are required, the behavior of one or more DLLs is altered.
- 9. Application Compatibility Shims: Shimming Under the Covers
● In order to link executables to DLLs, a mapping is created called the import address table.
● The import address table is built at launch time to create mappings between the PE executable and its required DLLs.
● All DLLs are loaded into memory at this time.
● Any shims that need to be applied are loaded as the import address table is built.
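To make the import address table step concrete, here is an added example (not from the deck or from Microsoft): a small pure-Python reader that walks a PE file's import directory and lists the DLLs the loader resolves at launch, which is the same top-level DLL list a Dependency Walker trace (slide 11) starts from and the set of modules a shim can redirect. The function names `imported_dlls` and `build_sample_pe` are assumptions, and the sample PE is constructed in code for the test; it is not a real executable.

```python
import struct

def _rva_to_offset(rva, sections):
    """Map an RVA to a file offset using (vsize, va, raw_size, raw_ptr) section tuples."""
    for vsize, va, raw_size, raw_ptr in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError(f"RVA {rva:#x} is outside every section")

def imported_dlls(pe):
    """Return the DLL names in a PE32/PE32+ import directory, in table order."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsec, = struct.unpack_from("<H", pe, coff + 2)
    opt_size, = struct.unpack_from("<H", pe, coff + 16)
    magic, = struct.unpack_from("<H", pe, coff + 20)
    dirs = coff + 20 + {0x10B: 96, 0x20B: 112}[magic]  # start of the data directories
    imp_rva, = struct.unpack_from("<I", pe, dirs + 8)   # directory entry 1 = import table
    tbl = coff + 20 + opt_size                          # section table follows the optional header
    sections = [struct.unpack_from("<IIII", pe, tbl + 40 * i + 8) for i in range(nsec)]
    names, off = [], _rva_to_offset(imp_rva, sections)
    while True:
        name_rva, = struct.unpack_from("<I", pe, off + 12)  # IMAGE_IMPORT_DESCRIPTOR.Name
        if name_rva == 0:                                   # an all-zero entry ends the table
            return names
        s = _rva_to_offset(name_rva, sections)
        names.append(pe[s:pe.index(b"\0", s)].decode("ascii"))
        off += 20

def build_sample_pe(dlls=("KERNEL32.dll", "USER32.dll")):
    """Constructed test input: a minimal, non-runnable PE32 whose one section is an import table."""
    sec_va, sec_raw, ndesc = 0x1000, 0x200, len(dlls) + 1
    descs, strings, rva = b"", b"", sec_va + 20 * ndesc
    for d in dlls:
        descs += struct.pack("<IIIII", 0, 0, 0, rva, 0)   # only the Name field is filled in
        strings += d.encode() + b"\0"
        rva += len(d) + 1
    body = (descs + b"\0" * 20 + strings).ljust(0x200, b"\0")
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)  # i386, one section
    opt = struct.pack("<H", 0x10B) + b"\0" * 94                    # PE32 standard fields
    opt += b"\0" * 8 + struct.pack("<II", sec_va, 20 * ndesc) + b"\0" * 112  # 16 directories
    sec = b".idata\0\0" + struct.pack("<IIIIIIHHI", 0x200, sec_va, 0x200, sec_raw, 0, 0, 0, 0, 0x40000040)
    return (dos + b"PE\0\0" + coff + opt + sec).ljust(sec_raw, b"\0") + body
```

To inspect a real binary, pass the file contents: `imported_dlls(open(path, "rb").read())`.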
- 11. Dependency Walker Trace: Demo Time!
- 16. App-V and Shims: Implementation Choices
● Installation
- SDBInst.exe -n "<SDB Filename>"
- Standard User Analyzer Wizard MSI
● Delivery
- Install as a dependency via systems management tool.
- Implement as a script inside the OSD
● Really? Your users should not be local administrators.
● If using the App-V management server to manage App-V apps, the coordination between management systems can be an issue.
- 17. "Shimming" a Virtual Application: Demo Time!
- 18. Device Drivers: What is a device driver?
● Runs in the kernel memory space
● Installers can vary
- EXE
- MSI
- No installer
● Provides functionality to communicate with hardware
- But not always the case, e.g. antivirus
● Not all drivers work with virtual applications
- i.e. how badly do you need this as a virtual application?
- 19. Device Drivers: What is a device driver?
● Driver Files
- .INF: Setup information file, can install programs as well
- .CAT: Signature files used to validate driver authenticity
- .EXE: Usually for end user interaction
- .DLL: Some drivers also contain libraries
- .SYS: The driver itself
- .PDB: Microsoft file format for storing debug information
- 22. Device Drivers: Same Problem But Different Solution
● DIFx
- Part of the Windows Driver Kit
- Free Download
● http://msdn.microsoft.com/en-us/windows/hardware/gg487428
● http://bit.ly/msdifx
- Local Location
● C:\WinDDK\7600.16385.1\redist\DIFx
- 23. Device Drivers: Same Problem But Different Solution
● DIFx
- DPInst.exe
● Simple, easiest to implement
● Command line or manual
- DIFx App
● MSI Merge Module
● .wixlib for WIX support
- DIFx API
● Developer interface only
- 24. Device Drivers: DPInst.exe Command Lines
● Simple Install: DPInst.exe /s
● Other flags:
- /lm – Legacy mode, accepts unsigned drivers
- /path – If drivers are not in the current working directory
- /sa – Suppresses adding an entry to Programs and Features
- /se – Suppress EULA, works with /s or /q
- /sw – Suppresses the wizard, only works with /se
- /u – Supply the .inf file and this flag uninstalls the driver
- 25. Device Drivers: Rundll32.exe
● Rundll32.exe syssetup,SetupInfObjectInstallAction <INF File Section> <Flag> <Path to inf file>
● Rundll32.exe syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\<path to inf>
Flags:
4 Quiet Mode, no UI
8 Don't Run GrpConv
16 Force Self-Updating on User's System
32 Backup Data Before Install
64 Rollback to Previous State
128 Validate the Backup Data and Suppress Reboot
256 Complete Rollback to Previous State
512 Force Delay of OCX Registration
- 26. Collecting Drivers: Different Approaches
● Look for Vendor Installer
- Common for copy protection vendors
● Harvesting Drivers
- Install media
- Driver Magician
● Never after sequencing
● Make the vendor MSI / installer only install a driver
- Can be difficult or next to impossible
- 27. Collecting and Installing Device Drivers: Demo Time!
- 28. Process Monitor (aka Procmon): What is it?
● An advanced logging tool for process and thread activity
- Registry access
- File access
- Network activity
- Time and duration of events (i.e. performance metrics)
- 29. Process Monitor: Rights Requirements
● Regular Operation
- Administrator rights
- Rights to install device drivers
● Reading Logs (/openlog)
- Regular user ok
- Also remember /Run32 for opening 32-bit logs on a 64-bit system
- 30. Process Monitor: Monitoring Inside the Sequence
● Use the following command line to inject a command prompt
- "C:\Program Files (x86)\Microsoft Application Virtualization Client\sfttray.exe" /exe cmd.exe /launch "DefaultApp MFC Application 1.0.0.1"
- Best practice is to launch procmon and the App-V application using the command prompt
- 31. Process Monitor: Monitoring Inside the Sequence #2
● Or put a command prompt in the OSD (KB939896)
<SCRIPT EVENT="LAUNCH" TIMING="PRE" PROTECT="FALSE" WAIT="TRUE" TIMEOUT="0">
  <SCRIPTBODY>cmd.exe</SCRIPTBODY>
</SCRIPT>
- Best practice is to launch procmon.exe with the start command, then close the command prompt to launch the App-V application
- 32. Process Monitor: Monitoring Outside the Sequence #3
● Command Line
- Procmon.exe /externalcapture
● Best Visibility with /externalcapture
- PROTECT = TRUE with no /externalcapture: 430
- PROTECT = TRUE: 430
- PROTECT = FALSE without /externalcapture: 430
- PROTECT = FALSE with /externalcapture: 988
- Outside the sequence with /externalcapture: 988
- 33. Procmon: Demo Time!
- 34. Process Monitor: Misc Procmon Command Line Flags
● /BackingFile – Uses a file for logging rather than memory
● /NoConnect – Don't start monitoring on launch
● /AcceptEula – Get rid of EULA on first use
● /LoadConfig – Loads a saved configuration file
● /Profiling – Enables thread profiling
● /Minimized – Minimize procmon on startup
● /Quiet – Does not confirm filter settings on startup
- 35. The End: Resources (… and question time)
● My Blog: www.myitforum.com/cs2/blogs/kkaminski
● My Twitter: @kkaminsk
● Application Compatibility Toolkit: http://bit.ly/msact56
● Application Verifier: http://bit.ly/appverify
● DIFx: http://bit.ly/msdifx
● Process Monitor: http://bit.ly/procmon
● INF Files: Gosh's site http://gosh.msfn.org/
● Sysinternals Administrator Reference: http://bit.ly/samref