Post on 25-Feb-2016
Application Compatibility Overview
Aaron Margosis, Microsoft Corporation
http://blogs.msdn.com/b/aaron_margosis
http://blogs.technet.com/b/fdcc
Agenda
Overview of the Windows 7 application compatibility landscape
• What breaks and why?
• What does Windows do to fix things?
• What options are available for apps that still break?
Not covered:
• Troubleshooting and remediation details
Why is app-compat hard?
• It never used to be this hard!
• Backward-compatibility used to win
  • Shell Folders
  • p:\\products\public
  • CON, PRN, NUL
• Starting with XP SP2, not anymore
  • Customers demanded better security
  • Vista was the first major desktop OS release after the TWC memo
What Breaks in Windows 7?
Some things that had to change:
Everyone runs as “standard user”
• The infamous User Account Control
• Even admins run as “standard user”
• The single biggest app-compat hit, ever
The Truth About UAC
• The first step toward Standard User
• Required to improve security and TCO
• Suite of technologies to fix stuff, not break it
  • Running as standard user breaks stuff
  • That’s why no one did it before UAC!
• Users shouldn’t be admins to begin with
  • And can’t approve elevation prompts
• Disabling UAC turns off IE Protected Mode
We break – we fix:
UAC’s file and registry “virtualization”
• Redirects access attempts from protected areas to non-roaming parts of the user profile
• Not related to App-V’s “bubble”
  • This is per-user, not per-application
• Transparent to the app
• Fixes many permissions-related issues
• Does not apply to all apps or all file types
Some things that had to change:
Internet Explorer 8 Standards Compliance
• Meets customer demand, good for the web
• App compat > 80%
• Compatibility View is extremely helpful
  • On by default for Intranet
• Quirks mode also helpful, but no admin UI!
• Many tools available for troubleshooting
• Fixes either super easy or require devs
• Hardest problem: server apps for IE6 only
  • E.g., Oracle, SAP
  • MED-V a potential solution
Some things that had to change:
Internet Explorer Zone Changes (IE7 and Higher)
• Trusted Sites default settings tightened
• Intranet zone now the most permissive
  • Only Intranet has automatic Windows authentication
• Trusted Sites now intended for external sites
• Common simple fix for web apps: make sure the zone is correct!
Some things that had to change:
Internet Explorer Protected Mode
• Sandboxed environment
• Runs at “Low Integrity”
  • Cannot write to most areas of the file system or registry
• Limits impact of drive-bys
• IEPM has protected you from exploits
  • …if you left UAC enabled
Internet Explorer Protected Mode
• “On” in Internet and Restricted Sites zones
• “Off” in Intranet and Trusted Sites
  • May need to configure to recognize Intranet
• External sites can be added to Trusted Sites
  • E.g., sites that require Java
• Again – setting the zone correctly fixes many web apps
• Other products like the idea!
  • Google Chrome
  • Office 2010
  • Adobe Reader X
Some things that just changed:
Windows version number
• Incorrect version checks: the most common bugs we find
  • Making it 6.1 keeps more apps working!
• “Version lie” shims are easy to apply
  • And now easier to lie to MSIs
• Still don’t think it can be that common?
Check the Windows version!
    // This program requires WinXP or newer.
    // Windows XP is version 5.1
    // This is easy!
    If Not (vMajor >= 5 AND vMinor >= 1) Then
    {
        DisplayMessage(“This program requires Windows XP or newer”);
        LayDownAndDie;
    }

Win7 as Windows 7.0?
  vMajor: 7 >= 5
  vMinor: 0 >= 1? Crap!

Vista is Windows 6.0:
  vMajor: 6 >= 5
  vMinor: 0 >= 1? Oops!

Win7 as Windows 6.1?
  vMajor: 6 >= 5
  vMinor: 1 >= 1! It works!
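The slide's pseudocode, carried through as an added C example (not code from the deck or from Microsoft): the buggy check is reproduced exactly as written, placed next to the lexicographic comparison the author implies was intended, and run over the version numbers the slide names. The `version_at_least` helper and the "Win7 as 7.0" row are assumptions used to show the general rule; they are not on the slide.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* The check exactly as the slide shows it: major and minor are tested
 * independently, so any release newer than XP whose minor version is 0
 * is rejected. Deliberately kept buggy to reproduce the walk-through. */
bool xp_or_newer_buggy(int major, int minor)
{
    return major >= 5 && minor >= 1;
}

/* What the author meant: compare (major, minor) lexicographically against
 * the required (5, 1). A 6.0 or 7.0 release now passes. */
bool xp_or_newer_correct(int major, int minor)
{
    return major > 5 || (major == 5 && minor >= 1);
}

/* Generalisation (assumption, not on the slide): "at least X.Y" for any
 * required version, same lexicographic rule. */
bool version_at_least(int major, int minor, int req_major, int req_minor)
{
    return major > req_major || (major == req_major && minor >= req_minor);
}

/* Counts the versions the buggy check wrongly rejects although the correct
 * check accepts them. These are exactly the cases a "version lie" shim
 * papers over, and why numbering Win7 as 6.1 keeps more apps working. */
int count_false_rejections(void)
{
    /* Version numbers as given on the slide; the 7.0 row is the slide's
     * hypothetical, constructed here to show why 6.1 was chosen. */
    const struct { const char *name; int major, minor; } versions[] = {
        { "Windows 2000",              5, 0 },
        { "Windows XP",                5, 1 },
        { "Windows Vista",             6, 0 },
        { "Windows 7 (actual, 6.1)",   6, 1 },
        { "Windows 7 if it were 7.0",  7, 0 },
    };
    int rejected = 0;
    for (size_t i = 0; i < sizeof versions / sizeof versions[0]; i++) {
        bool buggy   = xp_or_newer_buggy(versions[i].major, versions[i].minor);
        bool correct = xp_or_newer_correct(versions[i].major, versions[i].minor);
        printf("%-28s %d.%d  buggy check: %-4s  correct check: %s\n",
               versions[i].name, versions[i].major, versions[i].minor,
               buggy ? "pass" : "FAIL", correct ? "pass" : "FAIL");
        if (correct && !buggy)
            rejected++;
    }
    return rejected;
}

int main(void)
{
    int n = count_false_rejections();
    printf("%d version(s) newer than XP wrongly rejected by the buggy check\n", n);
    return 0;
}
```

Running it shows Vista (6.0) and a hypothetical 7.0 both failing the buggy check while 6.1 passes, which is the whole argument of the slide: the comparison was wrong all along, and 6.1 merely hides it for one more release.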
More things that just changed:
Folder locations
• We moved the profiles – again!
  • Myth: We did this for no good reason
  • Truth: There was probably a good reason
• And we changed where files need to go!
  • Myth: No guidance about where to put stuff
  • Truth: Well, yeah, but we’re fixing that
• Myth: Everything breaks, apps actually cry
  • Truth 1: Correctly-written apps still work
  • Truth 2: Junctions fix many bad apps
Directory Junctions
• Some support for old folder names
• Can traverse, but cannot list
  • Can directly access files through old names
  • Cannot list contents of these junctions
Where Should I Store Files?

Per-User Files Location (Symbolic Constant and Examples)

Visible to user in Explorer
  FOLDERID_Documents / CSIDL_MYDOCUMENTS
  Windows 7 example:      C:\Users\username\Documents
  Windows XP equivalent:  C:\Documents and Settings\username\My Documents

Hidden from user, Local
  FOLDERID_LocalAppData / CSIDL_LOCAL_APPDATA
  Windows 7 example:      C:\Users\username\AppData\Local
  Windows XP equivalent:  C:\Documents and Settings\username\Local Settings\Application Data

Hidden from user, Roaming
  FOLDERID_RoamingAppData / CSIDL_APPDATA
  Windows 7 example:      C:\Users\username\AppData\Roaming
  Windows XP equivalent:  C:\Documents and Settings\username\Application Data

Shared Files Location (Symbolic Constant and Examples)

Visible to user in Explorer
  FOLDERID_PublicDocuments / CSIDL_COMMON_DOCUMENTS
  Windows 7 example:      C:\Users\Public\Documents
  Windows XP equivalent:  C:\Documents and Settings\All Users\Documents

Hidden from user, Local
  FOLDERID_ProgramData / CSIDL_COMMON_APPDATA
  Windows 7 example:      C:\ProgramData
  Windows XP equivalent:  C:\Documents and Settings\All Users\Application Data
More things that just changed:
Default color scheme
• Occasional mistake by VB6 devs
  • Easy to fix (if you have the source)
• .NET WinForms made themes easy to use
  • Oops: everyone tested only on Luna
  • Fortunately, we have the FakeLunaTheme shim
• Note: apps that work only with one theme probably violate accessibility laws
  • You WILL go to jail! (US law – your laws may be harsher.)
  • Push back if the app owner insists on Classic Theme
What Do I Do With Broken Apps?
Options for Fixing Broken Apps
in (approximate) order of preference
1. Retire the app
2. Get an updated version of the app (from vendor or your developers)
3. Modify the installer via transforms or post-install scripts
4. Let UAC file/reg virtualization do its magic
5. Apply shims
6. Change permissions or policies
7. Machine virtualization (MED-V, VDI)
Independent issue: Application virtualization
Retiring Apps
• Maintaining a big inventory is expensive!
• Testing apps you don’t need is expensive!
• Just because it’s there doesn’t mean you need it (and have to test it)
  • Does anyone actually use it?
  • How often?
  • How critical is it?
  • Can it be replaced with something else?
    • Excel? Calculator?
  • How expensive/complex to repair?
Is the App Supported on Win7?
www.microsoft.com/windows/compatibility
• Search for apps or hardware
• Indicates support/non-support for x86/x64
• Based on vendor’s public claims
  • Links to vendor web sites’ claims
Modifying Installers
MSI transforms or post-install scripts
Can fix several bug classes:
• Version check
• “Run once” bug
  • App assumes user has admin rights
  • Performs final install operations on first run
• “One user” bug
  • Installer assumes installing user == end user
  • Writes to HKCU, %USERPROFILE%
• Missing components (e.g., MSVBVM50)
What Are Shims?
• Applied to specific apps
• Configured with Compatibility Administrator in the App Compat Toolkit
• Deployable to enterprise
• Changes what the app thinks it sees
• Does not change what the app is allowed to do
How Shims Work
(Diagram: inside the process, App.exe, Custom1.dll, Custom2.dll, Crypt32.dll, Msxml3.dll and Urlmon.dll each carry an import address table (IAT) entry for CreateFile. With a shim applied, those IAT entries point at the shim DLL’s CorrectFilePaths implementation, which in turn calls the real CreateFileW implementation in Kernel32.dll.)
What Are Shims Good For?
• Bad Windows version checks
• Writing to HKCR at runtime
• Unnecessary checks for “am I admin?”
• Writing to WRP-protected keys and files
• Windows thinks your app is an installer
• Some file/registry redirections
When Are Shims Appropriate?
• Source code fix not feasible
• Vendor support not important
Shims – The Rest of the Story
• Some considerations…
• Not all general purpose shims have the same … “customer love” applied in their creation
• The tools are … “primitive”
• Shims management not integrated into other management tools (e.g. Group Policy)
• You can do a lot with just the Top 10 shims
  • But becoming a shim ninja takes time and much practice
Changing Security Settings
• Only if other options don’t work:
  • Loosen file or registry permissions
  • Allow interactive user to start/stop a particular service or driver
  • Disable an IE security feature (e.g. DEP)
  • Relax a security policy (e.g., FIPS crypto)
• Must be done surgically
  • Least amount of additional privilege on the smallest number of objects
Changing Security Settings
• Benefits:
  • Results often more predictable than with shims
• Drawbacks:
  • Risk of elevation of privilege
  • Risk of system instability
  • Requires threat modeling – hard to do right
Changing Security Settings:
How I’ve seen some do “standard user” on XP…
• ACL loosening scripts
  • Most “required fixes” are now automatic
• Installing apps to writable folders
  • Exposes EoP and infection risks
• Granting admin-equivalent rights
  • (What could possibly go wrong?)
What is MED-V?
Microsoft Enterprise Desktop Virtualization
• Machine virtualization solution
  • App actually runs on an XP OS
  • User sees only the app window
• Centrally managed
  • Part of MDOP
• Reasonable IE6 app compat story
  • Seamless redirection of the browser
What Can MED-V Do?
• App designed for XP actually runs on XP
• Win7 deployment not held hostage by one app that resists all other compat solutions
• What it’s good for:
  • Web apps that require IE6
  • Running 16-bit apps on x64
  • Some types of desktop apps
  • Microsoft Agent
MED-V:
The rest of the story
• Postpones issues, does not solve them
  • You must have an explicit exit strategy
  • XP is already out of mainstream support
  • XP extended support ends in 2014
• Need RAM, CPU to support guest VM
• Management requirements
  • It is a separate computer
  • Doesn’t inherit host’s AV, patches, policies, domain
  • VM is hibernated when not running an app
• Apps can’t interact with host desktop apps
  • E.g., app wants to automate Office apps or send email
Windows XP Mode
Here’s how, right?
Wrong!
What is Windows XP Mode?
• Windows XP SP3 virtual machine
  • It’s not really a “mode” within Windows 7
  • Similar to MED-V, without manageability
• License included with certain Win7 SKUs
  • Designed only for the Small Business market
• Install apps in the XP VM; shortcuts in the All Users’ Start Menu get copied to the host
• Click on shortcut in host Start menu, app appears in a window
  • …eventually
Windows XP Mode
More of that story
• All the drawbacks of MED-V, plus
  • Does not have MED-V’s IE6 redirection, and
  • Default XP Mode user is admin
    • Might conflict with enterprise policies
Resources
TechNet Magazine, June 2009
Articles by Chris Jackson and Chris Corio
Tools for identifying issues
• General issues: Sysinternals Process Monitor
  http://technet.microsoft.com/en-us/sysinternals/bb896645
• Admin permissions issues:
  • LUA Buglight
    http://blogs.msdn.com/b/aaron_margosis/archive/2011/03/23/lua-buglight-2-1-1-with-support-for-win7-2008r2-sp1.aspx
  • Standard User Analyzer (ships with App Compat Toolkit)
    http://www.microsoft.com/downloads/en/details.aspx?FamilyID=24da89e9-b581-47b0-b45e-492dd6da2971
    requires Application Verifier, downloaded separately:
    http://www.microsoft.com/downloads/en/details.aspx?FamilyID=C4A25AB9-649D-4A1B-B4A7-C9D8B095DF18
• For web apps:
  • IE’s built-in developer tools (F12 in IE8 and IE9)
  • Fiddler
    http://www.fiddler2.com
  • Expression Web SuperPreview
For More Information
• The Windows Vista and Windows Server 2008 Developer Story: Application Compatibility Cookbook
  http://msdn.microsoft.com/en-us/library/Aa480152
• Windows 7 and Windows Server 2008 R2 Application Quality Cookbook (describes changes from Vista to Win7, not from XP to Win7)
  http://msdn.microsoft.com/en-us/library/dd371778(VS.85).aspx
• The App Compat Guy (Chris Jackson)’s blog:
  http://www.appcompatguy.com
• My blogs:
  http://blogs.msdn.com/b/aaron_margosis and
  http://blogs.technet.com/b/fdcc
• TechEd online presentations by Chris Jackson and me:
  http://www.msteched.com
Stay up to date with TechNet Belux
Register for our newsletters and stay up to date:
http://www.technet-newsletters.be
• Technical updates
• Event announcements and registration
• Top downloads
Join us on Facebook
http://www.facebook.com/technetbe
http://www.facebook.com/technetbelux
LinkedIn: http://linkd.in/technetbelux/
Twitter: @technetbelux
Download MSDN/TechNet Desktop Gadget
http://bit.ly/msdntngadget
TechDays 2011 On-Demand
• Watch this session on-demand via TechNet Edge
  http://technet.microsoft.com/fr-be/edge/
  http://technet.microsoft.com/nl-be/edge/
• Download to your favorite MP3 or video player
• Get access to slides and recommended resources by the speakers
THANK YOU