
Windows Application Readiness for Developers

Maarten van de Bospoort, Application Development Consultant, Microsoft (session WCL312)

Agenda

Oh, oh. I come from XP.

I’ve done Vista. What did you break now?

That leaves room for improvement.

Top AppCompat Issues

• From XP to Win 7: User Account Control, Mandatory Integrity Control, Services Isolation
• From Vista to Win 7: Version checking, Miscellaneous
• More than just compatible: High DPI, Remote Desktop and Fast User Switching

User Account Control – Why?

• Running as administrator increases malware threats: there are no limits on what an application can do (install rootkits, install keystroke loggers, etc.)
• Enterprises see significant TCO reductions when running with managed systems
• Key: run as much as possible as Standard User

User Account Control – How?

Applications run as Standard User by default. What is a Standard User?

Allowed:
• Run most applications
• Change per-user settings

Not allowed:
• Install applications and drivers
• Change system settings
• Admin “privileges”

UAC Architecture

[Diagram: user Abby logs on and receives two tokens, an Admin Token and a filtered “Standard User” Token. An app launched with the Admin Token runs with the Admin Token, and so does its child app; an app launched with the Standard User Token runs with the Standard User Token, and so does its child app.]

UAC Split Tokens

demo

What is broken by UAC?

Can no longer:
• write to Program Files
• write to System32
• write to some HKLM\Software hives
• create kernel objects in the global namespace

Impact on:
• file creation in restricted locations
• installers
• custom actions in MSI
• events, mutexes, mapped files, named pipes, etc.

OS Mitigation: Data Redirection

Legacy applications that write to secure locations (HKLM\Software; %SystemDrive%\Program Files; %WinDir%\System32) are redirected to HKCU\Software\Classes\VirtualStore and %LocalAppData%\VirtualStore\.

• Intended for “legacy” applications; might be removed in a future OS version
• Redirection removes the need for elevation
• Not for native x64; no redirection for binaries
• Impact: per-machine changes become per-user changes

Data Redirection

demo
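To see where a legacy application's writes actually end up once data redirection kicks in, here is an added Python helper (not part of the deck) that models the two mappings the slide lists: protected file locations into %LocalAppData%\VirtualStore, and HKLM\Software into the per-user VirtualStore key. The profile path C:\Users\TheUser, the assumption that %SystemDrive% is C: and %WinDir% is C:\Windows, and the list of binary extensions are constructed for the example.

```python
import ntpath  # Windows path semantics, so this runs on any host

# Constructed profile values; a real check reads %LocalAppData%, %SystemDrive%
# and %WinDir% from the environment.
LOCAL_APPDATA = r"C:\Users\TheUser\AppData\Local"
VIRTUAL_STORE = ntpath.join(LOCAL_APPDATA, "VirtualStore")
REG_VIRTUAL_STORE = r"HKCU\Software\Classes\VirtualStore\MACHINE\SOFTWARE"

# The secure file locations the deck lists as redirected for legacy applications.
REDIRECTED_FILE_ROOTS = (r"C:\Program Files", r"C:\Program Files (x86)", r"C:\Windows\System32")
# "No redirection for binaries": the extension list is an assumption for this example.
BINARY_EXTENSIONS = (".exe", ".dll", ".sys", ".ocx")


def virtualized_file_path(path, native_x64=False):
    """Return the VirtualStore path that a legacy write to `path` is redirected to,
    or None when redirection does not apply (native x64, a binary, or a location
    that is not protected, where the write simply goes through or is denied)."""
    if native_x64:
        return None
    norm = ntpath.normpath(path)
    if norm.lower().endswith(BINARY_EXTENSIONS):
        return None
    for root in REDIRECTED_FILE_ROOTS:
        if norm.lower().startswith(root.lower() + "\\"):
            _, rest = ntpath.splitdrive(norm)  # drop "C:", keep the tree below it
            return ntpath.join(VIRTUAL_STORE, rest.lstrip("\\"))
    return None


def virtualized_registry_path(key, native_x64=False):
    """Map a legacy HKLM\\Software write to the per-user key it is redirected to."""
    if native_x64:
        return None
    prefix = "hklm\\software\\"
    if key.lower().startswith(prefix):
        return REG_VIRTUAL_STORE + "\\" + key[len(prefix):]
    return None
```

When a per-user copy of a file or key shows up in these locations, the application is still relying on the legacy mitigation; the fix is to move the write to the locations on the "Fixing UAC bugs" slide, not to elevate.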

Mitigation: Installer Detection

• Installers often require administrative rights; running as Standard User would mean failure
• Mitigation: detect strings (setup, install, patch, etc.) in the binary's resources and elevate to Administrator

Installer Detection

demo

Fixing UAC bugs

Write to the correct location:

              All Users          Per User
  Documents   C:\Users\Public    C:\Users\TheUser
  Data        C:\ProgramData     C:\Users\TheUser\AppData

• Split up your application in two parts: a Standard User day-to-day part and an Administrator part
• Add a manifest to opt out of the mitigation

Manifest: UAC section (MyAdminApp.Exe.Manifest)

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="MyAdminApp" type="win32"/>
  <!-- Identify the application security requirements. -->
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="asInvoker"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>

Vista / Win 7 “Aware” Application

Vista/Win 7-aware applications embed an XML manifest, which disables all mitigations. The manifest contains a trustInfo section with one of:
• asInvoker: launch with the same token as the parent process
• highestAvailable: launch with the highest token this user possesses
• requireAdministrator: launch with the highest token of the user, provided the user is a member of the Administrators group
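A manifest that does not parse is silently ignored by the loader, and an application with no requestedExecutionLevel at all stays under data redirection, so it is worth checking the file before shipping. The following added Python check (not from the deck) extracts the level from the trustInfo section and reports the three failure modes; the manifests embedded in it are constructed copies of the slide's asInvoker manifest, one of them with the typographic quote that slide and mail editors tend to introduce.

```python
import xml.etree.ElementTree as ET

ASM_V3 = "urn:schemas-microsoft-com:asm.v3"
VALID_LEVELS = ("asInvoker", "highestAvailable", "requireAdministrator")


def requested_execution_level(manifest_xml):
    """Return the level attribute of trustInfo/security/requestedPrivileges/
    requestedExecutionLevel, or None when the manifest has no such section
    (then the application is not UAC-aware and stays under data redirection)."""
    root = ET.fromstring(manifest_xml)  # raises ET.ParseError on malformed XML
    node = root.find(
        f".//{{{ASM_V3}}}trustInfo/{{{ASM_V3}}}security/"
        f"{{{ASM_V3}}}requestedPrivileges/{{{ASM_V3}}}requestedExecutionLevel"
    )
    return None if node is None else node.get("level")


def manifest_problem(manifest_xml):
    """Describe what is wrong with a manifest, or return None if it is usable."""
    try:
        level = requested_execution_level(manifest_xml)
    except ET.ParseError as exc:
        return f"manifest is not well-formed XML: {exc}"
    if level is None:
        return "no requestedExecutionLevel: app is treated as legacy (virtualized)"
    if level not in VALID_LEVELS:
        return f"unknown requestedExecutionLevel {level!r}; expected one of {VALID_LEVELS}"
    return None


# Constructed manifests for the check.
GOOD_MANIFEST = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="MyAdminApp" type="win32"/>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="asInvoker"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>
"""
# Same file with a U+201C left double quotation mark in place of the opening '"'.
BAD_QUOTE_MANIFEST = GOOD_MANIFEST.replace('level="asInvoker"', 'level=\u201casInvoker"')
# Same file with the whole trustInfo section cut out.
LEGACY_MANIFEST = GOOD_MANIFEST.split("<trustInfo")[0] + "</assembly>\n"
```

Run `manifest_problem()` over the embedded manifest of each executable as part of the build; the typographic-quote case is exactly the kind of defect a visual inspection of the slide would miss.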

UAC Issues

Do you?
• Write to Program Files, Windows, System32, HKLM\Software, or the drive root?
• Create kernel objects “globally”?

Try:
• Running the application elevated (“As Administrator”)
• Testing with UAC off

Tools: Process Monitor, Process Explorer, Standard User Analyzer
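Process Monitor is the tool the slide points at for the "Do you?" questions; what you look for in its trace is any write-class operation aimed at one of those protected locations, whether it came back ACCESS DENIED (standard user, no virtualization) or SUCCESS (elevated run, or a virtualized write). The following added Python triage (not part of the deck) reads a Process Monitor CSV export and lists those rows. The CSV sample is constructed for the example and uses Process Monitor's default export columns.

```python
import csv
import io
import ntpath

# Protected locations from the slide's "Do you?" list, lower-cased for matching.
PROTECTED_FILE_ROOTS = (r"c:\program files", r"c:\program files (x86)", r"c:\windows")
PROTECTED_REG_ROOTS = (r"hklm\software",)

# Operations that change a file or key. CreateFile is a write only when the
# requested access (shown in the Detail column) includes write access.
WRITE_OPS = {"WriteFile", "SetDispositionInformationFile", "SetRenameInformationFile",
             "RegSetValue", "RegCreateKey", "RegDeleteValue", "RegDeleteKey"}


def is_protected(path):
    """True for paths a Standard User cannot change: Program Files, Windows,
    HKLM\\Software, or a file directly in the drive root."""
    p = path.lower()
    if p.startswith(PROTECTED_REG_ROOTS) or p.startswith(PROTECTED_FILE_ROOTS):
        return True
    drive, rest = ntpath.splitdrive(p)
    return bool(drive) and rest.startswith("\\") and rest.count("\\") == 1


def is_write(operation, detail):
    if operation == "CreateFile":
        d = detail.lower()
        return "generic write" in d or "write data" in d
    return operation in WRITE_OPS


def find_uac_writes(procmon_csv):
    """Rows from a Process Monitor CSV export in which a process wrote, or tried
    to write, to a protected location. Returns (process, operation, path, result)."""
    findings = []
    for row in csv.DictReader(io.StringIO(procmon_csv)):
        if is_write(row["Operation"], row.get("Detail", "")) and is_protected(row["Path"]):
            findings.append((row["Process Name"], row["Operation"], row["Path"], row["Result"]))
    return findings


# Constructed trace: one harmless read, two denied writes, one correct per-user
# write, and one write into the drive root that went through.
SAMPLE_PROCMON_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:02:11.0010000 AM","MyApp.exe","4120","CreateFile","C:\Program Files\MyApp\readme.txt","SUCCESS","Desired Access: Generic Read"
"10:02:11.0020000 AM","MyApp.exe","4120","CreateFile","C:\Program Files\MyApp\settings.ini","ACCESS DENIED","Desired Access: Generic Write, Read Attributes"
"10:02:11.0030000 AM","MyApp.exe","4120","RegSetValue","HKLM\SOFTWARE\MyApp\LastRun","ACCESS DENIED","Type: REG_SZ, Length: 22, Data: 2009-06-01"
"10:02:11.0040000 AM","MyApp.exe","4120","WriteFile","C:\Users\TheUser\AppData\Roaming\MyApp\cache.dat","SUCCESS","Offset: 0, Length: 4,096"
"10:02:11.0050000 AM","MyApp.exe","4120","WriteFile","C:\MyApp.log","SUCCESS","Offset: 0, Length: 128"
'''
```

Filter the live trace to your process name before exporting; the SUCCESS rows in protected locations are the ones that only work because the test ran elevated, which is why the slide says to test with UAC on and as a standard user too.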

Mandatory Integrity Control (MIC)

• The traditional NT security model revolves around the process token and the resource DACL
• Vista/Win7: a MIC level is assigned to each process (medium by default) and to all resources (medium by default)
• Basically four levels: 0: Low, 1: Medium, 2: High, 3: System

MIC: Processes and Resources

[Diagram: a Medium process (default) can write to Medium (default) resources and to Low resources, and read both. A Low process (PMIE) can write only to Low resources; it can read Medium and Low resources.]

MIC: Processes and Messages

[Diagram: SendMessage between a Medium process (default) and a Low process (PMIE). Messages sent down from the Medium process reach the Low process; messages sent up from the Low process to the Medium process are blocked.]

MIC Example: IE. Prior to Vista

[Diagram: IExplore.exe runs with the user’s full rights. Installing an ActiveX control, changing settings, downloading a picture and caching web content all happen in the same process, with admin-rights access to HKLM and Program Files and user-rights access to HKCU, My Documents, the Startup Folder and Temporary Internet Files. An exploit can install malware; untrusted files & settings land in the user’s own locations.]

MIC Example: IE. Vista+ Protected Mode

[Diagram: Protected Mode IE runs at Low integrity under Integrity Control. Installing an ActiveX control and changing settings go through a Broker Process with admin-rights access (HKLM, HKCR, Program Files); saving a picture goes through the broker with user-rights access (HKCU, My Documents, Startup Folder). A Compat Redirector redirects settings & files written by the Low process; cached web content and other untrusted files & settings go to the Low-integrity Temporary Internet Files.]

MIC Issues

Do you?
• Use Windows messages between MIC levels?
• See drag and drop fail?
• Use IE to write to the user’s %homepath%?

Try:
• Running the application elevated (“As Administrator”)
• Testing with UAC off
• Running IE with Protected Mode off

Tools: Process Monitor, Process Explorer, Standard User Analyzer
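The two MIC diagrams and the questions above reduce to a small policy: no-write-up for resources, read in both directions with the default resource policy, and window messages only from an equal or higher level. This added Python model (not from the deck) encodes that policy and audits the Protected Mode IE scenario from the "MIC Issues" slide; the scenario and its levels are constructed for the example, and the numbering follows the slide.

```python
from enum import IntEnum


class Integrity(IntEnum):
    """The four MIC levels, numbered as on the slide."""
    LOW = 0
    MEDIUM = 1
    HIGH = 2
    SYSTEM = 3


def can_write(process, resource):
    """No-write-up: a process may modify a resource only at or below its own level."""
    return process >= resource


def can_read(process, resource):
    """Reads are allowed in both directions with the default resource policy
    (only no-write-up is set on files and keys), as the resource diagram shows."""
    return True


def can_send_message(sender, receiver):
    """UIPI: window messages only flow from an equal or higher level (the
    reason for the 'messages between MIC levels' and drag-and-drop questions)."""
    return sender >= receiver


def audit(process, actions):
    """Return the actions a process at `process` cannot perform.
    Each action is (kind, other_level) with kind in {'read', 'write', 'send'}."""
    checks = {"read": can_read, "write": can_write, "send": can_send_message}
    return [(kind, other) for kind, other in actions if not checks[kind](process, other)]


# Constructed scenario: Protected Mode IE (Low) reads a document, writes under
# %homepath% (Medium, the default level), writes into its own Low Temporary
# Internet Files, and sends a window message to a Medium application.
PMIE_ACTIONS = [
    ("read", Integrity.MEDIUM),
    ("write", Integrity.MEDIUM),
    ("write", Integrity.LOW),
    ("send", Integrity.MEDIUM),
]
```

`audit(Integrity.LOW, PMIE_ACTIONS)` returns the two blocked actions, the %homepath% write and the message to the Medium process, which is why the slide suggests testing with Protected Mode off to confirm the symptom and then fixing the design (a broker, or a Low-integrity drop location) rather than the setting.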

Sessions in XP/W2K/WS03

[Diagram: Session 0 holds a single Window Station/Desktop shared by Services, the Screen Saver, Login and the 1st user’s windows. Because service windows and user windows share one desktop, a user window can send messages to a service window (shatter attack).]

Sessions in Vista/Windows 7

[Diagram: Session 0 holds its own Window Station/Desktop with only Services and is marked Secure. Session 1 holds a separate Window Station/Desktop with the Screen Saver, Login and the 1st user’s windows.]

Session 0 Isolation

demo

Session 0 Issues

Do you have services that:
• interact with the desktop?
• communicate with other user-mode apps?
• create a kernel object to communicate?

Verify:
• communication between services and applications
• services are not relying on interacting with the desktop

Guidance:
• UI: use WTSSendMessage() or CreateProcessAsUser()
• kernel objects: have the service create them in the Global namespace

The AppCompat “Cookbooks”

Everything else that we haven’t covered:
• XP -> Vista/2008 -> Win 7: “Application Compatibility Cookbook”, “Application Compatibility” on MSDN
• Vista -> Win 7: “Windows 7 Application Quality Cookbook”

Windows Vista to Windows 7

• Application compatibility is a main goal; very few breaking changes
• If your app works on Vista, it will likely work on Windows 7
• …but there are a few things to verify

Incompatible by Design

• Version checking for a specific OS release
• Structure of private data and data types
• Patching OS calls
• Using registry values instead of APIs
• Non-deterministic events
• Redistributing Windows components

Version Checking

• Applications check the Windows OS version and block themselves or modify behavior
• If absolutely needed, check for >= OS version
• Don’t block: present a warning message and allow the application to continue
• Check for the existence of specific features if that is important
• Windows 7 is version 6.1

Version Checks – Stop doing this

// Blocks on every release except 5.x (2000/XP/2003): Vista is 6.0 and Windows 7 is 6.1.
OSVERSIONINFO version = { 0 };
version.dwOSVersionInfoSize = sizeof(version);   // GetVersionEx fails without this
GetVersionEx( &version );
if ( version.dwMajorVersion != 5 ) {
    OnAppExit();
}

Version Checks – Do this

// Probe for the feature you need instead of the OS version: load the newest
// shim-engine DLL that exists. LoadLibraryFromSystem32 is the deck's helper that
// loads a DLL from the System32 directory rather than from the search path;
// the enclosing function name is only a placeholder for the slide's fragment.
HMODULE LoadShimEngine(void)
{
    HMODULE hMod;
    hMod = LoadLibraryFromSystem32(L"Apphelp.dll");
    if (hMod) return hMod;
    hMod = LoadLibraryFromSystem32(L"sdbapiu.dll");
    if (hMod) return hMod;
    hMod = LoadLibraryFromSystem32(L"sdbapi.dll");
    if (hMod) return hMod;
    return NULL;   // none of the known engines is present
}
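Where a version check really is unavoidable, the slide says to compare for >= and to warn rather than exit. The comparison is easy to get wrong in two ways: the equality test above, and a field-by-field >= that rejects 6.0 when 5.1 is required. This added Python model (not from the deck) shows the correct pair comparison beside both mistakes; the OsVersion tuple is a constructed stand-in for the dwMajorVersion/dwMinorVersion pair of OSVERSIONINFO.

```python
from collections import namedtuple

# Mirrors the dwMajorVersion / dwMinorVersion pair of OSVERSIONINFO.
OsVersion = namedtuple("OsVersion", "major minor")

WINDOWS_XP = OsVersion(5, 1)
WINDOWS_VISTA = OsVersion(6, 0)
WINDOWS_7 = OsVersion(6, 1)


def at_least(have, need):
    """The recommended check: compare the (major, minor) pair as a whole,
    so every later release passes."""
    return (have.major, have.minor) >= (need.major, need.minor)


def legacy_equality_check_exits(have):
    """The 'stop doing this' check: the app exits unless major == 5,
    which shuts it out of Vista (6.0) and Windows 7 (6.1)."""
    return have.major != 5


def fieldwise_check(have, need):
    """A tempting but wrong '>=' that compares the fields independently:
    it rejects Vista (6.0) when XP (5.1) is required, because 0 < 1."""
    return have.major >= need.major and have.minor >= need.minor


def startup_decision(have, need):
    """The slide's guidance: never block on an unexpected version; warn and continue."""
    return "run" if at_least(have, need) else "warn-and-run"
```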

Version Check: Shimming

[Diagram: Myapp.exe calls GetVersionEx in kernel32.dll and receives 6.1 (Windows 7).]

Version Check: Shim Applied

[Diagram: with the shim applied, Myapp.exe’s GetVersionEx() call is intercepted by the shim; kernel32.dll returns 6.1 and the shim hands 6.0 back to the application.]

Internet Explorer 8

• Tabs run in individual processes, e.g. each tab (process) gets its own ActiveX control
• New rendering engine: IE7 (compatibility mode) and IE8
• New IE8 user-agent string

Miscellaneous Regressions

• Removal of Windows Mail
• Removal of Windows Movie Maker
• API implementations moved to kernelbase.dll (MinWin)
• Removal of Windows Registry Reflection
• Replacement of the WPDUSB.SYS driver for Windows Portable Devices
• Microsoft Message Queuing (MSMQ)

Check out the Windows 7 Cookbook for the full list.

That’s pretty much it. Now let’s make it better:
• High DPI
• Remote Desktop
• Fixing your released applications with Shims

High DPI Surprises

Monitor max resolution vs. share of users who set it to the maximum:

  Monitor Max Resolution   % Set to Maximum
  1280x1024                56%
  1400x1050                79%
  1600x1200                32%
  1680x1050                66%
  1920x1050                39%
  1920x1200                78%
  Avg. set to default      55%

Details: users with a max resolution of 1600x1200

  User's Chosen Resolution   % using that resolution
  640x480                    1%
  800x600                    7%
  1024x768                   57%
  1280x1024                  3%
  1600x1200                  32%
  Total                      100.00%

Almost half of all users are not configuring their display to maximum resolution (!)

Users are lowering their screen resolution to get larger text…

High DPI: Why Do We Care?

• High-fidelity monitors are not fully used
• ClearType requires native resolution
• Can’t display native high-def content
• Accidentally selecting a non-native aspect ratio
• Pixelated content does not take advantage of the display
• Non-native aspect ratio settings “squish” content

High DPI Issues

• Clipped text
• Layout & image size issues
• Pixelated bitmaps
• WinForms issues
• Blurry UI
• Mismatched font sizes

High DPI: test for Windows 7

• A Windows 7 clean install determines DPI by heuristics; your helpdesk will hear about it more
• DWM will “virtualize” your UI and blow it up above 150%
• Try running with at least 125% DPI, or better 150%
• Fix issues and declare DPIAware in the manifest

RDS and Fast User Switching

• Remote Desktop (Terminal Services) allows for centralized deployment: end users log in or run applications “remote” (TS Apps)
• FUS is a “light” form of RDP; it exists since XP: park one user session, switch to another
• Multiple instances of the application can be running

RDP & FUS Compatibility Issues

• Concurrency: resources can be accessed simultaneously; Terminal Service sessions are separated from Services
• User data privacy
• Sound, high CPU in an inactive FUS session
• Remote devices: local resources are remote for the application
• Remote performance considerations: paints, video, disk I/O, CPU, network are all shared
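Both the Session 0 guidance (have the service create kernel objects in the Global namespace) and the FUS concurrency issue (multiple instances in parked sessions) come down to where a named event, mutex, mapped file or pipe lands in the object manager namespace. This added Python model (not from the deck) resolves a name the way the kernel does for the Global\ and Local\ prefixes and tells you whether an open from another session finds the object. It ignores the object's DACL and the SeCreateGlobalPrivilege check, which both still apply on a real system; session numbers and object names are constructed.

```python
SERVICE_SESSION = 0  # services run in Session 0 on Vista/Windows 7

GLOBAL_DIR = "\\BaseNamedObjects\\"


def object_path(name, session):
    """Resolve a named kernel object created by a process in `session` to its
    directory in the object manager namespace. 'Global\\' always maps to the
    machine-wide directory; 'Local\\' or no prefix maps to the creator's
    per-session directory, and session 0's directory is the global one."""
    if name.startswith("Global\\"):
        return GLOBAL_DIR + name[len("Global\\"):]
    if name.startswith("Local\\"):
        name = name[len("Local\\"):]
    if session == SERVICE_SESSION:
        return GLOBAL_DIR + name
    return f"\\Sessions\\{session}" + GLOBAL_DIR + name


def can_open(creator_name, creator_session, opener_name, opener_session):
    """True when an OpenEvent/OpenMutex-style call by the opener resolves to
    the object the creator made (namespace only; DACL and privilege ignored)."""
    return object_path(creator_name, creator_session) == object_path(opener_name, opener_session)


def fus_instances_collide(name):
    """Do two instances of the same app, one per switched user session, see
    each other's single-instance mutex? Only with the Global\\ prefix."""
    return can_open(name, 1, name, 2)
```

`can_open("MyAppEvent", 0, "MyAppEvent", 1)` is the Session 0 bug on the slide: the service's unprefixed object is global, but the user-session client resolves the same name under \Sessions\1, so its open fails; prefixing the name with Global\ on the client side (or both sides) fixes it. For FUS, `fus_instances_collide("Local\\MyAppMutex")` is False, so a second user gets their own instance, while a Global\ mutex makes the second session's instance find the first.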

Wrapping up

• Shims for ISVs
• Windows 7 Logo
• We’re here to help

What are Shims?

• Windows components change to support new technology, bug fixes and strategy changes
• OS changes may fix some applications and break others
• A shim simulates previous Windows behavior for an application

Shims for ISVs?

• Only for released applications: future versions need to be fixed
• We’ll try to shim your released application; if we missed you, please contact us
• Some information we’ll need: the specific scenario that fails, the application, which versions need to be shimmed

Windows 7 Logo

Logo requirements:
• improve end users’ experience
• make your migration efforts easier
• simplified from Vista; self test

Links:
• List in Windows 7 Compat Center: http://go.microsoft.com/?linkid=9661176
• Client Logo Program: http://msdn.microsoft.com/en-us/windows/dd203105.aspx
• Server Logo Program: http://www.innovateon.com/product_server2008.aspx

We are here to help

• Forum: http://social.msdn.microsoft.com/Forums/en-US/windowscompatibility/
• World-wide events
• Hands-on Testing Labs in Redmond: [email protected]

Resources

Cookbooks: “Application Compatibility Cookbook”, “Windows 7 Application Quality Cookbook”
• MSDN Application Compatibility: http://msdn.microsoft.com/en-us/windows/aa904987.aspx
• TechNet Windows Application Compatibility: http://technet.microsoft.com/en-us/desktopdeployment/bb414773.aspx
• DevReadiness.org
• Channel 9: http://channel9.msdn.com/tags/Application+Compatibility/
• Logo: http://msdn.microsoft.com/en-us/windows/dd203105.aspx


Related Content

Breakout sessions (session codes and titles):
• WCL302 Are You Breaking My Stuff Again? The Windows 7 App Compat Story
• WCL304 Fix Your Broken Applications: The Black Art of Shims
• WCL401 Not for the Faint of Heart: Hard Core App Compat Debugging


© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

