Windows Application Readiness for Developers
Maarten van de Bospoort, Application Development Consultant, Microsoft
Session WCL312
Agenda
Oh, oh. I come from XP.
I’ve done Vista. What did you break now?
That leaves room for improvement.
Top AppCompat Issues
Top AppCompat issues, from XP to Win 7:
• User Account Control
• Mandatory Integrity Control
• Services Isolation
From Vista to Win 7:
• Version checking
• Miscellaneous
More than just compatible:
• High DPI
• Remote Desktop and Fast User Switching
User Account Control – Why?
Running as administrator increases malware threats: there are no limits on what an application can do.
• Install root kits
• Install key stroke loggers
• Etc.
Enterprises see significant TCO reductions when running with managed systems. Key: run as much as possible as Standard User.
User Account Control – How?
Applications run as Standard User by default. What is a Standard User?
Allowed:
• Run most applications
• Change per-user settings
Not allowed:
• Install applications and drivers
• Change system settings
• Admin “privileges”
UAC Architecture
(Diagram.) The user Abby holds two tokens: an Admin Token and a “Standard User” Token. An app started with the Admin Token passes the Admin Token on to its child apps; an app started with the Standard User Token passes the Standard User Token on to its child apps.
What is broken by UAC?
Can no longer:
• write to Program Files
• write to System32
• write to some HKLM\Software hives
• create kernel objects in the global namespace
Impact on:
• file creation in restricted locations
• installers
• custom actions in MSI
• events, mutexes, mapped files, named pipes, etc.
OS Mitigation: Data Redirection
Legacy applications that write to secure locations (HKLM\Software; %SystemDrive%\Program Files; %WinDir%\System32) are redirected to HKCU\Software\Classes\VirtualStore and %LocalAppData%\VirtualStore\.
• Intended for “legacy” applications
• Might be removed in a future OS version
• Redirection removes the need for elevation
• Not for native x64; no redirection for binaries
• Impact: per-machine changes become per-user changes.
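To make the redirection rules on this slide concrete, here is an added C model (not code from the deck) that predicts where a legacy write lands. It assumes the redirect targets listed on the slide plus the MACHINE\Software subkey the registry VirtualStore actually uses; the C: drive letter, the .exe/.dll binary rule, and the native_x64/has_manifest flags (a manifested, Vista-aware app opts out of the mitigation, as a later slide notes) are the model's own assumptions.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive prefix test: Windows paths and registry keys are case-insensitive. */
static bool has_prefix(const char *s, const char *prefix) {
    for (; *prefix; s++, prefix++)
        if (!*s || tolower((unsigned char)*s) != tolower((unsigned char)*prefix))
            return false;
    return true;
}

/* Assumed binary rule for the model: the slide says binaries are never redirected. */
static bool is_binary(const char *path) {
    const char *dot = strrchr(path, '.');
    return dot && strlen(dot) == 4 && (has_prefix(dot, ".exe") || has_prefix(dot, ".dll"));
}

/* Predicts the outcome of a write by a legacy (unmanifested, 32-bit) application.
   Returns true and fills `redirected` when the OS would virtualize the write; returns
   false when no redirection applies (native x64, manifested app, binary target, or a
   location outside the redirected set), in which case a standard user's write fails. */
bool virtualize_write(const char *target, bool native_x64, bool has_manifest,
                      char *redirected, size_t n) {
    if (native_x64 || has_manifest)
        return false;
    /* HKLM\Software\X  ->  HKCU\Software\Classes\VirtualStore\MACHINE\Software\X */
    const char *hklm = "HKLM\\Software\\";
    if (has_prefix(target, hklm)) {
        snprintf(redirected, n, "HKCU\\Software\\Classes\\VirtualStore\\MACHINE\\Software\\%s",
                 target + strlen(hklm));
        return true;
    }
    /* C:\Program Files\X and C:\Windows\System32\X  ->  %LocalAppData%\VirtualStore\<path minus drive> */
    const char *dirs[] = { "C:\\Program Files\\", "C:\\Windows\\System32\\" };
    for (size_t i = 0; i < sizeof dirs / sizeof dirs[0]; i++) {
        if (has_prefix(target, dirs[i])) {
            if (is_binary(target))
                return false;
            snprintf(redirected, n, "%%LocalAppData%%\\VirtualStore\\%s", target + 3);
            return true;
        }
    }
    return false;
}
```

Run it over the paths your installer or settings code writes to: anything that comes back redirected is a per-machine change that silently became per-user.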
Mitigation: Installer Detection
Installers often require administrative rights, so running them as Standard User would mean failure.
Mitigation: detect strings in the binary's resources (setup, install, patch, etc.) and elevate to Administrator.
Fixing UAC bugs
Write to the correct location:
              All Users          User
  Documents   C:\users\public    C:\users\TheUser
  Data        C:\ProgramData     C:\users\TheUser\AppData
• Split up your application in two parts: a Standard User day-to-day part and an Administrator part
• Add a manifest to opt out of the mitigation
Manifest: UAC section (MyAdminApp.Exe.Manifest)
    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
      <assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="MyAdminApp" type="win32"/>
      <!-- Identify the application security requirements. -->
      <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
        <security>
          <requestedPrivileges>
            <requestedExecutionLevel level="asInvoker"/>
          </requestedPrivileges>
        </security>
      </trustInfo>
    </assembly>
Vista / Win 7 “Aware” Application
Vista/Win 7-aware applications embed an XML manifest, which disables all mitigations. The manifest contains a trustInfo section with one of these execution levels:
• asInvoker: launch with the same token as the parent process
• highestAvailable: launch with the highest token this user possesses
• requireAdministrator: highest token of the user, provided the user is a member of the Administrators group
UAC Issues
Do you?
• Write to Program Files, Windows, System32, HKLM\Software, or the root?
• Create kernel objects “globally”?
Try:
• Running the application elevated (“As Administrator”)
• Testing with UAC off
Tools:
• Process Monitor, Process Explorer
• Standard User Analyzer
Mandatory Integrity Control (MIC)
The traditional NT security model revolves around the process token and the resource DACL. Vista/Win7 add a MIC level assigned to:
• each process (Medium by default)
• all resources (Medium by default)
Basically four levels: 0: Low, 1: Medium, 2: High, 3: System.
MIC: Processes and Resources
(Diagram.) A Medium process (default) can read and write both Medium (default) and Low resources. A Low process (PMIE) can read Medium and Low resources but can write only to Low resources; its write to a Medium resource is blocked.
MIC: Processes and Messages
(Diagram.) SendMessage between processes at the same level, Medium (default) to Medium, succeeds. SendMessage from a Low process (PMIE) to a Medium process is blocked.
MIC Example: IE. Prior to Vista
(Diagram.) A single IExplore.exe process runs with the user's full rights. With Admin-Rights Access it can install an ActiveX control (HKLM, Program Files); with User-Rights Access it can change settings, download a picture (HKCU, My Documents, Startup Folder) and cache Web content (Temp Internet Files). Because untrusted files & settings reach the same process, an exploit can install MALWARE.
MIC Example: IE. Vista+ Protected Mode
(Diagram.) Protected Mode IE runs as a Low process. Installing an ActiveX control (Admin-Rights Access: HKLM, HKCR, Program Files) and changing settings or saving a picture (User-Rights Access: HKCU, My Documents, Startup Folder) must go through the Integrity Control Broker Process. A Compat Redirector turns legacy writes into redirected settings & files. Cached Web content goes straight to Temp Internet Files, which, like untrusted files & settings, stay at Low integrity.
MIC Issues
Do you?
• Use Windows messages between MIC levels?
• See drag and drop fail?
• Use IE to write to the user’s %homepath%?
Try:
• Running the application elevated (“As Administrator”)
• Testing with UAC off
• Running IE with Protected Mode off
Tools:
• Process Monitor, Process Explorer
• Standard User Analyzer
Sessions in XP/W2K/WS03
(Diagram.) Session 0 contains a single Window Station/Desktop shared by Services, the Screen Saver, Login and the 1st user’s windows. A service window on the same desktop as user windows is exposed to a Shatter Attack.
Sessions in Vista/Windows 7
(Diagram.) Session 0 is now a secure session holding only services, with their own Window Station/Desktop. Session 1 holds the 1st user’s Window Station/Desktop with the Screen Saver, Login and the user’s windows.
Session 0 Issues
Do you have services that
• interact with the desktop?
• communicate with other user-mode apps?
• create a kernel object to communicate?
Verify:
• communication between services and applications
• services are not relying on interacting with the desktop
Guidance:
• UI: use WTSSendMessage() or CreateProcessAsUser()
• kernel objects: have the service create them in the global namespace
The AppCompat “Cookbooks”
Everything else that we haven’t covered
XP -> Vista/2008 -> Win7: “Application Compatibility Cookbook”, “Application Compatibility” on MSDN
Vista -> Win 7: “Windows 7 Application Quality Cookbook”
Windows Vista to Windows 7
Application compatibility is a main goal, with very few breaking changes.
If your app works on Vista, it will likely work on Windows 7…
…but there are a few things to verify.
Incompatible by Design
• Version checking for a specific OS release
• Structure of private data and data types
• Patching OS calls
• Using registry values instead of APIs
• Non-deterministic events
• Redistributing Windows components
Version Checking
Applications check the Windows OS version and block themselves or modify behavior. If absolutely needed, check for >= OS version.
Don’t block: present a warning message and allow the application to continue.
Check for the existence of specific features if that is what matters. Windows 7 is version 6.1.
Version Checks – Stop doing this
    OSVERSIONINFO version;
    version.dwOSVersionInfoSize = sizeof(version);   /* GetVersionEx fails without this */
    GetVersionEx( &version );
    if ( version.dwMajorVersion != 5 ) {             /* equality test: blocks every later release */
        OnAppExit();
    }
Version Checks – Do this
    /* Feature detection instead of a version test: probe for the library that
       provides the feature. LoadLibraryFromSystem32 is not a Win32 API; it is
       presumably a helper defined elsewhere in the deck that loads only from
       the System32 directory. */
    HMODULE hMod;
    hMod = LoadLibraryFromSystem32(L"Apphelp.dll");
    if (hMod) return hMod;
    hMod = LoadLibraryFromSystem32(L"sdbapiu.dll");
    if (hMod) return hMod;
    hMod = LoadLibraryFromSystem32(L"sdbapi.dll");
    if (hMod) return hMod;
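The two slides above contrast a brittle equality test with feature detection. As an added example (not code from the deck), the portable C model below shows why the “>= OS version” check the deck recommends must compare the major number before the minor one, and how to warn instead of block. The os_version struct, the sample releases (XP 5.1, Vista 6.0, Windows 7 6.1, plus a later 10.0 release) and startup_notice are constructed for the example; in real code the numbers come from OSVERSIONINFO.

```c
#include <stdbool.h>
#include <stddef.h>

/* Model of a Windows version (constructed for the example). In real code the two
   fields are OSVERSIONINFO.dwMajorVersion and dwMinorVersion. */
typedef struct { unsigned major, minor; } os_version;

/* Sample releases: XP 5.1, Vista 6.0, Windows 7 6.1 (as the slide says), and a
   later release whose major is larger but whose minor is zero (Windows 10 is 10.0). */
static const os_version XP = {5, 1}, VISTA = {6, 0}, WIN7 = {6, 1}, LATER = {10, 0};

/* The "stop doing this" pattern: an equality test against one release.
   Passes only on 5.x kernels and blocks Vista, Windows 7 and everything after. */
bool legacy_check_passes(os_version os) {
    return os.major == 5;
}

/* A common wrong ">=": comparing major and minor independently.
   10.0 fails a 6.1 requirement because 0 < 1, although 10.0 is the newer OS. */
bool naive_at_least(os_version os, unsigned major, unsigned minor) {
    return os.major >= major && os.minor >= minor;
}

/* Correct ">=": the major number decides; minor is compared only when major ties. */
bool at_least(os_version os, unsigned major, unsigned minor) {
    return os.major > major || (os.major == major && os.minor >= minor);
}

/* The policy the slide recommends: never block. Returns a warning to show when the
   OS is older than the tested baseline (NULL otherwise) so the caller can continue. */
const char *startup_notice(os_version os, unsigned major, unsigned minor) {
    return at_least(os, major, minor)
        ? NULL
        : "This version of Windows is older than the one this application was tested on.";
}
```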
Internet Explorer 8
Tabs are running in individual processes, e.g. each tab (process) gets its own ActiveX control.
New rendering engine: IE7 (compatibility mode) and IE8.
New IE8 user agent string.
Miscellaneous Regressions
• Removal of Windows Mail
• Removal of Windows Movie Maker
• API implementations moved to kernelbase.dll (minwin)
• Removal of Windows Registry Reflection
• Replacement of the WPDUSB.SYS driver for Windows Portable Devices
• Microsoft Message Queuing (MSMQ)
Check out the Windows 7 Cookbook for the full list
That’s pretty much it. Now let’s make it better:
• High DPI
• Remote Desktop
• Fixing your released applications with Shims
High DPI Surprises
Monitor max resolution vs. share of users who set it to maximum:
  Max resolution   % set to maximum
  1280x1024        56%
  1400x1050        79%
  1600x1200        32%
  1680x1050        66%
  1920x1050        39%
  1920x1200        78%
  Avg. set to default: 55%
Details: users with a max resolution of 1600x1200
  User's chosen resolution   % using that resolution
  640x480                    1%
  800x600                    7%
  1024x768                   57%
  1280x1024                  3%
  1600x1200                  32%
  Total                      100.00%
Almost half of all users are not configuring their display to maximum resolution (!)
Users are lowering their screen resolution to get larger text…
High DPI: Why Do We Care?
• High fidelity monitors not fully used
• ClearType requires native resolution
• Can’t display native high-def content
• Accidentally selecting a non-native aspect ratio
Pixelated content does not take advantage of the display; non-native aspect ratio settings “squish” content.
High DPI Issues
• Clipped text
• Layout & image size issues
• Pixelated bitmaps
• WinForms issues
• Blurry UI
• Mismatched font sizes
High DPI: test for Windows 7
• A Windows 7 clean install determines DPI by heuristics; your helpdesk will hear about it more
• DWM will “virtualize” and blow you up after 150%
• Try running with at least 125% DPI, or better 150%
• Fix issues and declare DPIAware in the manifest
RDS and Fast User Switching
Remote Desktop (Terminal Services) allows for centralized deployment: end users log in or run applications “remote” (TS Apps).
FUS is a “light” form of RDP that has existed since XP: one user session is parked while switching to another.
Multiple instances of the application can be running.
RDP & FUS Compatibility Issues
Concurrency:
• Resources can be accessed simultaneously
• Terminal Service sessions are separated from Services
• User data privacy
• Sound, high CPU in an inactive FUS session
Remote devices:
• Local resources are remote for the application
• Remote performance considerations: paints, video, disk I/O, CPU and network are all shared
What are Shims?
Windows components change to support new technology, bug fixes and strategy changes. OS changes may fix some applications and break others.
A shim simulates previous Windows behavior for an application.
Shims for ISVs?
Only for released applications: future versions need to be fixed.
We’ll try to shim your released application. If we missed you, please contact us. Some information we’ll need:
• the specific scenario that fails
• the application
• which versions need to be shimmed
Windows 7 Logo
Logo requirements improve end users’ experience and make your migration efforts easier. Simplified from Vista; self test.
Links:
• List in Windows 7 Compat center: http://go.microsoft.com/?linkid=9661176
• Client Logo Program: http://msdn.microsoft.com/en-us/windows/dd203105.aspx
• Server Logo Program: http://www.innovateon.com/product_server2008.aspx
We are here to help
Forum: http://social.msdn.microsoft.com/Forums/en-US/windowscompatibility/
World-wide events
Hands-on Testing Labs in Redmond: [email protected]
Resources
Cookbooks: “Application Compatibility Cookbook”, “Windows 7 Application Quality Cookbook”
MSDN Application Compatibility: http://msdn.microsoft.com/en-us/windows/aa904987.aspx
TechNet Windows Application Compatibility: http://technet.microsoft.com/en-us/desktopdeployment/bb414773.aspx
DevReadiness.org
Channel 9: http://channel9.msdn.com/tags/Application+Compatibility/
Logo: http://msdn.microsoft.com/en-us/windows/dd203105.aspx
Sessions On-Demand & Community: www.microsoft.com/teched
Resources for IT Professionals: http://microsoft.com/technet
Resources for Developers: http://microsoft.com/msdn
Microsoft Certification and Training Resources: www.microsoft.com/learning
Resources
Related Content: breakout sessions (session codes and titles)
• WCL302 Are You Breaking My Stuff Again? The Windows 7 App Compat Story
• WCL304 Fix Your Broken Applications: The Black Art of Shims
• WCL401 Not for the Faint of Heart: Hard Core App Compat Debugging
Track Resources
→ Want to find out which Windows Client sessions are best suited to help you in your deployment lifecycle?
→ Want to talk face-to-face with folks from the Windows Product Team?
Meet us today at the Springboard Series Lounge, or visit us at www.microsoft.com/springboard
Springboard Series
The Springboard Series empowers you to select the right resources, at the right technical level, at the right point in your Windows® Client adoption and management process. Come see why Springboard Series is your destination for Windows 7.
© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS,
IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.