Application Compatibility

Peter HimschootMicrosoft Regional Director BeLuxpeter@u2u.netU2U

Agenda

Why aren’t applications compatible with Windows?Windows 7 compatibility changesCompatibility guidelinesCompatibility diagnosticsWindows 7 Logo requirements

Why Aren't Applications Compatible?

Things change between releasesOS version number, structure of internal data types, registry keys, order of events …

Knowingly breaking changesUser Account Control

User experience changesHigh DPI

Why Not Administrator?

The Administrator account goes down in Windows history

Greater attack surface (security)Bigger TCO (users break their PCs)Less manageable (users change policy)

The Standard User is usually enough!

Slowly Moving…

Windows XP is generally unusable as Standard UserWindows Vista SP1, Windows 7 eliminate privileged operationsWhat can a standard user do?

Write files, connect to the network, change display settings, change the time zone, install trusted applications …

What can’t a standard user do?Write to sensitive registry locations, install unsigned device drivers, change the time …

Debunking Some Myths

88% of users have UAC enabled

60-80% don’t see a single UAC prompt within a single session

08/07 – 08/08 time period: Four times less (!) UAC prompts from applications

The Meaning of UAC

Three types of users:“True admin” – elevated privileges all the timeStandard user – no elevated privileges at all“UAC admin” – token is filtered at login time and linked to an elevated token

UAC is an intermediate step!Ultimately, all users must run as standard user

Mandatory Integrity Control (MIC)

• Traditional NT security model revolves around process token

• Windows Vista/Win7 enhances this with MIC:• Each process gets a MIC level• All resources get a MIC level (medium is

default)

• There are four levels:• 0: Low • 1: Medium • 2: High• 3: System

MIC and Securable Objects

Types of Elevation

Over-The-Shoulder elevation:

Full admin elevation:

Types of Elevation

A part of Windows:

Other (verified) publisher:

Types of Elevation

Unverified publisher:

Fine-Grained Control Over UAC

Windows Vista UAC can be on or off

Grater control through Registry

Windows 7 introduces granular prompt levels

You Don’t Want Privilege

Avoid elevated operations!Annoying promptsCosts you all standard-user customersVulnerabilities are escalatedAttackers target your products

Removing Unecessary Elevation

Administrator OnlyStandard User

Compliant

Writing to HKLM Writing to HKCU

Writing to C:\, Program Files, C:\Windows, C:\Temp

Writing to user local AppData, temporary path or documents folder

Always ask for GENERIC_ALL access mask

Ask for minimum required privileges

Refuse to launch if not elevated

Disable parts of functionality

Designing for UACRemoving Privileges

Best case: Your application runs 100% fine as standard user

Remove operations that require unnecessary privileges

Does your application need to write to C:\?Does your application need to store its settings in HKLM?

Do elevated work at install-timeInstall for the requesting user

Designing for UACRefactoring Elevation

Factor the operation into a separate process (or out-of-process COM object)Identify the operation with a Shield icon

Designing for UACRefactoring Elevation

Ensure that the low-privilege application can’t be externally abused

E.g. malware pressed buttons and causes high-privilege operations in an elevated processHave the high-privilege process present the user interaction

Factor out to a service or taskSecure the communications channel (don’t talk to strangers)

Designing for UACAdmin-Only Applications

Administrator-only applications should prompt for elevation when launched

Fail gracefully, allow for OTS elevation

Add a manifest to your application requesting elevated privileges

Ask for privilege onceE.g. Vista Windows Explorer made this mistake with file operations

UAC Application Manifest<?xml version="1.0" encoding="utf-8" ?><assembly xmlns="urn:schemas-microsoft-com:asmv.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="AppName" type="win32" /> <description>App Description</description> <trustInfo xmlns="urn:schemas-microsoft.com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level="asInvoker" /> </requestedPrivileges> </security> </trustInfo></assembly>

requestedExecutionLevel

requireAdministrator

highestAvailable

asInvoker

Embedding the Manifest

Visual Studio 2008 can embed it for you

C++ projects have a special UAC combo boxC# or VB.NET projects need to edit the XML file manually

Use an embedding tool such as mt.exeUse the UAC Helpers library (CodePlex)Use the Windows Vista Bridge

Launching an Elevated Process

You can’t elevate a running processPreferably use manifests to request elevation

In other scenarios, the ShellExecute “runas” verb forces an elevation request

Even if there is a manifest that says “asInvoker”

For COM out-of-process objects, use CoCreateAsAdmin

Launching an Elevated ProcessManaged CodeProcess proc = new Process();proc.StartInfo = new ProcessStartInfo();proc.StartInfo.UseShellExecute = true;proc.StartInfo.Verb = “runas"; proc.StartInfo.FileName = @“C:\Windows\Notepad.exe"; proc.Start();

Detecting Elevation

UacHelpers.IsCurrentProcessElevatedUacHelpers.IsUacEnabledUacHelpers.IsUserAdmin

UAC Virtualization

For compatibility purposes, some privileged operations are redirected

%UserProfile%\AppData\Local\VirtualStoreHKCU\Software\Classes\VirtualStore

(Some) installers are auto-detectedApplications with a manifest do not get virtualization64-bit applications do not get virtualizationGenerally, don’t rely on it!

Can break in so many ways

Windows 7 Breaking ChangesDPIDPI (Dots Per Inch) settings are per-

user, require logoff/logon (not reboot)Windows 7 clean install heuristically chooses proper DPI

The user doesn’t have to opt-in to high DPI

Declare applications to be DPI-awareUse manifest (preferred)SetProcessDPIAware

High DPI Issues

Clipped text Layout issues and image size

issues

Pixilated bitmaps

Layout issues

Blurry UI

Mismatched font sizes

Windows Compatibility

Windows makes every effort!Thousands of applications have “compatibility shims” applied by the systemEven more applications are thoroughly tested

Windows 7 (32-bit) can still run 16-bit MS-DOS programs

Almost 25 years later!Most applications work just fine on new Windows versionsSome don’t

The Version Check

Do NOT check the version of Windows and refuse to run (Windows 7 Logo requirement)Check for features, not versions

Support backward: Disable featuresSupport forward: Check for version ≥

Windows 7 Breaking ChangesMail and Internet ExplorerWindows Mail is deprecated

Including APIs to launch Outlook Express, etc.Replaced by Windows Live Mail

Internet Explorer 8 out-of-the-boxCompatibility with standards, incompatibility with websitesIE7 emulation mode (Compatibility View)Intranet sites in compatibility mode by defaultPages/servers can detect IE8 and request compatibility mode/render standard content

64-Bit Windows

Applications on 64-bit Windows have to be extra careful32-bit applications run in a virtualized environment (WOW64)

File system redirection, registry redirectionRegistry reflection (COM server nodes)

Two versions of the registryTwo versions of Program FilesTwo versions of System32 (SysWOW64)

Windows 7 Breaking ChangesLibrariesA library can be selected instead of a

folderE.g. in common file dialogs

Ask the library for its default save locationAsk the common file dialog to provide only file-system locations

Less user-friendly, means user has to navigate to a specific folder instead of a library

Due to Libraries internal structure, users may NOT KNOW the specific folder

General Compatibility Guidelines

Compatible Might Be a Hack

Configuration APIs Change registry values

GetKnownFolder(…) Hard-code system paths

Consider future error codes

AppInit_DLLsPatch OS binaries

Target 32-bit and 64-bit

Repackage redistributables

Let The System Know!

Tell Windows which OS version your application was designed for

<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"> <application>

<supportedOS Id="{77777777-7777-7777-7777-777777777777}"/> <supportedOS Id="{66666666-6666-6666-6666-666666666666}"/> </application> </compatibility></assembly> 

Compatibility Diagnostics

Application Compatibility ToolkitAn extensive set of tools for diagnosing and fixing compatibility problems

Includes management of organization-wide compatibility fixes

Includes Standard User Analyzer, Internet Explorer Compatibility Test Tool and many others

Administering Compatibility

Examples of Shims

Shims = compatibility fixesRedirect registry accessRedirect file system accessOS version lieLegacy graphics mode emulation…hundreds of others!

ACT generates an SDB fileInstall on end-user’s machine using sdbinst (part of Windows)

End-User Solutions

Shortcut “Compatibility” tab

Compatibility troubleshooter

Reproducing Problems

Problem Steps Recorder can be an invaluable tool

Windows 7 Logo RequirementsWord of AdviceIf you’re compliant with the Windows

Vista logo, you’re ready for Windows 7

Even if you’re not planning to apply, the Logo requirements make senseLogo requirements better application!

Reduce helpdesk and support costsHappier users

IT – easier install and managementEnd users, better experiences

Windows 7 Logo RequirementsGeneral RequirementsProvide Microsoft with a copy of the

software for testing purposesAgree to a 30-90 day resolution policy for issues with Logo’d productsOpt in to receive communications from Microsoft regarding the Logo’d products

Windows 7 Logo RequirementsGeneral RequirementsDo not distribute malware or spyware

Do not modify WRP protected resourcesRegister for the WinQual portalInstall and uninstall cleanlyInstall to the correct foldersSupport Windows x64Follow UAC guidelinesDo not load drivers and services in Safe Mode

Windows 7 Logo RequirementsGeneral RequirementsDigitally sign files with Authenticode

Do not check the OS versionPrevent unnecessary rebootsSupport multi-user sessionsPass Application Verifier tests

Application Compatibility

…everything you were afraid to ask

Q&A

Summary

Why aren’t applications compatible with Windows?Windows 7 compatibility changesCompatibility guidelinesCompatibility diagnosticsWindows 7 Logo requirements

© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.

The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after

the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.