This presentation discusses most common appliacation compatibility issues in Windows 7 that applications designed for Windows Xp may experience. It explains the new features of the OS such as UAC, file and registry virtualization, WRP, Session 0 isolation, Mandatory Integrity Level that compatible applications have to be aware with to run well on Windows 7
1. How to Design Windows 7 Compatible Application (User Account Control) Windows 7 Application Compatibility Webcast Series Presenter: Michal Morciniec, Partner Support, Microsoft micham@microsoft.com Monday, October 26, 2009 1 Microsoft Confidential
2. Agenda Windows Application Compatibility Roadmap Top Compatibility Issues XP Win 7 Resources for Partners
3.
4. Windows 7 Builds on Windows VistaDeployment, Testing, and Pilots Today Will Continue to Pay Off Few Changes: Most software that runs on Windows Vista will run on Windows 7 - exceptions will be low level code (AV, Firewall, Imaging, etc). Hardware that runs Windows Vista well will run Windows 7 well. Windows 7 Few Changes: Focus on quality and reliability improvements Deep Changes: New models for security, drivers, deployment, and networking
10. Why Version 6.1? Some applications only check dwMajorVersion Some applications tried to do the right thing, but implemented it INCORRECTLY if (majorVersion >= 5 && minorVersion >= 1)
11. Version Checking Best Practices Do not perform version checks for equality If you need a feature, check for the feature Check for Windows XP or later (>= 5.1) Exceptions occur when there is a business or legal reason do a version check, e.g. a regulatory body requires you to certify your application for each operating system and version Check Windows 7 Training Kit forDeveloperfor sample code
12. Movingfrom XP to Windows 7 Monday, October 26, 2009 10 Microsoft Confidential UAC
13. UserAccountTypes Built-in (local machine) Administrator Disabled by default Runs with “Full token” Protected Administrator User in Administrators group Runs with “Split token” Standard User or Limited User Account None of the above Does not have administrator privileges 11
24. Windows 7 UAC Control Settings New settings: Top Setting – Vista behaviour 2nd – Does not prompt for Windows binaries 3rd as 2nd+prompts on User Desktop 4th-UAC disabled Monday, October 26, 2009 18 Microsoft Confidential
25. Windows 7 UAC and Auto-Elevation Middlesettings use auto elevation Windows Publishing Certificatesignedbinaries In “secure” location %SystemRoot%ystem32 Some %ProgramFiles% subdirs (Windows Defender, Windows Journal OnHardcodedList (Pkgmgr.exe, Migwiz.exe) Monday, October 26, 2009 19 Microsoft Confidential sigcheck -m
26. UAC and Security Policy (W7 and Vista) As in Vista certain UAC behaviour can be controlled through Security Policy Prompt Behaviour for Admins/Standard Users Installer detection heuristics Switching to secure desktop when Prompting File and Registry Virtualization Ex. : Disable OTS Dialog for Standard Users (Automatically deny elevation requests) Monday, October 26, 2009 20 Microsoft Confidential
27. Movingfrom XP to Windows 7 Monday, October 26, 2009 21 Microsoft Confidential UAC UI Goals -Shield
28. UI Goals: Simple & Predictable 1 Make application Standard user only 2 Clearly identify Administrative tasks Ensure Standard users can be fully productive Identify tasks that need elevation with a “shield”
29. UI: The Shield Attached to controls to indicate that elevation is required to use their associated feature Has only one state (i.e. no hover, disabled etc.) Does not remember elevated state Not an unlock operation Can be programmatically set: IDI_SHIELD icon resource BCM_SETSHIELD button message See: Enabling UAC Elevation in .Net applications (elevating process, dispaying shield , etc.)
31. Movingfrom XP to Windows 7 Monday, October 26, 2009 25 Microsoft Confidential UAC UI Goals –Shield MIC
32. Mandatory Integrity Control (MIC) Traditional NT security model revolves around process token Windows Vista/Win7 enhances this with MIC: Each process gets a MIC level All resources get a MIC level (medium is default) There are four levels: 0: Low (IE with Protected Mode On) 1: Medium (Standard User) 2: High (Elevated User) 3: System (System Services)
33. MIC and Resources MIC levels apply to: Processes Objects COM components Services Files Registry keys View MIC level on files and other resources using “accesschk –i” (Sysinternals tool) IE currently only application that has a MIC level of Low All IE resources need low as well
34. MIC, Simplified Object can have an integrity label Stored in its Security Descriptor Processes run at an integrity level (IL) Stored in its Access Token Process cannot access object if their IL is lower than the object’s label Part of the access check
35. Integrity Labels -Policies Every securable object has one Includes Level and Policy Policies can include: No-Write-Up: Lower IL can’t write to object No-Read-Up: Lower IL can’t read object No-Execute-Up: Lower IL can’t execute object No label = Medium + No-Write-Up Processes are No-Write-Up + No-Read-Up
36. MIC And Access Checks Process IL + access requested matched against object label If Process IL >= Object’s label, go onto DACL check If Process IL < Object’s label, and Object policy includes… and access requested includes…
37. Access CheckExample – With MIC"Who am I" – Identity + trust level R+W Request Access: Read + Write Internet Explorer [LOW IL] Toby’s Startup Folder Medium (NW) Request Access: Read + Write MS Money [Medium IL]
38.
39. Movingfrom XP to Windows 7 Monday, October 26, 2009 34 Microsoft Confidential UAC UI Goals –Shield MIC Virtualization
40. Virtualization Intended for existing legacy applications and may be removed in a future OS version 32-bit legacy interactive applications that write to administrator locations HKLMoftware; %SystemDrive%rogram Files %WinDir%ystem32 Redirected to: HKCUoftwarelassesirtualStore %LocalAppData%irtualStorebr />Redirection removes need for elevation Writes to HKLM go to HKCU redirected store Writes to system directories redirected to per-user store Different from registry keys redirection for 32-bit applications on x64 under WOW64…
41. Virtualization - Details Registry Keys Virtualization Does not work if: Process is 64 bit Process is impersonating a user Process specified requestedExecutionLevel in manifest Process is non-interactive (e.g.:Windows Service) File Virtualization Does not work if: File is of executable type -examples: .aspx, .bin,.cmd,.exe, .hlp, .msi, .ocx, .sys, .tlb, .wsh Monday, October 26, 2009 36 Partner Ready
44. WRP (Windows ResourceProtection) General mechanism that protects certain OS resources, e.g. Windowsystem32ernel32.dll NT SERVICErustedInstaller has Full Access SfcIsKeyProtected() lets you detect if registry key is WRP protected SfcIsFileProtected() lets you detect if file is WRP protected Windows Module Installer (TrustedInstaller.exe) is used to update OS components There is no API for ISVs to interact with it Local Administrator can take “ownership” of protected resource eliminating WRP so WRP is not a security measure Applications / Installers Should not modify WRP protected resources
45. Movingfrom XP to Windows 7 Monday, October 26, 2009 40 Microsoft Confidential UAC MIC Virtualization WRP Folder Locations
46. Folder Locations User data: sersusername%br />Pictures, Music, Documents, Desktop, and Favorites directly under this structure “My “ prefix dropped (but Windows 7 displays it again in Explorer…) “All Users” “Public” or “rogramData”
47. Where Should I Store Data? SHGetKnownFolderPath Constants See: Where Should I Write Program Data Instead of Program Files?
48. Folder Location Best Practices Never hard code absolute paths AppVerifier includes a test Script: environment variables Unmanaged code (C, C++) ShGetFolderPath function (CLSID_...) SHGetKnownFolderPath (FOLDERID_...) Managed code (C#, VB.NET) System.Environment.GetFolderPath Microsoft.VisualBasic.FileIO.SpecialDirectories My.Computer.FileSystem.SpecialDirectories
49. Movingfrom XP to Windows 7 Monday, October 26, 2009 44 Microsoft Confidential UAC MIC Virtualization WRP Folder Locations ApplicationManifest
50. Vista / Win 7 “Aware” Application Vista/Win 7-aware applications embed an XML manifest Standard item in VS 2008 Projects Disables all mitigations Manifest contains a RequestedExecutionLevel:
52. Finding/Solving UAC Issues Do you? Write to Program Files, Windows, System32, HKLM/Software, or Root? Create anything “globally” (System wide) Use Windows messages between isolation levels Try Running the application “As Administrator” Testing with UAC off Tools Process Monitor Standard User Analyzer
53. Windows Services and Session 0 In Windows® XP, Windows Services and user applications execute together in Session 0. From Windows Vista®, Windows Services are isolated in Session 0 User Application execute in Session 1, Session 2, etc. (“fast user switching” and Terminal Services)
54. Session Separation Session 0 in Windows XP / Windows Server 2003 Session 0 / Session 1 in Windows Vista+
55. Related Issues Windows Messages cannot cross Desktop boundaries (and therefore session) Windows Services cannot show UI (being in a different session!) Access control (MIC) adds complexity to possible solutions.
59. ApplicationCompatibilityFactory (ACF) 5 Partners with experteese in application compatibility tests Wipro, Infosys, TCS (Tata), Satyam, HP, Sogeti http://technet.microsoft.com/en-us/windows/bb510132.aspx ACF Training Site Contains training material for Partners willing to participate in ACF ACT 5.5 + Documentation + Webcasts + Slides 54
60. Application Compatibility – Training Training Program in English -12 hours approx. 300 level: UAC Overview Advanced UAC and Windows Resource Protection IE in Protected Mode Versioning, Folder Locations, Session 0 Isolation ACT 5.5 Internals Shims and Compatibility Administration LUA Tools and Solutions Sysinternals Tools and IE Compatibility Test Tool Exam 55
61. Support Options for Application Compatibility Partner Online Technical Communities (OTC) Windows 7 Application Compatibility OTC https://partner.microsoft.com/US/40014662 First response in 8 hours Local language Public Discussion Lists MSDN Application Compatibility for Windows Development Technet Windows 7 Application Compatibility Forum W7 ISV Remediation Workshops DPE Apply in “Green Light” https://www.isvappcompat.com/Default.aspx Face to face 2-3 days Bring your app to fix Fell free tocontact me : micham@microsoft.com 56
62. Code Samples Windows 7 Training Kit For Developers hands-on labs code samples (managed /unmanaged) about: OS Version Checks Session 0 Isolation User Interface Process Isolation (MIC) Installer Detection High DPI Data Redirection(File and Registry Virtualization) 57
63. Public Resources Cookbooks – address compatibility “Application Compatibility Cookbook” “Windows 7 Application Quality Cookbook” MSDN Application Compatibility: http://msdn.microsoft.com/en-us/windows/aa904987.aspx TechNet Windows Application Compatibility: http://technet.microsoft.com/en-us/desktopdeployment/bb414773.aspx Developer Guides – general programming guides Windows 7 UX Guide Windows 7 Developer Guide SysInternals Tools Suite http://technet.microsoft.com/en-us/sysinternals/bb842062.aspx 58