Join & Turn on 2010 - Microsoft

Nov 14, 2013 (3 years and 9 months ago)

Application Compatibility Overview

Aaron Margosis, Microsoft Corporation

http://blogs.msdn.com/b/aaron_margosis

http://blogs.technet.com/b/fdcc

Agenda

Overview of the Windows 7 application compatibility landscape


What breaks and why?


What does Windows do to fix things?


What options are available for apps that still break?


Not covered:


Troubleshooting and remediation details

Why is app-compat hard?


It never used to be this hard!


Backward-compatibility used to win

Shell Folders

p:\\products\public


CON, PRN, NUL


Starting with XP SP2, not anymore


Customers demanded better security


Vista was the first major desktop OS release after TWC memo

What Breaks in Windows 7?

Some things that had to change:

Everyone runs as “standard user”

The infamous User Account Control

Even admins run as “standard user”

The single biggest app-compat hit, ever

The Truth About UAC


The first step toward Standard User

Required to improve security and TCO

Suite of technologies to fix stuff, not break it

Running as standard user breaks stuff

That’s why no one did it before UAC!

Users shouldn’t be admins to begin with

And can’t approve elevation prompts

Disabling UAC turns off IE Protected Mode

We break, we fix:

UAC’s file and registry “virtualization”

Redirects access attempts from protected areas to non-roaming parts of user profile

Not related to App-V’s “bubble”

This is per-user, not per-application

Transparent to the app


Fixes many permissions-related issues


Does not apply to all apps or all file types

Internet Explorer 8 Standards Compliance


Meets customer demand, good for the web


App compat > 80%


Compatibility View is extremely helpful


On by default for Intranet


Quirks mode also helpful, but no admin UI!


Many tools available for troubleshooting


Fixes are either super easy or require devs

Hardest problem: server apps for IE6 only

E.g., Oracle, SAP

MED-V a potential solution

Internet Explorer Zone Changes (IE7 and Higher)


Trusted Sites default settings tightened


Intranet zone now the most permissive


Only Intranet has automatic Windows authentication


Trusted Sites now intended for external sites


Common simple fix for web apps: make sure zone is correct!

Internet Explorer Protected Mode


Sandboxed environment


Runs at “Low Integrity”


Cannot write to most areas of file system or registry


Limits impact of drive-bys

IEPM has protected you from exploits

if you left UAC enabled

Internet Explorer Protected Mode


“On” in Internet and Restricted Sites zones


“Off” in Intranet and Trusted Sites


May need to configure to recognize Intranet

External sites can be added to Trusted Sites

E.g., sites that require Java

Again, setting zone correctly fixes many web apps

Other products like the idea!


Google Chrome


Office 2010


Adobe Reader X


Some things that just changed:

Windows version number


Incorrect version checks: the most common bugs we find


Making it 6.1 keeps more apps working!


“Version lie” shims are easy to apply


And now easier to lie to MSIs


Still don’t think it can be that common?

Check the Windows version!

// This program requires WinXP or newer.
// Windows XP is version 5.1
// This is easy!
If Not (vMajor >= 5 AND vMinor >= 1) Then
{
    DisplayMessage("This program requires Windows XP or newer");
    LayDownAndDie;
}

Win7 as Windows 7.0?
vMajor: 7 >= 5
vMinor: 0 >= 1? Crap!

Vista is Windows 6.0:
vMajor: 6 >= 5
vMinor: 0 >= 1? Oops!

Win7 as Windows 6.1?
vMajor: 6 >= 5
vMinor: 1 >= 1! It works!
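
The version-check walk-through above as compilable C, added here as an illustration and not code from the presentation: the slide's check sits next to a comparison that treats (major, minor) as an ordered pair. The function names and the Windows 2000 (5.0) row are additions.

```c
#include <stdio.h>

/* The check from the slide: major >= 5 AND minor >= 1 (deliberately buggy). */
int buggy_is_xp_or_newer(unsigned major, unsigned minor) {
    return major >= 5 && minor >= 1;
}

/* Correct form: compare (major, minor) as an ordered pair. The minor
 * number only matters when the major numbers are equal. */
int is_at_least(unsigned major, unsigned minor,
                unsigned req_major, unsigned req_minor) {
    if (major != req_major)
        return major > req_major;
    return minor >= req_minor;
}

struct ver { const char *name; unsigned major, minor; };

/* Versions walked through on the slides, plus Windows 2000 (5.0),
 * added here as a system that really is too old. */
static const struct ver VERSIONS[] = {
    {"Windows 2000", 5, 0},
    {"Windows XP", 5, 1},
    {"Windows Vista", 6, 0},
    {"Windows 7 as shipped", 6, 1},
    {"Windows 7 if it had been 7.0", 7, 0},
};

/* Prints both verdicts per version and returns how many XP-or-newer
 * systems the buggy check turns away. */
int count_false_rejections(void) {
    int rejected = 0;
    for (size_t i = 0; i < sizeof VERSIONS / sizeof VERSIONS[0]; i++) {
        const struct ver *v = &VERSIONS[i];
        int buggy = buggy_is_xp_or_newer(v->major, v->minor);
        int correct = is_at_least(v->major, v->minor, 5, 1);
        printf("%-30s %u.%u  buggy=%d  correct=%d\n",
               v->name, v->major, v->minor, buggy, correct);
        if (correct && !buggy)
            rejected++;
    }
    return rejected;
}

int main(void) {
    printf("wrongly rejected: %d\n", count_false_rejections());
    return 0;
}
```
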

More things that just changed:

Folder locations

We moved the profiles, again!


Myth: We did this for no good reason


Truth: There was probably a good reason


And we changed where files need to go!


Myth: No guidance about where to put stuff


Truth: Well, yeah, but we’re fixing that


Myth: Everything breaks, apps actually cry


Truth 1: Correctly-written apps still work

Truth 2: Junctions fix many bad apps

Some support for old folder names

Can traverse, but cannot list

Can directly access files through old names

Cannot list contents of these junctions

Where Should I Store Files?

Per-User Files

Location (Symbolic Constant and Examples)

Visible to user in Explorer: FOLDERID_Documents / CSIDL_MYDOCUMENTS
Windows 7 example: C:\Users\username\Documents
Windows XP equivalent: C:\Documents and Settings\username\My Documents

Hidden from user, Local: FOLDERID_LocalAppData / CSIDL_LOCAL_APPDATA
Windows 7 example: C:\Users\username\AppData\Local
Windows XP equivalent: C:\Documents and Settings\username\Local Settings\Application Data

Hidden from user, Roaming: FOLDERID_RoamingAppData / CSIDL_APPDATA
Windows 7 example: C:\Users\username\AppData\Roaming
Windows XP equivalent: C:\Documents and Settings\username\Application Data

Shared Files

Location (Symbolic Constant and Examples)

Visible to user in Explorer: FOLDERID_PublicDocuments / CSIDL_COMMON_DOCUMENTS
Windows 7 example: C:\Users\Public\Documents
Windows XP equivalent: C:\Documents and Settings\All Users\Documents

Hidden from user, Local: FOLDERID_ProgramData / CSIDL_COMMON_APPDATA
Windows 7 example: C:\ProgramData
Windows XP equivalent: C:\Documents and Settings\All Users\Application Data

More things that just changed:

Default color scheme


Occasional mistake by VB6 devs

Easy to fix (if you have the source)

.NET WinForms made themes easy to use

Oops: everyone tested only on Luna

Fortunately, we have FakeLunaTheme shim

Note: apps that work only with one theme probably violate accessibility laws

You WILL go to jail! (US law; your laws may be harsher.)


Push back if app owner insists on Classic Theme

What Do I Do With Broken Apps?

Options for Fixing Broken Apps in (approximate) order of preference

1. Retire the app
2. Get an updated version of the app (from vendor or your developers)
3. Modify the installer via transforms or post-install scripts
4. Let UAC file/reg virtualization do its magic
5. Apply shims
6. Change permissions or policies
7. Machine virtualization (MED-V, VDI)

Independent issue: Application virtualization

Retiring Apps


Maintaining a big inventory is expensive!


Testing apps you don’t need is expensive!


Just because it’s there doesn’t mean you need it (and have to test it)


Does anyone actually use it?


How often?


How critical is it?


Can it be replaced with something else?


Excel? Calculator?


How expensive/complex to repair?

Is the App Supported on Win7?

www.microsoft.com/windows/compatibility



Search for apps or hardware


Indicates support/non-support for x86/x64


Based on vendor’s public claims


Links to vendor web sites’ claims

Modifying Installers

MSI transforms or post-install scripts

Can fix several bug classes:


Version check


“Run once” bug


App assumes user has admin rights


Performs final install operations on first run


“One user” bug


Installer assumes installing user == end user


Writes to HKCU, %USERPROFILE%


Missing components (e.g., MSVBVM50)




Applied to specific apps


Configured with Compatibility Administrator in the App Compat Toolkit

Deployable to enterprise

Changes what the app thinks it sees

Does not change what app is allowed to do

How Shims Work

[Diagram: a Process containing App.exe with its IAT entry for CreateFile, the Shim DLL with the CorrectFilePaths implementation, and Kernel32.dll with the CreateFileW implementation]
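
A simulation of the arrangement in the "How Shims Work" diagram, added here as an illustration and not code from the presentation or from Windows: the app calls through an import table slot, a path-correcting shim takes over that slot, and the underlying implementation still makes the access decision. The redirection rule, the LegacyApp name, the access policy and all function names are constructed; the real CorrectFilePaths shim is not reproduced.

```c
#include <stdio.h>
#include <string.h>

#define ACCESS_DENIED (-5)
typedef int (*create_file_fn)(const char *path, char *opened, size_t cap);

/* Stand-in for the Kernel32 implementation. Constructed policy: a
 * standard user may write only under their own profile. */
int os_create_file(const char *path, char *opened, size_t cap) {
    static const char profile[] = "C:\\Users\\username\\";
    if (strncmp(path, profile, sizeof profile - 1) != 0)
        return ACCESS_DENIED;
    snprintf(opened, cap, "%s", path);
    return 0;
}

/* Simulated import address table: the app only calls through this slot. */
struct iat { create_file_fn CreateFile; };
static create_file_fn next_create_file; /* original target, saved by the shim */

/* Constructed redirection rule for one hypothetical app. */
static const char OLD_PREFIX[] = "C:\\Program Files\\LegacyApp\\";
static const char NEW_PREFIX[] = "C:\\Users\\username\\AppData\\Local\\LegacyApp\\";

/* Shim: rewrites the path the app asked for, then forwards the call.
 * It grants nothing; the forwarded call is still subject to the policy. */
int shim_create_file(const char *path, char *opened, size_t cap) {
    char fixed[260];
    size_t n = sizeof OLD_PREFIX - 1;
    if (strncmp(path, OLD_PREFIX, n) == 0) {
        snprintf(fixed, sizeof fixed, "%s%s", NEW_PREFIX, path + n);
        path = fixed;
    }
    return next_create_file(path, opened, cap);
}

void install_shim(struct iat *t) {
    next_create_file = t->CreateFile;
    t->CreateFile = shim_create_file;
}

/* The unmodified app: it has no idea whether a shim is installed. */
int app_save(struct iat *t, const char *path, char *opened, size_t cap) {
    return t->CreateFile(path, opened, cap);
}

int main(void) {
    struct iat t = { os_create_file };
    char opened[260] = "";
    const char *ini = "C:\\Program Files\\LegacyApp\\settings.ini";
    printf("no shim:   %d\n", app_save(&t, ini, opened, sizeof opened));
    install_shim(&t);
    printf("with shim: %d -> %s\n", app_save(&t, ini, opened, sizeof opened), opened);
    return 0;
}
```

A path the rule does not cover, such as one under C:\Windows, is forwarded unchanged and is refused exactly as it was before the shim was installed.
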

What Are Shims Good For?


Bad Windows version checks


Writing to HKCR at runtime


Unnecessary checks for “am I admin?”


Writing to WRP-protected keys and files

Windows thinks your app is an installer

Some file/registry redirections

When Are Shims Appropriate?


Source code fix not feasible


Vendor support not important



Some considerations…


Not all general purpose shims have the same … “customer love” applied in their creation

The tools are … “primitive”

Shims management not integrated into other management tools (e.g. Group Policy)

You can do a lot with just the Top 10 shims

But becoming a shim ninja takes time and much practice



Only if other options don’t work:

Loosen file or registry permissions

Allow interactive user to start/stop a particular service or driver

Disable an IE security feature (e.g. DEP)

Relax a security policy (e.g., FIPS crypto)

Must be done surgically

Least amount of additional privilege on the smallest number of objects




Benefits:


Results often more predictable than with shims


Drawbacks:


Risk of elevation of privilege


Risk of system instability


Requires threat modeling; hard to do right


Changing Security Settings:

How I’ve seen some do “standard user” on XP…


ACL loosening scripts


Most “required fixes” are now automatic


Installing apps to writable folders


Exposes EoP and infection risks

Granting admin-equivalent rights


(What could possibly go wrong?)


Microsoft Enterprise Desktop Virtualization


Machine virtualization solution


App actually runs on an XP OS


User sees only the app window


Centrally managed


Part of MDOP


Reasonable IE6 app compat story


Seamless redirection of the browser

What Can MED-V Do?


App designed for XP actually runs on XP


Win7 deployment not held hostage by one app that resists all other compat solutions

What it’s good for:

Web apps that require IE6

Running 16-bit apps on x64


Some types of desktop apps


Microsoft Agent


MED-V: The rest of the story

Postpones issues, does not solve them

You must have an explicit exit strategy


XP is already out of mainstream support


XP extended support ends in 2014


Need RAM, CPU to support guest VM


Management requirements


It is a separate computer


Doesn’t inherit host’s AV, patches, policies, domain


VM is hibernated when not running an app


Apps can’t interact with host desktop apps


E.g., app wants to automate Office apps or send email

Windows XP Mode

Here’s how, right?

What is Windows


Windows XP SP3 virtual machine


It’s not really a “mode” within Windows 7


Similar to MED-V, without manageability

License included with certain Win7 SKUs

Designed only for Small Business market

Install apps in the XP VM; shortcuts in the All Users’ Start Menu get copied to the host


Click on shortcut in host Start menu, app appears in a window


…eventually

Windows XP Mode

More of that story

All the drawbacks of MED-V, plus

Does not have MED-V’s IE6 redirection, and


Default XP Mode user is admin


Might conflict with enterprise policies

Resources

TechNet Magazine June 2009

Articles by Chris Jackson and Chris Corio

Tools for identifying issues


General issues: Sysinternals Process Monitor
http://technet.microsoft.com/en-us/sysinternals/bb896645

Admin permissions issues:

LUA Buglight
http://blogs.msdn.com/b/aaron_margosis/archive/2011/03/23/lua-buglight-2-1-1-with-support-for-win7-2008r2-sp1.aspx

Standard User Analyzer (ships with App Compat Toolkit)
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=24da89e9-b581-47b0-b45e-492dd6da2971
requires Application Verifier, downloaded separately:
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=C4A25AB9-649D-4A1B-B4A7-C9D8B095DF18

For web apps:

IE’s built-in developer tools (F12 in IE8 and IE9)

Fiddler
http://www.fiddler2.com

Expression Web SuperPreview

For More Information


The Windows Vista and Windows Server 2008 Developer Story: Application Compatibility Cookbook
http://msdn.microsoft.com/en-us/library/Aa480152

Windows 7 and Windows Server 2008 R2 Application Quality Cookbook (describes changes from Vista to Win7, not from XP to Win7)
http://msdn.microsoft.com/en-us/library/dd371778(VS.85).aspx

The App Compat Guy (Chris Jackson)’s blog:
http://www.appcompatguy.com

My blogs:
http://blogs.msdn.com/b/aaron_margosis and http://blogs.technet.com/b/fdcc

TechEd online presentations by Chris Jackson and me:
http://www.msteched.com

TechDays 2011 On-Demand

Watch this session on-demand via TechNet Edge
http://technet.microsoft.com/fr-be/edge/
http://technet.microsoft.com/nl-be/edge/


Download to your favorite MP3 or video player


Get access to slides and recommended resources by the speakers

THANK YOU