Jeremy Chapman Aaron Margosis Microsoft Session Code: CLI310


Upload: anabel-geraldine-quinn

Post on 24-Dec-2015


Is Virtualisation the Silver Bullet for Compatibility?

What EVERYONE Should Know about Application and Hardware Compatibility

Jeremy Chapman

Aaron Margosis

Microsoft

Session Code: CLI310


How much is this app compat thing going to cost me?

Should I just stay on Windows XP?

Why did you break half of my software?

Why can’t my company afford a chair for me?

Can I just stroke a check and have this problem go away?

Doesn’t App-V just fix it all for me?

All I need to do is run ACT long enough, and it’s fixed, right?

No, seriously, can I have a chair, please?

The MED-V brochure said just virtualize it all and migrate.

The tool brochure said it fixes 90% of the problems.

The Internets said to just turn off UAC.

Listen, I’m not talking about App Compat until I get a chair.


App-V

Beyond Trust

ACT 5.5

Win XP Mode

ACF Partners

MED-V

AppDNA

ChangeBase Shims

Disable UAC

There are no silver bullets.


Why is app-compat hard?

It never used to be this hard!

Backward-compatibility used to trump everything

Shell Folders

p:\\products\public

CON, PRN, NUL

Starting with XP SP2, not anymore

Customers demanded better security

Vista was the first major desktop OS release after TWC memo.


Some things that had to change

Microsoft Agent was too awesome

Made computers too easy to use

More popular than Solitaire and porn

The single biggest app-compat hit, ever


Nobody uses the Agent control!

Do they?


Some things that had to change

Everyone runs as “standard user”

The infamous User Account Control

Even admins run as “standard user”

The single biggest app-compat hit, ever


Every time you disable UAC…

Steve Ballmer kills a kitten

Please, think of the kittens


Some things that had to change

Everyone runs as “standard user”

The infamous User Account Control

Even admins run as “standard user”

The single biggest app-compat hit, ever

No more interactive services

“Session 0 isolation”

Side effects – breaks other IPCs that “always” worked before

IE standards compliance

Internet Explorer Protected Mode

64-bit computing

Windows Resource Protection


Some things that just changed

Windows version number changed

Well, duh!

You’d think that couldn’t cause problems!

Why is Windows 7 internally 6.1?


Check the Windows version!

    // This program requires WinXP or newer.
    // Windows XP is version 5.1
    // This is easy!
    If Not (vMajor >= 5 AND vMinor >= 1) Then
    {
        DisplayMessage("This program requires Windows XP or newer");
        LayDownAndDie;
    }

Win7 as Windows 7.0?

vMajor: 7 >= 5

vMinor: 0 >= 1? Crap!

Vista is Windows 6.0:

vMajor: 6 >= 5

vMinor: 0 >= 1? Oops!

Win7 as Windows 6.1?

vMajor: 6 >= 5

vMinor: 1 >= 1! It works!
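The version-check bug from this slide, as an added example that is not code from the original deck: `slide_check` reproduces the slide's logic and `at_least` is an ordered major/minor comparison. The function names, the struct and the sample table (which adds Windows 2000 as 5.0 and the hypothetical 7.0) are constructed for illustration.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed sample inputs: the versions named on the slide, plus
   Windows 2000 (5.0) and the hypothetical "Windows 7.0". */
struct os_version { const char *name; unsigned vMajor, vMinor; };
static const struct os_version SAMPLES[] = {
    { "Windows 2000", 5, 0 }, { "Windows XP", 5, 1 },
    { "Windows Vista", 6, 0 }, { "Windows 7 (as 6.1)", 6, 1 },
    { "Windows 7 (if it were 7.0)", 7, 0 },
};
#define N_SAMPLES (sizeof SAMPLES / sizeof SAMPLES[0])

/* The slide's logic: major and minor are tested independently, so every
   x.0 release fails no matter how new it is. */
bool slide_check(unsigned vMajor, unsigned vMinor)
{
    return vMajor >= 5 && vMinor >= 1;
}

/* Ordered comparison: minor only matters when the majors are equal. */
bool at_least(unsigned vMajor, unsigned vMinor,
              unsigned reqMajor, unsigned reqMinor)
{
    if (vMajor != reqMajor)
        return vMajor > reqMajor;
    return vMinor >= reqMinor;
}

/* Number of samples that are XP or newer but rejected by slide_check. */
int count_false_rejections(void)
{
    int n = 0;
    for (size_t i = 0; i < N_SAMPLES; i++) {
        const struct os_version *v = &SAMPLES[i];
        if (at_least(v->vMajor, v->vMinor, 5, 1) &&
            !slide_check(v->vMajor, v->vMinor))
            n++;
    }
    return n;
}

int main(void)
{
    for (size_t i = 0; i < N_SAMPLES; i++)
        printf("%-28s slide=%d ordered=%d\n", SAMPLES[i].name,
               slide_check(SAMPLES[i].vMajor, SAMPLES[i].vMinor),
               at_least(SAMPLES[i].vMajor, SAMPLES[i].vMinor, 5, 1));
    return 0;
}
```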


More things that just changed

New folder locations

We moved the profiles – again!

Default color scheme

What happens when a dev assumes that active title bar text will always be a light color and uses it as a background color?

Aero – desktop composition


We break – we fix

UAC’s file and registry “virtualization”

Redirects access attempts from protected areas to non-roaming parts of user profile

Not related to App-V’s “bubble”

This is per-user, not per-application


Virtual overload

It’s the new “.NET”!

Virtual memory

Virtual address space

Virtual communities

NT Virtual DOS Machine (NTVDM)

Java Virtual Machine (JVM)

MS Visual Basic Virtual Machine (MSVBVM)

Virtual processors (hyperthreading)

Virtual reality

Virtual teams

Virtual private network (VPN)

UAC file and registry virtualization

Application virtualization

Machine virtualization (Virtual PC, Virtual Server, Hyper-V)

Virtual Earth

MS Enterprise Desktop Virtualization (MED-V)

Virtual pets

Virtual Desktop Infrastructure (VDI)

virtual keyword (C++, C#)

Virtual directory (IIS)

Virtual device driver (VxD – obsolete!)


We break – we fix

UAC’s file and registry “virtualization”

Redirects access attempts from protected areas to non-roaming parts of user profile

Transparent to the app

Fixes many permissions-related issues

Does not apply to all apps or all file types

New in Win7: Writing to root of C:\ redirects


We break – we fix

Junctions

Some support for old folder names

Can traverse, but cannot list

Can directly access files through old names

Cannot list contents of these junctions


We break – we fix

App-Compat Shim Database

Fixups auto-applied to some known apps

6307 apps in Win7 RTM

Jet database in %windir%\AppPatch, and cached information in registry

Checked whenever a new process starts

Created by Windows team; updated by WU

Does not guarantee that the app works


We break – the user fixes

Compatibility Tab


We break – the user fixes

Program Compatibility Assistant (PCA)

Windows predicts helpful fixes for next run

Displayed after program has been run

Up to user to decide what to do

Please disable in a managed environment


We break – IT admin fixes

Application Compatibility Toolkit 5.5

Doesn’t it fix everything?

I mean, look at the name!

Strengths

Inventory

Vendor data

CompatAdmin (see Custom Shim Databases)

Developer/Tester Tools

Weaknesses

Compatibility evaluators

Application import


We break – IT admin fixes

Application Compatibility Toolkit 5.5

TechNet Magazine

June 2009

Articles by Chris Jackson and Chris Corio


We break – IT admin fixes

Custom App-Compat Shim Database(s)

Same mechanisms as the in-box shims

Build shim DBs with tools in the App Compat Toolkit

Easy to use? Let’s see…


Fixing apps is easy!

video


We break – IT admin fixes

Custom App-Compat Shim Database(s)

Good for some kinds of bugs:

Bad Windows version checks

Writing to HKCR at runtime

Unnecessary checks for “am I admin?”

Writing to WRP-protected keys and files

Windows thinks your app is an installer

Some file/registry redirections


We break – IT admin fixes

Custom App-Compat Shim Database(s)

Drawbacks…

Not all general purpose shims have the same … “customer love” applied in their creation

The tools are … “primitive”

The main file redirection shim is really, really literal (really)

Shims management story could be … “better”


Compatibility Administrator

How to Fix Stuff

Demo


We break – IT admin fixes

Application Virtualization (App-V)

Formerly SoftGrid

Isolates apps from one another

Does not isolate it from the OS

Side effects of current implementation:

Apps can write anywhere in “the registry”

Apps can be allowed to write to specific files in “protected” locations

Apps actually write to private copies

NOTE: May not be true in future versions of App-V


We break – IT admin fixes

Application Virtualization (App-V)

Lots of goodness beyond app-compat

Packaging and Deployment

Licensing

Drawbacks…

Mitigates only limited types of AC problems


Machine Virtualization

Virtual PC

Virtual PC 2007

Windows Virtual PC

Remote App patch

There is a technical title – if you find it let us know


We break – IT admin fixes

MS Enterprise Desktop Virtualization (MED-V)

Uses machine virtualization

App actually runs on XP or other downlevel OS

User sees only the app window

Similar to Windows XP Mode, but with manageability

Intended for larger organizations


We break – IT admin fixes

MS Enterprise Desktop Virtualization (MED-V)

Benefits:

App designed for XP actually runs on XP!

Drawbacks:

Most of the drawbacks of XP Mode (… next)


We break – IT admin fixes

Windows XP Mode

Similar to MED-V, without manageability

License for the Windows XP VM included with certain Win7 SKUs

Install apps in the XP VM; shortcuts in the All Users’ Start Menu get copied to the host

Click on shortcut in host Start menu, app appears in a window

…eventually


We break – IT admin fixes

Windows XP Mode

App designed for XP actually runs on XP

One critical app that absolutely will not work on Win7 doesn’t hold up deployment

What it’s good for:

Web apps that require IE6

Running 16-bit apps on x64

Some types of desktop apps

Microsoft Agent


We break – IT admin fixes

Windows XP Mode

Trade-offs

XP Mode is not for the enterprise!

XP VM needs maintenance (AV, hotfixes, policies, etc)

VM is hibernated when you’re not running an app

Apps can’t interact with apps on the host

E.g., app wants to send email, or interact with window messaging

May not support custom hardware

Much greater hardware requirements

Incl. Hardware Assisted Virtualization.

Default XP Mode user is admin

Might conflict with enterprise policies


Windows XP Mode

Demo


We break – IT admin fixes

Change permissions on system objects

Only if other options don’t work

Loosen file or registry permissions

Allow interactive user to start/stop a particular service or driver

Must be done surgically

Least amount of additional privilege on the smallest number of objects


We break – IT admin fixes

Change permissions on system objects

Benefits:

Results often more predictable than with shims

Drawbacks:

Risk of elevation of privilege

Risk of system instability

Requires threat modeling – hard to do right


We break – IT admin fixes

3rd Party Static Analysis Tools

Primarily ChangeBase and AppDNA

These tools average 90 – 95% at telling you if the app as a whole will work

False “green” the primary accuracy issue

Will not detect every issue

Complementary to ACT

ACT does runtime analysis

ACT does no better than chance at predicting application breakage for the app as a whole


We break – IT admin fixes

Let the app run as admin

Absolute last resort

UAC elevation

Enterprise users should not have this option!

3rd party, BeyondTrust Privilege Manager

Decent solution in some cases

Impossible to prevent elevation of privilege

Not a silver bullet…


App doesn’t work – now what?

What are those geeks doing?

Make sure they don’t debug what they don’t plan to fix (support required)

Layer debugging and remediation

Tier 1: get the repro, run scripted tests of common solutions

Tier 2: leverage tools, configure basic fixes

Tier 3: deep debugging, complex remediation (typically just a few per customer)

Important: efficient handoff between IT Pros and Developers


www.microsoft.com/teched

Sessions On-Demand & Community

http://microsoft.com/technet

Resources for IT Professionals

http://microsoft.com/msdn

Resources for Developers

www.microsoft.com/learning

Microsoft Certification & Training Resources

Resources



© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.