Peter Himschoot, Microsoft Regional Director BeLux, U2U (peter@u2u.net)
Agenda
• Why aren’t applications compatible with Windows?
• Windows 7 compatibility changes
• Compatibility guidelines
• Compatibility diagnostics
• Windows 7 Logo requirements
Why Aren't Applications Compatible?
• Things change between releases: OS version number, structure of internal data types, registry keys, order of events …
• Knowingly breaking changes: User Account Control
• User experience changes: High DPI
Why Not Administrator?
The Administrator account goes down in Windows history:
• Greater attack surface (security)
• Bigger TCO (users break their PCs)
• Less manageable (users change policy)
The Standard User is usually enough!
Slowly Moving…
• Windows XP is generally unusable as Standard User
• Windows Vista SP1 and Windows 7 eliminate privileged operations
What can a standard user do?
• Write files, connect to the network, change display settings, change the time zone, install trusted applications …
What can’t a standard user do?
• Write to sensitive registry locations, install unsigned device drivers, change the time …
Debunking Some Myths
• 88% of users have UAC enabled
• 60-80% don’t see a single UAC prompt within a single session
• 08/07 – 08/08 time period: four times fewer (!) UAC prompts from applications
The Meaning of UAC
Three types of users:
• “True admin” – elevated privileges all the time
• Standard user – no elevated privileges at all
• “UAC admin” – token is filtered at login time and linked to an elevated token
UAC is an intermediate step! Ultimately, all users must run as standard user.
Mandatory Integrity Control (MIC)
• Traditional NT security model revolves around the process token
• Windows Vista/Win7 enhances this with MIC:
  • Each process gets a MIC level
  • All resources get a MIC level (medium is the default)
• There are four levels:
  • 0: Low
  • 1: Medium
  • 2: High
  • 3: System
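The slide lists the levels but not the rule that ties them to access decisions. The following is an added example, not code from the presentation: it models the mandatory "no write up" policy (with the optional no-read-up and no-execute-up bits) over the four levels named above and runs it over a few constructed scenarios. The scenario list, the policy bit values and the function names are this example's own assumptions; Windows keeps the real label in the object's SACL and evaluates it before the DACL.

```python
from enum import IntEnum

# The four integrity levels from the slide, ordered so that comparisons work.
class IntegrityLevel(IntEnum):
    LOW = 0      # e.g. Protected Mode Internet Explorer
    MEDIUM = 1   # default for standard-user processes and for labelled resources
    HIGH = 2     # elevated (administrator) processes
    SYSTEM = 3   # services running as LocalSystem

# Mandatory label policy bits (values chosen for this example, not winnt.h constants).
NO_WRITE_UP = 1     # the default policy on files, registry keys and most objects
NO_READ_UP = 2      # additionally set on e.g. process and thread objects
NO_EXECUTE_UP = 4

ACCESS_TO_POLICY = {"write": NO_WRITE_UP, "read": NO_READ_UP, "execute": NO_EXECUTE_UP}


def mic_allows(process_level, object_level=IntegrityLevel.MEDIUM,
               access="write", policy=NO_WRITE_UP):
    """Return True if the mandatory integrity check permits `access`.

    MIC is evaluated before the object's DACL, so True only means the request
    proceeds to the discretionary check; False means it is denied outright.
    Objects without an explicit label count as MEDIUM (the slide's default).
    """
    if process_level >= object_level:
        return True  # equal or higher integrity: the mandatory policy never blocks
    return not (policy & ACCESS_TO_POLICY[access])


def evaluate_scenarios():
    """Constructed scenarios (illustrative, not captured from a real system)."""
    L, M, H = IntegrityLevel.LOW, IntegrityLevel.MEDIUM, IntegrityLevel.HIGH
    scenarios = [
        ("low-IL browser writes to a medium-IL document",         L, M, "write", NO_WRITE_UP),
        ("low-IL browser reads a medium-IL document",             L, M, "read",  NO_WRITE_UP),
        ("medium-IL app writes to a low-IL temp file",            M, L, "write", NO_WRITE_UP),
        ("medium-IL app opens a high-IL process for read",        M, H, "read",  NO_WRITE_UP | NO_READ_UP),
        ("elevated (high-IL) app writes to a medium-IL document", H, M, "write", NO_WRITE_UP),
    ]
    return [(name, mic_allows(p, o, a, pol)) for name, p, o, a, pol in scenarios]


if __name__ == "__main__":
    for name, allowed in evaluate_scenarios():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {name}")
```

The second scenario is the one developers most often get wrong: a low-integrity process may still read a medium-integrity file, because the default label only forbids writing up. Anything an elevated helper stores for a low-integrity client therefore needs a DACL of its own, not just the integrity label.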
MIC and Securable Objects
Types of Elevation
Over-The-Shoulder elevation:
Full admin elevation:
Types of Elevation
A part of Windows:
Other (verified) publisher:
Types of Elevation
Unverified publisher:
Fine-Grained Control Over UAC
• Windows Vista UAC can be on or off
  • Greater control through the Registry
• Windows 7 introduces granular prompt levels
You Don’t Want Privilege
Avoid elevated operations!
• Annoying prompts
• Costs you all standard-user customers
• Vulnerabilities are escalated
• Attackers target your products
Removing Unnecessary Elevation

| Administrator Only | Standard User Compliant |
|---|---|
| Writing to HKLM | Writing to HKCU |
| Writing to C:\, Program Files, C:\Windows, C:\Temp | Writing to user local AppData, temporary path or documents folder |
| Always ask for GENERIC_ALL access mask | Ask for minimum required privileges |
| Refuse to launch if not elevated | Disable parts of functionality |
Designing for UAC: Removing Privileges
• Best case: your application runs 100% fine as standard user
• Remove operations that require unnecessary privileges
  • Does your application need to write to C:\?
  • Does your application need to store its settings in HKLM?
• Do elevated work at install-time
• Install for the requesting user
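The "Administrator Only" versus "Standard User Compliant" table and the two questions above are easiest to apply as a checklist over what the application actually writes. The block below is an added example, not part of the presentation or of any Microsoft tool: it classifies each write target (file path or registry key) using the locations the table names and flags access masks that ask for more than the operation needs. The access-mask values are the real winnt.h constants; the path lists, the `audit` function and the sample operations are this example's own constructions.

```python
from pathlib import PureWindowsPath

# Access-mask constants from winnt.h.
GENERIC_READ = 0x80000000
GENERIC_WRITE = 0x40000000
GENERIC_ALL = 0x10000000
WRITE_DAC = 0x00040000
WRITE_OWNER = 0x00080000
KEY_READ = 0x20019
KEY_WRITE = 0x20006
KEY_ALL_ACCESS = 0xF003F

# Write locations taken from the slide's table; matching is case-insensitive.
ADMIN_ONLY_PATHS = [r"C:\Program Files", r"C:\Program Files (x86)", r"C:\Windows", r"C:\Temp"]
ADMIN_ONLY_KEYS = {"HKLM", "HKEY_LOCAL_MACHINE"}
USER_PATHS = [r"%LOCALAPPDATA%", r"%APPDATA%", r"%TEMP%", r"%USERPROFILE%", r"C:\Users"]
USER_KEYS = {"HKCU", "HKEY_CURRENT_USER"}


def _parts(path):
    """Lower-cased path components, with the drive's trailing backslash removed."""
    return [p.lower().rstrip("\\") for p in PureWindowsPath(path).parts]


def _starts_with(path, prefix):
    pre = _parts(prefix)
    return _parts(path)[: len(pre)] == pre


def classify_write_target(target):
    """Classify a file path or registry key the application writes to."""
    t = target.strip()
    hive = t.split("\\", 1)[0].upper()
    if hive in ADMIN_ONLY_KEYS:
        return "admin-only"
    if hive in USER_KEYS:
        return "standard-user"
    if any(_starts_with(t, p) for p in ADMIN_ONLY_PATHS):
        return "admin-only"
    parts = _parts(t)
    if len(parts) == 2 and parts[0] == "c:":
        return "admin-only"  # a file directly in the root of the system drive
    if any(_starts_with(t, p) for p in USER_PATHS):
        return "standard-user"
    return "unknown"


def needs_least_privilege(mask):
    """True if the mask asks for rights a standard user is not granted on shared resources."""
    return bool(mask & GENERIC_ALL) or bool(mask & (WRITE_DAC | WRITE_OWNER))


def audit(operations):
    """operations: iterable of (target, access_mask). Returns one finding per operation."""
    findings = []
    for target, mask in operations:
        where = classify_write_target(target)
        notes = []
        if where == "admin-only":
            notes.append("move to a per-user location or do this at install time")
        if needs_least_privilege(mask):
            notes.append("request only the rights you use (e.g. GENERIC_WRITE / KEY_WRITE)")
        findings.append({"target": target, "location": where, "mask": hex(mask), "notes": notes})
    return findings


# Constructed sample of an application's run-time writes (not taken from a real product).
SAMPLE_OPERATIONS = [
    (r"HKLM\SOFTWARE\Contoso\Settings", KEY_ALL_ACCESS),
    (r"C:\Program Files\Contoso\prefs.ini", GENERIC_ALL),
    (r"HKCU\Software\Contoso\Settings", KEY_WRITE),
    (r"%LOCALAPPDATA%\Contoso\prefs.ini", GENERIC_WRITE),
    (r"C:\contoso.log", GENERIC_WRITE),
]

if __name__ == "__main__":
    for f in audit(SAMPLE_OPERATIONS):
        print(f"{f['location']:14} {f['mask']:12} {f['target']}  {'; '.join(f['notes'])}")
```

Feeding this the output of a tool such as Process Monitor or the Standard User Analyzer (both mentioned later in the deck) turns the table into a concrete work list: every "admin-only" row is a candidate for the per-user equivalent in the right-hand column, and every flagged mask is a place where the request itself, not the location, causes the access-denied error for standard users.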
Designing for UAC: Refactoring Elevation
• Factor the operation into a separate process (or out-of-process COM object)
• Identify the operation with a Shield icon
Designing for UAC: Refactoring Elevation
• Ensure that the low-privilege application can’t be externally abused
  • E.g. malware presses buttons and causes high-privilege operations in an elevated process
  • Have the high-privilege process present the user interaction
• Factor out to a service or task
  • Secure the communications channel (don’t talk to strangers)
Designing for UAC: Admin-Only Applications
• Administrator-only applications should prompt for elevation when launched
  • Fail gracefully, allow for OTS elevation
  • Add a manifest to your application requesting elevated privileges
• Ask for privilege once
  • E.g. Vista Windows Explorer made this mistake with file operations
UAC Application Manifest

```xml
<?xml version="1.0" encoding="utf-8" ?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="AppName" type="win32" />
  <description>App Description</description>
  <!-- trustInfo lives in the asm.v3 namespace; the namespace URI must match exactly or the element is ignored -->
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <!-- level: asInvoker | highestAvailable | requireAdministrator -->
        <requestedExecutionLevel level="asInvoker" />
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>
```

requestedExecutionLevel values:
• requireAdministrator
• highestAvailable
• asInvoker
Embedding the Manifest
• Visual Studio 2008 can embed it for you
  • C++ projects have a special UAC combo box
  • C# or VB.NET projects need to edit the XML file manually
• Use an embedding tool such as mt.exe
• Use the UAC Helpers library (CodePlex)
• Use the Windows Vista Bridge
Launching an Elevated Process
• You can’t elevate a running process
• Preferably use manifests to request elevation
• In other scenarios, the ShellExecute “runas” verb forces an elevation request
  • Even if there is a manifest that says “asInvoker”
• For COM out-of-process objects, use CoCreateAsAdmin
Launching an Elevated Process: Managed Code

```csharp
using System.Diagnostics;

// Launch Notepad elevated via the ShellExecute "runas" verb; this raises a UAC prompt.
Process proc = new Process();
proc.StartInfo = new ProcessStartInfo();
proc.StartInfo.UseShellExecute = true;   // verbs are only honoured through ShellExecute
proc.StartInfo.Verb = "runas";
proc.StartInfo.FileName = @"C:\Windows\Notepad.exe";
proc.Start();                            // throws Win32Exception if the user cancels the prompt
```
Detecting Elevation
UAC Helpers library methods:
• UacHelpers.IsCurrentProcessElevated
• UacHelpers.IsUacEnabled
• UacHelpers.IsUserAdmin
UAC Virtualization
• For compatibility purposes, some privileged operations are redirected to:
  • %UserProfile%\AppData\Local\VirtualStore
  • HKCU\Software\Classes\VirtualStore
• (Some) installers are auto-detected
• Applications with a manifest do not get virtualization
• 64-bit applications do not get virtualization
• Generally, don’t rely on it! It can break in so many ways
Windows 7 Breaking Changes: DPI
• DPI (Dots Per Inch) settings are per-user and require logoff/logon (not a reboot)
• A Windows 7 clean install heuristically chooses the proper DPI
  • The user doesn’t have to opt in to high DPI
• Declare applications to be DPI-aware
  • Use the manifest (preferred)
  • SetProcessDPIAware
High DPI Issues
• Clipped text
• Layout issues and image size issues
• Pixelated bitmaps
• Blurry UI
• Mismatched font sizes
Windows Compatibility
• Windows makes every effort!
  • Thousands of applications have “compatibility shims” applied by the system
  • Even more applications are thoroughly tested
• Windows 7 (32-bit) can still run 16-bit MS-DOS programs, almost 25 years later!
• Most applications work just fine on new Windows versions; some don’t
The Version Check
• Do NOT check the version of Windows and refuse to run (Windows 7 Logo requirement)
• Check for features, not versions
  • Support backward: disable features
  • Support forward: check for version ≥ the minimum you require
Windows 7 Breaking Changes: Mail and Internet Explorer
• Windows Mail is deprecated
  • Including APIs to launch Outlook Express, etc.
  • Replaced by Windows Live Mail
• Internet Explorer 8 out-of-the-box
  • Compatibility with standards, incompatibility with websites
  • IE7 emulation mode (Compatibility View)
  • Intranet sites in compatibility mode by default
  • Pages/servers can detect IE8 and request compatibility mode or render standard content
64-Bit Windows
• Applications on 64-bit Windows have to be extra careful
• 32-bit applications run in a virtualized environment (WOW64)
  • File system redirection, registry redirection
  • Registry reflection (COM server nodes)
  • Two versions of the registry
  • Two versions of Program Files
  • Two versions of System32 (SysWOW64)
Windows 7 Breaking Changes: Libraries
• A library can be selected instead of a folder, e.g. in common file dialogs
• Ask the library for its default save location
• Ask the common file dialog to provide only file-system locations
  • Less user-friendly: the user has to navigate to a specific folder instead of a library
  • Due to the internal structure of Libraries, users may NOT KNOW the specific folder
General Compatibility Guidelines
Compatible:
• Configuration APIs
• GetKnownFolder(…)
• Consider future error codes
• Target 32-bit and 64-bit
Might be a hack:
• Change registry values
• Hard-code system paths
• AppInit_DLLs
• Patch OS binaries
• Repackage redistributables
Let The System Know!
Tell Windows which OS version your application was designed for:

```xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1">
    <application>
      <!-- placeholder Ids as shown on the slide; each supportedOS Id names one Windows version -->
      <supportedOS Id="{77777777-7777-7777-7777-777777777777}"/>
      <supportedOS Id="{66666666-6666-6666-6666-666666666666}"/>
    </application>
  </compatibility>
</assembly>
```
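The three manifest fragments in this deck (requestedExecutionLevel, supportedOS and the DPI-aware declaration) all end up in the same embedded XML, and a wrong namespace URI silently disables the element. The following is an added example, not code from the presentation or from Microsoft: a small linter that parses a manifest and reports the UAC execution level, the supportedOS list and the DPI declaration, with a finding for each setting that is missing or that changes behaviour for standard users. The sample manifest is constructed here; its supportedOS Ids are the slide's placeholders, not real Windows version GUIDs. The `lint_manifest` function and the wording of the findings are this example's own.

```python
import xml.etree.ElementTree as ET

# Namespaces used in Windows application manifests.
NS_ASM_V1 = "urn:schemas-microsoft-com:asm.v1"
NS_ASM_V3 = "urn:schemas-microsoft-com:asm.v3"
NS_COMPAT = "urn:schemas-microsoft-com:compatibility.v1"
NS_WINSETTINGS = "http://schemas.microsoft.com/SMI/2005/WindowsSettings"

VALID_LEVELS = {"asInvoker", "highestAvailable", "requireAdministrator"}


def lint_manifest(xml_text):
    """Parse a manifest and report the settings that matter for UAC, compatibility and DPI."""
    root = ET.fromstring(xml_text)
    report = {"execution_level": None, "ui_access": False,
              "supported_os": [], "dpi_aware": None, "findings": []}
    if root.tag != f"{{{NS_ASM_V1}}}assembly":
        report["findings"].append("root element is not <assembly> in the asm.v1 namespace")
        return report

    # UAC: the element only counts if it sits in the asm.v3 namespace.
    rel = root.find(f".//{{{NS_ASM_V3}}}requestedExecutionLevel")
    if rel is None:
        report["findings"].append(
            "no requestedExecutionLevel: the process stays eligible for UAC file/registry virtualization")
    else:
        level = rel.get("level")
        report["execution_level"] = level
        report["ui_access"] = (rel.get("uiAccess") or "false").lower() == "true"
        if level not in VALID_LEVELS:
            report["findings"].append(f"unknown requestedExecutionLevel {level!r}")
        elif level == "requireAdministrator":
            report["findings"].append(
                "requireAdministrator: every launch prompts; standard users need OTS elevation")
        elif level == "highestAvailable":
            report["findings"].append(
                "highestAvailable: behaviour differs between UAC admins and standard users")
        if report["ui_access"]:
            report["findings"].append(
                "uiAccess=true: binary must be Authenticode-signed and installed under a protected path")

    # Compatibility section: without it Windows 7 applies Windows Vista behaviour.
    report["supported_os"] = [el.get("Id") for el in root.iterfind(f".//{{{NS_COMPAT}}}supportedOS")]
    if not report["supported_os"]:
        report["findings"].append(
            "no <compatibility> section: Windows 7 treats the application as designed for Windows Vista")

    # DPI: anything other than a "true" declaration gets DPI virtualization (bitmap scaling).
    dpi = root.find(f".//{{{NS_WINSETTINGS}}}dpiAware")
    if dpi is not None:
        report["dpi_aware"] = (dpi.text or "").strip().lower()
    if not (report["dpi_aware"] or "").startswith("true"):
        report["findings"].append(
            "not declared DPI-aware: Windows scales the UI at high DPI, which renders it blurry")
    return report


# Constructed manifest combining the slide's UAC and compatibility examples with a DPI declaration.
SAMPLE_MANIFEST = """<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="AppName" type="win32"/>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security><requestedPrivileges>
      <requestedExecutionLevel level="asInvoker" uiAccess="false"/>
    </requestedPrivileges></security>
  </trustInfo>
  <compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1">
    <application>
      <supportedOS Id="{77777777-7777-7777-7777-777777777777}"/>
      <supportedOS Id="{66666666-6666-6666-6666-666666666666}"/>
    </application>
  </compatibility>
  <application xmlns="urn:schemas-microsoft-com:asm.v3">
    <windowsSettings>
      <dpiAware xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">true</dpiAware>
    </windowsSettings>
  </application>
</assembly>"""

# The same manifest with trustInfo, compatibility and DPI sections removed: a typical legacy build.
LEGACY_MANIFEST = """<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="AppName" type="win32"/>
</assembly>"""

if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_MANIFEST), ("legacy", LEGACY_MANIFEST)):
        r = lint_manifest(text)
        print(name, r["execution_level"], r["supported_os"], r["dpi_aware"])
        for f in r["findings"]:
            print("  -", f)
```

Run it against the manifest extracted from a built binary (mt.exe can dump it) rather than against the source file, since the embedded copy is what Windows reads; a build step that forgets to embed the manifest produces exactly the "legacy" report above.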
Compatibility Diagnostics
• Application Compatibility Toolkit: an extensive set of tools for diagnosing and fixing compatibility problems
  • Includes management of organization-wide compatibility fixes
  • Includes Standard User Analyzer, Internet Explorer Compatibility Test Tool and many others
Administering Compatibility
Examples of Shims
Shims = compatibility fixes:
• Redirect registry access
• Redirect file system access
• OS version lie
• Legacy graphics mode emulation
• …hundreds of others!
ACT generates an SDB file; install it on the end-user’s machine using sdbinst (part of Windows)
End-User Solutions
Shortcut “Compatibility” tab
Compatibility troubleshooter
Reproducing Problems
Problem Steps Recorder can be an invaluable tool
Windows 7 Logo Requirements: Word of Advice
• If you’re compliant with the Windows Vista logo, you’re ready for Windows 7
• Even if you’re not planning to apply, the Logo requirements make sense
  • Logo requirements mean a better application!
  • Reduce helpdesk and support costs
  • Happier users
  • IT: easier install and management
  • End users: better experiences
Windows 7 Logo Requirements: General Requirements
• Provide Microsoft with a copy of the software for testing purposes
• Agree to a 30-90 day resolution policy for issues with Logo’d products
• Opt in to receive communications from Microsoft regarding the Logo’d products
Windows 7 Logo Requirements: General Requirements
• Do not distribute malware or spyware
• Do not modify WRP protected resources
• Register for the WinQual portal
• Install and uninstall cleanly
• Install to the correct folders
• Support Windows x64
• Follow UAC guidelines
• Do not load drivers and services in Safe Mode
Windows 7 Logo Requirements: General Requirements
• Digitally sign files with Authenticode
• Do not check the OS version
• Prevent unnecessary reboots
• Support multi-user sessions
• Pass Application Verifier tests
Application Compatibility
…everything you were afraid to ask
Q&A
Summary
• Why aren’t applications compatible with Windows?
• Windows 7 compatibility changes
• Compatibility guidelines
• Compatibility diagnostics
• Windows 7 Logo requirements
© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.