Windows 7 Application Compatibility

How to Design Windows 7 Compatible Application (User Account Control), Windows 7 Application Compatibility Webcast Series
Presenter: Michal Morciniec, Partner Support, Microsoft, [email protected]

Posted 05-Dec-2014 by micham, 59 slides, category: Technology

DESCRIPTION

This presentation discusses the most common application compatibility issues in Windows 7 that applications designed for Windows XP may experience. It explains the new features of the OS, such as UAC, file and registry virtualization, WRP, Session 0 isolation and Mandatory Integrity Levels, that compatible applications have to be aware of in order to run well on Windows 7.

TRANSCRIPT

Page 1: Windows 7 Application Compatibility

Monday, April 10, 2023 1Microsoft Confidential

How to Design Windows 7 Compatible Application (User Account Control)
Windows 7 Application Compatibility Webcast Series

Presenter: Michal Morciniec, Partner Support, Microsoft

[email protected]

Page 2: Windows 7 Application Compatibility

Agenda

Windows Application Compatibility Roadmap

Top Compatibility Issues XP to Win 7

Resources for Partners

Page 3: Windows 7 Application Compatibility

Application Compatibility Stages

• Design: knowledge of possible issues

• Test: run the application in the new OS; use test tools

• Fixing: code changes, compatibility patching (shimming), Windows XP Mode in W7

• Certification: obtain the Windows 7 Logo

• Publishing: publish your app in the Windows 7 Catalogue

Page 4: Windows 7 Application Compatibility

Windows 7 Builds on Windows Vista: Deployment, Testing and Pilots Today Will Continue to Pay Off

Windows Vista, deep changes: new models for security, drivers, deployment and networking

Windows 7, few changes: focus on quality and reliability improvements
– Most software that runs on Windows Vista will run on Windows 7; exceptions will be low-level code (AV, firewall, imaging, etc.)
– Hardware that runs Windows Vista well will run Windows 7 well

Page 5: Windows 7 Application Compatibility

Top Application Compatibility Issues

• Moving from XP to Win 7
• User Account Control
• Windows Services Isolation
• Version checking

Page 6: Windows 7 Application Compatibility


OS Version Change

Page 7: Windows 7 Application Compatibility

Windows OS Version Numbers

Operating System                  Version Number   Release Date
Windows 1.0                       1.04             1985
Windows 2.0                       2.11             1987
Windows 3.0                       3.00             1990
Windows NT 3.1                    3.10.528         1993
Windows for Workgroups 3.11       3.11             1993
Windows NT Workstation 3.5        3.5.807          1994
Windows NT Workstation 3.51       3.51.1057        1995
Windows 95                        4.0.950          1995
Windows NT Workstation 4.0        4.0.1381         1996
Windows 98                        4.1.1998         1998
Windows 98 Second Edition         4.1.2222         1999
Windows Me                        4.90.3000        2000
Windows 2000 Professional         5.0.2195         2000
Windows XP                        5.1.2600         2001
Windows Vista                     6.0.6000         2006
Windows 7                         6.1.????         ????

Page 8: Windows 7 Application Compatibility

Why Version 6.1?

Some applications only check dwMajorVersion.

Some applications tried to do the right thing, but implemented it INCORRECTLY:
    if (majorVersion >= 5 && minorVersion >= 1)

OS Version           Major >= 5   Minor >= 1   Result   Desired?
Windows 2000 (5.0)   T            F            F        Yes
Windows XP (5.1)     T            T            T        Yes
Windows Vista (6.0)  T            F            F        NO
Windows 7 (6.1)      T            T            T        Yes
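The two checks side by side, as an added example written for this page (not code from the deck): the slide's faulty comparison and a correct "at least" comparison, run over the four versions in the table. A real application would obtain the numbers from GetVersionEx or, better, let VerifyVersionInfo with VER_GREATER_EQUAL do the comparison; here major and minor are plain arguments so the logic runs anywhere.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Version numbers from the table above (major.minor only). */
struct os_version { const char *name; unsigned major; unsigned minor; };

/* The incorrect check from the slide: major and minor are compared
 * independently, so Vista (6.0) fails although it is newer than XP (5.1). */
bool broken_is_xp_or_later(unsigned major, unsigned minor)
{
    return major >= 5 && minor >= 1;
}

/* Correct "at least" comparison: minor only matters when major ties. */
bool version_at_least(unsigned major, unsigned minor,
                      unsigned req_major, unsigned req_minor)
{
    return major > req_major || (major == req_major && minor >= req_minor);
}

/* "Windows XP or later" as the best-practice slide recommends: >= 5.1. */
bool is_xp_or_later(unsigned major, unsigned minor)
{
    return version_at_least(major, minor, 5, 1);
}

int main(void)
{
    static const struct os_version table[] = {
        { "Windows 2000",  5, 0 },
        { "Windows XP",    5, 1 },
        { "Windows Vista", 6, 0 },
        { "Windows 7",     6, 1 },
    };
    printf("%-14s %-7s %-8s %s\n", "OS", "broken", "correct", "desired");
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++) {
        bool want = is_xp_or_later(table[i].major, table[i].minor);
        printf("%-14s %-7s %-8s %s\n", table[i].name,
               broken_is_xp_or_later(table[i].major, table[i].minor) ? "T" : "F",
               want ? "T" : "F", want ? "Yes" : "No");
    }
    return 0;
}
```

The "broken" column reproduces the slide's table (F for Vista); the "correct" column is what the application actually wanted. The same mistake returns in any later version pair whose minor number drops, which is why a feature check is preferable to any version arithmetic.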

Page 9: Windows 7 Application Compatibility

Version Checking Best Practices

Do not perform version checks for equality
– If you need a feature, check for the feature
– Check for Windows XP or later (>= 5.1), comparing major first and minor only when major is equal (VerifyVersionInfo with VER_GREATER_EQUAL does this for you)
– Exceptions occur when there is a business or legal reason to do a version check, e.g. a regulatory body requires you to certify your application for each operating system and version
– Check the Windows 7 Training Kit for Developers for sample code

Page 10: Windows 7 Application Compatibility


Moving from XP to Windows 7UAC

Page 11: Windows 7 Application Compatibility


User Account Types

Built-in (local machine) Administrator
– Disabled by default
– Runs with "Full token"

Protected Administrator
– User in the Administrators group
– Runs with "Split token"

Standard User or Limited User Account
– None of the above
– Does not have administrator privileges

Page 12: Windows 7 Application Compatibility

User Account Control – Why?

• Applications run as Standard User by default
• What can a Standard User do?

Not allowed:
• Install applications
• Change system components
• Change per-machine settings
• Admin "privileges"

Allowed:
• Run most applications
• Change per-user settings

Page 13: Windows 7 Application Compatibility

UAC Architecture

[Diagram: user Abby logs on and receives two tokens, an Admin Token and a filtered "Standard User" Token. An App started with the Admin Token passes the Admin Token to its Child App; an App started with the Standard User Token passes the Standard User Token to its Child App.]

Page 14: Windows 7 Application Compatibility

The Split Token

• Run with fewer rights most of the time
• Conveniently elevate when you need rights
• Applies to interactive logons only

Page 15: Windows 7 Application Compatibility

UAC Split Tokens

demo

Page 16: Windows 7 Application Compatibility

Consent UI

[Screenshots: the consent dialog variants shown for an OS application, an unsigned application and a signed application.]

Page 17: Windows 7 Application Compatibility

Credential UI (Over The Shoulder)

Page 18: Windows 7 Application Compatibility


Windows 7 UAC Control Settings

New settings:
– Top setting: Vista behaviour (always notify)
– 2nd: does not prompt for Windows binaries
– 3rd: as 2nd, plus prompts on the user desktop instead of the secure desktop
– 4th: UAC disabled

Page 19: Windows 7 Application Compatibility


Windows 7 UAC and Auto-Elevation

Middle settings use auto-elevation for binaries that are:
– Signed with the Windows publisher certificate
– In a "secure" location:
  • %SystemRoot%\System32
  • Some %ProgramFiles% subdirectories (Windows Defender, Windows Journal)
– Marked autoElevate in their manifest, or on a hard-coded list (Pkgmgr.exe, Migwiz.exe)

Check a binary's embedded manifest (including the autoElevate element) with: sigcheck -m <file>

Because auto-elevation never shows a prompt, the two middle settings trade prompts for assurance; Microsoft does not describe UAC as a security boundary, and an application must not rely on it as one.

Page 20: Windows 7 Application Compatibility


UAC and Security Policy (W7 and Vista)

As in Vista, certain UAC behaviour can be controlled through Security Policy:
– Prompt behaviour for Admins / Standard Users
– Installer detection heuristics
– Switching to the secure desktop when prompting
– File and registry virtualization

Ex.: disable the OTS dialog for Standard Users (Automatically deny elevation requests)

Page 21: Windows 7 Application Compatibility


Moving from XP to Windows 7UAC

UI Goals: Shield

Page 22: Windows 7 Application Compatibility

UI Goals: Simple & Predictable

1. Make the application Standard-user only
2. Clearly identify administrative tasks
– Ensure Standard users can be fully productive
– Identify tasks that need elevation with a "shield"

Page 23: Windows 7 Application Compatibility

UI: The Shield

• Attached to controls to indicate that elevation is required to use their associated feature
• Has only one state (i.e. no hover, disabled, etc.)
• Does not remember elevated state
• Not an unlock operation
• Can be set programmatically:
  • IDI_SHIELD icon resource
  • BCM_SETSHIELD button message

See: Enabling UAC Elevation in .NET applications (elevating a process, displaying the shield, etc.)

Page 24: Windows 7 Application Compatibility

UI Shield Example Use

Page 25: Windows 7 Application Compatibility


Moving from XP to Windows 7UAC

UI Goals: Shield, MIC

Page 26: Windows 7 Application Compatibility

Mandatory Integrity Control (MIC)

• The traditional NT security model revolves around the process token

• Windows Vista/Win 7 enhances this with MIC:
  • Each process gets a MIC level
  • All resources get a MIC level (Medium is the default)

• There are four levels:
  • 0: Low (IE with Protected Mode on)
  • 1: Medium (Standard User)
  • 2: High (Elevated User)
  • 3: System (System Services)
  (in the token and in security descriptors these appear as the mandatory-label SIDs S-1-16-4096, S-1-16-8192, S-1-16-12288 and S-1-16-16384 respectively)

Page 27: Windows 7 Application Compatibility

MIC and Resources

• MIC levels apply to:
  • Processes
  • Objects: COM components, services, files, registry keys

• View the MIC level on files and other resources using AccessChk (Sysinternals tool; the verbose output, accesschk -v, includes the integrity level). icacls <path> prints an explicit label as a "Mandatory Label" entry, and whoami /groups shows the level of the current process.

• IE is currently the only application that has a MIC level of Low

• All IE resources need Low as well

Page 28: Windows 7 Application Compatibility

MIC, Simplified

Objects can have an integrity label
– Stored in the Security Descriptor (in the SACL, as a SYSTEM_MANDATORY_LABEL_ACE)

Processes run at an integrity level (IL)
– Stored in the Access Token

A process cannot access an object if its IL is lower than the object's label (for the access kinds the label's policy blocks)
– Part of the access check

Page 29: Windows 7 Application Compatibility

Integrity Labels -Policies

Every securable object has one; it includes a Level and a Policy. Policies can include:
– No-Write-Up: lower IL can't write to the object
– No-Read-Up: lower IL can't read the object
– No-Execute-Up: lower IL can't execute the object

No label = Medium + No-Write-Up

Processes are No-Write-Up + No-Read-Up

Page 30: Windows 7 Application Compatibility

MIC And Access Checks

Process IL + access requested are matched against the object label:
– If Process IL >= object's label, go on to the DACL check
– If Process IL < object's label, access is denied when

  object policy includes…   and access requested includes…
  No-Write-Up               Write
  No-Read-Up                Read
  No-Execute-Up             Execute

Page 31: Windows 7 Application Compatibility

Access Check Example – With MIC

"Who am I" – identity + trust level

[Diagram: Internet Explorer [LOW IL] and MS Money [Medium IL] each request Read + Write (R+W) on Toby's Startup Folder, labelled Medium (NW). The Low IL request is refused by the No-Write-Up policy before the DACL is consulted; the Medium IL request proceeds to the DACL check.]
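The mandatory check from the last three slides as runnable code, added for this page and not part of the deck. It models the four levels, the three policies, the "no label = Medium + No-Write-Up" default and the rule that only a lower-IL process is subject to the policy, then replays the Internet Explorer / MS Money requests against Toby's startup folder. Real access rights are ACCESS_MASK bits and the label lives in the SACL; the enums here are a simplification.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Integrity levels, ordered as the slides list them. In the token they are
 * mandatory-label SIDs S-1-16-4096 (Low) up to S-1-16-16384 (System). */
enum il { IL_LOW = 0, IL_MEDIUM = 1, IL_HIGH = 2, IL_SYSTEM = 3 };

/* Requested access as a bitmask (simplified ACCESS_MASK). */
enum { ACCESS_READ = 1, ACCESS_WRITE = 2, ACCESS_EXECUTE = 4 };

/* Mandatory policy flags carried in the object's integrity label. */
enum { NO_WRITE_UP = 1, NO_READ_UP = 2, NO_EXECUTE_UP = 4 };

struct object_label {
    bool has_label;   /* false: no explicit label on the object */
    enum il level;
    unsigned policy;
};

enum mic_result { MIC_DENIED = 0, MIC_CONTINUE_TO_DACL = 1 };

/* The integrity check that runs before the DACL check. */
enum mic_result mic_check(enum il process_il, struct object_label obj,
                          unsigned requested)
{
    /* No label = Medium + No-Write-Up (slide "Integrity Labels - Policies"). */
    enum il label = obj.has_label ? obj.level : IL_MEDIUM;
    unsigned policy = obj.has_label ? obj.policy : NO_WRITE_UP;

    if (process_il >= label)
        return MIC_CONTINUE_TO_DACL;          /* not lower: the DACL decides */

    /* Lower IL: deny if the policy blocks any requested access kind. */
    if ((policy & NO_WRITE_UP)   && (requested & ACCESS_WRITE))   return MIC_DENIED;
    if ((policy & NO_READ_UP)    && (requested & ACCESS_READ))    return MIC_DENIED;
    if ((policy & NO_EXECUTE_UP) && (requested & ACCESS_EXECUTE)) return MIC_DENIED;
    return MIC_CONTINUE_TO_DACL;
}

/* A process object is always labelled No-Write-Up + No-Read-Up. */
struct object_label process_label(enum il level)
{
    struct object_label l = { true, level, NO_WRITE_UP | NO_READ_UP };
    return l;
}

int main(void)
{
    /* Toby's Startup Folder: Medium (NW), i.e. the default (no explicit) label. */
    struct object_label startup = { false, IL_MEDIUM, 0 };
    struct { const char *who; enum il level; unsigned access; } req[] = {
        { "Internet Explorer [LOW IL]", IL_LOW,    ACCESS_READ | ACCESS_WRITE },
        { "MS Money [Medium IL]",       IL_MEDIUM, ACCESS_READ | ACCESS_WRITE },
        { "Internet Explorer [LOW IL]", IL_LOW,    ACCESS_READ },
    };
    for (size_t i = 0; i < sizeof req / sizeof req[0]; i++)
        printf("%-28s R%s on startup folder: %s\n", req[i].who,
               (req[i].access & ACCESS_WRITE) ? "+W" : "",
               mic_check(req[i].level, startup, req[i].access) == MIC_DENIED
                   ? "denied by MIC" : "passed to DACL check");
    /* A Medium process opening a High (elevated) process for read: No-Read-Up. */
    printf("Medium reading High process: %s\n",
           mic_check(IL_MEDIUM, process_label(IL_HIGH), ACCESS_READ) == MIC_DENIED
               ? "denied by MIC" : "passed to DACL check");
    return 0;
}
```

Note the third request: Low-IL IE may still read the Medium folder, because the default policy is only No-Write-Up. That read path is what lets Protected Mode IE display user files, and it is why data an application wants to keep from low-integrity code needs an explicit No-Read-Up label, not just the default.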

Page 32: Windows 7 Application Compatibility

User Interface Privilege Isolation (UIPI)

UIPI: a lower-MIC process CANNOT
– Perform window handle validation on a window created by a higher-privileged process
– Call SendMessage or PostMessage to windows created by a higher-privileged process
– Use thread hooks to attach to a higher-privileged process
– Use journal hooks (SetWindowsHookEx) to monitor a higher-privileged process
– Perform DLL injection into a higher-privileged process

To allow a Windows message to pass up between MIC levels, the higher-privileged receiver calls
ChangeWindowMessageFilter(message, MSGFLT_ADD);
(process-wide; Windows 7 adds ChangeWindowMessageFilterEx for a per-window filter)

OR mark uiAccess="true" in the manifest (see osk.exe for an example); this additionally requires the executable to be signed and installed in a secure location such as %ProgramFiles% or %SystemRoot%\System32

Every message let through the filter can be sent by low-integrity code, so only allow messages whose handlers validate their parameters.

Check the Windows 7 Training Kit for Developers for sample code

Page 33: Windows 7 Application Compatibility

Mandatory Integrity Control

demo

Page 34: Windows 7 Application Compatibility


Moving from XP to Windows 7UAC

UI Goals: Shield, MIC, Virtualization

Page 35: Windows 7 Application Compatibility

Virtualization

• Intended for existing legacy applications and may be removed in a future OS version
• Applies to 32-bit legacy interactive applications that write to administrator locations:
  • HKLM\Software
  • %SystemDrive%\Program Files
  • %WinDir%\System32
• Redirected to:
  • HKCU\Software\Classes\VirtualStore
  • %LocalAppData%\VirtualStore\
• Redirection removes the need for elevation
  • Writes to HKLM go to the redirected HKCU store
  • Writes to system directories are redirected to the per-user store
  • Reads check the per-user store first and fall back to the real location, so an application can keep seeing its own stale copy after an administrator updates the original
• Different from the registry key redirection for 32-bit applications on x64 under WOW64…

Page 36: Windows 7 Application Compatibility


Virtualization - Details

Registry Key Virtualization – does not work if:
• Process is 64-bit
• Process is impersonating a user
• Process specifies requestedExecutionLevel in its manifest
• Process is non-interactive (e.g. a Windows Service)

File Virtualization – does not work if (the process conditions above apply here too):
• File is of an executable type – examples:
  – .aspx, .bin, .cmd, .exe, .hlp, .msi, .ocx, .sys, .tlb, .wsh

Whether virtualization is on for a running process is shown in Task Manager's "UAC Virtualization" column (Process Explorer: "Virtualized").
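A model of the redirection rules from the two slides above, written for this page (it is not code from the deck or from Windows). It applies the process conditions (64-bit, impersonation, requestedExecutionLevel, non-interactive), the executable-type exclusion and the three protected locations, and prints where a legacy application's writes land. Assumed for the example: the system drive is C:, %WinDir% is C:\Windows, and the registry store path is completed with the MACHINE\Software subkey that the real store keeps under HKCU\Software\Classes\VirtualStore.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Process properties that switch virtualization off (slide "Virtualization - Details"). */
struct process_ctx {
    bool is_64bit;
    bool impersonating;
    bool has_requested_execution_level;  /* manifest declares requestedExecutionLevel */
    bool interactive;                    /* false for a Windows Service */
};

/* Case-insensitive prefix match; returns the remainder of s, or NULL. */
static const char *after_prefix(const char *s, const char *prefix)
{
    for (size_t i = 0; prefix[i] != '\0'; i++)
        if (s[i] == '\0' || tolower((unsigned char)s[i]) != tolower((unsigned char)prefix[i]))
            return NULL;
    return s + strlen(prefix);
}

/* Executable file types that are never file-virtualized (list from the slide). */
bool is_executable_type(const char *path)
{
    static const char *const exts[] = { ".aspx", ".bin", ".cmd", ".exe", ".hlp",
                                        ".msi", ".ocx", ".sys", ".tlb", ".wsh" };
    const char *dot = strrchr(path, '.');
    const char *sep = strrchr(path, '\\');
    if (dot == NULL || (sep != NULL && sep > dot))
        return false;                    /* last path component has no extension */
    for (size_t i = 0; i < sizeof exts / sizeof exts[0]; i++) {
        const char *rest = after_prefix(dot, exts[i]);
        if (rest != NULL && *rest == '\0')
            return true;
    }
    return false;
}

/* Protected location -> per-user store. Assumes system drive C: and %WinDir% C:\Windows
 * (the real shim resolves these at run time); MACHINE\Software is the subkey the real
 * registry store uses below the HKCU\Software\Classes\VirtualStore key named on the slide. */
struct redirect { const char *from; const char *to; bool is_file; };
static const struct redirect table[] = {
    { "HKLM\\Software\\",        "HKCU\\Software\\Classes\\VirtualStore\\MACHINE\\Software\\", false },
    { "C:\\Program Files\\",     "%LocalAppData%\\VirtualStore\\Program Files\\",            true  },
    { "C:\\Windows\\System32\\", "%LocalAppData%\\VirtualStore\\Windows\\System32\\",        true  },
};

/* True if a write to `target` by this process is redirected; the redirected path is
 * stored in `out`. False means the write goes to the real location, where a standard
 * user gets "access denied" and the application should have requested elevation. */
bool virtualize_write(const struct process_ctx *p, const char *target, char *out, size_t outlen)
{
    if (p->is_64bit || p->impersonating || p->has_requested_execution_level || !p->interactive)
        return false;
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++) {
        const char *rest = after_prefix(target, table[i].from);
        if (rest == NULL)
            continue;
        if (table[i].is_file && is_executable_type(rest))
            return false;
        if (snprintf(out, outlen, "%s%s", table[i].to, rest) >= (int)outlen)
            return false;                /* would truncate: report no redirection, not a bogus path */
        return true;
    }
    return false;                        /* not an administrator location: never virtualized */
}

int main(void)
{
    /* Constructed sample: a 32-bit interactive legacy app with no manifest, and the same
     * app after a requestedExecutionLevel manifest was added. */
    const struct process_ctx legacy = { false, false, false, true };
    const struct process_ctx manifested = { false, false, true, true };
    const char *const writes[] = {
        "C:\\Program Files\\LegacyApp\\settings.ini",
        "C:\\Program Files\\LegacyApp\\update.exe",
        "HKLM\\Software\\LegacyApp\\LastRun",
        "C:\\Users\\abby\\Documents\\notes.txt",
    };
    char buf[260];
    for (size_t i = 0; i < sizeof writes / sizeof writes[0]; i++)
        printf("legacy:     %-42s -> %s\n", writes[i],
               virtualize_write(&legacy, writes[i], buf, sizeof buf) ? buf : "(not virtualized)");
    printf("manifested: %-42s -> %s\n", writes[0],
           virtualize_write(&manifested, writes[0], buf, sizeof buf) ? buf : "(not virtualized)");
    return 0;
}
```

The "manifested" line is the point of the next section: once the application declares a requestedExecutionLevel, the same settings.ini write is no longer rescued, so it must either move the file to a per-user location or run the task elevated.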

Page 37: Windows 7 Application Compatibility

Virtualization and Windows Explorer

Page 38: Windows 7 Application Compatibility

Virtualization

demo

Page 39: Windows 7 Application Compatibility

WRP (Windows Resource Protection)

General mechanism that protects certain OS resources, e.g. Windows\system32\kernel32.dll
– NT SERVICE\TrustedInstaller has Full Access; Administrators, SYSTEM and Users have read and execute only

• SfcIsKeyProtected() lets you detect if a registry key is WRP protected
• SfcIsFileProtected() lets you detect if a file is WRP protected

Windows Modules Installer (TrustedInstaller.exe) is used to update OS components
– There is no API for ISVs to interact with it

A local Administrator can take ownership of a protected resource, grant themselves access and so eliminate WRP
– so WRP is not a security measure; it guards against accidental replacement of system files by installers

Applications / Installers
– Should not modify WRP-protected resources

Page 40: Windows 7 Application Compatibility


Moving from XP to Windows 7UAC

MIC, Virtualization, WRP, Folder Locations

Page 41: Windows 7 Application Compatibility

Folder Locations

User data: \Users\%username%\
– Pictures, Music, Documents, Desktop and Favorites sit directly under this structure
– The "My " prefix is dropped (but Windows 7 displays it again in Explorer…)

"All Users" becomes "Public" (user-visible shared data) or "\ProgramData" (hidden per-machine application data)

Page 42: Windows 7 Application Compatibility

Where Should I Store Data?

                            Shared Data            User Data
Show in Explorer            FOLDERID_Public        FOLDERID_Documents
Hide in Explorer / Local    FOLDERID_ProgramData   FOLDERID_LocalAppData
Hide in Explorer / Roam     -                      FOLDERID_RoamingAppData

See: Where Should I Write Program Data Instead of Program Files?

SHGetKnownFolderPath constants

Page 43: Windows 7 Application Compatibility

Folder Location Best Practices

Never hard-code absolute paths
– Application Verifier includes a test for this

Script: environment variables

Unmanaged code (C, C++)
– SHGetFolderPath (CSIDL_... constants, legacy)
– SHGetKnownFolderPath (FOLDERID_... constants, Vista and later)

Managed code (C#, VB.NET)
– System.Environment.GetFolderPath
– Microsoft.VisualBasic.FileIO.SpecialDirectories
– My.Computer.FileSystem.SpecialDirectories

Page 44: Windows 7 Application Compatibility


Moving from XP to Windows 7UAC

MIC, Virtualization, WRP, Folder Locations, Application Manifest

Page 45: Windows 7 Application Compatibility

Vista / Win 7 “Aware” Application

• Vista/Win 7-aware applications embed an XML manifest
• Standard item in VS 2008 projects
• Disables all compatibility mitigations, including file and registry virtualization
• The manifest contains a requestedExecutionLevel:
  – asInvoker: launch with the same token as the parent process
  – highestAvailable: launch with the highest token this user possesses (a standard user gets their only token, with no prompt)
  – requireAdministrator: highest token of the user, provided the user is a member of the Administrators group (a standard user is shown the credential prompt instead)

Page 46: Windows 7 Application Compatibility

Example Application Manifest

MyAdminApp.Exe.Manifest

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="MyAdminApp" type="win32"/>
  <!-- Identify the application security requirements. -->
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="requireAdministrator"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>

Page 47: Windows 7 Application Compatibility

Finding/Solving UAC Issues

• Do you?
  • Write to Program Files, Windows, System32, HKLM\Software, or the root of a drive?
  • Create anything "globally" (system wide)?
  • Use Windows messages between isolation levels?

• Try
  • Running the application "As Administrator"
  • Testing with UAC off
  (if it only works in those modes, look for a write to an admin location or a message crossing integrity levels)

• Tools
  • Process Monitor (filter on ACCESS DENIED results and on paths under VirtualStore)
  • Standard User Analyzer

Page 48: Windows 7 Application Compatibility

Windows Services and Session 0

In Windows® XP, Windows Services and user applications execute together in Session 0.

From Windows Vista®, Windows Services are isolated in Session 0

User applications execute in Session 1, Session 2, etc.

(“fast user switching” and Terminal Services)

Page 49: Windows 7 Application Compatibility

Session Separation

Session 0 in Windows XP / Windows Server 2003

Session 0 / Session 1 in Windows Vista+

Page 50: Windows 7 Application Compatibility

Related Issues

Windows Messages cannot cross Desktop boundaries (and therefore session)

Windows Services cannot show UI (being in a different session!)

Access control (MIC) adds complexity to possible solutions.

Page 51: Windows 7 Application Compatibility

Showing UI from Windows Service

1. Built-in mitigation mechanism alerts the user that a service is "interactive"
  • Interactive Services Detection service (stopped by default)
  • Inconvenient for users

2. For a simple message: use the Terminal Services API WTSSendMessage

3. For complex UI: use CreateProcessAsUser to start a helper in the user's session (the session's user token comes from WTSQueryUserToken; target the interactive desktop winsta0\default). The helper then runs with the user's rights, so the service must treat anything it sends back as untrusted input.

Page 52: Windows 7 Application Compatibility

Windows Service Isolation- Session 0

demo

Page 53: Windows 7 Application Compatibility


Partner Resources

ACF Program / Support / Public resources

Page 54: Windows 7 Application Compatibility


Application Compatibility Factory (ACF)

– Partners with expertise in application compatibility tests: Wipro, Infosys, TCS (Tata), Satyam, HP, Sogeti
– http://technet.microsoft.com/en-us/windows/bb510132.aspx

ACF Training Site
– Contains training material for Partners willing to participate in ACF
– ACT 5.5 + Documentation + Webcasts + Slides

Page 55: Windows 7 Application Compatibility


Application Compatibility – Training

Training Program in English, approx. 12 hours, 300 level:
– UAC Overview
– Advanced UAC and Windows Resource Protection
– IE in Protected Mode
– Versioning, Folder Locations, Session 0 Isolation
– ACT 5.5 Internals
– Shims and Compatibility Administration
– LUA Tools and Solutions
– Sysinternals Tools and IE Compatibility Test Tool
– Exam

Page 56: Windows 7 Application Compatibility


Support Options for Application Compatibility

Partner Online Technical Communities (OTC)
– Windows 7 Application Compatibility OTC
– https://partner.microsoft.com/US/40014662
– First response in 8 hours
– Local language

Public Discussion Lists
– MSDN Application Compatibility for Windows Development
– TechNet Windows 7 Application Compatibility Forum

W7 ISV Remediation Workshops (DPE)
– Apply in "Green Light": https://www.isvappcompat.com/Default.aspx
– Face to face, 2-3 days
– Bring your app to fix

Feel free to contact me: [email protected]

Page 57: Windows 7 Application Compatibility


Code Samples

Windows 7 Training Kit for Developers: hands-on labs and code samples (managed/unmanaged) about:
– OS Version Checks
– Session 0 Isolation
– User Interface Process Isolation (MIC)
– Installer Detection
– High DPI
– Data Redirection (File and Registry Virtualization)

Page 58: Windows 7 Application Compatibility


Public Resources

Cookbooks – address compatibility
– "Application Compatibility Cookbook"
– "Windows 7 Application Quality Cookbook"

MSDN Application Compatibility: http://msdn.microsoft.com/en-us/windows/aa904987.aspx

TechNet Windows Application Compatibility: http://technet.microsoft.com/en-us/desktopdeployment/bb414773.aspx

Developer Guides – general programming guides
– Windows 7 UX Guide
– Windows 7 Developer Guide

Sysinternals Tools Suite: http://technet.microsoft.com/en-us/sysinternals/bb842062.aspx

Page 59: Windows 7 Application Compatibility

© 2009 Microsoft Corporation. All rights reserved.This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.