How to Design Windows 7 Compatible Application (User Account Control)
Windows 7 Application Compatibility Webcast Series
Presenter: Michal Morciniec, Partner Support, Microsoft (micham@microsoft.com)
Monday, October 26, 2009
Microsoft Confidential
Agenda
  - Windows Application Compatibility Roadmap
  - Top Compatibility Issues, XP to Win 7
  - Resources for Partners
Application Compatibility Stages
  - Knowledge of possible issues
  - Run the application in the new OS; use test tools
  - Code changes; compatibility patching (shimming); Windows XP Mode in W7
  - Obtain Windows 7 Logo
  - Publish your app in Windows 7 Catalogue
Windows 7 Builds on Windows Vista: Deployment, Testing, and Pilots Today Will Continue to Pay Off
  - Few Changes: Most software that runs on Windows Vista will run on Windows 7; exceptions will be low level code (AV, Firewall, Imaging, etc.)
  - Hardware that runs Windows Vista well will run Windows 7 well.
  - Windows 7, Few Changes: Focus on quality and reliability improvements
  - Deep Changes: New models for security, drivers, deployment, and networking
Top Application Compatibility Issues
  - User Account Control
  - Windows Services Isolation
  - Version checking
Windows OS Version Numbers
Why Version 6.1?
  - Some applications only check dwMajorVersion
  - Some applications tried to do the right thing, but implemented it INCORRECTLY:
      if (majorVersion >= 5 && minorVersion >= 1)
Version Checking Best Practices
  - Do not perform version checks for equality
  - If you need a feature, check for the feature
  - Check for Windows XP or later (>= 5.1)
  - Exceptions occur when there is a business or legal reason to do a version check, e.g. a regulatory body requires you to certify your application for each operating system and version
  - Check the Windows 7 Training Kit for Developers for sample code
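The two preceding slides quote the broken check without showing why it misbehaves. The following is an added example, not code from the webcast or the Training Kit: it runs the slide's incorrect test, an equality test, and a correct "at least 5.1" comparison over constructed (major, minor) pairs. The version numbers are the published OSVERSIONINFO values (2000 = 5.0, XP = 5.1, Server 2003 = 5.2, Vista = 6.0, Windows 7 = 6.1); the comparison is written in plain C so it runs anywhere, whereas a real Windows build would hand the same pair comparison to VerifyVersionInfo.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed sample versions as reported in OSVERSIONINFO (major.minor). */
typedef struct {
    int major;
    int minor;
    const char *name;
} os_version;

static const os_version kSamples[] = {
    {5, 0, "Windows 2000"},
    {5, 1, "Windows XP"},
    {5, 2, "Windows Server 2003"},
    {6, 0, "Windows Vista"},
    {6, 1, "Windows 7"},
};

/* The incorrect test quoted on the slide. Major and minor are compared
   independently, so 6.0 (Vista) is rejected, while 6.1 (Windows 7) passes
   only because its minor number happens to be 1 again. */
bool buggy_is_xp_or_later(int major, int minor) {
    return major >= 5 && minor >= 1;
}

/* An equality check: "supported" only on the exact version it was written for. */
bool buggy_is_exactly_xp(int major, int minor) {
    return major == 5 && minor == 1;
}

/* Correct "at least" test: compare the (major, minor) pair lexicographically. */
bool is_at_least(int major, int minor, int req_major, int req_minor) {
    if (major != req_major) {
        return major > req_major;
    }
    return minor >= req_minor;
}

/* "Windows XP or later" as the slide recommends: >= 5.1. */
bool correct_is_xp_or_later(int major, int minor) {
    return is_at_least(major, minor, 5, 1);
}

int main(void) {
    printf("%-22s %-6s %-6s %-8s\n", "version", "buggy", "exact", "correct");
    for (size_t i = 0; i < sizeof kSamples / sizeof kSamples[0]; i++) {
        const os_version *v = &kSamples[i];
        printf("%-22s %-6s %-6s %-8s\n", v->name,
               buggy_is_xp_or_later(v->major, v->minor) ? "yes" : "NO",
               buggy_is_exactly_xp(v->major, v->minor) ? "yes" : "NO",
               correct_is_xp_or_later(v->major, v->minor) ? "yes" : "NO");
    }
    return 0;
}
```

The table makes the slide's point visible: the buggy test rejects Vista and accepts Windows 7 by coincidence, the equality test rejects every later release, and only the lexicographic comparison gives the intended answer for all five rows.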
Moving from XP to Windows 7: UAC
User Account Types
  - Built-in (local machine) Administrator: disabled by default; runs with "Full token"
  - Protected Administrator: user in Administrators group; runs with "Split token"
  - Standard User or Limited User Account: none of the above; does not have administrator privileges
User Account Control – Why?
What Standard User can do?
  Not Allowed:
  - Change system components
  - Change per machine settings
  - Admin "privileges"
  Allowed:
  - Change per user settings
The Split Token
  - Run with fewer rights most of the time
  - Conveniently elevate when you need rights
  - Applies to interactive logons only
UAC Split Tokens demo
Consent UI: OS Application; Unsigned Application; Signed Application
Credential UI (Over The Shoulder)
Windows 7 UAC Control Settings
  New settings:
  - Top setting: Vista behaviour
  - 2nd: Does not prompt for Windows binaries
  - 3rd: As 2nd, plus prompts on User Desktop
  - 4th: UAC disabled
Windows 7 UAC and Auto-Elevation
  - Middle settings use auto elevation
  - Windows Publishing Certificate signed binaries
  - In "secure" location: %SystemRoot%\System32; some %ProgramFiles% subdirs (Windows Defender, Windows Journal)
  - On hardcoded list (Pkgmgr.exe, Migwiz.exe)
  Tool: sigcheck -m
UAC and Security Policy (W7 and Vista)
  As in Vista, certain UAC behaviour can be controlled through Security Policy:
  - Prompt behaviour for Admins/Standard Users
  - Installer detection heuristics
  - Switching to secure desktop when prompting
  - File and Registry Virtualization
  Example: Disable OTS dialog for Standard Users (Automatically deny elevation requests)
Moving from XP to Windows 7: UAC, UI Goals - Shield
UI Goals: Simple & Predictable
  1. Make application Standard user only: ensure Standard users can be fully productive
  2. Clearly identify Administrative tasks: identify tasks that need elevation with a "shield"
UI: The Shield
  - Attached to controls to indicate that elevation is required to use their associated feature
  - Has only one state (i.e. no hover, disabled etc.)
  - Does not remember elevated state
  - Not an unlock operation
  - Can be programmatically set: IDI_SHIELD icon resource; BCM_SETSHIELD button message
  - See: Enabling UAC Elevation in .NET applications (elevating process, displaying shield, etc.)
UI Shield Example Use
Moving from XP to Windows 7: UAC, UI Goals - Shield, MIC
Mandatory Integrity Control (MIC)
  - Traditional NT security model revolves around the process token
  - Windows Vista/Win7 enhances this with MIC:
    - Each process gets a MIC level
    - All resources get a MIC level (medium is default)
  - There are four levels:
    0: Low (IE with Protected Mode On)
    1: Medium (Standard User)
    2: High (Elevated User)
    3: System (System Services)
MIC and Resources
  - MIC levels apply to: Processes, Objects, COM components, Services, Files, Registry keys
  - View MIC level on files and other resources using "accesschk -i" (Sysinternals tool)
  - IE currently only application that has a MIC level of Low; all IE resources need Low as well
MIC, Simplified
  - Object can have an integrity label, stored in its Security Descriptor
  - Processes run at an integrity level (IL), stored in the Access Token
  - Process cannot access object if its IL is lower than the object's label; part of the access check
Integrity Labels - Policies
  - Every securable object has one; includes Level and Policy
  - Policies can include:
    No-Write-Up: Lower IL can't write to object
    No-Read-Up: Lower IL can't read object
    No-Execute-Up: Lower IL can't execute object
  - No label = Medium + No-Write-Up
  - Processes are No-Write-Up + No-Read-Up
MIC And Access Checks
  - Process IL + access requested matched against object label
  - If Process IL >= Object's label, go on to DACL check
  - If Process IL < Object's label, and Object policy includes… and access requested includes…
Access Check Example – With MIC
  "Who am I" – Identity + trust level
  - Internet Explorer [Low IL] requests access Read + Write to Toby's Startup Folder (Medium, NW)
  - MS Money [Medium IL] requests access Read + Write to Toby's Startup Folder (Medium, NW)
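The rules on the "Integrity Labels - Policies" and "MIC And Access Checks" slides, and the Internet Explorer / MS Money scenario above, carried through as an added C example (not code from the webcast). It models the mandatory integrity check in plain C with constructed labels and tokens rather than calling the Windows access-check API: the folder carries the default label (Medium + No-Write-Up), processes carry No-Write-Up + No-Read-Up, and the function reports which requested access bits the integrity policy strips before the DACL is consulted.

```c
#include <stdbool.h>
#include <stdio.h>

/* The four integrity levels from the slide, ordered low to high. */
typedef enum { IL_LOW = 0, IL_MEDIUM = 1, IL_HIGH = 2, IL_SYSTEM = 3 } integrity_level;

/* Mandatory policy flags an integrity label can carry. */
enum { NO_WRITE_UP = 1u, NO_READ_UP = 2u, NO_EXECUTE_UP = 4u };

/* Generic access rights a caller can request. */
enum { ACCESS_READ = 1u, ACCESS_WRITE = 2u, ACCESS_EXECUTE = 4u };

typedef struct {
    const char *name;
    integrity_level level;
    unsigned policy;
} object_label;

typedef struct {
    const char *name;
    integrity_level level;
} process_token;

/* An object with no explicit label is treated as Medium + No-Write-Up. */
object_label default_label(const char *name) {
    object_label l = { name, IL_MEDIUM, NO_WRITE_UP };
    return l;
}

/* A process seen as a target object carries No-Write-Up + No-Read-Up. */
object_label process_as_object(process_token p) {
    object_label l = { p.name, p.level, NO_WRITE_UP | NO_READ_UP };
    return l;
}

/* Mandatory integrity check. Returns the requested access bits that the
   object's policy strips from a lower-IL caller; 0 means the request passes
   unchanged and the discretionary (DACL) check decides. */
unsigned mic_denied_access(process_token p, object_label o, unsigned requested) {
    if (p.level >= o.level) {
        return 0;
    }
    unsigned denied = 0;
    if ((o.policy & NO_WRITE_UP) && (requested & ACCESS_WRITE)) denied |= ACCESS_WRITE;
    if ((o.policy & NO_READ_UP) && (requested & ACCESS_READ)) denied |= ACCESS_READ;
    if ((o.policy & NO_EXECUTE_UP) && (requested & ACCESS_EXECUTE)) denied |= ACCESS_EXECUTE;
    return denied;
}

bool mic_allows(process_token p, object_label o, unsigned requested) {
    return mic_denied_access(p, o, requested) == 0;
}

static void report(process_token p, object_label o, unsigned requested) {
    unsigned denied = mic_denied_access(p, o, requested);
    printf("%-18s [IL %d] -> %-22s [IL %d]: ", p.name, (int)p.level, o.name, (int)o.level);
    if (denied == 0) {
        printf("passes MIC, continue to DACL check\n");
        return;
    }
    printf("MIC strips%s%s%s; request fails\n",
           (denied & ACCESS_READ) ? " READ" : "",
           (denied & ACCESS_WRITE) ? " WRITE" : "",
           (denied & ACCESS_EXECUTE) ? " EXECUTE" : "");
}

int main(void) {
    /* Constructed scenario from the slide: the folder has no explicit label. */
    object_label startup = default_label("Toby's Startup Folder");
    process_token ie = { "Internet Explorer", IL_LOW };
    process_token money = { "MS Money", IL_MEDIUM };

    report(ie, startup, ACCESS_READ | ACCESS_WRITE);    /* WRITE stripped by NW */
    report(money, startup, ACCESS_READ | ACCESS_WRITE); /* equal IL: on to DACL */
    report(ie, startup, ACCESS_READ);                   /* read alone passes MIC */
    report(ie, process_as_object(money), ACCESS_READ);  /* NR on processes: read stripped */
    return 0;
}
```

Two things the slide's diagram leaves implicit fall out of running it: a Low process can still read a Medium object (the default label has no No-Read-Up), and the integrity check only ever removes rights, so an equal-or-higher IL caller is decided entirely by the DACL.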
User Interface Privilege Isolation (UIPI)
  UIPI: a lower MIC process CANNOT
  - Validate a window handle created by a higher-privileged process
  - Call SendMessage or PostMessage to windows created by a higher-privileged process
  - Use thread hooks to attach to a higher-privileged process
  - Use journal hooks (SetWindowsHookEx) to monitor a higher-privileged process
  - Perform DLL injection into a higher-privileged process
  To allow a Windows message to pass between MIC levels, use ChangeWindowMessageFilter(message, MSGFLT_ADD); or mark UIAccess = true in the manifest (see osk.exe for an example)
Moving from XP to Windows 7: UAC, UI Goals - Shield, MIC, Virtualization
Virtualization
  - Intended for existing legacy applications and may be removed in a future OS version
  - 32-bit legacy interactive applications that write to administrator locations: HKLM\Software; %SystemDrive%\Program Files; %WinDir%\System32
  - Redirected to: HKCU\Software\Classes\VirtualStore; %LocalAppData%\VirtualStore
  - Redirection removes the need for elevation: writes to HKLM go to the HKCU redirected store; writes to system directories are redirected to the per-user store
  - Different from registry key redirection for 32-bit applications on x64 under WOW64…
Virtualization - Details
  Registry Keys Virtualization does not work if:
  - Process is 64 bit
  - Process is impersonating a user
  - Process specified requestedExecutionLevel in manifest
  - Process is non-interactive (e.g. Windows Service)
  File Virtualization does not work if:
  - File is of executable type; examples: .aspx, .bin, .cmd, .exe, .hlp, .msi, .ocx, .sys, .tlb, .wsh
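The two virtualization slides above are a set of rules, and the useful question for a tester is which writes of a given legacy application will be silently redirected to VirtualStore and which will fail outright. The following added C example (not code from the webcast) encodes those rules over constructed process descriptions and paths. It assumes, beyond what the slide states, that the four process conditions listed for registry virtualization also gate file virtualization, which matches the fact that virtualization is enabled per process token; the extension list is exactly the slide's.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Properties of the process that the slide's rules look at. */
typedef struct {
    bool is_64bit;
    bool is_impersonating;
    bool has_requested_execution_level; /* manifest carries requestedExecutionLevel */
    bool is_interactive;                /* false for a Windows Service */
} process_info;

/* File types the slide lists as exempt from file virtualization. */
static const char *const kExecutableTypes[] = {
    ".aspx", ".bin", ".cmd", ".exe", ".hlp", ".msi", ".ocx", ".sys", ".tlb", ".wsh",
};

/* Case-insensitive equality; Windows extensions are not case sensitive. */
static bool ieq(const char *a, const char *b) {
    for (; *a && *b; a++, b++) {
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return false;
    }
    return *a == '\0' && *b == '\0';
}

/* Registry virtualization rules from the slide: all four conditions must hold. */
bool registry_virtualization_applies(const process_info *p) {
    return !p->is_64bit && !p->is_impersonating
        && !p->has_requested_execution_level && p->is_interactive;
}

/* True when the path's extension is on the executable-type list. */
bool is_executable_type(const char *path) {
    const char *dot = strrchr(path, '.');
    if (dot == NULL) return false;
    /* A dot inside a directory name (e.g. "\v1.2\README") is not an extension. */
    if (strchr(dot, '\\') != NULL || strchr(dot, '/') != NULL) return false;
    for (size_t i = 0; i < sizeof kExecutableTypes / sizeof kExecutableTypes[0]; i++) {
        if (ieq(dot, kExecutableTypes[i])) return true;
    }
    return false;
}

/* File virtualization: assumed here to need the same process conditions as
   registry virtualization, plus a non-executable file type. */
bool file_virtualization_applies(const process_info *p, const char *path) {
    return registry_virtualization_applies(p) && !is_executable_type(path);
}

int main(void) {
    /* Constructed samples: {64-bit, impersonating, has requestedExecutionLevel, interactive}. */
    const process_info legacy_app = { false, false, false, true };
    const process_info service    = { false, false, false, false };
    const process_info manifested = { false, false, true,  true };
    const char *const paths[] = {
        "C:\\Program Files\\OldApp\\settings.ini",
        "C:\\Program Files\\OldApp\\Update.EXE",
        "C:\\Program Files\\OldApp\\v1.2\\README",
    };

    printf("registry virtualization: legacy app %s, service %s, manifested app %s\n",
           registry_virtualization_applies(&legacy_app) ? "yes" : "no",
           registry_virtualization_applies(&service) ? "yes" : "no",
           registry_virtualization_applies(&manifested) ? "yes" : "no");
    for (size_t i = 0; i < sizeof paths / sizeof paths[0]; i++) {
        printf("%-44s -> %s\n", paths[i],
               file_virtualization_applies(&legacy_app, paths[i])
                   ? "redirected to %LocalAppData%\\VirtualStore"
                   : "not virtualized; write needs real permission or elevation");
    }
    return 0;
}
```

The practical reading: the same unmanifested 32-bit application gets its writes redirected when run interactively but fails them when the same code runs as a service or is given a manifest, which is why the slides recommend testing as a Standard User with Process Monitor rather than trusting that "it worked on my machine".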
Virtualization and Windows Explorer
Virtualization demo
WRP (Windows Resource Protection)
  - General mechanism that protects certain OS resources, e.g. \Windows\System32\kernel32.dll
  - NT SERVICE\TrustedInstaller has Full Access
  - SfcIsKeyProtected() lets you detect if a registry key is WRP protected
  - SfcIsFileProtected() lets you detect if a file is WRP protected
  - Windows Module Installer (TrustedInstaller.exe) is used to update OS components; there is no API for ISVs to interact with it
  - Local Administrator can take "ownership" of a protected resource, eliminating WRP, so WRP is not a security measure
  - Applications / Installers should not modify WRP protected resources
Moving from XP to Windows 7: UAC, MIC, Virtualization, WRP, Folder Locations
Folder Locations
  - User data: \Users\%username%\
  - Pictures, Music, Documents, Desktop, and Favorites directly under this structure; "My " prefix dropped (but Windows 7 displays it again in Explorer…)
  - "All Users" becomes "Public" or "\ProgramData"
Where Should I Store Data?
  - SHGetKnownFolderPath constants
  - See: Where Should I Write Program Data Instead of Program Files?
Folder Location Best Practices
  - Never hard code absolute paths (AppVerifier includes a test)
  - Script: environment variables
  - Unmanaged code (C, C++): SHGetFolderPath function (CSIDL_...); SHGetKnownFolderPath (FOLDERID_...)
  - Managed code (C#, VB.NET): System.Environment.GetFolderPath; Microsoft.VisualBasic.FileIO.SpecialDirectories; My.Computer.FileSystem.SpecialDirectories
Moving from XP to Windows 7: UAC, MIC, Virtualization, WRP, Folder Locations, Application Manifest
Vista / Win 7 "Aware" Application
  - Vista/Win 7-aware applications embed an XML manifest (standard item in VS 2008 projects)
  - Disables all mitigations
  - Manifest contains a requestedExecutionLevel:
Example Application Manifest: MyAdminApp.Exe.Manifest

  <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
  <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
    <assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="MyAdminApp" type="win32"/>
    <!-- Identify the application security requirements. -->
    <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
      <security>
        <requestedPrivileges>
          <requestedExecutionLevel level="requireAdministrator"/>
        </requestedPrivileges>
      </security>
    </trustInfo>
  </assembly>
Finding/Solving UAC Issues
  Do you?
  - Write to Program Files, Windows, System32, HKLM/Software, or Root?
  - Create anything "globally" (system wide)?
  - Use Windows messages between isolation levels?
  Try running the application "As Administrator"; testing with UAC off
  Tools: Process Monitor; Standard User Analyzer
Windows Services and Session 0
  - In Windows XP, Windows Services and user applications execute together in Session 0.
  - From Windows Vista, Windows Services are isolated in Session 0; user applications execute in Session 1, Session 2, etc. ("fast user switching" and Terminal Services)
Session Separation
  - Session 0 in Windows XP / Windows Server 2003
  - Session 0 / Session 1 in Windows Vista+
Related Issues
  - Windows messages cannot cross Desktop boundaries (and therefore sessions)
  - Windows Services cannot show UI (being in a different session!)
  - Access control (MIC) adds complexity to possible solutions.
Showing UI from Windows Service
  - Built-in mitigation mechanism alerts the user (that the service is "interactive")
  - Inconvenient for users
  For simple message:
  For complex UI:
Partner Resources: ACF; Program Support; Public resources
Application Compatibility Factory (ACF)
  - 5 Partners with expertise in application compatibility tests: Wipro, Infosys, TCS (Tata), Satyam, HP, Sogeti
  - http://technet.microsoft.com/en-us/windows/bb510132.aspx
  - ACF Training Site: contains training material for Partners willing to participate in ACF (ACT 5.5 + Documentation + Webcasts + Slides)

Más contenido relacionado

La actualidad más candente

Application Virtualization overview - BayCUG
Application Virtualization overview - BayCUGApplication Virtualization overview - BayCUG
Application Virtualization overview - BayCUG
Denis Gundarev
 
How to Extend Microsoft SCOM to Monitor & Diagnose the Performance of Citrix,...
How to Extend Microsoft SCOM to Monitor & Diagnose the Performance of Citrix,...How to Extend Microsoft SCOM to Monitor & Diagnose the Performance of Citrix,...
How to Extend Microsoft SCOM to Monitor & Diagnose the Performance of Citrix,...
eG Innovations
 

La actualidad más candente (14)

MDOP 2011
MDOP 2011MDOP 2011
MDOP 2011
 
Effectively Utilizing LEMSS: Top 11 Security Capabilities You Can Implement T...
Effectively Utilizing LEMSS: Top 11 Security Capabilities You Can Implement T...Effectively Utilizing LEMSS: Top 11 Security Capabilities You Can Implement T...
Effectively Utilizing LEMSS: Top 11 Security Capabilities You Can Implement T...
 
Application Virtualization overview - BayCUG
Application Virtualization overview - BayCUGApplication Virtualization overview - BayCUG
Application Virtualization overview - BayCUG
 
Windows Accelerate IT Pro Bootcamp: Windows ToGo (Module 3 of 8)
Windows Accelerate IT Pro Bootcamp: Windows ToGo (Module 3 of 8)Windows Accelerate IT Pro Bootcamp: Windows ToGo (Module 3 of 8)
Windows Accelerate IT Pro Bootcamp: Windows ToGo (Module 3 of 8)
 
AV-Comparatives’ 2017 business software review
AV-Comparatives’ 2017 business software reviewAV-Comparatives’ 2017 business software review
AV-Comparatives’ 2017 business software review
 
App V
App VApp V
App V
 
How to Get the​ Fastest Possible ​Citrix Logon Times​? Optimization Tips for ...
How to Get the​ Fastest Possible ​Citrix Logon Times​? Optimization Tips for ...How to Get the​ Fastest Possible ​Citrix Logon Times​? Optimization Tips for ...
How to Get the​ Fastest Possible ​Citrix Logon Times​? Optimization Tips for ...
 
OpsMgr 2012 end-to-end monitoring
OpsMgr 2012 end-to-end monitoringOpsMgr 2012 end-to-end monitoring
OpsMgr 2012 end-to-end monitoring
 
Vmware’s move to a digital workspace
Vmware’s move to a digital workspaceVmware’s move to a digital workspace
Vmware’s move to a digital workspace
 
How to Extend Microsoft SCOM to Monitor & Diagnose the Performance of Citrix,...
How to Extend Microsoft SCOM to Monitor & Diagnose the Performance of Citrix,...How to Extend Microsoft SCOM to Monitor & Diagnose the Performance of Citrix,...
How to Extend Microsoft SCOM to Monitor & Diagnose the Performance of Citrix,...
 
Patch Tuesday Analysis - May 2016
Patch Tuesday Analysis - May 2016Patch Tuesday Analysis - May 2016
Patch Tuesday Analysis - May 2016
 
MAX State of the Nation: Recent and Upcoming Releases - Mark Petrie
MAX State of the Nation: Recent and Upcoming Releases - Mark PetrieMAX State of the Nation: Recent and Upcoming Releases - Mark Petrie
MAX State of the Nation: Recent and Upcoming Releases - Mark Petrie
 
SCEP 2012 inside SCCM 2012
SCEP 2012 inside SCCM 2012SCEP 2012 inside SCCM 2012
SCEP 2012 inside SCCM 2012
 
VMworld 2013: VMware Mirage 201
VMworld 2013: VMware Mirage 201VMworld 2013: VMware Mirage 201
VMworld 2013: VMware Mirage 201
 

Destacado

Leadership cultural intercepts v2 eng
Leadership cultural intercepts v2 engLeadership cultural intercepts v2 eng
Leadership cultural intercepts v2 eng
Salvador Zamudio
 
Julia Explorer Report
Julia Explorer ReportJulia Explorer Report
Julia Explorer Report
Brooke Young
 
Stephen Explorer Report
Stephen Explorer ReportStephen Explorer Report
Stephen Explorer Report
Brooke Young
 
Silent Messenger Powe Point
Silent Messenger Powe PointSilent Messenger Powe Point
Silent Messenger Powe Point
Keith Dennison
 

Destacado (20)

Manby Heart Introductie 04b
Manby Heart Introductie 04bManby Heart Introductie 04b
Manby Heart Introductie 04b
 
Wordcamp 2010: Hoe meet ik het succes van mijn WordPress site?
Wordcamp 2010: Hoe meet ik het succes van mijn WordPress site?Wordcamp 2010: Hoe meet ik het succes van mijn WordPress site?
Wordcamp 2010: Hoe meet ik het succes van mijn WordPress site?
 
The Smartphone Challenge (a European perspective)
The Smartphone Challenge (a European perspective)The Smartphone Challenge (a European perspective)
The Smartphone Challenge (a European perspective)
 
Cocreate ipc 2011 actieplan
Cocreate ipc 2011 actieplanCocreate ipc 2011 actieplan
Cocreate ipc 2011 actieplan
 
CoCreateIPC
CoCreateIPCCoCreateIPC
CoCreateIPC
 
Pitch iMGZN
Pitch iMGZNPitch iMGZN
Pitch iMGZN
 
Leadership cultural intercepts v2 eng
Leadership cultural intercepts v2 engLeadership cultural intercepts v2 eng
Leadership cultural intercepts v2 eng
 
A Stranger in a Strange Land
A Stranger in a Strange LandA Stranger in a Strange Land
A Stranger in a Strange Land
 
Visit Ancient India
Visit Ancient IndiaVisit Ancient India
Visit Ancient India
 
The Paer Method
The Paer MethodThe Paer Method
The Paer Method
 
Rockstart answers eindhoven
Rockstart answers eindhovenRockstart answers eindhoven
Rockstart answers eindhoven
 
Flickr. Twitter. Here you are.
Flickr. Twitter. Here you are.Flickr. Twitter. Here you are.
Flickr. Twitter. Here you are.
 
Microsoft Power Point Lg Pro Presentation (Slideshare)
Microsoft Power Point   Lg Pro Presentation (Slideshare)Microsoft Power Point   Lg Pro Presentation (Slideshare)
Microsoft Power Point Lg Pro Presentation (Slideshare)
 
Julia Explorer Report
Julia Explorer ReportJulia Explorer Report
Julia Explorer Report
 
Crg West Any2 Members 11 Dec2008
Crg West Any2 Members 11 Dec2008Crg West Any2 Members 11 Dec2008
Crg West Any2 Members 11 Dec2008
 
Stephen Explorer Report
Stephen Explorer ReportStephen Explorer Report
Stephen Explorer Report
 
Medicaid: New Developments and Changes in the Rules
Medicaid: New Developments and Changes in the RulesMedicaid: New Developments and Changes in the Rules
Medicaid: New Developments and Changes in the Rules
 
Work goes mobile 1/3
Work goes mobile 1/3Work goes mobile 1/3
Work goes mobile 1/3
 
Silent Messenger Powe Point
Silent Messenger Powe PointSilent Messenger Powe Point
Silent Messenger Powe Point
 
Ocw presentatie
Ocw presentatieOcw presentatie
Ocw presentatie
 

Similar a Windows 7 Application Compatibility

Fighting Spyware With Mandatory Access Control In Microsoft Windows Vista (Di...
Fighting Spyware With Mandatory Access Control In Microsoft Windows Vista (Di...Fighting Spyware With Mandatory Access Control In Microsoft Windows Vista (Di...
Fighting Spyware With Mandatory Access Control In Microsoft Windows Vista (Di...
FilGov
 
This project is broken up into Windows and Mac versions lis.pdf
This project is broken up into Windows and Mac versions lis.pdfThis project is broken up into Windows and Mac versions lis.pdf
This project is broken up into Windows and Mac versions lis.pdf
adinathfashion1
 
Note This project is broken up into Windows and Mac version.pdf
Note This project is broken up into Windows and Mac version.pdfNote This project is broken up into Windows and Mac version.pdf
Note This project is broken up into Windows and Mac version.pdf
sagaraccura
 
This project is broken up into Windows and Mac versions lis.pdf
This project is broken up into Windows and Mac versions lis.pdfThis project is broken up into Windows and Mac versions lis.pdf
This project is broken up into Windows and Mac versions lis.pdf
ableelectronics
 
0828 Windows Server 2008 新安全功能探討
0828 Windows Server 2008 新安全功能探討0828 Windows Server 2008 新安全功能探討
0828 Windows Server 2008 新安全功能探討
Timothy Chen
 
1RUNNING HEAD MANAGING HOST BASED SECURITY IN WINDOWS 8.1La.docx
1RUNNING HEAD MANAGING HOST BASED SECURITY IN WINDOWS 8.1La.docx1RUNNING HEAD MANAGING HOST BASED SECURITY IN WINDOWS 8.1La.docx
1RUNNING HEAD MANAGING HOST BASED SECURITY IN WINDOWS 8.1La.docx
eugeniadean34240
 
Windows 7 for IT Professionals
Windows 7 for IT ProfessionalsWindows 7 for IT Professionals
Windows 7 for IT Professionals
Rishu Mehra
 

Similar a Windows 7 Application Compatibility (20)

3 App Compat Win7
3 App Compat Win73 App Compat Win7
3 App Compat Win7
 
Wcl310 Raiders of the Elevated Token
Wcl310 Raiders of the Elevated TokenWcl310 Raiders of the Elevated Token
Wcl310 Raiders of the Elevated Token
 
Fighting Spyware With Mandatory Access Control In Microsoft Windows Vista (Di...
Fighting Spyware With Mandatory Access Control In Microsoft Windows Vista (Di...Fighting Spyware With Mandatory Access Control In Microsoft Windows Vista (Di...
Fighting Spyware With Mandatory Access Control In Microsoft Windows Vista (Di...
 
This project is broken up into Windows and Mac versions lis.pdf
This project is broken up into Windows and Mac versions lis.pdfThis project is broken up into Windows and Mac versions lis.pdf
This project is broken up into Windows and Mac versions lis.pdf
 
Note This project is broken up into Windows and Mac version.pdf
Note This project is broken up into Windows and Mac version.pdfNote This project is broken up into Windows and Mac version.pdf
Note This project is broken up into Windows and Mac version.pdf
 
Windows 7 – Application Compatibility Toolkit 5.5 Overview
Windows 7 – Application Compatibility Toolkit 5.5 OverviewWindows 7 – Application Compatibility Toolkit 5.5 Overview
Windows 7 – Application Compatibility Toolkit 5.5 Overview
 
This project is broken up into Windows and Mac versions lis.pdf
This project is broken up into Windows and Mac versions lis.pdfThis project is broken up into Windows and Mac versions lis.pdf
This project is broken up into Windows and Mac versions lis.pdf
 
Windows 8.1 a closer look
Windows 8.1 a closer lookWindows 8.1 a closer look
Windows 8.1 a closer look
 
0828 Windows Server 2008 新安全功能探討
0828 Windows Server 2008 新安全功能探討0828 Windows Server 2008 新安全功能探討
0828 Windows Server 2008 新安全功能探討
 
Experts Live Europe 2017 - Best Practices to secure Windows 10 with already i...
Experts Live Europe 2017 - Best Practices to secure Windows 10 with already i...Experts Live Europe 2017 - Best Practices to secure Windows 10 with already i...
Experts Live Europe 2017 - Best Practices to secure Windows 10 with already i...
 
Introduction to the Microsoft Azure Cloud.pptx
Introduction to the Microsoft Azure Cloud.pptxIntroduction to the Microsoft Azure Cloud.pptx
Introduction to the Microsoft Azure Cloud.pptx
 
1RUNNING HEAD MANAGING HOST BASED SECURITY IN WINDOWS 8.1La.docx
1RUNNING HEAD MANAGING HOST BASED SECURITY IN WINDOWS 8.1La.docx1RUNNING HEAD MANAGING HOST BASED SECURITY IN WINDOWS 8.1La.docx
1RUNNING HEAD MANAGING HOST BASED SECURITY IN WINDOWS 8.1La.docx
 
Vista Presentation
Vista PresentationVista Presentation
Vista Presentation
 
Security automation simplified: an intro to DIY security automation
Security automation simplified: an intro to DIY security automationSecurity automation simplified: an intro to DIY security automation
Security automation simplified: an intro to DIY security automation
 
Windows splunk logging cheat sheet Oct 2016 - MalwareArchaeology.com
Windows splunk logging cheat sheet Oct 2016 - MalwareArchaeology.comWindows splunk logging cheat sheet Oct 2016 - MalwareArchaeology.com
Windows splunk logging cheat sheet Oct 2016 - MalwareArchaeology.com
 
Windows 7 for IT Professionals
Windows 7 for IT ProfessionalsWindows 7 for IT Professionals
Windows 7 for IT Professionals
 
Windows 7
Windows 7Windows 7
Windows 7
 
Observe It Presentation
Observe It PresentationObserve It Presentation
Observe It Presentation
 
Vistapresentation2
Vistapresentation2Vistapresentation2
Vistapresentation2
 
2011 NASA Open Source Summit - Forge.mil
2011 NASA Open Source Summit - Forge.mil2011 NASA Open Source Summit - Forge.mil
2011 NASA Open Source Summit - Forge.mil
 

Último

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 

Último (20)

Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
A Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusA Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source Milvus
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot ModelNavi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024
 

Windows 7 Application Compatibility

  • 1. How to Design Windows 7 Compatible Application (User Account Control) Windows 7 Application Compatibility Webcast Series Presenter: Michal Morciniec, Partner Support, Microsoft micham@microsoft.com Monday, October 26, 2009 1 Microsoft Confidential
  • 2. Agenda Windows Application Compatibility Roadmap Top Compatibility Issues XP  Win 7 Resources for Partners
  • 3.
  • 4. Windows 7 Builds on Windows VistaDeployment, Testing, and Pilots Today Will Continue to Pay Off Few Changes: Most software that runs on Windows Vista will run on Windows 7 - exceptions will be low level code (AV, Firewall, Imaging, etc). Hardware that runs Windows Vista well will run Windows 7 well. Windows 7 Few Changes: Focus on quality and reliability improvements Deep Changes: New models for security, drivers, deployment, and networking
  • 5.
  • 8.
  • 10. Why Version 6.1? Some applications only check dwMajorVersion Some applications tried to do the right thing, but implemented it INCORRECTLY if (majorVersion >= 5 && minorVersion >= 1)
  • 11. Version Checking Best Practices Do not perform version checks for equality If you need a feature, check for the feature Check for Windows XP or later (>= 5.1) Exceptions occur when there is a business or legal reason do a version check, e.g. a regulatory body requires you to certify your application for each operating system and version Check Windows 7 Training Kit forDeveloperfor sample code
  • 12. Movingfrom XP to Windows 7 Monday, October 26, 2009 10 Microsoft Confidential UAC
  • 13. UserAccountTypes Built-in (local machine) Administrator Disabled by default Runs with “Full token” Protected Administrator User in Administrators group Runs with “Split token” Standard User or Limited User Account None of the above Does not have administrator privileges 11
  • 14.
  • 15.
  • 18.
  • 19.
  • 20. The Split Token Run with fewer rights most of the time Conveniently elevate when you need rights Applies to interactive logons only
  • 22. Consent UI OS Application Unsigned Application Signed Application
  • 23. Credential UI (Over The Shoulder)
  • 24. Windows 7 UAC Control Settings New settings: Top Setting – Vista behaviour 2nd – Does not prompt for Windows binaries 3rd as 2nd+prompts on User Desktop 4th-UAC disabled Monday, October 26, 2009 18 Microsoft Confidential
  • 25. Windows 7 UAC and Auto-Elevation. The middle settings use auto-elevation for binaries that are:
    - Signed with the Windows Publishing Certificate
    - In a “secure” location: %SystemRoot%\System32; some %ProgramFiles% subdirectories (Windows Defender, Windows Journal)
    - On a hardcoded list (Pkgmgr.exe, Migwiz.exe)
    - Demo: sigcheck -m
  • 26. UAC and Security Policy (W7 and Vista). As in Vista, certain UAC behaviour can be controlled through Security Policy:
    - Prompt behaviour for admins/standard users
    - Installer detection heuristics
    - Switching to the secure desktop when prompting
    - File and registry virtualization
    - Example: disable the OTS dialog for standard users (“Automatically deny elevation requests”)
  • 27. Moving from XP to Windows 7: UAC; UI Goals – Shield
  • 28. UI Goals: Simple & Predictable
    1. Make the application Standard-user only: ensure standard users can be fully productive
    2. Clearly identify administrative tasks: identify tasks that need elevation with a “shield”
  • 29. UI: The Shield
    - Attached to controls to indicate that elevation is required to use their associated feature
    - Has only one state (i.e. no hover, disabled, etc.)
    - Does not remember elevated state; not an unlock operation
    - Can be programmatically set: IDI_SHIELD icon resource; BCM_SETSHIELD button message
    - See: “Enabling UAC Elevation in .NET applications” (elevating a process, displaying the shield, etc.)
  • 31. Moving from XP to Windows 7: UAC; UI Goals – Shield; MIC
  • 32. Mandatory Integrity Control (MIC)
    - The traditional NT security model revolves around the process token
    - Windows Vista/Win7 enhances this with MIC: each process gets a MIC level; all resources get a MIC level (Medium is the default)
    - There are four levels: 0: Low (IE with Protected Mode on); 1: Medium (Standard User); 2: High (Elevated User); 3: System (System Services)
  • 33. MIC and Resources
    - MIC levels apply to: processes, objects, COM components, services, files, registry keys
    - View the MIC level on files and other resources using “accesschk -i” (Sysinternals tool)
    - IE is currently the only application that has a MIC level of Low; all IE resources need Low as well
  • 34. MIC, Simplified
    - An object can have an integrity label, stored in its Security Descriptor
    - Processes run at an integrity level (IL), stored in the Access Token
    - A process cannot access an object if its IL is lower than the object’s label; this is part of the access check
  • 35. Integrity Labels – Policies
    - Every securable object has one; it includes a Level and a Policy
    - Policies can include: No-Write-Up (lower IL can’t write to the object); No-Read-Up (lower IL can’t read the object); No-Execute-Up (lower IL can’t execute the object)
    - No label = Medium + No-Write-Up
    - Processes are No-Write-Up + No-Read-Up
  • 36. MIC and Access Checks
    - Process IL + access requested are matched against the object label
    - If Process IL >= Object’s label, go on to the DACL check
    - If Process IL < Object’s label, and Object policy includes… and access requested includes…
  • 37. Access Check Example – With MIC. “Who am I” – identity + trust level
    - Internet Explorer [Low IL] requests access Read + Write to Toby’s Startup Folder, labelled Medium (NW)
    - MS Money [Medium IL] requests access Read + Write to the same folder
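The mandatory check from slides 34 to 37 as runnable logic, as an added example written for this page (it is not code from the deck, and the real check lives in the kernel's access-check path, which is not called here). The integrity levels, policy bits, the Startup folder label and the two requests are constructed to mirror the slide's worked example; the process-as-object and unlabelled-file cases extend it using the rules stated on slide 35.

```c
#include <stdbool.h>
#include <stdio.h>

/* Added example (not from the deck): a simulation of the mandatory integrity
 * check the MIC slides describe. Levels, policy bits and the requests are
 * constructed to mirror the slide's worked example. */

typedef enum { IL_LOW = 0, IL_MEDIUM = 1, IL_HIGH = 2, IL_SYSTEM = 3 } IntegrityLevel;

/* Generic access requested by the caller. */
enum { ACCESS_READ = 1, ACCESS_WRITE = 2, ACCESS_EXECUTE = 4 };

/* Mandatory policy bits carried in the object's integrity label. */
enum { NO_WRITE_UP = 1, NO_READ_UP = 2, NO_EXECUTE_UP = 4 };

typedef struct {
    bool explicit_label;   /* false: the object carries no label of its own */
    IntegrityLevel level;
    unsigned policy;
} IntegrityLabel;

/* Slide 35: no label means Medium + No-Write-Up. */
static IntegrityLabel effective_label(IntegrityLabel l) {
    if (!l.explicit_label) { l.level = IL_MEDIUM; l.policy = NO_WRITE_UP; }
    return l;
}

/* Returns true when the mandatory check passes and the DACL check may run.
 * Slide 36: a process at or above the label always passes; below it, each
 * policy bit blocks the matching kind of access. */
bool mic_allows(IntegrityLevel process_il, IntegrityLabel object, unsigned requested) {
    IntegrityLabel label = effective_label(object);
    if (process_il >= label.level) return true;
    if ((label.policy & NO_WRITE_UP)   && (requested & ACCESS_WRITE))   return false;
    if ((label.policy & NO_READ_UP)    && (requested & ACCESS_READ))    return false;
    if ((label.policy & NO_EXECUTE_UP) && (requested & ACCESS_EXECUTE)) return false;
    return true;
}

/* Slide 37: Toby's Startup folder, labelled Medium (NW). */
const IntegrityLabel STARTUP_FOLDER = { true, IL_MEDIUM, NO_WRITE_UP };
/* A file with no explicit label, so Medium + No-Write-Up by default. */
const IntegrityLabel UNLABELLED_FILE = { false, IL_LOW, 0 };
/* Slide 35: processes are No-Write-Up + No-Read-Up; a Medium process seen as an object. */
const IntegrityLabel MEDIUM_PROCESS = { true, IL_MEDIUM, NO_WRITE_UP | NO_READ_UP };

/* Internet Explorer in Protected Mode (Low IL) asking for Read + Write: denied. */
bool ie_can_read_write_startup(void) {
    return mic_allows(IL_LOW, STARTUP_FOLDER, ACCESS_READ | ACCESS_WRITE);
}
/* The same process asking only to Read: NW does not block reads, so it proceeds to the DACL. */
bool ie_can_read_startup(void) {
    return mic_allows(IL_LOW, STARTUP_FOLDER, ACCESS_READ);
}
/* MS Money at Medium IL asking for Read + Write: passes straight to the DACL check. */
bool money_can_read_write_startup(void) {
    return mic_allows(IL_MEDIUM, STARTUP_FOLDER, ACCESS_READ | ACCESS_WRITE);
}
/* A Low process trying to read a Medium process is stopped by No-Read-Up. */
bool low_can_read_medium_process(void) {
    return mic_allows(IL_LOW, MEDIUM_PROCESS, ACCESS_READ);
}
/* An unlabelled file defaults to Medium (NW): not writable from Low. */
bool low_can_write_unlabelled_file(void) {
    return mic_allows(IL_LOW, UNLABELLED_FILE, ACCESS_WRITE);
}

int main(void) {
    printf("IE (Low) R+W Startup folder:   %s\n", ie_can_read_write_startup() ? "to DACL" : "denied");
    printf("IE (Low) R   Startup folder:   %s\n", ie_can_read_startup() ? "to DACL" : "denied");
    printf("Money (Medium) R+W Startup:    %s\n", money_can_read_write_startup() ? "to DACL" : "denied");
    printf("Low reads Medium process:      %s\n", low_can_read_medium_process() ? "to DACL" : "denied");
    return 0;
}
```

The point the slide makes is visible in the first two results: the Low-IL request fails only because it includes Write; a read-only request from the same process clears the mandatory check and is then decided by the DACL as before.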
  • 39. Moving from XP to Windows 7: UAC; UI Goals – Shield; MIC; Virtualization
  • 40. Virtualization
    - Intended for existing legacy applications and may be removed in a future OS version
    - Applies to 32-bit legacy interactive applications that write to administrator locations: HKLM\Software; %SystemDrive%\Program Files; %WinDir%\System32
    - Redirected to: HKCU\Software\Classes\VirtualStore; %LocalAppData%\VirtualStore
    - Redirection removes the need for elevation: writes to HKLM go to the HKCU redirected store; writes to system directories are redirected to the per-user store
    - Different from the registry key redirection applied to 32-bit applications on x64 under WOW64…
  • 41. Virtualization – Details
    - Registry key virtualization does not work if: the process is 64-bit; the process is impersonating a user; the process specified requestedExecutionLevel in its manifest; the process is non-interactive (e.g. a Windows Service)
    - File virtualization does not work if the file is of an executable type, for example: .aspx, .bin, .cmd, .exe, .hlp, .msi, .ocx, .sys, .tlb, .wsh
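The rules from slides 40 and 41 combined into one decision, as an added example written for this page (not the deck's code and not how Windows implements it). Process attributes, paths and the executable-extension list are constructed from the slides; the VirtualStore sub-folder names beneath the two roots the slides quote (MACHINE\Software, Program Files, Windows\System32) are an assumption beyond what the slides state, and the file rule applies the same process conditions the slide lists for registry keys.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strcasecmp/strncasecmp (POSIX); MSVC spells these _stricmp/_strnicmp */

/* Added example (not from the deck): a model of the virtualization decision
 * the two slides describe. Process attributes and paths are constructed; the
 * VirtualStore sub-folder names under the roots quoted on the slides are an
 * assumption, not something the slides state. */

typedef struct {
    bool is_64bit;
    bool impersonating;
    bool has_requested_execution_level; /* manifest declares requestedExecutionLevel */
    bool interactive;                   /* false for a Windows Service */
} ProcessInfo;

/* Only 32-bit, interactive, non-impersonating, unmanifested processes qualify. */
bool process_is_virtualized(const ProcessInfo *p) {
    return !p->is_64bit && !p->impersonating &&
           !p->has_requested_execution_level && p->interactive;
}

/* File virtualization never applies to the executable types listed on the slide. */
bool is_executable_type(const char *path) {
    static const char *const exts[] = { ".aspx", ".bin", ".cmd", ".exe", ".hlp",
                                        ".msi", ".ocx", ".sys", ".tlb", ".wsh" };
    const char *dot = strrchr(path, '.');
    if (dot == NULL) return false;
    for (size_t i = 0; i < sizeof exts / sizeof exts[0]; i++)
        if (strcasecmp(dot, exts[i]) == 0) return true;
    return false;
}

/* Returns the remainder of `path` after a case-insensitive `prefix`, or NULL. */
static const char *after_prefix(const char *path, const char *prefix) {
    size_t n = strlen(prefix);
    return strncasecmp(path, prefix, n) == 0 ? path + n : NULL;
}

/* Writes the per-user location a write to `path` is redirected to into `out`
 * and returns true; returns false when the write is not virtualized (for a
 * standard user it then fails with access denied instead of silently landing
 * in the VirtualStore). */
bool virtualized_target(const ProcessInfo *p, const char *path, char *out, size_t outlen) {
    const char *rest;
    if (!process_is_virtualized(p)) return false;
    if ((rest = after_prefix(path, "HKLM\\Software\\")) != NULL) {
        snprintf(out, outlen, "HKCU\\Software\\Classes\\VirtualStore\\MACHINE\\Software\\%s", rest);
        return true;
    }
    if (is_executable_type(path)) return false;
    if ((rest = after_prefix(path, "%SystemDrive%\\Program Files\\")) != NULL) {
        snprintf(out, outlen, "%%LocalAppData%%\\VirtualStore\\Program Files\\%s", rest);
        return true;
    }
    if ((rest = after_prefix(path, "%WinDir%\\System32\\")) != NULL) {
        snprintf(out, outlen, "%%LocalAppData%%\\VirtualStore\\Windows\\System32\\%s", rest);
        return true;
    }
    return false; /* anywhere else: an ordinary, non-redirected write */
}

/* Constructed process profiles. */
const ProcessInfo LEGACY_APP      = { false, false, false, true  };
const ProcessInfo MANIFESTED_APP  = { false, false, true,  true  };
const ProcessInfo WINDOWS_SERVICE = { false, false, false, false };

/* True if the write is virtualized at all. */
bool is_virtualized_write(const ProcessInfo *p, const char *path) {
    char buf[512];
    return virtualized_target(p, path, buf, sizeof buf);
}

/* True if the write is redirected exactly to `expected`. */
bool redirects_to(const ProcessInfo *p, const char *path, const char *expected) {
    char buf[512];
    return virtualized_target(p, path, buf, sizeof buf) && strcmp(buf, expected) == 0;
}

int main(void) {
    char buf[512];
    const char *samples[] = {
        "%SystemDrive%\\Program Files\\LegacyApp\\settings.ini",
        "%SystemDrive%\\Program Files\\LegacyApp\\update.exe",
        "HKLM\\Software\\LegacyApp\\Settings",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%s -> %s\n", samples[i],
               virtualized_target(&LEGACY_APP, samples[i], buf, sizeof buf) ? buf : "(not virtualized)");
    return 0;
}
```

Running it for a legacy 32-bit interactive process shows the .ini and the HKLM key being redirected while the .exe is not; switching the profile to a manifested application or a service turns all three into plain writes that a standard user will see fail, which is why slide 50 says the manifest “disables all mitigations”.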
  • 44. WRP (Windows Resource Protection)
    - General mechanism that protects certain OS resources, e.g. Windows\System32\kernel32.dll; NT SERVICE\TrustedInstaller has Full Access
    - SfcIsKeyProtected() lets you detect if a registry key is WRP-protected; SfcIsFileProtected() lets you detect if a file is WRP-protected
    - Windows Module Installer (TrustedInstaller.exe) is used to update OS components; there is no API for ISVs to interact with it
    - A local Administrator can take “ownership” of a protected resource, eliminating WRP, so WRP is not a security measure
    - Applications / installers should not modify WRP-protected resources
  • 45. Moving from XP to Windows 7: UAC; MIC; Virtualization; WRP; Folder Locations
  • 46. Folder Locations
    - User data: \Users\%username%; Pictures, Music, Documents, Desktop, and Favorites sit directly under this structure
    - “My ” prefix dropped (but Windows 7 displays it again in Explorer…)
    - “All Users” → “Public” or “\ProgramData”
  • 47. Where Should I Store Data? SHGetKnownFolderPath constants. See: “Where Should I Write Program Data Instead of Program Files?”
  • 48. Folder Location Best Practices
    - Never hard-code absolute paths (AppVerifier includes a test for this)
    - Scripts: environment variables
    - Unmanaged code (C, C++): SHGetFolderPath function (CSIDL_...); SHGetKnownFolderPath (FOLDERID_...)
    - Managed code (C#, VB.NET): System.Environment.GetFolderPath; Microsoft.VisualBasic.FileIO.SpecialDirectories; My.Computer.FileSystem.SpecialDirectories
  • 49. Moving from XP to Windows 7: UAC; MIC; Virtualization; WRP; Folder Locations; Application Manifest
  • 50. Vista / Win 7 “Aware” Application
    - Vista/Win 7-aware applications embed an XML manifest (a standard item in VS 2008 projects)
    - The manifest disables all mitigations
    - The manifest contains a requestedExecutionLevel:
  • 51. Example Application Manifest: MyAdminApp.Exe.Manifest
    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
      <assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="MyAdminApp" type="win32"/>
      <!-- Identify the application security requirements. -->
      <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
        <security>
          <requestedPrivileges>
            <requestedExecutionLevel level="requireAdministrator"/>
          </requestedPrivileges>
        </security>
      </trustInfo>
    </assembly>
  • 52. Finding/Solving UAC Issues. Do you:
    - Write to Program Files, Windows, System32, HKLM\Software, or the root?
    - Create anything “globally” (system-wide)?
    - Use Windows messages between isolation levels?
    - Try running the application “As Administrator”; test with UAC off
    - Tools: Process Monitor; Standard User Analyzer
  • 53. Windows Services and Session 0
    - In Windows® XP, Windows Services and user applications execute together in Session 0
    - From Windows Vista®, Windows Services are isolated in Session 0; user applications execute in Session 1, Session 2, etc. (“fast user switching” and Terminal Services)
  • 54. Session Separation (diagram): Session 0 in Windows XP / Windows Server 2003; Session 0 / Session 1 in Windows Vista and later
  • 55. Related Issues
    - Windows messages cannot cross desktop boundaries (and therefore sessions)
    - Windows Services cannot show UI (being in a different session!)
    - Access control (MIC) adds complexity to possible solutions
  • 58. Partner Resources: ACF; Program Support; Public resources
  • 59. Application Compatibility Factory (ACF)
    - 5 Partners with expertise in application compatibility tests: Wipro, Infosys, TCS (Tata), Satyam, HP, Sogeti
    - http://technet.microsoft.com/en-us/windows/bb510132.aspx
    - ACF Training Site: contains training material for Partners willing to participate in ACF (ACT 5.5 + documentation + webcasts + slides)
  • 60. Application Compatibility – Training. Training program in English, approx. 12 hours, 300 level:
    - UAC Overview
    - Advanced UAC and Windows Resource Protection
    - IE in Protected Mode
    - Versioning, Folder Locations, Session 0 Isolation
    - ACT 5.5 Internals
    - Shims and Compatibility Administration
    - LUA Tools and Solutions
    - Sysinternals Tools and IE Compatibility Test Tool
    - Exam
  • 61. Support Options for Application Compatibility
    - Partner Online Technical Communities (OTC): Windows 7 Application Compatibility OTC, https://partner.microsoft.com/US/40014662; first response in 8 hours; local language
    - Public discussion lists: MSDN Application Compatibility for Windows Development; TechNet Windows 7 Application Compatibility Forum
    - W7 ISV Remediation Workshops (DPE): apply in “Green Light”, https://www.isvappcompat.com/Default.aspx; face to face, 2-3 days; bring your app to fix
    - Feel free to contact me: micham@microsoft.com
  • 62. Code Samples. Windows 7 Training Kit For Developers: hands-on labs and code samples (managed / unmanaged) about:
    - OS Version Checks
    - Session 0 Isolation
    - User Interface
    - Process Isolation (MIC)
    - Installer Detection
    - High DPI
    - Data Redirection (File and Registry Virtualization)
  • 63. Public Resources
    - Cookbooks (address compatibility): “Application Compatibility Cookbook”; “Windows 7 Application Quality Cookbook”
    - MSDN Application Compatibility: http://msdn.microsoft.com/en-us/windows/aa904987.aspx
    - TechNet Windows Application Compatibility: http://technet.microsoft.com/en-us/desktopdeployment/bb414773.aspx
    - Developer guides (general programming guides): Windows 7 UX Guide; Windows 7 Developer Guide
    - Sysinternals Tools Suite: http://technet.microsoft.com/en-us/sysinternals/bb842062.aspx