Application Compatibility Overview

Application Compatibility Overview Aaron Margosis, Microsoft Corporation http://blogs.msdn.com/b/aaron_margosis http://blogs.technet.com/b/fdcc


Transcript of Application Compatibility Overview

Page 1: Application Compatibility Overview

Application Compatibility Overview
Aaron Margosis, Microsoft Corporation
http://blogs.msdn.com/b/aaron_margosis
http://blogs.technet.com/b/fdcc

Page 2: Application Compatibility Overview

Agenda

Overview of the Windows 7 application compatibility landscape
• What breaks and why?
• What does Windows do to fix things?
• What options are available for apps that still break?

Not covered:
• Troubleshooting and remediation details

Page 3: Application Compatibility Overview

Why is app-compat hard?

• It never used to be this hard!
• Backward-compatibility used to win
• Shell Folders
• p:\\products\public
• CON, PRN, NUL

• Starting with XP SP2, not anymore
• Customers demanded better security
• Vista was the first major desktop OS release after TWC memo

Page 4: Application Compatibility Overview

What Breaks in Windows 7?

Page 5: Application Compatibility Overview

Some things that had to change:
Everyone runs as “standard user”

• The infamous User Account Control
• Even admins run as “standard user”
• The single biggest app-compat hit, ever

Page 6: Application Compatibility Overview

The Truth About UAC

• The first step toward Standard User
• Required to improve security and TCO

• Suite of technologies to fix stuff, not break it
• Running as standard user breaks stuff
• That’s why no one did it before UAC!

• Users shouldn’t be admins to begin with
• And can’t approve elevation prompts

• Disabling UAC turns off IE Protected Mode

Page 7: Application Compatibility Overview

We break – we fix:
UAC’s file and registry “virtualization”

• Redirects access attempts from protected areas to non-roaming parts of user profile

• Not related to App-V’s “bubble”
• This is per-user, not per-application

Page 8: Application Compatibility Overview

We break – we fix:
UAC’s file and registry “virtualization”

• Redirects access attempts from protected areas to non-roaming parts of user profile

• Transparent to the app
• Fixes many permissions-related issues
• Does not apply to all apps or all file types

Page 9: Application Compatibility Overview

Some things that had to change:
Internet Explorer 8 Standards Compliance

• Meets customer demand, good for the web
• App compat > 80%
• Compatibility View is extremely helpful
• On by default for Intranet
• Quirks mode also helpful, but no admin UI!

• Many tools available for troubleshooting
• Fixes either super easy or require devs
• Hardest problem: server apps for IE6 only
• E.g., Oracle, SAP
• MED-V a potential solution

Page 10: Application Compatibility Overview

Some things that had to change:
Internet Explorer Zone Changes (IE7 and Higher)

• Trusted Sites default settings tightened
• Intranet zone now the most permissive
• Only Intranet has automatic Windows authentication
• Trusted Sites now intended for external sites
• Common simple fix for web apps: make sure zone is correct!

Page 11: Application Compatibility Overview

Some things that had to change:
Internet Explorer Protected Mode

• Sandboxed environment
• Runs at “Low Integrity”
• Cannot write to most areas of file system or registry
• Limits impact of drive-bys
• IEPM has protected you from exploits
• …if you left UAC enabled

Page 12: Application Compatibility Overview

Internet Explorer Protected Mode

• “On” in Internet and Restricted Sites zones
• “Off” in Intranet and Trusted Sites
• May need to configure to recognize Intranet

• External sites can be added to Trusted Sites
• E.g., sites that require Java

• Again – setting zone correctly fixes many web apps
• Other products like the idea!
• Google Chrome
• Office 2010
• Adobe Reader X

Page 13: Application Compatibility Overview

Some things that just changed:
Windows version number

• Incorrect version checks: the most common bugs we find
• Making it 6.1 keeps more apps working!

• “Version lie” shims are easy to apply
• And now easier to lie to MSIs

• Still don’t think it can be that common?

Page 14: Application Compatibility Overview

Check the Windows version!

// This program requires WinXP or newer.
// Windows XP is version 5.1
// This is easy!
If Not (vMajor >= 5 AND vMinor >= 1) Then
{
    DisplayMessage("This program requires Windows XP or newer");
    LayDownAndDie;
}

Win7 as Windows 7.0?
vMajor: 7 >= 5
vMinor: 0 >= 1? Crap!

Vista is Windows 6.0:
vMajor: 6 >= 5
vMinor: 0 >= 1? Oops!

Win7 as Windows 6.1?
vMajor: 6 >= 5
vMinor: 1 >= 1! It works!
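The flawed check on this slide next to an ordered (major, then minor) comparison, as an added example in C that is not part of the original presentation. The function names and the Windows 2000 sample row are assumptions made for illustration.

```c
#include <stdio.h>

/* Constructed sample data: the version numbers discussed on the slide,
   plus Windows 2000 (5.0) as a system that should be rejected. */
struct win_version { const char *name; unsigned major, minor; };
static const struct win_version SAMPLES[] = {
    {"Windows 2000", 5, 0}, {"Windows XP", 5, 1},
    {"Windows Vista", 6, 0}, {"Windows 7 as shipped (6.1)", 6, 1},
    {"Windows 7 if numbered 7.0", 7, 0},
};
#define N_SAMPLES (sizeof SAMPLES / sizeof SAMPLES[0])

/* The slide's check: each field is tested on its own, so a newer major
   version with a smaller minor version is rejected. */
int buggy_is_xp_or_newer(unsigned major, unsigned minor) {
    return major >= 5 && minor >= 1;
}

/* Ordered comparison: minor only matters when the majors are equal. */
int version_at_least(unsigned major, unsigned minor,
                     unsigned req_major, unsigned req_minor) {
    if (major != req_major) return major > req_major;
    return minor >= req_minor;
}

/* Number of sample versions on which the two checks disagree. */
size_t count_disagreements(void) {
    size_t i, n = 0;
    for (i = 0; i < N_SAMPLES; i++) {
        if (buggy_is_xp_or_newer(SAMPLES[i].major, SAMPLES[i].minor) !=
            version_at_least(SAMPLES[i].major, SAMPLES[i].minor, 5, 1))
            n++;
    }
    return n;
}

int main(void) {
    size_t i;
    for (i = 0; i < N_SAMPLES; i++) {
        printf("%-28s buggy=%d ordered=%d\n", SAMPLES[i].name,
               buggy_is_xp_or_newer(SAMPLES[i].major, SAMPLES[i].minor),
               version_at_least(SAMPLES[i].major, SAMPLES[i].minor, 5, 1));
    }
    printf("disagreements: %lu\n", (unsigned long)count_disagreements());
    return 0;
}
```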

Page 15: Application Compatibility Overview

More things that just changed:
Folder locations

• We moved the profiles – again!
• Myth: We did this for no good reason
• Truth: There was probably a good reason

• And we changed where files need to go!
• Myth: No guidance about where to put stuff
• Truth: Well, yeah, but we’re fixing that

• Myth: Everything breaks, apps actually cry
• Truth 1: Correctly-written apps still work
• Truth 2: Junctions fix many bad apps

Page 16: Application Compatibility Overview

Directory Junctions

• Some support for old folder names
• Can traverse, but cannot list
• Can directly access files through old names
• Cannot list contents of these junctions

Page 17: Application Compatibility Overview

Where Should I Store Files?

Per-User Files

Location: Visible to user in Explorer
Symbolic constant: FOLDERID_Documents / CSIDL_MYDOCUMENTS
Windows 7 example: C:\Users\username\Documents
Windows XP equivalent: C:\Documents and Settings\username\My Documents

Location: Hidden from user, Local
Symbolic constant: FOLDERID_LocalAppData / CSIDL_LOCAL_APPDATA
Windows 7 example: C:\Users\username\AppData\Local
Windows XP equivalent: C:\Documents and Settings\username\Local Settings\Application Data

Location: Hidden from user, Roaming
Symbolic constant: FOLDERID_RoamingAppData / CSIDL_APPDATA
Windows 7 example: C:\Users\username\AppData\Roaming
Windows XP equivalent: C:\Documents and Settings\username\Application Data

Shared Files

Location: Visible to user in Explorer
Symbolic constant: FOLDERID_PublicDocuments / CSIDL_COMMON_DOCUMENTS
Windows 7 example: C:\Users\Public\Documents
Windows XP equivalent: C:\Documents and Settings\All Users\Documents

Location: Hidden from user, Local
Symbolic constant: FOLDERID_ProgramData / CSIDL_COMMON_APPDATA
Windows 7 example: C:\ProgramData
Windows XP equivalent: C:\Documents and Settings\All Users\Application Data

Page 18: Application Compatibility Overview

More things that just changed:
Default color scheme

Page 19: Application Compatibility Overview

More things that just changed:
Default color scheme

• Occasional mistake by VB6 devs
• Easy to fix (if you have the source)

• .NET WinForms made themes easy to use
• Oops: everyone tested only on Luna
• Fortunately, we have FakeLunaTheme shim

• Note: apps that work only with one theme probably violate accessibility laws
• You WILL go to jail! (US law – your laws may be harsher.)
• Push back if app owner insists on Classic Theme

Page 20: Application Compatibility Overview

What Do I Do With Broken Apps?

Page 21: Application Compatibility Overview

Options for Fixing Broken Apps
in (approximate) order of preference

1. Retire the app
2. Get an updated version of the app (from vendor or your developers)
3. Modify the installer via transforms or post-install scripts
4. Let UAC file/reg virtualization do its magic
5. Apply shims
6. Change permissions or policies
7. Machine virtualization (MED-V, VDI)

Independent issue: Application virtualization

Page 22: Application Compatibility Overview

Retiring Apps

• Maintaining a big inventory is expensive!
• Testing apps you don’t need is expensive!
• Just because it’s there doesn’t mean you need it (and have to test it)
• Does anyone actually use it?
• How often?
• How critical is it?
• Can it be replaced with something else?
• Excel? Calculator?

• How expensive/complex to repair?

Page 23: Application Compatibility Overview

Is the App Supported on Win7?

www.microsoft.com/windows/compatibility

• Search for apps or hardware
• Indicates support/non-support for x86/x64
• Based on vendor’s public claims
• Links to vendor web sites’ claims

Page 24: Application Compatibility Overview

Modifying Installers
MSI transforms or post-install scripts

Can fix several bug classes:
• Version check
• “Run once” bug
• App assumes user has admin rights
• Performs final install operations on first run

• “One user” bug
• Installer assumes installing user == end user
• Writes to HKCU, %USERPROFILE%

• Missing components (e.g., MSVBVM50)

Page 25: Application Compatibility Overview

What Are Shims?

• Applied to specific apps
• Configured with Compatibility Administrator in the App Compat Toolkit
• Deployable to enterprise

• Changes what the app thinks it sees
• Does not change what app is allowed to do

Page 26: Application Compatibility Overview

How Shims Work

[Diagram: a process containing App.exe, Custom1.dll, Custom2.dll, Crypt32.dll, Msxml3.dll and Urlmon.dll, each with an IAT entry for CreateFile; Kernel32.dll (CreateFileW implementation); and a shim DLL (CorrectFilePaths implementation).]

Page 27: Application Compatibility Overview

What Are Shims Good For?

• Bad Windows version checks
• Writing to HKCR at runtime
• Unnecessary checks for “am I admin?”
• Writing to WRP-protected keys and files
• Windows thinks your app is an installer
• Some file/registry redirections

Page 28: Application Compatibility Overview

When Are Shims Appropriate?

• Source code fix not feasible
• Vendor support not important

Page 29: Application Compatibility Overview

Shims – The Rest of the Story

• Some considerations…
• Not all general purpose shims have the same … “customer love” applied in their creation
• The tools are … “primitive”
• Shims management not integrated into other management tools (e.g. Group Policy)
• You can do a lot with just the Top 10 shims
• But becoming a shim ninja takes time and much practice

Page 30: Application Compatibility Overview

Changing Security Settings

• Only if other options don’t work:
  • Loosen file or registry permissions
  • Allow interactive user to start/stop a particular service or driver
  • Disable an IE security feature (e.g. DEP)
  • Relax a security policy (e.g., FIPS crypto)

• Must be done surgically
• Least amount of additional privilege on the smallest number of objects

Page 31: Application Compatibility Overview

Changing Security Settings

• Benefits:
  • Results often more predictable than with shims

• Drawbacks:
  • Risk of elevation of privilege
  • Risk of system instability
  • Requires threat modeling – hard to do right

Page 32: Application Compatibility Overview

Changing Security Settings:
How I’ve seen some do “standard user” on XP…

• ACL loosening scripts
• Most “required fixes” are now automatic

• Installing apps to writable folders
• Exposes EoP and infection risks

• Granting admin-equivalent rights
• (What could possibly go wrong?)

Page 33: Application Compatibility Overview

What is MED-V?
Microsoft Enterprise Desktop Virtualization

• Machine virtualization solution
• App actually runs on an XP OS
• User sees only the app window

• Centrally managed
• Part of MDOP
• Reasonable IE6 app compat story
• Seamless redirection of the browser

Page 34: Application Compatibility Overview
Page 35: Application Compatibility Overview

What Can MED-V Do?

• App designed for XP actually runs on XP
• Win7 deployment not held hostage by one app that resists all other compat solutions
• What it’s good for:
  • Web apps that require IE6
  • Running 16-bit apps on x64
  • Some types of desktop apps
  • Microsoft Agent

Page 36: Application Compatibility Overview

MED-V:
The rest of the story

• Postpones issues, does not solve them
• You must have an explicit exit strategy
• XP is already out of mainstream support
• XP extended support ends in 2014

• Need RAM, CPU to support guest VM
• Management requirements
• It is a separate computer
• Doesn’t inherit host’s AV, patches, policies, domain
• VM is hibernated when not running an app

• Apps can’t interact with host desktop apps
• E.g., app wants to automate Office apps or send email

Page 37: Application Compatibility Overview

Windows XP Mode
Here’s how, right?

Wrong!

Page 38: Application Compatibility Overview

What is Windows XP Mode?

• Windows XP SP3 virtual machine
• It’s not really a “mode” within Windows 7
• Similar to MED-V, without manageability

• License included with certain Win7 SKUs
• Designed only for Small Business market

• Install apps in the XP VM; shortcuts in the All Users’ Start Menu get copied to the host

• Click on shortcut in host Start menu, app appears in a window
• …eventually

Page 39: Application Compatibility Overview

Windows XP Mode
More of that story

• All the drawbacks of MED-V, plus
• Does not have MED-V’s IE6 redirection, and
• Default XP Mode user is admin
• Might conflict with enterprise policies

Page 40: Application Compatibility Overview

Resources

TechNet Magazine
June 2009
Articles by Chris Jackson and Chris Corio

Page 41: Application Compatibility Overview

Tools for identifying issues

• General issues: Sysinternals Process Monitor
  http://technet.microsoft.com/en-us/sysinternals/bb896645

• Admin permissions issues:
  • LUA Buglight
    http://blogs.msdn.com/b/aaron_margosis/archive/2011/03/23/lua-buglight-2-1-1-with-support-for-win7-2008r2-sp1.aspx
  • Standard User Analyzer (ships with App Compat Toolkit)
    http://www.microsoft.com/downloads/en/details.aspx?FamilyID=24da89e9-b581-47b0-b45e-492dd6da2971
    requires Application Verifier, downloaded separately:
    http://www.microsoft.com/downloads/en/details.aspx?FamilyID=C4A25AB9-649D-4A1B-B4A7-C9D8B095DF18

• For web apps:
  • IE’s built-in developer tools (F12 in IE8 and IE9)
  • Fiddler
    http://www.fiddler2.com
  • Expression Web SuperPreview

Page 42: Application Compatibility Overview

For More Information

• The Windows Vista and Windows Server 2008 Developer Story: Application Compatibility Cookbook
  http://msdn.microsoft.com/en-us/library/Aa480152

• Windows 7 and Windows Server 2008 R2 Application Quality Cookbook
  (describes changes from Vista to Win7, not from XP to Win7)
  http://msdn.microsoft.com/en-us/library/dd371778(VS.85).aspx

• The App Compat Guy (Chris Jackson)’s blog:
  http://www.appcompatguy.com

• My blogs:
  http://blogs.msdn.com/b/aaron_margosis and
  http://blogs.technet.com/b/fdcc

• TechEd online presentations by Chris Jackson and me:
  http://www.msteched.com


Page 43: Application Compatibility Overview

Stay up to date with TechNet Belux

Register for our newsletters and stay up to date:
http://www.technet-newsletters.be

• Technical updates
• Event announcements and registration
• Top downloads

Join us on Facebook
http://www.facebook.com/technetbe
http://www.facebook.com/technetbelux

LinkedIn: http://linkd.in/technetbelux/

Twitter: @technetbelux

Download MSDN/TechNet Desktop Gadget

http://bit.ly/msdntngadget

Page 44: Application Compatibility Overview

TechDays 2011 On-Demand

• Watch this session on-demand via TechNet Edge
  http://technet.microsoft.com/fr-be/edge/
  http://technet.microsoft.com/nl-be/edge/
• Download to your favorite MP3 or video player
• Get access to slides and recommended resources by the speakers

Page 45: Application Compatibility Overview

THANK YOU