Application Compatibility Overview

Application Compatibility Overview. Aaron Margosis, Microsoft Corporation http://blogs.msdn.com/b/aaron_margosis http://blogs.technet.com/b/fdcc. Agenda. Overview of the Windows 7 application compatibility landscape What breaks and why? What does Windows do to fix things?

Presentation Transcript


  1. Application Compatibility Overview Aaron Margosis, Microsoft Corporation http://blogs.msdn.com/b/aaron_margosis http://blogs.technet.com/b/fdcc

  2. Agenda Overview of the Windows 7 application compatibility landscape • What breaks and why? • What does Windows do to fix things? • What options are available for apps that still break? Not covered: • Troubleshooting and remediation details

  3. Why is app-compat hard? • It never used to be this hard! • Backward-compatibility used to win • Shell Folders • p:\\products\public • CON, PRN, NUL • Starting with XP SP2, not anymore • Customers demanded better security • Vista was the first major desktop OS release after TWC memo

  4. What Breaks in Windows 7?

  5. Some things that had to change: Everyone runs as “standard user” • The infamous User Account Control • Even admins run as “standard user” • The single biggest app-compat hit, ever

  6. The Truth About UAC • The first step toward Standard User • Required to improve security and TCO • Suite of technologies to fix stuff, not break it • Running as standard user breaks stuff • That’s why no one did it before UAC! • Users shouldn’t be admins to begin with • And can’t approve elevation prompts • Disabling UAC turns off IE Protected Mode

  7. We break – we fix: UAC’s file and registry “virtualization” • Redirects access attempts from protected areas to non-roaming parts of user profile • Not related to App-V’s “bubble” • This is per-user, not per-application

  8. We break – we fix: UAC’s file and registry “virtualization” • Redirects access attempts from protected areas to non-roaming parts of user profile • Transparent to the app • Fixes many permissions-related issues • Does not apply to all apps or all file types

  9. Some things that had to change: Internet Explorer 8 Standards Compliance • Meets customer demand, good for the web • App compat > 80% • Compatibility View is extremely helpful • On by default for Intranet • Quirks mode also helpful, but no admin UI! • Many tools available for troubleshooting • Fixes either super easy or require devs • Hardest problem: server apps for IE6 only • E.g., Oracle, SAP → MED-V a potential solution

  10. Some things that had to change: Internet Explorer Zone Changes (IE7 and Higher) • Trusted Sites default settings tightened • Intranet zone now the most permissive • Only Intranet has automatic Windows authentication • Trusted Sites now intended for external sites • Common simple fix for web apps: make sure zone is correct!

  11. Some things that had to change: Internet Explorer Protected Mode • Sandboxed environment • Runs at “Low Integrity” • Cannot write to most areas of file system or registry • Limits impact of drive-bys • IEPM has protected you from exploits • …if you left UAC enabled

  12. Internet Explorer Protected Mode • “On” in Internet and Restricted Sites zones • “Off” in Intranet and Trusted Sites • May need to configure to recognize Intranet • External sites can be added to Trusted Sites • E.g., sites that require Java • Again – setting zone correctly fixes many web apps • Other products like the idea! • Google Chrome • Office 2010 • Adobe Reader X

  13. Some things that just changed: Windows version number • Incorrect version checks: the most common bugs we find • Making it 6.1 keeps more apps working! • “Version lie” shims are easy to apply • And now easier to lie to MSIs • Still don’t think it can be that common?

  14. Check the Windows version!

      // This program requires WinXP or newer.
      // Windows XP is version 5.1
      // This is easy!
      If Not (vMajor >= 5 AND vMinor >= 1) Then {
          DisplayMessage("This program requires Windows XP or newer");
          LayDownAndDie;
      }

      • Win7 as Windows 7.0? vMajor: 7 >= 5, vMinor: 0 >= 1? Crap!
      • Win7 as Windows 6.1? vMajor: 6 >= 5, vMinor: 1 >= 1! It works!
      • Vista is Windows 6.0: vMajor: 6 >= 5, vMinor: 0 >= 1? Oops!
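
The slide's check tests the major and minor fields independently, which is why Vista (6.0) fails it. An added example in C, not code from the presentation, puts the same flawed test beside an ordered (major, minor) comparison; the `os_version` type and the function names are hypothetical, and the sample versions are constructed.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed type for this example; not a Windows API structure. */
typedef struct { unsigned major, minor; } os_version;

/* The check from the slide, kept buggy on purpose: each field is compared
   on its own, so any x.0 release newer than 5.x is rejected. */
bool buggy_is_xp_or_newer(os_version v)
{
    return v.major >= 5 && v.minor >= 1;
}

/* Correct form: compare (major, minor) as an ordered pair. The minor
   number only matters when the major numbers are equal. */
bool is_at_least(os_version v, os_version required)
{
    if (v.major != required.major)
        return v.major > required.major;
    return v.minor >= required.minor;
}

int main(void)
{
    const os_version xp = {5, 1};
    /* Constructed samples: the versions named on the slide plus Windows 2000. */
    const struct { const char *name; os_version v; } samples[] = {
        {"Windows 2000 (5.0)",  {5, 0}},
        {"Windows XP (5.1)",    {5, 1}},
        {"Windows Vista (6.0)", {6, 0}},
        {"Windows 7 (6.1)",     {6, 1}},
        {"hypothetical 7.0",    {7, 0}},
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-22s buggy=%d correct=%d\n", samples[i].name,
               buggy_is_xp_or_newer(samples[i].v),
               is_at_least(samples[i].v, xp));
    return 0;
}
```
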

  15. More things that just changed: Folder locations • We moved the profiles – again! • Myth: We did this for no good reason • Truth: There was probably a good reason • And we changed where files need to go! • Myth: No guidance about where to put stuff • Truth: Well, yeah, but we’re fixing that • Myth: Everything breaks, apps actually cry • Truth 1: Correctly-written apps still work • Truth 2: Junctions fix many bad apps Wrong!

  16. Directory Junctions • Some support for old folder names • Can traverse, but cannot list • Can directly access files through old names • Cannot list contents of these junctions

  17. Where Should I Store Files?

  18. More things that just changed: Default color scheme

  19. More things that just changed: Default color scheme • Occasional mistake by VB6 devs • Easy to fix (if you have the source) • .NET WinForms made themes easy to use • Oops: everyone tested only on Luna • Fortunately, we have FakeLunaTheme shim • Note: apps that work only with one theme probably violate accessibility laws • You WILL go to jail! (US law – your laws may be harsher.) • Push back if app owner insists on Classic Theme

  20. What Do I Do With Broken Apps?

  21. Options for Fixing Broken Apps in (approximate) order of preference • Retire the app • Get an updated version of the app (from vendor or your developers) • Modify the installer via transforms or post-install scripts • Let UAC file/reg virtualization do its magic • Apply shims • Change permissions or policies • Machine virtualization (MED-V, VDI) Independent issue: Application virtualization

  22. Retiring Apps • Maintaining a big inventory is expensive! • Testing apps you don’t need is expensive! • Just because it’s there doesn’t mean you need it (and have to test it) • Does anyone actually use it? • How often? • How critical is it? • Can it be replaced with something else? • Excel? Calculator? • How expensive/complex to repair?

  23. Is the App Supported on Win7? www.microsoft.com/windows/compatibility • Search for apps or hardware • Indicates support/non-support for x86/x64 • Based on vendor’s public claims • Links to vendor web sites’ claims

  24. Modifying Installers: MSI transforms or post-install scripts Can fix several bug classes: • Version check • “Run once” bug • App assumes user has admin rights • Performs final install operations on first run • “One user” bug • Installer assumes installing user == end user • Writes to HKCU, %USERPROFILE% • Missing components (e.g., MSVBVM50)

  25. What Are Shims? • Applied to specific apps • Configured with Compatibility Administrator in the App Compat Toolkit • Deployable to enterprise • Changes what the app thinks it sees • Does not change what app is allowed to do

  26. How Shims Work [Diagram: a process containing App.exe, Msxml3.dll, Crypt32.dll, Urlmon.dll, Custom1.dll and Custom2.dll, each with an IAT entry for CreateFile; a Shim DLL holding the CorrectFilePaths implementation; and Kernel32.dll holding the CreateFileW implementation.]
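
A toy model of the redirection this slide diagrams, added here and not taken from the presentation or from Windows: each module's import entry for CreateFile is a function pointer, and applying the shim repoints it at a CorrectFilePaths stand-in that rewrites the path and forwards to the real call. All names, paths and the access rule are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
/* Toy model, not Windows code: each module's "IAT" is one function pointer. */
typedef int (*create_file_fn)(const char *path, char *opened, size_t n);
struct module { const char *name; create_file_fn iat_create_file; };

static const char PROTECTED[] = "C:\\Program Files\\";       /* constructed */
static const char APP_DIR[]   = "C:\\Program Files\\App\\";  /* constructed */
static const char USER_DIR[]  = "C:\\Users\\alice\\AppData\\Local\\App\\";
static int starts_with(const char *s, const char *p) { return strncmp(s, p, strlen(p)) == 0; }

/* Stand-in for the Kernel32 implementation: 0 on success, -1 if access denied. */
int real_create_file(const char *path, char *opened, size_t n)
{
    if (starts_with(path, PROTECTED)) return -1;   /* access is enforced here */
    snprintf(opened, n, "%s", path);
    return 0;
}

/* Stand-in for the shim DLL's CorrectFilePaths: rewrites one known prefix,
   then forwards to the real implementation, which still does the check. */
int shim_create_file(const char *path, char *opened, size_t n)
{
    char fixed[260];
    if (starts_with(path, APP_DIR)) {
        snprintf(fixed, sizeof fixed, "%s%s", USER_DIR, path + strlen(APP_DIR));
        path = fixed;
    }
    return real_create_file(path, opened, n);
}

/* Applying the shim to a module repoints its import table entry. */
void apply_shim(struct module *m) { m->iat_create_file = shim_create_file; }

/* Application code always calls through its own import table entry. */
int app_write(const struct module *m, const char *path, char *opened, size_t n)
{
    return m->iat_create_file(path, opened, n);
}

int main(void)
{
    struct module app = { "App.exe", real_create_file };
    char opened[260] = "";
    apply_shim(&app);
    int rc = app_write(&app, "C:\\Program Files\\App\\settings.ini", opened, sizeof opened);
    printf("%s: rc=%d opened=%s\n", app.name, rc, opened);
    return 0;
}
```

The shimmed call succeeds only because the rewritten path is one the user could already write; a protected path the shim does not rewrite is still denied, since the access check in the real implementation is untouched.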

  27. What Are Shims Good For? • Bad Windows version checks • Writing to HKCR at runtime • Unnecessary checks for “am I admin?” • Writing to WRP-protected keys and files • Windows thinks your app is an installer • Some file/registry redirections

  28. When Are Shims Appropriate? • Source code fix not feasible • Vendor support not important

  29. Shims – The Rest of the Story • Some considerations… • Not all general purpose shims have the same … “customer love” applied in their creation • The tools are … “primitive” • Shims management not integrated into other management tools (e.g. Group Policy) • You can do a lot with just the Top 10 shims • But becoming a shim ninja takes time and much practice

  30. Changing Security Settings • Only if other options don’t work: • Loosen file or registry permissions • Allow interactive user to start/stop a particular service or driver • Disable an IE security feature (e.g. DEP) • Relax a security policy (e.g., FIPS crypto) • Must be done surgically • Least amount of additional privilege on the smallest number of objects

  31. Changing Security Settings • Benefits: • Results often more predictable than with shims • Drawbacks: • Risk of elevation of privilege • Risk of system instability • Requires threat modeling – hard to do right

  32. Changing Security Settings: How I’ve seen some do “standard user” on XP… • ACL loosening scripts • Most “required fixes” are now automatic • Installing apps to writable folders • Exposes EoP and infection risks • Granting admin-equivalent rights • (What could possibly go wrong?)

  33. What is MED-V? Microsoft Enterprise Desktop Virtualization • Machine virtualization solution • App actually runs on an XP OS • User sees only the app window • Centrally managed • Part of MDOP • Reasonable IE6 app compat story • Seamless redirection of the browser

  34. What Can MED-V Do? • App designed for XP actually runs on XP • Win7 deployment not held hostage by one app that resists all other compat solutions • What it’s good for: • Web apps that require IE6 • Running 16-bit apps on x64 • Some types of desktop apps • Microsoft Agent

  35. MED-V: The rest of the story • Postpones issues, does not solve them • You must have an explicit exit strategy • XP is already out of mainstream support • XP extended support ends in 2014 • Need RAM, CPU to support guest VM • Management requirements • It is a separate computer • Doesn’t inherit host’s AV, patches, policies, domain • VM is hibernated when not running an app • Apps can’t interact with host desktop apps • E.g., app wants to automate Office apps or send email

  36. Windows XP Mode: Here’s how, right? Wrong!

  37. What is Windows XP Mode? • Windows XP SP3 virtual machine • It’s not really a “mode” within Windows 7 • Similar to MED-V, without manageability • License included with certain Win7 SKUs • Designed only for Small Business market • Install apps in the XP VM; shortcuts in the All Users’ Start Menu get copied to the host • Click on shortcut in host Start menu, app appears in a window • …eventually

  38. Windows XP Mode: More of that story • All the drawbacks of MED-V, plus • Does not have MED-V’s IE6 redirection, and • Default XP Mode user is admin • Might conflict with enterprise policies

  39. Resources • TechNet Magazine • June 2009 • Articles by Chris Jackson and Chris Corio

  40. Tools for identifying issues • General issues: Sysinternals Process Monitor http://technet.microsoft.com/en-us/sysinternals/bb896645 • Admin permissions issues: • LUA Buglight http://blogs.msdn.com/b/aaron_margosis/archive/2011/03/23/lua-buglight-2-1-1-with-support-for-win7-2008r2-sp1.aspx • Standard User Analyzer (ships with App Compat Toolkit) http://www.microsoft.com/downloads/en/details.aspx?FamilyID=24da89e9-b581-47b0-b45e-492dd6da2971 requires Application Verifier, downloaded separately: http://www.microsoft.com/downloads/en/details.aspx?FamilyID=C4A25AB9-649D-4A1B-B4A7-C9D8B095DF18 • For web apps: • IE’s built-in developer tools (F12 in IE8 and IE9) • Fiddler http://www.fiddler2.com • Expression Web SuperPreview

  41. For More Information • The Windows Vista and Windows Server 2008 Developer Story: Application Compatibility Cookbook http://msdn.microsoft.com/en-us/library/Aa480152 • Windows 7 and Windows Server 2008 R2 Application Quality Cookbook (describes changes from Vista to Win7, not from XP to Win7) http://msdn.microsoft.com/en-us/library/dd371778(VS.85).aspx • The App Compat Guy (Chris Jackson)’s blog: http://www.appcompatguy.com • My blogs: http://blogs.msdn.com/b/aaron_margosis and http://blogs.technet.com/b/fdcc • TechEd online presentations by Chris Jackson and me: http://www.msteched.com

  42. Stay up to date with TechNet Belux Register for our newsletters and stay up to date: http://www.technet-newsletters.be • Technical updates • Event announcements and registration • Top downloads Join us on Facebook http://www.facebook.com/technetbe http://www.facebook.com/technetbelux LinkedIn: http://linkd.in/technetbelux/ Twitter: @technetbelux Download MSDN/TechNet Desktop Gadget http://bit.ly/msdntngadget

  43. TechDays 2011 On-Demand • Watch this session on-demand via TechNet Edge http://technet.microsoft.com/fr-be/edge/ http://technet.microsoft.com/nl-be/edge/ • Download to your favorite MP3 or video player • Get access to slides and recommended resources by the speakers

  44. THANK YOU