Windows Vista Application Compatibility

1
Windows Vista Application Compatibility
Simon Martyn Infrastructure Specialist smartyn_at_iqg
roup.net The IQ Business Group Technology
Services Division
2
Agenda

• Windows Vista Innovation and Compatibility
• Top Compatibility Issues in Windows Vista
• Application Compatibility Toolkit (ACT) 5.0
• Call To Action
• Resources
• Question and Answer

3
Innovation and Compatibility

• Windows Vista Pillars
• Security
• Reliability
• Application Compatibility (most applications just
  work)
• Performance
• Feedback and Supportability
• Improvements in Windows Vista occasionally break
  compatibility. Microsoft has created these tools
  and services to help with Application
  Compatibility
• Application Compatibility Toolkit 5.0 (ACT)
• Windows Vista Upgrade Advisor 1.0
• Vista Readiness Assessment Tool
• Application Compatibility Factory
• Windows Logo programs
• SWAT team and on campus labs

4
Agenda

• Windows Vista Innovation and Compatibility
• Top Compatibility Issues in Windows Vista
• Application Compatibility Toolkit (ACT) 5.0
• Call To Action
• Resources
• Question and Answer

5
Top Compatibility Issues With Windows Vista

• User Account Control (UAC)
• Windows Resource Protection (WRP)
• Internet Explorer 7 Protected Mode
• Windows Vista 64-bit
• Windows Filtering Platform
• Deprecations/GINA/Session 0 (High Impact/Low
  Frequency)
• Operating System Version Change
• Overall, high compatibility in Windows Vista

6
User Account Control (UAC)

• Description
• Enabling users to run with a standard user
  account
• Security feature to reduce introduction of
  vulnerabilities (Malware, Trojan, Viruses)
• Issues
• Custom installers and updaters need administrator
  privileges
• Unnecessary administrator checks
• Writing to file or registry locations that are
  not virtualized
• Mitigation
• Some common shims - Virtualization shims, Force
  Admin Access
• Relax ACL's on files and folders

7
Windows Resource Protection (WRP)

• Description
• Increase system stability by protecting Windows
  resources (files, folders, registry).
• Issues
• Application installers that attempt to replace,
  modify, or delete OS files and/or registry keys
  that are protected will fail with an access
  denied error message because the resource could
  not be updated.
• Remedies
• Never repackage Microsoft redistributables (use
  the Microsoft provided redistributable package
  instead).
• Do not write to system files and registry keys.

8
Internet Explorer 7 Protected Mode

• Description
• Internet Explorer 7 runs in Protected Mode, with
  greatly restricted privileges
• Issues
• IE cannot modify user files, registry keys
• Applications may not know how to handle new
  prompts requesting user permissions
• Mitigation
• Add the site in question to the trusted sites
  list.

9
Windows Vista 64-bit

• Description
• Windows Vista fully supports the 64-bit
  architecture processors from AMD and Intel.
• The 64-bit version of Windows Vista can run all
  32-bit applications with the help of the WOW64
  emulator.
• Issues
• Applications or components that use 16-bit
  executables, 16-bit installers or 32-bit kernel
  drivers will either fail to start or will
  function improperly on a 64-bit edition of
  Windows Vista.
• Remedies
• Remove all 16-bit components.
• Convert 16-bit installers to 32-bit or 64-bit
  installers
• Ensure that all 64-bit drivers are digitally
  signed

10
Windows Filtering Platform

• Description
• The Windows Filtering Platform (WFP) API allows
  developers to create code that interacts with the
  filtering that takes place at several layers in
  the networking stack and throughout the operating
  system .
• Publicly supported APIs.
• Issues
• Network scanning anti-virus and firewall
  applications will fail
• Remedies
• Update applications to use the new WFP APIs
• Microsoft is engaged with networking, firewall
  and anti-virus vendors to adopt the new platform

11
Deprecations

• Description
• Deprecations removal of APIs or DLLs from
  Windows Vista that existed in Windows XP
• Issues
• Applications lose functionality or dont start up
  correctly
• Remedies
• Search MSDN to look for replacement of API

12
Graphical Identification and Authentication (GINA)

• Description
• Windows Vista introduces a new authentication
  model (new Credential Provider API)
• Issues
• Users will not be able to logon using Custom
  logon applications. These may include
• Biometric devices (fingerprint reader)
• Custom UI for logon
• Virtual private network (VPN) solutions for
  remote users with custom logon UI
• Remedies
• The applications or components that use the GINA
  technology will need to be re-authored to use the
  new logon authentication model for Windows Vista
• For all credential provider information and
  questions, send e-mail to the Shell Credential
  Provider alias credprov_at_microsoft.com

13
Session 0

• Description
• Services are isolated to run in their own private
  Session (Session 0) to enhance security.
• Users no longer share this session
• Issues
• Services with user interaction may hang as UI is
  not visible to the user
• Remedies
• Update Apps, to ensure services do not display UI
• In-box mitigation where notification is sent to
  current user when there is UI in Session 0

14
Operating System Version Change

• Description
• The internal version number for Windows Vista is
  changed to 6. The GetVersion function will now
  return this version number to applications when
  queried.
• Issues
• Any application that specifically checks for the
  OS version will get a higher version number which
  it may not be designed to handle
• Application installers may prevent themselves
  from installing and applications may prevent
  themselves from starting.
• Mitigation
• Use compatibility administrator and apply XP SP2
  layer or version lie shim

15
Agenda

• Windows Vista Innovation and Compatibility
• Top Compatibility Issues in Windows Vista
• Application Compatibility Toolkit (ACT) 5.0
• Call To Action
• Resources
• Question and Answer

16
Application Compatibility Toolkit

• Customer Target
• Medium/Large Businesses and Large Enterprises
• Mission
• A lifecycle management tool that assists in
  identifying and managing your overall
  application/device/computer portfolio, reducing
  the cost and time involved in resolving
  application compatibility issues, and helping you
  quickly deploy Windows Vista and Windows Updates.
  
• Strategy
• Help detect, diagnose, and mitigate compatibility
  issues found in Windows Vista
• Microsoft Compatibility Exchange to facilitate
  exchange of compatibility data between ISV/IHV,
  Microsoft, and customers
• Deliver tools that are timely and relevant to
  Windows releases

17
ACT 5.0 - High Level Architecture
4
Compatibility Exchange
Desktop Topology
2
Log Processing Service
Internet
3
1
Application Compatibility Manager
Agent Framework/Compatibility Evaluators
Betty
Wilma
18
ACT Methodology
Collect Data
Analyze
Test
Inventory Applications and Devices Gather high-le
vel compatibility evaluator data
In-depth testing with dev/test tools Log test
data Build and test mitigations
Prioritize and Categorize Synchronize data with
Microsoft Compatibility Exchange Identify
high-level issues
19
COLLECT

• Inventory and Compatibility Data

19
20
ACT Data Collection Architecture
21
Compatibility Evaluators for Vista

• Inventory Collector
• Gathers data on a computer regarding
  applications, devices (device manager), and
  system information.
• User Account Control
• Detects which applications may have issues with
  running as Standard User on Vista
• Windows Vista
• Deprecations - identifies applications that are
  loading binaries or using APIs that will be
  removed in Vista
• GINA - identifies applications that installed a
  Graphical Identification and Authentication
  (GINA) DLL
• Session 0 - identifies applications with
  interactive services
• Internet Explorer
• Detects compatibility issues with web
  applications due to IE security features

22
Compatibility Evaluator for Updates

• Detects applications impacted by Windows Updates

Windows Updates
Enterprise Desktop Topology
Application Compatibility Manager
Update Manifest
Update Compatibility Evaluator Data
23
ACT - Collect
24
ANALYZE

• Prioritize, Categorize, Rationalize, Synchronize
  and Manage compatibility data

24
25
Prioritize, Categorize, Rationalize
25
26
Consolidated view from all data providers
27
Microsoft Compatibility Exchange

• Features
• IT Pros helping each other out by sharing of
  application compatibility rating with community
• Secure and privacy compliant transactions
• Simple and easy to share
• Submission can be anonymous or by user name
• Partner with MCS and deployment specialist in
  building and seeding community data
• Scalable solution

• Features
• Feedback mechanism to vendors on most requested
  applications
• Authoritative data compliments community rating
• Leverage existing Microsoft data repositories
  (test, certification, logo, vendor portal)
• Limited data due to dependencies on Vendor Portal
  and test team

28
ACT - Analyze
29
TEST AND MITIGATE

• Test, Debug, Resolve, Deploy Solutions

29
30
Developer and Tester Tools

• Standard User Analyzer
• Provides a way for testers to further test the
  LOB applications to determine what will fail as
  Standard User on Vista
• Internet Explorer Test Tool
• Provides a way for testers to further test the
  intranet web applications to understand the exact
  issue and determine which of their web
  applications will not work with IE 7
• Setup Analysis Tool
• Detects issues such as WRP, installing of 32 bit
  kernel mode drivers, 16 bit components to flag
  any of your packages which could run into this
  issue
• Compatibility Administrator
• Helps IT Admins, Developers, Testers create and
  test compatibility shim/fixes (no code changes
  required)

31
ACT Test and Mitigate
32
Standard User Analyzer

• The Standard User Analyzer is a tool to help
  diagnose potential issues with an application
  when it is run as a standard user
• Based on LUA Predictor technology in Application
  Verifier (AppVerifier)
• Intercepts common API calls which usually require
  elevated privileges
• Predicts whether these API calls would have
  succeeded as a standard user

32
32
33
SUA - API Coverage

• File system access (e.g. Program Files)
• Registry access (e.g. HKLM)
• INI WriteProfile (privileged locations)
• Token checking (explicit checks)
• Privilege (e.g. enabling SeDebugPrivilege)
• Namespace (creating global objects)
• Other securable objects (events, mutexes,
  waitable timers, semaphores, etc.)
• Process creation (attempting to launch another
  process which requires elevation)

33
34
Internet Explorer Compatibility Test Tool

• Installs the IE Compatibility Evaluator
• Enables Internet Explorer logging
• Compatibility issues are recorded in the event
  log
• IECE processes the event log to list events
• You can see the events real time, helps for easy
  debugging

34
35
ACT Feature Comparison
36
Call To Action

• Download ACT 5.0 RC Now!!
• http//connect.microsoft.com/site/sitehome.aspx?Si
  teID81
• Leverage services provided by Microsoft and
  Partners
• Application Compatibility Factory, Windows Logo
  Program

37
Application Compatibility Resources

• For IT Professionals
• Application Compatibility in Windows Vista
• http//www.microsoft.com/technet/windowsvista/appc
  ompat/default.mspx
• Business Desktop Deployment Solution Accelerator
• http//www.microsoft.com/technet/desktopdeployment
  /bddoverview.mspx
• Download ACT 5.0 RC
• http//connect.microsoft.com/site/sitehome.aspx?Si
  teID81
• For Developers
• Application Compatibility Cookbook
• http//msdn.microsoft.com/windowsvista/default.as
  px?pull/library/en-us/dnlong/html/AppComp.asp 
• Windows Vista Application Development
  Requirements for User Account Control
  http//download.microsoft.com/download/5/6/a/56a0e
  d11-e073-42f9-932b-38acd478f46d/WindowsVistaUACDev
  Reqs.doc
• Questions related to SUA
• suatool_at_microsoft.com
• ACT Newsgroup
• http//www.microsoft.com/communities/newsgroups/li
  st/en-us/default.aspx?dgmicrosoft.public.deployme
  nt.app_compatibility

38
Thank you to our Partners for their support of
TechDays 2007
39
(No Transcript)