Developing Compatible Software for Windows 7
Paul van Wingerden
Developer & Platform Group
Microsoft [email protected]
Agenda
• Experiences with Labs
• Builds on top of Vista
• Demo
• Overview UAC, WRP, …, …
• Next Steps
Windows 7 Builds on Windows Vista
Deployment, Testing, and Pilots Today Will Continue to Pay Off
Deep Changes: New models for security, drivers, deployment, and networking
Windows 7
Few Changes: Focus on quality and reliability improvements
Few Changes: Most software that runs on Windows Vista will run on Windows 7 - exceptions will be low level code (AV, Firewall, Imaging, etc). Hardware that runs Windows Vista well will run Windows 7 well.
Enable Richer Application Experiences
More natural user interaction
Windows Touch, ink and gesture support plus handwriting recognition enable new input capabilities.
New taskbar, destinations and shell integration enhance discoverability and usability
New extensible Ribbon adds Office 2007-style controls, menus, and galleries to your application.
Rich animation framework helps you integrate smooth dynamic motion.
Access hardware innovations
Direct 2D/3D allow you to deliver high-fidelity graphics and media
Multi-core support enhances application and device performance
Device Stage enables rich, customizable software experiences for connected devices
Build on a solid foundation
Improved fundamentals
Compatible: Works with your Windows Vista-based applications and devices
Secure: Greater flexibility with UAC while keeping security a priority
Responsive: Improved system performance and resource management
Greater developer productivity
More powerful scripting automation with PowerShell 2.0
Enhanced MSI engine makes software deployment easier
Improved accessibility and global support
Remote and virtual multi-monitor support
Simpler VHD mounting from within explorer
Integrate the best of Windows and web services
Extend web services to client applications
Federated Search allows you to extend local search to web data sources within your client application.
Internet Explorer 8, Silverlight and Windows Presentation Foundation (WPF) enable web to rich client applications – using common platform and tools
Windows Web Services API enables high-performance web-services integration.
Enable rich web experiences
Standards compliant IE8 delivers ‘out-of-the-box’ access to online services from within the page
Built-in dev tools within IE8 allow you to write code, run anywhere
Windows 7 for Developers
A solid foundation for new possibilities
Windows 7 features
demo
Experiences
• Running remediation labs in UK etc
• 95% in 5 types of errors
Top AppCompat Issues
• Moving from XP to Win 7
  • User Account Control
  • Services Isolation
• Moving from Vista to Win 7
  • Version checking
  • High DPI
  • Low level binary changes
User Account Control – Why?
• Applications run as Standard User by default
• What is a Standard User?
Not Allowed
• Install applications
• Change system components
• Change per machine settings
• Admin “privileges”
Allowed
• Run most applications
• Change per user settings
Why User Account Control?
• Running as administrator increases malware threats
• Windows XP had misplaced administrator checks that needed to get fixed
• Enterprises realize significant TCO reductions when running with managed systems
Windows 7 UAC goals
• All users run as Standard User by default
  • Filtered token created during logon
  • Only specially marked apps get the unfiltered token
• Explicit consent required for elevation
  • Predictable shell elevation paths
• High application compatibility
  • Data redirection
  • Enabling legacy apps to run as standard user
  • Installer Detection
UAC Architecture
[Diagram: Standard User Rights / Administrative Rights]
• Admin logon (Abby): “Standard User” Token, Admin Token
UAC Architecture: Standard User Mode
[Diagram: Standard User Rights / Administrative Rights]
• User Process (Abby, Standard User Privilege):
  • Read mail
  • Write documents
  • Run IT Approved Applications
  • Change Time Zone
  • Install Fonts, Printers
  • Run MSN Messenger
  • Etc.
UAC Architecture: Admin Privileges
[Diagram: Standard User Rights / Administrative Rights]
• User Process (Abby, Standard User Privilege):
  • Change Time Zone
  • Run IT Approved Applications
  • Install Fonts
  • Install Printers
  • Run MSN Messenger
  • Etc.
• Admin Process (Admin Privilege): Install Application
• Admin Process (Admin Privilege): Configure IIS
• Admin Process (Admin Privilege): Change Time
Consent UI
• OS Application
• Unsigned Application
• Signed Application
Credential UI (Over The Shoulder)
UX Goals: Simple & Predictable
1 Make application Standard user only
2 Clearly identify Administrative tasks
• Ensure Standard users can be fully productive
• Identify tasks that need elevation with a “shield”
UX: The Shield
• Attached to controls to indicate that elevation is required to use their associated feature
• Has only one state (i.e. no hover, disabled etc.)
• Does not remember elevated state
  • Not an unlock operation
• Can be programmatically set:
  • IDI_SHIELD icon resource
  • BCM_SETSHIELD button message
Security Shield UI Examples
The Standard User Problem
I am a developer, not a STANDARD user!
Too many apps break as standard user. It’s not worth the trouble.
The UAC Solution
Make it possible for most apps to run
Remove excuses for running as administrator
Encourage ISVs to develop for non-admins
UAC for Standard Users
• We fix things
• We allow you to elevate to admin
File and Registry Virtualization
• Client only
• Legacy applications only
• 32-bit applications only
• Non-elevated apps only
• Multiple copies of files
• Doesn’t apply to executable files
File Virtualization
• c:\program files
• c:\programdata
• c:\windows
File Virtualization
[Diagram: User Mode / Kernel Mode]
• Legacy Application: \Windows\App.ini → Luafv.sys → \Users\<user>\AppData\Local\VirtualStore\Windows\App.ini
• Vista Application: \Windows\App.ini → Ntfs.sys → Access Denied
Registry Virtualization
HKEY_LOCAL_MACHINE\Software
Registry Virtualization
[Diagram: User Mode / Kernel Mode]
• Legacy Application: HKLM\Software\App → HKCU\Software\Classes\VirtualStore\Machine\Software\App (Ntoskrnl.exe)
• Vista Application: Registry → Access Denied
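The redirection rules from the File and Registry Virtualization slides, as an added example that is not part of the original deck. It encodes only the conditions shown on the slides; the parameter names and the list of executable extensions are assumptions, and the "Client only" condition is not modeled. It can help locate where a legacy application's writes actually landed during troubleshooting or forensics.

```python
import ntpath

# Directories and registry root shown on the virtualization slides.
VIRTUALIZED_DIRS = (r"c:\program files", r"c:\programdata", r"c:\windows")
HKLM_SOFTWARE = r"HKEY_LOCAL_MACHINE\Software"
REG_STORE = r"HKCU\Software\Classes\VirtualStore\Machine\Software"
# Assumption: the slides say executables are excluded but list no extensions.
EXECUTABLE_EXTS = {".exe", ".dll", ".sys", ".bat", ".cmd"}


def is_virtualized(has_manifest, is_64bit, elevated):
    """Slide conditions: legacy (unmanifested), 32-bit, non-elevated apps only."""
    return not (has_manifest or is_64bit or elevated)


def redirect_file(path, user, has_manifest=False, is_64bit=False, elevated=False):
    """Per-user VirtualStore path for a protected-directory write, else None."""
    if not is_virtualized(has_manifest, is_64bit, elevated):
        return None
    norm = ntpath.normpath(path)
    lower = norm.lower()
    if ntpath.splitext(lower)[1] in EXECUTABLE_EXTS:
        return None
    drive, rest = ntpath.splitdrive(norm)
    for root in VIRTUALIZED_DIRS:
        if lower == root or lower.startswith(root + "\\"):
            return ntpath.join(drive + "\\", "Users", user, "AppData", "Local",
                               "VirtualStore", rest.lstrip("\\"))
    return None


def redirect_registry(key, has_manifest=False, is_64bit=False, elevated=False):
    """Per-user VirtualStore key for a write under HKLM\\Software, else None."""
    if not is_virtualized(has_manifest, is_64bit, elevated):
        return None
    if key.upper().startswith("HKLM\\"):
        key = "HKEY_LOCAL_MACHINE" + key[4:]
    root = HKLM_SOFTWARE.lower()
    if key.lower() == root or key.lower().startswith(root + "\\"):
        return REG_STORE + key[len(HKLM_SOFTWARE):]
    return None
```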
File Virtualization
demo
UAC for Administrators
• We fix things
• We let you run with fewer rights
• We let you elevate to full rights
The Split Token
• Run with fewer rights most of the time
• Conveniently elevate when you need rights
• Applies to interactive logons only
Creating the Split Token
• winlogon
• Create LUID with full token
• Create LUID with protected token
• CreateProcess explorer.exe with protected token
UAC OTS Elevation
[Diagram labels: Protected Administrator, System, Administrator]
• explorer.exe: ShellExecute(elevatedapp.exe)
• RPC
• AppInfo Service: consent.exe, CreateProcessAsUser(elevatedapp.exe)
• elevatedapp.exe: Reparented
UAC: OTS Dialogs
The Split Token
• Run with fewer rights most of the time
• Conveniently elevate when you need rights
• Applies to interactive logons only
Standard User Platform Fixes
Installer Detection
• Almost 100% of legacy installations would fail without installer detection and elevation
• Looks for Setup, Install, Update, etc.
• Looks in binary name and resources
• Automatically adds the shield icon when detected
Application Manifests
• Vista-aware applications embed an XML manifest
• Manifest contains a requestedExecutionLevel:
  • asInvoker: Launch with the same token as the parent process
  • highestAvailable: Launch with the highest token this user possesses
  • requireAdministrator: Highest token of the User provided User is a member of Administrators group
Sample Manifest
• MyAdminApp.exe.manifest:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="MyAdminApp" type="win32"/>
  <!-- Identify the application security requirements. -->
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="requireAdministrator"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>
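An audit helper for the Installer Detection and Application Manifests slides, added here as an example and not taken from the original deck. It reads the requestedExecutionLevel from a manifest and, for unmanifested binaries, applies the name keywords the slide lists; the function names and result labels are hypothetical, and the resource check mentioned on the slide is not modeled.

```python
import xml.etree.ElementTree as ET

LEVELS = ("asInvoker", "highestAvailable", "requireAdministrator")
# Keywords named on the Installer Detection slide; its "etc." is not expanded here.
INSTALLER_WORDS = ("setup", "install", "update")

# The MyAdminApp manifest from the slide, embedded as sample input.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity version="1.0.0.0" processorArchitecture="X86"
                    name="MyAdminApp" type="win32"/>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security><requestedPrivileges>
      <requestedExecutionLevel level="requireAdministrator"/>
    </requestedPrivileges></security>
  </trustInfo>
</assembly>"""


def requested_level(manifest_xml):
    """Return the requestedExecutionLevel value, or None if none is declared."""
    if not manifest_xml:
        return None
    for el in ET.fromstring(manifest_xml).iter():
        # Compare local names so the namespace version does not matter.
        if el.tag.rsplit("}", 1)[-1] == "requestedExecutionLevel":
            level = el.get("level")
            if level not in LEVELS:
                raise ValueError(f"unexpected execution level: {level!r}")
            return level
    return None


def launch_path(exe_name, manifest_xml=None):
    """Classify how UAC treats the binary, using only the rules on the slides."""
    level = requested_level(manifest_xml)
    if level:
        return "manifest:" + level
    # No declared level means a legacy application.
    if any(word in exe_name.lower() for word in INSTALLER_WORDS):
        return "legacy:installer-detection"
    return "legacy:standard-user"
```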
Mandatory Integrity Control (MIC)
• Traditional NT security revolves around process token
• Windows 7 enhances this with MIC:
  • Each process gets a MIC level
  • All resources get a MIC level
• There are four levels:
  • 0: Low
  • 1: Medium (Default)
  • 2: High
  • 3: System
MIC: Process Isolation: Protecting Administrative Applications
• Administrative and standard user applications share the same desktop
• Primary threats
  • Cross-process Window messages
  • DLL injection and create remote thread
• Process Isolation mechanisms
  • Integrity level for processes
  • UI privilege isolation
• “Lower” cannot interfere with “Higher”
• User Process: MIC = Medium
• Admin App: MIC = High
Process Isolation
Show integrity levels
Demo
MIC and Resources
• MIC levels apply to:
  • Processes
  • COM components
  • Services
  • Files
  • Registry keys
• View MIC level on files and other resources using “accesschk –i” (tool from www.sysinternals.com)
• IE currently only application that has a MIC level of Low
  • All IE resources need low as well
  • Resources medium by default in Vista
IE – Protected Mode
• Internet Explorer runs with low permissions
  • IE cannot modify user files, registry keys
  • File/registry writes are redirected, visible from IE only.
    • Different than UAC virtualization
  • Windows messaging blocked
• Issues
  • Controls that share data with external processes fail
  • New prompts requesting user permission may impact some apps
• Mitigations
  • Add the site to the trusted sites list (turns off protected mode)
• Surprising twists
  • Creating a COM component from IE
Sessions in XP/W2K/WS03
[Diagram]
• Session 0 (Window Station, Desktop): Services, Screen Saver, Login, 1st User’s Windows
• Shatter Attack
Sessions in Vista/Windows 7
[Diagram]
• Session 0 (Window Station, Desktop): Services
• Session 1 (Window Station, Desktop): Screen Saver, Login, 1st User’s Windows
• Secure
Session 0 Isolation
demo
Application Shim Technology
• “Shim Technology is an elegant technique that is used to fool some applications into running on versions of the operating system they may not have been designed for. It’s a method of 'hooking' the Win32 APIs that are called by a particular application program. Once installed, such hooks permit developers and support engineers to install alternate (stub) functions to be called in place of the original functions. The actions taken by the stub function comprise the fix for a particular application compatibility problem.”
  - Mark Derbecker
Shims for ISVs?
• Windows components change to support:
  • New technology
  • Bug fixes
  • Strategy changes
• OS changes may fix some, break others
• Simulate previous Windows ONLY for an app
Shim Application
• Implements Windows API hooks
• Shim engine is responsible for applying the shims
  • Load the shim DLL
  • Retrieve the APIs which should be hooked
  • Review the import table of the application to determine where hooks should be placed
  • Overwrite the addresses of the API calls with the address in the shim
How Shims are Loaded
• Shims are applied per executable
• Run initialization routines
• Shim engine applies API hooks
• Loader maps executable and statically linked DLLs into memory
Operating System Version
• Windows 7 is … Windows 6.1?
• dwMajorVersion stays the same
• dwMinorVersion changes
Remediation
• Check for features, not versions
• Use the > key
• Version lies
xxxVersionLie
• Symptoms: “Unsupported operating system”
• Fix description: Lies
Version Lie Shims
• Win95VersionLie
• WinNT4SP5VersionLie
• Win98VersionLie
• Win2000VersionLie
• Win2000SP1VersionLie
• Win2000SP2VersionLie
• Win2000SP3VersionLie
• WinXPVersionLie
• WinXPSP1VersionLie
• WinXPSP2VersionLie
• Win2K3RTMVersionLie
• Win2K3SP1VersionLie
• VistaRTMVersionLie
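Why version gates break when only dwMinorVersion moves, and what a version-lie shim changes, as an added example that is not part of the original deck. The three check functions are hypothetical application code; the shim names come from the slide and the version numbers are the public Windows version numbers.

```python
from collections import namedtuple

OSVersion = namedtuple("OSVersion", "dwMajorVersion dwMinorVersion")

# Public Windows version numbers.
RELEASES = {"Windows XP": OSVersion(5, 1), "Windows Vista": OSVersion(6, 0),
            "Windows 7": OSVersion(6, 1)}
# Shim names from the slide, mapped to the version each one reports.
VERSION_LIES = {"WinXPVersionLie": OSVersion(5, 1),
                "VistaRTMVersionLie": OSVersion(6, 0)}


def check_equal(v, minimum):
    """Exact match: stops working when only dwMinorVersion changes."""
    return v == minimum


def check_fieldwise(v, minimum):
    """Fields compared independently: rejects 6.0 when the minimum is 5.1."""
    return (v.dwMajorVersion >= minimum.dwMajorVersion
            and v.dwMinorVersion >= minimum.dwMinorVersion)


def check_ordered(v, minimum):
    """Major first, then minor (read here as the slide's 'Use the > key')."""
    return tuple(v) >= tuple(minimum)


def launches(check, release, minimum, shim=None):
    """Run an app's version gate against what the OS (or a shim) reports."""
    seen = VERSION_LIES[shim] if shim else RELEASES[release]
    return check(seen, minimum)


def wrongly_rejected(check, minimum):
    """Releases that meet the minimum but fail the app's check."""
    return [name for name, v in RELEASES.items()
            if tuple(v) >= tuple(minimum) and not check(v, minimum)]
```

An application gated with check_equal on 6.0 reports an unsupported operating system on Windows 7 and starts again once VistaRTMVersionLie is applied, while check_ordered needs no shim.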
Version Lie Layers
• Win95
• NT4SP5
• Win98
• Win2000
• Win2000SP2
• Win2000SP3
• WinXP
• WinXPSP1
• WinXPSP2
• WinXPSP2VersionLie
• WinSrv03
• WinSrv03SP1
• VistaRTM
Shims and Layers
[Diagram: Windows, Shim, Application, Child Application, Layer]
Layers: More Than Version Lies
VistaRTM Layer:
• DelayAppDllMain
• ElevateCreateProcess
• FailObsoleteShellAPIs
• FaultTolerantHeap
• GlobalMemoryStatus2GB
• HandleBadPtr
• NoGhost
• RedirectMP3Codec
• VirtualRegistry
• VistaRTMVersionLie
• WRPDllRegister
• WRPMitigation
ISV Impact Summary
• Certified for Windows Logo for Standard User?
  • It will just work on Windows 7
• Fails on Windows XP as Standard User? Possibly:
  • Mitigated by Redirection
  • Mitigated by App Compat Shim “IsAdmin()?”
• Simple app with Admin dependencies: split up
• Admin app on Windows XP: Needs to be manifested
• Web applications need special attention due to Protected Mode IE
• There are tools to help with this process (more later)
Resources
• Cookbooks
  • “Application Compatibility Cookbook”
  • “Windows 7 Application Quality Cookbook”
• MSDN Application Compatibility: http://msdn.microsoft.com/en-us/windows/aa904987.aspx
• TechNet Windows Application Compatibility: http://technet.microsoft.com/en-us/desktopdeployment/bb414773.aspx
• DevReadiness.org
• Channel 9: http://channel9.msdn.com/tags/Application+Compatibility/
© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows 7 and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation.
MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.