Developing Compatible Software for Windows 7

Paul van WingerdenDeveloper & Platform GroupMicrosoft BVpaulvanw@microsoft.com

Agenda

Experiences with LabsBuilts on top of VistaDemoOverview UAC, WRP, …, …

Next Steps

Few Changes: Most software that runs on Windows Vista will run on Windows 7 - exceptions will be low level code (AV,

Firewall, Imaging, etc). Hardware that runs Windows Vista well will run Windows 7 well.

Windows 7

Few Changes: Focus on quality and reliability improvements

Windows 7 Builds on Windows VistaDeployment, Testing, and Pilots Today Will Continue to Pay Off

Deep Changes: New models for security, drivers, deployment, and

networking

Enable Richer Application Experiences

More natural user interaction

Windows Touch, ink and gesture support plus handwriting recognition enable new input capabilities.

New taskbar, destinations and shell integration enhance discoverability and usability

New extensible Ribbon adds Office 2007-style controls, menus, and galleries to your application.

Rich animation framework helps you integrate smooth dynamic motion.

Access hardware innovations

Direct 2D/3D allow you to deliver high-Fidelity graphics and media

Multi-core support enhances application and device performance

Device Stage enables rich, customizable software experiences for connected devices

Build on a solid foundation

Improved fundamentalsCompatible: Works with your Windows Vista-based applications and devices

Secure: Greater flexibility with UAC while keeping security a priority

Responsive: Improved system performance and resource management

Greater developer productivity

More powerful scripting automation with PowerShell 2.0

Enhanced MSI engine makes software deployment easier

Improved accessibility and global support

Remote and virtual multi-monitor support

Simpler VHD mounting from within explorer

Integrate the best of Windows and web

services

Extend web services to client applications

Federated Search allows you to extend local search to web data sources within your client application.

Internet Explorer 8, Silverlight and Windows Presentation Foundation (WPF) enable web to rich client applications – using common platform and tools

Windows Web Services API enables high-performance web-services integration.

Enable rich web experiences

Standards compliant IE8 delivers of ‘out-of-the-box’ access to online services from within the page

Built-in dev tools within IE8 allows you to write code, run anywhere

Windows 7 for DevelopersA solid foundation for new possibilities

Windows 7 features

demo

Experiences

• Running remediation labs in UK etc• 95% in 5 types of errors

Top AppCompat Issues

• Moving from XP to Win 7• User Account Control• Services Isolation

• Moving from Vista to Win 7• Version checking• High DPI• Low level binary changes

User Account Control – Why?

• Applications run as Standard User by default• What is a Standard User?

Not Allowed

• Install applications•Change system components•Change per machine settings•Admin “privileges”

Allowed

• Run most applications• Change per user settings

Why User Account Control?

• Running as administrator increases malware threats

• Windows XP had misplaced administrator checks that needed to get fixed

• Enterprises realize significant TCO reductions when running with managed systems

Windows 7 UAC goals• All users run as Standard User by

default• Filtered token created during logon• Only specially marked apps get the

unfiltered token

• Explicit consent required for elevation• Predictable shell elevation paths

• High application compatibility• Data redirection• Enabling legacy apps to run as standard user

• Installer Detection

UAC Architecture Standard User Rights

Administrative Rights

Admin logon

“Standard User” Token

Admin TokenAbby

UAC Architecture Standard User Rights

Administrative Rights

User Process

• Read mail

• Write documents

• Run IT Approved Applications

• Change Time Zone

• Install Fonts, Printers

• Run MSN Messenger

• Etc.

Standard User Mode

Standard User Privilege

Abby

UAC Architecture Standard User Rights

Administrative Rights

User Process

• Change Time Zone

• Run IT Approved Applications

• Install Fonts

• Install Printers

• Run MSN Messenger

• Etc.

Admin Privileges

Standard User Privilege

Abby

Admin Process

Install Application

Admin Process

Configure IIS

Admin Process

Change Time

Admin Privilege

Admin Privilege

Admin Privilege

Consent UIOS Application

Unsigned Application

Signed Application

Credential UI (Over The Shoulder)

UX Goals: Simple & Predictable1 Make application Standard user only2 Clearly identify Administrative tasks• Ensure Standard users can be fully

productive• Identify tasks that need elevation with a

“shield”

UX: The Shield

• Attached to controls to indicate that elevation is required to use their associated feature

• Has only one state (i.e. no hover, disabled etc.)

• Does not remember elevated state• Not an unlock operation

• Can be programmatically set:• IDI_SHIELD icon resource• BCM_SETSHIELD button message

Security Shield UI Examples

The Standard User Problem

I am a developer,

not a STANDARD

user!

Too many apps break as standard

user. It’s not worth the trouble.

The UAC Solution

Make it possible for most apps to run

Remove excuses for running as administrator

Encourage ISVs to develop for non-admins

UAC for Standard Users

We fix thingsWe allow you to elevate to admin

File and Registry Virtualization

Client onlyLegacy applications only32-bit applications onlyNon-elevated apps onlyMultiple copies of filesDoesn’t apply to executable files

File Virtualization

c:\program filesc:\programdatac:\windows

File Virtualization

Luafv.sys

Ntfs.sys

Legacy Application

User Mode

Kernel Mode

\Windows\App.ini

\Users\<user>\AppData\Local\VirtualStore\Windows\App.ini

Vista Application

\Windows\App.ini

Access Denied

Registry Virtualization

HKEY_LOCAL_MACHINE\Software

Registry Virtualization

Ntoskrnl.exe

Legacy Application

User Mode

Kernel Mode

HKLM\Software\App

HKCU\Software\Classes\VirtualStore\Machine\Software\App

Vista Application

Registry

Access Denied

File Virtualization

demo

UAC for Administrators

We fix thingsWe let you run with fewer rightsWe let you elevate to full rights

The Split Token

Run with fewer rights most of the timeConveniently elevate when you need rightsApplies to interactive logons only

Creating the Split Token

winlogon

Create LUID withfull token

Create LUID withprotected token

CreateProcess explorer.exe

with protected token

UAC OTS Elevation

Protected Administrator System Administrator

explorer.exe AppInfo Service

consent.exe

elevatedapp.exeRPC

Reparented

ShellExecute(elevatedapp.exe) CreateProcessAsUser(elevatedapp.exe)

UAC: OTS Dialogs

The Split Token

• Run with fewer rights most of the time• Conveniently elevate when you need

rights• Applies to interactive logons only

Standard User Platform Fixes

Installer Detection

• Almost 100% of legacy installations would fail without installer detection and elevation

• Looks for Setup, Install, Update, etc.• Looks in binary name and resources• Automatically adds the shield icon

when detected

Application Manifests

• Vista-aware applications embed an XML manifest

• Manifest contains a requestedExecutionLevel:

asInvoker Launch with the same token as the parent process

highestAvailable Launch with the highest token this user possesses

requireAdministrator

Highest token of the User provided User is a member of Administrators group

Sample Manifest

• MyAdminApp.exe.manifest:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" processorArchitecture="X86“ name="MyAdminApp" type="win32"/>

<!-- Identify the application security requirements. --> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level="requireAdministrator"/>

</requestedPrivileges> </security> </trustInfo></assembly>

Mandatory Integrity Control (MIC)

• Traditional NT security revolves around process token

• Windows 7 enhances this with MIC:• Each process gets a MIC level• All resources get a MIC level

• There are four levels:• 0: Low • 1: Medium (Default)• 2: High• 3: System

MIC: Process Isolation:Protecting Administrative Applications • Administrative and standard user applications share the same desktop• Primary threats• Cross-process Window messages• DLL injection and create remote thread

• Process Isolation mechanisms• Integrity level for processes• UI privilege isolation

• “Lower” cannot interfere with “Higher”

User ProcessMIC = Medium

Admin AppMIC = High

Process Isolation

Show integrity levels

Demo

MIC and Resources

• MIC levels apply to:• Processes• COM components• Services• Files• Registry keys

• View MIC level on files and other resources using “accesschk –i” (tool from www.sysinternals.com)

• IE currently only application that has a MIC level of Low

• All IE resources need low as well• Resources medium by default in Vista

IE – Protected Mode

• Internet explorer runs with low permissions• IE cannot modify user files, registry keys• File/registry writes are redirected, visible from IE only.

• Different than UAC virtualization

• Windows messaging blocked• Issues

• Controls that share data with external processes fail• New prompts requesting user permission may impact some

apps

• Mitigations• Add the site to the trusted sites list (turns off protected

mode)

• Surprising twists• Creating a COM component from IE

Session 0

Window StationDesktop

Screen Saver

Login

Sessions in XP/W2K/WS03

Services

1st User’sWindow

1st User’sWindow

1st User’sWindow

Shatter Attack

Sessions in Vista/Windows 7Session 0

Window StationDesktop

Service

Service

Session 1

Window StationDesktop

Screen Saver

Login

1st User’sWindow

1st User’sWindow

1st User’sWindow

Secure

Session 0 Isolation

demo

Application Shim Technology

• “Shim Technology is an elegant technique that is used to fool some applications into running on versions of the operating system they may not have been designed for. It’s a method of 'hooking' the Win32 APIs that are called by a particular application program. Once installed, such hooks permit developers and support engineers to install alternate (stub) functions to be called in place of the original functions. The actions taken by the stub function comprise the fix for a particular application compatibility problem.”• - Mark Derbecker

Shims for ISVs?

• Windows components change to support:• New technology• Bug fixes• Strategy changes

• OS changes may fix some, break others

• Simulate previous Windows ONLY for an app

Shim Application

• Implements Windows API hooks• Shim engine is responsible for

applying the shims

Load the shim DLL

Retrieve the APIs which should be hooked

Review the import table

of the application

to determine

where hooks should be

placed

Overwrite the

addresses of the API calls

with the address in the shim

How Shims are Loaded

• Shims are applied per executable

Run initialization routines

Shim engine applies

API hooks

Loader maps executable

and statically linked DLLs into memory

Operating System Version

Windows 7 is … Windows 6.1?dwMajorVersion stays the samedwMinorVersion changes

RemediationCheck for features, not versionsUse the > keyVersion lies

xxxVersionLie

Symptoms“Unsupported operating system”

Fix descriptionLies

Version Lie Shims

Win95VersionLieWinNT4SP5VersionLieWin98VersionLieWin2000VersionLieWin2000SP1VersionLieWin2000SP2VersionLie

Win2000SP3VersionLieWinXPVersionLieWinXPSP1VersionLieWinXPSP2VersionLieWin2K3RTMVersionLieWin2K3SP1VersionLieVistaRTMVersionLie

Version Lie Layers

Win95NT4SP5Win98Win2000Win2000SP2Win2000SP3

WinXPWinXPSP1WinXPSP2WinXPSP2VersionLieWinSrv03WinSrv03SP1VistaRTM

Shims and Layers

Windows

Shim

ApplicationChild

Application

Layer

Layers: More Than Version LiesVistaRTM Layer:

DelayAppDllMainElevateCreateProcessFailObsoleteShellAPIsFaultTolerantHeapGlobalMemoryStatus2GBHandleBadPtr

NoGhostRedirectMP3CodecVirtualRegistryVistaRTMVersionLieWRPDllRegisterWRPMitigation

ISV Impact Summary• Certified for Windows Logo for Standard User?• It will just work on Windows 7

• Fails on Windows XP as Standard User?Possibly:• Mitigated by Redirection• Mitigated by App Compat Shim “IsAdmin()?”• Simple app with Admin dependencies: split up• Admin app on Windows XP: Needs to be

manifested• Web applications need special attention due to

Protected Mode IE

• There are tools to help with this process (more later)

Resources

• Cookbooks• “Application Compatibility Cookbook”• “Windows 7 Application Quality Cookbook”

• MSDN Application Compatibility: http://msdn.microsoft.com/en-us/windows/aa904987.aspx

• TechNet Windows Application Compatibility: http://technet.microsoft.com/en-us/desktopdeployment/bb414773.aspx

• DevReadiness.org• Channel 9:

http://channel9.msdn.com/tags/Application+Compatibility/

© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows 7 and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing

market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation.

MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.