
Windows Vista Application Compatibility 101 Heinrich Gantenbein Senior Consultant Application Experience SWAT


Session Objectives

You will gain knowledge about known Windows Vista application compatibility issues

You will learn best practices for troubleshooting some of the more common known Windows Vista application compatibility issues

What We Will Cover Today

Program Compatibility Assistant

AppHelp Messages

In-depth look at the most common issues:

OS Version

User Account Control (UAC)

Windows Resource Protection (WRP)

Internet Explorer Protected Mode

A brief look at some less common issues

Program Compatibility Assistant

Install Failures

Application Failures

Excluding Applications

Program Compatibility Assistant

Program Compatibility Assistant (PCA) is a new, client-only feature

PCA automatically detects and mitigates some known application compatibility issues

If PCA detects a compatibility issue in a program, it…

Notifies the user

Offers to apply solutions that could resolve the issue

PCA: Detecting Install Failure

Monitors a program detected as an installer by Windows Vista and checks whether the program registers an entry in Add or Remove Programs (ARP)

If no entries are created in ARP, PCA concludes that setup did not complete successfully

PCA: Detecting Install Failure (cont.)

PCA relies on the User Account Control (UAC) feature in Windows Vista to know if a program is an installer

UAC includes detection for installers and will make sure the detected setup programs run elevated (as administrator)

This includes getting administrative credentials or confirmation from the user before launching the program

PCA: Install Failure

Typical Error Message

PCA: Install Failure (cont.)

PCA will detect this failure scenario and display a user interface similar to this.

PCA: Install Failure Actions

'Reinstall using recommended settings'

Applies the Windows XP compatibility mode and restarts the program.

'The program installed correctly'

In some cases, PCA might come up for a setup program that completed correctly but did not create an entry in ARP. In those cases, users can use this option.

'Cancel'

PCA will do nothing.

PCA: Install Failure Fix Under the Hood

The compatibility mode will be applied to programs by setting a registry key under 'HKLM\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers' with key name = 'full path of the exe' and string value = 'WINXPSP2' indicating the compatibility mode

The fix is effective for all users (due to HKLM).

PCA: Detecting Application Failure

Problem scenario

Child process launch fails due to the requirement to run elevated.

Detection mechanism

CreateProcess API instrumentation

Solution

Applies the ElevateCreateProcess compatibility fix automatically, due to high confidence in the issue detection

Detecting Application Failure (cont.)

PCA: Application Failure Fix Under the Hood

The compatibility mode will be applied to programs by setting a registry key under 'HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers' with key name = 'full path of the exe' and string value = 'ElevateCreateProcess' indicating the compatibility mode

The fix is effective only for the current user (due to HKCU).

Excluding Programs from PCA

PCA is intended to detect issues with programs designed for previous versions of Windows.

To exclude a program from PCA, include an application manifest with a run level (either admin or as limited user) marking for UAC.

This applies to both installer and regular programs.

Excluding Programs from PCA (cont.)

A group policy setting is provided to disable PCA for all programs if required.

The name of the policy is 'Turn Off Program Compatibility Assistant' and can be found under 'Administrative Templates > Windows Components > Application Compatibility' in the group policy editor (gpedit.msc).

To keep tests from succeeding by accident

During application development

Application Help Messages

System contains a list of programs known to have compatibility issues.

The list is stored in the System application database.

Messages are known as the Application Help (apphelp) messages.

Messages must be approved by the ISV to be included.

AppHelp: Hard Block

If the program is known to be incompatible and allowing it to run may result in severe impact to the system (for example, a stop error or being unable to boot after the install), the following blocking message will be displayed.

AppHelp: Soft Block

This type of warning message is used in the case of programs that have known compatibility issues but whose impact on the system is not severe.

AppHelp: Check for Solutions

Typically the response will be one of three types:

Pointing the user to an update from the software vendor for that program.

Pointing the user to a software vendor website for more information.

Pointing the user to a Microsoft Knowledge Base article for more information.

Common Issues

OS Version

User Account Control

Windows Resource Protection

Internet Explorer Protected Mode

Operating System Version

Internal version number for Windows Vista is 6.0. The GetVersion function returns this version number.

Symptoms

Applications that check for OS version will get a higher version number.

Application installers may prevent themselves from installing the app and apps may prevent themselves from starting.

Applications may warn users and continue to function properly.

OS Version: Mitigation

For apps and installers that check for OS version, a compatibility mode is provided in Windows Vista.

Users can right-click the shortcut or the EXE and apply the Windows XP SP2 compatibility mode from the Compatibility tab. This applies multiple shims including "WinXPSP2VersionLie".

Better: Apply only the shim "WinXPSP2VersionLie"

In many cases, applications will work the same way that they did in Windows XP and there is no need for changes to the application.

Version Problem and Mitigation

OS Version: Fixes

Applications should not perform version checks for equality (== 5.1)

If you need a specific feature, check whether the feature is available

If you need Windows XP, check for Windows XP or later (>= 5.1)

Exceptions to this occur when there is a very specific business or legal need to do a version check, such as a regulatory body requiring you to certify your application for each operating system and version
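
The version-check advice above, as an added example that is not part of the slides: GetVersion() packs the OS version into a DWORD (low byte = major, next byte = minor); the code decodes that packing with constructed XP and Vista values and contrasts the equality check the slide warns against with a proper ">= 5.1" comparison. It is plain C with no Win32 headers, and version_lie_xpsp2() is a simplified model of what the WinXPSP2VersionLie shim does, not the shim itself.

```c
/* Added example, not from the slides: decode GetVersion()'s packed DWORD and
 * compare OS versions the way the slide recommends (>=, never ==).
 * Plain C with constructed values, so it builds without Win32 headers. */
#include <stdio.h>
#include <stdint.h>

/* Constructed sample values using the version numbers quoted on the slides. */
#define PACKED_XP_SP2 ((uint32_t)(5u | (1u << 8)))  /* Windows XP: 5.1 */
#define PACKED_VISTA  ((uint32_t)(6u | (0u << 8)))  /* Windows Vista: 6.0 */

/* Same byte layout as the low word of GetVersion()'s return value. */
static void decode_version(uint32_t dwVersion, unsigned *major, unsigned *minor)
{
    *major = dwVersion & 0xFFu;          /* LOBYTE(LOWORD(dwVersion)) */
    *minor = (dwVersion >> 8) & 0xFFu;   /* HIBYTE(LOWORD(dwVersion)) */
}

/* Anti-pattern 1: equality check (== 5.1). Fails on every later OS. */
int is_xp_exact(uint32_t dwVersion)
{
    unsigned major, minor;
    decode_version(dwVersion, &major, &minor);
    return major == 5 && minor == 1;
}

/* Anti-pattern 2: comparing major and minor independently. Vista (6.0)
 * fails the "minor >= 1" test even though it is newer than XP (5.1). */
int is_xp_or_later_naive(uint32_t dwVersion)
{
    unsigned major, minor;
    decode_version(dwVersion, &major, &minor);
    return major >= 5 && minor >= 1;
}

/* Correct: lexicographic (major, minor) comparison, i.e. a true ">= 5.1". */
int version_at_least(uint32_t dwVersion, unsigned reqMajor, unsigned reqMinor)
{
    unsigned major, minor;
    decode_version(dwVersion, &major, &minor);
    return major > reqMajor || (major == reqMajor && minor >= reqMinor);
}

/* Simplified model of the WinXPSP2VersionLie shim (assumption of this
 * example): the application keeps its broken check and the API simply
 * reports 5.1 to it, which is why the shim works without code changes. */
uint32_t version_lie_xpsp2(uint32_t realVersion)
{
    (void)realVersion;
    return PACKED_XP_SP2;
}

int main(void)
{
    printf("Vista passes '== 5.1'             : %d\n", is_xp_exact(PACKED_VISTA));
    printf("Vista passes naive '>= 5.1'       : %d\n", is_xp_or_later_naive(PACKED_VISTA));
    printf("Vista passes correct '>= 5.1'     : %d\n", version_at_least(PACKED_VISTA, 5, 1));
    printf("Vista + VersionLie passes '== 5.1': %d\n",
           is_xp_exact(version_lie_xpsp2(PACKED_VISTA)));
    return 0;
}
```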


Why: User Account Control

OS is at risk from malware when user is running as Administrator

Ease with which malware can self-install

Privilege elevation through security holes in software

Extent of damage caused by malware is potentially greater

Accidental damage caused by user

How: User Account Control

With Windows Vista, all users run as Standard User by default, including members of the Admin group

Only true for interactive logins; services continue to run as before in Windows XP

Two tokens are created at logon (split token)

Standard User Token

Administrator SID set as Deny Only (can still be used to deny access, but not to grant)

Runs with medium integrity level (IL)

Most privileges removed (e.g. SeDebugPrivilege)

Administrator Token

Administrator SID has all rights assigned

Runs with high integrity level (IL)

All privileges are present

How: User Account Control (cont.)

Standard User Token is used until explicit consent is given, then Administrator Token is used (Consent UI)

Supporting feature: Unnecessary Administrator checks (in XP) have been removed

Example: Change time zone

UAC Split Token

UAC: Automatic Mitigations

PCA automates mitigation of some UAC compatibility issues

UAC detects installers and automatically elevates them to admin status

Heuristics such as the string "Setup" in:

Name

Resource strings

Application Compatibility shims in system database

UAC: Automatic Mitigations (cont.)

Virtualization

Redirects privileged file access to C:\Users\%username%\AppData\Local\VirtualStore

C:\Program Files

C:\Program Data

C:\Windows

Redirects registry access from HKLM to HKCU\Software\Classes\VirtualStore\MACHINE

UAC: Automatic Mitigations (cont.)

Virtualization (cont.)

Redirection is "sticky"

Deleting all virtual copies removes the "stickiness"

Elevated process not affected

Executables with manifest do not participate

Side effects: multiple virtualized copies (one per user and one for all elevated processes)

Redirection of Privileged File Access

UAC: Generic Symptoms

Explicit access right error message

Event Log contains security or application messages indicating security problems

Application crashes or fails to install

Application fails to update via its automatic updater

Application fails to remember saved settings

Symptoms vary widely and are difficult to diagnose

Investigation Steps and Tools

Determine whether application was designed to run as administrator

Run as administrator – does it work?

Check redirection locations

C:\Users\%username%\AppData\Local\VirtualStore

HKCU\Software\Classes\VirtualStore\MACHINE

Event Log

Regmon for failed registry access

Filemon for failed file access
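
The redirection rules from the Virtualization slides and the "check redirection locations" step above, as one added example that is not part of the slides: given the path or registry key a legacy program tried to write, it computes the VirtualStore location an investigator should look in. The roots are the three file roots and the HKLM mapping listed on the slides; the case-insensitive prefix match and the function names are this example's own, and it ignores the exclusions Windows applies (for example, executable file types are never virtualized).

```c
/* Added example, not from the slides: map a privileged file path or HKLM key
 * to the per-user VirtualStore location that UAC virtualization writes to.
 * Roots are those listed on the slides; matching rules are an assumption. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Case-insensitive "does s start with prefix"; returns prefix length or 0. */
static size_t prefix_len_ci(const char *s, const char *prefix)
{
    size_t n = strlen(prefix);
    for (size_t i = 0; i < n; i++) {
        if (s[i] == '\0' ||
            tolower((unsigned char)s[i]) != tolower((unsigned char)prefix[i]))
            return 0;
    }
    return n;
}

/* File roots that virtualization redirects, as listed on the slide. */
static const char *const FILE_ROOTS[] = {
    "C:\\Program Files", "C:\\Program Data", "C:\\Windows"
};

/* Writes the redirected path into out; returns 1 if the path is under a
 * virtualized root, 0 if virtualization would not redirect it. */
int virtual_store_file_path(const char *path, const char *username,
                            char *out, size_t outsz)
{
    for (size_t i = 0; i < sizeof FILE_ROOTS / sizeof FILE_ROOTS[0]; i++) {
        size_t n = prefix_len_ci(path, FILE_ROOTS[i]);
        /* Require a path-component boundary so "C:\Windows2" does not match. */
        if (n && (path[n] == '\\' || path[n] == '\0')) {
            /* VirtualStore mirrors the tree below the drive letter. */
            snprintf(out, outsz, "C:\\Users\\%s\\AppData\\Local\\VirtualStore%s",
                     username, path + 2);
            return 1;
        }
    }
    return 0;
}

/* HKLM\... is redirected to HKCU\Software\Classes\VirtualStore\MACHINE\... */
int virtual_store_registry_path(const char *key, char *out, size_t outsz)
{
    size_t n = prefix_len_ci(key, "HKLM");
    if (n && key[n] == '\\') {
        snprintf(out, outsz, "HKCU\\Software\\Classes\\VirtualStore\\MACHINE%s",
                 key + n);
        return 1;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample inputs for a hypothetical legacy application. */
    char buf[512];
    if (virtual_store_file_path("C:\\Program Files\\LegacyApp\\settings.ini",
                                "alice", buf, sizeof buf))
        printf("file  -> %s\n", buf);
    if (virtual_store_registry_path("HKLM\\Software\\LegacyApp", buf, sizeof buf))
        printf("reg   -> %s\n", buf);
    if (!virtual_store_file_path("C:\\Users\\alice\\Documents\\notes.txt",
                                 "alice", buf, sizeof buf))
        printf("user profile path is not redirected\n");
    return 0;
}
```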

Investigation Steps and Tools (cont.)

Application Compatibility specific tools

Enterprises: UAC Compatibility Evaluator in ACT 5.0

Standard User Analyzer (SUA)

LUA Buglight

Debuggers (if all else fails)

Visual Studio

Debugging Tools for Windows (e.g. Windbg)

Failure to work → Run elevated

Event Log

UAC: Mitigation

Right-click on executable → Select Run as administrator (elevated)

Set Properties → Compatibility tab → Run as administrator

Use an application manifest to specify desired run level

All applications should have one

Removes application compatibility overhead (shims, PCA, virtualization) at run time

Internal manifest (compiled into the application)

External manifest (added as a separate file)

Properties Compatibility Tab

UAC Manifest File

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity type="Win32" processorArchitecture="*"
                    version="1.0.0.0" name="AppCompatDemo.exe"/>
  <description>Vista Application Compatibility Class Demo</description>
  <ms_asmv2:trustInfo xmlns:ms_asmv2="urn:schemas-microsoft-com:asm.v2">
    <ms_asmv2:security>
      <ms_asmv2:requestedPrivileges>
        <!-- level is one of asInvoker, highestAvailable, requireAdministrator -->
        <ms_asmv2:requestedExecutionLevel level="highestAvailable" uiAccess="false"/>
      </ms_asmv2:requestedPrivileges>
    </ms_asmv2:security>
  </ms_asmv2:trustInfo>
</assembly>

Possible Execution Levels

requireAdministrator

The application runs only for administrators and requires that the application be launched with the full token of an administrator

asInvoker

The application runs with the same token as the parent process

highestAvailable

The application runs with the highest privileges the current user can obtain

UAC External Manifest

Create a manifest file with the name <app_name>.exe.manifest and put it in the same directory as the EXE

Ignored if application has an internal manifest

Many applications have an internal manifest


UAC Internal Manifest

Build manifest into application binary

Disables PCA, shims and virtualization

Preferred method for all new applications

To learn more check the following resources:

http://blogs.msdn.com/cjacks/archive/2006/09/08/745729.aspx

http://blogs.msdn.com/cheller/archive/2006/08/24/718757.aspx

UAC: Installer Fails (1)

Symptoms

No UAC prompt

Failure of installer

Cause

Installer not detected due to non-standard name and therefore not elevated

Fixes

Rename to setup.exe

Mark executable to run elevated

Rename Custom Installer

UAC: Installer Fails (2)

Symptom

MSI with delayed custom action runs elevated but fails

Cause

MSI contains delayed custom action (ActionType=1025)

Fixes

Redesign to use non-delayed custom action (ActionType=3073)

Edit MSI to change ActionType to 3073

Run from elevated command prompt
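
The two ActionType values above, decoded as an added example that is not part of the slides: the Windows Installer CustomAction table's Type column is a bit field, and the constants used here are the documented msidbCustomActionType* flags from the Windows Installer SDK (the struct and helper names are this example's own). The bit in which 1025 and 3073 differ is NoImpersonate (2048): without it a deferred custom action impersonates the user who launched setup, so under UAC it gets that user's unelevated token even though the MSI itself was elevated; with it the action runs in the installer service's system context.

```c
/* Added example, not from the slides: decode the Windows Installer
 * CustomAction "Type" bit field for the values the slide contrasts.
 * Flag constants are the documented msidbCustomActionType* values. */
#include <stdio.h>
#include <stdint.h>

#define MSIDB_CA_BASE_MASK     0x0007u  /* 1=DLL 2=EXE 3=text 5=JScript 6=VBScript 7=nested install */
#define MSIDB_CA_INSCRIPT      0x0400u  /* deferred: run from the installation script */
#define MSIDB_CA_NOIMPERSONATE 0x0800u  /* run in the installer service's system context */

typedef struct {
    unsigned base_type;      /* low three bits: what kind of action it is */
    int      deferred;       /* InScript bit set (also set for rollback/commit) */
    int      no_impersonate; /* NoImpersonate bit set */
} ca_type_info;

ca_type_info decode_action_type(uint32_t type)
{
    ca_type_info info;
    info.base_type      = type & MSIDB_CA_BASE_MASK;
    info.deferred       = (type & MSIDB_CA_INSCRIPT) != 0;
    info.no_impersonate = (type & MSIDB_CA_NOIMPERSONATE) != 0;
    return info;
}

/* A deferred action with NoImpersonate runs as LocalSystem inside the
 * elevated installer service; without the bit it impersonates the user who
 * launched setup, i.e. the unelevated token under UAC. */
int runs_in_system_context(uint32_t type)
{
    ca_type_info info = decode_action_type(type);
    return info.deferred && info.no_impersonate;
}

/* The edit the slide describes making in Orca, expressed as a bit operation. */
uint32_t add_no_impersonate(uint32_t type)
{
    return type | MSIDB_CA_NOIMPERSONATE;
}

static void describe(uint32_t type)
{
    ca_type_info info = decode_action_type(type);
    printf("Type %u: base=%u deferred=%d no_impersonate=%d -> %s\n",
           (unsigned)type, info.base_type, info.deferred, info.no_impersonate,
           runs_in_system_context(type) ? "system context"
                                        : "impersonates invoking user");
}

int main(void)
{
    describe(1025);                     /* value the slide says fails */
    describe(3073);                     /* value the slide recommends */
    describe(add_no_impersonate(1025)); /* the Orca edit yields 3073 */
    return 0;
}
```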

Change Action Type in MSI Using ORCA

UAC: Installer Fails (3)

Symptom

Self-extracting EXE or custom wrapper runs elevated and executes a script, but script fails

Cause

UAC prompt occurs on self-extracting EXE or custom wrapper, but elevated privileges are not transferred to script

Fixes

Redesign to use MSI

Run from elevated command prompt

UAC: Integrated Updater Fails

Symptoms

Update fails when application with integrated updater tries to update itself

Various manifestations: silent, error message, crash, etc.

Cause

Application not running elevated

Application not designed to prompt for elevation

Fixes

Redesign by separating the privileged functions

Separate EXE

Use Shield Icon when redesigning

Use alternate deployment technologies

ClickOnce

MSI patching

Run application elevated (not recommended)

Setting up a Security Shield

Send the BCM_SETSHIELD message to a button control, using SendMessage

Fails for owner-drawn buttons

Get icon and render in owner draw handler

HICON shieldIcon = LoadIcon(NULL, IDI_SHIELD);

Unmanaged code (C++)

SendMessage call can be invoked more easily using the Button_SetElevationRequiredState macro

Managed code (C#, VB.NET)

Use P/Invoke

Page 57:

Proper Design for Elevation UI

Page 58:

UAC: Separate Updater Fails

Symptoms

Update fails when an application with a separate updater tries to update itself

Various manifestations: silent failure, error message, crash, etc.

Cause

The separate updater is not detected as an installer (installer detection keys on file names such as setup, install and update, and on the version resource) and is therefore not elevated by PCA

Fixes

Mark the updater to run elevated (requestedExecutionLevel level="requireAdministrator" in its manifest)

Use alternate deployment technologies: ClickOnce, MSI patching

Page 59:

UAC: Application Fails (1)

Symptoms

Many, from minor feature misbehavior to spectacular crash

Cause

The application attempts a privileged operation (for example writing under HKLM, %ProgramFiles% or %windir%) and is denied access because it is not running elevated

Mitigation and Fixes

Redesign to work with least-privileged resources (per-user locations such as %AppData% and HKCU)

Eliminate the need for privilege completely (least privilege); separate administrative functions from regular operations

Page 60:

UAC: Application Fails (1) (cont.)

Mitigations and Fixes (cont.)

Apply a redirection shim (e.g. RedirectFiles, RedirectRegistry)

Change the ACL on selected files and registry keys; at deployment time this can be done with a script or Group Policy

Warning: perform a full security review first. Making a directory that holds executables or plug-ins writable by standard users lets any code running as that user replace what administrators or services later load

Mark the application to run elevated: a good solution if the application has only administrative tasks (e.g. Event Viewer), a bad solution for mixed usage

Page 61:

ACL Relaxing

Page 62:

ACL Relaxing Script

Enterprises will use a script to relax ACLs

Warning: perform a full security review first

Deploy with the standard enterprise deployment mechanism

XCACLS script helper (grants the user Modify on the directory):

XCACLS <dirname> /G <domain>\<username>:M

Package it in a .cmd file; on Windows Vista the built-in icacls.exe can grant the same Modify right

Download and documentation:

http://www.microsoft.com/downloads/details.aspx?FamilyID=0ad33a24-0616-473c-b103-c35bc2820bda&DisplayLang=en

http://support.microsoft.com/default.aspx?scid=kb;en-us;825751

Page 63:

Common Issues

OS Version

User Account Control

Windows Resource Protection

Internet Explorer Protected Mode

Page 64:

Why: Windows Resource Protection

Core operating system files and registry keys can be overwritten with older versions or malicious code, causing serious stability and security issues.

Windows Resource Protection (WRP) is designed to protect those objects from being overwritten.

This increases system stability, predictability, and reliability.

Page 65:

How: Windows Resource Protection

Updates to protected resources are restricted to the OS trusted installers, such as Windows Update; protected resources are owned by NT SERVICE\TrustedInstaller, which is the only identity with write access, while Administrators and SYSTEM get read and execute

Affects specific files, folders, and registry keys:

The majority of core OS modules (EXE and DLL)

The majority of core OS HKCR registry keys

Folders used exclusively by OS resources (e.g. some of the inetpub folders)

Page 66:

WRP: Application Fails

Symptoms

Application does not install or fails to work properly

Similar to the symptoms of UAC issues, but the UAC mitigation (running elevated) does not help, because even an elevated administrator has no write access to WRP resources

Generally only affects installers

Cause

Application tries to modify or delete a protected resource

Page 67:

WRP: Mitigations and Fixes

Automatic Mitigation

Access Denied return codes are suppressed if the application is detected as a legacy installer (no manifest): the write to the protected resource is skipped and the installer sees success

Manual Mitigation

Apply the shim "WRPMitigation"

Rename the custom installer to setup.exe to trigger the automatic mitigation

Fixes

Use Microsoft-provided redistributable packages designed specifically for Windows Vista.

Never redistribute system files.

Redesign apps that use protected system resources.

Page 68:

WRP in Action


Page 70:

Why: IE7 Protected Mode

Helps protect users from attack by running the IE process with greatly restricted privileges

Significantly reduces the ability of an attack to write, alter, or destroy data on the user's machine or to install malicious code

Helps protect a user from malicious code installing itself without authorization

Page 71:

How: IE7 Protected Mode

In Windows Vista, Internet Explorer 7 runs in Protected Mode (IEPM) for non-trusted sites (the installation default)

IE runs separate process instances for different protection modes

Prevents buffer overflow exploits in a low-rights instance from affecting higher trust level sites

Required by IEPM's underlying mechanisms:

Mandatory Integrity Control (MIC)

User Interface Privilege Isolation (UIPI)

Page 72:

How: IE7 Protected Mode (cont.)

Integrity Levels (IL) for IE7

IEPM: Low integrity level

Unprotected: Medium integrity level

Low-integrity processes (such as IEPM) can only write to folders, files, and registry keys that have been assigned a low-integrity mandatory label; reading Medium-IL objects is still allowed.

Low-integrity locations used by IE:

Temporary Internet Files folder

History folder

Cookies folder

Favorites folder

Windows Temporary Files folders

(Protected Mode writes to low-integrity subfolders of these, such as Temporary Internet Files\Low)

Page 73:

Integrity Levels Explained

Windows Vista implements Mandatory Integrity Control (MIC).

Processes run at one of four integrity levels (an Untrusted level below Low also exists):

System processes run at System IL

Applications that require administrative privileges run at High IL

Standard applications run at Medium IL

Restricted apps run at Low IL

Page 74:

Integrity Levels Explained (cont.)

Securable objects (files, processes, window stations, message queues) carry a mandatory label that defines the minimum IL a process needs to modify them. The default mandatory policy is "no write up", so a lower-IL process can still read or execute the object unless the label also carries No-Read-Up or No-Execute-Up (process objects, for example, are labelled No-Read-Up as well). The integrity check runs before the DACL check, which still applies.

Low IL: all processes can write to this object

Medium IL: only Medium IL and higher processes can write to this object

High IL: only High and System IL processes can write to this object

System IL: only System IL processes can write to this object

Default IL: objects that do not specify a label are treated as Medium IL
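The rules above as a small policy model, added here as an example and not part of the original deck: the level ordering and the default no-write-up policy are Windows Vista's, extended with the No-Read-Up and No-Execute-Up label bits that real mandatory labels carry. The object names and their labels are constructed for the example; in particular it shows why Protected Mode IE can read but not write the user's Documents folder.

```python
# Added example (not from the original deck): a model of the Vista mandatory integrity
# check. Levels and the default NO_WRITE_UP policy are Windows'; objects are constructed.
UNTRUSTED, LOW, MEDIUM, HIGH, SYSTEM = 0, 1, 2, 3, 4
NO_WRITE_UP, NO_READ_UP, NO_EXECUTE_UP = 0x1, 0x2, 0x4   # mandatory label policy bits


class Label:
    """Mandatory integrity label: a level plus the policy applied to lower-IL subjects."""

    def __init__(self, level, policy=NO_WRITE_UP):   # NO_WRITE_UP is the Vista default
        self.level = level
        self.policy = policy


def mandatory_check(subject_il, access, label):
    """True if the integrity check passes; the object's DACL is evaluated afterwards.
    access is "read", "write" or "execute"."""
    if label is None:
        label = Label(MEDIUM)                  # objects without a label count as Medium
    if subject_il >= label.level:
        return True                            # equal or higher IL: MIC never blocks
    blocked_by = {"write": NO_WRITE_UP, "read": NO_READ_UP, "execute": NO_EXECUTE_UP}
    return not (label.policy & blocked_by[access])


# Constructed objects mirroring the deck's scenarios
OBJECTS = {
    "Documents\\report.doc": None,                                   # unlabeled -> Medium
    "Temporary Internet Files\\Low\\page.htm": Label(LOW),            # low-IL folder
    "explorer.exe (Medium process)": Label(MEDIUM, NO_WRITE_UP | NO_READ_UP),   # processes add NO_READ_UP
    "elevated cmd.exe (High process)": Label(HIGH, NO_WRITE_UP | NO_READ_UP),
}


def check(subject_il, access, obj_name):
    """Run the mandatory check for one of the constructed objects."""
    return mandatory_check(subject_il, access, OBJECTS[obj_name])
```

A Low-IL Protected Mode process fails the write check on the unlabeled (Medium) document but passes the read check; a Medium process cannot even open a High process for read because process labels carry No-Read-Up, which is what keeps a standard-user process from reading an elevated one's memory.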

Page 75:

User Interface Privilege Isolation (UIPI)

UIPI uses MIC's integrity levels to restrict sending window messages

Applications cannot send messages to windows owned by processes running at a higher integrity level (SendMessage and PostMessage to such a window are blocked)

Where compatibility impact is high, lower-IL applications can be manifested (uiAccess="true") to opt out of UIPI. This setting should only be used for UI accessibility applications; Windows honors it only for Authenticode-signed executables installed under Program Files or Windows\System32
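An audit of the two manifest settings this section and the updater slides rely on, added here as an example that is not part of the original deck: requestedExecutionLevel (does the EXE ask to run elevated, as recommended for a separate updater) and uiAccess (does it opt out of UIPI). The element and attribute names are Windows' own; the two manifests and the product names in them are constructed for the example.

```python
# Added example (not from the original deck): audit an application manifest for
# requestedExecutionLevel and uiAccess. The two manifests below are constructed.
import xml.etree.ElementTree as ET

# trustInfo appears in either of these namespaces in real manifests
TRUST_NAMESPACES = ("urn:schemas-microsoft-com:asm.v2", "urn:schemas-microsoft-com:asm.v3")
VALID_LEVELS = ("asInvoker", "highestAvailable", "requireAdministrator")

UPDATER_MANIFEST = """<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity version="1.0.0.0" processorArchitecture="X86"
                    name="Contoso.Updater" type="win32"/>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="requireAdministrator" uiAccess="true"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>"""

LEGACY_MANIFEST = """<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity version="1.0.0.0" processorArchitecture="X86"
                    name="Contoso.Legacy" type="win32"/>
</assembly>"""


def audit_manifest(xml_text):
    """Return {"level", "uiAccess", "findings"} for one manifest."""
    root = ET.fromstring(xml_text)
    elem = None
    for ns in TRUST_NAMESPACES:
        elem = root.find(".//{%s}requestedExecutionLevel" % ns)
        if elem is not None:
            break
    if elem is None:
        # No trustInfo: Vista treats the EXE as a legacy app, so installer
        # detection and file/registry virtualization apply instead.
        return {"level": None, "uiAccess": False,
                "findings": ["no requestedExecutionLevel: legacy app, installer detection and virtualization apply"]}
    level = elem.get("level", "asInvoker")
    ui_access = elem.get("uiAccess", "false").lower() == "true"
    findings = []
    if level not in VALID_LEVELS:
        findings.append("unknown level %r" % level)
    elif level == "requireAdministrator":
        findings.append("always elevates: fine for an admin-only tool such as a separate updater, wrong for a mixed-use app")
    elif level == "highestAvailable":
        findings.append("elevates only when the user is an administrator: standard users get a Medium IL token, test both paths")
    if ui_access:
        findings.append("uiAccess=true opts out of UIPI: reserved for accessibility tools, needs an Authenticode signature and an install path under Program Files or System32")
    return {"level": level, "uiAccess": ui_access, "findings": findings}
```

Run it over the manifests extracted from every EXE in a package (mt.exe can dump them) to find the updater that forgot to request elevation and the odd tool that asks for uiAccess without being an accessibility application.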

Page 76:

UIPI In Action

[Diagram: three processes at different integrity levels. Medium IL: Standard User; High IL: Administrator; Low IL: IE7 Protected Mode.]

Page 77:

IE7 PM: Symptoms

Attempts by ActiveX controls to modify Medium and higher IL objects fail

e.g. writing to the user's Documents folder

ActiveX controls fail to install

Page 78:

IE7 PM: Automatic Mitigation

Redirects writes to Medium-integrity files, such as the Documents folder, to %userprofile%\Local Settings\Temporary Internet Files\Virtualized (on Windows Vista, Local Settings is a junction into AppData\Local)

Redirects writes to the HKCU registry hive to HKCU\Software\Microsoft\Internet Explorer\InternetRegistry

Page 79:

IE7 PM: Automatic Mitigation (cont.)

Two higher-privilege broker processes allow Internet Explorer and extensions to perform elevated operations:

The user privilege broker (ieuser.exe, Medium IL) provides a set of functions that let the user save files to areas outside the low-integrity areas

The administrator privilege broker (ieinstal.exe, High IL) allows Internet Explorer to install ActiveX controls

Page 80:

IE Compatibility Architecture

[Diagram: Internet Explorer 7 in Protected Mode (Low IL, low rights) sits on a compatibility layer that redirects writes into virtualized files and registry keys; operations needing user rights go through the ieuser.exe User Broker (Medium IL); operations needing administrative rights go through the ieinstal.exe Admin Broker (High IL). Vertical label: Integrity Mechanism.]

Page 81:

IE7 PM: Manual Mitigation

Add the site to Trusted Sites. Protected Mode is not enabled for the Trusted Sites zone, so any code that site runs gets the user's Medium IL token; add only the specific hosts that need it.

Use the new ActiveX Installer Service (AXIS) for enterprise deployments

Page 82:

Motivation for the ActiveX Installer Service

ActiveX controls are installed on a per-machine basis and require administrator privileges for installation

This creates a challenge to deploying ActiveX controls across an enterprise running Standard User desktops.

The ActiveX Installer Service (AXIS) is a new solution to address this issue.

Page 83:

AXIS: How It Works

IE7 parses a page that requires an ActiveX control.

If the user is a Standard User, the ActiveX Installer Service is called.

The ActiveX Installer Service performs a lookup in the Allowed Installation Sites list deployed via Group Policy.

If the host URL is within policy, the control is downloaded by the service.

If the control meets the signing criteria, it is installed as the LocalSystem account.

Because the install runs as LocalSystem, the host URL list and the signing criteria are the only controls between the web and SYSTEM-level code: keep the list short and prefer https hosts.

Page 84:

AXIS: Enabling the Service

The ActiveX Installer Service is an optional component that must be enabled

Deploy through SMS

Run cmd.exe as Administrator, then run: ocsetup.exe AxInstallService

Control Panel > Programs > Turn Windows Features on or off

Page 85:

AXIS: Configuring the Policy

Policy is configured using an Administrative Template in Group Policy.

Run gpedit.msc

Navigate to Computer Configuration > Administrative Templates > Windows Components > ActiveX Installer Service

Open "Approved Installation Sites for ActiveX Controls" and enter the Host URL and the policy…

Page 86:

AXIS: Configuring the Policy (cont.)

The policy consists of the host URL and the install policy settings

Host URL

Must specify the protocol: http or https (preferred)

Example: http://download.microsoft.com

Install policy consists of 4 comma-separated values:

1. Trusted Signature behavior: 1 (prompt) is the safest value that still allows installation

2. Signed Controls behavior: 1 (prompt) is the safest value that still allows installation

3. Unsigned Controls behavior: 0 (disallowed, the default) is the safest value; 1 only prompts

4. HTTPS connection flags: 0 is the best value (all certificate checks enforced)

Page 87:

AXIS: Host URL Install Policy Values

The install policy consists of 4 comma-separated values:

1. Trusted Signature behavior: Silent (2*), Prompt (1), or Disallowed (0)

2. Signed Controls behavior: Silent (2), Prompt (1*), or Disallowed (0)

3. Unsigned Controls behavior: Prompt (1) or Disallowed (0*)

4. HTTPS connection flags: bitmask of the following values; 0* means all connection checks must pass

0x00000100  Ignore unknown CA

0x00000200  Ignore wrong certificate usage

0x00001000  Ignore invalid CN

0x00002000  Ignore invalid certificate date

Each set bit disables one check on the download connection and should be left clear; a control fetched over a connection with an unknown CA still ends up installed as LocalSystem.

* Default setting if no policy is specified for the Host URL.
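A linter for one AXIS host entry, added here as an example and not part of the original deck: it parses the "Host URL" plus "TrustedSignature,Signed,Unsigned,HTTPSFlags" pair described on the two preceding slides and reports the settings that widen the path from a web server to LocalSystem. The behavior codes and flag bits are the ones listed above; the host names in the usage are constructed.

```python
# Added example (not from the original deck): lint an ActiveX Installer Service host
# policy "tps,signed,unsigned,httpsflags". Codes and flag bits are from the slide;
# the policies checked in the test are constructed.
IGNORE_UNKNOWN_CA = 0x00000100
IGNORE_WRONG_USAGE = 0x00000200
IGNORE_INVALID_CN = 0x00001000
IGNORE_INVALID_DATE = 0x00002000
FLAG_NAMES = {
    IGNORE_UNKNOWN_CA: "ignore unknown CA",
    IGNORE_WRONG_USAGE: "ignore wrong certificate usage",
    IGNORE_INVALID_CN: "ignore invalid CN",
    IGNORE_INVALID_DATE: "ignore invalid certificate date",
}
DISALLOW, PROMPT, SILENT = 0, 1, 2


def parse_install_policy(value):
    """Split and range-check the four comma-separated policy values."""
    parts = [p.strip() for p in value.split(",")]
    if len(parts) != 4:
        raise ValueError("install policy needs exactly 4 comma-separated values")
    tps, signed, unsigned, flags = (int(p, 0) for p in parts)   # int(x, 0) takes "4352" or "0x1100"
    if tps not in (DISALLOW, PROMPT, SILENT) or signed not in (DISALLOW, PROMPT, SILENT) \
            or unsigned not in (DISALLOW, PROMPT):
        raise ValueError("behavior value out of range")
    return {"trusted_publisher": tps, "signed": signed, "unsigned": unsigned, "https_flags": flags}


def lint_axis_policy(host_url, value):
    """Return (parsed policy, list of findings) for one Host URL entry."""
    policy = parse_install_policy(value)
    findings = []
    if not host_url.lower().startswith("https://"):
        findings.append("host URL is not https: the control can be replaced on the wire before it is installed as LocalSystem")
    if policy["trusted_publisher"] == SILENT:
        findings.append("trusted-publisher controls install silently (the deck recommends 1, prompt)")
    if policy["signed"] == SILENT:
        findings.append("any Authenticode-signed control installs silently")
    if policy["unsigned"] != DISALLOW:
        findings.append("unsigned controls can be installed")
    for bit, name in FLAG_NAMES.items():
        if policy["https_flags"] & bit:
            findings.append("HTTPS check disabled: " + name)
    unknown = policy["https_flags"] & ~sum(FLAG_NAMES)
    if unknown:
        findings.append("unknown HTTPS flag bits 0x%x" % unknown)
    return policy, findings
```

Point it at the entries exported from the Group Policy object before a rollout; a clean entry such as "https://updates.contoso.example" with "1,1,0,0" produces no findings, while the all-default "2,1,0,0" on a plain http host already reports two.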

Page 88:

AXIS: Other Information

Auditing

Several events are created by the ActiveX Installer Service

Currently only success and failure are reported when the service is called

For more information about centrally managing ActiveX controls, see the following article:

http://msdn.microsoft.com/library/default.asp?url=/workshop/delivery/download/overview/implementation.asp

Page 89:

ActiveX Installer Service

Page 90:

Less Common Issues

Session 0 Isolation

Critical Section Code Changes

Painting Behavior

Networking IPv6

My Documents Location


Page 92:

Session 0

Sessions in Windows XP/2003

Windows XP creates Session 0 with an interactive window station for services and user-mode drivers

The first user logging in is added to Session 0, and that user's applications run in this session as well

[Diagram: Window Station 0, Desktop 0, holding the services' windows and the 1st user's windows side by side]

Page 93:

Sessions in Windows Vista

Creates Session 0 for services and user-mode drivers

Creates Session 1 for the first user logging in; applications run in Session 1

Interaction between the Session 0 and Session 1 desktops via window messages is prohibited (each session has its own window station and desktop)

[Diagram: Session 0 holds the services and user-mode drivers; Session 1 (Window Station 1, Desktop 1) holds the user's windows]

Page 94:

Why: Session 0 Isolation

Running services and user applications together in Session 0 is a security risk

Potential exploitation by sending messages between services and applications (the "shatter attack" pattern: a window message such as WM_TIMER carrying a callback address, delivered to a window owned by a privileged service)

Malicious agents looking for a means to elevate their own privilege level can target services

Running services and user applications in separate sessions prevents such attacks.

User-mode drivers and services that already work with multiple users in Windows XP (Fast User Switching) will work in most cases.

Page 95:

Session 0: Compatibility Impact

A service and a user application that use window message functions (e.g. SendMessage, PostMessage) to communicate will silently fail.

A service and a user application that use local named objects (events, mutexes, shared memory sections) to communicate will silently fail: a name without the Global\ prefix lives in the session-local namespace, and the two sides no longer share one.

A service that uses a UI to interact with the user will display the UI on a special desktop which is inaccessible.

Page 96:

Session 0: Automatic Mitigation

Symptom: UI displayed by a service is not visible

Mitigation: Windows Vista allows the user to interact with the Session 0 UI on a special desktop (the Interactive Services Detection service)

Detects that a service's UI is not being displayed

Prompts the user to choose whether to display the message now or later

Switches the display to a special desktop where the UI is visible

Page 97:

Session 0 - Service UI

Page 98:

Session 0: Fixes

Problem: service and user application communicate using window message functions or local objects

Solution: redesign the application and service to use client/server mechanisms, e.g. remote procedure call (RPC) or named pipes. Give the endpoint an explicit DACL; a service endpoint reachable by every local user is the new attack surface.

Page 99:

Session 0: Fixes (cont.)

Problem: service displays a UI to interact with the user

Solution: redesign the service to no longer interact directly with the user

Use the WTSSendMessage function to create a simple message box on the user's desktop (not recommended)


Page 101:

Critical Section Code Changes

Why: changed to increase security and robustness

How: prior versions of Windows happened to work when a critical section was entered without a prior InitializeCriticalSection call, initializing it on demand; Windows Vista no longer does

Symptoms: programs that relied on the on-demand initialization fail with an access violation

Mitigation: apply the shim "EnterUninitializedCriticalSection"

Fixes: rewrite the code to call InitializeCriticalSection (or InitializeCriticalSectionAndSpinCount) before first use and DeleteCriticalSection when done

Page 102:

Critical Section Changes


Page 104:

Painting Behavior

Why: to improve the user experience

How: all top-level windows are rendered to an off-screen bitmap; the Desktop Window Manager (DWM) composes the images to draw the desktop

Impact: some applications will render incorrectly

Mitigation: disable desktop composition

Apply the shim "DisableDWM"

Properties > Compatibility tab > Disable desktop composition

Fixes: redesign the application so it does not assume that it is rendering directly to the screen

Page 105:

Disabling Desktop Composition


Page 107: IPv6

The TCP/IP stack in Windows Vista has IPv6 enabled by default

IPv6 traffic will be sent by the Windows Vista stack regardless of whether the network supports IPv6 or not (e.g. router solicitation and neighbor discovery messages are generated by default)

Single stack and API for IPv4 and IPv6

Applications using the IPv4-specific API will fail

Page 108: IPv6: Fix

Before (IPv4-only: an AF_INET socket plus gethostbyname, which returns IPv4 addresses only):

void StartClient(PCSTR HostName, USHORT Port)
{
    SOCKET ClientSocket = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
    struct hostent *HostEntry = gethostbyname(HostName);   /* IPv4 addresses only */
    if (HostEntry == NULL) return;
    struct sockaddr_in A = {0};
    A.sin_family = AF_INET;
    A.sin_addr = *(struct in_addr *)HostEntry->h_addr;
    A.sin_port = htons(Port);
    connect(ClientSocket, (struct sockaddr *)&A, sizeof(A));
}

After (one AF_INET6 socket with IPV6_V6ONLY cleared reaches both IPv4 and IPv6 hosts; WSAConnectByName resolves the name for either family):

void StartClient(PCSTR HostName, USHORT Port)
{
    SOCKET ClientSocket = socket(AF_INET6, SOCK_STREAM, IPPROTO_TCP);
    DWORD V6Only = 0;   /* assumed value: 0 = dual stack, IPv4 and IPv6 on one socket */
    setsockopt(ClientSocket, IPPROTO_IPV6, IPV6_V6ONLY, (const char *)&V6Only, sizeof(V6Only));
    char Service[6];
    sprintf_s(Service, sizeof(Service), "%u", Port);   /* WSAConnectByName takes the port as a service string */
    WSAConnectByName(ClientSocket, (LPSTR)HostName, Service, NULL, NULL, NULL, NULL, NULL, NULL);
}
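The dual-stack pattern behind the "After" code, as an added example that is not from the slides: it covers the server side as well as the client side, is written with POSIX sockets so it compiles on Linux, and the same calls (getaddrinfo, setsockopt with IPV6_V6ONLY) exist in Winsock 2 via ws2tcpip.h. The function names are my own.

```c
#include <arpa/inet.h>
#include <netdb.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Server side: an AF_INET6 socket with IPV6_V6ONLY cleared also accepts IPv4 clients, which it sees as ::ffff:a.b.c.d. Binds port 0 and returns the fd, or -1. */
int dual_stack_listen(unsigned short *port_out)
{
    int fd = socket(AF_INET6, SOCK_STREAM, IPPROTO_TCP), v6only = 0;
    struct sockaddr_in6 a = { .sin6_family = AF_INET6 };   /* zeroed sin6_addr is :: (any) */
    socklen_t len = sizeof a;
    if (fd < 0) return -1;
    if (setsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY, &v6only, sizeof v6only) < 0 ||  /* 0 = dual stack */
        bind(fd, (struct sockaddr *)&a, sizeof a) < 0 || listen(fd, 1) < 0 ||
        getsockname(fd, (struct sockaddr *)&a, &len) < 0) { close(fd); return -1; }
    *port_out = ntohs(a.sin6_port);
    return fd;
}

/* Client side: getaddrinfo(AF_UNSPEC) replaces gethostbyname, so no family is hard-coded; each candidate address is tried until one connects. */
int connect_by_name(const char *host, unsigned short port)
{
    struct addrinfo hints = { .ai_family = AF_UNSPEC, .ai_socktype = SOCK_STREAM }, *res, *ai;
    char service[6];
    int fd = -1;
    snprintf(service, sizeof service, "%u", port);
    if (getaddrinfo(host, service, &hints, &res) != 0) return -1;
    for (ai = res; ai != NULL; ai = ai->ai_next) {
        fd = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
        if (fd >= 0 && connect(fd, ai->ai_addr, ai->ai_addrlen) == 0) break;
        if (fd >= 0) { close(fd); fd = -1; }
    }
    freeaddrinfo(res);
    return fd;
}

/* Accept one client and report how the dual-stack server sees it: 1 = IPv4 peer (v4-mapped address), 0 = native IPv6 peer, -1 = accept failed. */
int accept_and_classify(int lfd, char *addr, size_t addrlen)
{
    struct sockaddr_in6 peer; socklen_t len = sizeof peer;
    int cfd = accept(lfd, (struct sockaddr *)&peer, &len);
    if (cfd < 0) return -1;
    inet_ntop(AF_INET6, &peer.sin6_addr, addr, (socklen_t)addrlen);
    close(cfd);
    return IN6_IS_ADDR_V4MAPPED(&peer.sin6_addr) ? 1 : 0;
}
```

An IPv4-only client connecting to 127.0.0.1 lands on the IPv6 listener and is reported as ::ffff:127.0.0.1; with IPV6_V6ONLY left at 1 the same connection would be refused.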

Page 109: Less Common Issues

Session 0 Isolation

Critical Section Code Changes

Painting Behavior

Networking IPv6

My Documents Location

Page 110: My Documents Location

The My Documents location and structure have changed to provide a better user experience

User data is now stored in the \users\%username%\ folder structure

Pictures, Music, Documents, Desktop, and Favorites are all new folders directly under this structure

Apps that use the SHGetFolderPath function and obtain the folder path dynamically are OK

Never hard-code absolute paths (AppVerifier includes a test for this)

Page 111: My Documents: Automatic Mitigation

Directory junction (symbolic link)

Provides backward compatibility for hard-coded paths, e.g. ‘Documents and Settings’ -> Users

DENY_READ set for ‘Everyone’

Cannot be enumerated; only access by the full path is allowed, e.g. ‘Documents and Settings\%username%\My Documents\foo.doc’

Prevents the folders from being backed up twice

Page 112: My Documents

Page 113: Low Impact

Windows Vista 64-Bit

Deprecated APIs

Help Center Deprecated

Page 114: 64-bit Support

The 64-bit version of Windows Vista can run all 32-bit applications with the help of the WOW64 emulator

32-bit user-mode drivers will work on the 64-bit version of Windows Vista

16-bit applications, 16-bit installers, and 32-bit kernel-mode drivers are not supported

Page 115: 64-bit Support (cont.)

All 64-bit drivers have to be digitally signed for Windows Vista.

Unsigned drivers are not supported and cannot be installed on 64-bit Windows Vista.

The digital signature check is done both during installation and at driver load time.

Page 116: Deprecated Components

The following components from earlier Windows releases will not be present in Windows Vista:

Kernel-mode printer driver support

Microsoft® FrontPage® Server Extensions

Services for Macintosh

D3DRM

Web Publishing Wizard

NetDDE (optional in XP)

GINA

Page 117: Help and Support

Previous versions of Windows included support for WinHelp files (.HLP)

Not included in Windows Vista

Download available for WinHelp support after Vista ships

CHM is preferred

Page 118: Wrap-up

Page 119:

© 2006 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.