Windows 7 AppCompatLynn Langithttp://blogs.msdn.com/SoCalDevGalMicrosoft – Developer Evangelist

Few Changes: Most software that runs on Windows Vista® will run on Windows® 7 – exceptions will be low-level code (AV, Firewall, Imaging, etc.). Hardware that runs Windows Vista well will run Windows 7 well.

Few Changes: Focus on quality and reliability improvements

Windows 7 Builds on Windows Vista

Deep Changes: New models for security, drivers, deployment, and networking

AppCompat & LightUp

• from XP to Win 7• User Account

Control• Services Isolation

• from Vista to Win 7• Version checking• High DPI• Low level binary

changes

• UX• Taskbar• Libraries

• Internals• Trigger Start Services• Timer Coalescence

• New hardware• Multi touch• Sensors

From XP to Windows 7http://code.msdn.microsoft.com/XP2Win7

The Application

Image ViewerWPF Application

Runs on XP, Vista, Win7On XP basic functionality with no special OS features

Manually Create albumCrawler (expensive) Service searching imagesChange SkinReset DB / Reset configuration

Lights Up on Windows 7

Application Running on XP

The Application Running on 7Enhancing an existing Windows XP application with Windows 7 features

IO Background PriorityLibraries Trigger Start ServicesPower ManagementCommand Links Scheduled TasksPowerShell 2Windows 7 MultitouchWindows 7 SensorsOther…

Application Restart and RecoveryPreview HandlersWindows SearchWindows 7 Event TracingUser Account ControlWindows 7 TaskbarTransactional NTFSMicrosoft Management Console Snap-In

Application Running on 7

DemoPhoto Viewer on Windows 7

Compat - New Folder Locations

“My Documents” folder structure has changed The user data is now stored in:

‘\users\%username%\’ folder structure Pictures, Music, Documents, Desktop, and Favorites are

all new folders directly under this structure The “My “ prefix was dropped from Documents, Music,

etc. “All Users” became “Public” and “\ProgramData”

My Documents still exist as directory junction Use the SHGetKnownFolderPath APIs

Compat - Application Data Best Practices

Where to put your data:1. Place per-user configuration data into %LOCALAPPDATA%

(Roaming into %APPDATA%)2. Place Per-Machine (Shared) configuration data into

%ALLUSERSPROFILE% (e.g. c:\ProgramData)3. Per-Machine (Shared) user documents into %PUBLIC%4. Per user documents go to %USERPROFILE%

Compat - User Account Control • Applications run as Standard User by default• Standard User has some permissions

• Run most applications • Change per user settings

• Standard User can NOT do many things• Install applications•Change system components•Change per machine settings•Admin “privileges”

Windows UAC

All users run as Standard User by default Filtered token created during logon Only specially marked apps get the unfiltered token

Explicit consent required for elevation Predictable shell elevation paths

High application compatibility Data redirection Enabling legacy apps to run as standard user Installer Detection

UAC Architecture Standard User Rights

Administrative Rights

Admin logon

“Standard User” Token

Admin TokenAbby

UAC Architecture Standard User Rights

Administrative Rights

User Process

• Change Time Zone

• Run IT Approved Applications

• Install Fonts

• Install Printers

• Run MSN Messenger

• Etc.

Standard User Mode

Standard User Privilege

Abby

UAC Architecture Standard User Rights

Administrative Rights

User Process

• Change Time Zone

• Run IT Approved Applications

• Install Fonts

• Install Printers

• Run MSN Messenger

• Etc.

Admin Privileges

Standard User Privilege

Abby

Admin Process

Install Application

Admin Process

Configure IIS

Admin Process

Change Time

Admin Privilege

Admin Privilege

Admin Privilege

Consent UIOS Application

Unsigned Application

Signed Application

Credential UI

UAC Split Tokens Demo

Designing for UAC

1st Choice: Make application run as Standard User only

2nd Choice: Clearly identify Administrative tasks Ensure Standard users can be fully productive Identify tasks that need elevation with a “shield”

UX: The Shield

Attached to controls to indicate that elevation is required to use their associated feature

Has only one state (i.e. no hover, disabled etc.) Does not remember elevated state

Not an unlock operationCan be programmatically set:

HICON shieldIcon = LoadIcon(NULL, IDI_SHIELD)SendMessage(button, BCM_SETSHIELD, 0, TRUE)

or using the macro in Commctrl.h:Button_SetElevationRequiredState(commandLink, TRUE)

Security Shield UI Examples

Application Manifests

Vista-aware applications embed an XML manifest

Manifest contains a RequestedExecutionLevel:

asInvoker Launch with the same token as the parent process

highestAvailable Launch with the highest token this user possesses

requireAdministrator Highest token of the User provided User is a member of Administrators group

Finding/Solving UAC Issues

Do you? Write to Program Files, Windows, System32,

HKLM/Software, or Root? Create anything “globally” UseWindows messages between isolation levels

Try Running the application “As Administrator” Testing with UAC off

Tools Process Monitor Standard User Analyzer

Windows Services Basics Started and managed by Service Control Manager Controlled by SCM

Starting and stopping services Disabled, Manual and Automatic

Managing running services Maintaining service-related state information

Started – Stopped - Paused Services can run in their own process or shared hosted

process (e.g. svchost.exe)

Services and Security

Attractions for malware May be configured to auto start on boot

Potential to run from boot without using well known auto-start methods

Often run in highly privileged contexts As mentioned, runs outside of UAC and enables

app to potentially take control of UAC behavior (e.g. MSI)

Services can run in their own process or shared hosted process

Sessions in XP/W2K/WS03Session 0

Window StationDesktop

Screen Saver

Login

Services

1st User’sWindow

1st User’sWindow

1st User’sWindow

Shatter Attack

Sessions in Win7/Vista/Windows 2008Session 0

Window StationDesktop

Service

Service

Session 1

Window StationDesktop

Screen Saver

Login

1st User’sWindow

1st User’sWindow

1st User’sWindow

Secure

Session 0 Isolation

demo

Service HardeningWindows XP services made great attack vectors:

Running in shared session, usually w/high privilege Sometimes w/UI (interactive services) So we had Shatter Attacks good reasons to have Service Isolation in session 0

and Mandatory Integrity ControlWindows Vista and 7

Services run outside of UAC ISVs may be tempted to circumvent OS security The potential attack surface has lessened so services are

a more attractive target

Three Service Hardening Designs

Services need to run least privilegedServices can now have their own SIDThis can be used to lock down / sandbox the

resources that the Service has access to

Good

a) Move to a least privilege account.b) Refactor services into two parts where necessary.c) Privilege stripping on a per-service basis.

Better Grant Service Sid access via ACLs on service specific resources.

Besta) Use Service-SID, ACLs and “write-restricted token” to isolate services.b) Supply network firewall rules.

Perf Enhance - Trigger Start Service

New in Windows 7 - SCM registers for system events via interesting providers: Device arrival IP address Domain join and leave Group policy updates Custom Event Tracing for Windows event

SCM starts or stops registered services: TabletInputService started only if digitizer is present StorSvc starts when group policy updates are applied,

automatically stops

Trigger Start Examples

Service Name Description Trigger Type

AELookupSvc Processes application compatibility cache requests for applications as they are launched

Custom ETW

BDESVC Provides BitLocker client services for user interface and auto-unlocking of data volumes

Custom ETW

BTHSERV The Bluetooth service supports discovery and association of remote Bluetooth devices.

Device

SensorsMTPMonitor Monitors MTP (Media Transfer Protocol) sensors (such as a cell phone with a GPS receiver) to communicate sensor data to programs

Device

TabletInputService Enables Tablet PC pen and ink functionality Device

WinDefend Protection against spyware and potentially unwanted software

Group Policy

Service or Scheduled Task?W

indo

ws

Serv

ice • Continuous activity

from boot to shutdown

• Service Control Manager (SCM) programming model

• Can specify dependency Sc

hedu

led

Task

• Short duration action

• Idle activity• Take action

on user login• Standalone

executable or out-of-process COM server

• Generally execute in user session

Compat - Operating System Version

Windows 7 is … Windows 6.1? (for Vista Compat)dwMajorVersion stays the samedwMinorVersion changes

RemediationCheck for features, not versionsIf checking for version, then use the > key (check the OS version as >= so that your app can work on future releases of the OS)Version lies

Compatibility Tab

Layers

Shim Application

Implements Windows API hooksShim engine is responsible for applying the shims

Load the shim DLL

Retrieve the APIs which should be hooked

Review the import table

of the application

to determine

where hooks should be

placed

Overwrite the

addresses of the API calls

with the address in the shim

How Shims are Loaded

Shims are applied per executable

Run initialization routines

Shim engine applies

API hooks

Loader maps executable

and statically linked DLLs into memory

Compat – Misc Regressions

• Removal of Windows Mail • Removal of Windows Movie Maker • NLS Sorting Changes • Internet Explorer 8 - User Agent String • Removal of Windows Registry Reflection • Removal of WPDUSB.SYS Driver for Windows Portable

Devices • Microsoft Message Queuing (MSMQ)

Problem Step Recorder

%windir%\system32\psr.exeAllows testers and users to track, step by step, exactly what an application is doing, creating an .mht file with screenshots illustrating the bug reproductionCreates a .zip file containing an .mht fileIntegrated with Dr. Watson for Windows

This Was Very Surprising To Us…

Monitor Max Resolution

% Set to Maximum

1280X1024 56%1400X1050 79%1600X1200 32%1680X1050 66%1920X1050 39%1920X1200 78%Avg. set to default 55%

User's Chosen

Resolution

% using that resolution

640X480 1%800X600 7%1024X768 57%1280X1024 3%1600X1200 32%

Total 100.00%

Details Users with Max Resolution of 1600X1200

Almost half of all of users are not

configuring their display to maximum

resolution (!)

Users are lowering their screen resolution to get larger text…

High DPI - Why Do We Care?Non-native resolution negates the value of high fidelity displaysText looks blurry because ClearType requires native resolutionCan’t display native high def content

720p high definition video requires 1280x720 resolution1080p requires 1920x10801.9 megapixel photos requires 1600x1200 native

Many people accidentally select a non-native aspect ratio

Pixilated Content does not take advantage of the display

Non-native aspect Ratio Settings “Squishes” Content

High DPI Issues

Clipped Text

Layout Issues & Image Size Issues

Pixilated Bitmaps

WinForms Issues

Blurry UI Mismatched Font Sizes

Graphics Improvements in Windows 7New

Graphics APIs for Rich Client Applications

GDI GDI+ DirectX WPF

Native Development

Managed Development

Hardware Acceleration

ImmediateMode

PrimarilyRendering

Input, Focus, Events, Controls

DirectX: When the application needs control over features and performance

WPF: When the application needs richness but needs to be built quickly and there is no need for fine grained control over hw performance and features

GDI: When the application needs to work on all Microsoft OSs and the lowest common denominator functionality is sufficient

When to use which APIIn

crea

sing

HW

Exp

loiti

vene

ss

Area Existing API(s) Challenges

3D D3D3…D3D10 Not always available:•No HW•Server•Remoted

Direct3D 10.1

2D GDI, GDI+ Quality, Performance Direct2D

Text GDI Quality, Not up to date DirectWrite

Imaging GDI, GDI+, WIC Extensive format support, Security

Updated WIC

Device Control GDI Outdated notion of HW config

DXGI 1.1

Advancing the platform

Direct2D

Direct3D Segoe UIDirectWrite

DXVA & WIC

Graphic ImprovementsWindows 7 DWM memory consumption is cut by 50% per windowTake advantage of the GPU’s computation powerHigh-DPI support & High ColorWindows 7 DWM uses Direct3D10.1 API

Direct2D And DirectWriteNew APIs in Windows 7

Win32 developersInteroperabilityUsable in service context

Direct2D2D graphics rendering tasks Increased performance and visual quality

DirectWriteVertical stack for text servicesFonts, Script Processing, Layout

Direct2D: New in Windows 7

Rendering Focused Immediate Mode API:

2D Vectors & Geometry, Bitmaps & TextHardware & Software Pipelines

Built for Performance on Direct3D 10.1Interoperable with Direct3D & GDIHigh Quality Rendering:

Per Primitive Anti-Aliasing & MSAA via Direct3D

Remoted via Direct3D 10.1Printing support via XPS

Direct2D Performancedemo

DirectWrite

Modern TypographyEnables world-wide applicationsClearType advancesWorks with any rendering technologyHardware accelerated via Direct2DBest reading experience for the PC

Gabriola

DirectWritedemo

Call to Action: Fundamentals

Compatible•UAC aware, Support x64, Sign files & drivers, no OS version checking, support multi user sessions…. •Install to correct folders / transactional uninstall•Self Certified with new Logo automatic tool •www.isvappcompat.com (FrontRunner)

Resource Optimized and more

•Power aware•Retire old “XP” services to Win 7 tasks •Use triggered Services•Provide a troubleshoot pack & WER

Windows 7 Readiness Programs

Make sure your applications work with Windows 7Allow MS to tell our customers about your Apps

Publish your support policy for Windows 7List your solutions on the Compatibility Center

Get the Windows 7 LogoFocused on Compatible ApplicationsSimple Process – No 3rd party testing required

http://connect.microsoft.com/InvitationUse.aspx?ProgramID=2872&SiteID=704&InvitationID=Win7-K86V-HW3G

ResourcesCookbooks

“Application Compatibility Cookbook”“Windows 7 Application Quality Cookbook”

MSDN Application Compatibility: http://msdn.microsoft.com/en-us/windows/aa904987.aspxTechNet Windows Application Compatibility: http://technet.microsoft.com/en-us/desktopdeployment/bb414773.aspxDevReadiness.orgChannel 9: http://channel9.msdn.com/tags/Application+Compatibility/

Track ResourcesWindows 7 RC Training for Developers Windows content on Channel 9 Windows 7 Developer Center on MSDN Windows Application Compatibility Roadmap Windows 7 Blog for Developers

My blog series – http://blogs.msdn.com/SoCalDevGal #Win7DevSeriesMy MSDN show – MSDN geekSpeak My Facebook group ‘Windows 7 Developers’

Links, Video & Screencasts

Related ContentBreakout Sessions WCL201 Developing for Windows 7 WCL301 Windows Application Readiness for Developers WCL302 Optimizing Your Application for the Windows 7 User Experience

Whiteboard SessionWTB215 Windows Client Development Discussion

Hands-on LabWCL08-HOL Windows 7: Mitigating Application Issues Using Shims

www.microsoft.com/teched

International Content & Community

http://microsoft.com/technet

Resources for IT Professionals

http://microsoft.com/msdn

Resources for Developers

www.microsoft.com/learning

Microsoft Certification & Training Resources

Resources Tech·Ed Africa 2009 sessions will be made available for download the week after the event from: www.tech-ed.co.za

Complete a session evaluation and enter to win!

10 pairs of MP3 sunglasses to be won

© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.

The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after

the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.