3 App Compat Win7
Windows 7 AppCompat
Lynn Langit
http://blogs.msdn.com/SoCalDevGal
Microsoft – Developer Evangelist
Few Changes: Most software that runs on Windows Vista® will run on Windows® 7 – exceptions will be low-level code (AV, Firewall, Imaging, etc.). Hardware that runs Windows Vista well will run Windows 7 well.
Few Changes: Focus on quality and reliability improvements
Windows 7 Builds on Windows Vista
Deep Changes: New models for security, drivers, deployment, and networking
AppCompat & LightUp
• From XP to Win 7
  • User Account Control
  • Services Isolation
• From Vista to Win 7
  • Version checking
  • High DPI
  • Low level binary changes
• UX
  • Taskbar
  • Libraries
• Internals
  • Trigger Start Services
  • Timer Coalescence
• New hardware
  • Multi touch
  • Sensors
From XP to Windows 7
http://code.msdn.microsoft.com/XP2Win7
The Application
Image Viewer: WPF Application
Runs on XP, Vista, Win7
On XP: basic functionality with no special OS features
Manually create album
Crawler (expensive) service searching images
Change skin
Reset DB / Reset configuration
Lights Up on Windows 7
Application Running on XP
The Application Running on 7
Enhancing an existing Windows XP application with Windows 7 features:
IO Background Priority, Libraries, Trigger Start Services, Power Management, Command Links, Scheduled Tasks, PowerShell 2, Windows 7 Multitouch, Windows 7 Sensors, Other…
Application Restart and Recovery, Preview Handlers, Windows Search, Windows 7 Event Tracing, User Account Control, Windows 7 Taskbar, Transactional NTFS, Microsoft Management Console Snap-In
Application Running on 7
DemoPhoto Viewer on Windows 7
Compat - New Folder Locations
“My Documents” folder structure has changed. The user data is now stored in the ‘\users\%username%\’ folder structure.
Pictures, Music, Documents, Desktop, and Favorites are all new folders directly under this structure.
The “My ” prefix was dropped from Documents, Music, etc.
“All Users” became “Public” and “\ProgramData”.
My Documents still exists as a directory junction.
Use the SHGetKnownFolderPath APIs.
Compat - Application Data Best Practices
Where to put your data:
1. Place per-user configuration data into %LOCALAPPDATA% (Roaming into %APPDATA%)
2. Place Per-Machine (Shared) configuration data into %ALLUSERSPROFILE% (e.g. c:\ProgramData)
3. Per-Machine (Shared) user documents into %PUBLIC%
4. Per user documents go to %USERPROFILE%
Compat - User Account Control
• Applications run as Standard User by default
• Standard User has some permissions
  • Run most applications
  • Change per user settings
• Standard User can NOT do many things
  • Install applications
  • Change system components
  • Change per machine settings
  • Admin “privileges”
Windows UAC
All users run as Standard User by default
Filtered token created during logon
Only specially marked apps get the unfiltered token
Explicit consent required for elevation
Predictable shell elevation paths
High application compatibility
Data redirection: enabling legacy apps to run as standard user
Installer Detection
UAC Architecture (diagram)
Admin logon for user Abby creates two tokens: a filtered “Standard User” token and an Admin token.
Standard User Rights: User Process (Standard User Privilege)
• Change Time Zone
• Run IT Approved Applications
• Install Fonts
• Install Printers
• Run MSN Messenger
• Etc.
Administrative Rights: Admin Processes (Admin Privilege), each started via elevation
• Install Application
• Configure IIS
• Change Time
Elevation prompts: Consent UI (OS application, unsigned application, signed application) and Credential UI.
UAC Split Tokens Demo
Designing for UAC
1st Choice: Make application run as Standard User only
2nd Choice: Clearly identify Administrative tasks
Ensure Standard users can be fully productive
Identify tasks that need elevation with a “shield”
UX: The Shield
Attached to controls to indicate that elevation is required to use their associated feature
Has only one state (i.e. no hover, disabled etc.)
Does not remember elevated state
Not an unlock operation
Can be programmatically set:
    HICON shieldIcon = LoadIcon(NULL, IDI_SHIELD);
    SendMessage(button, BCM_SETSHIELD, 0, TRUE);
or using the macro in Commctrl.h:
    Button_SetElevationRequiredState(commandLink, TRUE);
Security Shield UI Examples
Application Manifests
Vista-aware applications embed an XML manifest
Manifest contains a RequestedExecutionLevel:
asInvoker: Launch with the same token as the parent process
highestAvailable: Launch with the highest token this user possesses
requireAdministrator: Launch with the highest token of the user, provided the user is a member of the Administrators group
Finding/Solving UAC Issues
Do you?
Write to Program Files, Windows, System32, HKLM/Software, or Root?
Create anything “globally”?
Use Windows messages between isolation levels?
Try running the application “As Administrator”
Testing with UAC off
Tools: Process Monitor, Standard User Analyzer
Windows Services Basics
Started and managed by Service Control Manager
Controlled by SCM:
Starting and stopping services (Disabled, Manual and Automatic)
Managing running services
Maintaining service-related state information (Started – Stopped – Paused)
Services can run in their own process or shared hosted process (e.g. svchost.exe)
Services and Security
Attractions for malware:
May be configured to auto start on boot
Potential to run from boot without using well known auto-start methods
Often run in highly privileged contexts
As mentioned, runs outside of UAC and enables app to potentially take control of UAC behavior (e.g. MSI)
Services can run in their own process or shared hosted process
Sessions in XP/W2K/WS03 (diagram)
Session 0: one Window Station / Desktop shared by the Screen Saver, Login, Services and the 1st User’s windows (three shown). Shatter Attack.
Sessions in Win7/Vista/Windows 2008 (diagram)
Session 0: Window Station / Desktop holding only Services.
Session 1: Window Station / Desktop with the Screen Saver, Login and the 1st User’s windows (three shown). Secure.
Session 0 Isolation demo
Service Hardening
Windows XP services made great attack vectors:
Running in shared session, usually w/high privilege
Sometimes w/UI (interactive services)
So we had Shatter Attacks: good reasons to have Service Isolation in Session 0 and Mandatory Integrity Control
Windows Vista and 7
Services run outside of UAC
ISVs may be tempted to circumvent OS security
The potential attack surface has lessened, so services are a more attractive target
Three Service Hardening Designs
Services need to run least privileged. Services can now have their own SID. This can be used to lock down / sandbox the resources that the Service has access to.
Good:
a) Move to a least privilege account.
b) Refactor services into two parts where necessary.
c) Privilege stripping on a per-service basis.
Better: Grant Service SID access via ACLs on service specific resources.
Best:
a) Use Service-SID, ACLs and “write-restricted token” to isolate services.
b) Supply network firewall rules.
Perf Enhance - Trigger Start Service
New in Windows 7 - SCM registers for system events via interesting providers:
Device arrival
IP address
Domain join and leave
Group policy updates
Custom Event Tracing for Windows event
SCM starts or stops registered services:
TabletInputService started only if digitizer is present
StorSvc starts when group policy updates are applied, automatically stops
Trigger Start Examples
Service Name | Description | Trigger Type
AELookupSvc | Processes application compatibility cache requests for applications as they are launched | Custom ETW
BDESVC | Provides BitLocker client services for user interface and auto-unlocking of data volumes | Custom ETW
BTHSERV | The Bluetooth service supports discovery and association of remote Bluetooth devices. | Device
SensorsMTPMonitor | Monitors MTP (Media Transfer Protocol) sensors (such as a cell phone with a GPS receiver) to communicate sensor data to programs | Device
TabletInputService | Enables Tablet PC pen and ink functionality | Device
WinDefend | Protection against spyware and potentially unwanted software | Group Policy
Service or Scheduled Task?
Windows Service
• Continuous activity from boot to shutdown
• Service Control Manager (SCM) programming model
• Can specify dependency
Scheduled Task
• Short duration action
• Idle activity
• Take action on user login
• Standalone executable or out-of-process COM server
• Generally execute in user session
Compat - Operating System Version
Windows 7 is … Windows 6.1? (for Vista Compat)
dwMajorVersion stays the same
dwMinorVersion changes
Remediation
Check for features, not versions
If checking for version, then use the > key (check the OS version as >= so that your app can work on future releases of the OS)
Version lies
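An added example (not from the deck) of the version-check logic the Remediation slide is about, in portable C: a constructed OsVersion struct stands in for the dwMajorVersion/dwMinorVersion fields, and the three functions contrast the exact-match check, the field-by-field ">=" check, and the ordered-pair check the slide recommends.

```c
#include <stdbool.h>
#include <stdio.h>

/* Added example (not from the deck): the version-check logic behind the
 * "Remediation" slide. Windows 7 reports dwMajorVersion 6, dwMinorVersion 1
 * (Vista is 6.0), so checks written against one exact version, or comparing
 * each field on its own, break on the next release. OsVersion stands in for
 * the OSVERSIONINFO fields; the values below are constructed. */
typedef struct { unsigned major, minor; } OsVersion;

/* The fragile check many XP-era installers shipped: exact match only. */
bool check_exact(OsVersion os, OsVersion want) {
    return os.major == want.major && os.minor == want.minor;
}

/* A common "fix" that is still wrong: comparing fields independently
 * rejects 6.0 when the minimum is 5.1, although 6.0 is the newer OS. */
bool check_naive_ge(OsVersion os, OsVersion min) {
    return os.major >= min.major && os.minor >= min.minor;
}

/* The check the slide recommends: treat (major, minor) as one ordered pair,
 * so every later release, including ones not yet shipped, passes. */
bool check_at_least(OsVersion os, OsVersion min) {
    if (os.major != min.major) return os.major > min.major;
    return os.minor >= min.minor;
}

int main(void) {
    OsVersion vista = {6, 0}, win7 = {6, 1}, need_xp = {5, 1};
    printf("exact    win7  vs 5.1: %d (wrongly blocks Windows 7)\n", check_exact(win7, need_xp));
    printf("naive>=  vista vs 5.1: %d (wrongly blocks Vista)\n", check_naive_ge(vista, need_xp));
    printf("at_least vista vs 5.1: %d\n", check_at_least(vista, need_xp));
    printf("at_least win7  vs 5.1: %d\n", check_at_least(win7, need_xp));
    return 0;
}
```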
Compatibility Tab
Layers
Shim Application
Implements Windows API hooks
Shim engine is responsible for applying the shims:
Load the shim DLL
Retrieve the APIs which should be hooked
Review the import table of the application to determine where hooks should be placed
Overwrite the addresses of the API calls with the address in the shim
How Shims are Loaded
Shims are applied per executable
Run initialization routines
Shim engine applies API hooks
Loader maps executable and statically linked DLLs into memory
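An added example (not from the deck or from the Windows shim engine) that models the steps above in portable C: a constructed import table of (name, address) slots, a constructed shim "DLL" exporting one replacement function, and an apply_shims() routine that walks the imports and overwrites the matching address, so the application's call through its import table lands in the shim. All function and type names are invented for illustration.

```c
#include <stdio.h>
#include <string.h>
/* Added example, not from the deck: a user-mode model of the shim engine the
 * slide describes. The "import table" is an array of (name, address) slots,
 * the "shim DLL" is a table of replacement functions, and apply_shims() walks
 * the imports and overwrites matching addresses. All names are constructed. */
typedef int (*api_fn)(void);
typedef struct { const char *name; api_fn addr; } ImportEntry; /* one IAT slot */
typedef struct { const char *name; api_fn hook; } ShimEntry;   /* one shim export */
/* Fake OS APIs the application imports; GetVersion reports 6.1 (Windows 7). */
static int real_GetVersion(void)   { return 0x0601; }
static int real_GetTickCount(void) { return 1000; }
/* Fake shim: a "version lie" that reports 5.1 (XP) to an app that expects it. */
static int shim_GetVersion(void)   { return 0x0501; }
/* The application's import table as the loader mapped it. */
static ImportEntry app_imports[] = {
    { "GetVersion",   real_GetVersion },
    { "GetTickCount", real_GetTickCount },
};
static const size_t app_import_count = sizeof app_imports / sizeof app_imports[0];
/* The shim "DLL": which APIs it hooks and with what. */
static const ShimEntry version_lie_shim[] = { { "GetVersion", shim_GetVersion } };

/* Shim engine: for each API the shim exports, find the matching import slot
 * and overwrite its address. Returns the number of hooks placed. */
int apply_shims(ImportEntry *imports, size_t n_imports,
                const ShimEntry *shims, size_t n_shims) {
    int placed = 0;
    for (size_t s = 0; s < n_shims; s++)
        for (size_t i = 0; i < n_imports; i++)
            if (strcmp(imports[i].name, shims[s].name) == 0) {
                imports[i].addr = shims[s].hook;  /* the overwrite step */
                placed++;
            }
    return placed;
}
/* The application calls through its import table, unaware of any hook. */
int app_call(const char *api) {
    for (size_t i = 0; i < app_import_count; i++)
        if (strcmp(app_imports[i].name, api) == 0) return app_imports[i].addr();
    return -1;  /* not imported */
}

int main(void) {
    printf("before: GetVersion=0x%04x\n", (unsigned)app_call("GetVersion"));
    apply_shims(app_imports, app_import_count, version_lie_shim, 1);
    printf("after:  GetVersion=0x%04x\n", (unsigned)app_call("GetVersion"));
    return 0;
}
```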
Compat – Misc Regressions
• Removal of Windows Mail
• Removal of Windows Movie Maker
• NLS Sorting Changes
• Internet Explorer 8 - User Agent String
• Removal of Windows Registry Reflection
• Removal of WPDUSB.SYS Driver for Windows Portable Devices
• Microsoft Message Queuing (MSMQ)
Problem Step Recorder
%windir%\system32\psr.exe
Allows testers and users to track, step by step, exactly what an application is doing, creating an .mht file with screenshots illustrating the bug reproduction
Creates a .zip file containing an .mht file
Integrated with Dr. Watson for Windows
This Was Very Surprising To Us…
Monitor Max Resolution | % Set to Maximum
1280x1024 | 56%
1400x1050 | 79%
1600x1200 | 32%
1680x1050 | 66%
1920x1050 | 39%
1920x1200 | 78%
Avg. set to default | 55%

Details: Users with Max Resolution of 1600x1200
User's Chosen Resolution | % using that resolution
640x480 | 1%
800x600 | 7%
1024x768 | 57%
1280x1024 | 3%
1600x1200 | 32%
Total | 100.00%

Almost half of all users are not configuring their display to maximum resolution (!)
Users are lowering their screen resolution to get larger text…
High DPI - Why Do We Care?
Non-native resolution negates the value of high fidelity displays
Text looks blurry because ClearType requires native resolution
Can’t display native high def content:
720p high definition video requires 1280x720 resolution
1080p requires 1920x1080
1.9 megapixel photos require 1600x1200 native
Many people accidentally select a non-native aspect ratio
Pixelated content does not take advantage of the display
Non-native aspect ratio settings “squish” content
High DPI Issues
Clipped Text
Layout Issues & Image Size Issues
Pixelated Bitmaps
WinForms Issues
Blurry UI
Mismatched Font Sizes
Graphics Improvements in Windows 7
New Graphics APIs for Rich Client Applications (diagram): GDI, GDI+, DirectX and WPF, positioned by Native Development vs Managed Development, Hardware Acceleration, Immediate Mode, Primarily Rendering, and Input, Focus, Events, Controls.
DirectX: When the application needs control over features and performance
WPF: When the application needs richness but needs to be built quickly and there is no need for fine grained control over hw performance and features
GDI: When the application needs to work on all Microsoft OSs and the lowest common denominator functionality is sufficient
When to use which API (rows in increasing HW exploitiveness)
Area | Existing API(s) | Challenges | Windows 7
3D | D3D3…D3D10 | Not always available: no HW, Server, Remoted | Direct3D 10.1
2D | GDI, GDI+ | Quality, Performance | Direct2D
Text | GDI | Quality, not up to date | DirectWrite
Imaging | GDI, GDI+, WIC | Extensive format support, Security | Updated WIC
Device Control | GDI | Outdated notion of HW config | DXGI 1.1
Advancing the platform (diagram): Direct2D, Direct3D, DirectWrite (Segoe UI sample), DXVA & WIC
Graphic Improvements
Windows 7 DWM memory consumption is cut by 50% per window
Take advantage of the GPU’s computation power
High-DPI support & High Color
Windows 7 DWM uses Direct3D10.1 API
Direct2D And DirectWrite
New APIs in Windows 7
Win32 developers
Interoperability
Usable in service context
Direct2D: 2D graphics rendering tasks; increased performance and visual quality
DirectWrite: vertical stack for text services (fonts, script processing, layout)
Direct2D: New in Windows 7
Rendering Focused Immediate Mode API:
2D Vectors & Geometry, Bitmaps & Text
Hardware & Software Pipelines
Built for Performance on Direct3D 10.1
Interoperable with Direct3D & GDI
High Quality Rendering: Per Primitive Anti-Aliasing & MSAA via Direct3D
Remoted via Direct3D 10.1
Printing support via XPS
Direct2D Performance demo
DirectWrite
Modern Typography
Enables world-wide applications
ClearType advances
Works with any rendering technology
Hardware accelerated via Direct2D
Best reading experience for the PC
Gabriola
DirectWrite demo
Call to Action: Fundamentals
Compatible
• UAC aware, Support x64, Sign files & drivers, no OS version checking, support multi user sessions…
• Install to correct folders / transactional uninstall
• Self Certified with new Logo automatic tool
• www.isvappcompat.com (FrontRunner)
Resource Optimized and more
• Power aware
• Retire old “XP” services to Win 7 tasks
• Use triggered Services
• Provide a troubleshoot pack & WER
Windows 7 Readiness Programs
Make sure your applications work with Windows 7
Allow MS to tell our customers about your Apps
Publish your support policy for Windows 7
List your solutions on the Compatibility Center
Get the Windows 7 Logo
Focused on Compatible Applications
Simple Process – No 3rd party testing required
http://connect.microsoft.com/InvitationUse.aspx?ProgramID=2872&SiteID=704&InvitationID=Win7-K86V-HW3G
Resources
Cookbooks: “Application Compatibility Cookbook”, “Windows 7 Application Quality Cookbook”
MSDN Application Compatibility: http://msdn.microsoft.com/en-us/windows/aa904987.aspx
TechNet Windows Application Compatibility: http://technet.microsoft.com/en-us/desktopdeployment/bb414773.aspx
DevReadiness.org
Channel 9: http://channel9.msdn.com/tags/Application+Compatibility/
Track Resources
Windows 7 RC Training for Developers
Windows content on Channel 9
Windows 7 Developer Center on MSDN
Windows Application Compatibility Roadmap
Windows 7 Blog for Developers
My blog series – http://blogs.msdn.com/SoCalDevGal #Win7DevSeries
My MSDN show – MSDN geekSpeak
My Facebook group ‘Windows 7 Developers’
Links, Video & Screencasts
Related Content
Breakout Sessions
WCL201 Developing for Windows 7
WCL301 Windows Application Readiness for Developers
WCL302 Optimizing Your Application for the Windows 7 User Experience
Whiteboard Session
WTB215 Windows Client Development Discussion
Hands-on Lab
WCL08-HOL Windows 7: Mitigating Application Issues Using Shims
www.microsoft.com/teched
International Content & Community
http://microsoft.com/technet
Resources for IT Professionals
http://microsoft.com/msdn
Resources for Developers
www.microsoft.com/learning
Microsoft Certification & Training Resources
Resources Tech·Ed Africa 2009 sessions will be made available for download the week after the event from: www.tech-ed.co.za
Complete a session evaluation and enter to win!
10 pairs of MP3 sunglasses to be won
© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after
the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.