Aaron Margosis Principal Consultant Microsoft Corporation SESSION CODE: WCL301.

Case of the App Compat Bug

Some Available Techniques

• Get rid of the app!
• Update the application
  • Acquire a new version from the vendor
  • Fix compatibility bugs in the source code
• Pre-install required files and registry keys
• Modify the installer with transforms (e.g., remove Windows version checks)
• Let Windows handle it (file/registry virtualization)
• Apply shims
• Change permissions or policies
• Employ application or machine virtualization

Case of the Failing File Virtualization

Case # 420500 (*)

• Fails when run as a standard user
• Tested on Windows 7, 32-bit
• Error message about a file, then the app exits
• File virtualization in effect? Task Manager and Process Explorer say “yes”; some app files appear in the Virtual Store
• But: access denied on a config.dat under Program Files. Why? (*.dat files should virtualize!)

(*) Names of apps and vendors have been removed to protect the guilty

Case of the Failing File Virtualization

Featured tools: Process Monitor, Logger, CompatAdmin

DEMO

Case # 420500

• Figure out what the app is doing
  • Look at the call stack in Process Monitor
  • Identify the failing API
  • Use Logger to identify the API parameters
• Solve with the VirtualizeDeleteFile shim: UAC file virtualization does not redirect attempted file deletions or in-place renames

Case of the Failing CorrectFilePaths Shim

Case # 73052

• Writes to Options.xml in the Program Files folder, fails and exits
• Tested on Windows 7, 32-bit

What does the vendor say?

Customer says “No!” to that. Hooray for the customer!

Case # 73052

• Why isn’t file virtualization kicking in?
• Check the application manifest with Sigcheck
• Aha! The app is no longer a “legacy” app! How did that happen?
• Because it was built with VS 2008! Visual Studio 2008 embeds a manifest with a requestedExecutionLevel entry by default, and an executable that declares one is treated as UAC-aware: Windows does not virtualize its file and registry writes.
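As an added worked example (not part of the session, and not a Microsoft tool), the Python below performs the same check offline: it reads the COFF Machine field to rule out 64-bit images, locates the embedded manifest with a raw scan for `<assembly>...</assembly>` (a heuristic that works because RT_MANIFEST resources are stored as plain XML; Sigcheck -m does the proper resource extraction), and reports whether UAC virtualization can apply to the image. The two sample manifests and the minimal fake image builder are constructed for illustration only.

```python
"""Is this EXE still a "legacy" app in UAC's eyes?  Added example (not from the
session): virtualization is off for 64-bit images and for any executable whose
manifest carries a <requestedExecutionLevel> element, which VS 2008 emits by default.
"""
import re
import struct
import xml.etree.ElementTree as ET

IMAGE_FILE_MACHINE_I386 = 0x014C
# RT_MANIFEST data is stored as plain XML, so a raw scan finds it without walking
# the PE resource tree.  Heuristic: use "sigcheck -m" for authoritative extraction.
MANIFEST_RE = re.compile(rb"<assembly\b.*?</assembly>", re.DOTALL | re.IGNORECASE)


def pe_machine(data):
    """Return the COFF Machine field, or None if the bytes are not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if len(data) < e_lfanew + 6 or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)
    return machine


def embedded_manifests(data):
    """Return every embedded manifest as text (usually exactly one for an EXE)."""
    return [m.group(0).decode("utf-8", "replace") for m in MANIFEST_RE.finditer(data)]


def requested_execution_level(manifest_xml):
    """Return the level attribute of <requestedExecutionLevel>, or None if the
    manifest has none (a pre-Vista, "legacy" manifest).  Namespace-agnostic."""
    try:
        root = ET.fromstring(manifest_xml)
    except ET.ParseError:
        return None
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] == "requestedExecutionLevel":
            return el.get("level")
    return None


def virtualization_status(data):
    """Classify an image: 'not-a-pe', 'disabled: ...', or 'eligible: ...'.
    Run-time conditions (elevated token, non-interactive session) are not
    visible in the file and are out of scope here."""
    machine = pe_machine(data)
    if machine is None:
        return "not-a-pe"
    if machine != IMAGE_FILE_MACHINE_I386:
        return "disabled: not a 32-bit x86 image (virtualization is 32-bit only)"
    for xml_text in embedded_manifests(data):
        level = requested_execution_level(xml_text)
        if level is not None:
            return f"disabled: manifest requestedExecutionLevel={level}"
    return "eligible: no requestedExecutionLevel in any manifest (legacy app)"


# --- constructed samples (not real binaries) -----------------------------------
VS2008_DEFAULT_MANIFEST = b"""<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security><requestedPrivileges>
      <requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
    </requestedPrivileges></security>
  </trustInfo>
</assembly>"""

LEGACY_MANIFEST = b"""<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <dependency><dependentAssembly>
    <assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls"
      version="6.0.0.0" processorArchitecture="x86"
      publicKeyToken="6595b64144ccf1df" language="*"/>
  </dependentAssembly></dependency>
</assembly>"""


def fake_image(machine, manifest):
    """Just enough of a PE (MZ stub, PE signature, Machine) with the manifest bytes
    appended, so the functions above can be exercised offline."""
    img = bytearray(0x48)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)   # e_lfanew -> PE header at 0x40
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", img, 0x44, machine)
    return bytes(img) + manifest


if __name__ == "__main__":
    import sys
    data = (open(sys.argv[1], "rb").read() if len(sys.argv) > 1
            else fake_image(IMAGE_FILE_MACHINE_I386, VS2008_DEFAULT_MANIFEST))
    print(virtualization_status(data))
```

Run it against the real binary (`python check_manifest.py app.exe`) and compare with `sigcheck -m app.exe`; a `disabled: manifest requestedExecutionLevel=asInvoker` result is exactly the Case 73052 situation, where the only fixes are a shim, a permission change, or a vendor build that stops writing under Program Files.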

Case # 73052

Consultant applied a CorrectFilePaths shim that replaces instances of
C:\Program Files\[app name removed]\Program\Options.xml
with
%userprofile%\Options.xml

And... the app still failed in the same way.

How Can CorrectFilePaths Fail?

1. Does the target location exist?
2. Exact text match, not actual file match
   Example: shim configured to look for
   C:\Program Files\[app name removed]\Program\Options.xml
   If the program sets the current directory and opens
   .\Program\Options.xml
   there is no match, and the shim is not applied.
3. Is the calling DLL getting hooked? What is the immediate calling DLL?

Verify 2 and 3 with LUA Buglight

How Shims Work

(Diagram.) Inside the process, App.exe and each loaded DLL (Custom1.dll, Custom2.dll, Crypt32.dll, Msxml3.dll, Urlmon.dll) has its own import address table (IAT) with an entry for CreateFile. The shim engine redirects a module’s IAT entry to the shim DLL’s CorrectFilePaths implementation, which in turn calls the real CreateFileW implementation in Kernel32.dll. A module whose IAT is not patched calls Kernel32.dll directly, and the shim never sees that call.
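The three failure modes on the previous slide follow directly from that picture. The Python below is an added illustrative model (not the real shim engine, and not code from the session): each module carries its own IAT slot for CreateFileW, the shim engine patches the slot of every covered module, and CorrectFilePaths substitutes only exact path strings whose target directory exists. The module names, the “system exclusion list” contents, and the already-expanded %userprofile% path are assumptions made for the demo; the default coverage rule (all modules except those on the exclusion list, unless a module is included explicitly or the fix covers all modules) is the behaviour the slides describe when they “configure the shim for msxml3.dll” and “intercept from all modules”.

```python
"""Model of the shim mechanism: per-module IAT patching plus exact-string path
substitution.  Added illustrative example, not the real shim engine; module
names and the exclusion list below are assumptions for the demo."""
import ntpath


def kernel32_create_file_w(path):
    """Stand-in for the real CreateFileW: returns the path it would open."""
    return path


class Module:
    """A loaded image with its own IAT (import name -> resolved function)."""
    def __init__(self, name):
        self.name = name
        self.iat = {"CreateFileW": kernel32_create_file_w}

    def create_file(self, path):
        # A call site always goes through *its own* module's IAT slot.
        return self.iat["CreateFileW"](path)


class CorrectFilePaths:
    """Exact-string path substitution, as the shim's command line specifies."""
    def __init__(self, substitutions, existing_dirs):
        self.substitutions = dict(substitutions)
        self.existing_dirs = {d.lower() for d in existing_dirs}

    def wrap(self, original):
        def hooked(path):
            target = self.substitutions.get(path)            # failure mode 2: exact text only
            if target is None:
                return original(path)
            if ntpath.dirname(target).lower() not in self.existing_dirs:
                return original(path)                        # failure mode 1: target dir missing
            return original(target)
        return hooked


# OS components the engine leaves alone unless the fix includes them explicitly
# (assumed contents for this model; the real list lives in the system database).
SYSTEM_EXCLUDED = {"crypt32.dll", "msxml3.dll", "urlmon.dll"}


def apply_shim(shim, modules, include=(), all_modules=False):
    """Patch the CreateFileW IAT slot of every covered module."""
    include = {m.lower() for m in include}
    for mod in modules:
        name = mod.name.lower()
        covered = all_modules or name in include or name not in SYSTEM_EXCLUDED
        if covered:                                          # failure mode 3 otherwise
            mod.iat["CreateFileW"] = shim.wrap(mod.iat["CreateFileW"])
    return modules


SRC = r"C:\Program Files\App\Program\Options.xml"
DST = r"C:\Users\alice\Options.xml"   # %userprofile% already expanded (assumed)


def scenario(include=(), all_modules=False, target_dir_exists=True):
    """Run the calls from the slides and report what CreateFileW actually opens."""
    app, custom, msxml = Module("App.exe"), Module("Custom1.dll"), Module("Msxml3.dll")
    shim = CorrectFilePaths([(SRC, DST)], [ntpath.dirname(DST)] if target_dir_exists else [])
    apply_shim(shim, [app, custom, msxml], include, all_modules)
    return {
        "app_absolute": app.create_file(SRC),                   # redirected
        "app_relative": app.create_file(r".\Program\Options.xml"),  # no text match
        "custom_dll": custom.create_file(SRC),                  # covered by default
        "msxml3_dll": msxml.create_file(SRC),                   # excluded unless included
    }


if __name__ == "__main__":
    for label, kw in [("default", {}), ("include msxml3", {"include": ["msxml3.dll"]}),
                      ("all modules", {"all_modules": True}),
                      ("target dir missing", {"target_dir_exists": False})]:
        print(label, scenario(**kw))
```

The same model explains why LUA Buglight’s module column matters: only the immediate caller’s IAT is consulted, so a CreateFileW issued from Msxml3.dll on behalf of App.exe is unaffected until that module is covered.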

CorrectFilePaths Intercepted APIs

API family (number of APIs): intercepted APIs

• CreateProcess routines (4): CreateProcess[AW], WinExec, ShellExecute[AW], ShellExecuteEx[AW]
• Profile (INI-file) routines (8): GetPrivateProfileInt[AW], GetPrivateProfileSection[AW], GetPrivateProfileSectionNames[AW], GetPrivateProfileString[AW], GetPrivateProfileStruct[AW], WritePrivateProfileSection[AW], WritePrivateProfileString[AW], WritePrivateProfileStruct[AW]
• File routines (22): CopyFile[AW], CopyFileEx[AW], CreateDirectory[AW], CreateDirectoryEx[AW], CreateFile[AW], DeleteFile[AW], FindFirstFile[AW], FindFirstFileEx[AW], GetBinaryType[AW], GetFileAttributes[AW], GetFileAttributesEx[AW], SetFileAttributes[AW], GetTempFileName[AW], GetLongPathName[AW], MoveFile[AW], MoveFileEx[AW], MoveFileWithProgress[AW], RemoveDirectory[AW], SetCurrentDirectory[AW], OpenFile, _lopen, _lcreat
• ShellLink routines (4): IShellLink[AW]::SetPath, IShellLink[AW]::SetArguments, IShellLink[AW]::SetIconLocation, IPersistFile::Save
• LoadImage routines (1): LoadImageA

Case of the Failing CorrectFilePaths Shim

Featured tools: LUA Buglight, Process Monitor (with customer logs)

DEMO

Case # 73052

• Verify inputs and modules with LUA Buglight
• Configure the shim for msxml3.dll
• App still failed
• Look at Procmon traces with the shim applied

Case # 73052

Options:
• Configure the shim to intercept from all modules
• Change permissions on Options.xml

Lesson 1: you may need to look at more than the failure cases. LUA Buglight and Standard User Analyzer show only the failure cases; Procmon filtered on “ACCESS DENIED” shows only failure cases.

Lesson 2: CorrectFilePaths is a pain in the …
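Both cases come down to reading a Process Monitor trace correctly: which denied operations UAC virtualization should have redirected (Case 73052, where the VS 2008 manifest had switched it off), which it never redirects (Case 420500’s delete and in-place rename), and what the same file looked like in the successful events that an access-denied filter hides (Lesson 1). The Python below is an added example, not from the session, that runs that triage over a Procmon CSV export. The trace lines are constructed; the protected-location prefixes and the excluded-extension list are partial defaults to adjust for your own image.

```python
"""Triage a Process Monitor CSV export (File > Save > CSV) for standard-user
("LUA") bugs: which denied operations UAC virtualization should have redirected,
which it never redirects, and what the same path looked like in the successful
events an ACCESS DENIED filter hides.  Added example, not from the session; the
sample trace below is constructed and the location lists are partial defaults."""
import csv
import io
import ntpath
import re

# Typical default locations a standard user cannot write to.
PROTECTED_FILE_ROOTS = (r"c:\program files", r"c:\windows")
PROTECTED_REG_ROOTS = (r"hklm\software",)
# Subkeys that registry virtualization leaves alone (partial list).
REG_NOT_VIRTUALIZED = (r"hklm\software\classes",
                       r"hklm\software\microsoft\windows\currentversion\policies",
                       r"hklm\software\microsoft\windows nt\currentversion")
# Executable types file virtualization never redirects (partial; the full list is
# configured under the luafv service parameters on the machine).
EXCLUDED_EXTENSIONS = {".exe", ".dll", ".sys", ".ocx", ".bat", ".cmd", ".com",
                       ".msi", ".scr", ".cpl", ".vbs", ".js"}
# Operations file virtualization does not redirect (the Case 420500 failure).
DELETE_OR_RENAME = {"SetDispositionInformationFile", "SetRenameInformationFile"}
OTHER_WRITE_OPS = {"WriteFile", "RegSetValue", "RegCreateKey", "RegDeleteKey", "RegDeleteValue"}

# Constructed sample: a standard-user run of a fictional app.exe (not a real trace).
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1000000","app.exe","4120","CreateFile","C:\Program Files\App\Program\Options.xml","SUCCESS","Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, AllocationSize: n/a, OpenResult: Opened"
"10:01:02.2000000","app.exe","4120","ReadFile","C:\Program Files\App\Program\Options.xml","SUCCESS","Offset: 0, Length: 4,096"
"10:01:02.3000000","app.exe","4120","CreateFile","C:\Program Files\App\Program\Options.xml","ACCESS DENIED","Desired Access: Generic Write, Read Attributes, Disposition: OverwriteIf, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: Read, AllocationSize: 0"
"10:01:02.4000000","app.exe","4120","SetDispositionInformationFile","C:\Program Files\App\config.dat","ACCESS DENIED","Delete: True"
"10:01:02.5000000","app.exe","4120","SetRenameInformationFile","C:\Program Files\App\config.tmp","ACCESS DENIED","ReplaceIfExists: True, FileName: C:\Program Files\App\config.dat"
"10:01:02.6000000","app.exe","4120","CreateFile","C:\Program Files\App\helper.dll","ACCESS DENIED","Desired Access: Generic Write, Disposition: OverwriteIf, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: Read, AllocationSize: 0"
"10:01:02.7000000","app.exe","4120","RegSetValue","HKLM\SOFTWARE\App\LastRun","ACCESS DENIED","Type: REG_SZ, Length: 22, Data: 2010-06-08"
'''


def parse_procmon_csv(text):
    """Rows as dicts keyed by the column names Procmon writes."""
    return list(csv.DictReader(io.StringIO(text)))


def desired_access(detail):
    """Access flags from a CreateFile Detail column, e.g. {'Generic Write', 'Read Attributes'}."""
    m = re.search(r"Desired Access: (.*?)(?:, Disposition:|$)", detail)
    return {flag.strip() for flag in m.group(1).split(",")} if m else set()


def wants_write(flags):
    return any(f.startswith(("Generic Write", "Generic All", "Write", "Append", "Delete")) for f in flags)


def classify(event):
    """(verdict, recommended fix) for one denied operation."""
    path, op = event["Path"].lower(), event["Operation"]
    if path.startswith(PROTECTED_REG_ROOTS):
        if path.startswith(REG_NOT_VIRTUALIZED):
            return "not_virtualizable_registry_location", "VirtualRegistry shim or change key permissions"
        return "virtualizable", "registry virtualization should have redirected this; confirm it is on for the process"
    if not path.startswith(PROTECTED_FILE_ROOTS):
        return "outside_protected_locations", "check the ACL on the target"
    if op in DELETE_OR_RENAME:
        return "not_virtualizable_delete_or_rename", "VirtualizeDeleteFile shim or change file permissions"
    if ntpath.splitext(path)[1] in EXCLUDED_EXTENSIONS:
        return "not_virtualizable_excluded_extension", "install the file at setup time or change permissions"
    return "virtualizable", "file virtualization should have redirected this; check the manifest and the Virtualization column"


def triage(events, process=None):
    """Every ACCESS DENIED event (optionally for one process name) with a verdict."""
    findings = []
    for ev in events:
        if ev["Result"] != "ACCESS DENIED":
            continue
        if process and ev["Process Name"].lower() != process.lower():
            continue
        flags = desired_access(ev["Detail"]) if ev["Operation"] == "CreateFile" else set()
        verdict, fix = classify(ev)
        findings.append({"path": ev["Path"], "operation": ev["Operation"], "access": sorted(flags),
                         "write_intent": wants_write(flags) or ev["Operation"] in (DELETE_OR_RENAME | OTHER_WRITE_OPS),
                         "verdict": verdict, "fix": fix})
    return findings


def history(events, path):
    """All events on one path, successes included: the view an ACCESS DENIED filter hides."""
    return [ev for ev in events if ev["Path"].lower() == path.lower()]


if __name__ == "__main__":
    evs = parse_procmon_csv(SAMPLE_CSV)   # real export: open(name, encoding="utf-8-sig").read()
    for f in triage(evs, process="app.exe"):
        print(f"{f['verdict']:<38} {f['operation']:<30} {f['path']}\n    -> {f['fix']}")
    for ev in history(evs, r"C:\Program Files\App\Program\Options.xml"):
        print(ev["Operation"], ev["Result"], sorted(desired_access(ev["Detail"])))
```

A “virtualizable” verdict on a denied write is the interesting one: virtualization was supposed to catch it, so the next question is why it was off for that process (64-bit image, manifest with requestedExecutionLevel, or an elevated or non-interactive token), which is where Sigcheck and the Task Manager Virtualization column come in.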

Case of the Missing or Unregistered OCX


Case # 2011961

Run-Once Bugs

• No repro after the app runs (as admin) one time
• Installation steps performed at runtime
• Typical bugs:
  • Copy executable files into place
  • Register a COM or .NET component
  • Modify a required configuration file

Solving Run-Once Bugs

• Know when future results are compromised. Testing that can hide Run-Once bugs:
  • “Try running it as admin”
  • Test with LUA Buglight or Standard User Analyzer (both run the app with administrative rights, so a one-time setup step quietly succeeds and is gone)
• How do you know it’s a Run-Once bug? The bug doesn’t repro at the next standard-user run
• Need to be able to reimage quickly: virtual machines (snapshots, undo disks), MDT deployment (e.g., PXE boot)

Best fix for Run-Once bugs: augment the installation
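Augmenting the installation starts with an inventory of what the one elevated run did to machine-wide locations. The Python below (an added example, not from the session) pulls that inventory from a Procmon CSV export of the first, elevated run and sorts the successful writes into the three typical Run-Once bug types from the previous slide, so each can be moved into the installer and the runtime no longer needs admin rights. The trace lines, including the CLSID, are constructed; the location prefixes are typical defaults.

```python
"""Inventory of what an elevated first run wrote to machine-wide locations, taken
from a Process Monitor CSV export of that run.  The successful writes are the
Run-Once steps the installer should perform instead.  Added example, not from the
session; the trace is constructed and the location lists are typical defaults."""
import csv
import io
import ntpath

MACHINE_FILE_ROOTS = (r"c:\program files", r"c:\windows")
MACHINE_REG_ROOTS = (r"hklm\software", "hkcr\\")   # an admin's HKCR writes land in HKLM\Software\Classes
COM_REG_MARKERS = ("\\clsid\\", "\\typelib\\", "\\interface\\", "\\software\\classes\\")
EXECUTABLE_EXTS = {".exe", ".dll", ".ocx", ".sys"}
REG_WRITE_OPS = {"RegSetValue", "RegCreateKey"}

# Constructed sample: the first run of a fictional app.exe with an admin token.
SAMPLE_ELEVATED_RUN = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"09:00:01.0000000","app.exe","3004","CreateFile","C:\Program Files\App\widget.ocx","SUCCESS","Desired Access: Generic Write, Read Attributes, Disposition: OverwriteIf, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: Read, AllocationSize: 0, OpenResult: Created"
"09:00:01.1000000","app.exe","3004","WriteFile","C:\Program Files\App\widget.ocx","SUCCESS","Offset: 0, Length: 65,536"
"09:00:01.2000000","app.exe","3004","RegCreateKey","HKCR\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32","SUCCESS","Desired Access: Write"
"09:00:01.3000000","app.exe","3004","RegSetValue","HKCR\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32\(Default)","SUCCESS","Type: REG_SZ, Length: 64, Data: C:\Program Files\App\widget.ocx"
"09:00:01.4000000","app.exe","3004","CreateFile","C:\Program Files\App\Program\Options.xml","SUCCESS","Desired Access: Generic Write, Read Attributes, Disposition: OverwriteIf, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: Read, AllocationSize: 0, OpenResult: Overwritten"
"09:00:01.5000000","app.exe","3004","RegSetValue","HKLM\SOFTWARE\App\Licensed","SUCCESS","Type: REG_DWORD, Length: 4, Data: 1"
"09:00:01.6000000","app.exe","3004","CreateFile","C:\Program Files\App\Program\Options.xml","SUCCESS","Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, AllocationSize: n/a, OpenResult: Opened"
"09:00:01.7000000","app.exe","3004","CreateFile","C:\Users\alice\AppData\Local\App\cache.bin","SUCCESS","Desired Access: Generic Write, Disposition: OverwriteIf, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: Read, AllocationSize: 0, OpenResult: Created"
'''


def parse_procmon_csv(text):
    return list(csv.DictReader(io.StringIO(text)))


def access_flags(detail):
    """Flags between 'Desired Access: ' and ', Disposition:' in a CreateFile Detail column."""
    head = detail.split(", Disposition:")[0]
    return head[len("Desired Access: "):].split(", ") if head.startswith("Desired Access: ") else []


def is_machine_write(ev):
    """True for a successful write to a location a standard user could not reach."""
    if ev["Result"] != "SUCCESS":
        return False
    path, op = ev["Path"].lower(), ev["Operation"]
    if op in REG_WRITE_OPS:
        return path.startswith(MACHINE_REG_ROOTS)
    if not path.startswith(MACHINE_FILE_ROOTS):
        return False
    if op in ("WriteFile", "SetRenameInformationFile", "SetDispositionInformationFile"):
        return True
    if op == "CreateFile":
        return any(f.startswith(("Generic Write", "Generic All", "Write", "Append"))
                   for f in access_flags(ev["Detail"]))
    return False


def categorize(ev):
    """Map a write onto the Run-Once bug types from the slide."""
    path, op = ev["Path"].lower(), ev["Operation"]
    if op in REG_WRITE_OPS:
        return "register COM component" if any(m in path for m in COM_REG_MARKERS) else "machine-wide registry setting"
    return "copy executable into place" if ntpath.splitext(path)[1] in EXECUTABLE_EXTS else "modify configuration file"


def install_steps(events, process=None):
    """Distinct (category, path) pairs the elevated run performed: move these into the installer."""
    steps, seen = [], set()
    for ev in events:
        if process and ev["Process Name"].lower() != process.lower():
            continue
        if not is_machine_write(ev):
            continue
        key = (categorize(ev), ev["Path"])
        if key not in seen:
            seen.add(key)
            steps.append({"category": key[0], "path": ev["Path"], "first_operation": ev["Operation"]})
    return steps


if __name__ == "__main__":
    for step in install_steps(parse_procmon_csv(SAMPLE_ELEVATED_RUN), process="app.exe"):
        print(f"{step['category']:<32} {step['path']}")
```

Capture the trace on a freshly imaged machine (or a VM snapshot you can roll back), because after this one run the writes succeed silently and the standard-user failure no longer reproduces.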

Case of the Unsigned Java Installer

Unsigned Packages

• Packages that should be signed report as not signed, e.g., the latest Java installer from Java.com
• Happens in locked-down environments: FDCC/USGCB, DISA STIGs
• “Root” cause: the policy setting “Turn off Automatic Root Certificates Update” is enabled. The machine can no longer retrieve the root certificate that the package’s signature chains to, so the chain cannot be built and the signature reports as invalid or absent.


REFERENCES

Utilities

• Sysinternals Process Monitor
• Logger (Debugging Tools for Windows)
• Standard User Analyzer (Application Compatibility Toolkit)
• LUA Buglight: v2.1 recently released, includes support for Windows 7 and x64
  http://blogs.msdn.com/aaron_margosis/pages/LuaBuglight.aspx

References

• Detailed shim documentation: ACT.chm in the Application Compatibility Toolkit; the same material is on technet.microsoft.com
• Chris Jackson’s blog: blogs.msdn.com/cjacks
• My blog: blogs.msdn.com/aaron_margosis
• See “Changing Permissions on Folders vs. Files”: http://blogs.msdn.com/aaron_margosis/archive/2006/06/19/638148.aspx
• FDCC blog: blogs.technet.com/fdcc

What is the Springboard Series?

Weekly, monthly and quarterly rhythm of topical content.

To the IT pro, our goal is to:
• Be the definitive resource for desktop IT pros
• Be open and honest; show, don’t tell
• Deliver information at the right time, at the right level, across the adoption lifecycle

Inside Microsoft we are:
• A turnkey IT pro engagement platform for depth and breadth
• The program to mobilize Microsoft marketing and field to focus on desktop OS IT pros

Visit the Springboard Series on TechNet at www.microsoft.com/springboard

The Springboard Series IT pro experience offers dynamic content and structured guidance across the adoption lifecycle (Discover, Explore, Pilot, Deploy, Manage), answering the questions asked at each stage: Is it worth the pain? How does it change my work? Is our environment ready? Is the organization ready? How do I maintain and optimize?

Offerings: Windows TechCenter in 10 languages; Virtual Roundtable Events; Springboard Technical Experts Panel; event support and resources; straight-talk monthly feature articles and overview guides; TalkingAboutWindows video blogs.

Resources

• www.microsoft.com/teched: Sessions On-Demand & Community
• www.microsoft.com/learning: Microsoft Certification & Training Resources
• http://microsoft.com/technet: Resources for IT Professionals
• http://microsoft.com/msdn: Resources for Developers


Complete an evaluation on CommNet and enter to win!

Sign up for Tech·Ed 2011 and save $500 starting June 8 – June 31st
http://northamerica.msteched.com/registration

You can also register at the North America 2011 kiosk located at registration. Join us in Atlanta next year.

© 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.


BONUS TRACKS

When to Use Shims

Define standards for when to use this technique:
• Vendor no longer in business
• Internal applications
• Support negotiable

Shimming applications can be outsourced

When Shims Are Used

(Diagram.) Windows loads the app (AppY.exe v2.3.4.5) and checks the AppCompat database(s) for a matching entry. Match found: selected calls from the app into the Windows APIs (Kernel32, User32, Advapi32, OleAut32, …) are intercepted and modified.

How Do I Know What’s Wrong?

Problem type: symptoms
• Invalid Windows version check: says “This app requires Windows XP”
• Admin rights issue: says “Requires admin rights”, or fails non-elevated and works elevated (caveat about testing elevated: see Run-Once Bugs)
• Security configuration: works when a Group Policy or security template setting is removed
• New platform: works with the Windows Classic theme

Some Useful Shims

Problem type: shim
• Bad Windows version checks: Version Lie shims (e.g., WinXPSP3VersionLie)
• Writing to HKCR at runtime: VirtualizeHKCRLite
• Unnecessary checks for “am I admin?”: ForceAdminAccess
• Writing to WRP-protected keys and files: WRPMitigation, WRPDllRegister, WRPRegDeleteKey
• Windows thinks your app is an installer: SpecificNonInstaller
• Writing to protected folder and registry locations: CorrectFilePaths, VirtualRegistry
• Using a kernel object in the global namespace: LocalMappedObject


JUNE 7-10, 2010 | NEW ORLEANS, LA