Application Compatibility Remediation: The Dark Magic of Fixing Broken Applications Aaron Margosis

Principal ConsultantMicrosoftSession Code: CLI405

Some Available TechniquesGet rid of the app!Let Windows handle it

File/registry virtualizationLimitations on file/registry virtualization

Update the applicationAcquire new version from vendorFix compatibility bugs in the source code

Apply shimsPre-install required files, registry keysEmploy application or machine virtualization

When to Use Shims

Define standards for when to use this technique:

Vendor no longer in businessInternal applicationsSupport negotiable

Shimming applications can be outsourced

Application Windows

How Shims Work

Shim DLL

ImportFunction

ExportFunction

ImportFunction

When Shims Are Used

Windows APIs

•Kernel32

•User32•Advapi32•OleAut32•…

AppY.exev 2.3.4.5

Windows loads app.

Checks AppCompat DB(s).

Match found:

Selected API calls intercepted and modified.

AppY.exev 2.3.4.5

Some Useful Shims

Problem Type Shim

Bad Windows version checks Version Lie Shims(e.g., WinXPSP3VersionLie)

Writing to HKCR at runtime VirtualizeHKCRLite

Unnecessary checks for “am I admin?” ForceAdminAccess

Writing to WRP-protected keys and files

WRPMitigationWRPDllRegisterWRPRegDeleteKey

Windows thinks your app is an installer SpecificNonInstaller

Writing to protected folder and registry locations

CorrectFilePathsVirtualRegistry

Using kernel object in global space LocalMappedObject

Detailed Shim Information

Install App Compat Toolkit and look in act.chmAlso on technet.microsoft.com

Chris Jackson’s blog (blogs.msdn.com/cjacks)

Show me the shimsdemo

How do I know what's wrong?

Problem Type SymptomsInvalid Windows version check Says “This app requires Windows XP”

Admin rights issueSays “Requires admin rights”, orFails non-elevated, works elevated(Caveat about testing elevated)

Security configuration Works when Group Policy or security template setting is removed

New platform Works with Windows Classic theme

Testing environment

Have multiple configurations availableBe able to reimage quickly

Virtual machines (snapshots, undo disks)MDT deployment (e.g., PXE boot)

Apply security policies to local Group Policy rather than domain

LGPO utilities: blogs.technet.com/fdcc

Tools for identifying specific issues

Sysinternals Process MonitorStandard User Analyzer (App Compat Toolkit)LUA Buglight

v2.1 just releasedIncludes support for Windows 7 and x64http://blogs.msdn.com/aaron_margosis/pages/LuaBuglight.aspx

LUA Buglight, Process Monitor, SUAdemo

www.microsoft.com/teched

Sessions On-Demand & Community

http://microsoft.com/technet

Resources for IT Professionals

http://microsoft.com/msdn

Resources for Developers

www.microsoft.com/learning

Microsoft Certification & Training Resources

Resources

Complete an evaluation on CommNet and enter to win an Xbox 360 Elite!

© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS,

IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.