Application compatibility final

description

West Region TechNet Presents: Application Compatibility Myths Debunked (Delivered in September 2010).

Transcript of Application compatibility final

Everything You Want to Know About Application Compatibility But Were Afraid to Ask

Harold Wong

blogs.technet.com/haroldwong

TechNet goes virtual

How much is this app compat thing going to cost me?

Should I just stay on Windows XP?

Why did you break half of my software?

Why can't my company afford a chair for me?

Can I just stroke a check and have this problem go away?

Doesn't App-V just fix it all for me?

All I need to do is run ACT long enough, and it's fixed, right?

No, seriously, can I have a chair, please?

The MED-V brochure said just virtualize it all and migrate.

The tool brochure said it fixes 90% of the problems.

The Internets said to just turn off UAC.

Listen, I'm not talking about App Compat until I get a chair.

http://www.microsoft.com/technet

ITPROSRV-202

App-V

Beyond Trust

ACT 5.5

Win XP Mode

ACF Partners

MED-V

AppDNA

ChangeBase

Shims

Disable UAC

There Are No Silver Bullets

Session Objectives and Takeaways

Session Objectives:

Understand that app compat isn't easy

Understand that app compat is not impossible

Key Takeaway:

Chris's home number is a 900 number. Check the bathroom wall for details.

© 2008 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.

The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

9/15/2010

Things I Heard on the Internets About

We're going to be speaking mainly the truth today

but we'll also be confronting some mistruths along the way

Mistruths and misconceptions will be identified with the heading "Things I Heard on the Internet About:"

For those who are not familiar with The Internets, it's a series of tubes

Why Is App-Compat Hard?

It never used to be this hard!

Backward-compatibility used to win

Shell Folders

p:\\products\public

CON, PRN, NUL

Starting with XP SP2, not anymore

Customers demanded better security

Vista was the first major desktop OS release after TWC memo

Starting with Windows 7, we're winning again

How Do I Run an App-Compat Project?

Planning, Planning, Planning!!!

App Compat Project Plan

[Flowchart boxes: start, ACT Inventory, Rationalize, Initial Budget, Automated Analysis Assessment, Refine Budget, Install Manual Test, Runtime Manual Test, User Manual Test, Detailed Automated Analysis, Remediate, Ready to Deploy, end. Decision points: "App Install Green?" (Yes/No) and "App Run Green?" (Yes/No).]

Planning an App Compat Project

TechNet Magazine

June 2009

Articles by:

Chris Jackson and Chris Corio

http://technet.microsoft.com/en-us/magazine/dd799202.aspx

What Breaks in Windows 7?

features

Tech Ed North America 2010

9/15/2010 4:26 PM

© 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.

Some things that had to change: Microsoft Agent had to go

Productivity killer

Users hypnotized by agent's antics

More popular than YouTube

Made computers too easy to use

Killed market for instructional videos

The single biggest app-compat hit, ever

Nobody uses the Agent control! Do they?

Actual screenshot from a real customer engagement.

No consultants were (seriously) harmed in the capture of this screenshot.

Some things that had to change: Everyone runs as standard user

The infamous User Account Control

Even admins run as standard user

The single biggest app-compat hit, ever

Things I Heard on the Internet About: User Account Control

UAC is

Windows asking me "Are you sure?" over and over and over again

A useless pain in the @$$

Stupid, and smart people disable it

Especially smart developers

UAC breaks everything

It's OK to say, "We recommend turning off UAC to run this software."

Wrong!

The Truth About UAC

The first step toward Standard User

Required to improve security and TCO

Suite of technologies to fix stuff, not break it

Running as standard user breaks stuff

That's why no one did it before UAC!

Admin-Approval Mode enables legit admins to run as standard user

And then perform admin actions using the same account

Your end users shouldn't be admins to begin with

And can't approve elevation prompts

Disabling UAC turns off IE Protected Mode

We break, we fix: UAC's file and registry virtualization

Redirects access attempts from protected areas to non-roaming parts of user profile

Not related to App-V's bubble

This is per-user, not per-application

Virtual overload: It's the new .NET!

Virtual memory

Virtual address space

Virtual communities

NT Virtual DOS Machine (NTVDM)

Java Virtual Machine (JVM)

MS Visual Basic Virtual Machine (MSVBVM)

Virtual processors (hyperthreading)

Virtual reality

Virtual teams

Virtual private network (VPN)

UAC file and registry virtualization

Application virtualization

Machine virtualization (Virtual PC, Virtual Server, Hyper-V)

Virtual Earth

MS Enterprise Desktop Virtualization (MED-V)

Virtual pets

Virtual Desktop Infrastructure (VDI)

virtual keyword (C++, C#)

Virtual directory (IIS)

Virtual device driver (VxD, obsolete!)

We break, we fix: UAC's file and registry virtualization

Redirects access attempts from protected areas to non-roaming parts of user profile

Transparent to the app

Fixes many permissions-related issues

Does not apply to all apps or all file types

New in Win7: Writing to root of C:\ redirects

Things I Heard on the Internet About: Internet Explorer 8 Standards Compliance

IE8 breaks the web and makes little girls cry

If your site works on IE6, but breaks on IE8, the fix is easy: use Firefox!

Wrong!

Some things that had to change: Internet Explorer 8 Standards Compliance

Meets customer demand, good for the web

App compat > 80%

Compatibility View is extremely helpful

On by default for Intranet

Quirks mode also helpful, but no admin UI!

Many tools available for troubleshooting

Fixes either super easy or require devs

Hardest problem: server apps for IE6 only

E.g., Oracle, SAP

MED-V a great solution

Things I Heard on the Internet About: Internet Explorer Protected Mode

Almost like running a secure browser!

Like Safari!

More Microsoft security theater

Breaks all my Java

Breaks all my ActiveX controls

Wrong!

Some things that had to change: Internet Explorer Protected Mode

IEPM has protected you from exploits

if you left UAC enabled

With IE8, off by default for Intranet zone

May need to configure to recognize Intranet

External sites can be added to Trusted Sites

E.g., sites that require Java

Other products like the idea!

Google Chrome

Office 2010

Things I Heard on the Internet About: Windows version number changed

No earthly reason for doing that!

Couldn't possibly cause any problems!

Windows 7 is version 7.0, right?

No, Windows 7 is version 6.1 because it's just a minor upgrade, and therefore probably should be free, so go ahead and steal it

Wrong!

Some things that just changed: Windows version number changed

The most common bugs we find

Making it 6.1 keeps more apps working!

Version lie shims are easy to apply

And now easier to lie to MSIs

Still don't think it can be that common?

Check the Windows version!

// This program requires WinXP or newer.
// Windows XP is version 5.1
// This is easy!
if (!(vMajor >= 5 && vMinor >= 1))
{
    DisplayMessage("This program requires Windows XP or newer");
    LayDownAndDie();
}

Win7 as Windows 7.0?

vMajor: 7 >= 5

vMinor: 0 >= 1? Crap!

Vista is Windows 6.0:

vMajor: 6 >= 5

vMinor: 0 >= 1? Oops!

Win7 as Windows 6.1?

vMajor: 6 >= 5

vMinor: 1 >= 1! It works!
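
The version-check bug walked through above, next to a corrected comparison, as an added example (not code from the original slides). The function names and the sample version table are assumptions made for illustration; the 7.0 entry is hypothetical and mirrors the slide's "Win7 as Windows 7.0?" case.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed sample data: (major, minor) pairs as reported by each release,
   plus a hypothetical 7.0 matching the slide's "Win7 as Windows 7.0?" case. */
struct os_version {
    const char *name;
    unsigned major;
    unsigned minor;
};

static const struct os_version SAMPLE_VERSIONS[] = {
    { "Windows 2000",        5, 0 },
    { "Windows XP",          5, 1 },
    { "Windows Server 2003", 5, 2 },
    { "Windows Vista",       6, 0 },
    { "Windows 7",           6, 1 },
    { "hypothetical 7.0",    7, 0 },
};
#define SAMPLE_COUNT (sizeof SAMPLE_VERSIONS / sizeof SAMPLE_VERSIONS[0])

/* The slide's check: major and minor are tested independently, so any
   release whose minor number is 0 is refused, however new it is. */
bool buggy_is_xp_or_newer(unsigned major, unsigned minor)
{
    return major >= 5 && minor >= 1;
}

/* Corrected form: compare (major, minor) as an ordered pair. The minor
   number only matters when the major numbers are equal. */
bool is_at_least(unsigned major, unsigned minor,
                 unsigned req_major, unsigned req_minor)
{
    if (major != req_major)
        return major > req_major;
    return minor >= req_minor;
}

bool fixed_is_xp_or_newer(unsigned major, unsigned minor)
{
    return is_at_least(major, minor, 5, 1);
}

/* Count sample releases that really are XP or newer but that the buggy
   check refuses to run on. */
size_t count_false_rejections(void)
{
    size_t n = 0;
    for (size_t i = 0; i < SAMPLE_COUNT; i++) {
        const struct os_version *v = &SAMPLE_VERSIONS[i];
        if (fixed_is_xp_or_newer(v->major, v->minor) &&
            !buggy_is_xp_or_newer(v->major, v->minor))
            n++;
    }
    return n;
}

int main(void)
{
    for (size_t i = 0; i < SAMPLE_COUNT; i++) {
        const struct os_version *v = &SAMPLE_VERSIONS[i];
        printf("%-20s %u.%u  buggy=%-6s fixed=%s\n", v->name, v->major, v->minor,
               buggy_is_xp_or_newer(v->major, v->minor) ? "run" : "refuse",
               fixed_is_xp_or_newer(v->major, v->minor) ? "run" : "refuse");
    }
    printf("false rejections by the buggy check: %zu\n", count_false_rejections());
    return 0;
}
```
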

More things that just changed: Folder locations

We moved the profiles again!

Myth: We did this for no good reason

Truth: There was probably a good reason

And we changed where files need to go!

Myth: No guidance about where to put stuff

Truth: Well, yeah, but we're fixing that

Myth: Everything breaks, apps actually cry

Truth 1: Correctly-written apps still work

Truth 2: Junctions fix many bad apps

Directory Junctions

Some support for old folder names

Can traverse, but cannot list

Can directly access files through old names

Cannot list contents of these junctions

Where Should I Store Files?

Per-User Files: Location (Symbolic Constant and Examples)

Visible to user in Explorer: FOLDERID_Documents / CSIDL_MYDOCUMENTS

Windows 7 example: C:\Users\username\Documents

Windows XP equivalent: C:\Documents and Settings\username\My Documents

Hidden from user, Local: FOLDERID_LocalAppData / CSIDL_LOCAL_APPDATA

Windows 7 example: C:\Users\username\AppData\Local

Windows XP equivalent: C:\Documents and Settings\username\Local Settings\Application Data

Hidden from user, Roaming: FOLDERID_RoamingAppData / CSIDL_APPDATA

Windows 7 example: C:\Users\username\AppData\Roaming

Windows XP equivalent: C:\Documents and Settings\username\Application Data

Shared Files: Location (Symbolic Constant and Examples)

Visible to user in Explorer: FOLDERID_PublicDocuments / CSIDL_COMMON_DOCUMENTS

Windows 7 example: C:\Users\Public\Documents

Windows XP equivalent: C:\Documents and Settings\All Users\Documents

Hidden from user, Local: FOLDERID_ProgramData / CSIDL_COMMON_APPDATA

Windows 7 example: C:\ProgramData

Windows XP equivalent: C:\Documents and Settings\All Users\Application Data

More things that just changed: Default color scheme

Question:

What happens when a VB6 dev modernizes the dialog background using the first white color he/she finds (Active Title Bar Text)?

More things that just changed: Default color scheme

Occasional mistake by VB6 devs

Easy to fix (if you have the source)

.NET WinForms made themes easy to use

Oops: everyone tested only on Luna

Fortunately, we have FakeLunaTheme shim

Note: apps that work only with one theme probably violate accessibility laws

You WILL go to jail!

Push back if developer or vendor insists on Windows Classic Theme

How Good are the Tools to Find Problems?

tools

Things I Heard on the Internet About: Application Compatibility Toolkit

It's all you need for app compat!

It must be! Look at the name!

If ACT hasn't found all of your issues, you just haven't run it long enough

We compete directly with the static analysis tools vendors, and it's critical that we WIN!

Wrong!

Application Compatibility Toolkit

Great at inventory

Some agent data can be useful

at the right time

Standard User Analyzer makes folks happy

(LUA Buglight makes engineers happy)

IE Compatibility Test Tool makes some AJAX devs happy

Setup Analysis Tool makes very few people happy

Compatibility Administrator makes people with a lot of free time happy

ACT & App Compat Project Plan

[Flowchart boxes: start, ACT Inventory, Rationalize, Initial Budget, Automated Analysis Assessment, Refine Budget, Install Manual Test, Runtime Manual Test, User Manual Test, Detailed Automated Analysis, Remediate, Ready to Deploy, end. Decision points: "App Install Green?" (Yes/No) and "App Run Green?" (Yes/No).]

Things I Heard on the Internet About: Static Analysis

Finds and fixes 95% of all problems with all software ever made by anyone anywhere!

Humans are no longer a necessary part of the process

Static analysis is expensive and not worth the money unless it does all of the above

Wrong!

Static Analysis Reality

These tools average 90-95% at telling you if the app as a whole will work

False green is the primary accuracy issue

Will not detect every issue

More impact on setup, less on runtime

Complementary to ACT

ACT does inventory

ACT does runtime analysis

ACT does no better than chance at predicting application breakage for the app as a whole

Static Analysis: The Ugly

Can be hard to set up and configure

Setup has to follow written instructions or it doesn't work

Failure of any other component typically results in the app crashing or just vanishing

Never, ever use without experienced services accompanying the tools

NOT a substitute for knowledge/training!

Ensure you tune so that Red actually means "broken" and not "could be better in an ideal world"

Static Analysis: Value Proposition

Can give you the data you need to start a project with a reasonable budget

Can save millions of dollars in install testing and a percentage reduction in runtime testing

Run the numbers!

Static Analysis & App Compat Project Plan

[Flowchart boxes: start, ACT Inventory, Rationalize, Initial Budget, Automated Analysis Assessment, Refine Budget, Install Manual Test, Runtime Manual Test, User Manual Test, Detailed Automated Analysis, Remediate, Ready to Deploy, end. Decision points: "App Install Green?" (Yes/No) and "App Run Green?" (Yes/No).]

How Good are the Tools to Fix Problems

tools

Things I Heard on the Internet About: Shims

Shims are scary and unpredictable

Shims reduce the security of the system

Shims are unsupported

Shims fix everything

Shims are useful only in the hands of ShimFreaks

SHIMS is an acronym for ?

Software Happens to Implode Magically Solve?

See How I've Misdirected Sneakily?

Wrong!

What Are Shims?

Applied to specific apps

Configured with ACT tools

Deployable to enterprise

Changes what the app thinks it sees

Does not change what app is allowed to do

What Are Shims Good For?

Great for many kinds of bugs:

Bad Windows version checks

Writing to HKCU at runtime

Unnecessary checks for "am I admin?"

Writing to WRP-protected keys and files

Windows thinks your app is an installer

Some file/registry redirections

Shims: The Rest of the Story

Some considerations

Not all general purpose shims have the same customer love applied in their creation

The tools are primitive

Shims management not integrated into other management tools (e.g. Group Policy)

You can do a lot with just the Top 10 shims

But becoming a shim ninja takes time and much practice

Virtualization

the V word

Things I Heard on the Internet About: Application Virtualization

If you can't fix it with shims, you can just use App-V and sequence it on XP!

App-V fixes app-to-OS bugs

You can't shim App-V applications

Wrong!

Application Virtualization

Formerly SoftGrid; now part of MDOP

Isolates apps from one another

Does not isolate it from the OS

Side effects (not really advertised):

Apps can write anywhere in the registry

Apps can be allowed to write to specific files in protected locations

Apps actually write to private copies

NOTE: May not be true in future versions of App-V

Yes, you can shim sequenced apps

Application Virtualization

Lots of goodness beyond app-compat

Licensing, deployment

Key part of larger virtualization vision

Things I Heard on the Internets About: MED-V

Migrate to Windows 7 today

Put all of your apps in MED-V

No need to worry about app compat!

Wrong!

What is MED-V? Microsoft Enterprise Desktop Virtualization

Machine virtualization solution

App actually runs on an XP OS

User sees only the app window

Centrally managed

Part of MDOP

Compelling IE6 app compat story

Seamless redirection of the browser

MED-V: Microsoft Enterprise Desktop Virtualization

Please, use it as a backstop, not as the plan of record

Requires an exit strategy

How and when to lose XP dependency

Once a VM is deployed, it needs to be managed like any physical machine

Makes a great "if all else fails" strategy

v1 SP1 coming soon; v2 dates not set yet

Neither v1 nor v2 requires Hardware Assisted Virtualization (HAV)

MED-V v2 TAP starting soon! Email [email protected] if you are interested in participating!

Things I Heard on the Internet About: XP Mode

If the app fails, just run it in XP Mode!

XP Mode fixes everything!

As long as you maintain your Windows 7 host, XP Mode requires no maintenance or anti-malware.

XP Mode will be supported as long as Windows 7.

XP Mode is as safe as Windows 7.

People don't notice when their XP Mode My Documents is different than their Windows 7 My Documents!

XP Mode is a silver bullet! It's magic!

Wrong!

Things I Heard on the Internet About: How To Use XP Mode

Wrong!

What is Windows XP Mode?

Windows XP SP3 virtual machine

It is not a mode within Windows 7

Similar to MED-V, without manageability

License included with certain Windows 7 SKUs

Designed only for Small Business market

Install apps in the XP VM; shortcuts in the All Users Start Menu get copied to the host

Click on shortcut in host Start menu, app appears in a window

eventually

Windows XP Mode: the Good

App designed for XP actually runs on XP

Windows 7 deployment not held hostage by one app that resists other compat solutions

What it's good for:

Web apps that require IE6

Running 16-bit apps on x64

Some types of desktop apps

Microsoft Agent

Windows XP Mode: The rest of the story

You must have an explicit exit strategy

XP is out of mainstream support

Extended support ends in 2014

Resource requirements

Need RAM, CPU to support guest VM

Out of the box, requires HAV (hotfix available to support non-HAV)

Management requirements

It is a separate computer

AV, patches, policies, domain not inherited from host

VM is hibernated when not running an app

Windows XP Mode: More of that story

Apps can't interact with host desktop apps

E.g., app wants to send email

Does not have MED-V's IE6 redirection

Default XP Mode user is admin

Might conflict with enterprise policies

Things I Heard on the Internet About: Changing Security

Running as standard user on XP? You're probably modifying ACLs. There's nothing wrong with doing that forever

Security settings that break stuff can't be turned off

If I have given the Users group SeBackup, SeRestore, and SeLoadDriver, oh, and write access to Program Files, it's OK, because they're standard users

Wrong!

Changing Security

Only if other options don't work

Loosen file or registry permissions

Allow interactive user to start/stop a particular service or driver

Disable an IE security feature (e.g. DEP)

Must be done surgically

Least amount of additional privilege on the smallest number of objects

Changing Security

Benefits:

Results often more predictable than with shims

Drawbacks:

Risk of elevation of privilege

Risk of system instability

Requires threat modeling: hard to do right

Changing Security: How some did standard user on XP

ACL loosening scripts

Most required fixes are now automatic

Installing apps to writable folders

Exposes EoP and infection risks

Granting admin-equivalent rights

(What could possibly go wrong?)

We can help

App doesn't work, now what? What are those geeks doing?

Make sure they don't debug what they don't plan to fix (support required)

Layer debugging and remediation

Tier 1: get the repro, run scripted tests of common solutions

Tier 2: leverage tools, configure basic fixes

Tier 3: deep debugging, complex remediation (typically just a few per customer)

Important: efficient handoff between IT Pros and Developers

Who Is There to Help Me?

Plan

MCS Desktop Application Compatibility Strategy

Collect

MCS Desktop Application Compatibility Remediation

ACF Engagement

Analyze

MCS Desktop Application Compatibility Remediation

ACF Engagement

Test and Remediate

MCS Desktop Application Compatibility Remediation

ACF Engagement

AE SWAT Workshop

Premiere App Compat for the Enterprise / Developers

CSS CAST

What can you do?

Turn UAC back on

No, really, turn UAC back on

STOP building Microsoft Agent applications!!!

Come on, you just turned UAC back off. I saw that!

What can you do?

Don't seek silver bullets

Make sure you're not writing apps today which will become incompatible

Start thinking about the problem today

Get your developers running your future platform early

Additional Resources

Application compatibility portal: http://technet.com/appcompat

Find whether apps/hardware are compatible: http://www.microsoft.com/windows/compatibility
