Slide1
Windows 7 AppCompat
Lynn Langit
http://blogs.msdn.com/SoCalDevGal
Microsoft – Developer Evangelist
Slide2
Few Changes: Most software that runs on Windows Vista® will run on Windows® 7 – exceptions will be low-level code (AV, Firewall, Imaging, etc.). Hardware that runs Windows Vista well will run Windows 7 well.
Few Changes: Focus on quality and reliability improvements
Windows 7 Builds on Windows Vista
Deep Changes: New models for security, drivers, deployment, and networking
Slide3
AppCompat & LightUp
from XP to Win 7
  User Account Control
  Services Isolation
from Vista to Win 7
  Version checking
  High DPI
  Low level binary changes
UX
  Taskbar
  Libraries
Internals
  Trigger Start Services
  Timer Coalescence
New hardware
  Multi touch
  Sensors
Slide4
From XP to Windows 7
http://code.msdn.microsoft.com/XP2Win7
Slide5
The Application
Image Viewer
WPF Application
Runs on XP, Vista, Win7
On XP basic functionality with no special OS features
  Manually Create album
  Crawler (expensive) Service searching images
  Change Skin
  Reset DB / Reset configuration
Lights Up on Windows 7
Slide6
Application Running on XP
Slide7
The Application Running on 7
Enhancing an existing Windows XP application with Windows 7 features
  IO Background Priority
  Libraries
  Trigger Start Services
  Power Management
  Command Links
  Scheduled Tasks
  PowerShell 2
  Windows 7 Multitouch
  Windows 7 Sensors
  Other…
  Application Restart and Recovery
  Preview Handlers
  Windows Search
  Windows 7 Event Tracing
  User Account Control
  Windows 7 Taskbar
  Transactional NTFS
  Microsoft Management Console Snap-In
Slide8
Application Running on 7
Slide9
Demo
Photo Viewer on Windows 7
Slide10
Compat - New Folder Locations
“My Documents” folder structure has changed
The user data is now stored in: ‘\users\%username%\’ folder structure
Pictures, Music, Documents, Desktop, and Favorites are all new folders directly under this structure
The “My ” prefix was dropped from Documents, Music, etc.
“All Users” became “Public” and “\ProgramData”
My Documents still exists as a directory junction
Use the SHGetKnownFolderPath APIs
Slide11
Compat - Application Data Best Practices
Where to put your data:
  Place per-user configuration data into %LOCALAPPDATA% (Roaming into %APPDATA%)
  Place Per-Machine (Shared) configuration data into %ALLUSERSPROFILE% (e.g. c:\ProgramData)
  Per-Machine (Shared) user documents into %PUBLIC%
  Per user documents go to %USERPROFILE%
Slide12
Compat - User Account Control
Applications run as Standard User by default
Standard User has some permissions
  Run most applications
  Change per user settings
Standard User can NOT do many things
  Install applications
  Change system components
  Change per machine settings
  Admin “privileges”
Slide13
Windows UAC
All users run as Standard User by default
Filtered token created during logon
Only specially marked apps get the unfiltered token
Explicit consent required for elevation
Predictable shell elevation paths
High application compatibility
Data redirection
Enabling legacy apps to run as standard user
Installer Detection
Slide14
UAC Architecture
[Diagram labels: Abby; Admin logon; “Standard User” Token (Standard User Rights); Admin Token (Administrative Rights)]
Slide15
UAC Architecture
[Diagram labels: Abby; Standard User Mode; Standard User Rights; Administrative Rights; User Process with Standard User Privilege: Change Time Zone, Run IT Approved Applications, Install Fonts, Install Printers, Run MSN Messenger, Etc.]
Slide16
UAC Architecture
[Diagram labels: Abby; Admin Privileges; Standard User Rights; Administrative Rights; User Process with Standard User Privilege: Change Time Zone, Run IT Approved Applications, Install Fonts, Install Printers, Run MSN Messenger, Etc.; Admin Process with Admin Privilege: Install Application; Admin Process with Admin Privilege: Configure IIS; Admin Process with Admin Privilege: Change Time]
Slide17
Consent UI
OS Application
Unsigned Application
Signed Application
Slide18
Credential UI
Slide19
UAC Split Tokens
Demo
Slide20
Designing for UAC
1st Choice: Make application run as Standard User only
2nd Choice: Clearly identify Administrative tasks
Ensure Standard users can be fully productive
Identify tasks that need elevation with a “shield”
Slide21
UX: The Shield
Attached to controls to indicate that elevation is required to use their associated feature
Has only one state (i.e. no hover, disabled etc.)
Does not remember elevated state
Not an unlock operation
Can be programmatically set:
    HICON shieldIcon = LoadIcon(NULL, IDI_SHIELD);
    SendMessage(button, BCM_SETSHIELD, 0, TRUE);
or using the macro in Commctrl.h:
    Button_SetElevationRequiredState(commandLink, TRUE);
Slide22
Security Shield UI Examples
Slide23
Application Manifests
Vista-aware applications embed an XML manifest
Manifest contains a RequestedExecutionLevel:
  asInvoker
    Launch with the same token as the parent process
  highestAvailable
    Launch with the highest token this user possesses
  requireAdministrator
    Highest token of the User provided User is a member of Administrators group
Slide24
Finding/Solving UAC Issues
Do you?
  Write to Program Files, Windows, System32, HKLM/Software, or Root?
  Create anything “globally”
  Use Windows messages between isolation levels
Try
  Running the application “As Administrator”
  Testing with UAC off
Tools
  Process Monitor
  Standard User Analyzer
Slide25
Windows Services Basics
Started and managed by Service Control Manager
Controlled by SCM
  Starting and stopping services
    Disabled, Manual and Automatic
  Managing running services
  Maintaining service-related state information
    Started – Stopped - Paused
Services can run in their own process or shared hosted process (e.g. svchost.exe)
Slide26
Services and Security
Attractions for malware
  May be configured to auto start on boot
  Potential to run from boot without using well known auto-start methods
  Often run in highly privileged contexts
As mentioned, runs outside of UAC and enables app to potentially take control of UAC behavior (e.g. MSI)
Services can run in their own process or shared hosted process
Slide27
Sessions in XP/W2K/WS03
[Diagram labels: Session 0; Window Station; Desktop; Screen Saver; Login; Services; 1st User’s Window (three times); Shatter Attack]
Slide28
Sessions in Win7/Vista/Windows 2008
[Diagram labels: Session 0; Window Station; Desktop; Service; Service; Session 1; Window Station; Desktop; Screen Saver; Login; 1st User’s Window (three times); Secure]
Slide29
Session 0 Isolation
demo
Slide30
Service Hardening
Windows XP services made great attack vectors:
  Running in shared session, usually w/high privilege
  Sometimes w/UI (interactive services)
  So we had Shatter Attacks
  good reasons to have Service Isolation in session 0 and Mandatory Integrity Control
Windows Vista and 7
  Services run outside of UAC
  ISVs may be tempted to circumvent OS security
  The potential attack surface has lessened so services are a more attractive target
Slide31
Three Service Hardening Designs
Services need to run least privileged
Services can now have their own SID
This can be used to lock down / sandbox the resources that the Service has access to
Good
  Move to a least privilege account.
  Refactor services into two parts where necessary.
  Privilege stripping on a per-service basis.
Better
  Grant Service Sid access via ACLs on service specific resources.
Best
  Use Service-SID, ACLs and “write-restricted token” to isolate services.
  Supply network firewall rules.
Slide32
Perf Enhance - Trigger Start Service
New in Windows 7 - SCM registers for system events via interesting providers:
  Device arrival
  IP address
  Domain join and leave
  Group policy updates
  Custom Event Tracing for Windows event
SCM starts or stops registered services:
  TabletInputService started only if digitizer is present
  StorSvc starts when group policy updates are applied, automatically stops
Slide33
Trigger Start Examples
Service Name | Description | Trigger Type
AELookupSvc | Processes application compatibility cache requests for applications as they are launched | Custom ETW
BDESVC | Provides BitLocker client services for user interface and auto-unlocking of data volumes | Custom ETW
BTHSERV | The Bluetooth service supports discovery and association of remote Bluetooth devices. | Device
SensorsMTPMonitor | Monitors MTP (Media Transfer Protocol) sensors (such as a cell phone with a GPS receiver) to communicate sensor data to programs | Device
TabletInputService | Enables Tablet PC pen and ink functionality | Device
WinDefend | Protection against spyware and potentially unwanted software | Group Policy
Slide34
Service or Scheduled Task?
Windows Service
  Continuous activity from boot to shutdown
  Service Control Manager (SCM) programming model
  Can specify dependency
Scheduled Task
  Short duration action
  Idle activity
  Take action on user login
  Standalone executable or out-of-process COM server
  Generally execute in user session
Slide35
Compat - Operating System Version
Windows 7 is … Windows 6.1? (for Vista Compat)
  dwMajorVersion stays the same
  dwMinorVersion changes
Remediation
  Check for features, not versions
  If checking for version, then use the > key (check the OS version as >= so that your app can work on future releases of the OS)
Version lies
Slide36
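The version-check remediation from the Operating System Version slide, as an added example that is not part of the original deck: two common broken checks beside a correct ">=" comparison. The os_version struct is a stand-in holding only the dwMajorVersion and dwMinorVersion fields named on the slide, and the sample versions (XP 5.1, Vista 6.0, Windows 7 6.1) are constructed inputs.

```c
#include <stdbool.h>
#include <stdio.h>

/* Stand-in for the two version fields the slide names, so the comparison
   logic runs on any platform (assumption: not the real Win32 structure). */
typedef struct {
    unsigned long dwMajorVersion;
    unsigned long dwMinorVersion;
} os_version;

/* Broken: exact match. Written for Vista (6.0), refuses Windows 7 (6.1). */
bool check_exact(os_version v, unsigned long maj, unsigned long min) {
    return v.dwMajorVersion == maj && v.dwMinorVersion == min;
}

/* Broken: each field compared on its own. Written for XP (5.1), it
   refuses Vista (6.0) because the minor field 0 is less than 1. */
bool check_fieldwise(os_version v, unsigned long maj, unsigned long min) {
    return v.dwMajorVersion >= maj && v.dwMinorVersion >= min;
}

/* Correct: compare (major, minor) as one ordered pair, so any later
   release passes a check written for an earlier one. */
bool check_at_least(os_version v, unsigned long maj, unsigned long min) {
    if (v.dwMajorVersion != maj)
        return v.dwMajorVersion > maj;
    return v.dwMinorVersion >= min;
}

int main(void) {
    /* Constructed sample versions. */
    const struct { const char *name; os_version v; } os[] = {
        {"Windows XP", {5, 1}}, {"Windows Vista", {6, 0}}, {"Windows 7", {6, 1}},
    };
    for (size_t i = 0; i < sizeof os / sizeof os[0]; i++) {
        printf("%-14s exact(6.0)=%d fieldwise(5.1)=%d at_least(5.1)=%d\n",
               os[i].name,
               check_exact(os[i].v, 6, 0),
               check_fieldwise(os[i].v, 5, 1),
               check_at_least(os[i].v, 5, 1));
    }
    return 0;
}
```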
Compatibility Tab
Layers
Slide37
Shim Application
Implements Windows API hooks
Shim engine is responsible for applying the shims
Slide38
How Shims are Loaded
Shims are applied per executable
Run initialization routines
Shim engine applies API hooks
Loader maps executable and statically linked DLLs into memory
Slide39
Compat – Misc Regressions
Removal of Windows Mail
Removal of Windows Movie Maker
NLS Sorting Changes
Internet Explorer 8 - User Agent String
Removal of Windows Registry Reflection
Removal of WPDUSB.SYS Driver for Windows Portable Devices
Microsoft Message Queuing (MSMQ)
Slide40
Problem Step Recorder
%windir%\system32\psr.exe
Allows testers and users to track, step by step, exactly what an application is doing, creating an .mht file with screenshots illustrating the bug reproduction
Creates a .zip file containing an .mht file
Integrated with Dr. Watson for Windows
Slide41
This Was Very Surprising To Us…
Monitor Max Resolution | % Set to Maximum
1280X1024 | 56%
1400X1050 | 79%
1600X1200 | 32%
1680X1050 | 66%
1920X1050 | 39%
1920X1200 | 78%
Avg. set to default | 55%
Details: Users with Max Resolution of 1600X1200
User's Chosen Resolution | % using that resolution
640X480 | 1%
800X600 | 7%
1024X768 | 57%
1280X1024 | 3%
1600X1200 | 32%
Total | 100.00%
Almost half of all users are not configuring their display to maximum resolution (!)
Users are lowering their screen resolution to get larger text…
Slide42
High DPI - Why Do We Care?
Non-native resolution negates the value of high fidelity displays
  Text looks blurry because ClearType requires native resolution
  Can’t display native high def content
    720p high definition video requires 1280x720 resolution
    1080p requires 1920x1080
    1.9 megapixel photos require 1600x1200 native
Many people accidentally select a non-native aspect ratio
  Pixelated content does not take advantage of the display
  Non-native aspect ratio settings “squish” content
Slide43
High DPI Issues
Clipped Text
Layout Issues & Image Size Issues
Pixelated Bitmaps
WinForms Issues
Blurry UI
Mismatched Font Sizes
Slide44
Graphics Improvements in Windows 7
New
Slide45
Graphics APIs for Rich Client Applications
[Diagram labels: GDI; GDI+; DirectX; WPF; Native Development; Managed Development; Hardware Acceleration; Immediate Mode; Primarily Rendering; Input, Focus, Events, Controls]
Slide46
DirectX: When the application needs control over features and performance
WPF: When the application needs richness but needs to be built quickly and there is no need for fine grained control over hw performance and features
GDI: When the application needs to work on all Microsoft OSs and the lowest common denominator functionality is sufficient
When to use which API
Increasing HW Exploitiveness
Slide47
Advancing the platform
Area | Existing API(s) | Challenges |
3D | D3D3…D3D10 | Not always available: No HW, Server, Remoted | Direct3D 10.1
2D | GDI, GDI+ | Quality, Performance | Direct2D
Text | GDI | Quality, Not up to date | DirectWrite
Imaging | GDI, GDI+, WIC | Extensive format support, Security | Updated WIC
Device Control | GDI | Outdated notion of HW config | DXGI 1.1
Slide48
Direct2D
Direct3D
Segoe UI
DirectWrite
DXVA & WIC
Graphic Improvements
Windows 7 DWM memory consumption is cut by 50% per window
Take advantage of the GPU’s computation power
High-DPI support & High Color
Windows 7 DWM uses Direct3D10.1 API
Slide49
Direct2D And DirectWrite
New APIs in Windows 7 Win32 developers
  Interoperability
  Usable in service context
Direct2D
  2D graphics rendering tasks
  Increased performance and visual quality
DirectWrite
  Vertical stack for text services
  Fonts, Script Processing, Layout
Slide50
Direct2D: New in Windows 7
Rendering Focused Immediate Mode API: 2D Vectors & Geometry, Bitmaps & Text
Hardware & Software Pipelines
Built for Performance on Direct3D 10.1
Interoperable with Direct3D & GDI
High Quality Rendering:
  Per Primitive Anti-Aliasing & MSAA via Direct3D
Remoted via Direct3D 10.1
Printing support via XPS
Slide51
Direct2D Performance
demo
Slide52
DirectWrite
Modern Typography
Enables world-wide applications
ClearType advances
Works with any rendering technology
Hardware accelerated via Direct2D
Best reading experience for the PC
Slide53
Gabriola
Slide54
DirectWrite
demo
Slide55
Call to Action: Fundamentals
Slide56
Windows 7 Readiness Programs
Make sure your applications work with Windows 7
Allow MS to tell our customers about your Apps
  Publish your support policy for Windows 7
  List your solutions on the Compatibility Center
Get the Windows 7 Logo
  Focused on Compatible Applications
  Simple Process – No 3rd party testing required
http://connect.microsoft.com/InvitationUse.aspx?ProgramID=2872&SiteID=704&InvitationID=Win7-K86V-HW3G
Slide57
Resources
Cookbooks
  “Application Compatibility Cookbook”
  “Windows 7 Application Quality Cookbook”
MSDN Application Compatibility: http://msdn.microsoft.com/en-us/windows/aa904987.aspx
TechNet Windows Application Compatibility: http://technet.microsoft.com/en-us/desktopdeployment/bb414773.aspx
DevReadiness.org
Channel 9: http://channel9.msdn.com/tags/Application+Compatibility/
Slide58
Track Resources
Windows 7 RC Training for Developers
Windows content on Channel 9
Windows 7 Developer Center on MSDN
Windows Application Compatibility Roadmap
Windows 7 Blog for Developers
My blog series – http://blogs.msdn.com/SoCalDevGal #Win7DevSeries
My MSDN show – MSDN geekSpeak
My Facebook group ‘Windows 7 Developers’
Links, Video & Screencasts
Slide59
Related Content
Breakout Sessions
  WCL201 Developing for Windows 7
  WCL301 Windows Application Readiness for Developers
  WCL302 Optimizing Your Application for the Windows 7 User Experience
Whiteboard Session
  WTB215 Windows Client Development Discussion
Hands-on Lab
  WCL08-HOL Windows 7: Mitigating Application Issues Using Shims
Slide60
www.microsoft.com/teched
International Content & Community
http://microsoft.com/technet
Resources for IT Professionals
http://microsoft.com/msdn
Resources for Developers
www.microsoft.com/learning
Microsoft Certification & Training Resources
Resources
Tech·Ed Africa 2009 sessions will be made available for download the week after the event from: www.tech-ed.co.za
Slide61
Required Slide
Complete a session evaluation and enter to win!
10 pairs of MP3 sunglasses to be won
Slide62
© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation.
MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.