© Copyright 2009 Microsoft Corporation. Alle Rechte vorbehalten. MSDN Webcasts: //.

Seamless integration in Windows 7Peter Kirchner Program Manager ISV, Microsoft [email protected]

© Copyright 2009 Microsoft Corporation. Alle Rechte vorbehalten.

MSDN Webcasts: http://www.msdn-online.de/webcasts

Agenda

Application Compatibility» Compatibility Issues XP Vista Win 7» User Account Control» Internet Explorer Protected Mode» Mandatory Integrity Control» Background Services» High DPI

New Windows 7 Features

© Copyright 2009 Microsoft Corporation. Alle Rechte vorbehalten.

MSDN Webcasts: http://www.msdn-online.de/webcasts

Top AppCompat Issues

• Moving from XP to Win 7• Version checking• Services Isolation• User Account Control

• Moving from Vista to Win 7• High DPI• Low level binary changes

Windows Vista to Windows 7

• Application Compatibility is a main goal• Very few breaking changes

• If your app works on Vista, it will likely work on Windows 7

• …but there are a few things to verify

Version Checking

• Applications check Windows OS version and block themselves

• If absolutely needed, check for >= OS version

• Don’t block.

• Present a warning message

• Allow applications to continue

• Check for existence of specific features if

that is important

• Windows 7 is version 6.1

Service Isolation

Session 0

Window StationDesktop

Screen Saver

Login

Sessions in XP/W2K/WS03

Services

1st User’sWindow

1st User’sWindow

1st User’sWindow

Shatter Attack

Sessions in Vista/Windows 7Session 0

Window StationDesktop

Service

Service

Session 1

Window StationDesktop

Screen Saver

Login

1st User’sWindow

1st User’sWindow

1st User’sWindow

Secure

Service Isolation

demo

User Account ControlOverview

User Account Control – Why?

• Applications run as Standard User by default• What is a Standard User?

Allowed

• Run most applications

• Change per user settings

Not Allowed

• Install applications

• Change system components

• Change per machine settings

• Admin “privileges”

UAC Architecture

“Standard User” Token

Admin TokenAbby

Admin Token

AppAdmin Token

Child App

Standard User Token

AppStandard

User TokenChild App

Standard User Token

UAC OTS Elevation

Protected Administrator System Administrator

explorer.exe AppInfo Service

consent.exe

elevatedapp.exeRPC

Reparented

ShellExecute(elevatedapp.exe) CreateProcessAsUser(elevatedapp.exe)

UAC: OTS Dialogs

Standard User Platform Fixes

UAC Split Tokens

demo

Legacy Applications

Setup DetectionWhy is my app running elevated?» We think it’s an installer!

Specific InstallerGeneric InstallerSpecific Noninstaller

Data Redirection• This is a intended for existing legacy applications

and will be removed in a future OS version• 32-bit legacy interactive applications that write to

administrator locations• HKLM\Software; • %SystemDrive%\Program Files• %WinDir%\System32

• Redirected to:• HKCU\Software\Classes\VirtualStore• %LocalAppData%\VirtualStore\

• Redirection removes need for elevation• Writes to HKLM go to HKCU redirected store• Writes to system directories redirected to per-

user store• When running 32-bit applications on x64,

WOW64…

File and Registry Virtualization

Client onlyLegacy applications only32-bit applications only“Sticky”Non-elevated apps onlyMultiple copies of filesDoesn’t apply to executable files

Data Redirection and explorer

Data Redirection

demo

Shims?

Windows components change to support:» New technology» Bug fixes» Strategy changesOS changes may fix some, break othersSimulate previous Windows ONLY for an app

Application Windows

How Shims Work

Shim DLL

ImportFunction

ExportFunction

ImportFunction

ExportFunction

Compatibility Modes (Layers)

Collection of shims to address scenarios» Emulating a specific OS» Compatibility conditionSome shown on the compatibility tab

Vista / Win 7 “Aware” Application• Vista/Win 7-aware applications embed

an XML manifest• Disables all mitigations• Manifest contains a

RequestedExecutionLevel:

asInvoker Launch with the same token as the parent process

highestAvailable Launch with the highest token this user possesses

requireAdministrator Highest token of the User provided User is a member of Administrators group

Internet ExplorerProtected Mode

Access Check – HistoricallyThree inputs

Request Access:

Read + Write

Request Access:

ReadRead

Access Token:• Who I am• Groups• Privileges

Security Descriptor:• Object Owner• Discretionary ACL

“Toby”Groups:• Users

DACL:• Users: Read• Admins: Full Ctrl

Access Check – Historically"Who am I" – based solely on Identity

Request Access:

Read + Write

Request Access:

Read + WriteR+W

Internet Explorer + 3rd party add-ons

MS Money

Toby’s Startup folder

R+W

Mandatory Integrity Control (MIC)

Access control model extendedPrimary purpose is to block modifications» Protect INTEGRITY» Not to prevent information disclosure

Object can have an integrity label» Stored in its Security Descriptor

Processes run at an integrity level (IL)» Stored in its Access Token

Integrity LevelsFour primary integrity levels

Level Typical process

System Services

High Elevated user apps

Medium Normal user apps – default

Low IE Protected Mode

Integrity LabelsEvery securable object has oneIncludes Level and PolicyPolicies can include:» No-Write-Up: Lower IL can’t write to object» No-Read-Up: Lower IL can’t read object» No-Execute-Up: Lower IL can’t execute object

No label = Medium + No-Write-UpProcesses are No-Write-Up + No-Read-Up

Access Check – With MIC"Who am I" – Identity + trust level

Request Access:

Read + Write

Request Access:

Read + WriteR+W

Internet Explorer[LOW IL]

MS Money[Medium IL]

Toby’s Startup Folder

Medium (NW)

Window Messageswindows are message-driven objectsMessages tell the window what to do or what occurred» “Redraw yourself”» “Set your text content to this”» “Copy your text content to this memory buffer”» “The ‘Enter’ key was pressed”» “The mouse moved to location (x,y)”

Sent from any thread on the same desktopArchitecture goes back to Windows 1.0» windows have no security descriptors!

Window Messaging

HWND 00040650SendMessage 00040650 WM_COMMAND/BM_CLICK

FindWindow “Calculator”

Program 1

Window Manager

Program 2

User Interface Privilege Isolation (UIPI)

Builds on Mandatory Integrity ControlWindow manager looks at IL of sender and receiver processesDoes not allow lower IL process to send messages to a higher IL process» Certain messages are allowed (mostly “read”

ops)» Higher IL process can define more exceptions

uiAccess bypasses this

Bypassing UIPIAccessibility apps need to drive all appsThese apps exempted from UIPI restrictionsMust be» Manifested with uiAccess=true» Installed in “secure” location (e.g., ProgramFiles)» Signed by trusted publisher

ChangeWindowMessageFilter API

Background Services

Impact of Background ActivitiesMany Activities in the Background

Performance• Responsiven

ess• Consumes

resources• Boot,

Shutdown, Logoff, etc.

Reliability• Memory

leaks• System

crashes & hangs

• Dependent application crashes

Security• Greater

Attach Surface

• System privileges

• Successful attack may compromise entire system

Power consumption• Extra disk,

CPU utilization

• Decrease in battery life

• Prevents idle efficiencies

Service Startup TypesBefore Windows Vista

Auto-Start» Your service is always there» Launched as part of the boot sequence• Startup time• “footprint”

Demand-Start» You must programmatically launch the

serviceProblems?» Auto-start adds latency to boot/shutdown,

always consumes resources …» Demand-start is hard to program against

Delayed Auto-Start ServicesIntroduced in Windows Vista

Sure, they are auto-start, but …But the system waits before starting them» Approximately 2 minutesRuns their ServiceMain at lowest priorityResults:» Improves boot/logon latency» Very appropriate for non-critical services:• Windows Update

Trigger-Start ServicesIntroduced in Windows 7

The service should be running only if it has something to do» Network-related service without

connectivity» USB-related service without USB devices» File transfer service with firewall port

closed

Trigger-start services are started when needed» Responsible for stopping when idle or

done

Trigger-Start ServicesIntroduced in Windows 7

Available service triggers:» Device interface arrival» Domain join or leave» Firewall port opened or closed» Group policy change» First IP address available» Custom ETW event

High DPI

This Was Very Surprising To Us…

Monitor Max Resolution

% Set to Maximum

1280X1024 56%1400X1050 79%1600X1200 32%1680X1050 66%1920X1050 39%1920X1200 78%Avg. set to default 55%

User's Chosen

Resolution

% using that resolution

640X480 1%800X600 7%1024X768 57%1280X1024 3%1600X1200 32%

Total 100.00%

Details Users with Max Resolution of 1600X1200

Almost half of all of users are not

configuring their display to maximum

resolution (!)

Users are lowering their screen resolution to get larger text…

High DPI

• Windows 7 clean install determines DPI by heuristics

• Try• Running with at least at a DPI of 125%

• Guidance• Fix issues and declare you are DPIAware

High DPI Issues

Clipped Text

Layout Issues & Image Size Issues

Pixilated Bitmaps

WinForms Issues

Blurry UI Mismatched Font Sizes

High DPI Test MatrixHigh level functional test pass, including install and uninstall, at the following settings:

Setting What to look for1024x768 @ 120 DPI* This is an effective resolution of ~800x600, so look for UI

clipped off the screen or layout issues. Also look for pixilated bitmaps and icons.

*NOTE: if your app requires 1024x768, then do this test at 1280x960.

1600x1200 @ 144 DPI Blurry UI. Verify that all mouse operations work, especially drag and drop operations. Also verify full-screen modes work properly

1600x1200 @ 144 DPI with DPI Virtualization Disabled from DPI UI -> Custom -> use XP Style Scaling

Often buttons and UI won’t scale in relation to larger text and there will be significant text clipping. Look for layout issues in general and pixilated bitmaps and icons.

Recommendation: Write a list of the issues identified, best is to add them to your bug DB with a High DPI tag for later validation. Integrate a variety of configurations into all future test passes. Also see references for link to whitepaper on how to remedy issue you find.

New and updates APIs in Windows 7Active Directory Rights Management Services Biometric Service API COM Core Windows Enhanced Storage Enhanced Taskbar Event Tracing for Windows (ETW) Extended Linguistic Services File Server resource Manager Hardware Counter Profiling Hyper-V Internet Explorer Location API Mobile Broadband Native Wifi Network Share Management Packaging Parental Controls

Peer Distribution Performance Counters Power Management Scenic Animation Sensor API Virtual Disk Service Virtual Hard Disk Volume Shadow Copy Service Windows Connect Now Windows Error Reporting Windows Event Log Windows Gadget Platform Windows Installer Windows Scenic Ribbon Windows Touch Windows Troubleshooting Platform Windows Web Services XPS Documents

Developer Ressources

Windows 7 SDK

Windows API Code Pack

Windows 7 Training Kit

Windows SDK Tools, code samples, documentation, compilers, headers and libraries to create Win 32 applications

Generally, you should use the last version of the Windows SDK

Link: http://msdn.microsoft.com/de-de/windows/bb980924.aspx

Blog of the Windows SDK Team: http://blogs.msdn.com/windowssdk/

Windows API Code Packfor Microsoft .NET Framework

Windows API Code Pack

The Windows API Code Pack for Microsoft .NET Framework contains libraries that support development for the new Windows 7 features

Link: http://code.msdn.microsoft.com/WindowsAPICodePack

Windows 7 Training Kit

The Windows 7 Training Kit contains presentations, hands-on-labs und demos to leverage the new Windows 7 features Focus on migration topics

Link: http://www.microsoft.com/downloads/details.aspx?FamilyID=1C333F06-FADB-4D93-9C80-402621C600E7&displaylang=en

The New Taskbar

…and beyond

demo

Taskbar Buttons

Consolidation:» Quick launch» Notification area icon» Desktop shortcut» Running application windows

RunningNot

running

Multiple windows + hoverActive

Jump List

It’s a mini-Start Menu

Jump ListsA Detailed Look

Destinations(“nouns”)

Tasks(“verbs”)

Known categories

Custom categories

User Tasks

Taskbar Tasks

Pinned category

Jump ListsDesign Considerations

Surface key destinations and tasks» Recent and frequent are free» Pinned is also free (if users use it)» Respect items the user removes!

Addictive: You don’t look for documents anywhere else!» You also expect the common tasks to be

there

Get More From Taskbar ButtonsOverlay and Progress Icons

Consolidate: Uncluttered notification areaProvide progress and additional information through the taskbar button» It’s free if you use standard progress

dialogs

Taskbar Overlay And ProgressDesign Considerations

Notification area is now user-controlled:» Leave yourself out if possible!Use taskbar buttons for custom progress or status information

Give your application the green light!

3 steps to success» Register on

www.isvappcompat.com/de

» Use technical ressources to make your apps compatible

» Present your software in the Windows 7 – solution catalog

Microsoft BizSpark™ is a global program designed to unite Startups with resources. It is an extension to the existing Local Software Economy and academic programs, such as DreamSpark, and is delivered in partnership with the entrepreneur community providing:

© Copyright 2009 Microsoft Corporation. Alle Rechte vorbehalten.

MSDN Webcasts: http://www.msdn-online.de/webcasts

Software• Full Featured Development tools and production licenses of server products• No upfront costs (USD$100 at program exit)

Support• Community support from network and hosting partners• Professional technical support from Microsoft

Visibility• Profile and promotion on the BizSparkDB

Software

Visibility

Support

www.microsoft.com/bizspark

1

2

3

Drive new business opportunities

o WebsiteSpark Marketplace

o Partner Recruiting Portal

o Web App Gallery

Benefit from professional support and training

o Two professional support incidents per program membership for break-fix issues

o Unlimited access to technical managed newsgroups on MSDNo Unlimited program support for non-technical issueso Broad community support through partners and peers

Receive software and solutions for development and hosting

o Design Tools/Development Tools/Testing Tools:o Visual Studio® 2008 Professional Edition – 3 user licenseso Expression® Studio 2 (or 3) – 1 user licenseo Expression® Web 2 (or 3) – 2 user licenseso Windows Web Server® 2008 (or R2 when available) – 3 user

licenseso SQL Server® 2008 Web – 3 user licenses

o Production Hosting Licenses (if self-hosting)o Windows Web Server 2008 R2 (when available) – 4 processor

licenseso SQL Server 2008 Web Edition – 4 processor licenses

o Premium Web site control panel (DotNetPanel)

For Web Pros www.microsoft.com/web/websitespark

The AppCompat “Cookbooks”

• Everything else that we haven’t covered

• XP-> Vista/2008 -> Win7• “Application Compatibility Cookbook”• “Application Compatibility” on MSDN

• Vista -> Win 7• “Windows 7 Application Quality Cookbook

”

References

MSDN Application Compatibility: http://msdn.microsoft.com/en-us/windows/aa904987.aspxTechNet Windows Application Compatibility: http://technet.microsoft.com/en-us/desktopdeployment/bb414773.aspxDevReadiness.orgChannel 9: http://channel9.msdn.com/tags/Application+Compatibility/

References (IE Protected Mode)Understanding and Working in Protected Mode Internet Explorerhttp://msdn2.microsoft.com/en-us/library/bb250462.aspx

Windows Vista Integrity Mechanism Technical Referencehttp://msdn2.microsoft.com/en-us/library/bb625964.aspx

Additional References (High DPI)

Whitepaper for Writing DPI Aware Win32 Applications» http://go.microsoft.com/fwlink/?LinkID=129586

EDID Specification» http://www.vesa.org/Public/EEDIDguideV1.pdf

Information for OEMs configuring OOBE via XML Override » http://technet.microsoft.com/en-us/library/cc722301.aspx» http://technet.microsoft.com/en-us/library/cc721929.aspx

Windows 7 Engineering Blog High DPI Post» http://blogs.msdn.com/e7/archive/2008/09/13/follow-up-

on-high-dpi-resolution.aspx» http://blogs.msdn.com/e7/archive/2008/09/16/more-follow-

up-to-discussion-about-high-dpi.aspx

For more information or questions, send e-mail to» [email protected]

Q & AAsk us now

in the exhibition room in the break

or email us at

[email protected]

Slides in my blog available next week: blogs.msdn.com/pkirchner/

© 2009 Microsoft Corporation. All rights reserved. Microsoft, MSDN, the MSDN logo, and [list other trademarks referenced] are trademarks of the Microsoft group of companies.  The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation.  Because Microsoft must respond

to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. 

MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.