Seamless integration in Windows 7
Peter Kirchner, Program Manager ISV, Microsoft Germany
© Copyright 2009 Microsoft Corporation. All rights reserved.
MSDN Webcasts: http://www.msdn-online.de/webcasts
Jan 11, 2016
Agenda
Application Compatibility
» Compatibility Issues XP Vista Win 7
» User Account Control
» Internet Explorer Protected Mode
» Mandatory Integrity Control
» Background Services
» High DPI
New Windows 7 Features
Top AppCompat Issues
• Moving from XP to Win 7
  • Version checking
  • Services Isolation
  • User Account Control
• Moving from Vista to Win 7
  • High DPI
  • Low level binary changes
Windows Vista to Windows 7
• Application Compatibility is a main goal
• Very few breaking changes
• If your app works on Vista, it will likely work on Windows 7
• …but there are a few things to verify
Version Checking
• Applications check Windows OS version and block themselves
• If absolutely needed, check for >= OS version
• Don’t block.
• Present a warning message
• Allow applications to continue
• Check for existence of specific features if that is important
• Windows 7 is version 6.1
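An added example, not from the original slides: portable C that models the version comparison the Version Checking slide recommends, next to two checks that block an application on a newer OS. The `os_version` struct and all function names are illustrative; a real application would fill the struct from the operating system's version API.

```c
#include <stdbool.h>
#include <stdio.h>

/* Illustrative type; not a Win32 structure. */
typedef struct { unsigned major, minor; } os_version;

/* Anti-pattern 1: exact match. Every later release fails the check. */
bool is_exactly(os_version v, os_version want) {
    return v.major == want.major && v.minor == want.minor;
}

/* Anti-pattern 2: each field compared on its own.
   With a minimum of 5.1, version 6.0 fails because 0 < 1. */
bool at_least_fieldwise(os_version v, os_version min) {
    return v.major >= min.major && v.minor >= min.minor;
}

/* Correct: compare (major, minor) as an ordered pair. */
bool at_least(os_version v, os_version min) {
    if (v.major != min.major) return v.major > min.major;
    return v.minor >= min.minor;
}

typedef enum { START, START_WITH_WARNING } start_policy;

/* Slide guidance: do not block; warn and let the application continue. */
start_policy decide_start(os_version running, os_version min_tested) {
    return at_least(running, min_tested) ? START : START_WITH_WARNING;
}

int main(void) {
    const os_version xp = {5, 1}, vista = {6, 0}, win7 = {6, 1};
    printf("fieldwise >= 5.1 on 6.0: %d\n", at_least_fieldwise(vista, xp));
    printf("ordered   >= 5.1 on 6.0: %d\n", at_least(vista, xp));
    printf("exact 6.0 on 6.1:        %d\n", is_exactly(win7, vista));
    printf("policy on 5.1, min 6.0:  %d\n", decide_start(xp, vista));
    return 0;
}
```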
Service Isolation
[Diagram: Sessions in XP/W2K/WS03. Session 0 (Window Station, Desktop) contains the Services together with the Screen Saver, Login and the 1st User’s Windows. Labeled: Shatter Attack.]
[Diagram: Sessions in Vista/Windows 7. Session 0 (Window Station, Desktop) contains only the Services; Session 1 (Window Station, Desktop) contains the Screen Saver, Login and the 1st User’s Windows. Labeled: Secure.]
Service Isolation
demo
User Account Control Overview
User Account Control – Why?
• Applications run as Standard User by default
• What is a Standard User?
Allowed
• Run most applications
• Change per user settings
Not Allowed
• Install applications
• Change system components
• Change per machine settings
• Admin “privileges”
UAC Architecture
[Diagram: Abby logs on with an Admin Token and a “Standard User” Token. An App and its Child App run either with the Admin Token or with the Standard User Token.]
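UAC OTS Elevation
[Diagram, columns labeled Protected Administrator and System Administrator: explorer.exe calls ShellExecute(elevatedapp.exe); the request reaches the AppInfo Service over RPC; the AppInfo Service uses consent.exe and calls CreateProcessAsUser(elevatedapp.exe); elevatedapp.exe is reparented.]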
UAC: OTS Dialogs
Standard User Platform Fixes
UAC Split Tokens
demo
Legacy Applications
Setup Detection
Why is my app running elevated?
» We think it’s an installer!
Specific Installer
Generic Installer
Specific Noninstaller
Data Redirection
• This is intended for existing legacy applications and will be removed in a future OS version
• 32-bit legacy interactive applications that write to administrator locations
  • HKLM\Software
  • %SystemDrive%\Program Files
  • %WinDir%\System32
• Redirected to:
  • HKCU\Software\Classes\VirtualStore
  • %LocalAppData%\VirtualStore\
• Redirection removes need for elevation
  • Writes to HKLM go to HKCU redirected store
  • Writes to system directories redirected to per-user store
• When running 32-bit applications on x64, WOW64…
File and Registry Virtualization
• Client only
• Legacy applications only
• 32-bit applications only
• “Sticky”
• Non-elevated apps only
• Multiple copies of files
• Doesn’t apply to executable files
Data Redirection and explorer
Data Redirection
demo
Shims?
Windows components change to support:
» New technology
» Bug fixes
» Strategy changes
OS changes may fix some, break others
Simulate previous Windows ONLY for an app
How Shims Work
[Diagram: Application (Import Function) → Shim DLL (Export Function, Import Function) → Windows (Export Function)]
Compatibility Modes (Layers)
Collection of shims to address scenarios
» Emulating a specific OS
» Compatibility condition
Some shown on the compatibility tab
Vista / Win 7 “Aware” Application
• Vista/Win 7-aware applications embed an XML manifest
• Disables all mitigations
• Manifest contains a RequestedExecutionLevel:
  asInvoker: Launch with the same token as the parent process
  highestAvailable: Launch with the highest token this user possesses
  requireAdministrator: Launch with the highest token of the user, provided the user is a member of the Administrators group
Internet Explorer Protected Mode
Access Check – Historically
Three inputs
• Request Access
• Access Token: Who I am, Groups, Privileges
• Security Descriptor: Object Owner, Discretionary ACL
[Diagram: “Toby” (Groups: Users) requests access to an object whose DACL is Users: Read, Admins: Full Ctrl. Requests shown: Read + Write, and Read (result: Read).]
Access Check – Historically
"Who am I" – based solely on Identity
[Diagram: Internet Explorer + 3rd party add-ons and MS Money each request Read + Write on Toby’s Startup folder; both results are R+W.]
Mandatory Integrity Control (MIC)
Access control model extended
Primary purpose is to block modifications
» Protect INTEGRITY
» Not to prevent information disclosure
Object can have an integrity label
» Stored in its Security Descriptor
Processes run at an integrity level (IL)
» Stored in its Access Token
Integrity Levels
Four primary integrity levels
Level     Typical process
System    Services
High      Elevated user apps
Medium    Normal user apps – default
Low       IE Protected Mode
Integrity Labels
Every securable object has one
Includes Level and Policy
Policies can include:
» No-Write-Up: Lower IL can’t write to object
» No-Read-Up: Lower IL can’t read object
» No-Execute-Up: Lower IL can’t execute object
No label = Medium + No-Write-Up
Processes are No-Write-Up + No-Read-Up
Access Check – With MIC
"Who am I" – Identity + trust level
[Diagram: Internet Explorer [LOW IL] and MS Money [Medium IL] each request Read + Write on Toby’s Startup Folder, which is labeled Medium (NW); a single R+W result is shown.]
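An added example, not from the original slides: a simplified C model of the access check with MIC, using the slides' integrity levels, label policies and the Startup folder scenario. The type and function names, the right and policy bit values, and the two sample objects are constructed for illustration and are not the Win32 definitions.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified model of the slides' access check; not the Win32 API. */
typedef enum { IL_LOW, IL_MEDIUM, IL_HIGH, IL_SYSTEM } il_t;
enum { ACC_READ = 1, ACC_WRITE = 2, ACC_EXECUTE = 4 };        /* requested rights */
enum { NO_WRITE_UP = 1, NO_READ_UP = 2, NO_EXECUTE_UP = 4 };  /* label policy */

typedef struct {
    bool     has_label;    /* false: treated as Medium + No-Write-Up */
    il_t     level;
    unsigned policy;
    unsigned dacl_rights;  /* rights the DACL grants to the caller's identity */
} object_t;

/* Rights the integrity label withholds from a caller running at `caller`. */
unsigned mic_blocked(il_t caller, const object_t *o) {
    il_t     level   = o->has_label ? o->level  : IL_MEDIUM;
    unsigned policy  = o->has_label ? o->policy : NO_WRITE_UP;
    unsigned blocked = 0;
    if (caller >= level) return 0;          /* policy applies to lower ILs only */
    if (policy & NO_WRITE_UP)   blocked |= ACC_WRITE;
    if (policy & NO_READ_UP)    blocked |= ACC_READ;
    if (policy & NO_EXECUTE_UP) blocked |= ACC_EXECUTE;
    return blocked;
}

/* Identity + trust level: this model checks the label, then the DACL. */
bool access_check(il_t caller, const object_t *o, unsigned wanted) {
    if (wanted & mic_blocked(caller, o)) return false;
    return (wanted & o->dacl_rights) == wanted;
}

/* Constructed sample: Toby's Startup folder, unlabeled, DACL grants Toby R+W. */
static const object_t startup_folder = { false, IL_MEDIUM, 0, ACC_READ | ACC_WRITE };
/* Constructed sample: a Medium process object (No-Write-Up + No-Read-Up). */
static const object_t money_process =
    { true, IL_MEDIUM, NO_WRITE_UP | NO_READ_UP, ACC_READ | ACC_WRITE };

int main(void) {
    printf("IE (Low) R+W on folder:      %d\n",
           access_check(IL_LOW, &startup_folder, ACC_READ | ACC_WRITE));
    printf("IE (Low) R on folder:        %d\n",
           access_check(IL_LOW, &startup_folder, ACC_READ));
    printf("Money (Medium) R+W on folder: %d\n",
           access_check(IL_MEDIUM, &startup_folder, ACC_READ | ACC_WRITE));
    printf("IE (Low) R on Money process: %d\n",
           access_check(IL_LOW, &money_process, ACC_READ));
    return 0;
}
```

The Low caller can still read the unlabeled folder, which matches the slide's point that MIC protects integrity rather than preventing information disclosure.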
Window Messages
Windows are message-driven objects
Messages tell the window what to do or what occurred
» “Redraw yourself”
» “Set your text content to this”
» “Copy your text content to this memory buffer”
» “The ‘Enter’ key was pressed”
» “The mouse moved to location (x,y)”
Sent from any thread on the same desktop
Architecture goes back to Windows 1.0
» Windows have no security descriptors!
Window Messaging
[Diagram: Program 1 calls FindWindow “Calculator” and the Window Manager returns HWND 00040650; Program 1 then calls SendMessage 00040650 WM_COMMAND/BM_CLICK, which the Window Manager passes to Program 2.]
User Interface Privilege Isolation (UIPI)
Builds on Mandatory Integrity Control
Window manager looks at IL of sender and receiver processes
Does not allow lower IL process to send messages to a higher IL process
» Certain messages are allowed (mostly “read” ops)
» Higher IL process can define more exceptions
uiAccess bypasses this
Bypassing UIPI
Accessibility apps need to drive all apps
These apps exempted from UIPI restrictions
Must be
» Manifested with uiAccess=true
» Installed in “secure” location (e.g., ProgramFiles)
» Signed by trusted publisher
ChangeWindowMessageFilter API
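An added example, not from the original slides: a simplified C model of the UIPI delivery decision described above, covering the integrity-level comparison, the receiver's per-message exceptions and the uiAccess exemption. The struct, the function names and the sample processes are constructed; `filter_add` only models the idea behind ChangeWindowMessageFilter and is not that API.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified model of UIPI message filtering; not the window manager's code.
   The built-in "read" exceptions mentioned on the slide are not modeled. */
typedef enum { IL_LOW, IL_MEDIUM, IL_HIGH, IL_SYSTEM } il_t;

#define WM_COPYDATA 0x004A  /* Win32 message numbers */
#define WM_COMMAND  0x0111
#define MAX_FILTER  8

typedef struct {
    il_t     il;
    bool     ui_access;            /* uiAccess=true, signed, secure location */
    unsigned allowed[MAX_FILTER];  /* messages accepted from lower-IL senders */
    size_t   n_allowed;
} process_t;

/* Receiver opts in to one message (the idea behind ChangeWindowMessageFilter). */
bool filter_add(process_t *p, unsigned msg) {
    if (p->n_allowed == MAX_FILTER) return false;
    p->allowed[p->n_allowed++] = msg;
    return true;
}

/* Would the window manager deliver msg from sender to receiver? */
bool uipi_delivers(const process_t *sender, const process_t *receiver, unsigned msg) {
    if (sender->il >= receiver->il) return true;  /* not a lower-to-higher send */
    if (sender->ui_access) return true;           /* accessibility exemption */
    for (size_t i = 0; i < receiver->n_allowed; i++)
        if (receiver->allowed[i] == msg) return true;
    return false;                                 /* lower IL to higher IL: dropped */
}

int main(void) {
    process_t low = { IL_LOW, false, {0}, 0 };    /* constructed sample processes */
    process_t reader = { IL_LOW, true, {0}, 0 };
    process_t app = { IL_MEDIUM, false, {0}, 0 };
    printf("low -> medium WM_COMMAND:      %d\n", uipi_delivers(&low, &app, WM_COMMAND));
    printf("uiAccess -> medium WM_COMMAND: %d\n", uipi_delivers(&reader, &app, WM_COMMAND));
    filter_add(&app, WM_COPYDATA);
    printf("low -> medium WM_COPYDATA:     %d\n", uipi_delivers(&low, &app, WM_COPYDATA));
    return 0;
}
```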
Background Services
Impact of Background Activities
Many Activities in the Background
Performance
• Responsiveness
• Consumes resources
• Boot, Shutdown, Logoff, etc.
Reliability
• Memory leaks
• System crashes & hangs
• Dependent application crashes
Security
• Greater Attack Surface
• System privileges
• Successful attack may compromise entire system
Power consumption
• Extra disk, CPU utilization
• Decrease in battery life
• Prevents idle efficiencies
Service Startup Types
Before Windows Vista
Auto-Start
» Your service is always there
» Launched as part of the boot sequence
  • Startup time
  • “footprint”
Demand-Start
» You must programmatically launch the service
Problems?
» Auto-start adds latency to boot/shutdown, always consumes resources …
» Demand-start is hard to program against
Delayed Auto-Start Services
Introduced in Windows Vista
Sure, they are auto-start, but …
But the system waits before starting them
» Approximately 2 minutes
Runs their ServiceMain at lowest priority
Results:
» Improves boot/logon latency
» Very appropriate for non-critical services:
  • Windows Update
Trigger-Start Services
Introduced in Windows 7
The service should be running only if it has something to do
» Network-related service without connectivity
» USB-related service without USB devices
» File transfer service with firewall port closed
Trigger-start services are started when needed
» Responsible for stopping when idle or done
Trigger-Start Services
Introduced in Windows 7
Available service triggers:
» Device interface arrival
» Domain join or leave
» Firewall port opened or closed
» Group policy change
» First IP address available
» Custom ETW event
High DPI
This Was Very Surprising To Us…
Monitor Max Resolution    % Set to Maximum
1280X1024                 56%
1400X1050                 79%
1600X1200                 32%
1680X1050                 66%
1920X1050                 39%
1920X1200                 78%
Avg. set to default       55%
Details: Users with Max Resolution of 1600X1200
User's Chosen Resolution  % using that resolution
640X480                   1%
800X600                   7%
1024X768                  57%
1280X1024                 3%
1600X1200                 32%
Total                     100.00%
Almost half of all users are not configuring their display to maximum resolution (!)
Users are lowering their screen resolution to get larger text…
High DPI
• Windows 7 clean install determines DPI by heuristics
• Try
  • Running at a DPI of at least 125%
• Guidance
  • Fix issues and declare you are DPIAware
High DPI Issues
Clipped Text
Layout Issues & Image Size Issues
Pixelated Bitmaps
WinForms Issues
Blurry UI
Mismatched Font Sizes
High DPI Test Matrix
High level functional test pass, including install and uninstall, at the following settings:
Setting: 1024x768 @ 120 DPI*
What to look for: This is an effective resolution of ~800x600, so look for UI clipped off the screen or layout issues. Also look for pixelated bitmaps and icons.
*NOTE: if your app requires 1024x768, then do this test at 1280x960.
Setting: 1600x1200 @ 144 DPI
What to look for: Blurry UI. Verify that all mouse operations work, especially drag and drop operations. Also verify full-screen modes work properly.
Setting: 1600x1200 @ 144 DPI with DPI Virtualization Disabled from DPI UI -> Custom -> use XP Style Scaling
What to look for: Often buttons and UI won’t scale in relation to larger text and there will be significant text clipping. Look for layout issues in general and pixelated bitmaps and icons.
Recommendation: Write a list of the issues identified; ideally, add them to your bug DB with a High DPI tag for later validation. Integrate a variety of configurations into all future test passes. Also see the references for a link to the whitepaper on how to remedy the issues you find.
New and updated APIs in Windows 7
Active Directory Rights Management Services, Biometric Service API, COM, Core Windows, Enhanced Storage, Enhanced Taskbar, Event Tracing for Windows (ETW), Extended Linguistic Services, File Server Resource Manager, Hardware Counter Profiling, Hyper-V, Internet Explorer, Location API, Mobile Broadband, Native Wifi, Network Share Management, Packaging, Parental Controls,
Peer Distribution, Performance Counters, Power Management, Scenic Animation, Sensor API, Virtual Disk Service, Virtual Hard Disk, Volume Shadow Copy Service, Windows Connect Now, Windows Error Reporting, Windows Event Log, Windows Gadget Platform, Windows Installer, Windows Scenic Ribbon, Windows Touch, Windows Troubleshooting Platform, Windows Web Services, XPS Documents
Developer Resources
Windows 7 SDK
Windows API Code Pack
Windows 7 Training Kit
Windows SDK
Tools, code samples, documentation, compilers, headers and libraries to create Win32 applications
Generally, you should use the latest version of the Windows SDK
Link: http://msdn.microsoft.com/de-de/windows/bb980924.aspx
Blog of the Windows SDK Team: http://blogs.msdn.com/windowssdk/
Windows API Code Pack for Microsoft .NET Framework
Windows API Code Pack
The Windows API Code Pack for Microsoft .NET Framework contains libraries that support development for the new Windows 7 features
Link: http://code.msdn.microsoft.com/WindowsAPICodePack
Windows 7 Training Kit
The Windows 7 Training Kit contains presentations, hands-on labs and demos to leverage the new Windows 7 features. Focus on migration topics.
Link: http://www.microsoft.com/downloads/details.aspx?FamilyID=1C333F06-FADB-4D93-9C80-402621C600E7&displaylang=en
The New Taskbar
…and beyond
demo
Taskbar Buttons
Consolidation:
» Quick launch
» Notification area icon
» Desktop shortcut
» Running application windows
[Taskbar button states shown: Running, Not running, Multiple windows + hover, Active]
Jump List
It’s a mini-Start Menu
Jump Lists
A Detailed Look
Destinations (“nouns”)
Tasks (“verbs”)
Known categories
Custom categories
User Tasks
Taskbar Tasks
Pinned category
Jump Lists
Design Considerations
Surface key destinations and tasks
» Recent and frequent are free
» Pinned is also free (if users use it)
» Respect items the user removes!
Addictive: You don’t look for documents anywhere else!
» You also expect the common tasks to be there
Get More From Taskbar Buttons
Overlay and Progress Icons
Consolidate: Uncluttered notification area
Provide progress and additional information through the taskbar button
» It’s free if you use standard progress dialogs
Taskbar Overlay And Progress
Design Considerations
Notification area is now user-controlled:
» Leave yourself out if possible!
Use taskbar buttons for custom progress or status information
Give your application the green light!
3 steps to success
» Register on www.isvappcompat.com/de
» Use technical resources to make your apps compatible
» Present your software in the Windows 7 solution catalog
Microsoft BizSpark™ is a global program designed to unite Startups with resources. It is an extension to the existing Local Software Economy and academic programs, such as DreamSpark, and is delivered in partnership with the entrepreneur community providing:
Software
• Full Featured Development tools and production licenses of server products
• No upfront costs (USD$100 at program exit)
Support
• Community support from network and hosting partners
• Professional technical support from Microsoft
Visibility
• Profile and promotion on the BizSparkDB
www.microsoft.com/bizspark
Drive new business opportunities
o WebsiteSpark Marketplace
o Partner Recruiting Portal
o Web App Gallery
Benefit from professional support and training
o Two professional support incidents per program membership for break-fix issues
o Unlimited access to technical managed newsgroups on MSDN
o Unlimited program support for non-technical issues
o Broad community support through partners and peers
Receive software and solutions for development and hosting
o Design Tools/Development Tools/Testing Tools:
  o Visual Studio® 2008 Professional Edition – 3 user licenses
  o Expression® Studio 2 (or 3) – 1 user license
  o Expression® Web 2 (or 3) – 2 user licenses
  o Windows Web Server® 2008 (or R2 when available) – 3 user licenses
  o SQL Server® 2008 Web – 3 user licenses
o Production Hosting Licenses (if self-hosting)
  o Windows Web Server 2008 R2 (when available) – 4 processor licenses
  o SQL Server 2008 Web Edition – 4 processor licenses
o Premium Web site control panel (DotNetPanel)
For Web Pros www.microsoft.com/web/websitespark
The AppCompat “Cookbooks”
• Everything else that we haven’t covered
• XP -> Vista/2008 -> Win7
  • “Application Compatibility Cookbook”
  • “Application Compatibility” on MSDN
• Vista -> Win 7
  • “Windows 7 Application Quality Cookbook”
References
MSDN Application Compatibility: http://msdn.microsoft.com/en-us/windows/aa904987.aspx
TechNet Windows Application Compatibility: http://technet.microsoft.com/en-us/desktopdeployment/bb414773.aspx
DevReadiness.org
Channel 9: http://channel9.msdn.com/tags/Application+Compatibility/
References (IE Protected Mode)
Understanding and Working in Protected Mode Internet Explorer: http://msdn2.microsoft.com/en-us/library/bb250462.aspx
Windows Vista Integrity Mechanism Technical Reference: http://msdn2.microsoft.com/en-us/library/bb625964.aspx
Additional References (High DPI)
Whitepaper for Writing DPI Aware Win32 Applications
» http://go.microsoft.com/fwlink/?LinkID=129586
EDID Specification
» http://www.vesa.org/Public/EEDIDguideV1.pdf
Information for OEMs configuring OOBE via XML Override
» http://technet.microsoft.com/en-us/library/cc722301.aspx
» http://technet.microsoft.com/en-us/library/cc721929.aspx
Windows 7 Engineering Blog High DPI Post
» http://blogs.msdn.com/e7/archive/2008/09/13/follow-up-on-high-dpi-resolution.aspx
» http://blogs.msdn.com/e7/archive/2008/09/16/more-follow-up-to-discussion-about-high-dpi.aspx
For more information or questions, send e-mail to» [email protected]
Q & A
Ask us now
in the exhibition room in the break
or email us at
Slides in my blog available next week: blogs.msdn.com/pkirchner/
© 2009 Microsoft Corporation. All rights reserved. Microsoft, MSDN, the MSDN logo, and [list other trademarks referenced] are trademarks of the Microsoft group of companies. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation.
MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.