Jan 17, 2016
Application Compatibility Remediation: The Dark Magic of Fixing Broken Applications
Aaron Margosis
Principal Consultant, Microsoft
Session Code: CLI405
Some Available Techniques
• Get rid of the app!
• Let Windows handle it
  • File/registry virtualization
  • Limitations on file/registry virtualization
• Update the application
  • Acquire new version from vendor
  • Fix compatibility bugs in the source code
• Apply shims
• Pre-install required files, registry keys
• Employ application or machine virtualization
When to Use Shims
Define standards for when to use this technique:
• Vendor no longer in business
• Internal applications
• Support negotiable
Shimming applications can be outsourced
How Shims Work
[Diagram: Application, Shim DLL and Windows, connected through Import Function and Export Function entries]
When Shims Are Used
[Diagram: AppY.exe v2.3.4.5 and the Windows APIs (Kernel32, User32, Advapi32, OleAut32, …)]
• Windows loads app.
• Checks AppCompat DB(s).
• Match found: Selected API calls intercepted and modified.
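Added example (not from the original slides or from Microsoft): a toy C model of the flow above, in which a loader binds an app's import to the OS export, checks a compatibility database, and redirects that one import to a version-lie replacement on a match. The names os_version, process, compat_db, load_process and app_starts are hypothetical, the version 2.3.4.6 is constructed, and matching on file name and version only is a simplification.

```c
#include <stdio.h>
#include <string.h>

/* Toy model of the loader flow; constructed for illustration, not Windows code. */
typedef struct { int major, minor, sp; } os_version;
typedef os_version (*get_version_fn)(void);

/* Simulated OS export: the real platform version (6.1 = Windows 7). */
static os_version real_get_version(void) { return (os_version){6, 1, 0}; }
/* Simulated shim export, modelled on a version lie: reports 5.1 SP3 (XP SP3). */
static os_version xpsp3_version_lie(void) { return (os_version){5, 1, 3}; }

/* A loaded process: the app calls the API only through its import slot. */
typedef struct { const char *exe, *file_ver; get_version_fn get_version; } process;

/* Simulated compatibility DB entry: which binary gets which replacement. */
typedef struct { const char *exe, *file_ver; get_version_fn shim; } db_entry;
static const db_entry compat_db[] = {
    { "AppY.exe", "2.3.4.5", xpsp3_version_lie },
};

/* Loader: bind the import to the OS export, then redirect it on a DB match. */
process load_process(const char *exe, const char *file_ver) {
    process p = { exe, file_ver, real_get_version };
    for (size_t i = 0; i < sizeof compat_db / sizeof compat_db[0]; i++)
        if (!strcmp(compat_db[i].exe, exe) && !strcmp(compat_db[i].file_ver, file_ver))
            p.get_version = compat_db[i].shim;  /* only the matched binary is affected */
    return p;
}

/* The app's bad version check: insists on exactly 5.1 instead of "5.1 or later". */
int app_starts(const process *p) {
    os_version v = p->get_version();
    return v.major == 5 && v.minor == 1;
}

int main(void) {
    process shimmed = load_process("AppY.exe", "2.3.4.5");
    process unshimmed = load_process("AppY.exe", "2.3.4.6"); /* constructed version */
    printf("AppY.exe 2.3.4.5 starts: %d\n", app_starts(&shimmed));
    printf("AppY.exe 2.3.4.6 starts: %d\n", app_starts(&unshimmed));
    return 0;
}
```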
Some Useful Shims
Problem Type | Shim
Bad Windows version checks | Version Lie Shims (e.g., WinXPSP3VersionLie)
Writing to HKCR at runtime | VirtualizeHKCRLite
Unnecessary checks for “am I admin?” | ForceAdminAccess
Writing to WRP-protected keys and files | WRPMitigation, WRPDllRegister, WRPRegDeleteKey
Windows thinks your app is an installer | SpecificNonInstaller
Writing to protected folder and registry locations | CorrectFilePaths, VirtualRegistry
Using kernel object in global space | LocalMappedObject
Detailed Shim Information
• Install App Compat Toolkit and look in act.chm
• Also on technet.microsoft.com
• Chris Jackson’s blog (blogs.msdn.com/cjacks)
Show me the shims (demo)
How do I know what's wrong?
Problem Type | Symptoms
Invalid Windows version check | Says “This app requires Windows XP”
Admin rights issue | Says “Requires admin rights”, or fails non-elevated, works elevated (caveat about testing elevated)
Security configuration | Works when Group Policy or security template setting is removed
New platform | Works with Windows Classic theme
Testing environment
• Have multiple configurations available
• Be able to reimage quickly
  • Virtual machines (snapshots, undo disks)
  • MDT deployment (e.g., PXE boot)
• Apply security policies to local Group Policy rather than domain
  • LGPO utilities: blogs.technet.com/fdcc
Tools for identifying specific issues
• Sysinternals Process Monitor
• Standard User Analyzer (App Compat Toolkit)
• LUA Buglight
  • v2.1 just released
  • Includes support for Windows 7 and x64
  • http://blogs.msdn.com/aaron_margosis/pages/LuaBuglight.aspx
LUA Buglight, Process Monitor, SUA (demo)
© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.