
Windows 7 AppCompat

Windows 7 AppCompat. Lynn Langit http://blogs.msdn.com/SoCalDevGal Microsoft – Developer Evangelist. Windows 7 Builds on Windows Vista. Few Changes: Most software that runs on Windows Vista ® will run on Windows ® 7 – exceptions will be low-level code (AV, Firewall, Imaging, etc.).


Presentation Transcript


  1. Windows 7 AppCompat Lynn Langit http://blogs.msdn.com/SoCalDevGal Microsoft – Developer Evangelist

  2. Windows 7 Builds on Windows Vista • Few Changes: Most software that runs on Windows Vista® will run on Windows® 7 – exceptions will be low-level code (AV, Firewall, Imaging, etc.). • Hardware that runs Windows Vista well will run Windows 7 well. • Few Changes: Focus on quality and reliability improvements • Deep Changes: New models for security, drivers, deployment, and networking

  3. AppCompat & LightUp • From XP to Win 7: User Account Control, Services Isolation • From Vista to Win 7: Version checking, High DPI, Low level binary changes • UX: Taskbar, Libraries • Internals: Trigger Start Services, Timer Coalescence • New hardware: Multi touch, Sensors

  4. From XP to Windows 7 http://code.msdn.microsoft.com/XP2Win7

  5. The Application • Image Viewer • WPF Application • Runs on XP, Vista, Win7 • On XP basic functionality with no special OS features • Manually Create album • Crawler (expensive) Service searching images • Change Skin • Reset DB / Reset configuration • Lights Up on Windows 7

  6. Application Running on XP

  7. The Application Running on 7 • Enhancing an existing Windows XP application with Windows 7 features • IO Background Priority • Libraries • Trigger Start Services • Power Management • Command Links • Scheduled Tasks • PowerShell 2 • Windows 7 Multitouch • Windows 7 Sensors • Other… • Application Restart and Recovery • Preview Handlers • Windows Search • Windows 7 Event Tracing • User Account Control • Windows 7 Taskbar • Transactional NTFS • Microsoft Management Console Snap-In

  8. Application Running on 7

  9. Demo Photo Viewer on Windows 7

  10. Compat - New Folder Locations • “My Documents” folder structure has changed • The user data is now stored in the ‘\users\%username%\’ folder structure • Pictures, Music, Documents, Desktop, and Favorites are all new folders directly under this structure • The “My” prefix was dropped from Documents, Music, etc. • “All Users” became “Public” and “\ProgramData” • My Documents still exists as a directory junction • Use the SHGetKnownFolderPath APIs

  11. Compat - Application Data Best Practices Where to put your data: • Place per-user configuration data into %LOCALAPPDATA% (Roaming into %APPDATA%) • Place Per-Machine (Shared) configuration data into %ALLUSERSPROFILE% (e.g. c:\ProgramData) • Per-Machine (Shared) user documents into %PUBLIC% • Per user documents go to %USERPROFILE%

  12. Compat - User Account Control • Applications run as Standard User by default • Standard User has some permissions • Run most applications • Change per user settings • Standard User can NOT do many things • Install applications • Change system components • Change per machine settings • Admin “privileges”

  13. Windows UAC • All users run as Standard User by default • Filtered token created during logon • Only specially marked apps get the unfiltered token • Explicit consent required for elevation • Predictable shell elevation paths • High application compatibility • Data redirection • Enabling legacy apps to run as standard user • Installer Detection

  14. UAC Architecture (diagram) • User: Abby • Admin logon: Admin Token, “Standard User” Token • Standard User Rights • Administrative Rights

  15. UAC Architecture: Standard User Mode (diagram) • Abby: User Process with Standard User Privilege • Standard User Rights: Change Time Zone, Run IT Approved Applications, Install Fonts, Install Printers, Run MSN Messenger, etc. • Administrative Rights

  16. UAC Architecture: Admin Privileges (diagram) • Abby: User Process with Standard User Privilege • Standard User Rights: Change Time Zone, Run IT Approved Applications, Install Fonts, Install Printers, Run MSN Messenger, etc. • Administrative Rights: Admin Processes with Admin Privilege (Change Time, Configure IIS, Install Application)

  17. Consent UI • OS Application • Unsigned Application • Signed Application

  18. Credential UI

  19. UAC Split Tokens Demo

  20. Designing for UAC • 1st Choice: Make application run as Standard User only • 2nd Choice: Clearly identify Administrative tasks • Ensure Standard users can be fully productive • Identify tasks that need elevation with a “shield”

  21. UX: The Shield • Attached to controls to indicate that elevation is required to use their associated feature • Has only one state (i.e. no hover, disabled etc.) • Does not remember elevated state • Not an unlock operation • Can be programmatically set: HICON shieldIcon = LoadIcon(NULL, IDI_SHIELD); SendMessage(button, BCM_SETSHIELD, 0, TRUE); or using the macro in Commctrl.h: Button_SetElevationRequiredState(commandLink, TRUE);

  22. Security Shield UI Examples

  23. Application Manifests • Vista-aware applications embed an XML manifest • Manifest contains a RequestedExecutionLevel:

  24. Finding/Solving UAC Issues • Do you? • Write to Program Files, Windows, System32, HKLM/Software, or Root? • Create anything “globally” • Use Windows messages between isolation levels • Try • Running the application “As Administrator” • Testing with UAC off • Tools • Process Monitor • Standard User Analyzer

  25. Windows Services Basics • Started and managed by Service Control Manager • Controlled by SCM • Starting and stopping services • Disabled, Manual and Automatic • Managing running services • Maintaining service-related state information • Started – Stopped - Paused • Services can run in their own process or shared hosted process (e.g. svchost.exe)

  26. Services and Security • Attractions for malware • May be configured to auto start on boot • Potential to run from boot without using well known auto-start methods • Often run in highly privileged contexts • As mentioned, runs outside of UAC and enables app to potentially take control of UAC behavior (e.g. MSI) • Services can run in their own process or shared hosted process

  27. Sessions in XP/W2K/WS03 (diagram) • Session 0: Window Station and Desktop shared by Services and the 1st User’s Windows • Shatter Attack • Screen Saver • Login

  28. Sessions in Win7/Vista/Windows 2008 (diagram) • Session 0: Window Station and Desktop holding Services • Session 1: Window Station and Desktop holding the 1st User’s Windows • Screen Saver • Login • Secure

  29. demo Session 0 Isolation

  30. Service Hardening • Windows XP services made great attack vectors: • Running in shared session, usually w/high privilege • Sometimes w/UI (interactive services) • So we had Shatter Attacks • Good reasons to have Service Isolation in session 0 and Mandatory Integrity Control • Windows Vista and 7 • Services run outside of UAC • ISVs may be tempted to circumvent OS security • The potential attack surface has lessened so services are a more attractive target

  31. Three Service Hardening Designs • Services need to run least privileged • Services can now have their own SID • This can be used to lock down / sandbox the resources that the Service has access to

  32. Perf Enhance - Trigger Start Service • New in Windows 7 - SCM registers for system events via interesting providers: • Device arrival • IP address • Domain join and leave • Group policy updates • Custom Event Tracing for Windows event • SCM starts or stops registered services: • TabletInputService started only if digitizer is present • StorSvc starts when group policy updates are applied, automatically stops

  33. Trigger Start Examples

  34. Service or Scheduled Task? • Windows Service: Continuous activity from boot to shutdown; Service Control Manager (SCM) programming model; Can specify dependency • Scheduled Task: Short duration action; Idle activity; Take action on user login; Standalone executable or out-of-process COM server; Generally execute in user session

  35. Compat - Operating System Version • Windows 7 is … Windows 6.1? (for Vista Compat) • dwMajorVersion stays the same • dwMinorVersion changes • Remediation • Check for features, not versions • If checking for version, use a >= comparison (check the OS version as >= so that your app can work on future releases of the OS) • Version lies
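The >= advice on slide 35, as an added example that is not part of the original deck: two common version checks that break on newer releases, next to a correct comparison. The function names and the sample version table are constructed for illustration; the plain integers stand in for dwMajorVersion and dwMinorVersion.

```c
#include <stdio.h>

/* Anti-pattern 1: exact match; rejects every release after the one tested. */
int check_exact(unsigned major, unsigned minor,
                unsigned req_major, unsigned req_minor) {
    return major == req_major && minor == req_minor;
}

/* Anti-pattern 2: fields compared independently. 6.0 fails a 5.1 minimum
   because minor 0 < 1, even though 6.0 is the newer release. */
int check_fieldwise(unsigned major, unsigned minor,
                    unsigned req_major, unsigned req_minor) {
    return major >= req_major && minor >= req_minor;
}

/* Correct: lexicographic >= on the (major, minor) pair. */
int check_at_least(unsigned major, unsigned minor,
                   unsigned req_major, unsigned req_minor) {
    if (major != req_major)
        return major > req_major;
    return minor >= req_minor;
}

int main(void) {
    /* Constructed sample values standing in for dwMajorVersion/dwMinorVersion. */
    static const struct { const char *name; unsigned major, minor; } os[] = {
        {"Windows XP    5.1", 5, 1},
        {"Windows Vista 6.0", 6, 0},
        {"Windows 7     6.1", 6, 1},
        {"hypothetical  7.0", 7, 0},
    };
    const unsigned req_major = 5, req_minor = 1; /* app requires XP or later */

    printf("%-20s exact fieldwise at_least\n", "OS");
    for (size_t i = 0; i < sizeof os / sizeof os[0]; i++)
        printf("%-20s %5d %9d %8d\n", os[i].name,
               check_exact(os[i].major, os[i].minor, req_major, req_minor),
               check_fieldwise(os[i].major, os[i].minor, req_major, req_minor),
               check_at_least(os[i].major, os[i].minor, req_major, req_minor));
    return 0;
}
```
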

  36. Compatibility Tab Layers

  37. Shim Application • Implements Windows API hooks • Shim engine is responsible for applying the shims

  38. How Shims are Loaded • Shims are applied per executable • Shim engine applies API hooks • Run initialization routines • Loader maps executable and statically linked DLLs into memory

  39. Compat – Misc Regressions • Removal of Windows Mail • Removal of Windows Movie Maker • NLS Sorting Changes • Internet Explorer 8 - User Agent String • Removal of Windows Registry Reflection • Removal of WPDUSB.SYS Driver for Windows Portable Devices • Microsoft Message Queuing (MSMQ)

  40. Problem Step Recorder • %windir%\system32\psr.exe • Allows testers and users to track, step by step, exactly what an application is doing, creating an .mht file with screenshots illustrating the bug reproduction • Creates a .zip file containing an .mht file • Integrated with Dr. Watson for Windows

  41. This Was Very Surprising To Us… • Chart: Users with Max Resolution of 1600x1200 • Almost half of all users are not configuring their display to maximum resolution (!) • Users are lowering their screen resolution to get larger text…

  42. High DPI - Why Do We Care? • Non-native resolution negates the value of high fidelity displays • Text looks blurry because ClearType requires native resolution • Can’t display native high def content • 720p high definition video requires 1280x720 resolution • 1080p requires 1920x1080 • 1.9 megapixel photos require 1600x1200 native • Many people accidentally select a non-native aspect ratio • Image captions: Pixelated Content does not take advantage of the display; Non-native aspect Ratio Settings “Squishes” Content

  43. High DPI Issues • Clipped Text • Layout Issues & Image Size Issues • WinForms Issues • Pixelated Bitmaps • Blurry UI • Mismatched Font Sizes

  44. New Graphics Improvements in Windows 7

  45. Graphics APIs for Rich Client Applications

  46. When to use which API • DirectX: When the application needs control over features and performance • WPF: When the application needs richness but needs to be built quickly and there is no need for fine grained control over hw performance and features • GDI: When the application needs to work on all Microsoft OSs and the lowest common denominator functionality is sufficient • Diagram label: Increasing HW Exploitiveness

  47. Advancing the platform

  48. Graphic Improvements • Windows 7 DWM memory consumption is cut by 50% per window • Take advantage of the GPU’s computation power • High-DPI support & High Color • Windows 7 DWM uses Direct3D10.1 API • Diagram labels: Direct3D, Direct2D, DirectWrite, DXVA & WIC, Segoe UI

  49. Direct2D And DirectWrite • New APIs in Windows 7 • Win32 developers • Interoperability • Usable in service context • Direct2D • 2D graphics rendering tasks • Increased performance and visual quality • DirectWrite • Vertical stack for text services • Fonts, Script Processing, Layout

  50. Direct2D: New in Windows 7 • Rendering Focused Immediate Mode API: 2D Vectors & Geometry, Bitmaps & Text • Hardware & Software Pipelines • Built for Performance on Direct3D 10.1 • Interoperable with Direct3D & GDI • High Quality Rendering: Per Primitive Anti-Aliasing & MSAA via Direct3D • Remoted via Direct3D 10.1 • Printing support via XPS