TRANSCRIPT
Is Virtualisation the Silver Bullet for Compatibility? What EVERYONE Should Know about Application and Hardware Compatibility
Jeremy Chapman
Aaron Margosis
Microsoft
Session Code: CLI310
How much is this app compat thing going to cost me? Should I just stay on Windows XP?
Why did you break half of my software?
Why can’t my company afford a chair for me?
Can I just stroke a check and have this problem go away?
Doesn’t App-V just fix it all for me?
All I need to do is run ACT long enough, and it’s fixed, right?
No, seriously, can I have a chair, please?
The MED-V brochure said just virtualize it all and migrate.
The tool brochure said it fixes 90% of the problems.
The Internets said to just turn off UAC.
Listen, I’m not talking about App Compat until I get a chair.
App-V
BeyondTrust
ACT 5.5
Win XP Mode
ACF Partners
MED-V
AppDNA
ChangeBase
Shims
Disable UAC
There are no silver bullets.
Why is app-compat hard?
It never used to be this hard! Backward-compatibility used to trump everything
Shell Folders
p:\products\public
CON, PRN, NUL
Starting with XP SP2, not anymore
Customers demanded better security
Vista was the first major desktop OS release after the TWC memo.
Some things that had to change
Microsoft Agent was too awesome
Made computers too easy to use
More popular than Solitaire and porn
The single biggest app-compat hit, ever
Nobody uses the Agent control! Do they?
Some things that had to change
Everyone runs as “standard user”
The infamous User Account Control
Even admins run as “standard user”
The single biggest app-compat hit, ever
Every time you disable UAC… Steve Ballmer kills a kitten
Please, think of the kittens
No more interactive services
“Session 0 isolation”
Side effects – breaks other IPCs that “always” worked before
IE standards compliance
Internet Explorer Protected Mode
64-bit computing
Windows Resource Protection
Some things that just changed
Windows version number changed
Well, duh! You’d think that couldn’t cause problems!
Why is Windows 7 internally 6.1?
Check the Windows version!

// This program requires WinXP or newer.
// Windows XP is version 5.1
// This is easy!
If Not (vMajor >= 5 AND vMinor >= 1) Then
{
    DisplayMessage("This program requires Windows XP or newer");
    LayDownAndDie;
}

Win7 as Windows 7.0? vMajor: 7 >= 5. vMinor: 0 >= 1? Crap!
Vista is Windows 6.0: vMajor: 6 >= 5. vMinor: 0 >= 1? Oops!
Win7 as Windows 6.1? vMajor: 6 >= 5. vMinor: 1 >= 1! It works!
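The version check on the slide, written out both ways as an added example (this is not code from the session; the version pairs are plain integers standing in for what a GetVersionEx-style call returns, so it runs anywhere). The broken form compares major and minor independently, which is exactly why a "7.0" Windows 7 would have failed it while "6.1" sails through; the fixed form compares the pair.

```c
#include <stdbool.h>
#include <stdio.h>

/* Added example, not from the session. Version numbers are passed in as
 * integers (a stand-in for a real OS version query) so the comparison logic
 * can be exercised on any platform. */

/* The slide's check: major and minor are tested independently, so any
 * release with minor == 0 fails even when its major is higher than 5. */
bool requires_xp_broken(int vMajor, int vMinor)
{
    return vMajor >= 5 && vMinor >= 1;
}

/* Correct minimum-version test: compare (major, minor) as a pair. A later
 * major release satisfies the requirement whatever its minor number is. */
bool at_least(int vMajor, int vMinor, int reqMajor, int reqMinor)
{
    if (vMajor != reqMajor)
        return vMajor > reqMajor;
    return vMinor >= reqMinor;
}

bool requires_xp_fixed(int vMajor, int vMinor)
{
    return at_least(vMajor, vMinor, 5, 1);   /* Windows XP is 5.1 */
}

int main(void)
{
    /* Constructed table of release numbers; the last row is the hypothetical
     * "Windows 7 as 7.0" the slide asks about. */
    struct { const char *name; int major, minor; } releases[] = {
        { "Windows 2000",      5, 0 },
        { "Windows XP",        5, 1 },
        { "Windows Vista",     6, 0 },
        { "Windows 7",         6, 1 },
        { "hypothetical 7.0",  7, 0 },
    };
    for (size_t i = 0; i < sizeof releases / sizeof releases[0]; i++) {
        int ma = releases[i].major, mi = releases[i].minor;
        printf("%-18s %d.%d  broken check: %-4s fixed check: %s\n",
               releases[i].name, ma, mi,
               requires_xp_broken(ma, mi) ? "pass" : "FAIL",
               requires_xp_fixed(ma, mi) ? "pass" : "FAIL");
    }
    return 0;
}
```

The same pair comparison is what a version-lie shim has to fake for the broken form: it must report a minor number the app likes, not just a higher major.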
More things that just changed
New folder locations
We moved the profiles – again!
Default color scheme
What happens when a dev assumes that active title bar text will always be a light color and uses it as a background color?
Aero – desktop composition
We break – we fix: UAC’s file and registry “virtualization”
Redirects access attempts from protected areas to non-roaming parts of user profile
Not related to App-V’s “bubble”
This is per-user, not per-application

Virtual overload
It’s the new “.NET”!
Virtual memory
Virtual address space
Virtual communities
NT Virtual DOS Machine (NTVDM)
Java Virtual Machine (JVM)
MS Visual Basic Virtual Machine (MSVBVM)
Virtual processors (hyperthreading)
Virtual reality
Virtual teams
Virtual private network (VPN)
UAC file and registry virtualization
Application virtualization
Machine virtualization (Virtual PC, Virtual Server, Hyper-V)
Virtual Earth
MS Enterprise Desktop Virtualization (MED-V)
Virtual pets
Virtual Desktop Infrastructure (VDI)
virtual keyword (C++, C#)
Virtual directory (IIS)
Virtual device driver (VxD – obsolete!)

We break – we fix: UAC’s file and registry “virtualization”
Redirects access attempts from protected areas to non-roaming parts of user profile
Transparent to the app
Fixes many permissions-related issues
Does not apply to all apps or all file types
New in Win7: Writing to root of C:\ redirects
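An added example (not Windows code and not from the session) modelling where a write intercepted by UAC file and registry virtualization actually lands. Knowing the target is what lets you find an app's "lost" settings, or account for what a non-admin app wrote, during troubleshooting. Everything here is a simplifying assumption: the protected roots, the %LOCALAPPDATA%\VirtualStore layout (with a constructed profile path for a user "alice"), the excluded executable extensions, and the Windows 7 root-of-C:\ case. The real rules carve out sub-folders and registry keys and only apply to 32-bit, unmanifested, non-elevated interactive processes.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Added example, not Windows source. Assumptions (also stated in the lead-in):
 *  - protected file roots: C:\Program Files, C:\ProgramData, C:\Windows
 *  - per-user store: %LOCALAPPDATA%\VirtualStore (constructed profile path)
 *  - executable file types are never redirected (list assumed)
 *  - the Windows 7 "root of C:\" case lands directly under VirtualStore */

#define LOCAL_APPDATA "C:\\Users\\alice\\AppData\\Local"   /* constructed */

static const char *const file_roots[] = {
    "C:\\Program Files", "C:\\ProgramData", "C:\\Windows",
};
static const char *const exec_exts[] = { ".exe", ".bat", ".scr", ".vbs" };

/* Case-insensitive prefix test that only matches on a path-separator boundary,
 * so "C:\Windows" does not match "C:\WindowsApps". */
static bool has_prefix_ci(const char *s, const char *pfx)
{
    for (; *pfx; s++, pfx++)
        if (tolower((unsigned char)*s) != tolower((unsigned char)*pfx))
            return false;
    return *s == '\0' || *s == '\\';
}

static bool is_executable_type(const char *path)
{
    const char *dot = strrchr(path, '.');
    const char *sep = strrchr(path, '\\');
    if (dot == NULL || (sep != NULL && sep > dot))
        return false;                      /* no extension on the final component */
    for (size_t i = 0; i < sizeof exec_exts / sizeof exec_exts[0]; i++)
        if (has_prefix_ci(dot, exec_exts[i]))
            return true;
    return false;
}

/* Returns true and fills `out` with the per-user VirtualStore path when a
 * denied write to `path` would be redirected. Returns false when the write is
 * left alone: the path is outside the protected areas, or it is an executable
 * type, which virtualization refuses to redirect. */
bool virtualize_file_write(const char *path, char *out, size_t outlen)
{
    if (is_executable_type(path))
        return false;

    bool protected_area = false;
    for (size_t i = 0; i < sizeof file_roots / sizeof file_roots[0]; i++)
        if (has_prefix_ci(path, file_roots[i]))
            protected_area = true;

    /* Windows 7 addition from the slides: a file dropped in the root of C:\ */
    if (!protected_area && has_prefix_ci(path, "C:") &&
        strlen(path) > 3 && strchr(path + 3, '\\') == NULL)
        protected_area = true;

    if (!protected_area)
        return false;
    /* VirtualStore mirrors the original path minus the drive letter. */
    snprintf(out, outlen, "%s\\VirtualStore%s", LOCAL_APPDATA, path + 2);
    return true;
}

/* Registry side: HKLM\SOFTWARE writes land in the user's hive. Exclusions
 * such as HKLM\SOFTWARE\Microsoft\Windows are omitted from this model. */
bool virtualize_registry_write(const char *key, char *out, size_t outlen)
{
    const char *root = "HKLM\\SOFTWARE";
    if (!has_prefix_ci(key, root))
        return false;
    snprintf(out, outlen,
             "HKCU\\Software\\Classes\\VirtualStore\\MACHINE\\SOFTWARE%s",
             key + strlen(root));
    return true;
}

int main(void)
{
    const char *samples[] = {   /* constructed paths */
        "C:\\Program Files\\OldApp\\settings.ini",
        "C:\\Windows\\OldApp.log",
        "C:\\Windows\\update.exe",
        "C:\\app.log",
        "C:\\Users\\alice\\Documents\\notes.txt",
    };
    char out[512];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        if (virtualize_file_write(samples[i], out, sizeof out))
            printf("%-42s -> %s\n", samples[i], out);
        else
            printf("%-42s -> not virtualized\n", samples[i]);
    }
    const char *key = "HKLM\\SOFTWARE\\OldApp\\Config";
    if (virtualize_registry_write(key, out, sizeof out))
        printf("%-42s -> %s\n", key, out);
    return 0;
}
```

The per-user, per-profile nature of the store is visible in the output: two users running the same app get two independent copies of settings.ini, and an app that writes update.exe into C:\Windows gets a plain access-denied rather than a redirected binary.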
We break – we fix: Junctions
Some support for old folder names
Can traverse, but cannot list
Can directly access files through old names
Cannot list contents of these junctions
We break – we fix: App-Compat Shim Database
Fixups auto-applied to some known apps
6307 apps in Win7 RTM
Jet database in %windir%\AppPatch, and cached information in registry
Checked whenever a new process starts
Created by Windows team; updated by WU
Does not guarantee that the app works
We break – the user fixes: Compatibility Tab
We break – the user fixes: Program Compatibility Assistant (PCA)
Windows predicts helpful fixes for next run
Displayed after program has been run
Up to user to decide what to do
Please disable in a managed environment
We break – IT admin fixes: Application Compatibility Toolkit 5.5
Doesn’t it fix everything? I mean, look at the name!
Strengths
Inventory
Vendor data
CompatAdmin (see Custom Shim Databases)
Developer/Tester Tools
Weaknesses
Compatibility evaluators
Application import
TechNet Magazine, June 2009: Articles by Chris Jackson and Chris Corio
We break – IT admin fixes: Custom App-Compat Shim Database(s)
Same mechanisms as the in-box shims
Build shim DBs with tools in the App Compat Toolkit
Easy to use? Let’s see…
Fixing apps is easy! (video)
Good for some kinds of bugs:
Bad Windows version checks
Writing to HKCR at runtime
Unnecessary checks for “am I admin?”
Writing to WRP-protected keys and files
Windows thinks your app is an installer
Some file/registry redirections
Drawbacks…
Not all general purpose shims have the same … “customer love” applied in their creation
The tools are … “primitive”
The main file redirection shim is really, really literal (really)
Shims management story could be … “better”
Compatibility Administrator: How to Fix Stuff
Demo
We break – IT admin fixes: Application Virtualization (App-V)
Formerly SoftGrid
Isolates apps from one another
Does not isolate it from the OS
Side effects of current implementation:
Apps can write anywhere in “the registry”
Apps can be allowed to write to specific files in “protected” locations
Apps actually write to private copies
NOTE: May not be true in future versions of App-V
Lots of goodness beyond app-compat
Packaging and Deployment
Licensing
Drawbacks…
Mitigates only limited types of AC problems
Machine Virtualization
Virtual PC
Virtual PC 2007
Windows Virtual PC
RemoteApp patch
There is a technical title – if you find it let us know
We break – IT admin fixes: MS Enterprise Desktop Virtualization (MED-V)
Uses machine virtualization
App actually runs on XP or other downlevel OS
User sees only the app window
Similar to Windows XP Mode, but with manageability
Intended for larger organizations
Benefits:
App designed for XP actually runs on XP!
Drawbacks:
Most of the drawbacks of XP Mode (… next)
We break – IT admin fixes: Windows XP Mode
Similar to MED-V, without manageability
License for the Windows XP VM included with certain Win7 SKUs
Install apps in the XP VM; shortcuts in the All Users’ Start Menu get copied to the host
Click on shortcut in host Start menu, app appears in a window
…eventually
App designed for XP actually runs on XP
One critical app that absolutely will not work on Win7 doesn’t hold up deployment
What it’s good for:
Web apps that require IE6
Running 16-bit apps on x64
Some types of desktop apps
Microsoft Agent
Trade-offs
XP Mode is not for the enterprise!
XP VM needs maintenance (AV, hotfixes, policies, etc)
VM is hibernated when you’re not running an app
Apps can’t interact with apps on the host
E.g., app wants to send email, or interact with window messaging
May not support custom hardware
Much greater hardware requirements
Incl. Hardware Assisted Virtualization.
Default XP Mode user is admin
Might conflict with enterprise policies
Windows XP Mode: Demo
We break – IT admin fixes: Change permissions on system objects
Only if other options don’t work
Loosen file or registry permissions
Allow interactive user to start/stop a particular service or driver
Must be done surgically
Least amount of additional privilege on the smallest number of objects
Benefits:
Results often more predictable than with shims
Drawbacks:
Risk of elevation of privilege
Risk of system instability
Requires threat modeling – hard to do right
We break – IT admin fixes: 3rd Party Static Analysis Tools
Primarily ChangeBase and AppDNA
These tools average 90 – 95% at telling you if the app as a whole will work
False “green” the primary accuracy issue
Will not detect every issue
Complementary to ACT
ACT does runtime analysis
ACT does no better than chance at predicting application breakage for the app as a whole
We break – IT admin fixes: Let the app run as admin
Absolute last resort
UAC elevation
Enterprise users should not have this option!
3rd party, BeyondTrust Privilege Manager
Decent solution in some cases
Impossible to prevent elevation of privilege
Not a silver bullet…
App doesn’t work – now what? What are those geeks doing?
Make sure they don’t debug what they don’t plan to fix (support required)
Layer debugging and remediation
Tier 1: get the repro, run scripted tests of common solutions
Tier 2: leverage tools, configure basic fixes
Tier 3: deep debugging, complex remediation (typically just a few per customer)
Important: efficient handoff between IT Pros and Developers
Resources
www.microsoft.com/teched: Sessions On-Demand & Community
http://microsoft.com/technet: Resources for IT Professionals
http://microsoft.com/msdn: Resources for Developers
www.microsoft.com/learning: Microsoft Certification & Training Resources
Complete an evaluation on CommNet and enter to win an Xbox 360 Elite!
© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.