Professional Documents
Culture Documents
Version 6.6
Microsoft / Windows Application Experience
Legal Preamble
THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER
EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE.
Information in this document is subject to change without notice. The example companies,
organizations, products, people, and events depicted herein are fictitious. No association with any real
company, organization, product, person or event is intended or should be inferred. Complying with all
applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no
part of this document may be reproduced, stored in or introduced into a retrieval system, or
transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or
otherwise), or for any purpose, without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarked, copyrights, or other intellectual property
rights covering subject matter in this document. Except as expressly provided in any written license
agreement from Microsoft, the furnishing of this document does not give you any license to these
patents, trademarks, copyrights, or other intellectual property.
Table of Contents
Introduction .................................................................................................................................................. 6
Quick Compatibility Check ............................................................................................................................ 7
Operating System Versioning........................................................................................................................ 8
User Account Control .................................................................................................................................... 9
UAC – Application Update Guidelines ........................................................................................................ 11
UAC – COM Per-User Configuration ........................................................................................................... 14
Windows Resource Protection (WRP) ........................................................................................................ 14
Internet Explorer Protected Mode ............................................................................................................. 17
Windows 64-bit ........................................................................................................................................... 19
IIS 7 .............................................................................................................................................................. 20
Microsoft Graphical Identification and Authentication (GINA) .................................................................. 23
Session 0 Isolation....................................................................................................................................... 24
Networking: TCP/IP Stack and the Windows Filtering Platform ................................................................. 26
Networking: Kernel Mode IP Helper APIs ................................................................................................... 27
Networking: IPv6......................................................................................................................................... 28
Compatibility Risks ...................................................................................................................................... 30
Windows Display Driver Model................................................................................................................... 31
Default Programs ........................................................................................................................................ 33
Program Compatibility Assistant (PCA) ....................................................................................................... 36
Graphical Device Interface - GDI ................................................................................................................. 47
User Interface Privilege Isolation (UIPI) ...................................................................................................... 49
High DPI Scaling........................................................................................................................................... 51
PNG Icons .................................................................................................................................................... 52
Named Pipe Hardening ............................................................................................................................... 52
SPAP Deprecation (Pstore).......................................................................................................................... 53
WMI Providers: Default Security Hosting Model ........................................................................................ 54
Table of Figures
Figure 1: IE Protected Mode Compatibility Architecture ........................................................................... 18
Figure 2: Example of a PCA Error Message ................................................................................................. 36
Figure 3: PCA UI after Installer Termination. .............................................................................................. 37
Figure 4: PCA dialog box for program trying to launch a child.exe............................................................. 39
Figure 5: Detecting installers that need to run as Administrator ............................................................... 40
Figure 6: Legacy Control Panel item that needs to run as Administrator................................................... 41
Figure 7: Dialog displayed when PCA detects a deprecated Windows component ................................... 42
Figure 8: PCA dialog when unsigned driver detected ................................................................................. 44
Figure 9:Hard block apphelp message - displayed when incompatibility would have severe impact ....... 45
Figure 10: Soft block dialog displayed when incompatibility issues would not cause severe impact ........ 45
Introduction
Windows Vista and Windows Server 2008 introduce the next generation operating system technology
and software development platform that will be used by application developers and enterprises
worldwide. As part of enhancing the security and user experience of Windows Vista and Windows
Server 2008, many new features have been introduced and existing features have been improved.
While Windows Vista and Windows Server 2008 are highly compatible with most of the applications
written for Microsoft Windows XP, Microsoft Windows Server 2003, and their service packs, some
amount of compatibility breaks are inevitable due to new innovations, security tightening, and increased
reliability. Overall, Windows Vista and Windows Server 2008 compatibility is high, and Microsoft is
continuously striving to achieve the best possible compatibility solutions for existing applications for
Windows Vista and Windows Server 2008.
This document is the first step for application developers to become familiar with how to verify the
compatibility of their applications. This document also provides an overview of the few known
application incompatibility issues in Windows Vista and Windows Server 2008 and provides links to
detailed white papers and other developer guidance.
There are several new features that will enable developers to troubleshoot and workaround applications
that do not function properly under Windows Vista and Windows Server 2008. Two such features are
particularly useful:
The Windows XP SP2 compatibility mode allows an application to work as it did on Windows XP SP2.
To run an application in this mode, right-click the application’s EXE or icon and open the Properties
property sheet. Click the Compatibility tab and select Run this program in compatibility mode for
Windows XP (Service Pack 2).
Security restrictions enforced by the User Account Control (UAC) might prevent applications that
require administrative privileges from running properly, even if the user is a member of the
administrators group. To override the UAC, a user with administrative privileges can run an application
with elevated privileges by right-clicking the applications EXE or icon and clicking Run as
administrator on the popup menu. The system displays a UAC dialog box, and the user can then click
Allow to run the application with appropriate privileges.
NOTE: All items in this document are appropriate for both Windows Vista and Windows Server 2008
unless otherwise noted. There are no architectural changes for Windows Vista SP1. Applications that
are compatible with Windows Vista RTM should continue to be compatible with Windows Vista SP1.
5. If the application does not install, launch successfully, crashes, encounters an error, or fails
major functionality tests, it may be one of the small set of applications that are impacted by
Windows Vista and Windows Server 2008 changes. Use the topics in this document to check
your application.
6. You have completed the scenario.
If both scenarios have been completed and the application has performed properly, then the application
functions properly under Windows Vista and Windows Server 2008. For information about obtaining
certification for your application, see the Windows Vista Home Page.
Brief Description
The internal version number for Windows Vista and Windows Server 2008 is 6. The GetVersion function
will now return this version number to applications when queried.
Note: This is the next major version number from Windows XP (version 5.x).
Manifestation
The manifestation of this version change is very application-specific, as follows:
Any application that specifically checks for the OS version will get a higher version number.
Application installers may prevent themselves from installing the application and applications
may prevent themselves from starting.
Applications may warn users and continue to function properly.
Some applications may become unstable or crash.
Mitigation
Most applications will function properly on Windows Vista and Windows Server 2008 because the
application compatibility in Windows Vista and Windows Server 2008 is very high. However, for
applications and installers that check for OS version, a Compatibility mode is provided in Windows Vista
and Windows Server 2008.
Users can right-click the shortcut or the EXE and apply the Windows XP SP2 compatibility mode from the
Compatibility tab. In most cases, this should enable the application to work as it did on Windows XP
without a need for any changes to the application.
Remedies
Generally, applications should not perform OS version checks or, at minimum, always accept
version 6 or later for the OS. This behavior should be followed unless there is a very specific
legal, business, or system-component need to do this version check.
Ensure that any drivers an application uses are user mode drivers as much as possible to
maintain multiplatform (32-bit and 64-bit) compatibility.
Feature Impact
High
Brief Description
A fundamental step toward increasing the security of Windows is enabling interactive users to run with
a standard user account, which gives them access to only a limited set of permissions and privileges. By
default, Windows Vista and Windows Server 2008 will run every application as a standard user even if
you log on as a member of the administrator's group. Conversely, when users attempt to launch an
application that has been marked as requiring administrator permissions, the system will explicitly ask
them to confirm their intention to do so. Only applications running with administrator privileges can
modify system and global settings and behavior. This feature of Windows Vista and Windows Server
2008 is the User Account Control (UAC).
Manifestation
Custom installers, uninstallers, and updaters may not be detected and elevated to run as
administrator.
Standard user applications that require administrative privileges to perform their tasks may fail
or may not make this task available to standard users.
Applications that attempt to perform tasks for which the current user does not have the
necessary permissions, may fail. How the failure manifests itself is dependent upon how the
application was written.
Control panel applications that perform administrative tasks and make global changes may not
function properly and may fail.
DLL applications that run using RunDLL32.EXE may not function properly if they perform global
operations.
Standard user applications writing to global locations will be redirected to per-user locations
through virtualization.
Remedies
Quick solution for custom installers
A user can launch the installer or updater by right-clicking and selecting Run this program as
administrator.
Apply an application compatibility fix to indicate that specific installers require elevation. To do
so, right-click the shortcut or the EXE and apply the Windows XP SP2 compatibility mode from
the Compatibility tab.
Quick solution for applications that require administrative privileges to perform system
modifications or write to privileged areas
Corporate users will be able to apply an application compatibility fix to indicate that the legacy
application requires administrator permissions or privileges to run correctly.
Reducing the restrictions of access control lists (ACLs) on certain restricted files may help
applications that attempt to write to these files.
Check the virtualized folders or registry keys to see if applications are accessing something that
requires administrator privileges. This information can be used to remove the requirements of
accessing administrator-protected locations from future versions of the application. For more
information about virtualized files, folders, and locations, see Shell: Themes and My Documents
Locations on page 32.
Wrap a "Run DLL as an app" DLL call in a separate EXE and include a manifest for this EXE to
require elevated privileges.
Compatibility test
Any install, uninstall, or update scenario should prompt the user for consent or credentials.
Upon receiving user approval, the action should succeed.
Attempt to reproduce the failing scenario as the built-in-administrator. If this scenario passes,
the failure is probably due to a lack of privileges.
Use the User Account Control predictor tool of the Application Compatibility Toolkit's
Compatibility Administrator to identify those areas of an application that are performing
administrator operations.
Follow the prescribed guidelines found in the Windows Vista and Windows Server 2008 LOGO
programs and user experience (UX) guidelines documentation (see the "Links" section).
Use embedded manifests to indicate their specific requestedExecutionLevel (formerly known as
RunLevel).
Separate all administrative and non-administrative functions into separate EXEs. All functions
that need higher privileges should be in a separate executable EXE with manifested execution
level or a COM object running with administrative privileges. Launch the administrative tasks
only when required. This holds true for all applications.
For applications that are not specifically administrative in nature, modify code to eliminate need
for administrator permissions or privileges.
For applications that are only used by administrators, mark the application so it will run with
administrator permissions or privileges.
When updating an application, use a separate updater EXE to update the target application.
Control panel applications must move away from .cpl files to .exe files, and include a manifest
for their EXE-based control panel applications that specifies the execution level required.
DLLs running under RunDLL32.EXE that need elevation should be modified into an executable
EXE with its elevation level indicated in its manifest.
Always open files and registry keys with read-only access when possible. Use read-write access
only when needed and revert the permissions back to read-only once the operation is complete.
UACBlog
UAC-related question on Microsoft Forums
Aaron Margosis' WebLog; search for "Not running as administrator"
Brief Description
Many existing applications have a tendency to incorporate update functionality in their application. The
goal of embedding update functionality is to ensure that the client is running the most up to date binary
that the ISV can offer.
Some applications require more privileges than that of a Standard user when they perform their
updating functions. Often times, the per-machine files that were laid down during installation need to
be serviced. As per the UAC model for running and installation applications, only the elevated
administrator in Admin Approval Mode Admin has sufficient privileges to perform these actions.
Windows Vista and Windows Server 2008 includes built-in Installer Detection heuristics to detect many
application updaters correctly and elevate the updater process appropriately so that the update
completes successfully on elevation. However a few areas remain where application updates cannot be
completed successfully as follows:
Out of Process Updaters not Install Detected - Updaters that do not get detected through install
detection heuristics
Multi-purposed executables/In-process updates - Overloaded executables that perform more
than one operation. e.g. The binary is both the main application and the updating application
OR the multi-purposed executable runs as a thread within the application
Manifestation
Application update functionality fails
Remedies
Out of Process updaters not Install Detected
This is an issue that could occur within any enterprise and could result in that enterprise requiring an
application to be run with Administrator privileges. If an application updates itself by using a separate
process that is not installer detected then this separate process should be marked as requiring
Administrator privileges using App Fix.
Updaters that do not work as a user will prohibit an enterprise from running with least privilege.
The updater should be written as a separate process with a desired run level of Requires
Administrator.
This process should only execute when necessary for updating purposes.
Checking for whether the program needs updates should be done as the user.
i. Use MSI to create your initial installer and embed a certificate in the
MsiPatchCertificate table.
ii. Create an update for your application and sign it with the previously specified
certificate.
iii. MSI will perform the elevation for the application when applying the patch.
iv. The main advantage of this method over others is that it works with Standard
User, and keeps the system secure. It provides a better user experience
because the Standard User account doesn't have to ask an Administrator to
install the patch or request permanent Administrator privileges to run the
application.
Brief Description
The Component Object Model (COM) leverages the registry to maintain information about all of the
COM objects installed on a computer. This registry hive (HKEY_CLASSES_ROOT) is a virtual registry hive,
which allows for both per-user and per-machine object registration. Per-user COM objects
configurations are stored in HKEY_CURRENT_USER\Software\Classes, while per-machine configurations
are stored in HKEY_LOCAL_MACHINE\Software\Classes. Typically, COM per-user configurations take
precedence.
Beginning with Windows Vista and Windows Server 2008, if the Integrity Level of a process is higher
than Medium, the COM runtime ignores per-user COM configuration, and only accesses per-machine
COM configuration. This reduces the surface area for elevation of privilege attacks, preventing a process
with standard user privileges from configuring a COM object with arbitrary code and having this code
called from an elevated process.
Manifestation
Applications that are run elevated (whether manifested as requireAdministrator or user-selected by
right click Run as Administrator), as well as applications run from an account that is a member of the
Administrators group where UAC is disabled, will not be able to access any COM objects configured per-
user.
Remedies
Applications that will require administrator rights should register any dependent COM objects during
installation to the per-machine COM configuration store (HKEY_LOCAL_MACHINE\Software\Classes).
Brief Description
As an initiative to increase system stability, predictability and reliability, Windows Resource Protection
(WRP) protects Windows read-only resources specifically OS files, folders, and registry keys that are non-
configurable by design. See the Protected Resource List for a full accounting of protected resources.
WRP enforces this protection using Windows Security by specifying special security descriptors on the
resource. Any process including those running as administrator or system do not have rights to make
changes to WRP resources, they can read and execute. Full access to WRP resources is restricted to
Windows Modules Installer service.
As a result, read-only system state is protected from the inadvertent impact of application installs and
administrator modifications. This improves system stability.
Manifestation
Applications will not succeed in replacing or modifying protected OS resources, (typically this happens
during application install and uninstall) with the following results:
Attempts to replace, modify, or delete OS files and/or registry keys that are protected by WRP
may fail with an error message indicating that the resource could not be updated. This is
because access to these resources is denied.
Attempts to write new registry keys or values to protected registry keys may fail with an error
message that indicates that the change failed because access was denied.
Attempts to write to protected resources may fail if they rely on the application succeeding in
writing to protected registry keys or values.
Because applications are prevented from making changes to WRP resources and related errors are
suppressed, this may result in runtime errors.
Mitigations
Important Note: The following mitigation will not be applied if the application has a
manifest that specifies a requestedExecutionLevel as required by UAC.
For well-known installers, Access Denied errors resulting from attempts to create/modify/delete WRP
resources will be suppressed, and no changes are applied to the WRP resource.
Remedies
Do not install or update system state (files and registry) on Windows Vista and Windows Server
2008 except when using Microsoft provided redistributable packages designed for Windows
Vista and Windows Server 2008.
Do not install individual components of a whole Microsoft-provided redistributable designed for
Windows Vista and Windows Server 2008.
Use the SfcIsFileProtected API to detect WRP-protected files. If a file is WRP, then the
application installer should not install or modify the file.
For registry keys protected by WRP, applications should gracefully handle "Access Denied"
messages that are due to WRP.
Test and verify that legacy applications that rely on WRP mitigation are working properly by
installing the application.
Use SfcIsKeyProtected API to detect WRP-protected key. If a key is WRP, then the
application installer should not install or modify the key.
Brief Description
In Windows Vista and Windows Server 2008, Microsoft® Internet Explorer 7 runs in Protected Mode,
which can help protect users from attack by running the Internet Explorer process with greatly restricted
privileges. Protected Mode significantly reduces the ability of an attack to write, alter, or destroy data
on the user's machine or to install malicious code. It can help protect a user from malicious code
installing itself without authorization. This is the default mode for Internet Explorer when Windows Vista
and Windows Server 2008 are installed.
Manifestation
Applications that use Internet Explorer 7 will not be able to write directly to disk while in the
Internet or Intranet zone.
Applications may not know how to handle new prompts.
Protected Mode builds on the new integrity mechanism to restrict write access to securable objects like
processes, files, and registry keys with higher integrity levels. When run in Protected Mode, Internet
Explorer is a low-integrity process. It cannot gain write access to files and registry keys in a user's profile
or system locations.
Low-integrity processes can only write to folders, files, and registry keys that have been assigned a low-
integrity mandatory label. As a result, Internet Explorer and its extensions run in Protected Mode, which
can only write to low-integrity locations, such as the new low-integrity Temporary Internet Files folder,
the History folder, the Cookies folder, the Favorites folder, and the Windows Temporary Files folder.
Furthermore, the Protected Mode process will run with a low desktop integrity level when Windows
Vista and Windows Server 2008 ship, which will prevent Protected Mode from sending specific window
messages to higher integrity processes.
By preventing unauthorized access to sensitive areas of a user's system, Protected Mode limits the
amount of damage that can be caused by a compromised Internet Explorer process or malware. An
attacker cannot, for example, silently install a keystroke logger to the user's Startup folder. Likewise, a
compromised process cannot manipulate applications on the desktop through window messages.
Of course, these defenses also limit legitimate changes to higher integrity locations (IL). As a result,
Protected Mode provides a compatibility architecture that reduces the impact on existing extensions, as
shown in the following figure.
Remedies
Quick solution
Add the site in question to the trusted sites list.
Turn off Protected Mode (not recommended).
Compatibility test
Apply the quick solution and ensure that the application can perform the dependent functions
as in Windows XP SP2.
Change the application to handle Protected Mode, including any related prompts that may be
displayed.
Windows 64-bit
Feature Impact
High
Brief Description
Windows Vista and Windows Server 2008 fully support the 64-bit architecture processors from AMD and
Intel. The 64-bit version of Windows Vista and Windows Server 2008 can run all 32-bit applications with
the help of the WOW64 emulator. However, 16-bit applications, 32-bit installers, and 32-bit kernel
mode drivers are not supported by the kernel.
All 64-bit drivers have to be digitally signed for Windows Vista and Windows Server 2008 64-bit editions.
Unsigned drivers are not supported and cannot be installed on 64-bit Windows Vista and Windows
Server 2008. The digital signature check is done both during installation and driver load time.
Manifestation
Applications or components that use 16-bit executables, 16-bit installers or 32-bit kernel drivers
will either fail to start or will function improperly on a 64-bit edition of Windows Vista and
Windows Server 2008. In this case, the following error message is displayed:
The program or feature "[exepath]\[app16bit].exe" cannot start or run due to incompatibility
with 64-bit versions of Windows. Please contact the software vendor to ask if a 64-bit Windows
compatible version is available.
When a 16-bit installer or application is launched, the following error message is displayed:
The version of this file is not compatible with the version of Windows you're running. Check your
computer's system information to see whether you need an x86 (32-bit) or x64 (64-bit) version of
the program, and then contact the software publisher.
Installation of 32-bit kernel drivers will fail on the 64-bit system. If an installer manually adds a
driver by editing the registry, the system will not load this driver and this action could cause the
system to fail.
Installation of 64-bit unsigned drivers will fail on the 64-bit system. If an installer manually adds
a driver by editing the registry, the system will not load the driver during load time if it is not
signed.
Remedies
Leverage new capability solution
All 16-bit components should be removed from applications and replaced with 32-bit or 64-bit
equivalents.
All 16-bit installers should be converted to 32-bit or 64-bit installers.
If the application uses kernel mode drivers, then a 64-bit version of the driver needs to be
authored. The application should detect the platform of the OS (32-bit or 64-bit) and then install
the proper architecture of the driver based on the OS platform.
Ensure that all 64-bit drivers are digitally signed.
Compatibility test
Install and launch the application on a 32-bit and a 64-bit Windows Vista and Windows Server
2008 machine. The application should function properly on both architectures.
IIS 7
Feature Impact
High
Brief Description
Internet Information Server 7 provides a revolutionary way to develop and manage web applications. It
introduces granular controls over the various components, reduces administrative costs, provides better
security, and simplifies development.
IIS 7 also enhances features from the older versions in various ways. Some of the changes that could
impact compatibility for applications developed for IIS 6 or older versions are below:
IIS is componentized and Setup is granular; not all components are installed by default: NTLM is
not installed by default
Buffering files to memory is on by default
ISAPI changes
Manifestation
Sites using missing components may fail to run.
Sites using deprecated components will not run without modification.
Management tools and methods dependent upon the deprecated IIS metabase will break.
Cycling the W3SVC alone may not resolve problems like it did in earlier versions.
Remedies
Review installed IIS features and enable those that are required to enable proper functionality. IIS 7.0
breaks up the Web server into a lightweight server core and more than 40 feature modules that can be
plugged into this core. These modules - like StaticFileModule, which allows downloads of static Web
content, or WindowsAuthModule, which supports integrated NTLM authentication - can be
independently installed on the server to provide the exact functionality you need.
IIS 7.0 features a new delegated configuration system based on a hierarchy of distributed XML
configuration files. These files provide a portable method of configuration management which allows
the side-by-side storage of IIS and ASP.NET configuration, using clean and strongly structured XML
directives.
Cycling of all IIS 7 related services may be necessary to provide the reset functionality from earlier
versions. Each service should be checked when restarted to confirm the restart.
Brief Description
Prior to Windows Vista and Windows Server 2008, to log on to a third-party server or with a third-party
device, ISVs had to replace the Graphical Identification and Authentication (GINA) dynamic-link library in
Windows XP. Such applications also had to replace the existing UI and implement smart card and
remote desktop features on Windows XP.
Note: If an application did not function this way in Windows XP, then this information does not apply.
Windows Vista and Windows Server 2008 introduce a new authentication model where LogonUI and
WinLogon communicate directly with each other. This model provides simplicity, scalability, and
flexibility that did not exist with GINA. Unlike the GINA module, ISVs no longer need to replace the UI for
the logon screen, thus relieving the ISV of the burden of re-authoring the user interface for the user. An
ISV can author a credential provider, which is a module that plugs into the LogonUI, to describe the UI
and to gather the credential and pass it on to WinLogon. Credential providers are completely
transparent to WinLogon.
Credential providers are also additive meaning that users can install multiple credential providers and
pick the one they want to use. Credential providers can be user selected and/or event driven. Multiple
credential providers can coexist on Windows Vista and Windows Server 2008 and are not only for third
parties. In fact, Windows will ship two credential providers in the box: a user name and password
credential provider and a smart card credential provider.
Additionally, credential providers can be reused within CredUI. That is, the same object that describes
and collects credential information on LogonUI can be used to gather the very same credentials in
CredUI scenarios.
The GINA functionality from Windows XP and Windows Server 2003 has been deprecated and removed
from Windows Vista and Windows Server 2008. The GINA modules of applications will not function and
must be re-authored using the new authentication model for Windows Vista and Windows Server 2008.
Manifestation
User will not be able to successfully install custom logon applications.
User will not be able to log on using custom logon applications (using the Windows XP
technology) in Windows Vista and Windows Server 2008. These may include biometric devices,
custom UI for logon, or virtual private network (VPN) solutions for remote users with custom
logon UI.
Remedies
Leverage new capability solution.
The applications or components that use the GINA technology must be re-authored to use the
new logon authentication model for Windows Vista and Windows Server 2008.
Session 0 Isolation
Feature Impact
High (frequency: low)
Brief Description
In Windows XP, Windows Server 2003, and earlier versions of the Windows operating system, all
services run in the same session as the first user who logs on to the console. This session is called
Session 0. Running services and user applications together in Session 0 poses a security risk because
services run at elevated privilege and therefore are targets for malicious agents that are looking for a
means to elevate their own privilege levels.
The Microsoft Windows Vista and Windows Server 2008 and Windows Server 2008 operating systems
mitigate this security risk by isolating services in Session 0 and making Session 0 non-interactive. In
Windows Vista and Windows Server 2008, only system processes and services run in Session 0. The first
user logs on to Session 1, and subsequent users log on to subsequent sessions. This means that services
never run in the same session as users' applications and are therefore protected from attacks that
originate in application code.
Specific examples of affected driver classes include:
Printer drivers, which are loaded by the spooler service
All drivers authored with the User Mode Driver Framework (UMDF), because these drivers are
hosted by a process in Session 0
Application classes affected by this feature include:
Manifestation
If a service belonging to an application throws a UI, the application is waiting on the service, and the UI
is not displayed in the user session.
Remedies
Quick solution
If the application's service uses a UI, a built-in mitigation in Windows Vista and Windows Server
2008 allows the user to interact with the Session 0 UI in a special desktop. This will make
available the UI specific to the application, rather than the entire Session 0 desktop.
If the application creates globally named objects, then use the Windows XP compatibility mode
to ensure that the application will continue to work with the Session 0 services.
Compatibility test
Test and verify the application on Windows XP in a Terminal Server mode or a Fast User Switching (FUS)
mode. If the application works properly on Windows XP in these scenarios, then it is very likely to work
under Windows Vista and Windows Server 2008.
Verify that the application functions properly after applying the Windows XP compatibility mode, which
contains mitigation for some of the Session 0 issues.
Test the driver in Windows Vista and Windows Server 2008 to ensure that it runs properly. If that is not
possible, test the driver in Windows XP with FUS enabled and multiple users logged on. If the driver
works correctly for second and subsequent logged-on users, it is not likely to be affected by the Session
0 changes in Windows Vista and Windows Server 2008. The only issues that this test does not detect are
those related to the absence of the video driver in Session 0 in Windows Vista and Windows Server
2008.
Brief Description
The Windows Vista and Windows Server 2008 networking stack has been completely rewritten. Instead
of the dual stack model that exists in Windows XP or Windows Server 2003 (to support IPv4 and IPv6),
the networking stack implements a new architecture whereby there is a single transport and framing
layer that supports multiple IP layers. There are several new features along with several protocol
enhancements. The new stack is very modular, flexible, and extensible. While all attempts have been
made to maintain application compatibility with the existing applications that interface with the stack at
various layers, nevertheless, there are changes (that are mostly side-effects of the improvements) that
may have potential application compatibility issues. Application developers must carefully evaluate to
understand the impact of these changes on their applications.
The Microsoft Windows Filtering Platform (WFP) API allows developers to create code that interacts
with the filtering that takes place at several layers in the Windows Vista and Windows Server 2008
operating system networking stack and throughout the operating system. WFP also integrates with and
provides support for firewall features, such as authenticated communication and dynamic firewall
configuration, based on an application's use of the sockets API.
Note: WFP is not a firewall itself. It is a set of system services and APIs that enable firewalls to be
implemented.
The following elements of the TCP/IP stack will not be supported on Windows Vista and Windows Server
2008:
The firewall-hook driver functions and the filter-hook driver functions have been deprecated.
The R-series tools, including rexec, rsh, finger, etc. These tools are available from the Services
for Unix components, if needed.
The Internetwork Packet Exchange (IPX) protocol. IPX has been deprecated and is no longer
available from Microsoft There should be little, if any impact on application compatibility
because of this change.
Manifestation
If an application built for Windows XP was using only public functions for networking, it should
not see any break in functionality; it should be tested on Windows Vista and Windows Server
2008 to verify its functionality.
Applications using any of the firewall-hook driver or filter-hook driver functions will not work.
Applications relying on internal structures and functions calls that were never published by
Microsoft will fail.
Transport Driver Interface (TDI) filter drivers written in Kernel mode may not work properly after
an OS upgrade.
Note: The TDI interface is on a path to deprecation in a future release. However, these drivers will still
work on Windows Vista and Windows Server 2008.
Remedies
Leverage new capability solution
The WFP exposes a rich set of functions and services for network security developers and provides
guidance and documentation on the available feature sets.
Note: Applications and scripts that rely on Services for Unix and R-series must now install these tools
first.
Brief Description
In prior releases of Windows, Winsock clients did not have an API set to access the kernel. This has
changed in Windows Vista and Windows Server 2008. Also, Windows Vista and Windows Server 2008
now support IPv6 by default. Instead of providing separate APIs for IPv4 and IPv6, a new Helper API set
has been designed to provide a common functionality across all the new technologies, as follows:
Manifestation
Applications using the older Helper APIs or undocumented kernel function calls will fail to function and
may become unstable.
Remedies
Applications need to support and implement the new kernel mode IP helper APIs.
Networking: IPv6
Feature Impact
High (frequency: medium)
Brief Description
The TCP/IP stack in Windows Vista and Windows Server 2008 has IPv6 enabled by default. IPv6
connectivity is preferred, if available. This has the following implications for applications that hook into
the TCP/IP stack:
Applications and services that are IPv6 compatible can have a much improved peer-to-peer
connection success rate on IPv4 networks due to the built-in NAT traversal capabilities of Teredo
(which encapsulates IPv6 inside of IPv4 across NATs).
IPv6 traffic will be created by the Windows Vista and Windows Server 2008 stack regardless of
whether the network supports IPv6 or not. Therefore, for example, all Windows Vista and
Windows Server 2008 systems will have at least one IPv6 address (for link-local), and will
attempt DNS lookups for both IPv4 and IPv6.
The Windows Vista and Windows Server 2008 stack will always prefer using IPv6 when it can
find an IPv6 address for the remote system it needs to talk to. Network communication will take
place for any IPv6 compatible application or service if both systems in a session have IPv6
addresses (e.g. sharing files on a LAN will usually be done over IPv6).
IPv6 addresses will be present and on by default. There may be multiple IPv6 addresses
associated with link-local, global, temporary, or transition technologies like 6to4, 6over4,
ISATAP, or Teredo.
Note: Teredo will be enabled by default, but remains dormant unless an application or service tries to
use it. The Teredo service becomes active if: 1. The Windows Firewall exception for a listening application
or service has Edge Traversal option enabled (an advanced setting in the MMC snap-in of the Windows
Firewall, or invoked via an option in the Windows Firewall APIs). 2. An application or service attempts to
communicate with a Teredo address (the regular stateful inspection features of the Windows Firewall
will ensure that only IPv6 responses matching the outbound requests will be allowed in).
Windows Vista and Windows Server 2008 will allow a system to be configured in an IPv6-only
mode. In this case, no IPv4 support will be available.
The TCP/IP stack in Windows Vista and Windows Server 2008 supports a strong host routing model. This
means that packets are routed from a multi-homed machine not only based on the destination address
but also based on the source address of a packet. This change is needed because in IPv6, each machine
gets multiple IP addresses and, with transition technologies, essentially appears as a multi-homed
machine as far as routing is concerned. To ensure proper connectivity happens in these scenarios, the
networking stack has to implement a strong host routing model.
Manifestation
Applications using the Windows XP TCP/IP stack and/or unaware of the IPv6 protocol will not function
properly and may crash or create an unstable system.
The implication of the strong host routing model for the applications is as follows:
Connection from a non-loopback address to a loopback address and vice-versa will fail.
Packets with a source address of 127.0.0.0/8 will not be allowed to be sent by a Windows Vista
or Windows Server 2008 machine on a network.
Applications that do not use protocol agnostic APIs, and aren’t IPv6 compatible, will not be able to take
advantage of Teredo IPv4 NAT traversal and connections may fail when one or more parties is behind an
NAT.
Remedies
Applications will need to be re-authored as follows:
Any application that hooks into the stack must be capable of handling IPv6 traffic. Minimally, it
should not crash on receiving IPv6 traffic.
Any application that relies on there being a single IPv4 address will need to be modified to
handle multiple IPv6 addresses. Further, any application that picked the first address may have
to more carefully identify the IPv6 address to use. This is because an IPv6 link-local address is
not routable and hence, the application may not work. Instead, the application should use
functions that allow connection by name and choose the most appropriate address
automatically.
Applications must handle and support IPv6-only scenarios.
Applications must support and implement the strong host routing model.
IPv6 compatible applications that set the Edge Traversal flag in the Windows Firewall exceptions
(using Windows Firewall APIs) will automatically take advantage of Teredo for traversing IPv4
NATs.
Compatibility Risks
Deprecated Components
The following components from earlier Windows releases will not be present in Windows Vista nor
Windows Server 2008:
Kernel mode Printer driver support: All printer drivers will now have to follow the User mode
driver framework. All kernel mode printer drivers will be blocked from loading on Windows Vista
and Windows Server 2008. For more information, see the User-Mode Driver Framework (UMDF)
site.
Windows Help for 32-bit applications (WinHlp32.exe) -Windows Help is not supported and some
of the Windows Help code has been removed for the release. To view 32-bit Help files with the
.HLP file name extension in Windows Vista and Windows Server 2008, you will need to
download and install Windows Help from the Microsoft Download Center. For more
information, see Help Engine Support.
Note: HTML Help and .CHM files will continue to be supported for Windows Vista and Windows
Server 2008.
Microsoft® FrontPage® server extensions - Windows® SharePoint® Services now provides an
enhanced feature set to the developer community.
Services for Macintosh - There is no replacement for this component.
D3DRM - DirectX will be the only supported graphics package for Windows Vista and Windows
Server 2008.
Web Publishing Wizard - There is no replacement for this component.
NTLMSSSP Service
Windows Management Instrumentation Driver Extensions (WMI) Services
RPC-Locator Service
POP3 Email Server – There is no replacement for this component.
NetDDE - For security reasons, Windows Vista and Windows Server 2008 does not support
NetDDE. (NetDDE is disabled by default on Windows XP SP 2 and Windows Server 2003.) Regular
DDE is still supported. NetDDE is a technology that allows applications that use the DDE
transport to transparently exchange data over a network. The result is the application fails to
exchange data over the network. To workaround, use a different networking technology, such
as DCOM or Windows Communication Foundation.
will need to download and install Windows Help from the Microsoft Download Center. For more
information, see Help Engine Support.
Note: HTML Help and .CHM files will continue to be supported for Windows Vista and Windows Server
2008.
Help for Windows Vista and Windows Server 2008
Efficient management of video memory for DX applications and the new Desktop Window
Manager (DWM). Multiple 3-D applications will be using the graphics processor unit (GPU) in
Windows Vista and Windows Server 2008.
Driver upgrades without reboot.
Dynamic detection of GPU hangs and recovery without reboot.
Hot Plug detection support of monitors.
Using the hardware features mandated by DX9L.
Glitch-free video playback.
An opportunity for a very secure design.
While most of the applications from earlier versions of Windows should not be impacted by VDDM,
some risks include:
DX Games compatibility, resulting in DX run-time or IHV driver or core graphics stack issues.
Mobile functionality like hotkey, cloneview, brightness and zoom due to stricter ACPI
requirements.
Accessibility specifically that screen magnification applications designed by Windows XP will not
work on Windows Vista or Windows Server 2008.
DllMain Operations
The load order of DLLs during process creation is not guaranteed and should never be depended upon to
perform operations. Complex processing in DllMain may cause applications to hang or crash because of
new OS component dependencies. For details, see the following pages on MSDN:
DllMain Callback Function
"Calls to an OLE Object Should Not Be Done from DllMain"
"PRB: Cannot Create an MFC Thread During DLL Startup"
"Your application may fail with an 'Access Violation' error message when you use ODBC or DAO
in the InitInstance or DllMain functions of a DLL"
"COM application hangs when you call CoCreateInstance from DllMain"
Should not read into undocumented objects. Applications that read into the undocumented
structures to assess the status of a critical section will most likely break if they are looking for
uninitialized and freed critical sections.
Should prevent starvation. Applications that call Sleep while holding the critical section lock now
can cause starvation for other threads that need the lock. Sleep calls should be placed after the
LeaveCriticalSection call.
For more information, see the critical section objects topic in MSDN.
Default Programs
Brief Description
Default Programs has a new infrastructure to manage per user file and protocol associations designed
with contentious applications in mind. Applications need to register in order to use Default Programs’
functionality. Be aware that Default Programs will get a lot of visibility in Windows Vista and Windows
Server 2008 and beyond and make certain tasks much easier for applications to code and maintain.
Remedies
Windows Vista In Windows Vista and Windows Server 2008, we have provided a new set of functionality
for applications to take advantage of. This new set of functionality is called “Default Programs”.
Default Programs was designed to help users make choices about their default behaviors. A large part
of this is that defaults in Windows Vista and Windows Server 2008 and beyond will be primarily
controlled at the Per User level instead of the Per Machine level. This allows much more flexibility for
the multi user computer environment that we believe is going to become the standard. Part of this is
adding a new centralized UI for the user, but the other part is giving ISVs the tools they need to help a
user express choice. Default Programs gives an application:
Default Programs by writing a specific schema. This will allow the application to show up in the Default
Programs control panels so a user can restore the applications default file associations and protocols at
any given time.
Once an application has registered with Default Programs the application can take advantage of new
functionality provided through APIs. Default Programs provides APIs to:
Restore all registered defaults
Restore single registered default
Query for the owner of a specific default file association/protocol/start menu canonical
Launch Defaults UI for a specific app
Clear all per user associations
The Default Programs work is intended to make it very easy to express user choice post install and
provide applications a simple framework to contend for defaults and claim them.
claim the defaults on the per user level instead of the per machine level. Switching to the new API set
does this automatically. Applications that try to claim per machine defaults post install will fail.
The other strong reason to update an application to use Default Programs is to consistently achieve the
desired results. File and protocol associations are derived from a hierarchical structure in registry. Part
of this structure dictates that per user defaults will always be chosen over per machine defaults. This
means that if an application decided to build elevation points in its code to claim defaults by writing to
HKLM like in XP, it would not always achieve the desired result. As soon as another similar application is
installed and uses Default Programs’ APIs that take per user file and protocol associations, the previous
application would no longer be the default because per user defaults have a higher precedence.
Videos
Default Programs Videos - Watch Video
PCA Scenarios
Detecting failures in setup programs
One of the main scenarios for PCA is to detect setup programs failing to install on Windows Vista and
Windows Server 2008 and to provide the solution of applying the Windows XP compatibility mode.
The most common setup failure is due to installers hard coding the check for the Windows OS version.
These installers will typically fail with an error message saying that the current version of Windows is not
supported and installation will be terminated.
Below is an example of such error message, illustrated by a test program.
major version. If the program is hard coded to look for the XP version, which is major version 5, then it
will fail in Windows Vista and Windows Server 2008. The XPVersionLie fix included in the Windows XP
compatibility mode will provide the XP version of the OS to the program, when it calls GetVersion or
GetVersionEx APIs.
PCA targets to detect this scenario and will display a user interface similar to the one below after the
installer is terminated. This scenario also covers uninstallers and a similar dialog will soon be shown.
PCA relies on the User Access Control (UAC) feature in Windows Vista and Windows Server 2008 to
know whether a program is a setup program. UAC includes detection for setup programs and will make
sure the detected setup programs will be run as administrator. This includes getting administrative
credentials or confirmation from the user before launching the program.
3. What does each option in the PCA dialog for setups do?
'Reinstall using recommended settings'
This will apply the Windows XP compatibility mode and restart the program. Refer to the section
below on managing PCA settings to get more details on how the compatibility mode is applied.
'Cancel'
PCA will do nothing.
All these options will result in the PCA dialog disappearing. PCA will not show up again for the same
setup program except when the user selected the 'cancel' option on the previous PCA dialog.
typically custom made installers which are not built using standard installer technologies like Install
Shield, Microsoft Windows Installer, etc.,
PCA detects this scenario and will display a user interface similar to the one below after the installer is
terminated.
It is possible that in some cases, PCA might come up for a setup program that completed correctly. In
those cases, users can use this option to suppress the PCA dialog the next time.
'Cancel'
PCA will do nothing.
PCA will not show up again for the same program except when the user selected the 'cancel' option on
the 'The program installed correctly’ PCA dialog.
What does each option in the PCA dialog for this scenario do?
'Open the control panel using recommended settings'
This will apply the ‘RunAsAdmin’ compatibility mode and restart the control panel item as
administrator. Refer to the section below on managing PCA settings to get more details on how the
compatibility mode is applied.
'Cancel'
PCA will do nothing.
All these options will result in the PCA dialog to disappear. PCA will not show up again for the same
control panel item except when the user selected the 'cancel' option on the 'The control panel
works correctly' PCA dialog.
Here the test program was trying to use the COM objects associated with the DHTML editing control,
which is removed from Windows Vista and Windows Server 2008.
More details on what happens under the covers are explained through Question/Answer below.
1. What is the detection logic and how does PCA know that the program failed to launch a child
exe which needs to run as administrator?
The detection for this scenario is accomplished through instrumentation at the CoCreateInstance API
and the Loader (NTDLL) to detect load failures on COM objects and DLLs respectively. When there is a
failure due to an object or file not found then it will be checked against a known list of DLLs and COM
objects. If a match is found PCA will trigger after the program termination
2. What happens when ‘Check for solutions online’ option is selected?
'Check for solutions online' sends a Windows Error Report to get an online response from Microsoft. The
responses will be displayed in the client Solutions to Problems (wercon.exe) UI. Typically the response
will point the user to a Knowledge Base article that talks about alternatives to the deprecated
component and in some cases provides a link to download the deprecated component from online.
Hard Block Messages - If the program is known to be incompatible and if allowing the program
could result in severe impact to the system (for example, a stop error or unable to boot after the
install, etc.) then a blocking message as shown below will be displayed.
Note: Microsoft gets approval from each ISV whose program is going to be blocked.
Figure 9:Hard block apphelp message - displayed when incompatibility would have severe impact
Soft Block Messages - The other type of message is a non-blocking message similar to the one
below. This will be used in the case of programs that have known compatibility issues but the
impact is not severe to the system.
Figure 10: Soft block dialog displayed when incompatibility issues would not cause severe impact
In both cases, 'Check for solutions' sends a Windows Error Report to get an online response from
Microsoft. The responses will be displayed in the client Solutions to Problems (wercon.exe) UI. Typically
the responses will be of 3 types:
1. Pointing the user to an update from the ISV for that program.
2. Pointing the user to an ISV website for more information.
3. Pointing the user to a Microsoft Knowledge base article for more information.
Event logging
After the user has acted on PCA, an event will be logged in the event log. The events can be found under
‘Application and Services Logs->Microsoft->Windows->Program-Compatibility-Assistant->Operational’
in the Event viewer. The event log includes the following information: Application name, Application
version, Executable path, Scenario ID, User action and names of the compatibility modes applied if any.
The values of the scenario ID are listed in the table below.
Scenario ID Description
Brief Description
As part of the Desktop Window Manager work, Microsoft has made subtle but important changes to the
way applications paint to the screen. Prior to Windows Vista and Windows Server 2008, an hwnd was
painted directly to the screen, which had certain benefits but really limited how Windows could display
and manage top-level windows. In Windows Vista and Windows Server 2008, all top-level windows are
rendered to an off-screen bitmap (similar to WS_EX_LAYERED), and the Desktop Window Manager
combines the images together to draw the desktop.
Manifestation
Black areas around tool tips, pop-up menus, balloons, splash screens, etc.
This can happen when the application has not painted the entire hwnd, usually because that application
assumed that the pixels in the background windows are good enough.
Flashes of black
A related issue can occur where the background contains uninitialized pixels that appear to the user as
flashes of black on the screen. This occurs when applications do painting that is not part of a
WM_PAINT message. The system detects that the application is drawing and redraws the desktop, but
the application may not have finished drawing the hwnd. This causes the flashes of black.
Rendering Performance
Feature Impact
Low
Brief Description
Most applications will run as fast or faster on Windows Vista and Windows Server 2008, but there are
some changes that may require monitoring.
Manifestation
Overall GDI drawing performance is slower
GDI primitives like LineTo and Rectangle are now rendered in software rather than video hardware,
which greatly simplify the display drivers.
Brief Description
As an added layer of defense against malicious software, Windows Vista and Windows Server 2008 allow
different UI applications to run with three different levels of UI privilege. Applications can freely interact
with other applications of the same and lower permission, but can’t modify or talk to applications of
higher permission. Most applications will run with the middle permission, while applications that require
administrator privileges run in a higher mode. Restricted processes such as low rights Internet Explorer
use the lowest privilege mode.
More specifically, applications in lower privilege modes cannot generally send messages to higher
privileged applications unless the higher privileged application explicitly allows that message by calling
ChangeWindowMessageFilter(). Similarly, lower privileged applications can read but cannot modify
an HWND owned by a higher privileged application. For compatibility reasons, SendMessage and
other APIs will return success even if the API was blocked because of privilege issues. Similarly, where
compatibility impact is high and security risk is low, sometimes low-privileged applications are allowed
to send unsolicited messages to high privileged applications.
Manifestation
Applications that interact with other applications stop doing so.
Utilities that reposition windows, type keystrokes for you, add extra buttons to windows, etc.
Cut and paste between different applications fails.
An Application may not work at all, or it may not support all the different clipboard formats you expect
(rich text, HTML, etc.)?
Remedies
Journaling hooks
WH_JOURNALPLAYBACK and WH_JOURNALRECORD are inherently cross-process, so they require
the highest privilege level. The SendInput() API, which doesn’t require full UI privilege for many cases,
can often be used instead of journaling hooks.
The WH_JOURNALPLAYBACK and WH_JOURNALRECORD journaling hooks are inherently cross-
process, so they require the highest privilege level. An alternative to journaling hooks is the SendInput()
function, which doesn’t require full UI privilege for many cases.
If you have the source code for the program, consider reviewing any code that uses the following
functions, as they often indicate cross-process messaging. The list is not exhaustive, and might not find
every issue, but it provides a good balance between finding issues and minimizing false positives.
SendInput
RegisterWindowMessage
BroadcastSystemMessageEx
BroadcastSystemMessage
SetWindowsHook
SetWindowsHookEx
CallNextHookEx
CallNextHook
SetWinEventHook
AttachThreadInput
FindWindowEx
FindWindow
CreateDesktop
CreateDesktopEx
OpenDesktop
OpenInputDesktop
EnumDesktops
EnumDesktopWindows
SwitchDesktop
SetThreadDesktop
GetThreadDesktop
CloseDesktop
CreateWindowStation
OpenWindowStation
EnumWindowStations
CloseWindowStation
GetProcessWindowStation
Search for source files with findstr /s /g:temp.txt *.c *.cpp *.h *.hpp where temp.txt is the above
list of APIs copied to a text file. While not an exhaustive search, it will help to identify issues versus
minimizing false positives.
Brief Description
On systems using the high dpi setting, applications that don’t natively understand high dpi will be
automatically scaled up.
Manifestation
Pixel sizes have been roughly constant for a long time, but LCD manufacturers are increasingly coming
out with monitors with smaller and smaller pixels, also known as high dots per inch (dpi). If an
application uses the same number of pixels on a high dpi screen as it does on a standard 96 dpi screen,
the application will look very small. Windows Vista and Windows Server 2008 introduce the ability to
scale applications that were written for 96 dpi screens, which they do by rendering the application’s
bitmap at a larger size. Like all bitmap scaling, this can result in some blurriness, but otherwise gives a
correctly sized and properly rendered image. Applications can also decide to support high dpi natively,
which will give the crispest possible look. Currently an application can turn off scaling & declare itself
dpi-aware by calling SetProcessDPIAware(). A manifest-based way to declare this is under
investigation. For more information about writing applications that natively support high dpi, see
http://msdn2.microsoft.com/en-us/library/ms969894.aspx .
The rest of this section talks about potential problems with non-DPI aware applications. Applications ask
Windows questions like "how many pixels wide is a scrollbar", so when a 96 dpi application asks,
Windows Vista and Windows Server 2008 give the application the 96 dpi answer. There are, however
cases where Windows doesn’t provide an answer based on the application, usually because Windows
Vista and Windows Server 2008 don't yet have enough information (please give us this feedback), and
sometimes because the “right” answer depends on what the application is trying to do with the answer.
(Screen coordinates often raise this problem.)
Most compatibility problems come from these imperfect conditions. Things to look for when testing:
Text is clipped (partially hidden).
Text is too big.
Something is drawn at the wrong size or in the wrong place.
Remedies
For more information about writing applications that natively support high dpi, see
http://msdn2.microsoft.com/en-us/library/ms969894.aspx .
PNG Icons
Feature Impact
Low
Brief Description
The icon file format (*.ico) now supports PNG images in addition to the older BMP-style icons; many
Windows Vista and Windows Server 2008 icons use the PNG variant.
Manifestation
Applications that view or edit icon files may not understand the new format.
Brief Description
In Windows Vista and Windows Server 2008, many services are running under lesser privileged accounts
like NetworkService (NS) or LocalService (LS) rather than Local System. Service hardening is an initiative
to improve the compartmentalization between the services such that if one service is compromised, it
cannot easily attack other services on the system. Windows Vista and Windows Server 2008 harden the
named pipes used by RPC servers to prevent other processes from being able to hijack them.
Under Windows XP an RPC server creates a named pipe and the ACL on the pipe grants LocalService or
NetworkService Full Control. This includes the ability to create “server instances” of the pipe, so clients
can connect. The only process that should create instances of a pipe is the process that initially created
the pipe. Microsoft’s ACL change restricts the ability to create server instances to the process that
created the pipe initially.
Manifestation
The following services have been affected; Services that run as LocalService or NetworkService, services
that opt-in to using service Sids and services using RPC over named pipes that request the “default”
named pipe security descriptor.
Services that opt-in to using service Sids means no 3rd party service will be affected by default. Service
Sids is a new feature in Windows Vista and Windows Server 2008 that you have to opt-in by setting a
DWORD in your service configuration. When developers opt-in they have the opportunity to test with
the new service hardening behavior; this change would be one of those behaviors.
Services using RPC over named pipes that request the “default” named pipe security descriptor means
that if some RPC server is specifying a custom security descriptor because of special needs, they will see
no change. Below is a list of the affected Pipes:
Epmapper
Eventlog
Dav rpc
Keysvc
Winreg
Tapserv
W32time_alt
Termsvcapi
Ctx_winsta
Hydralspipe
Remedies
Use DPAPI for future PStore procedures.
Brief Description
The Default HostingModel for WMI providers has changed from LocalSystem to NetworkServiceHost.
In previous releases of Windows (Pre-Windows Vista and Windows Server 2008 Beta2), if the
HostingModel of a WMI provider (__Win32Provider.HostingModel property) was unspecified, it was
defaulted to LocalSystem. Because LocalSystem is a highly privileged account, the WMI provider running
in this security context exposes the Operating System to a risk of elevation of privileges depending on
the provider code quality and testing.
For most cases LocalSystem is unnecessary and the NetworkServiceHost context is more appropriate.
This is especially true because most WMI Providers must impersonate (ImpersonationLevel=1) the client
security context to perform the requested operations on behalf of the WMI client.
Manifestation
If a WMI provider lacks a definition for hosting model and executes as if it is running under the
LocalSystem level, it will not run properly.
Remedies
The expected hosting model must be changed to ensure that the WMI provider code performs the
operations in the client security context by impersonating the WMI client. Cases that require the
LocalSystem security context are extremely rare; however, if LocalSystem is an absolute requirement,
specify the hosting model explicitly with the HostingModel=LocalSystemHost statement in the provider
MOF file.
subsystems, and storage management applications (including backup applications). This service defines,
persists, and exploits point-in-time copies of storage data.
Manifestations
Compatibility with XP backup applications
Several interfaces have changed since XP and the libraries are not compatible with Windows Vista and
Windows Server 2008. At a minimum the application will need to be recompiled using either headers or
libraries from VSS SDK 7.2 or from the Platform SDK released with Windows Vista and Windows Server
2008 Beta 2.
Compiling backup applications for Windows Vista and Windows Server 2008
Applications that use interfaces available in Windows Server 2003 can be compiled using the headers
and libs provided in VSS SDK 7.2. To use new interfaces specific to Windows Vista and Windows Server
2008, recompile using the VSS headers and libs included in the Platform SDK for Windows Vista and
Windows Server 2008.
VSS writers
Registry Writer
The Registry writer now performs in-place backups and restores of the Registry as compared to the spit
writer scheme earlier. User hives are not reported by the Registry Writer.
MS Search Writer
This deletes the search index from shadow copies after creation
MSDE Writer
This is the default writer for SQL 2000 and SQL 2005 databases.
WMI Writer
WMI VSS writer is used for backing up WMI specific states and data during backup operations. The data
includes files from the WBEM Repository and requires Registry Backup.
System Writer
On Windows Vista and Windows Server 2008 the System Writer will generate a list of files using the
following formula:
1. All static files that have been installed. These are identified by the attribute writeabletype =
“static “Or writeabletype is “” in the component manifest. This will include all WRP files,
additionally there may be some files marked as static that are not WRP. For example games are
static but not WRP so that administrators can change parental controls.
2. The WinSxS folder which includes all manifests, optional components and 3rd party Win32 files
3. All PnP Files for installed drivers (owned by PnP)
4. All User Mode Services and non PNP drivers
5. All Catalogs owned by CryptSvc
The files in %windir%\system32 are hard links to the winsxs directory.
The restore app is responsible for laying down files and registry and setting ACLs to match the system
snapshot. The appropriate hard links must also be created.
Installation prerequisites: The Application Verifier must be installed before the Standard User
Analyzer installation is launched. The Application Verifier is a free download on the Microsoft
Web site.
Installation
To install the Standard User Analyzer, run the SUAnalyzer.msi file. All Standard User Analyzer
files are installed to the “Program Files\Standard User Analyzer” folder.
Note: Prior to using Standard User Analyzer, you must install the latest Application Verifier.
Use the Standard User Analyzer to diagnose standard user compatibility issues within an
application.
Note: The Standard User Analyzer should be run on a Windows Vista or Windows Server 2008 computer
to properly identify an application’s standard user compatibility issues.
The following procedure is written to be performed by a standard user on a Windows Vista and
Windows Server 2008 computer:
1. Click Start, point to All Programs, and then double-click Standard User Analyzer.
2. On the App Info tab, in the Target Application field, enter the directory location of the target
application’s executable file or use the Browse function.
3. On the App Info tab, in the Parameters field, enter parameters for the application, if applicable.
4. On the App Info tab, select the Launch Elevated checkbox, and then click the Launch button.
5. If a User Account Control credential prompt appears for SUAnalyzerSrv.exe, provide
administrator credentials and click Submit.
6. In the User Account Control credential prompt for target application, provide administrator
credentials and click Submit.
Note: The SUAnalyzerSrv.exe process may request elevation while performing this procedure. This
process is a backend process that is responsible for managing tasks that require an administrator access
token, such as changing settings in the Application Verifier.
During the test, the Standard User Analyzer will launch the application, monitor its actions, and wait for
the application to be closed. The Standard User Analyzer will then generate and parse a log for the
application, which might take some time to complete. Once the log has been generated and parsed,
click on individual tabs to view specific issues found by Standard User Analyzer.
Tab Details
File Lists file system access issues.
For example, an application attempting to write to a file that normally only administrators can
access.
Other Objects Lists issues related to accessing objects other than files and registry keys.
the stack trace. ISVs can use stack trace data to track down the problem in the application’s source
code.
View menu:
Choose what kinds of messages you want to display. Usually only view “error messages” is
necessary.
Options menu:
Filter Noise: Toggle between display/hide entries that are “noisy”.
Load Noise Filter File: Load a noise filter file.
Export Noise Filter File: Save a noise filter file.
Only Display Records with Application Name in StackTrace: This will reduce the noise; however
since the Standard User Analyzer only captures the first 32 stack frames, enabling this option
might filter out real issues if a call stack is deeper than 32 frames.
Logging: Logging options. It is recommended that you leave the “Log Information” checkbox
unchecked in order to keep the log file from getting too large.
Help menu:
Help menu.
support in Windows Vista and Windows Server 2008 for four Microsoft Help technologies: Windows
Help, HTML Help 1.x, the Help and Support Center, and the Assistance Platform client.
In Windows Vista and Windows Server 2008, the Assistance Platform client can be customized by OEMs,
system builders, and enterprise customers under license agreement, but cannot be used by third-party
programs. For more information on customizing the Assistance Platform client, see the Windows SDK.
Figure 15: Per User Application Data Legacy Folder Junction Requirements
Figure 17: Legacy Profile Folders where Junctions Are Not Required
..\Documents and Settings\<username>\ Covered by the junction for the Local Settings folder to
Local Settings\Temp Local.
Compiling Backup Applications for Windows Vista and Windows Server 2008
Applications that use interfaces available in Windows Server 2003 can be compiled using the headers
and libraries provided in VSS SDK 7.2. In order to use new specific Windows Vista and Windows Server
2008 interfaces, the user would need to compile the application using VSS headers and libraries included
in the Platform SDK for Windows Vista and Windows Server 2008. Note that Binaries compiled using
Windows Vista and Windows Server 2008 headers and libraries will not run on Windows Server 2003.
VSS_E_TRANSACTION_FREEZE_TIMEOUT
VSS_E_TRANSACTION_THAW_TIMEOUT
In case the requestor receives either of these errors it must retry snapshot creation. Registry and file
system operations may also be transacted. In the case of the registry, the registry writer ensures
transactional consistency. Transactional consistency of NTFS operations is ensured by mounting the
shadow copy read/write after creation and then rolling pack partially committed operations.
Extensibility
Below outlines how an application can correctly handle being invoked from the Search the Internet
feature.
Windows Vista and Windows Server 2008 enable users to launch an Internet Search directly
from the Start Menu search box.
where szBrowser contains the location of the executable file of the browser currently registered.
Internet Explorer:
Contoso Browser:
C:\Folder\contoso.exe "? <search term> "
C:\Folder\contoso.exe "? Hello World"
Brief Description
MMC.EXE always runs with DEP (Data execution protection) enabled. Snap-ins must be DEP aware. This
feature cannot be turned off, and no compatibility mode exists.
Manifestation
Snap-ins that are not DEP aware may cause a failure to load within MMC or not work properly.
Remedies
This feature cannot be turned off, and no compatibility mode exists.
Brief Description
In order to avoid the situation where a user–installed firewall (which is compatible with Windows XP but
is incompatible with Windows Vista and Windows Server 2008) attempts to turn off the Windows
Firewall in Windows Vista and Windows Server 2008, Microsoft has deprecated the Windows Firewall XP
SP2 INetFwProfile.put_FirewallEnabled(VARIANT_FALSE) function in Windows Vista and Windows Server
2008. When called on Windows Vista and Windows Server 2008, this function will
1. Return an error code of E_NOTIMPL
Manifestation
Applications using the Windows XP SP2 INetFwProfile.put_FirewallEnabled(VARIANT_FALSE) function to
turn-off the Windows Firewall on Windows Vista and Windows Server 2008 will receive an error code.
Remedies
Applications (typically firewalls) replacing the Windows Firewall with their own firewall solution, must
carefully consider the following security-related points:
Windows Vista and Windows Server 2008 support IPv6 and IPv4 out-of-the-box and will
automatically have an IPv6 address; therefore, it is essential that your firewall solution filters
BOTH IPv4 & IPv6.
Windows Vista and Windows Server 2008 also support additional IP protocols (e.g., GRE, L2TP,
PGM & ICMPv6); therefore, it is essential that your firewall solution filters arbitrary protocol
filtering (IANA Protocol 0-255) & ICMP type and code filtering.
In Windows Vista and Windows Server 2008 there are listening processes in both user mode and
Kernel mode (i.e., system process, http.sys, smb.sys); therefore, it is essential to filter BOTH
User mode and Kernel mode network traffic.
Microsoft further recommends that these applications:
Do not replace the Windows Firewall unless your application addresses all of the security-
related points specified above.
Check the firewall status before your application turns-off or disables Windows Firewall with
Advanced Security so that it can be restored later if necessary.
Do not turn off the firewall service (mpssvc) since this is the service that enforces Windows
Service Hardening restrictions. Instead, use the Windows Firewall API’s to modify the firewall
state to “OFF” so that the firewall is effectively disabled but the Windows Service Hardening
restrictions are still in place.
To protect users, you should only disable Windows Firewall with Advanced Security after: (1) you have
successfully turned on your firewall solution with the recommended settings; and (2) you have notified
the user that Windows Firewall with Advanced Security is going to be disabled.
Additional resources:
http://blogs.technet.com/all_things_appcompat/
Windows Vista Development Center
WWW.Devreadiness.org
Videos
Virtual Labs
Feature Intros:
Application Compatibility with Hatem Zeine - Watch Video
Application Toolkit with John Melton - Watch Video
Error Reporting with Jeff Braunstein and Jason Hardester - Watch Video
Introduction to Default Programs with Ed Averett - Watch Video
Kernel Mode Signing with Ramesh Chinta - Watch Video
Networking with Neeraj Garg - Watch Video
Windows Filtering Platform w/ Madhurima Pawar & Salahuddin Khan - Watch Video
Windows Resource Protection with RoseMarie FitzSimons - Watch Video
Windows Vista Logo Programs with Brad Sullivan & Venkat Krishnamachari - Watch Video,
Watch Video
User Account Control with Chris Corio - Watch Video
Windows Vista and Windows Server 2008: Understanding, Enhancing, and Extending Security
Videos
Part 1: Watch Video (23:23 minutes)
Part 2: Watch Video (7:33 minutes)
Part 3: Watch Video (19:16 minutes)
Part 4: Watch Video (2:50 minutes)
Part 5: Watch Video (15:12 minutes)
Brief Description
A Read Only Domain Controller is a new type of domain controller in the Windows Server 2008
operating system. With an RODC, organizations can easily deploy a domain controller in locations where
physical security cannot be guaranteed. An RODC hosts a read-only replica of the database in
Active Directory® Domain Services (AD DS) for a given domain.
Before the release of Windows Server 2008, if users had to authenticate with a domain controller over a
wide area network (WAN), there was no real alternative. In many cases, this was not an efficient
solution. Branch offices often cannot provide adequate physical security that is required for a writable
domain controller. Furthermore, branch offices often have poor network bandwidth when connected to
a hub site. This can increase the amount of time required to log on; it can also hamper access to
network resources.
Beginning with Windows Server 2008, an organization can deploy an RODC to address these problems.
As a result, users in this situation can benefit from:
Improved security
Faster logon times
More efficient access to resources on the network
Manifestation
Any application that writes to the Active Directory is potentially impacted by RODCs, and may see
compatibility issues involving failed writes, or failed reads of newly written data.
Remedies
Applications which write data may locate a DC using methods which do not differentiate between
writable and read-only DCs.
There are two methods that applications typically use to request the nearest domain controller:
In Windows Server 2008, a domain controller Locator call can return any domain controller. This
includes a domain controller running Windows 2000 Server or Windows Server 2003, or a writable or
read-only domain controller running Windows Server 2008.
Problems can occur if an application needs to write to directory objects and it gets an RODC from calling
a serverless bind. In that case, the write operations are referred to a writable domain controller running
Windows Server 2008 at the hub site. Depending on the WAN connection to the hub site at that time,
the application can fail to connect to the hub and can report errors. The application must also correctly
handle these referrals. Even if the write operation succeeds, any subsequent reading of the data that
was just written might fail. This is because of inherent latency that is required to replicate this data back
to the RODC.
To determine this, check the supportedCapabilities attribute on the rootDSE. For more information, see
Serverless Binding and RootDSE (http://go.microsoft.com/fwlink/?LinkId=67638). The presence of object
identifier value 1.2.840.113556.1.4.1920 indicates that the specified domain controller is an RODC.
You can also use the DsRoleGetPrimaryDomainInformation function to determine if the domain
controller is an RODC. A new flag has been added to the DSROLE_PRIMARY_DOMAIN_INFO_BASIC
structure. The following table describes the new flag.
Brief Description
Windows Server 2008 is now completely componentized. The roles for Windows Server 2008 are now
highly granular and optional. By default, no server roles are activated. Server roles from prior versions of
Windows Server are not exactly the same in Windows Server 2008.
Web Server and Application Server which were one role in Win2k3 and are now split into two roles for
Windows Server 2008.
Manifestation
Installation instructions and scripts may break or produce improper results.
Remedies
Installation instructions and scripts to install new servers will have to be updated.
Brief Description
Windows Server 2008 does not, by default, install applications and accessories that are considered to be
part of a user’s desktop experience. These applications can be selectively installed using Server
Manager.
Manifestation
Applications and Installers that rely on windows desktop applications and accessories may fail to run or
install. Desktop accessories and tools have been removed into a separate feature install since most
users of Windows Server do not need desktop applications.
Remedies
Applications dependent upon desktop accessories and tools will need to ensure that they are installed
prior to application installation.
Brief Description
Windows Server 2008 introduces a new concept called Server Core. Server Core is a minimal server
installation option for computers running on the Windows Server 2008 operating system. Server Core is
available for x86 and x64 (note: not Itanium).
Server Core provides a low-maintenance server environment with limited functionality. The server core
supports a limited set of roles. Currently, Server Core supports the following roles:
DHCP
DNS
Active Directory Domain Controller (including RODC)
Active Directory LDS (formerly ADAM)
File Server, including:
o DFSR (formerly FRS)
o NFS
o File quota
Print Server
Media Services
Windows Virtualization
IIS 7.0 (note: no support for ASP.NET and no remote Administration)
WINS
Failover Clustering
Subsystem for UNIX-based applications
Backup
Multipath IO
Removable Storage Management
Bitlocker Drive Encryption
SNMP
Telnet Client
(S)NTP
It also does not support .NET functionality; however, it does support development of management
tools, utilities, and agents.
Since Server Core is new, it has little impact on current applications. Understanding the limitations of
Server Core is imperative to proper implementation for maximum benefit. There is no upgrade path
from a downlevel version of Windows Server to Server Core, only a clean install is supported. There is
also no way to upgrade Server Core to Server with the gui shell, this requires a reinstallation.
Feature Impact
Low
Brief Description
The existing Cluster API’s have remained largely the same as in Windows Server 2003. A dozen or so
new ones have been added, such as CreateCluster(), DestroyCluster(), AddClusterNode(),
EvictClusterNode(), SetClusterQuorumResource(), and SetClusterResourceDependencyExpression() to
name a few. The only ones that have been completely removed are BackupClusterDatabase() and
RestoreClusterDatabase(). You now need to use the new Cluster VSS Writer to perform backups and
restores of the cluster configuration.
The Cluster Automation Server (MSClus) COM interface is being deprecated, so none of the new API's
are exposed through MSClus. MSClus will still be there for Windows Server 2008, but it will be removed
in a future release. The recommendation is to stay away from writing new code leveraging it. In
Win2008 there now is full parity between the Cluster API and the WMI provider MSCluster.
http://msdn2.microsoft.com/en-us/library/aa372876.aspx
A new control code has been added that will be of interest if you have a storage class resource. It is
called CLUSCTL_RESOURCE_STORAGE_GET_DISK_INFO_EX
Finally, backward compatability has been broken. This means you can’t call Cluster API's from a
Win2008 Cluster to a downlevel cluster (NT4 / Win2k / Win2003). And the same you can’t be on a
downlevel client and remotely call Cluster API's against a Win2008 node. But this does not affect code
running on a Win2008, so in general your code should just work.
Manifestation
Applications that use BackupClusterDatabase and RestoreClusterDatabase will no longer function when
used on a Windows Server 2008 Cluster.
Remedies
Applications that use the API mentioned above will have to be re-engineered for backup and restore.
Feature Impact
Moderate
Brief Description
Windows Firewall is on by default: This means that the application installers need to be aware of the
ports that the application uses so that these firewall ports are explicit opened, or to turn off Windows
Firewall (recommended only if another firewall is installed).
On Server, Server Roles and Optional Components are aware of the firewall and will plumb firewall rules
automatically upon installation. Conversely, the same components and roles will remove their firewall
rules when they are uninstalled.
Manifestation
Legacy application installers may break because dependent TCP/IP ports will not be open by default.
Legacy applications may break after installation because dependent TCP/IP ports will not be open by
default. On Windows Vista, client applications will prompt the user for a decision to Allow or to Keep
Blocking the application. On Server, there’s no such prompt. Instead, a Security audit event is logged to
signal that an application was blocked.
Remedies
For legacy application installers, the ports need to be explicitly opened by an administrator, or turn
Windows Firewall off.
Administrators can leverage:
The ‘netsh advfirewall’ context to work with firewall rules from scripts.
Security Configuration Wizard templates to configure their Servers only
The INetFwPolicy2 Firewall APIs to integrate their installers with the Windows Firewall with
Advanced Security