Application compatibility final

Everything You Want to Know About Application Compatibility But Were Afraid to AskHarold Wongblogs.technet.com/haroldwong

How much is this app compat thing going to cost me?Why did you break half of my software?All I need to do is run ACT long enough, and it’s fixed, right?Can I just stroke a check and have this problem go away?Should I just stay on Windows XP?The Internets said to just turn off UAC.Doesn’t App-V just fix it all for me?The MED-V brochure said just virtualize it all and migrate.The tool brochure said it fixes 90% of the problems.Why can’t my company afford a chair for me?No, seriously, can I have a chair, please?Listen, I’m not talking about App Compat until I get a chair.

App-VBeyond TrustACT 5.5Win XP ModeACF PartnersMED-VAppDNAChangeBaseShimsDisable UACThere Are No Silver Bullets

Session Objectives and TakeawaysSession Objectives:Understand that app compat isn’t easyUnderstand that app compat is not impossibleKey Takeaway:Chris’ home number is a 900 number. Check the bathroom wall for details.

Things I Heard on the Internets About…We’re going to be speaking mainly the truth today…but we’ll also be confronting some mistruths along the wayMistruths and misconceptions will be identified with the heading“Things I Heard on the Internet About:…”For those who are not familiar with The Internets, it’s a series of tubes 

Why Is App-Compat Hard?It never used to be this hard!Backward-compatibility used to winShell Foldersp:\\products\publicCON, PRN, NULStarting with XP SP2, not anymoreCustomers demanded better securityVista was the first major desktop OS release after TWC memoStarting with Windows 7, we’re winning again…

How Do I Run an App-Compat Project?Planning, Planning, Planning!!!

Automated Analysis AssessmentACT InventoryRationalizeInitialBudgetRefine BudgetRefine BudgetstartApp Run Green?App Install Green?YesYesInstall Manual TestDetailed Automated AnalysisRuntimeManual TestUserManual TestNoNoRemediateReady to DeployendApp Compat Project Plan

Planning an App Compat ProjectTechNet MagazineJune 2009Articles by:Chris Jackson and Chris Coriohttp://technet.microsoft.com/en-us/magazine/dd799202.aspx

What Breaks in Windows 7?features

Some things that had to changeMicrosoft Agent had to goProductivity killerUsers hypnotized by agents’ anticsMore popular than YouTubeMade computers too easy to useKilled market for instructional videosThe single biggest app-compat hit, ever

Nobody uses the Agent control!Do they?Actual screenshot from a real customer engagement.No consultants were (seriously) harmed in the capture of this screenshot.

Some things that had to changeEveryone runs as “standard user”The infamous User Account ControlEven admins run as “standard user”The single biggest app-compat hit, ever

Things I Heard on the Internet About: User Account ControlUAC is…Windows asking me “Are you sure?”… over and over and over againA useless pain in the @$$Stupid, and smart people disable itEspecially smart developersUAC breaks everythingIt’s OK to say, “We recommend turning off UAC to run this software.”Wrong!

The Truth About UACThe first step toward Standard UserRequired to improve security and TCOSuite of technologies to fix stuff, not break itRunning as standard user breaks stuffThat’s why no one did it before UAC!Admin-Approval Mode enables legit admins to run as standard userAnd then perform admin actions using the same accountYour end users shouldn’t be admins to begin withAnd can’t approve elevation promptsDisabling UAC turns off IE Protected Mode

We break – we fixUAC’s file and registry “virtualization”Redirects access attempts from protected areas to non-roaming parts of user profileNot related to App-V’s “bubble”This is per-user, not per-application

Virtual memoryVirtual address spaceVirtual communitiesNT Virtual DOS Machine (NTVDM)Java Virtual Machine (JVM)MS Visual Basic Virtual Machine (MSVBVM)Virtual processors (hyperthreading)Virtual realityVirtual teamsVirtual private network (VPN)UAC file and registry virtualizationApplication virtualizationMachine virtualization (Virtual PC, Virtual Server, Hyper-V)Virtual EarthMS Enterprise Desktop Virtualization (MED-V)Virtual petsVirtual Desktop Infrastructure (VDI)virtual keyword (C++, C#)Virtual directory (IIS)Virtual device driver (VxD – obsolete!)Virtual overloadIt’s the new “.NET”!

We break – we fixUAC’s file and registry “virtualization”Redirects access attempts from protected areas to non-roaming parts of user profileTransparent to the appFixes many permissions-related issuesDoes not apply to all apps or all file typesNew in Win7: Writing to root of C:\ redirects

Things I Heard on the Internet about:Internet Explorer 8 Standards ComplianceIE8 breaks the web and makes little girls cryIf your site works on IE6, but breaks on IE8, the fix is easy – use Firefox!Wrong!

Some things that had to changeInternet Explorer 8 Standards ComplianceMeets customer demand, good for the webApp compat > 80%Compatibility View is extremely helpfulOn by default for IntranetQuirks mode also helpful, but no admin UI!Many tools available for troubleshootingFixes either super easy or require devsHardest problem: server apps for IE6 onlyE.g., Oracle, SAP MED-V a great solution

Things I Heard on the Internet About:Internet Explorer Protected ModeAlmost like running a secure browser!Like Safari!More Microsoft security theaterBreaks all my JavaBreaks all my ActiveX controlsWrong!

Some things that had to changeInternet Explorer Protected ModeIEPM has protected you from exploits…if you left UAC enabledWith IE8, off by default for Intranet zoneMay need to configure to recognize IntranetExternal sites can be added to Trusted SitesE.g., sites that require JavaOther products like the idea!Google ChromeOffice 2010

Things I Heard on the Internet About:Windows version number changedNo earthly reason for doing that!Couldn’t possibly cause any problems!Windows 7 is version 7.0, right?No, Windows 7 is version 6.1 because it’s just a minor upgrade, and therefore probably should be free so go ahead and steal itWrong!

Some things that just changedWindows version number changedThe most common bugs we findMaking it 6.1 keeps more apps working!“Version lie” shims are easy to applyAnd now easier to lie to MSIsStill don’t think it can be that common?

Check the Windows version!// This program requires WinXP or newer.// Windows XP is version 5.1// This is easy!If Not (vMajor >= 5 AND vMinor >= 1) Then{DisplayMessage(“This program requires Windows XP or newer”);LayDownAndDie;}Win7 as Windows 7.0?vMajor: 7 >= 5vMinor: 0 >= 1? Crap!Vista is Windows 6.0:vMajor: 6 >= 5vMinor: 0 >= 1? Oops!Win7 as Windows 6.1?vMajor: 6 >= 5vMinor: 1 >= 1! It works!

More things that just changedFolder locationsWe moved the profiles – again!Myth: We did this for no good reasonTruth: There was probably a good reasonAnd we changed where files need to go!Myth: No guidance about where to put stuffTruth: Well, yeah, but we’re fixing thatMyth: Everything breaks, apps actually cryTruth 1: Correctly-written apps still workTruth 2: Junctions fix many bad apps

Directory JunctionsSome support for old folder namesCan traverse, but cannot listCan directly access files through old namesCannot list contents of these junctions

More things that just changedDefault color schemeQuestion:What happens when a VB6 dev “modernizes” the dialog background using the first white color he/she finds (Active Title Bar Text)?

More things that just changedDefault color schemeOccasional mistake by VB6 devsEasy to fix (if you have the source).NET WinForms made themes easy to useOops: everyone tested only on LunaFortunately, we have FakeLunaTheme shimNote: apps that work only with one theme probably violate accessibility lawsYou WILL go to jail!Push back if developer or vendor insists on “Windows Classic” Theme

How Good are the Tools to Find Problems?tools

Things I Heard on the Internet About:Application Compatibility ToolkitIt’s all you need for app compat!It must be! Look at the name!If ACT hasn’t found all of your issues, you just haven’t run it long enoughWe compete directly with the static analysis tools venders, and it’s critical that we WIN!Wrong!

Application Compatibility ToolkitGreat at inventorySome agent data can be useful…at the right timeStandard User Analyzer makes folks happy(LUA Buglight makes engineers happy)IE Compatibility Test Tool makes some AJAX devs happySetup Analysis Tool makes very few people happyCompatibility Administrator makes people with a lot of free time happy

Automated Analysis AssessmentACT InventoryRationalizeInitialBudgetRefine BudgetRefine BudgetstartApp Run Green?App Install Green?YesYesInstall Manual TestDetailed Automated AnalysisRuntimeManual TestUserManual TestNoNoRemediateReady to DeployendACT & App Compat Project Plan

Things I Heard on the Internet About:Static AnalysisFinds and fixes 95% of all problems with all software ever made by anyone anywhere!Humans are no longer a necessary part of the processStatic analysis is expensive and not worth the money – unless it does all of the aboveWrong!

Static Analysis – RealityThese tools average 90 – 95% at telling you if the app as a whole will workFalse “green” the primary accuracy issueWill not detect every issueMore impact on setup, less on runtimeComplementary to ACTACT does inventoryACT does runtime analysisACT does no better than chance at predicting application breakage for the app as a whole

Static Analysis – The UglyCan be hard to set up and configureSetup has to follow written instructions or it doesn’t workFailure of any other component typically results in the app crashing or just vanishingNever, ever use without experienced services accompanying the toolsNOT a substitute for knowledge/training!Ensure you tune so that “Red” actually means “broken” and not “could be better in an ideal world”

Static Analysis Value PropositionCan give you the data you need to start a project with a reasonable budgetCan save millions of dollars in install testing and a percentage reduction in runtime testingRun the numbers!

Automated Analysis AssessmentACT InventoryRationalizeInitialBudgetRefine BudgetRefine BudgetstartApp Run Green?App Install Green?YesYesInstall Manual TestDetailed Automated AnalysisRuntimeManual TestUserManual TestNoNoRemediateReady to DeployendStatic Analysis & App Compat Project Plan

How Good are the Tools to Fix Problemstools

Things I Heard on the Internet About:ShimsShims are scary and unpredictableShims reduce the security of the systemShims are unsupportedShims fix everythingShims are useful only in the hands of ShimFreaksSHIMS is an acronym for …?Software Happens to Implode – Magically Solve?See How I’ve Misdirected Sneakily? Wrong!

What Are Shims?Applied to specific appsConfigured with ACT toolsDeployable to enterpriseChanges what the app thinks it seesDoes not change what app is allowed to do

What Are Shims Good For?Great for many kinds of bugs:Bad Windows version checksWriting to HKCU at runtimeUnnecessary checks for “am I admin?”Writing to WRP-protected keys and filesWindows thinks your app is an installerSome file/registry redirections

Shims – The Rest of the StorySome considerations…Not all general purpose shims have the same … “customer love” applied in their creationThe tools are … “primitive”Shims management not integrated into other management tools (e.g. Group Policy)You can do a lot with just the Top 10 shimsBut to becoming a shim ninja takes time and much practice

Things I Heard on the Internet About:Application VirtualizationIf you can’t fix it with shims, you can just use App-V and sequence it on XP!App-V fixes app-to-OS bugsYou can’t shim App-V applicationsWrong!

Application VirtualizationFormerly SoftGrid; now part of MDOPIsolates apps from one anotherDoes not isolate it from the OSSide effects (not really advertised):Apps can write anywhere in “the registry”Apps can be allowed to write to specific files in “protected” locationsApps actually write to private copiesNOTE: May not be true in future versions of App-VYes, you can shim sequenced apps

Application VirtualizationLots of goodness beyond app-compatLicensing, deploymentKey part of larger virtualization vision

Things I Heard on the Internets About:MED-VMigrate to Windows 7 todayPut all of your apps in MED-VNo need to worry about app compat!Wrong!

What is MED-V?Microsoft Enterprise Desktop VirtualizationMachine virtualization solutionApp actually runs on an XP OSUser sees only the app windowCentrally managedPart of MDOPCompelling IE6 app compat storySeamless redirection of the browser

MED-VMicrosoft Enterprise Desktop VirtualizationPlease, use it as a backstop, not as the plan of record…Requires an exit strategyHow and when to lose XP dependencyOnce a VM is deployed, it needs to be managed like any physical machineMakes a great “if all else fails” strategyv1 SP1 coming soon; v2 dates not set yetNeither v1 nor v2 requires Hardware Assisted Virtualization (HAV)MED-V v2 TAP starting soon! Email medvtap@microsoft.com if you are interested in participating!

Things I Heard on the Internet About:XP ModeIf the app fails, just run it in XP Mode!XP Mode fixes everything!As long as you maintain your Windows 7 host, XP Mode requires no maintenance or anti-malware.XP Mode will be supported as long as Windows 7.XP Mode is as safe as Windows 7.People don’t notice when their XP Mode My Documents is different than their Windows 7 My Documents!XP Mode is a silver bullet! It’s magic!Wrong!

Things I Heard on the Internet About:How To Use XP ModeWrong!

What is Windows XP Mode?Windows XP SP3 virtual machineIt is not a “mode” within Windows 7Similar to MED-V, without manageabilityLicense included with certain Windows 7 SKUsDesigned only for Small Business marketInstall apps in the XP VM; shortcuts in the All Users’ Start Menu get copied to the hostClick on shortcut in host Start menu, app appears in a window…eventually

Windows XP Mode – the GoodApp designed for XP actually runs on XPWindows 7 deployment not held hostage by one app that resists other compat solutionsWhat it’s good for:Web apps that require IE6Running 16-bit apps on x64Some types of desktop appsMicrosoft Agent

Windows XP ModeThe rest of the storyYou must have an explicit exit strategyXP is out of mainstream supportExtended support ends in 2014Resource requirementsNeed RAM, CPU to support guest VMOut of the box, requires HAV (hotfix available to support non-HAV)Management requirementsIt is a separate computerAV, patches, policies, domain not inherited from hostVM is hibernated when not running an app

Windows XP ModeMore of that storyApps can’t interact with host desktop appsE.g., app wants to send emailDoes not have MED-V’s IE6 redirectionDefault XP Mode user is adminMight conflict with enterprise policies

Things I Heard on the Internet About:Changing SecurityRunning as standard user on XP? You’re probably modifying ACLs. There’s nothing wrong with doing that foreverSecurity settings that break stuff can’t be turned offIf I have given the Users group SeBackup, SeRestore, and SeLoadDriver, oh, and write access to Program Files, it’s OK, because they’re standard usersWrong!

Changing SecurityOnly if other options don’t workLoosen file or registry permissionsAllow interactive user to start/stop a particular service or driverDisable an IE security feature (e.g. DEP)Must be done surgicallyLeast amount of additional privilege on the smallest number of objects

Changing SecurityBenefits:Results often more predictable than with shimsDrawbacks:Risk of elevation of privilegeRisk of system instabilityRequires threat modeling – hard to do right

Changing SecurityHow some did “standard user” on XP…ACL loosening scriptsMost “required fixes” are now automaticInstalling apps to writable foldersExposes EoP and infection risksGranting admin-equivalent rights(What could possibly go wrong?) We can help

App doesn’t work – now what?What are those geeks doing?Make sure they don’t debug what they don’t plan to fix (support required)Layer debugging and remediationTier 1: get the repro, run scripted tests of common solutionsTier 2: leverage tools, configure basic fixesTier 3: deep debugging, complex remediation (typically just a few per customer)Important: efficient handoff between IT Pros and Developers

What can you do?Turn UAC back onNo, really, turn UAC back onSTOP building Microsoft Agent applications!!!Come on, you just turned UAC back off – I saw that!

What can you do?Don’t seek silver bulletsMake sure you’re not writing apps today which will become incompatibleStart thinking about the problem todayGet your developers running your future platform early

Additional ResourcesApplication compatibility portal: http://technet.com/appcompatFind whether apps/hardware are compatible:http://www.microsoft.com/windows/compatibility

Application compatibility final

More Related Content

What's hot (20)

Viewers also liked (15)

Similar to Application compatibility final (20)

More from Harold Wong (20)

Recently uploaded (20)

Application compatibility final