Windows 7 Application Compatibility – Part 2
In the first part of this series, I covered the internals of Windows in-built application compatibility. Version checks and folder location differences are the most common types of problem you are likely to encounter, but the full list of major changes in Windows 7 (or Vista for that matter) compared to Windows XP is the five things covered below:
Operating System and Browser Version Checks
Many applications check the version of the OS and behave differently or fail to run when an unexpected version number is detected. This issue can be resolved by setting appropriate compatibility modes or applying version lie shims.
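How such checks break in practice, as an added example (not code from the original post): two fragile comparison patterns next to an ordered comparison, run against the version numbers reported by Windows XP (5.1), Windows Vista (6.0) and Windows 7 (6.1). The function names and the 5.1 minimum are assumptions chosen for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Version numbers the OS reports: XP = 5.1, Vista = 6.0, Windows 7 = 6.1.
 * All names below and the 5.1 minimum are illustrative assumptions. */
struct os_version { unsigned major, minor; const char *name; };

static const struct os_version KNOWN[] = {
    { 5, 1, "Windows XP" }, { 6, 0, "Windows Vista" }, { 6, 1, "Windows 7" },
};
#define N_KNOWN (sizeof KNOWN / sizeof KNOWN[0])

/* Fragile pattern 1: exact match, so every later release is "unexpected". */
static bool check_exact_xp(struct os_version v) {
    return v.major == 5 && v.minor == 1;
}

/* Fragile pattern 2: fields compared independently. 6.0 fails (minor 0 < 1)
 * even though it is newer than 5.1, while 6.1 happens to pass. */
static bool check_fieldwise(struct os_version v) {
    return v.major >= 5 && v.minor >= 1;
}

/* Robust form: compare (major, minor) as an ordered pair against a minimum. */
static bool at_least(struct os_version v, unsigned major, unsigned minor) {
    return v.major > major || (v.major == major && v.minor >= minor);
}
static bool check_min_xp(struct os_version v) { return at_least(v, 5, 1); }

typedef bool (*check_fn)(struct os_version);

/* Bit i is set when KNOWN[i] is rejected by the given check. */
static unsigned rejected_mask(check_fn check) {
    unsigned mask = 0;
    for (size_t i = 0; i < N_KNOWN; i++)
        if (!check(KNOWN[i])) mask |= 1u << i;
    return mask;
}

int main(void) {
    const struct { const char *label; check_fn fn; } checks[] = {
        { "exact == 5.1", check_exact_xp },
        { "fieldwise >= 5.1", check_fieldwise },
        { "ordered >= 5.1", check_min_xp },
    };
    for (size_t c = 0; c < sizeof checks / sizeof checks[0]; c++)
        for (size_t i = 0; i < N_KNOWN; i++)
            printf("%-18s %-14s %s\n", checks[c].label, KNOWN[i].name,
                   checks[c].fn(KNOWN[i]) ? "runs" : "refuses to run");
    return 0;
}
```

An application using the first pattern needs a version lie to run on anything newer than XP; one using the second runs on Windows 7 but not on Vista, which is why testing on a single newer OS can hide the defect.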
User folders, "My Documents" folders and localized folders changed with the move to Windows Vista, and again with File Libraries in Windows 7. Applications with hard-coded paths may fail. This can be mitigated using directory junctions or by replacing hard-coded paths with appropriate API calls to get folder locations.
Session 0 Isolation
Running services and user applications together in Session 0 poses a security risk because services run at elevated privilege and therefore are targets for malicious agents looking for a means to elevate their own privilege level. In earlier versions of the Windows OS, services and applications run in the same session as the first user who logs on to the console (Session 0). To help protect against malicious agents, in Windows 7, Session 0 has been isolated from other sessions. This could impact services which communicate with applications using standard in-built message services.
Windows Resource Protection
WRP is designed to protect the system in a read-only state to increase system stability, predictability and reliability. This will affect specific files, folders, and registry keys. Updates to protected resources are restricted to the OS trusted installers (e.g. Windows Servicing). This helps to protect components and apps that ship with the OS from any impact of other apps and administrators. This can be an issue for custom installations not detected as setup by Windows 7 when they try to replace WRP files/registry and check for specific versions/values.
Internet Explorer Protected Mode (IEPM)
In Windows 7 and Windows Vista, Microsoft IE8 processes run in IEPM with greatly restricted privileges to help protect users from attack. IEPM significantly reduces the ability of an attack to write, alter, or destroy data on the user's machine, or to install malicious code. This could impact ActiveX controls and other script code which try to modify higher integrity level objects.
User Account Control (UAC)
In Windows 7 and Windows Vista, all interactive users, including members of the administrators group, run as standard users. UAC is the mechanism through which users can elevate applications to full administrator privileges. Because of UAC, applications that require administrator rights or check for administrator privileges behave differently in Windows 7 and Windows Vista, even when run by a user who is an administrator.
Testing for Application Problems
The Setup Analysis Tool (SAT) automates the running of application installations while monitoring the actions taken by each application’s installer. The standalone version of SAT can monitor any Windows installers and third-party installers. The SAT detects the following potential issues:
- Installation of kernel mode drivers
- Installation of 16-bit components
- Installation of Graphical Identification and Authentication (GINA) DLLs
- Modification of files or registry keys that exist under Windows® Resource Protection
Standalone SAT (also known as SAT Guest) is the version of the SAT that runs locally for analyzing application installation issues. This version is recommended for monitoring a single application setup using a test, standard Windows XP computer (it has to be XP as the application installation may not work on Windows 7 full stop, so it needs to be tested down-level). The user interface is shown in the screen-shots below:
SAT runs as a wrapper to the installation or setup program (.exe or .msi) and records and logs everything that happens during the installation to report on where the installation would “break the rules” if it was installed under Windows 7.
The SAT tool is that straightforward. The application issues it detects can usually be fixed through updated versions, standard “shims” or occasional re-packaging. The “real biggie” is UAC and that’s why I’ve left that to last to cover in the next posting in this series.