4/21/2017 10:35 AM.


2 Windows Vista Application Compatibility 101
Heinrich Gantenbein, Senior Consultant, Application Experience SWAT

3 Session Objectives
- You will gain knowledge about known Windows Vista application compatibility issues
- You will learn best practices for troubleshooting some of the more common known Windows Vista application compatibility issues

4 What We Will Cover Today
- Program Compatibility Assistant
- AppHelp Messages
- In-depth look at the most common issues:
  - OS Version
  - User Account Control (UAC)
  - Windows Resource Protection (WRP)
  - Internet Explorer Protected Mode
- A brief look at some less common issues

5 Program Compatibility Assistant
- Install Failures
- Application Failures
- Excluding Applications

6 Program Compatibility Assistant
- Program Compatibility Assistant (PCA) is a new, client-only feature
- PCA automatically detects and mitigates some known application compatibility issues
- If PCA detects a compatibility issue in a program, it:
  - Notifies the user
  - Offers to apply solutions that could resolve the issue

7 PCA: Detecting Install Failure
- Monitors a program detected as an installer by Windows Vista and checks whether the program registers an entry in Add or Remove Programs (ARP)
- If no entries are created in ARP, PCA concludes that setup did not complete successfully

8 PCA: Detecting Install Failure (cont.)
- PCA relies on the User Account Control (UAC) feature in Windows Vista to know whether a program is an installer
- UAC includes detection for installers and makes sure the detected setup programs run elevated (as administrator)
- This includes getting administrative credentials or confirmation from the user before launching the program

9 PCA: Install Failure Typical Error Message

10 PCA: Install Failure (cont.)
- PCA will detect this failure scenario and display a user interface similar to this.

11 PCA: Install Failure Actions
- 'Reinstall using recommended settings': applies the Windows XP compatibility mode and restarts the program.
- 'The program installed correctly': in some cases, PCA might come up for a setup program that completed correctly but did not create an entry in ARP. In those cases, users can use this option.
- 'Cancel': PCA will do nothing.

12 PCA: Install Failure Fix Under the Hood
- The compatibility mode is applied to the program by setting a registry entry under 'HKLM\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers' with name = 'full path of the exe' and string value = 'WINXPSP2', indicating the compatibility mode
- The fix is effective for all users (due to HKLM)

13 PCA: Detecting Application Failure
- Problem scenario: child process launch fails due to the requirement to run elevated
- Detection mechanism: CreateProcess API instrumentation
- Solution: applies the ElevateCreateProcess compatibility fix automatically, due to high confidence in the issue detection

14 Detecting Application Failure (cont.)

15 PCA: Application Failure Fix Under the Hood
- The compatibility mode is applied to the program by setting a registry entry under 'HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers' with name = 'full path of the exe' and string value = 'ElevateCreateProcess', indicating the compatibility mode
- The fix is effective only for the current user (due to HKCU)

16 Excluding Programs from PCA
- PCA is intended to detect issues with programs designed for previous versions of Windows.
- To exclude a program from PCA, include an application manifest with a run level (either admin or as limited user) marking for UAC.
- This applies to both installer and regular programs.

17 Excluding Programs from PCA (cont.)
- A group policy setting is provided to disable PCA for all programs if required. The name of the policy is 'Turn Off Program Compatibility Assistant' and it can be found under 'Administrative Templates -> Windows Components -> Application Compatibility' in the group policy editor (gpedit.msc).
- Useful to keep tests from succeeding by accident during application development

18 Application Help Messages

19 Application Help Messages
- The system contains a list of programs known to have compatibility issues. The list is stored in the system application database.
- The messages are known as Application Help (AppHelp) messages.
- Messages must be approved by the ISV to be included.

20 AppHelp: Hard Block
- If the program is known to be incompatible, and allowing it to run may result in severe impact to the system (for example, a stop error or being unable to boot after the install), the following blocking message is displayed.

21 AppHelp: Soft Block
- This type of warning message is used for programs that have known compatibility issues but whose impact on the system is not severe.

22 AppHelp: Check for Solutions
- Typically the response will be one of three types:
  - Pointing the user to an update from the software vendor for that program
  - Pointing the user to a software vendor website for more information
  - Pointing the user to a Microsoft Knowledge Base article for more information

23 Common Issues
- OS Version
- User Account Control
- Windows Resource Protection
- Internet Explorer Protected Mode

24 Common Issues

25 Operating System Version
- The internal version number for Windows Vista is 6.0. The GetVersion function returns this version number.
- Symptoms:
  - Applications that check for the OS version will get a higher version number than they expect
  - Application installers may prevent themselves from installing the app, and apps may prevent themselves from starting
  - Applications may warn users and continue to function properly

26 OS Version: Mitigation
- For apps and installers that check for the OS version, a compatibility mode is provided in Windows Vista. Users can right-click the shortcut or the EXE and apply the Windows XP SP2 compatibility mode from the Compatibility tab. This applies multiple shims, including "WinXPSP2VersionLie".
- Better: apply only the shim "WinXPSP2VersionLie"
- In many cases, the application will work the same way it did in Windows XP and there is no need for changes to the application.

27 Version Problem and Mitigation

28 Demo: Versioning
- Double-click "AppCompatDemo.exe"
- Select the test "Version tested unnecessarily"
- Click Execute

29 Demo: Versioning (cont.)
- Right-click "AppCompatDemo.exe"
- Select "Properties"
- Select the Compatibility tab
- Select "Run this program in compatibility mode for" and "Windows XP (Service Pack 2)"

30 Demo: Versioning (cont.)
- Double-click "AppCompatDemo.exe"
- Select the test "Version tested unnecessarily"
- Click Execute

31 OS Version: Fixes
- Applications should not perform version checks for equality (== 5.1)
- If you need a specific feature, check whether the feature is available
- If you need Windows XP, check for Windows XP or later (>= 5.1)
- Exceptions occur when there is a very specific business or legal need to do a version check, such as a regulatory body requiring you to certify your application for each operating system and version
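The check patterns this slide contrasts, as an added example that is not from the presentation: the equality check and a common "looks like >= 5.1" mistake both reject Vista's 6.0, while a major-then-minor comparison accepts it. The version numbers are passed in as plain integers so the logic runs anywhere; on Windows they would come from GetVersion, which the slide names but does not show.

```c
#include <stdbool.h>
#include <stdio.h>

/* Added example (not from the presentation). Major.minor pairs are the ones
 * given on the slides: Windows XP = 5.1, Windows Vista = 6.0. */

/* Anti-pattern 1: equality check ("== 5.1"). Rejects every OS newer than XP. */
bool xp_required_equality(unsigned major, unsigned minor)
{
    return major == 5 && minor == 1;
}

/* Anti-pattern 2: comparing major and minor independently. Reads like a
 * ">= 5.1" check but rejects 6.0 because its minor (0) is below 1. */
bool xp_required_independent(unsigned major, unsigned minor)
{
    return major >= 5 && minor >= 1;
}

/* Correct ">= req" check: the major decides, the minor only breaks a tie. */
bool at_least(unsigned major, unsigned minor, unsigned req_major, unsigned req_minor)
{
    if (major != req_major)
        return major > req_major;
    return minor >= req_minor;
}

/* "Windows XP or later", as the slide recommends. */
bool xp_or_later(unsigned major, unsigned minor)
{
    return at_least(major, minor, 5, 1);
}

int main(void)
{
    /* Constructed table of versions to compare the three checks side by side. */
    struct { const char *name; unsigned major, minor; } os[] = {
        { "Windows 2000",  5, 0 },
        { "Windows XP",    5, 1 },
        { "Windows Vista", 6, 0 },
    };
    for (size_t i = 0; i < sizeof os / sizeof os[0]; i++) {
        printf("%-14s ==5.1: %d  major>=5&&minor>=1: %d  >=5.1: %d\n",
               os[i].name,
               xp_required_equality(os[i].major, os[i].minor),
               xp_required_independent(os[i].major, os[i].minor),
               xp_or_later(os[i].major, os[i].minor));
    }
    return 0;
}
```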

32 Common Issues

33 Why: User Account Control
- The OS is at risk from malware when the user is running as Administrator:
  - Ease with which malware can self-install
  - Privilege elevation through security holes in software
  - Extent of damage caused by malware is potentially greater
  - Accidental damage caused by the user

34 How: User Account Control
- With Windows Vista, all users run as Standard User by default, including members of the Administrators group
  - Only true for interactive logons; services continue to run as before in Windows XP
- Two tokens are created at logon (split token)
  - Standard User token
    - Administrator SID set as Deny Only (can still be used to deny access, but not to grant)
    - Runs at medium integrity level (IL)
    - Most privileges removed (e.g. SeDebugPrivilege)
  - Administrator token
    - Administrator SID has all rights assigned
    - Runs at high integrity level (IL)
    - All privileges are present

35 How: User Account Control (cont.)
- The Standard User token is used until explicit consent is given; then the Administrator token is used (Consent UI)
- Supporting feature: unnecessary Administrator checks (in XP) have been removed
  - Example: changing the time zone

36 UAC Split Token

37 Demo: UAC Split Token
- Double-click "AppCompatDemo.exe"
- Select "Administrator Test"
- Click "Execute"

38 Demo: UAC Split Token (cont.)
- Right-click the shortcut "AppCompatDemo.exe" and select "Run as administrator"
- Note: this prompt is your consent to run at the elevated level. If you are not an administrator, you would be given the chance to enter administrator credentials.

39 Demo: UAC Split Token (cont.)
- Select the test "Administrator Test"
- Click "Execute"

40 UAC: Automatic Mitigations
- PCA automates mitigation of some UAC compatibility issues
- UAC detects installers and automatically elevates them to admin status
  - Heuristics such as the string "Setup" in:
    - Name
    - Resource strings
  - Application compatibility shims in the system database

41 UAC: Automatic Mitigations (cont.)
- Virtualization
  - Redirects privileged file access to C:\Users\%username%\AppData\Local\VirtualStore for:
    - C:\Program Files
    - C:\ProgramData
    - C:\Windows
  - Redirects registry access from HKLM to HKCU\Software\Classes\VirtualStore\MACHINE

42 UAC: Automatic Mitigations (cont.)
- Virtualization (cont.)
  - Redirection is "sticky"
  - Deleting all virtual copies removes the "stickiness"
  - Elevated processes are not affected
  - Executables with a manifest do not participate
  - Side effect: multiple virtualized copies (one per user and one for all elevated processes)

43 Redirection of Privileged File Access

44 Demo: Redirection of Privileged File Access
- Create the directory C:\Program Files\AppCompatDemo
- Double-click "AppCompatDemo.exe"
- Select the test "UAC: file access to C:\Program Files\AppCompatDemo\UacTest.exe"
- Click "Execute"

45 Demo: Redirection of Privileged File Access (cont.)
- Open Explorer and browse to "C:\Program Files\AppCompatDemo"; the file does not exist.

46 Demo: Redirection of Privileged File Access (cont.)
- Browse to "C:\Users\%username%\AppData\Local\VirtualStore\Program Files\AppCompatDemo"; the file is here.

47 Demo: Redirection of Privileged File Access - Part 2
- Start the application again by right-clicking it and selecting "Run as administrator"
- Select the test "UAC: file access to C:\Program Files\AppCompatDemo\UacTest.exe"
- Click Execute

48 Demo: Redirection of Privileged File Access - Part 2 (cont.)
- Open a new Explorer window and browse to "C:\Program Files\AppCompatDemo"; the file exists. Think about why this might occur.

49 UAC: Generic Symptoms
- Explicit access-rights error message
- Event Log contains security or application messages indicating security problems
- Application crashes or fails to install
- Application fails to update through its automatic updater
- Application fails to remember saved settings
- Symptoms vary widely and are difficult to diagnose

50 Investigation Steps and Tools
Determine whether application was designed to run as administrator Run as administrator – does it work? Check redirection locations C:\Users\%username%\AppData\Local\VirtualStore HKCU\Software\Classes\VirtualStore\MACHINE Event Log Regmon for failed registry access Filemon for failed file access
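A helper for the "check the redirection locations" step above, written as an added example (not part of the presentation or of the demo application): it applies the redirection rules from the "UAC: Automatic Mitigations" slides to a file path or registry key and reports where the virtualized copy would be, or that the write is not virtualized at all. The %username% placeholder is kept as it appears on the slides rather than expanded.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not from the presentation. Roots are the three listed on the
 * slides; matching is case-insensitive because Windows paths and key names are. */

#define VIRTUAL_STORE_FILES    "C:\\Users\\%username%\\AppData\\Local\\VirtualStore\\"
#define VIRTUAL_STORE_REGISTRY "HKCU\\Software\\Classes\\VirtualStore\\MACHINE\\"

/* Case-insensitive prefix test; stops safely if s is shorter than prefix. */
static bool has_prefix_ci(const char *s, const char *prefix)
{
    for (; *prefix != '\0'; s++, prefix++) {
        if (tolower((unsigned char)*s) != tolower((unsigned char)*prefix))
            return false;
    }
    return true;
}

/* Returns the VirtualStore location of a redirected file write, or NULL when
 * the path lies outside the virtualized roots (such as C:\UACTest.txt in the
 * "Failure to Run Elevated" demo, where the write simply fails).
 * The result lives in a static buffer: copy it before the next call. */
const char *virtualized_file_path(const char *path)
{
    static const char *roots[] = { "C:\\Program Files\\", "C:\\ProgramData\\", "C:\\Windows\\" };
    static char out[1024];
    for (size_t i = 0; i < sizeof roots / sizeof roots[0]; i++) {
        if (has_prefix_ci(path, roots[i])) {
            /* Drop the "C:\" drive prefix and re-root the remainder under VirtualStore. */
            snprintf(out, sizeof out, "%s%s", VIRTUAL_STORE_FILES, path + 3);
            return out;
        }
    }
    return NULL;
}

/* Same rule for the registry: HKLM\<subkey> -> HKCU\...\VirtualStore\MACHINE\<subkey>.
 * Keys under other hives (HKCU, HKCR) are not redirected. */
const char *virtualized_registry_key(const char *key)
{
    static char out[1024];
    if (!has_prefix_ci(key, "HKLM\\"))
        return NULL;
    snprintf(out, sizeof out, "%s%s", VIRTUAL_STORE_REGISTRY, key + 5);
    return out;
}

int main(void)
{
    /* Constructed inputs, taken from the paths used in the demo slides. */
    const char *files[] = { "C:\\Program Files\\AppCompatDemo\\UacTest.exe", "C:\\UACTest.txt" };
    const char *keys[]  = { "HKLM\\Software\\AppCompatDemo", "HKCU\\Software\\AppCompatDemo" };
    for (size_t i = 0; i < 2; i++) {
        const char *v = virtualized_file_path(files[i]);
        printf("%s -> %s\n", files[i], v ? v : "(not virtualized)");
    }
    for (size_t i = 0; i < 2; i++) {
        const char *v = virtualized_registry_key(keys[i]);
        printf("%s -> %s\n", keys[i], v ? v : "(not virtualized)");
    }
    return 0;
}
```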

51 Investigation Steps and Tools (cont.)
- Application Compatibility specific tools
  - Enterprises: UAC Compatibility Evaluator in ACT 5.0
  - Standard User Analyzer (SUA)
  - LUA Buglight
- Debuggers (if all else fails)
  - Visual Studio
  - Debugging Tools for Windows (e.g. WinDbg)

52 Failure to Work -> Run Elevated

53 Demo: Failure to Run Elevated
- Switch to the demo app
- Select "UAC: file access to C:\UACTest.txt"
- Click Execute. It fails (no redirection)
- Click OK
- Quit the application

54 Demo: Failure to Run Elevated (cont.)
- Start the application elevated
- Select "UAC: file access to C:\UacTest.txt"
- Click Execute. It succeeds

55 Event Log

56 Demo: Event Log
- Open Event Viewer
- Expand Windows Logs
- Select the first entry
- Find and double-click the entry from the latest failed UAC test. This should be the last entry

57 Demo: Event Log (cont.)
- Show the Details tab

58 Demo: Event Log (cont.)
- Scroll down and find the UAC Demo failure text data
- Switch to friendly view

59 Regmon and Filemon

60 Demo: Regmon and Filemon

61 Demo: Regmon and Filemon

62 UAC: Mitigation
- Right-click the executable -> select Run as administrator (elevated)
- Set Properties -> Compatibility tab -> Run as administrator
- Use an application manifest to specify the desired run level
  - All applications should have one
  - Removes application compatibility overhead (shims, PCA, virtualization) at run time
  - Internal manifest (compiled into the application)
  - External manifest (added as a separate file)

63 Properties Compatibility Tab

64 Demo: Properties Compatibility Tab
- Open Properties for an executable
- Select the Compatibility tab and discuss its content

65 UAC Manifest File
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity type="Win32" processorArchitecture="*" version=" " name="AppCompatDemo.exe"/>
  <description>Vista Application Compatibility Class Demo</description>
  <ms_asmv2:trustInfo xmlns:ms_asmv2="urn:schemas-microsoft-com:asm.v2">
    <ms_asmv2:security>
      <ms_asmv2:requestedPrivileges>
        <ms_asmv2:requestedExecutionLevel level="highestAvailable" uiAccess="false"/>
      </ms_asmv2:requestedPrivileges>
    </ms_asmv2:security>
  </ms_asmv2:trustInfo>
</assembly>

66 Possible Execution Levels
- requireAdministrator: the application runs only for administrators and requires that the application be launched with the full token of an administrator
- asInvoker: the application runs with the same token as the parent process
- highestAvailable: the application runs with the highest privileges the current user can obtain

67 UAC External Manifest
- Create a manifest file named <app_name>.exe.manifest and put it in the same directory as the EXE
- Ignored if the application has an internal manifest
- Many applications have an internal manifest

68 UAC External Manifest

69 Demo: External Manifest
- Run "AppCompatDemo.exe". It does not run elevated
- Rename the file "AppCompatDemo.exe.manifestIgnored" to "AppCompatDemo.exe.manifest"
- Edit "AppCompatDemo.exe.manifest" with Notepad and show its content; talk about requestedExecutionLevel
- Run "AppCompatDemo.exe". It does run elevated

70 UAC Internal Manifest
- Build the manifest into the application binary
- Disables PCA, shims and virtualization
- Preferred method for all new applications
- To learn more, check the following resources:

71 UAC: Installer Fails (1)
- Symptoms
  - No UAC prompt
  - Failure of the installer
- Cause
  - Installer not detected due to a non-standard name and therefore not elevated
- Fixes
  - Rename to setup.exe
  - Mark the executable to run elevated

72 Rename Custom Installer

73 Demo: Rename Custom Installer
- Start the badly named setup application "AppCompatBitDepositor.exe". Click Quit.

74 Demo: Rename Custom Installer (cont.)
- Rename "AppCompatBitDepositor.exe" to "Setup.exe"
- Start "Setup.exe" -> auto-detected as an installer that needs to run elevated
- Click "Allow" in the elevation prompt
- Click OK
- Click Close

75 UAC: Installer Fails (2)
- Symptom
  - MSI with a delayed custom action runs elevated but fails
- Cause
  - MSI contains a delayed custom action (ActionType=1025)
- Fixes
  - Redesign to use a non-delayed custom action (ActionType=3073)
  - Edit the MSI to change ActionType to 3073
  - Run from an elevated command prompt

76 Change Action Type in MSI Using ORCA

77 Demo: Changing Action Type in MSI Using ORCA
- Start -> All Programs -> ORCA
- Click Allow on the UAC Consent UI
- Select File -> Open

78 Demo: Changing Action Type in MSI Using ORCA (cont.)
- Navigate to Communicator3073.msi
- Click Open
- Select CustomAction in the Tables pane
- Find the offending 3073 action type. Double-click the number
- Select File -> Save As
- Type a new file name. Done

79 Demo: Changing Action Type in MSI Using ORCA (cont.)
- Replace with the correct type 1025

80 UAC: Installer Fails (3)
- Symptom
  - Self-extracting EXE or custom wrapper runs elevated and executes a script, but the script fails
- Cause
  - The UAC prompt occurs on the self-extracting EXE or custom wrapper, but elevated privileges are not transferred to the script
- Fixes
  - Redesign to use MSI
  - Run from an elevated command prompt

81 UAC: Integrated Updater Fails
- Symptoms
  - Update fails when an application with an integrated updater tries to update itself
  - Various manifestations: silent, error message, crash, etc.
- Cause
  - Application not running elevated
  - Application not designed to prompt for elevation
- Fixes
  - Redesign by separating the privileged functions
    - Separate EXE
    - Use the shield icon when redesigning
  - Use alternate deployment technologies
    - ClickOnce
    - MSI patching
  - Run the application elevated (not recommended)

82 Setting up a Security Shield
- Send the BCM_SETSHIELD message to a button control, using SendMessage
  - Fails for owner-drawn buttons: get the icon and render it in the owner-draw handler
    HICON shieldIcon = LoadIcon(NULL, IDI_SHIELD);
- Unmanaged code (C++): the SendMessage call can be invoked more easily using the Button_SetElevationRequiredState macro
- Managed code (C#, VB.NET): use P/Invoke

83 Proper Design for Elevation UI

84 Demo: Proper Design for Elevation UI
- Start "Task Manager"
- Click the "Processes" tab
- Show the "Show processes from all users" button and its shield icon
- Click the "Show processes from all users" button
- Click Continue on the elevation prompt
- Tell the audience about the closing of the standard Task Manager and the opening of an elevated one

85 UAC: Separate Updater Fails
- Symptoms
  - Update fails when an application with a separate updater tries to update itself
  - Various manifestations: silent, error message, crash, etc.
- Causes
  - Separate updater not detected and therefore not elevated by PCA
- Fixes
  - Mark the updater to run elevated
  - Use alternate deployment technologies
    - ClickOnce
    - MSI patching

86 UAC: Application Fails (1)
- Symptoms
  - Many, from minor feature misbehavior to spectacular crash
- Cause
  - Application attempts to execute a privileged operation; access is denied because it is not running elevated
- Mitigations and Fixes
  - Redesign to work with least-privileged resources
  - Eliminate the need for privilege completely (least privilege)
  - Separate administrative functions from regular operations

87 UAC: Application Fails (1) (cont.)
- Mitigations and Fixes (cont.)
  - Apply a redirection shim (e.g. RedirectFiles, RedirectRegistry)
  - Change the ACL for selected files and registry keys
    - Deployment-time mitigation using scripting or group policy
    - Warning: perform a full security review first
  - Mark the application to run elevated
    - Good solution if the application has only administrative tasks (e.g. Event Viewer)
    - Bad solution if mixed usage

88 ACL Relaxing

89 Demo: ACL Relaxing
- Create the directory "C:\Program Files\AppCompatDemoAcl"
- Right-click it and select "Properties"
- Select the "Security" tab
- Select Edit
- Click Continue
- Select "Users (<machinename>\Users)"
- Check "Modify"
- Click OK twice

90 Demo: ACL Relaxing (cont.)
- Start "AppCompatDemo.exe"
- Select "UAC: file access to C:\Program Files\AppCompatDemoAcl\UacTest.txt"

91 Demo: ACL Relaxing (cont.)
- Click Execute. Click OK.
- Open Explorer and browse to "C:\Program Files\AppCompatDemoAcl". Here is the file (not redirected).

92 ACL Relaxing Script
- Enterprises will use a script to relax ACLs
  - Warning: perform a full security review first
  - Deploy with standard enterprise deployment
- XCACLS script helper
  - XCACLS <dirname> /G <domain>\<username>:M
  - Package in a .cmd file
  - Download and documents

93 Common Issues

94 Why: Windows Resource Protection
- Core operating system files and registry keys can be overwritten with older versions or malicious code, causing serious stability and security issues.
- Windows Resource Protection (WRP) is designed to protect those objects from being overwritten.
- Increases system stability, predictability, and reliability

95 How: Windows Resource Protection
- Updates to protected resources are restricted to the OS trusted installers, such as Windows Update
- Affects specific files, folders, and registry keys:
  - The majority of core OS modules (EXE and DLL)
  - The majority of core OS HKCR registry keys
  - Folders used exclusively by OS resources (e.g. some of the inetpub folders)

96 WRP: Application Fails
- Symptoms
  - Application does not install or fails to work properly
  - Similar to those of UAC issues, but UAC mitigation does not work
  - Generally only affects installers
- Cause
  - Application tries to modify or delete a protected resource

97 WRP: Mitigations and Fixes
- Automatic mitigation
  - Access Denied return codes are suppressed if the application is detected as a legacy installer (no manifest)
- Manual mitigation
  - Apply the shim "WRPMitigation"
  - Rename the custom installer to setup.exe to trigger the automatic mitigation
- Fixes
  - Use Microsoft-provided redistributable packages designed specifically for Windows Vista. Never redistribute system files.
  - Redesign apps that use protected system resources.

98 WRP in Action

99 Demo: WRP in Action
- "Run as administrator" "AppCompatDemo.exe"
- Select "WRP: overwrite file C:\Windows\System32\append.exe"
- Click Execute; the operation fails despite running as administrator. This is WRP in action.

100 Demo: WRP in Action (cont.)
- Rename the resulting duplicate to "Setup.exe"
- Start "Setup.exe"
- Select "WRP: overwrite file C:\Windows\System32\append.exe"
- Click Execute; the operation succeeds. This is WRP mitigation in action.

101 Demo: WRP in Action (cont.)
- Browse to the file and notice that its date and timestamp, or its size, have not changed

102 Common Issues

103 Why: IE7 Protected Mode
- Helps protect users from attack by running the IE process with greatly restricted privileges
- Significantly reduces the ability of an attack to write, alter, or destroy data on the user's machine or to install malicious code
- Helps protect a user from malicious code installing itself without authorization

104 How: IE7 Protected Mode
- In Windows Vista, Microsoft Internet Explorer 7 runs in Protected Mode (IEPM) for non-trusted sites (installation default)
- IE runs as separate process instances for different protection modes
  - Prevents buffer overflow exploits from affecting higher-trust-level sites
  - Required by IEPM's underlying mechanisms: Mandatory Integrity Control (MIC) and User Interface Process Isolation (UIPI)

105 How: IE7 Protected Mode (cont.)
- Integrity Levels (IL) for IE7
  - IEPM: Low integrity level
  - Unprotected: Medium integrity level
- Low-integrity processes (such as IEPM) can only write to folders, files, and registry keys that have been assigned a low-integrity mandatory label:
  - Temporary Internet Files folder
  - History folder
  - Cookies folder
  - Favorites folder
  - Windows Temporary Files folders

106 Integrity Levels Explained
- Windows Vista implements Mandatory Integrity Control (MIC). Processes run at one of four integrity levels:
  - System processes run at System IL
  - Applications that require administrative privileges run at High IL
  - Standard applications run at Medium IL
  - Restricted apps run at Low IL

107 Integrity Levels Explained (cont.)
- Securable objects (files, processes, window stations, message queues) define the minimum IL for a process to access them
  - Low IL: all processes can access this object
  - Medium IL: only medium IL and higher processes can access this object
  - High IL: only high and system IL processes can access this object
  - System IL: only system IL processes can access this object
  - Default IL: objects that do not specify an IL default to Medium IL

108 UI Process Isolation (UIPI)
- UIPI uses MIC's integrity levels to restrict sending window messages
- Applications cannot send messages to other applications running at a higher integrity level
- Where the compatibility impact is high, lower-IL applications can be manifested to opt out of UIPI (this setting should only be used for UI accessibility applications)

109 UIPI In Action
- High IL: Administrator
- Medium IL: Standard User
- Low IL: IE7 PM

110 IE7 PM: Symptoms
- Attempts by ActiveX controls to modify medium and higher IL objects fail (e.g. writing to the user's Documents folder)
- ActiveX controls fail to install

111 IE7 PM: Automatic Mitigation
- Redirects access to medium-integrity files, such as the Documents folder, to %userprofile%\Local Settings\Temporary Internet Files\Virtualized
- Redirects access to the HKCU registry hive to HKCU\Software\Microsoft\Internet Explorer\InternetRegistry

112 IE7 PM: Automatic Mitigation (cont.)
- Two higher-privilege broker processes allow Internet Explorer and extensions to perform elevated operations
  - The user privilege broker (ieuser.exe) process provides a set of functions that let the user save files to areas outside of the low-integrity areas
  - The administrator privilege broker (ieinstal.exe) process allows Internet Explorer to install ActiveX controls

113 IE Compatibility Architecture
(Diagram) Internet Explorer 7 in Protected Mode (Low IL) sits on a compatibility layer that provides virtualized files and registry keys (low rights). Operations that require user rights go through ieuser.exe, the user broker (Medium IL); operations that require administrative rights go through ieinstal.exe, the admin broker (High IL). The integrity mechanism separates the levels.

114 IE7 PM: Manual Mitigation
- Add the site to Trusted Sites. Protected Mode is not enabled for trusted sites
- Use the new ActiveX Installer Service (AXIS) for enterprise deployments

115 Motivation for the ActiveX Installer Service
- ActiveX controls are installed on a per-machine basis and require Admin privileges for installation
- This creates a challenge to deploying ActiveX controls across an enterprise running Standard User desktops
- The ActiveX Installer Service (AXIS) is a new solution to address this issue

116 AXIS: How It Works
- IE7 parses a page that requires an ActiveX control.
- If the user is a Standard User, the ActiveX Installer Service is called.
- The ActiveX Installer Service performs a lookup in the Allowed Installation Sites list deployed via Group Policy.
- If the Host URL is within policy, the control is downloaded by the service.
- If the control meets the signing criteria, it is installed as the LocalSystem account.

117 AXIS: Enabling the Service
- The ActiveX Installer Service is an optional component that must be enabled
  - Deploy through SMS
  - Run cmd.exe as Administrator, then run this command: ocsetup.exe AxInstallService
  - Control Panel -> Programs -> Turn Windows features on or off

118 AXIS: Configuring the Policy
- Policy is configured using an Administrative Template in Group Policy
- Run gpedit.msc
- Navigate to Computer Settings -> Administrative Templates -> Windows Components -> ActiveX Installer Service
- Enter the Host URL and the policy...

119 AXIS: Configuring the Policy (cont.)
- The policy consists of the Host URL and the install policy settings
- Host URL
  - Must specify the protocol: http or https (preferred)
  - Example:
- Install policy consists of 4 comma-separated values:
  1. Trusted signature behavior: 1 is the best value
  2. Signed controls behavior: 1 is the best value
  3. Unsigned controls behavior: 1 is the best value
  4. HTTPS connection flags: 0 is the best value

120 AXIS: Host URL Install Policy Values
AXIS: Host URL Install Policy Values
Install policy consists of 4 comma-separated values:
1. Trusted signature behavior: Silent (2* or 1) or Disallowed (0)
2. Signed controls behavior: Silent (2), Prompt (1*), or Disallowed (0)
3. Unsigned controls behavior: Prompt (1) or Disallowed (0*)
4. HTTPS connection flags: a bitmask of the following values; 0* means all connection checks must pass
   0x   Ignore unknown CA
   0x   Ignore invalid CN
   0x   Ignore invalid certificate date
   0x   Ignore wrong certificate usage
   Any non-zero value here switches off a TLS check for that host and should be treated as a finding in a policy review.
* Default setting if no policy is specified for the host URL.

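The policy string described on the two preceding slides is easy to get wrong, so the following auditor is added here as an example; it is not code from the deck or from any Microsoft tool. It parses the four comma-separated values, decodes the HTTPS flag bitmask and lists the settings a security reviewer would question: a plain-http host, silent installs of signed controls, unsigned controls allowed, or any certificate check disabled. The bit values for the HTTPS flags are an assumption, because the slide names the four flags but their hex values did not survive in this transcript; the WinINet SECURITY_FLAG_IGNORE_* constants those names correspond to are used and should be checked against the ADMX help text. The sample site list is constructed.

```python
"""Audit ActiveX Installer Service (AXIS) approved-site entries.

Each entry is a host URL plus an install policy string of four
comma-separated values: "trusted,signed,unsigned,httpsflags".
Added example; not code from the deck or from Microsoft.
"""
from urllib.parse import urlsplit

# Meaning of each value as the deck lists it (deck defaults: 2, 1, 0, 0).
TRUSTED_SIGNATURE = {0: "disallowed", 1: "silent", 2: "silent"}
SIGNED_CONTROL = {0: "disallowed", 1: "prompt", 2: "silent"}
UNSIGNED_CONTROL = {0: "disallowed", 1: "prompt"}

# ASSUMPTION: the deck names these four flags but their hex values are lost in
# this transcript; the WinINet SECURITY_FLAG_IGNORE_* constants the names match
# are used here. Verify them against the ADMX help text before relying on this.
HTTPS_IGNORE_FLAGS = {
    0x00000100: "ignore unknown CA",
    0x00000200: "ignore wrong certificate usage",
    0x00001000: "ignore invalid CN",
    0x00002000: "ignore invalid certificate date",
}
ALL_HTTPS_FLAGS = 0
for _bit in HTTPS_IGNORE_FLAGS:
    ALL_HTTPS_FLAGS |= _bit


def parse_policy(policy):
    """Parse "t,s,u,f" into (trusted, signed, unsigned, flags); flags may be decimal or 0x-hex."""
    parts = [p.strip() for p in policy.split(",")]
    if len(parts) != 4:
        raise ValueError("policy needs exactly four comma-separated values: %r" % policy)
    trusted, signed, unsigned = (int(p) for p in parts[:3])
    flags = int(parts[3], 0)
    for value, table, name in ((trusted, TRUSTED_SIGNATURE, "trusted-signature"),
                               (signed, SIGNED_CONTROL, "signed-control"),
                               (unsigned, UNSIGNED_CONTROL, "unsigned-control")):
        if value not in table:
            raise ValueError("%s value %d is not defined" % (name, value))
    if flags & ~ALL_HTTPS_FLAGS:
        raise ValueError("unknown HTTPS flag bits 0x%x" % (flags & ~ALL_HTTPS_FLAGS))
    return trusted, signed, unsigned, flags


def audit_site(url, policy):
    """Return the list of findings for one approved site; an empty list means nothing to question."""
    findings = []
    scheme = urlsplit(url).scheme.lower()
    if scheme not in ("http", "https"):
        findings.append("host URL must start with http:// or https://")
    elif scheme == "http":
        findings.append("plain http host; the deck recommends https")
    _trusted, signed, unsigned, flags = parse_policy(policy)
    if signed == 2:
        findings.append("signed controls install silently, no user prompt")
    if unsigned == 1:
        findings.append("unsigned controls may be installed after a prompt")
    for bit, meaning in sorted(HTTPS_IGNORE_FLAGS.items()):
        if flags & bit:
            findings.append("HTTPS check disabled: %s" % meaning)
    return findings


def audit_sites(entries):
    """entries: {url: policy}. Returns {url: [findings]} for the sites that have findings."""
    return {url: f for url, f in ((u, audit_site(u, p)) for u, p in entries.items()) if f}


if __name__ == "__main__":
    # Constructed sample list: the deck's demo entry beside a hardened one and a weak one.
    SAMPLE = {
        "https://intranet.example.test": "1,1,1,0",    # the value typed in the demo
        "https://updates.example.test": "2,1,0,0",     # deck defaults: nothing to flag
        "http://legacy.example.test": "2,2,1,0x3300",  # every check the auditor knows
    }
    for site, problems in audit_sites(SAMPLE).items():
        print(site)
        for problem in problems:
            print("  -", problem)
```

Run it as a script to see the three constructed entries audited, or import it and feed `audit_sites` a dictionary exported from your own GPO; `parse_policy` rejects values outside the ranges the deck defines, which is the check to run before a policy is pushed.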
121 AXIS: Other Information
AXIS: Other Information
Auditing: the ActiveX Installer Service writes several events; currently only success and failure are reported when the service is called.
For more information about centrally managing ActiveX controls, see the following article: default.asp?url=/workshop/delivery/download/overview/implementation.asp

122 ActiveX Installer Service
ActiveX Installer Service

123 Demo: AXIS
Demo: AXIS
Open gpedit.msc (run as administrator)
Navigate to Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\ActiveX Installer Service
Select "Approved Installation Sites for ActiveX Controls"
Click Properties

124 Demo: AXIS
Demo: AXIS
Change the setting to "Enabled"
Click "Show" to edit the URL list
Click "Apply"
Paste the host URL into the first box
Type "1,1,1,0" into the second box
Click OK, OK and OK to close

125 Less Common Issues
Less Common Issues
Session 0 Isolation
Critical Section Code Changes
Painting Behavior
Networking: IPv6
My Documents Location

126 Less Common Issues: Session 0 Isolation
Less Common Issues (section divider; same agenda as slide 125, next topic: Session 0 Isolation)

127 Sessions in Windows XP/2003
Sessions in Windows XP/2003
Windows XP creates Session 0 with an interactive window station for services and user-mode drivers.
The first user logging in is added to Session 0, and that user's applications run in this session as well.
Diagram: Session 0 → Window Station 0 → Desktop 0, holding both the services' windows and the first user's windows.

128 Sessions in Windows Vista
Sessions in Windows Vista
Creates Session 0 for services and user-mode drivers.
Creates Session 1 for the first user logging in; applications run in Session 1.
Interaction between the Session 0 and Session 1 desktops via window messages is prohibited.
Diagram: Session 0 holds the services and user-mode drivers; Session 1 → Window Station 1 → Desktop 1 holds the user's windows.

129 Why: Session 0 Isolation
Why: Session 0 Isolation
Running services and user applications together in Session 0 is a security risk:
Potential exploitation by sending window messages between applications and services (the "shatter attack" class)
Malicious agents looking for a means to elevate their own privilege level can target services
Running services and user applications in separate sessions prevents such attacks.
User-mode drivers and services that already handle multiple users on Windows XP (Fast User Switching) will work in most cases.

130 Session 0: Compatibility Impact
Session 0: Compatibility Impact
A service and a user application that use window message functions (e.g. SendMessage, PostMessage) to communicate will silently fail.
A service and a user application that use local (session-scoped) named objects to communicate will silently fail; names in the Local\ namespace are per session, and only the Global\ namespace is shared across sessions.
A service that uses a UI to interact with the user will display the UI on a special desktop that the user does not normally see.

131 Session 0: Automatic Mitigation
Session 0: Automatic Mitigation
Symptom: UI displayed by a service is not visible.
Mitigation: Windows Vista lets the user interact with the Session 0 UI on a special desktop:
Detects that a UI is being displayed but not seen
Prompts the user to choose whether to display the message now or later
Switches the display to the special desktop where the UI is visible

132 Session 0 - Service UI

133 Demo: Session 0 - Service UI
Demo: Session 0 - Service UI
Set Windows XP compatibility for “WindowsVistaReadiness.exe”
Start “WindowsVistaReadiness.exe”
Click “Service UI”

134 Demo: Session 0 - Service UI
Demo: Session 0 - Service UI
Click “Show me the message”
Various messages will display

135 Demo: Session 0 - Service UI
Demo: Session 0 - Service UI
Various messages will display.

136 Session 0: Fixes
Session 0: Fixes
Problem: the service and the user application communicate using window message functions or local objects.
Solution: redesign the application and service to use a client/server mechanism, e.g. remote procedure call (RPC) or named pipes. Such an endpoint is reachable from every user session, so the service must identify and authorize the caller (e.g. by impersonating the client) rather than trusting whatever arrives on the pipe.

137 Session 0: Fixes (cont.)
Session 0: Fixes (cont.)
Problem: the service displays a UI to interact with the user.
Solution: redesign the service to no longer interact directly with the user.
Alternatively, use the WTSSendMessage function to show a simple message box on the user's desktop (not recommended).

138 Less Common Issues: Critical Section Code Changes
Less Common Issues (section divider; same agenda as slide 125, next topic: Critical Section Code Changes)

139 Critical Section Code Changes
Critical Section Code Changes
Why: changed to increase security and robustness.
How: earlier versions of Windows tolerated a CRITICAL_SECTION that was entered without ever being initialized (in effect it was initialized on demand); Windows Vista does not.
Symptom: programs that relied on on-demand initialization fail with an access violation.
Mitigation: apply the “EnterUninitializedCriticalSection” shim.
Fix: rewrite the code to call InitializeCriticalSection before first use (and DeleteCriticalSection when done).

140 Critical Section Changes
Critical Section Changes

141 Demo: Critical Section
Demo: Critical Section
Start “CriticalSection.exe”
Click “Locks Bug”
Click “OK”
Click “Cancel”

142 Less Common Issues: Painting Behavior
Less Common Issues (section divider; same agenda as slide 125, next topic: Painting Behavior)

143 Painting Behavior
Painting Behavior
Why: to improve the user experience.
How: all top-level windows are rendered to an off-screen bitmap; the Desktop Window Manager (DWM) composes the images to draw the desktop.
Impact: some applications render incorrectly.
Mitigation: disable desktop composition, either by applying the “DisableDWM” shim or via Properties → Compatibility tab → Disable desktop composition.
Fix: redesign the application so that it does not assume it is rendering directly to the screen.

144 Disabling Desktop Composition
Disabling Desktop Composition

145 Demo: Disabling Desktop Composition
Demo: Disabling Desktop Composition
Right-click “AppCompatDemo.exe”. Select Properties.
Select the Compatibility tab.
Check “Disable desktop composition”.
Run the application and observe how Aero Glass disappears.
Exit the application and observe how Aero Glass is back.

146 Less Common Issues: Networking IPv6
Less Common Issues (section divider; same agenda as slide 125, next topic: Networking IPv6)

147 IPv6
IPv6
The TCP/IP stack in Windows Vista has IPv6 enabled by default.
IPv6 traffic is sent by the Windows Vista stack regardless of whether the network supports IPv6 (e.g. router solicitation and neighbor discovery messages are generated by default).
Single stack and API for IPv4 and IPv6.
Applications that use the IPv4-specific API (gethostbyname, AF_INET sockets) cannot reach IPv6 hosts and will fail.

148 IPv6: Fix
Before (IPv4 only):

```c
void StartClient(PCSTR HostName, USHORT Port)
{
    SOCKET ClientSocket = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
    struct hostent *HostEntry = gethostbyname(HostName);   /* returns IPv4 (A) records only */
    SOCKADDR_IN A = {0};
    A.sin_family = AF_INET;
    A.sin_addr = *(struct in_addr *)HostEntry->h_addr;
    A.sin_port = htons(Port);
    connect(ClientSocket, (SOCKADDR *)&A, sizeof(A));
}
```

After (dual stack):

```c
void StartClient(PCSTR HostName, USHORT Port)
{
    SOCKET ClientSocket = socket(AF_INET6, SOCK_STREAM, IPPROTO_TCP);
    DWORD v6only = 0;     /* clear IPV6_V6ONLY so the one socket also reaches IPv4 peers */
    char PortString[6];   /* WSAConnectByName takes the service as a string, not a USHORT */
    setsockopt(ClientSocket, IPPROTO_IPV6, IPV6_V6ONLY, (const char *)&v6only, sizeof(v6only));
    sprintf_s(PortString, sizeof(PortString), "%u", Port);
    /* resolves HostName and tries every returned address, IPv6 and IPv4, until one connects */
    WSAConnectByNameA(ClientSocket, HostName, PortString, NULL, NULL, NULL, NULL, NULL, NULL);
}
```

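The point of the Winsock change above is not the API name but the pattern: resolve with an address-family-agnostic call and try every returned address, instead of gethostbyname plus an AF_INET socket. The following is an added example, not code from the deck, written in Python so that it runs anywhere: a dual-stack echo listener that clears the same IPV6_V6ONLY option as the slide's setsockopt, and a client that uses getaddrinfo with AF_UNSPEC and walks the candidate list. The host names and the loopback listener are constructed for the demo, and the listener falls back to IPv4 only on a machine without IPv6.

```python
"""Address-family-agnostic TCP client, the analogue of the slide's Winsock fix.
Added example, not code from the deck. Uses loopback only."""
import socket
import threading


def family_name(family):
    """Human-readable address family, used for results so callers need no socket constants."""
    return {socket.AF_INET: "IPv4", socket.AF_INET6: "IPv6"}.get(family, "other")


def resolve_candidates(host, port):
    """getaddrinfo(AF_UNSPEC) in place of gethostbyname(): returns every address,
    IPv6 and IPv4, as [(family, sockaddr), ...] in resolver order."""
    infos = socket.getaddrinfo(host, port, socket.AF_UNSPEC, socket.SOCK_STREAM)
    return [(family, sockaddr) for family, _type, _proto, _canon, sockaddr in infos]


def legacy_connect(host, port):
    """The 'Before' pattern: gethostbyname() only ever yields IPv4 and the socket
    is AF_INET, so an IPv6-only peer (or an IPv6 literal) can never be reached."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.connect((socket.gethostbyname(host), port))
    return sock


def connect_any(host, port, payload=b"ping", timeout=2.0):
    """Try each candidate in order; return (family name, echoed bytes) for the first that connects."""
    last_err = None
    for family, sockaddr in resolve_candidates(host, port):
        sock = socket.socket(family, socket.SOCK_STREAM)
        sock.settimeout(timeout)
        try:
            sock.connect(sockaddr)
            sock.sendall(payload)
            return family_name(family), sock.recv(1024)
        except OSError as err:
            last_err = err          # e.g. ::1 refused on an IPv4-only host: try the next one
        finally:
            sock.close()
    raise OSError("no address of %s accepted the connection: %s" % (host, last_err))


def start_echo_listener():
    """Dual-stack echo server on an ephemeral port; returns the port number.
    IPV6_V6ONLY=0 is the option the slide's setsockopt() clears: one AF_INET6 socket
    then also serves IPv4 clients (seen as ::ffff:a.b.c.d). Falls back to IPv4 only."""
    srv = None
    try:
        srv = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
        srv.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 0)
        srv.bind(("::", 0))
    except OSError:
        if srv is not None:
            srv.close()
        srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        srv.bind(("0.0.0.0", 0))
    srv.listen(5)

    def serve():
        while True:
            conn, _peer = srv.accept()
            with conn:
                conn.sendall(conn.recv(1024))   # echo whatever the client sent

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    port = start_echo_listener()
    for target in ("127.0.0.1", "::1", "localhost"):   # constructed demo targets
        try:
            print(target, "->", connect_any(target, port))
        except OSError as err:
            print(target, "-> failed:", err)
```

Running the script shows the same listener answering over both families where the host has them; on an IPv4-only host the ::1 attempt is skipped by the candidate loop rather than aborting the connection, which is the behaviour an application needs once the stack sends and accepts IPv6 by default.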
149 Less Common Issues: My Documents Location
Less Common Issues (section divider; same agenda as slide 125, next topic: My Documents Location)

150 My Documents Location
My Documents Location
The My Documents location and structure have changed to provide a better user experience.
User data is now stored under the \Users\%username%\ folder structure.
Pictures, Music, Documents, Desktop, and Favorites are all new folders directly under this structure.
Apps that use the SHGetFolderPath function and obtain the folder path dynamically are OK.
Never hard-code absolute paths (Application Verifier includes a test for this).

151 My Documents: Automatic Mitigation
My Documents: Automatic Mitigation
Directory junctions (NTFS reparse points) provide backward compatibility for hard-coded paths, e.g. ‘Documents and Settings’ → Users.
A Deny ACE for ‘Everyone’ on read (list folder) means the junction cannot be enumerated; only a full path through it can be accessed, e.g. ‘Documents and Settings\%username%\My Documents\foo.doc’.
This prevents the folders from being backed up twice.

152 My Documents

153 Demo: My Documents
Demo: My Documents
Run “AppCompatDemo.exe”
Select “My Documents: file access to C:\Documents and Settings\%username%\My Documents\MyDocumentsRedirectionTest.txt”
Click Execute

154 Demo: My Documents (cont.)
Demo: My Documents (cont.)
Open Documents
Click in the title bar
Show the file and explain the actual path: C:\Users\%username%\Documents

155 Demo: My Documents (cont.)
Demo: My Documents (cont.)
Open Computer. Navigate to C:\
Select Tools → Folder Options → View tab.
Select “Show hidden files and folders”.
Uncheck “Hide protected operating system files (Recommended)”.
Click OK

156 Demo: My Documents (cont.)
Demo: My Documents (cont.)
Highlight the “Documents and Settings” shortcut.
Double-click “Documents and Settings”: the open fails, because these names are only valid inside fully qualified paths.
Click OK

157 Demo: My Documents (cont.)
Demo: My Documents (cont.)
Navigate to “C:\Users\%username%”
Show “My Documents”
All old names are handled in this manner

158 Low Impact
Low Impact
Windows Vista 64-Bit
Deprecated APIs
Help Center Deprecated

160 64-bit Support
64-bit Support
The 64-bit version of Windows Vista runs 32-bit applications with the help of the WOW64 emulator.
32-bit user-mode drivers work on the 64-bit version of Windows Vista.
16-bit applications, 16-bit installers, and 32-bit kernel-mode drivers are not supported.

160 64-bit Support (cont.)
64-bit Support (cont.)
All 64-bit kernel-mode drivers must be digitally signed for Windows Vista.
Unsigned drivers are not supported and cannot be installed or loaded on 64-bit Windows Vista.
The digital signature check is done both at installation and at driver load time.

161 Deprecated Components
Deprecated Components
The following components from earlier Windows releases are not present in Windows Vista:
Kernel-mode printer driver support
Microsoft® FrontPage® Server Extensions
Services for Macintosh
D3DRM (Direct3D Retained Mode)
Web Publishing Wizard
NetDDE (already optional in XP)
GINA (replaced by credential providers)

162 Help and Support
Help and Support
Previous versions of Windows included support for WinHelp files (.HLP).
Not included in Windows Vista; a download adding WinHelp support will be available after Vista ships.
HTML Help (.CHM) is the preferred format.

163 Wrap-up

164 © 2006 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

