Vista Compatibility Team Blog

  • Moved

    As you might have noticed from the silence, we have moved on. Here are blogs for Vineet, Patrick, Yves and Maarten. We're working on OEM Ready lately and have our hands full.

    For the original Vista AppCompat issues, you can keep going to Chris' blog.

  • Folding shirts

    One of the nice things about being off-site with colleagues is that you learn interesting life-enhancing tricks. Vishal taught me the Ninja t-shirt technique. I will never fold a t-shirt the same way again.

    Maarten

  • Let us Test and Debug Your Application

    If you happen to be at TechEd (or you know someone who is), we have a room set up to test your application for Vista compatibility issues. You can bring your application and we can troubleshoot it for problems. We have the debug experts from the SWAT team and from the Application Experience team.

    We're in room S329.

    Maarten

  • Integrity Level and the ROT

    Integrity Levels result in surprising behavior. The other day I was looking at an accessibility application. Since accessibility applications need to be able to access applications that are potentially running with a MIC level of high, there is a setting in the manifest specifically for this purpose called uiAccess=true. If your application has this setting it will get a filtered token and a high MIC level, where normally it would get a filtered token and a medium MIC level.

    Enumerating the ROT from an admin application (high MIC unfiltered token) will give me this:

    E:\Code\Roguer\Roguer.sln

    !DExplore.AppObj.8.0:5820

    !{BA018599-1DB3-44F9-83B4-461454C84BF8} ProgID: VisualStudio.DTE.8.0

    !{1B2EEDD6-C203-4D04-BD59-78906E3E8AAB} ProgID: VisualStudio.Solution.8.0

    !{639F725F-1B2D-4831-A9FD-874847682010} ProgID: DExplore.AppObj.8.0

    !VisualStudio.DTE.8.0:2644

    Running it from a standard user token (filtered token, medium MIC) will give me

    !{000209FF-0000-0000-C000-000000000046} ProgID: Word.Application.12

    Document6

    Document4

    !{0006F03A-0000-0000-C000-000000000046} ProgID: Outlook.Application.12

    !{FB50E079-F904-4833-B7C0-309366351F3A}

    C:\Program Files\Microsoft Office\Templates\1033\Blog.dotx

    Document3

    !{000209FE-0000-0000-C000-000000000046} ProgID: Word.Basic.9

    The list is completely different. And running it from a uiAccess=true application will give me:

     

    Correct. Nothing. The ROT is partitioned by user token and then again by MIC level. No application has registered itself with a filtered token with high IL.

    The consequence is that accessibility applications need to use an intermediate process with a filtered, medium-MIC token to get access to Word or other applications that are registered in the ROT.

     

    Maarten
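
    To reproduce the comparison above, the following added example (not the tool used in the original post) lists the display name of every moniker the calling token can see in the ROT. The class name RotDump is illustrative; build it once and run it from an elevated prompt, a standard prompt and a uiAccess=true host to see the three partitions.

    ```csharp
    using System;
    using System.Runtime.InteropServices;
    using System.Runtime.InteropServices.ComTypes;

    static class RotDump
    {
        [DllImport("ole32.dll")]
        static extern int GetRunningObjectTable(int reserved, out IRunningObjectTable rot);

        [DllImport("ole32.dll")]
        static extern int CreateBindCtx(int reserved, out IBindCtx ctx);

        static void Main()
        {
            IRunningObjectTable rot;
            IBindCtx ctx;
            Marshal.ThrowExceptionForHR(GetRunningObjectTable(0, out rot));
            Marshal.ThrowExceptionForHR(CreateBindCtx(0, out ctx));

            // The enumerator only returns entries registered in the partition
            // that matches the caller's token and integrity level.
            IEnumMoniker monikers;
            rot.EnumRunning(out monikers);

            IMoniker[] one = new IMoniker[1];
            int count = 0;
            // Next returns S_OK (0) for as long as it hands back a moniker.
            while (monikers.Next(1, one, IntPtr.Zero) == 0)
            {
                string name;
                one[0].GetDisplayName(ctx, null, out name);
                Console.WriteLine(name);
                Marshal.ReleaseComObject(one[0]);
                count++;
            }
            Console.WriteLine("{0} ROT entries visible to this token", count);
        }
    }
    ```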

  • Signed Binaries in Non-trusted Locations

    When you inadvertently copy the complete cmd.exe to your Quick Launch bar instead of creating a shortcut, you get some interesting behavior on launching it elevated. Instead of the good old trusted elevation prompt, we get the untrusted version.

    Interesting. Surely the binary hasn't changed when copying it over? Let's check with sigcheck. Here is the original from system32:

    C:\Windows\system32>sigcheck cmd.exe
    Sigcheck v1.4
    Copyright (C) 2004-2007 Mark Russinovich
    Sysinternals - www.sysinternals.com

    C:\Windows\system32\cmd.exe:

    Verified: Signed
    Signing date: 4:14 AM 11/2/2006
    Publisher: Microsoft Corporation
    Description: Windows Command Processor
    Product: Microsoft« Windows« Operating System
    Version: 6.0.6000.16386
    File version: 6.0.6000.16386 (vista_rtm.061101-2205)

    And the copied version:

    C:\Windows\system32>sigcheck "C:\Users\maartenb\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\cmd.exe"
    Sigcheck v1.4
    Copyright (C) 2004-2007 Mark Russinovich
    Sysinternals - www.sysinternals.com

    c:\users\maartenb\appdata\roaming\microsoft\internet explorer\quick launch\cmd.exe:

    Verified: Signed
    Signing date: 4:14 AM 11/2/2006
    Publisher: Microsoft Corporation
    Description: Windows Command Processor
    Product: Microsoft« Windows« Operating System
    Version: 6.0.6000.16386
    File version: 6.0.6000.16386 (vista_rtm.061101-2205)

    Sure enough. Same version, same file, both signed by Microsoft. So something else must be going on.

    It turns out that Vista only shows the trusted consent dialog if the application is launched from a safe location, in this case System32. Due to the changed probing path (a command line application would first look for DLLs in the application's directory), it would be trivial to load a rogue DLL instead of a trusted version. The dialog doesn't mention this explicitly, but the warning is certainly justified.

  • Is my Process Virtualized or Redirected?

    In some scenarios it might be necessary to know whether a process is actually being redirected or not. A case in point is for example a library that is loaded and needs to know whether the host process and the library have an identical view of the virtualized world. You can use GetTokenInformation with TokenVirtualizationEnabled to find that out.

    The same API with TokenElevation instead of TokenVirtualizationEnabled will give you whether you run with an elevated token or not. Note that this does not guarantee you are running as administrator. You might very well be Backup Operator or standard user with a couple of manually added privileges.

    Maarten
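
    The two queries described in this post, as an added C# example that is not code from the original post. The class name TokenFlags is illustrative and the numeric information-class values are taken from winnt.h; TokenElevationType is included as well because it separates a full token from a filtered one, which TokenElevation alone does not.

    ```csharp
    using System;
    using System.ComponentModel;
    using System.Runtime.InteropServices;

    static class TokenFlags
    {
        // TOKEN_INFORMATION_CLASS values from winnt.h in the Windows Vista SDK.
        const int TokenElevationType = 18;          // 1 = default, 2 = full, 3 = limited (filtered)
        const int TokenElevation = 20;              // TOKEN_ELEVATION.TokenIsElevated
        const int TokenVirtualizationEnabled = 24;  // DWORD, non-zero when redirection is on
        const uint TOKEN_QUERY = 0x0008;

        [DllImport("kernel32.dll")]
        static extern IntPtr GetCurrentProcess();

        [DllImport("advapi32.dll", SetLastError = true)]
        static extern bool OpenProcessToken(IntPtr process, uint access, out IntPtr token);

        [DllImport("advapi32.dll", SetLastError = true)]
        static extern bool GetTokenInformation(IntPtr token, int infoClass,
            out uint info, uint infoLength, out uint returnLength);

        [DllImport("kernel32.dll", SetLastError = true)]
        static extern bool CloseHandle(IntPtr handle);

        // All three classes used here return exactly one 32-bit value.
        static uint QueryDword(IntPtr token, int infoClass)
        {
            uint value, returned;
            if (!GetTokenInformation(token, infoClass, out value, sizeof(uint), out returned))
                throw new Win32Exception(Marshal.GetLastWin32Error());
            return value;
        }

        static void Main()
        {
            IntPtr token;
            if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, out token))
                throw new Win32Exception(Marshal.GetLastWin32Error());
            try
            {
                Console.WriteLine("Virtualization enabled: {0}", QueryDword(token, TokenVirtualizationEnabled) != 0);
                Console.WriteLine("Elevated token:         {0}", QueryDword(token, TokenElevation) != 0);
                Console.WriteLine("Elevation type:         {0}", QueryDword(token, TokenElevationType));
            }
            finally { CloseHandle(token); }
        }
    }
    ```

    A library loaded into a host process can run the same queries to learn whether it shares the host's virtualized view of the file system and registry.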

  • Debugging LSASS

    For some reason I had to debug LSASS (Local Security Authority Process) recently. Considering that LSASS is rather involved in the functioning of the system with respect to authorization checks, it is cumbersome to debug. The system deadlocks immediately. Try for example attaching to lsass.exe from WinDbg and click the start button when the debugger is paused. Yep. Nothing.

    Consulting with one of our security developer support gurus led to a quick workaround. Do it remotely.

    1) The server (debuggee where LSASS needs to be debugged) is started with the following command: (No need to restart anything)

    dbgsrv -t tcp:port=1025

    2) On the debugger, start WinDbg as a client with this command:

    Windbg -premote tcp:server=<servername>,port=1025 -p <lsass pid>

    Thanks Prab.

    Maarten

  • Certification Freebie

    I had mentioned in a previous post about handy certification tools.  If that sparked your interest in getting your app certified, Microsoft is extending the offer for a refund for the cost of verification testing until the end of June.  You only get a refund if you pass - so, make sure your app meets the requirements of the test cases. ;-)

    Pat

  • GetCurrentProcess fails on Net 1.1 on Vista

    This little snippet compiled with .Net 1.1:

    using System;
    using System.Diagnostics;

    class Program
    {
        static void Main(string[] args)
        {
            try
            {
                Process c = Process.GetCurrentProcess();

                Process[] p = Process.GetProcessesByName(c.ProcessName);
            }
            catch (Exception e)
            {
                Console.WriteLine(e.Message);
            }
        }
    }

       

    will fail on Vista as standard user and hence filtered admin with this error:

    {"Couldn't get process information from remote machine."}

    Compiling it under 2.0 will get you past it.

       

    Maarten

  • C2065: 'TOKEN_LINKED_TOKEN' : undeclared identifier

    If you get    

    error C2065: 'TOKEN_LINKED_TOKEN' : undeclared identifier    

    when you try to compile a VC++ project that needs to get the linked token through GetTokenInformation, you need to get the Microsoft Windows SDK for Windows Vista. This is true for all the new Vista APIs of course. The SDK that shipped with Visual Studio is old and was built prior to Vista's existence.

    You need to add the include, bin and lib directories of the platform SDK (default is C:\Program Files\Microsoft SDKs\Windows\v6.0) to Tools\Option\VC++ directories.

    Maarten

  • SetThreadPriority from Run key

    If you add an application to the Run key in the registry (HKLM\Software\Microsoft\Windows\CurrentVersion\Run), you'll notice that its threads are kept at Normal priority. You can call SetThreadPriority all day long, but it won't make a difference: the priority of the thread is kept at Normal (to be precise, it is for about a minute or so after which the call to SetThreadPriority(THREAD_PRIORITY_HIGHEST ) will actually succeed in bumping up its priority level).

    The upside is that Vista becomes responsive sooner for programs that are started by the user. Programs that added themselves to the Run key had a tendency to deem themselves more important than the competition, and they would stumble over each other to initialize first. Since an application would be an automatic loser in the elbow race if it kept its priority at Normal, it appeared to start sluggishly. By making all startup-at-logon applications play fair, at least the end user gets a responsive machine sooner.

    This also applies to applications added to the Startup folder.

    Maarten

  • Vista Certification Testing Tools

    In the lab we get a lot of questions about the Vista Certification logo program.  There are two different logos you can get for your product:

    Works With Windows Vista

    This one is easy to get and everyone is recommended to go for this logo.  Your app needs to pass the 30 minute compatibility check defined in the Application Compatibility Cookbook.

    Certified For Windows Vista

    This one requires you to make sure your app passes all the test cases defined for the program and then get your app tested at a testing authority for verification.  Even if you are not planning on getting the full certification, we recommend you check out the test cases.

    For both programs, you can get all the details at http://www.innovateonvista.com

    Getting back to the point of this post...  The test cases mention testing tools that are needed.  There is a download that bundles up most of the tools and can be downloaded in a single Logo Testing Tools package.  There are some handy tools in the package that let you test your app with Restart Manager and inject AV's to test Windows Error Reporting (WER).

    Pat

  • Very informative UAC blog post from Mark Russinovich

    In his blog post "PsExec, User Account Control and Security Boundaries" Mark Russinovich shares some insight on the capabilities of UAC in Vista...

    ..."It should be clear then, that neither UAC elevations nor Protected Mode IE define new Windows security boundaries. Microsoft has been communicating this but I want to make sure that the point is clearly heard."...

    http://blogs.technet.com/markrussinovich/archive/2007/02/12/638372.aspx

  • Internet Explorer caches settings

    In the LoRIE doc for developers, it is mentioned that you can register your application as a broker with Internet Explorer by adding entries to:

        HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy

    Unfortunately IE doesn't pick those up until IEUser.exe is restarted. You can use RestartManager APIs to cycle both IE and IEUser. Below is a code sample that shows how to accomplish this. Note that for demonstration purposes hardcoded paths are used and error handling is not as robust as it should be.

    This will obviously work for other settings that are cached as well.

    #include <windows.h>
    #include <restartmanager.h>   // link with Rstrtmgr.lib

    // The post shows only the function body; the wrapper name is illustrative.
    DWORD CycleInternetExplorer()
    {
        DWORD dwVal = ERROR_SUCCESS;
        DWORD dwSessionHandle = (DWORD)-1;
        WCHAR wszSessionKey[CCH_RM_SESSION_KEY+1];
        UINT nProcInfo = 100;
        UINT nProcInfoNeeded;
        DWORD lpdwRebootReason = 0;

        // For demo purposes, hardcoded paths are used.
        // rgsFiles[0] is iexplore.exe, rgsFiles[1] is ieuser.exe.
        DWORD nFiles = 2;
        LPCWSTR rgsFiles[] = { L"c:\\program files\\internet explorer\\iexplore.exe",
                               L"c:\\program files\\internet explorer\\ieuser.exe" };

        RM_PROCESS_INFO *rgProcs = new RM_PROCESS_INFO[nProcInfo];
        if (NULL == rgProcs)
        {
            dwVal = ERROR_NOT_ENOUGH_MEMORY;
            goto RM_END;
        }

        // Starting Session
        dwVal = RmStartSession(&dwSessionHandle, 0, wszSessionKey);
        if (ERROR_SUCCESS != dwVal)
            goto RM_END;

        // Register items
        dwVal = RmRegisterResources(dwSessionHandle, nFiles, rgsFiles,
                                    0, NULL, 0, NULL);
        if (ERROR_SUCCESS != dwVal)
            goto RM_END;

        // Getting affected apps
        dwVal = RmGetList(dwSessionHandle, &nProcInfoNeeded, &nProcInfo,
                          rgProcs, &lpdwRebootReason);
        if (ERROR_SUCCESS != dwVal)
            goto RM_END;

        // Apply filter to shutdown iexplore processes only
        dwVal = RmAddFilter(dwSessionHandle, rgsFiles[1],
                            NULL, NULL, RmNoShutdown);
        if (ERROR_SUCCESS != dwVal)
            goto RM_END;

        // Shutdown iexplore processes
        dwVal = RmShutdown(dwSessionHandle, 0, NULL);
        if (ERROR_SUCCESS != dwVal)
            goto RM_END;

        // Remove previous filter & apply filter to shutdown ieuser only
        dwVal = RmRemoveFilter(dwSessionHandle, rgsFiles[1], NULL, NULL);
        if (ERROR_SUCCESS != dwVal)
            goto RM_END;

        dwVal = RmAddFilter(dwSessionHandle, rgsFiles[0],
                            NULL, NULL, RmNoShutdown);
        if (ERROR_SUCCESS != dwVal)
            goto RM_END;

        // Shutdown ieuser process
        dwVal = RmShutdown(dwSessionHandle, 0, NULL);
        if (ERROR_SUCCESS != dwVal)
            goto RM_END;

        // Remove the no-shutdown filter applied to iexplore
        dwVal = RmRemoveFilter(dwSessionHandle, rgsFiles[0], NULL, NULL);
        if (ERROR_SUCCESS != dwVal)
            goto RM_END;

        // Apply filter to restart ieuser process only
        dwVal = RmAddFilter(dwSessionHandle, rgsFiles[0],
                            NULL, NULL, RmNoRestart);
        if (ERROR_SUCCESS != dwVal)
            goto RM_END;

        // Restart ieuser
        dwVal = RmRestart(dwSessionHandle, NULL, NULL);
        if (ERROR_SUCCESS != dwVal)
            goto RM_END;

        // Remove previous filter & add filter to restart iexplore only
        dwVal = RmRemoveFilter(dwSessionHandle, rgsFiles[0], NULL, NULL);
        if (ERROR_SUCCESS != dwVal)
            goto RM_END;

        dwVal = RmAddFilter(dwSessionHandle, rgsFiles[1],
                            NULL, NULL, RmNoRestart);
        if (ERROR_SUCCESS != dwVal)
            goto RM_END;

        // Restart iexplore
        dwVal = RmRestart(dwSessionHandle, NULL, NULL);
        if (ERROR_SUCCESS != dwVal)
            goto RM_END;

    RM_END:

        if (NULL != rgProcs)
            delete [] rgProcs;

        // Clean up session
        if ((DWORD)-1 != dwSessionHandle)
            RmEndSession(dwSessionHandle);

        return dwVal;
    }

    Maarten

  • Creating System DSNs on Vista

    Although the MSDN article states that all keys under HKLM\Software are virtualized, the HKLM\Software\ODBC\ODBC.INI key (used for creating System DSNs) is NOT virtualized.

    The rationale is that creating a System DSN is essentially an Administrator's task, so when you write to this location as a Standard User you will get an exception, because the registry key is marked for no virtualization.

    To view these settings, in the Command prompt type in

    REG FLAGS HKLM\Software\ODBC\ODBC.INI

    And this will output ->

    HKEY_LOCAL_MACHINE\Software\ODBC\ODBC.INI
    REG_KEY_DONT_VIRTUALIZE: SET
    REG_KEY_DONT_SILENT_FAIL: SET
    REG_KEY_RECURSE_FLAG: SET


    Vineet

© 2008 Microsoft Corporation. All rights reserved.