Friday, 29 August 2008

Microsoft Terminal Services Compatibility Analyzer - Analyzed

As promised, I have spent a little bit of time reviewing/investigating the Microsoft Terminal Server Compatibility Analyzer on a few packages.

I downloaded and installed the TS Compatibility Analyser and attempted to run the application against a few packages on my desktop; Adobe Reader 8, WinZip 10, and Real Player. I chose these applications as they are readily available, are known to work on Terminal Services (though you may not choose to deploy them to a Terminal Services environment)

After the quick installation, I selected C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe and tried to launch the application from within the TS Compatibility Analyser shown here;

As I mentioned in my previous blog, it appears that we can scan for; File Access, Registry Access, INI File Access, Access Tokens, Privilege (I assume elevation requests) , Name Space and Process information.

I was a little disappointed to see that once attempted to launch the application via the Launch button, I was requested to down the Microsoft Application Verifier. Application Verifier is a key component of the Microsoft Application Compatibility toolkit . Microsoft describes the Application Verifier as;

"Application Verifier is a runtime verification tool for unmanaged code that assists in quickly finding subtle programming errors that can be extremely difficult to identify with normal application testing. Application Verifier is designed specifically to detect and help debug memory corruptions and critical security vulnerabilities. It makes it easier to create reliable applications by monitoring an application's interaction with the Windows operating system, profiling its use of objects, the registry, the file system, and Win32 APIs (including heaps, handles, locks, and more). "

Once downloaded and installed, I tried again, this time successfully loaded Acrobat Reader and generated some results.

And some registry analysis

As you can see by the "Tabs" on the image results from the TS CA results, there are other objects and Privilege issues for this sample application that may cause an issue. The more interesting aspect of this analysis is illustrated in the summary overview.

These results are really interesting as they break things down into nice, detailed groups for you. But, I am a little surprised by the issues raised. Acrobat reader works fine under Terminal Services - but these results indicate a compatibility issue.

And, somewhat cryptically, the column titled "Works with Virtualization" (which I assume Virtualization refers to SoftGrid or MAV) give me even more cause for concern. Have a look at the following diagram.

Sure, it makes sense that you should not be able to write to a protected system area, but you should be able to write to your user profile (USERDATA) area.

So, I have the following questions for the Microsoft TS Compatibility Analyser;
  1. How are you detecting the TSAware bit?
  2. What does the "Work with Virtualisation" column really mean?
  3. What algorithms make a YES or a NO in the Virtualization column?
  4. Can we get a list of forbidden API calls for Terminal Services
  5. I know this is a BETA release, but more documentation would be helpful
  6. What files, directories and registry keys does the TSCA think causes compatibility issues?

I will ping the guys from the ACT team at Microsoft and see if I can find out. Watch this space.

References and useful links;

Just for those who have not read my previous posts, the TSCA application can be downloaded from the Microsoft Connect BETA website here:

If you have to Adobe Acrobat running on WTS, there is some documentation from Adobe located here: (watch out: PDF warning)

To download the Application Verifier separately, look here:

And, for some instructions on how to use the MS Application Verifier look here;

1 comment:

Chris Jackson said...

The app should look remarkably familiar if you've used Standard User Analyzer. Works with Virtualization in that tool means that file/registry virtualization fixes it up by redirecting. Same thing here is my guess.