Wednesday 9 December 2009

Patch Tuesday: December 2009

With this December Microsoft Patch Tuesday Security Update, we see six updates relating to the IE, Office, the Windows XP, Server (2003 and 2008) and Windows 7 Operating System. With this release, there are 3 updates rated as CRITICAL and three updates rated as IMPORTANT – all of which are expected by the AOK Patch Impact team to require machine (workstation and server) reboots.
The ChangeBase AOK Patch Impact team has analysed over 1,000 application packages for conflicts with Microsoft Security Updates and potential dependencies, or down-level conflicts.
Based on the results of our AOK Application Compatibility Lab five of the six patches have very limited impact on applications. The one patch that raised a significant number of issues is MS09-072 (Cumulative Security Update for Internet Explorer (976325). With a moderate impact on both the number of applications affected and number of issues raised, the ChangeBASE AOK team recommends particular attention is paid the testing and deployment of the patch MS09-072.

We have included a brief snap-shot of some of the results from our AOK Software that demonstrates some of the potential impacts on Microsoft Office deployments with the following pictures.



MS09-069 Vulnerability in Local Security Authority Subsystem Service Could Allow Denial of Service (974392



Testing Summary
  • MS09-069 : : Marginal impact and negligible testing profile
  • MS09-070 : : Marginal impact and negligible testing profile
  • MS09-071 : : Marginal impact and negligible testing profile
  • MS09-072 : : MODERATE impact and small testing profile
  • MS09-073 : : Marginal impact and negligible testing profile
  • MS09-074 : : Marginal impact and negligible testing profile


Patch Name
Total
Issues
Matches
Affected
Reboot
Rating
RAG
Microsoft Security Bulletin MS09-069
<1%
<1%
YES
Critical
Green
Microsoft Security Bulletin MS09-070
<1%
<1%
YES
Critical
Green
Microsoft Security Bulletin MS09-071
<1%
<1%
YES
Critical
Green
Microsoft Security Bulletin MS09-072
<1%
<1%
YES
Critical
Green
Microsoft Security Bulletin MS09-073
<1%
<1%
YES
Critical
Green
Microsoft Security Bulletin MS09-074
<1%
<1%
YES
Critical
Green

Legend:
No Issue
No Issues Detected
Fixable
Potentially fixable application Impact
Serious
Serious Compatibility Issue

Security Update Detailed Summary
MS09-069
: Vulnerability in Local Security Authority Subsystem Service Could Allow Denial of Service (974392)
Description
This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow a denial of service if a remote, authenticated attacker, while communicating through Internet Protocol security (IPsec), sends a specially crafted ISAKMP message to the Local Security Authority Subsystem Service (LSASS) on an affected system.
Payload
Ipsec.sys, Ipsecmon.exe, Netdiag.exe, Oakley.dll, Polagent.dll, Polstore.dll, Rasmans.dll
Impact
Important – Denial of Service

MS09-070
Vulnerabilities in Active Directory Federation Services Could Allow Remote Code Execution (971726)
Description
This security update resolves two privately reported vulnerabilities in Microsoft Windows. The more severe of these vulnerabilities could allow remote code execution if an attacker sent a specially crafted HTTP request to an ADFS-enabled Web server. An attacker would need to be an authenticated user in order to exploit either of these vulnerabilities.
Payload
System.web.security.singlesignon.dll, Ifsext.dll, Ifsfilt.dll, Ifsutils.dll, Adfsreg.exe
Impact
Important – Remote Code Execution

MS09-071
Vulnerabilities in Internet Authentication Service Could Allow Remote Code Execution (974318)
Description
This security update resolves two privately reported vulnerabilities in Microsoft Windows. These vulnerabilities could allow remote code execution if messages received by the Internet Authentication Service server are copied incorrectly into memory when handling PEAP authentication attempts. An attacker who successfully exploited either of these vulnerabilities could take complete control of an affected system. Servers using Internet Authentication Service are only affected when using PEAP with MS-CHAP v2 authentication.
Payload
Raschap.dll, Rastls.dll
Impact
Critical – Remote Code Execution

MS09-072
Cumulative Security Update for Internet Explorer (976325)
Description
This security update resolves four privately reported vulnerabilities and one publicly disclosed vulnerability in Internet Explorer. The vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. An ActiveX control built with Microsoft Active Template Library (ATL) headers could also allow remote code execution; this vulnerability has been described in Microsoft Security Advisory 973882 and Microsoft Security Bulletin MS09-035.
Payload
Browseui.dll, Cdfview.dll, Danim.dll, Dxtmsft.dll, Dxtrans.dll, Extmgr.dll, Html.iec, Iedw.exe, Ieencode.dll, Iepeers.dll, Inseng.dll, Jsproxy.dll, Mshtml.dll, Mshtmled.dll, Msrating.dll, Mstime.dll, Pngfilt.dll, Shdocvw.dll, Shlwapi.dll, Tdc.ocx, Urlmon.dll, Wininet.dll, Xpsp3res.dll
Impact
Critical – Remote Code Execution

MS09-073
Vulnerability in WordPad and Office Text Converters Could Allow Remote Code Execution (975539)
Description
This security update resolves a privately reported vulnerability in Microsoft WordPad and Microsoft Office text converters. The vulnerability could allow remote code execution if a specially crafted Word 97 file is opened in WordPad or Microsoft Office Word. An attacker who successfully exploited this vulnerability could gain the same privileges as the user. Users whose accounts are configured to have fewer privileges on the system could be less impacted than users who operate with administrative privileges.
Payload
Html32.cnv, Msconv97.dll, Mswrd6.wpc, Mswrd632.wpc, Mswrd8.wpc, Mswrd832.cnv, Write.wpc, Write32.wpc
Impact
Important – Remote Code Execution

MS09-074
Vulnerability in Microsoft Office Project Could Allow Remote Code Execution (967183)
Description
This security update resolves a privately reported vulnerability in Microsoft Office Project. The vulnerability could allow remote code execution if a user opens a specially crafted Project file. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Payload
Anlyzts.dll, Atlconv.dll, Mswarp.dll, Pj11od11.dll, Pj11tm11.dll, Pjmsgmgr.dll, Pjmsgsdr.dll, Pjoledb.dll, Pjresc.dll, Pjspool.exe, Prjres.dll, Serconv.dll, Winproj.exe
Impact
Critical – Remote Code Execution


*All results are based on an AOK Application Compatibility Lab’s test portfolio of over 1,000 applications.







Monday 30 November 2009

App-V .NET Managed Code Issue: Fixed!

Instead of my usual litany of woe and rails against all things that don't work to my immediate satisfaction, I thought would post today on something that WAS an issue. And, no longer is a problem.

One of the application compatibility issues that raised an issue prior to the release of App-V 4.5 Cumulative 1 (CU1) is detailed in the following post from Just Zarb

"An application compatibility" problem occurs when an unmanaged executable file (.exe) is statically linked to a managed module (.dll/.lib). "

When the .exe file is unmanaged, sftldr.dll gets loaded just after ntdll.dll, and kernel32.dll file.

After that, if the loader finds any dependent managed module during the implicit loading phase , it tries to validate that image using _CorValidateImage() function of mscoree.dll.

_CorValidateImage() performs the following 2 actions:

                1. Ensures that the code is valid managed code.
                2. Changes the entry point in the image to an entry point in the runtime.

_CorValidateImage() calls all the dllMain() function of modules that got loaded before this managed module, and the dllMain() of sftldr.dll also gets called. 

This may result in the wrong version for desired loading or worse, not loading the required DLL at all. The likely result here is that the application will fail to start.

This problem does not happen when both the .exe file and the dll module are managed. When the .exe file is managed, mscoree.dll module gets loaded before sftldr.dll.

Now, the good news is that this issue has been resolveD and verified by the good folks in the Microsoft Premier Field Engineering (PFE) team with the release of App-V CU1.


See, my blog is not so bad after all...

References:

Justin Zarb's blog (The World Simplified is a Virtual World)

You can find Microsoft's App-V 4.5 CU1 update here:

Read about Microsoft "Managed Execution Process"

Thursday 12 November 2009

Patch Tuesday: November 2009

The November Patch Tuesday update from Microsoft follows the largest patch and security update in Microsoft’s history. This month there are six updates to Office, Active Directory and Microsoft’s Office application suite.
These six updates have a low impact, bar one patch to Excel which may cause compatibility issues for some applications. The main cause for concern here is that Excel is a primary if not essential element to many environments. For example most banking, trading floor and insurance platforms. Therefore any change must be tested rigorously.
Whilst there are few applications in our sample that are affected, the ChangeBASE AOK team recommends that the Excel update (MS09-067) requires particular attention in any environments where there is a significant dependency on this,

We have included a brief snap-shot of some of the results from our AOK Software that demonstrates some of the potential impacts on Microsoft Office deployments with the following picture.



Testing Summary
  • MS09-063 : : Marginal impact and negligible testing profile
  • MS09-064 : : Marginal impact and negligible testing profile
  • MS09-065 : : Marginal impact and negligible testing profile
  • MS09-066 : : Marginal impact and negligible testing profile
  • MS09-067 : : Moderate impact and negligible testing profile
  • MS09-068 : : Marginal impact and negligible testing profile


Patch NameTotal
Issues
Matches
Affected
RebootRatingRAG
Microsoft Security Bulletin MS09-063<1%<1%YESCriticalGreen
Microsoft Security Bulletin MS09-064<1%<1%YESCriticalGreen
Microsoft Security Bulletin MS09-065<1%<1%YESCriticalGreen
Microsoft Security Bulletin MS09-066<1%<1%YESImportantGreen
Microsoft Security Bulletin MS09-0671%1%YESImportantAmber
Microsoft Security Bulletin MS09-068<1%<1%YESImportantGreen

Legend:
No IssueNo Issues Detected
FixablePotentially fixable application Impact
SeriousSerious Compatibility Issue

Security Update Detailed Summary
MS09-063Vulnerability in Web Services on Devices API Could Allow Remote Code Execution (973565)
DescriptionThis security update resolves a privately reported vulnerability in the Web Services on Devices Application Programming Interface (WSDAPI) on the Windows operating system. The vulnerability could allow remote code execution if an affected Windows system receives a specially crafted packet. Only attackers on the local subnet would be able to exploit this vulnerability.
PayloadWsdapi.dll
ImpactCritical – Remote Code Execution

MS09-064Vulnerability in License Logging Server Could Allow Remote Code Execution (974783)
DescriptionThis security update resolves a privately reported vulnerability in Microsoft Windows 2000. The vulnerability could allow remote code execution if an attacker sent a specially crafted network message to a computer running the License Logging Server. An attacker who successfully exploited this vulnerability could take complete control of the system. Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate outside the enterprise perimeter.
PayloadLlscustom.dll
ImpactCritical – Remote Code Execution

MS09-065Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (969947)
DescriptionThis security update resolves several privately reported vulnerabilities in the Windows kernel. The most severe of the vulnerabilities could allow remote code execution if a user viewed content rendered in a specially crafted Embedded OpenType (EOT) font. In a Web-based attack scenario, an attacker would have to host a Web site that contains specially crafted embedded fonts that are used to attempt to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content could contain specially crafted content that could exploit this vulnerability. An attacker would have no way to force users to visit a specially crafted Web site. Instead, an attacker would have to convince the user to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes the user to the attacker's site.
PayloadWin32k.sys, W32ksign.dll
ImpactCritical – Remote Code Execution

MS09-066Vulnerability in Active Directory Could Allow Denial of Service (973309)
DescriptionThis security update resolves a privately reported vulnerability in Active Directory service, Active Directory Application Mode (ADAM), and Active Directory Lightweight Directory Service (AD LDS). The vulnerability could allow denial of service if stack space was exhausted during execution of certain types of LDAP or LDAPS requests. This vulnerability only affects domain controllers and systems configured to run ADAM or AD LDS.
PayloadAdamdsa.dll
ImpactImportant – Remote Code Execution

MS09-067Vulnerabilities in Microsoft Office Excel Could Allow Remote Code Execution (972652)
DescriptionThis security update resolves several privately reported vulnerabilities in Microsoft Office Excel. The vulnerabilities could allow remote code execution if a user opens a specially crafted Excel file. An attacker who successfully exploited any of these vulnerabilities could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
PayloadExcel.exe
ImpactImportant – Remote Code Execution

MS09-068Vulnerability in Microsoft Office Word Could Allow Remote Code Execution (976307)
DescriptionThis security update resolves a privately reported vulnerability that could allow remote code execution if a user opens a specially crafted Word file. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
PayloadWinword.exe
ImpactImportant – Remote Code Execution

Wednesday 11 November 2009

Microsoft TechEd EMEA: A few days in Berlin

It's going to be a super quick post today.

I have been working the Converter Technology (http://www.convertertechnology.com/) stand and the Getronics stands at the Microsoft TechEd exhibition all day and now have to do my day job (in the evening.)

I just thought that I would post some of the images of the stand and include some of the great people working with us.



These chaps are from Converter Technonology who automatically scan for "document" level compatibility issues and fix them... which sounds kinda familiar doesn't it?

Will post properly once I am back in the UK.


Thursday 5 November 2009

MS09-054: IE8 Security Update - Updated

    October 2009 saw the biggest Microsoft security update - both in terms of breadth and depth of patches delivered  and bugs fixed.
    However, we have seen three updates to this October Security update over the past few weeks.
    On October 14, Microsoft offered up a workaround for a problem with MS09-056, then corrected several errors in MS09-062 last week.
    The company also revised an August update, MS09-043, last week to correct a patch-detection error that may have left some corporate users who receive updates via Windows Server Update Services (WSUS) un-patched.
    Now, the Internet Explorer (IE) 8 Patch MS09-054 was updated on November 3rd with a binary level revision of the security files.
    From our last AOK Patch Tuesday assessment, here are the details for this patch.
    MS09-054
    Cumulative Security Update for Internet Explorer (974455)
    Description
    This security update resolves three privately reported vulnerabilities and one publicly disclosed vulnerability in Internet Explorer. The vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
    Payload
    Iecustom.dll, Browseui.dll, Cdfview.dll, Danim.dll, Dxtmsft.dll, Dxtrans.dll, Iepeers.dll, Inseng.dll, Jsproxy.dll, Mshtml.dll, Msrating.dll, Mstime.dll, Pngfilt.dll, Shdocvw.dll, Shlwapi.dll, Urlmon.dll, Wininet.dll, Browseui.dll, Cdfview.dll, Danim.dll, Dxtmsft.dll, Dxtrans.dll, Iepeers.dll, Inseng.dll, Jsproxy.dll, Mshtml.dll, Msrating.dll, Mstime.dll, Pngfilt.dll, Shdocvw.dll, Shlwapi.dll, Urlmon.dll, Wininet.dll, Iecustom.dll
    Impact
    Critical – Remote Code Execution
    We at the AOK Patch team were pretty concerned about this patch and rated it an AMBER due to the number of application overlaps and the potential for impacts on the target Operating system. We have re-run the reports for this patch and the updated BITS do not materially impact the results. However, the AOK team still recommends that this patch requires extensive testing prior to deployment.
    For reference, I have included the RAG status for all of these patches in this blog posting;
    Patch Name
    Total
    Issues
    Matches
    Affected
    Reboot
    Rating
    RAG
    Security Bulletin MS09-050
    <1%
    <1%
    YES
    Critical
    Green
    Security Bulletin MS09-051
    <1%
    <1%
    YES
    Critical
    Green
    Security Bulletin MS09-052
    <1%
    <1%
    YES
    Critical
    Green
    Security Bulletin MS09-053
    <1%
    <1%
    YES
    Critical
    Green
    Security Bulletin MS09-054
    1%
    1%
    YES
    Critical
    Amber
    Security Bulletin MS09-055
    <1%
    <1%
    YES
    Critical
    Green
    Security Bulletin MS09-056
    <1%
    <1%
    YES
    Critical
    Green
    Security Bulletin MS09-057
    <1%
    <1%
    YES
    Critical
    Green
    Security Bulletin MS09-058
    <1%
    <1%
    YES
    Critical
    Green
    Security Bulletin MS09-059
    <1%
    <1%
    YES
    Critical
    Green
    Security Bulletin MS09-060
    1%
    1%
    YES
    Critical
    Amber
    Security Bulletin MS09-061
    1%
    1%
    YES
    Critical
    Amber
    Security Bulletin MS09-062
    11%
    <1%
    YES
    Critical
    Red

    And, for all those not rabidly following the AOK "Language of Life", we use Red,  Amber and Green to colour our world. So, here is a legend for these results.
    Legend:
    No Issue
    No Issues Detected
    Fixable
    Potentially fixable application Impact
    Serious
    Serious Compatibility Issue

Monday 2 November 2009

5x5x5 Migration Issues: App-V 4.x to 4.6

Well,

This is the third part of my by three part blog - and, it looks like I might have to add another piece - meaning  that, this is really the 3rd part of a 4 part blog post ... oops

As mentioned in the previous two postings, we need to get applications working on Windows 7 and App-V: together. Meaning getting an application successfully deployed and running on a App-V client running on top of Windows 7.

This blog posting relates to the challenges facing administrators who have existing App-V packages (client versions 4.1 and 4.2) which were probably sequenced on Windows XP who will need to migrate these packages to the App-V client 4.5. In fact, though the most recent client version of App-V is 4.5 CU1, we really should be planning for clients to deploy to version 4.6, which is expected to be released Microsoft to production soon. Thus, I have tailored our results of the SFT package analysis to take client 4.6 issues into account as well.

With the updated release of Microsoft App-V 4.5 (and also relating to the update CU1 and 4.6 BETA), there has been a number of significant architectural changes that impacted how applications are sequenced. As a result, the sequencing practices are now different for versions for App-V 4.2 and later versions. As included in the release notes App-V 4.5, there are now several core components which may generate application compatibility issues with App-V applications including;

  • .NET Installation Components
  • Microsoft Internet Explorer Components
  • Microsoft MSI Installer Redistributables
  • Core Operating System (OS) components
  • Installation artefacts (settings left-over from MSI Installation processes)

In addition, to these issues, it appears that empty directories (or folders) that are captured as part of the sequencing process are causing the App-V VFS to crash on certain clients. We have not fully analysed this issue yet  - however, I have included the results for our AOK "Empty Directory Check" Plugin for illustrative purposes.




I am really surprised by the results. And, by means of qualifying the results, this is really a preliminary analysis of these App-V SFT file types. The AOK Plugins may need to be refined or seriously modified based on some real empirical evidence of client issues. That said, all of the manual testing of each of these "classes" of issues   did match the AOK Plugin results.

I am going to spend some time analysing these results but it looks like the big issues are .NET and IE integrations issues with a surprisingly high number of SFT packages with empty directories - something that is known to crash the Microsoft App-V client sub-system. Maybe some more thought is required here.

To help out with explaining what we are actually looking for in each App-V SFT file, I have included some brief "snippets" of the AOK Plugin descriptionsincluded in this particular report. Each description should give you an idea of the things that we are looking for in each application package, and the reason why we are looking there.

Darwin Descriptors Registry Check
This AOK Plugin will analyse each selected and loaded application for the following Registry key HKEY_CLASSES_ROOT\extfile\shell\Open\command within each application package. If a Darwin descriptor registry key has been raised, and AMBER Issue will be flagged by the AOK application.

Empty Directory Check
This AOK Plugin will analyse each loaded and selected application package and ensure that the loaded MSI or SFT file does not contain any non system empty directory table entries. This Plug-in will raise an AMBER issue if these types of directories are detected in an application package.

Internet Explorer Integration Analysis
This AOK Plugin analyses each loaded and selected application package for file entries that are included as part of the Microsoft Internet Explorer 6  (IE6) redistribution package. This Plug-in will raise an AMBER issue if these files are detected in an application package.

Known DLL File Check Analysis
This AOK Plugin will analyse loaded and selected application packages for file level entries that match the list of Microsoft Known DLL's. The DLL's contained within this list will not support SxS isolation or any other Microsoft redirection technology. This AOK Plugin will generate AMBER results.

Microsoft .NET Sequenced Component Analysis
This AOK Plugin analyses each loaded and selected application package for file entries that are included as part of the Microsoft Windows .NET redistribution package. This Plug-in will raise an AMBER issue if these files are detected in an application package.  Due to the Operating System and .NET installation requirements, if older versions (.NET 1.X and 2.X) are included in a sequenced package then application runtime issues may arise.

Windows Installer Redistributable Analysis
This AOK Plugin analyses each loaded and selected application package for file entries that are included as part of the Microsoft Windows Installer  redistribution package. This Plug-in will raise an AMBER issue if these files are detected in an application package.

Sequencer Registry Exclusion Analysis
This AOK Plugin analyses each loaded and selected application package for file entries that are not fully captured as part of the  Microsoft App-V sequencing process. This Plug-in will raise an AMBER issue if these registry settings are detected in an application package.

The final blog posting in this series will analyse some of the results and attempt to match these results to real world scenarios and possible application compatibility issues.

Thursday 29 October 2009

5x5x5 App-V Application Compatibility Issues: Part 2

As promised in my last blog posting, the focus of this post will be review the results of our analysis on App-V application compatibility issues for Windows 7.

So, just to recap. We are analysing issues for existing App-V application packages that are running fine (i.e. well enough) on Windows XP with the App-V client and now need to be moved over to the Windows 7 desktop platform. The challenge here is trying to determine what sequenced applications under App-V will experience application compatibility issues when run on Windows 7.

So, not all of our standard AOK Windows 7 compatibility tests will be an issue. I have removed our installation logic and MSI Installer Custom Action checks from the results as they do not apply to this sample set as the source packages are not MSI files but Sequenced SFT files

And, here are the Top 5 issues that you might encounter when migrating App-V sequenced packages are moved to Windows 7.




 
As you already know, Microsoft's App-V platform does not solve OS level compatibility issues, but solves application-level conflict issues. Just because an App-V application works great on Windows XP, unfortunately it does not mean that the sequenced package will work on  Windows 7 or Server 2008 platforms.

So, quickly reviewing these results. It looks like the most common issues will be legacy Help File (HLP files) and Hard-Coded References as potential configuration issues and the un-signed driver issues will definitely cause issues on Windows 7 64-bit platforms.

I will do a full review (and some aggregation) of these results in the final post in this series. To give some idea of the ideas behind each report, I have included a brief description of the some of the AOK Plugins that were included in the results.

Legacy Help File Scan
This platform compatibility Plugin scans application packages for Microsoft legacy Help file formats (HLP) and makes them compatible and usable from within Vista and Windows 7.

Hard Coded References Scan
This AOK Plugin analyses each loaded and selected application package for hard coded values of folder paths. Any hard coded paths found that can be represented by an MSI Installer property will be replaced with the property.

Un-Signed Driver Analysis
This AOK Plugin analyses each loaded and selected application package and will identify each driver (DRV or SYS file) contained within the package that does NOT contain file level Signed or Certificate information.    Due to the new requirements for Windows 7, all driver binaries must be digitally signed. If an application is installed on Windows 7 64-bit and it contains unsigned drivers, then the application will fail to load that driver and the application may fail to execute or behave unexpectedly.  

Legacy Control Panel Applet Scan
As part of the platform compatibility scan for Windows Vista, all legacy Control Panel Applets (CPL files)  are highlighted. These highlighted control panel applets should be removed or upgraded to Vista compatible versions.

TCP-IP WFP - IPX-SPX Scan
The Windows Vista networking stack has been completely rewritten. Instead of the dual stack model that exists in Windows XP or Windows Server 2003 (to support IPv4 and IPv6), it implements a new architecture whereby there is a single transport and framing layer that support multiple IP layers.  This means that specific legacy protocols are no longer supported. In this case, the now deprecated SPX/IPX protocol.

Wednesday 28 October 2009

Top 5x5x5 Microsoft App-V Issues

This is going to be a 3-part blog focusing on the some of the application compatibility challenges in getting applications to work on the Microsoft App-V virtualization platform.

The three parts of this rather large blog post will include the following analysis;

  1. The Top-5 application "pure" App-V compatibility issues
  2. The Top-5 application compatibility issues for App-V on Windows 7 clients
  3. The top-5 App-V 4.1 to 4.5 migration issues

There is a lot of analysis going on within ChangeBase with over 5,400 applications in a number of formats in this particular analysis sample. 

As part of this compatibility review we are analysing the following application file formats;

  • Microsoft Setup Executables (EXE's)
  • WinInstall Setup Files
  • Installshield Installation packages (EXE and ISS)
  • Wise Installation packages (WSI, WSE and EXE)
  • MSI Application packages (MSI, MST, MSP)
  • Microsoft App-V files (SFT )

As part of this analysis, we  loaded over 5000 applications into our AOK tool-set and run a number of our Microsoft App-V compatibility reports.

I filtered out the results somewhat and have included the TOP-5 application compatibility issues that we generally experience when packaging or sequencing (the packaging methodology for App-V)  for the App-V platform.

And, here are the results;

Top 5 App-V Compatibility Issues



Note: This distilled report was tuned for the App-V 4.2 deployment environment. Not the most recent release (4.5 CU1 with all public hot fixes). I will generate second table for 4.5  CU1 and 4.6 BETA in the third part of the blog posting.

To give a brief explanation of some of the results I have included some brief descriptions of the reports that were run against this portfolio of over 5000 application packages and installation routines;

No Shortcut Check
This AOK Plugin analyses each selected and loaded application to ensure that each application package contains at least one shortcut. This is required as part of the compatibility requirements for some Virtualised environments.

Non Supported Reboot Requirements
This AOK report analyses each loaded and selected application to identify if a reboot is required. As part of the application packaging process, some applications may require a reboot of the installation machine. Due to the nature of the virtualised environment installation process, some elements of the reboot process may not be captured and under some conditions the process may fail completely.

Hard Coded References Scan
This AOK Plugin analyses each loaded and selected application package for hard coded values of folder paths.

Non Supported Drivers
Due to the nature of the App-V Installation process drivers are not able to be installed in the application bubble. These drivers may also cause application installation and functionality issues for both Citrix and Terminal Services as they rely on Windows 2003 and Windows 2008 server environments.

Non Supported Service Installations
Due to the nature of virtualization technologies, access to the local machine environment is not always viable or available. Machine level services require full access to the machine and may require access to pre-boot operating level services.

If you are wondering about the title, my 5x5x5 view of the world takes into account;

  • App-V Virtualization technologies
  • Microsoft Windows 7 application compatibility issues
  • App-V 4.x to 5.4 migration issues

The next stage of this report should be available in the next few days....


Tuesday 27 October 2009

A useful list of App-V KB Articles


A friend of mine and a App-V specialist has pointed out a number of Microsoft Knowledge Base articles relating to a number of configuration and application compatibility issues with the latest releases of the App-V client and sequencer.

I thought I would distill and publish these KB articles and links in a single place for easy reading (and finding)


App-V RTM Hotfix Rollup 2
 The following issues are fixed in the hotfix package:
  • Empty virtual directories may become inaccessible. This behavior causes later file operations on that virtual directory to fail and to generate the following error message:
File Not Found
  • When you try to run ArcGIS as a virtual application, ArcGIS may stop responding on some systems.
  • When you use Symantec Endpoint Protection, and the Application and Device Control feature is enabled, virtual applications may not start and may generate the following error message:
The application failed to initialize properly (0xc000007b)
  • When you try to run SmarTerm Essentials as a virtual application, SmarTerm Essentials may not start because it cannot validate its license.


App-V RTM Hotfix Rollup 3

The following issues are fixed in the hotfix package:
  • When you add or remove a user from an Active Directory security group that is used to control access to an application, App-V does not correctly publish the application after a domain controller refresh. For example, the user does not see the new application if the following conditions are true:
    • The user is added to a security group.
    • The user is removed from the security group, but the user does not log off and then log back on. In this case, the application is not removed.
  • The Microsoft Application Virtualization for Terminal Services client intermittently generates a 0xA stop error.
  • Empty virtual directories may become inaccessible. Therefore, later file operations on that virtual directory fail. When this problem occurs, you receive the following error message:
File Not Found
  • When you run ArcGIS as a virtual application, ArcGIS stops responding on some systems when you start ArcGIS.
  • When you use Symantec Endpoint Protection with the Application and Device Control feature enabled, virtual applications cannot start. Additionally, you receive the following error message:
The application failed to initialize properly (0xc000007b)
  • When you run SmarTerm Essential as a virtual application, SmarTerm Essential cannot validate its license. Therefore, SmarTerm Essential does not start.



App-V CU1
This cumulative update contains the following changes:
  • Support for Windows 7 Beta and Windows Server 2008 R2 Beta
    App-V 4.5 CU1 addresses compatibility issues with Windows 7 Beta and Windows Server 2008 R2 Beta. Support will be provided for blocking issues that prevent App-V 4.5 CU1 from running in a test environment on pre-RTM versions of Windows 7. This change helps make sure that your virtual applications can run successfully in a test environment in which compatibility between App-V 4.5 Client and Windows 7 Beta is required.

    Note Running App-V 4.5 CU1 on any version of Windows 7 or Windows Server 2008 R2 in a live operating environment is not supported.
  • Improved support for sequencing the Microsoft .NET Framework
    App-V 4.5 CU1 addresses previous issues with sequencing the .NET Framework 3.5 and earlier versions on Windows XP Service Pack 2 (SP2) and later versions.

    Customer feedback and Hotfix rollup
    App-V 4.5 CU1 also includes a rollup of fixes to address issues that have been found in the App-V 4.5 RTM release. This cumulative update includes a combination of known issues and customer feedback from our internal teams, partners, and customers who are using App-V 4.5.
  • In addition to stability improvements, this update addresses the following issues:
    • When you try to set the default value of a registry key by using the REGVALUE OSD element, you receive an error that the OSD file is formatted incorrectly.
    • When you try to open a small application package that has been compressed, it may not start, and you may receive a "0A-00000163" error. Typically, the application package is less than 1 megabyte (MB).
    • When you open a 16-bit application, you cannot access files in the virtual file system. This causes a start failure.


App-V CU1 Hotfix Rollup 1
This Hotfix package addresses the following issue:
  • When you run the German version of Microsoft Application Virtualization 4.5, you cannot add or change attributes in the Open Software Descriptor (OSD) tab.
Note If you have the following issue, apply the Hotfix that is described in KB 969774:

App-V CU1 Hotfix Rollup 2
This hotfix package addresses the following issues:
  • When the Microsoft Application Virtualization 4.5 client tries to perform a DC refresh over HTTP or over HTTPS on an IPv6 network, the DC refresh is not completed successfully.
  • If the %APPDATA% environment variable expands to a UNC path, virtual applications may not always start with application-specific failures.
  • In environments that have a trust relationship and mapped user accounts between Windows Domain and an MIT Kerberos realm, the Microsoft Application Virtualization 4.5 client cannot log on to a publishing server. Additionally, you receive error 8009030C. You can enable this fix by creating the registry value UseMITKerberos.

    Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756  How to back up and restore the registry in Windows
  1. Start Registry Editor
  2. Locate and then click the following key in the registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SoftGrid\4.5\Client\Network
  1. On the Edit menu, point to New, and then click DWORD Value.
  2. Type UseMITKerberos, and then press ENTER.
  3. On the Edit menu, click Modify.
  4. Type 1, and then click OK.
  5. Exit Registry Editor.


App-V CU1 Hotfix Rollup 3
This hotfix package addresses the following issues:
  • When the App-V client tries to perform a publishing refresh over HTTP or HTTPS, the publishing refresh is not completed successfully. The publishing refresh is not completed successfully if a package contains pathnames that have Japanese characters. This problem occurs when the App-V client is running a Japanese version of Windows XP and has Internet Explorer 6 installed.
  • When you run a virtual application, Microsoft Access 97 generates error 1008 when Access 97 is moving temporary files.
  • When the Microsoft Application Virtualization 4.5 client tries to perform a publishing refresh over HTTP or over HTTPS on an IPv6 network, the publishing refresh is not completed successfully.
  • If the %APPDATA% environment variable expands to a universal naming conventions (UNC) path, application-specific failures do not always occur when you start virtual applications.
  • In environments that have a trust relationship and a mapped user account between Windows Domain and an MIT Kerberos realm, the Microsoft Application Virtualization 4.5 client cannot log on to a publishing server. Additionally, you receive error 8009030C.

    Note You can resolve this problem by creating the UseMITKerberos registry value.

App-V CU1 Hotfox Rollup 4
This hotfix package addresses the following issues:
  • When you apply a disk quota to the profile directories of an user and when the disk quota is near the limit, the App-V client leaks paged pool memory.
  • When run as a virtual application, a process that calls RegQueryMultipleValues experience unexpected errors or cannot start. For example, you receive error messages when you start or shutdown the Trapeze application and the application does not work correctly.
  • When a App-V client tries to perform a publishing refresh procedure over HTTP or HTTPS, the procedureis not completed successfully. Specifically, the procedure is not completed successfully if a package contains pathnames that have Japanese characters. This problem occurs when the App-V client is running a Japanese version of Windows XP and has Internet Explorer 6 installed.
  • When run as a virtual application, Microsoft Access 97 generates an error message 1008 when Access 97 is moving temporary files.
  • When a Microsoft Application Virtualization 4.5 client tries to perform a publishing refresh procedure over HTTP or over HTTPS on an IPv6 network, the procedure is not completed successfully.
  • When you expand a %APPDATA% environment variable to a universal naming conventions (UNC) path, application-specific failures occur when you start virtual applications.
  • In environments that have a trust relationship and mapped user accounts between a Windows Domain and an MIT Kerberos realm, the Microsoft Application Virtualization 4.5 client cannot log on to a publishing server. Additionally, you receive an error message 8009030C.

App-V CU1 Hotfix Rollup 5
This hotfix package addresses the following issues:
  • It takes significantly longer to stream a package over the RTSPS protocol than to stream a package over the RTSP protocol.
  • When you use TrueCrypt for drive encryption, any attempts to mount an encrypted volume may generate a 0xA stop error.
  • The Microsoft Application Virtualization 4.5 client leaks paged pool memory. This problem occurs when you apply a disk quota to the profile directories of a user and when the disk quota is near the limit. .
  • A virtual application that calls the RegQueryMultipleValues function may experience unexpected errors or fail to start. For example, you receive error messages when you start or shutdown the Trapeze application. Then, the application does not work correctly.
  • When an Application Virtualization 4.5 client tries to perform a publishing refresh procedure over HTTP or over HTTPS, the procedure is not completed successfully. Specifically, the procedure is not completed successfully if a package contains pathnames that have Japanese characters. This problem occurs when the Application Virtualization 4.5 client has Windows Internet Explorer 6 installed and runs a Japanese version of Windows XP.
  • When it is run as a virtual application, Microsoft Office Access 97 generates an error message 1008 when Office Access 97 is moving temporary files.
  • When an Application Virtualization 4.5 client tries to perform a publishing refresh procedure over HTTP or over HTTPS on an IPv6 network, the procedure is not completed successfully.
  • When you expand a %APPDATA% environment variable to a universal naming conventions (UNC) path, application-specific failures occur when you start virtual applications.

Hope you found this as useful as I did.

And, many thanks to Justin Zarb - You can find him at: http://blogs.technet.com/virtualworld/

Thursday 22 October 2009

What Application Compatibility Problem: I mean, specifically...

I was reading a post on the Microsoft TechNet Application Compatibility forum today and noticed a post that reflected how I felt after reading a number of Program Compatibility Assistant (PCA) warnings.

An excerpt of the posting reads;

"I'm testing the Win7 Enterprise edition, and ran into a "known incompatibility" message when installing Norton Ghost 12. Feeling adventuresome (since it runs perfectly well with the RC1 version), I clicked "install anyway", downloaded the latest updates from Symantec (over 200 MB as I recall) and have been successfully running Ghost 12 ever since, just like I've been doing with the RC1 version (Win 7 32 bit version) since May. So my question is WHAT compatibility problem?"

What is the compatibility problem here?

The question was well handled by another poster and moderator on the forum with the following response;

"There are a number of compatibility issues with Ghost 12 & Ghost 14 in Windows7... Creation of additional files/folders backups, control of recovery points deleted, One time virtual conversion to name but a few."
This is good information. Unfortunately, the current application compatibility infrastructure presented by Microsoft's PCA does not currently deliver this kind of useful knowledge. I use the term "Knowledge" as it does not supply enough information to allow you to make a decision.

The current PCA dialog and accompanying information does not give us enough information (should there be an advanced information option) to make a decision. As evidenced by the original issue poster

- he just decided to install anyways and see how things went for him.


You can find the Microsoft Application Compatibility forum here: http://social.technet.microsoft.com/Forums/en/w7itproappcompat

Thanks to Hula_Baluu for the great posting!

Tuesday 20 October 2009

App-V: Ordering is an issue

Still on the path of researching  application compatibility issues for App-V and associated virtualization technologies.

As part of the side-tracking, interesting bits of reading that I have picked on my way past IE6 and .NET installation issues, I have found that Microsoft's Dynamic Suite Composition (DSC) can cause a few issues as well.

The DSC issues in question are very well documented in the TechNet blog on DSC circular dependencies (see references below) and so, I will attempt to distil the three primary issues with DSC and application dependencies.

First, a brief introduction to App-V DSC and how to use it can be found here: 

Briefly, Dynamic Suite Composition is described as;

"Dynamic Suite Composition (DSC) provides a method for administrators to control which virtual applications will be combined to create a unified, virtual working environment for a single application set. To do this, DSC provides a way for the admin to specify mandatory or optional dependencies between separate virtual applications that allows each app to run within the same virtual space, or "bubble" as we call it. When this is used, when the primary virtual application is run on the client it will also launch the dependent virtual application within the same bubble, allowing the combination to run together in the same virtual environment."

The idea of Dynamic Suite Composition is great, as it allows applications to "talk" to each other across their respective virtualization/isolation bubbles. This solves a number of inter-dependency issues with applications like Microsoft Office and Adobe Reader.

Reading from the TechNet blog, the following scenario is illustrated;

"When package A depends on package B, a virtual environment (VE) is created at runtime that contains all the virtual resources from A and B’s packages, and changes to the VE are associated with A’s package when they are saved. When B depends on A, a second VE is created that also contains all the resources from A and B’s packages, but changes to the VE are associated with B’s package.

Now the problems.

  1. With the above scenario you have two Virtual Environments. Which means twice the disk space and associated deployment and management over-heads.
  2. "Bubble" load ordering is important as dependencies need to be loaded in the correct order.
  3. Each will isolated bubble will save it's state individually. Meaning, that you may have shared application access, but user settings and application settings may differ on how you load, and the order you load your application virtualization bubbles.

Maybe its easier just to install the application locally?? If you have to worry about inter-dependencies, load ordering, undetermined application and user settings states, then are we any better of with App-V?

Thankfully, there  is a solution to some of these issues with the Microsoft App-V LOCAL_INTERACTION_ALLOWED Tag.

Referencing from another TechNet blog;

"When local interaction is enabled via an OSD policy, named objects and COM objects are created in the global namespace rather than isolated inside a particular virtual environment. "

This allows the application to fully interact with the local Operating System and allows other App-V virtualization bubbles to fully interact with that bubble.  This neatly solves the some of the conundrum's with isolation, integration and dependency management with App-V.

But be warned, Chris Lord finishes his great blog entry with the following caveat.

"enabling LOCAL_INTERACTION_ALLOWED can introduce application conflicts it is best that you only implement this if absolutely necessary "

So many issues with App-V , ...  so many solutions with App-V, so many issues, so many solutions... And the cycle continues...



References:

How to dynamically suite two packages using App-V 4.5 and DSC

Circular dependencies with Dynamic Suite Composition and App-V 4.5

A Look Under the Covers - The LOCAL_INTERACTION_ALLOWED Tag