As I mentioned in a blog posting a little while ago, I had the opportunity to speak at Microsoft TechDays in Amsterdam. Taking a break from these sessions, I was able to attend Aaron Margosis' session on application compatibility.
I learned a lot from the sessions and took some notes. What I really appreciated was the pragmatic approach to application compatibility that Aaron employed. As a Microsoft consultant, he is on the "sharp-end" of getting applications to work and has probably seen more than his faire share of broken applications. This I feel reflects his broad approach to remediating applications which includes the following;
- Retire the app
- Get an updated version of the app (from vendor or your developers)
- Modify the installer via transforms or post-install scripts
- Let UAC file/Registry virtualization do its magic
- Apply shims
- Change permissions or security policies
- Machine virtualization
We have talked before about changing settings and application rationalization exercises (retire or upgrade the application) and so I wanted to focus on Aaron's thinking on Shims.
In this presentation, he used a slide titled, "What are shims good for?" with the following bullet points; *
- Bad Windows version checks
- Writing to HKCR registry keys at application runtime
- Unnecessary application start-up checks for “am I admin?”
- Writing to WRP-protected keys and files
- Windows thinks your application is an installer
- Some file/registry redirections
From my experience, I would say that shims could be used to resolve these issues but updating the application package directly probably has a more management, traceable approach. However, shims do help with the in-built hard-coded "am I admin" checks and security manifest can't really help here.
Most importantly, Aaron continues with the slide titled, "When are shims important?" and answers with the following notes;
- Source code fix not feasible
- Vendor support not important
I really agree! These are key factors in deciding if and how to fix an application.
Finally, the presentation ends a pragmatic comment on Shims including;
- Not all general purpose shims have the same … “customer love” applied in their creation
- The (shim) tools are … “primitive”
- Shims management not integrated into other management tools (e.g. Group Policy)
- You can do a lot with just the Top 10 shims
- But to becoming a shim ninja takes time and much practice
This is really the 1st time that I have heard some realistic comments about the manageability of shims from Microsoft - This is great stuff, and I would love to hear more from Aaron
*Note: I was talking hand-written notes during the session. I have tried to capture each note accurately - hopefully, there are no glaring mistakes.
No comments:
Post a Comment