Monday 27 July 2009

PCA: The UAC of Windows 7?

There is probably a consensus now (possibly a strong one) that the release of Vista was troubled. The press mercilessly attached the operating system for compatibility issues and performance issues (especially on laptops). Part of the compatibility store for Vista was the much maligned User Account Control (UAC) dialog prompts. Theses "prompts" (dialog boxes asking the user if he or she was "sure" about an intended action) were widely reviled as they perceived as annoying and served little use. For a large percentage of users, once they figured out how to turn UAC off, the did (and rebooted). Simply put, UAC was a good idea, but it's implementation was poorly tuned.

Not technically speaking part of the UAC infrastructure, the Program Compatibility Assistant (PCA) was also introduced in Vista as designed to help resolve compatibility issues when installing applications. Like the UAC dialog security and "permission" prompts, the Program Compatibility Assistant will provide a dialog box to prompt a user if something does not go quite right with an application installation. From what I understand, PCA will play a significant role in application compatibility in Windows 7.

From researching the MSDN articles about Microsoft's PCA it appears that we have the following scenarios where we will see PCA prompts;


  • When a new directory is added under Program Files, and Windows does not detect an entry in the Add/Remove Program (ARP) control panel registry
  • When a user runs a setup program and as a result of the installation "completing", and Windows does not detect an entry in the Add/Remove Program (ARP) control panel registry
  • When a COM object is accessed that is also included in a special "Deprecated Component" register

Specifically, the Microsoft MSN documentation details the following areas where the Program Compatibility Assistant may alert the user;


  • Detecting Failures in Setup Programs
  • Detecting Program Failures under UAC
  • Detecting Program Failures While Trying to Launch Installers
  • Detecting Installers That Need to Be Run as Administrator
  • Detecting Legacy Control Panels That Might Need to Run as Administrator
  • Detecting Program Failures Due to Deprecated Windows Components
  • Detecting Unsigned Drivers on 64-Bit Platforms
  • Informing Users about Compatibility Issues with Known Programs at Startup

Given these wide and diverse scenarios, I expect to see a lot more of the PCA with Windows 7. Now, if we could only determine what application packages might cause PCA issues prior to installation. Hmmmm...

References:

Application Compatibility: Program Compatibility Assistant (PCA)
http://msdn.microsoft.com/en-us/library/bb756937.aspx


Aaron Stebner's WebLog
How to prevent the Program Compatibility Assistant from appearing on Windows Vista
http://blogs.msdn.com/astebner/archive/2007/05/17/2705372.aspx

Tuesday 21 July 2009

Windows 7 Upgrade Paths: Uh Ohhh


Microsoft updated it's documentation on the upgrade paths for Windows 7. The details are contained in a document located here:

http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=e170eba1-5bab-401f-bbf5-00f0ee7fe0fb


This is a pretty key document as it explicitly details what upgrade scenarios are NOT supported including;


  • Windows 95, Windows 98, Windows Millennium Edition, Windows XP, Windows Vista® RTM, Windows Vista Starter, Windows 7 M3, Windows 7 Beta, Windows 7 RC, or Windows 7 IDS
  • Windows NT® Server 4.0, Windows 2000 Server, Windows Server® 2003, Windows Server 2008, or Windows Server 2008 R2
  • Cross-architecture in-place upgrades (for example, x86 to x64) are not supported.
  • Cross-language in-place upgrades (for example, en-us to de-de) are not supported.
  • Cross-SKU upgrades (for example, Windows 7 N to Windows 7 K) are not supported.
  • Upgrades from Windows Vista to Windows N, Windows K, Windows KN, or Windows E are not supported.
  • Cross-build type in-place upgrades are not supported.
  • Pre-release in-place upgrades across milestones (for example, Windows 7 RC to Windows 7 RTM) are not supported.

And, hidden right in the middle (where I try put things that I don't want people to find) is Windows XP. Ok folks, as part of the BETA briefing of Windows 7, we were told that there "might" not be an upgrade path for Windows 7 from XP. This was caused a bit of a stink - and, it looks like "might not" has become "definitely not".

I don't think that this will affect corporates/enterprises in a big way, but the 5000 or mid-sized enterprises that Microsoft targets are typically consumers of a "upgrade" methodology rather than a clean install (generally with a new machine). We will have to see what this means in the industry, but I could see that the lack of an upgrade path from Windows XP could be a big issue.
Oh, and you might have guessed it, Windows N is not a supported upgrade path as attempting to compute this result set would have generated a NULL data-set and a biological equivalent of a divide by zero error.

Wednesday 15 July 2009

Patch Tuesday: Microsoft Security Update for July

This is a moderate update from Microsoft for the July Microsoft Patch Tuesday Security release. This month includes six patches, three rated Critical, and three rated as Important.

After loading the ChangeBASE AOK application testing portfolio into an AOK Patch Impact database, all six patches were tested for application level issues and in addition; application dependencies. For this month, all of the six Microsoft Security Updates (MS09-028 to MS09-033) raised very few or no application level or dependency level issues with the AOK Application Test portfolio. Thus, these six patches were rated as Green.

Given the very low numbers of issues for these six security updates, the ChangeBASE AOK team recommends that all these patches are rapidly deployed to a staging environment and then subsequently into Production.

The ChangeBASE AOK team recommends that with all changes to an environment basic UAT testing is performed on all business critical applications. However, for the six July Microsoft Security updates marked as Green, only marginal build level testing should be required.

Here is a sample report extract from one of the few applications in the AOK ChangeBASE Application Test Portfolio that raised a number of dependency level issues with the MS09-032 Security Update.

img

Testing Summary
  • MS09-028: Marginal Impact (both Package level and dependencies) detected across portfolio
  • MS09-029: Marginal Impact (both Package level and dependencies) detected across portfolio
  • MS09-030: Marginal Impact (both Package level and dependencies) detected across portfolio
  • MS09-031: Marginal Impact (both Package level and dependencies) detected across portfolio
  • MS09-032: Marginal Impact (both Package level and dependencies) detected across portfolio
  • MS09-033: Marginal Impact (both Package level and dependencies) detected across portfolio


Patch NameTotal
Issues
Matches
Affected
RebootRatingRAG
Microsoft Security Bulletin MS09-028 0 <1%YESCritical Critical
Microsoft Security Bulletin MS09-029 3 <1%YESCritical Critical
Microsoft Security Bulletin MS09-030 2 <1%YESCritical Critical
Microsoft Security Bulletin MS09-031 0 <1%YESImportantImportant
Microsoft Security Bulletin MS09-03216 <1%YESImportantImportant
Microsoft Security Bulletin MS09-033 0 <1%YESImportantImportant


Legend:
No IssueNo Issues Detected
FixablePotentially fixable application Impact
SeriousSerious Compatibility Issue


Security Update Detailed Summary
MS09-028Vulnerabilities in Microsoft DirectShow Could Allow Remote Code Execution (971633)
Description This security update resolves one publicly disclosed vulnerability and two privately reported vulnerabilities in Microsoft DirectShow. The vulnerabilities could allow remote code execution if a user opened a specially crafted QuickTime media file. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Payload Quartz.dll
Impact Critical

MS09-029Vulnerabilities in the Embedded OpenType Font Engine Could Allow Remote Code Execution (961371)
Description This security update resolves seven privately reported vulnerabilities and one publicly disclosed vulnerability in Internet Explorer. The more severe of the vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Payload Fontsub.dll, T2embed.dll
Impact Critical

MS09-030Vulnerability in Microsoft Publisher Could Allow Remote Code Execution (969516).
Description This security update resolves a privately reported vulnerability in Microsoft Office Publisher that could allow remote code execution if a user opens a specially crafted Publisher file. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Payload Morph9.dll, Mspub.exe, Prtf9.dll, Ptxt9.dll, Pubconv.dll, Pubtrap.dll
ImpactCritical

MS09-031Vulnerability in Microsoft ISA Server 2006 Could Cause Elevation of Privilege (970953).
Description This security update resolves a privately reported vulnerability in Microsoft Internet Security and Acceleration (ISA) Server 2006. The vulnerability could allow elevation of privilege if an attacker successfully impersonates an administrative user account for an ISA server that is configured for Radius One Time Password (OTP) authentication and authentication delegation with Kerberos Constrained Delegation.
Payload Authdflt.dll, Comphp.dll, Complp.dll, Cookieauthfilter.dll, Diffserv.dll, Fweng.sys, Httpfilter.dll, Linktranslation.dll, Msfpc.dll, Msfpccom.dll, Msfpcsnp.dll, Msfpcui.dll, Mspadmin.exe, Ratlib.dll, Socksflt.dll, W3filter.dll, W3prefch.exe, Wploadbalancer.dll, Wspsrv.exe.
ImpactImportant

MS09-032Cumulative Security Update of ActiveX Kill Bits (973346).
Description This security update resolves a privately reported vulnerability in Microsoft Video ActiveX Control. The vulnerability could allow remote code execution if a user views a specially crafted Web page using Internet Explorer that uses the ActiveX control. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Payload No binary files included. Only CLSID kill bits for specific COM objects.
ImpactImportant

MS09-033Vulnerability in Virtual PC and Virtual Server Could Allow Elevation of Privilege (969856).
Description This security update resolves a privately reported vulnerability in Microsoft Virtual PC and Microsoft Virtual Server. An attacker who successfully exploited this vulnerability could execute arbitrary code and take complete control of an affected guest operating system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights..
Payload VMM.sys.
ImpactImportant

c. 800 applications were tested against these patches using the ChangeBASE ACL (Application Compatibility Lab)

Monday 13 July 2009

Microsoft Application Compatibility List - Updated

OK, another short post today, but at least I point out that the ChangeBase team will be delivering the Patch Impact Assessment for July tomorrow - so, watch this space.


I wanted to mention that Microsoft has updated it's spreadsheet list of applications that either have known compatibility issues, are supported or have free/paid upgrade options.

The list contains information on 8785applications which have been allocated into the following Windows Vista specific compatibility categories:


  • “Certified for/Works With Windows Vista” means that the application has earned the “Certified for Windows Vista”
  • "Compatible” means that the application has been reported by the application manufacturer as compatible with, or supported on, Windows Vista.
  • “Not Compatible” means the application has been reported by the application manufacturer as not compatible with, or supported on, Windows Vista.
  • “Free Update Required” means the application has been reported by the application manufacturer as needing a free upgrade from the application manufacturer to ensure that a product is compatible with, or supported on, Windows Vista.
  • “Paid Update Required” means the application has been reported by the application manufacturer as needing a fee-based upgrade from the application manufacturer to ensure that a product is compatible with, or supported on, Windows Vista.
  • “Unknown” means that no information is available from the application manufacturer about whether the product is compatible with, or supported on, Windows Vista.


After creating a quick and dirty XL pivot table, I was able to generate the following summary results;


32-bit Windows Vista Compatibility Status

Total

Certified for Windows Vista

656

Compatible

5699

Free Update Required

177

Not Compatible

564

Paid Update Required

312

Works with Windows Vista

1377

Grand Total

8785


There is also mention of 32-bit and 64-bit support. At present, there does not seem to be any references to Windows 7 or Server 2008 R2. As this XLS list is updated monthly, we will see a Windows 7 update when Windows 7 hits RTM later this month.

Just a side note though, the number of "certified for Windows Vista" applications is incredibly small - especially after years of Vista's production release.


The Microsoft Application Compatibility List can be found here:


http://www.microsoft.com/downloads/details.aspx?familyid=9DF23606-7276-4CE2-8993-143E101DDBCD&displaylang=en


And further references on application compatibility and the Windows Logo Program can be found here:


Windows Vista Compatibility Center: http://www.microsoft.com/windows/compatibility

Windows Vista Logod Product List for Hardware: http://winqual.microsoft.com/hcl/Default.aspx

Certified for Windows Vista Software List: https://winqual.microsoft.com/member/softwarelogo/certifiedlist.aspx

Works with Windows Vista Software List: https://winqual.microsoft.com/member/softwarelogo/workswithlist.aspx

Windows Vista TechCenter: http://technet.microsoft.com/en-us/windows/aa904820.aspx

Wednesday 8 July 2009

Microsoft Asset and Planning Solution Accelerator

Well it has been a little while now since I have updated my blog. Apologies for that - the momentum of work has really pushed me away from the regular updates that I would like to deliver.

There is a number of new tools that I have been "playing" with over the past few weeks. One of the more interesting updates to the Microsoft Application compatibility tool-sets is the Microsoft Asset and Planning (MAP) Solution Accelerator.

Microsoft Solution Accelerators are generally a collection of tools and documentation that attempts to address a particular issue; such as migration to a new platform, Office compatibility or, in the case of the MAP tool-set, to determine which hardware is suitable for Windows 7. Other Microsoft Solution Accelerators that come to mind include;


  • Business Desktop Deployment (the infamous BDD)
  • Microsoft Assessment and Planning Toolkit 3.2
  • Microsoft Deployment Toolkit 2008
  • Windows Vista Security Compliance Management Toolkit
  • 2007 Microsoft Office Security Compliance Management Toolkit
  • Data Encryption Toolkit for Mobile PCs
  • Security Compliance Management Toolkit series


The complete list of Solution Accelerators can be found here: http://technet.microsoft.com/en-us/solutionaccelerators/default.aspx

The Microsoft Asset and Planning tool-kit contains a huge amount of desktop deployment documentation and once installed (requires SQL Express) is able to automatically (and agentlessly) scan your network for computer hardware information. This information is then compiled into some great reports. In addition, there are some really good proposal templates ("starters for 10 ") that should get you going in your effort to determine which machines (servers, desktops and virtual machines) are ready for Vista/W7 and what particular deficiencies or components need to be updated or upgraded.

The link to the MAP portion of the Microsoft Connect site can be found here.

https://connect.microsoft.com/Downloads/DownloadDetails.aspx?SiteID=297&DownloadID=18223