Compatibility and Compatibility and Interoperability RequirementsInteroperability Requirements

Agenda

• Compatibility and interoperability requirements

• Support for x64 versions • Signing files and drivers• Version checking• Support for concurrent user sessions• Safe mode• Support for anti-malware policies• Compatibility and interoperability

test cases

Compatibility and Interoperability Requirements• Support x64 Versions • Sign files and drivers• Perform version checking properly• Support concurrent user sessions• Avoid loading services and drivers in

safe mode• Follow anti-malware policies

Agenda

• Compatibility and interoperability requirements

• Support for x64 versions • Signing files and drivers• Version checking• Support for concurrent user sessions• Safe mode• Support for anti-malware policies• Compatibility and interoperability

test cases

Support for x64 Versions

• No 16-bit code or components• x64 versions of drivers• Application setup detects and installs

proper drivers and components• WOW64—Not necessary to run application

natively• Acceptable to remove nonessential

features • 32- and 64-bit COM servers communicate

with 64- and 32-bit clients

WOW64

• Windows-on-Windows 64-bit• Handles differences between 32-bit

and 64-bit versions of the Windows operating system

• Capable of running 32-bit applications

• Included on all 64-bit versions of the Windows operating system

Agenda

• Compatibility and interoperability requirements

• Support for x64 versions • Signing files and drivers• Version checking• Support for concurrent user sessions• Safe mode• Support for anti-malware policies• Compatibility and interoperability

test cases

Signing Files

• Ensures files have not been tampered with

• All executable files must be signed with an Authenticode certificate

• Code-signing certificates are available from several vendors

• Use the SignTool in the Windows SDK to sign files

Signing Drivers

• Malicious software drivers affect stability and security

• Driver binaries loaded at boot time contain embedded signatures

• Microsoft signature for kernel-mode drivers through WHQL or DRS program

• 64-bit versions of Windows Vista will not load unsigned drivers

• Administrator privilege is required to install unsigned kernel-mode components

Creating Test Certificates

• Need only one MakeCert test certificate per computer

• Certificate store added to Windows managed list

• Install in test computer’s Trusted Root Certification Authorities and Trusted Publishers certificate stores

MakeCert –r –pe –ss TestCertStoreName –n “CN=CertName” CertFileName.cer

Delay Signing

• Developers require public key • Defer signing until shipping • Use delayed signing at build time

– Reserves space in PE for strong name signature

Delay Signing Process

• Obtain .snk file– Created using sn.exe

• Annotate with custom attributes:– AssemblyKeyFileAttribute– AssemblyDelaySignAttribute

• Turn off signature verification

[assembly:AssemblyKeyFileAttribute("myKey.snk")] [assembly:AssemblyDelaySignAttribute(true)]

Agenda

• Compatibility and interoperability requirements

• Support for x64 versions • Signing files and drivers• Version checking• Support for concurrent user sessions• Safe mode• Support for anti-malware policies• Compatibility and interoperability

test cases

Version Checking

• Allows application to be used in future versions– Check for ≥ desired version number– Do not check CurrentVersion in registry– If EULA prohibits use on future operating

systems, fail gracefully

• GetVersionEx– Version-checking API

• Check for capabilities rather than version– Windows build team recommendation

• VerifyVersionInfo• Environment.Version property

Agenda

• Compatibility and interoperability requirements

• Support for x64 versions • Signing files and drivers• Version checking• Support for concurrent user

sessions• Safe mode• Support for anti-malware policies• Compatibility and interoperability

test cases

Fast User Switching

• Multiple users can log on• Switches quickly between open

accounts• Does not change application state• Uses Terminal Services technology

FUS Application Best Practices (1)

• Test application under FUS• Implement true profile separation• Register for notification of a user

switch• Be aware of other running instances

FUS Application Best Practices (2)

• Applications must allow multiple sessions unless prevented by architecture

• Includes Remote Desktop Connection sessions

• If not supported, alert user and write to Windows NT event log

• 3D graphics applications– Not required to work over RDC – User alerted on failure

• Sound in another user session inaudible in current session

Agenda

• Compatibility and interoperability requirements

• Support for x64 versions • Signing files and drivers• Version checking• Support for concurrent user sessions• Safe mode• Support for anti-malware policies• Compatibility and interoperability

test cases

Safe Mode

• Enables users to diagnose and repair Windows configuration

• Drivers and services should not run unless needed for:– Basic operations– Diagnostic purposes– Recovery purposes

Safe Mode Registry Keys

• If set, drivers and services run in safe mode without any errors

• Minimal and network registry keys

• Any use of these keys must be listed in the logo documentation

HKLM\System\CurrentControlSet\ Control\SafeBoot\MinimalHKLM\System\CurrentControlSet\ Control\SafeBoot\Network

Safe Mode Registry Safe Mode Registry SettingsSettings

Agenda

• Compatibility and interoperability requirements

• Support for x64 versions • Signing files and drivers• Version checking• Support for concurrent user sessions• Safe mode• Support for anti-malware

policies• Compatibility and interoperability

test cases

Anti-Malware

• Applications MUST meet privacy guidelines

• You risk losing logo certification if your application is identified as malware or spyware

• Anti-Spyware Coalition– 40-plus member organizations– Includes Microsoft

Agenda

• Compatibility and interoperability requirements

• Support for x64 versions • Signing files and drivers• Version checking• Support for concurrent user sessions• Safe mode• Support for anti-malware policies• Compatibility and

interoperability test cases

Compatibility and Interoperability Test Cases (1)

• Verify application installer:– Does not have a 16-bit installer– Does not use or rely on 16-bit code or

components– Does not attempt to install any non-64-

bit drivers on x64 versions of the Windows operating system regardless of whether application is a Win32 application or is native to 64-bit

Compatibility and Interoperability Test Cases (2)• Verify executable files and other files

installed by the application are signed

• Verify all kernel-mode drivers installed by the application are signed

• Verify application properly checks for operating system version

• Verify application launches and runs properly using Fast User Switching

Compatibility and Interoperability Test Cases (3)• Verify application launches and run

properly using Remote Desktop• Verify drivers and services start in

safe mode

Summary

• Compatibility and interoperability requirements

• Support for x64 versions • Signing files and drivers• Version checking• Support for concurrent user sessions• Safe mode• Support for anti-malware policies• Compatibility and interoperability

test cases

Additional Resources

• WOW64 implementation detailshttp://msdn.microsoft.com/library/default.asp?url=/library/en-us/win64/win64/wow64_implementation_details.asp

• Delay signinghttp://blogs.msdn.com/shawnfa/archive/2004/03/17/91575.aspx

• Fast User Switchinghttp://support.microsoft.com/kb/294737/en-us

• Anti-malwarehttp://www.antispywarecoalition.org/