Debugging Application Compatibility Issues in Windows Vista


Some applications designed to run on Windows XP do not run correctly unless the user is an administrator. Many of these applications will run correctly on Windows Vista because of application virtualization. However, virtualization is a short-term fix, and it only redirects some registry and file system input/output (I/O); it doesn’t solve the real problem of the application being written poorly in the first place. To be honest, detecting why an application fails to run correctly can be relatively difficult because it requires a good deal of expertise to read all the event logs and error messages. Luckily, there’s a tool available, named the Standard User Analyzer (Microsoft 2006d), to make debugging your applications much easier.

When you test your application, the Standard User Analyzer will launch the application, monitor its actions, and wait for the application to close. The tool then generates a log for the application that contains eight sections as described next.

File Warnings

File warnings show file system access issues, such as trying to write to the \Windows directory. In general, file I/O issues can be fixed by writing to user-writable directories, such as anything under %userprofile%.

Registry Warnings

Registry warnings show system registry access issues, such as trying to write to any portion of HKLM. These issues can be fixed by writing to HKCU.

INI Warnings

INI warnings show issues using WriteProfileXXX, which were originally used for 16-bit Windows applications, but are still used in some applications today. Calls to WriteProfileXXX and WritePrivateProfileXXX should be replaced with modern configuration functions, such as the registry APIs. You can also remedy profile function issues by using the IniFileMapping registry settings (Margosis 2006).

Token Warnings

Token warnings show token checking issues, such as analyzing a process token to determine group membership. It is generally deemed bad practice to analyze a user token to determine access policy. Rather, you should rely on the operating system to perform standard access checks when it accesses resources.

Privilege Warnings

Privilege warnings show privilege issues, such as enabling the Debug Privilege, which is normally only accessible to administrators. Privilege issues are harder to fix, because chances are good your application needs the privilege or privileges to operate correctly. If this is the case, then your application is probably a good candidate to break into parts–where one or more components perform the privileged operations and you launch these components through a COM moniker or an elevated process.

Name Space Warnings

Name space warnings show issues that relate to an application creating system-wide objects, such as events and shared memory. The most common error is calling CreateFileMap-ping("Global\\objectname") because by default only administrators and service accounts can create global objects. The easiest fix is to remove the “Global” reference.

Other Objects Warnings

Other objects warnings show issues relating to non-file and non-registry objects, such as attempting to open the Service Configuration Manager (SCM) for all access with a call to OpenSCManager(...,SC_MANAGER_ALL_ACCESS).

Process Warnings

If you call CreateProcess or CreateProcessAsUser on an executable that is manifested as RequireAdministrator or is flagged as an installer by Vista, your code will receive an ERROR_ELEVATION_REQUIRED (740) error. ShellExecute will behave as you expect and prompt for elevation. As mentioned earlier in this chapter, ShellExecute allows you to define a runas verb, which will prompt for elevation.



Writing Secure Code for Windows Vista
Writing Secure Code for Windows Vista (Best Practices (Microsoft))
ISBN: 0735623937
EAN: 2147483647
Year: 2004
Pages: 122

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net