Jay Paloma's Tech and Music Blog

Sometimes, this writer can no longer distinguish between the two.

Top 10 Application Compatibility Issues that still affect Windows XP to Windows 8 Migration


April 8, 2014 marks the end of Windows XP support. According to Microsoft:

It means you should take action. After April 8, 2014, there will be no new security updates, non-security hotfixes, free or paid assisted support options or online technical content updates.

One of the first things you will do to address your Windows XP to Windows 8 migration is to test your current applications for compatibility with the planned new Windows client platform. I have compiled a list of the Top 10 issues that still affect Windows 8 deployment in your organization. I used Citrix AppDNA 6.3 Application Compatibility Software to gather information based on 35 randomly selected apps that run on Windows XP. Note that I have deliberately omitted the remediation actions for most of these issues, and only included the commonly known and obvious ones.

These issues don’t just affect migration to a new Windows client platform. Companies that are currently on Windows XP and are deploying Citrix XenApp or Citrix XenDesktop will sooner or later encounter these issues, and more. For XenApp 6.5, we need to ensure that the application runs on Windows Server 2008 R2 (which is 64-bit, adding another layer of compatibility issues not addressed in this article) and that it can run in a remote desktop/TS capacity. For XenDesktop, we need to consider whether the application can run on the target Windows platform and whether that platform will be 64-bit.

And here they are:

# 10 – .NET 3.5 Framework Dependency

.NET 3.5 Framework is not available in Windows 8 by default. Applications that require it will either fail to install or, if they install successfully, fail to function on Windows 8 unless .NET 3.5 is installed before the application or is redistributed with the application installer.

For more information, check out this MSDN article .NET Framework 4.5 is default and .NET 3.5 is optional http://msdn.microsoft.com/en-us/library/windows/desktop/hh848079(v=vs.85).aspx

# 9 – VideoPortInt10

The VideoPortInt10 function performs the equivalent of the MS-DOS INT10 function. Some legacy drivers use this function to communicate with the system BIOS, for example to change the video mode. This is no longer supported in the Windows 8 Device Driver Model (WDDM).

# 8 – Attempting to access protected registry keys

During installation, some applications designed for Windows XP attempt to write to certain registry keys that are already protected in Windows 8. Only installers with the TrustedInstaller status can write to these protected locations, but this is limited to certain Microsoft installers like Windows Update.

Elevating privileges may provide a quick remedy to this issue, but ensure that UAC prompts are suppressed as well.

# 7 – Session 0 Isolation: installing an interactive service

In Windows XP and earlier, Windows services run in the same session as the applications of the first user who logs on. This is called Session 0, and running services and applications together in the same session poses a serious security risk, since services run with elevated privileges while user apps run in the user's security context. These services become targets for malicious code that intends to hijack them to gain their elevated privileges. From Windows Vista onwards, only services are allowed to run in Session 0, and user applications run in subsequent sessions, e.g., Session 1, Session 2, etc.

The problem arises when a supposedly interactive application running as a service (and therefore in Session 0) presents a UI to its user. The user will not be able to see the UI because he/she does not have access to Session 0. The application will appear to hang because it waits indefinitely for a user reply that will never come, since the user never saw the prompt.

More information on Session 0 can be found in this MSDN article Session 0 Isolation http://blogs.windows.com/windows/archive/b/developers/archive/2009/10/01/session-0-isolation.aspx
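
One way to find the services affected by this issue before migration, as an added example that is not part of the original post: the script below decodes the `SERVICE_INTERACTIVE_PROCESS` flag (0x100) in each service's registry `Type` value. The function names are hypothetical and the sample `Type` values are constructed for illustration.

```powershell
# Added example, not from the original post. Function names are hypothetical.
# SERVICE_INTERACTIVE_PROCESS (0x100) in a service's Type value marks a service
# that is allowed to interact with the desktop.
$SERVICE_INTERACTIVE_PROCESS = 0x100

function Test-InteractiveServiceType {
    param([int]$Type)
    return (($Type -band $SERVICE_INTERACTIVE_PROCESS) -ne 0)
}

function Get-InteractiveService {
    # Reads every service entry from the registry and keeps the interactive ones.
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        if ($p -and ($p.Type -is [int]) -and (Test-InteractiveServiceType -Type $p.Type)) {
            New-Object PSObject -Property @{
                Name      = $_.PSChildName
                Type      = ('0x{0:X}' -f $p.Type)
                Account   = $p.ObjectName
                ImagePath = $p.ImagePath
            }
        }
    }
}

# Constructed Type values showing how the flag is decoded.
$samples = @{
    'KernelDriver (0x1)'               = 0x1
    'OwnProcess (0x10)'                = 0x10
    'OwnProcess+Interactive (0x110)'   = 0x110
    'ShareProcess+Interactive (0x120)' = 0x120
}
foreach ($k in $samples.Keys) {
    '{0,-34} interactive: {1}' -f $k, (Test-InteractiveServiceType -Type $samples[$k])
}

# Live inventory of the machine the script runs on.
Get-InteractiveService | Sort-Object Name |
    Format-Table Name, Type, Account, ImagePath -AutoSize
```

Each service listed is a candidate for the hang described above and should be tested on the target platform.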

# 6 – Unsigned Kernel Mode Drivers

In Windows 8 with the Secure Boot feature enabled, as well as in 64-bit implementations, the kernel is locked down to prevent malware from being introduced via rootkits that attempt to go around Windows OS security requirements. This affects kernel mode drivers, not user mode drivers.

To be able to properly function, kernel mode drivers need to support the Unified Extensible Firmware Interface (UEFI) Secure Boot, which mandates that kernel mode drivers be signed by a trusted certification authority (CA).

More information can be found in this MSDN article http://msdn.microsoft.com/en-us/library/windows/desktop/hh848062(v=vs.85).aspx
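
A way to inventory the drivers at risk, as an added example that is not part of the original post: the script lists kernel-mode drivers whose files do not carry a valid embedded Authenticode signature. The function names are hypothetical, and the path normalisation assumes the common `\??\`, `\SystemRoot\` and `system32\` prefixes.

```powershell
# Added example, not from the original post. Function names are hypothetical.
function Resolve-DriverPath {
    param([string]$PathName)
    # Driver image paths are often stored as \??\C:\..., \SystemRoot\... or system32\...
    $p = $PathName.Trim('"')
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if ($p -match '^system32\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-UnsignedKernelDriver {
    # Win32_SystemDriver reports kernel drivers with ServiceType 'Kernel Driver'.
    Get-WmiObject -Class Win32_SystemDriver -Filter "ServiceType = 'Kernel Driver'" |
        ForEach-Object {
            $path = Resolve-DriverPath -PathName $_.PathName
            if ($path -and (Test-Path -LiteralPath $path)) {
                $sig = Get-AuthenticodeSignature -FilePath $path
                if ($sig.Status -ne 'Valid') {
                    New-Object PSObject -Property @{
                        Driver          = $_.Name
                        State           = $_.State
                        Path            = $path
                        SignatureStatus = $sig.Status
                        Signer          = $sig.SignerCertificate.Subject
                    }
                }
            }
        }
}

Get-UnsignedKernelDriver | Sort-Object Driver |
    Format-Table Driver, State, SignatureStatus, Path -AutoSize
```

Drivers signed only through a catalog file may be reported as `NotSigned` by older PowerShell versions, so confirm each result with the vendor or a catalog-aware tool before treating it as a blocker.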

# 5 – Operating System Version prevents installation launch

The installation routine/MSI package will not install because it specifies a launch condition that requires one or more Windows versions, none of which is Windows 8. The simple solution to this issue is to apply the Version Lie shim or to modify the installation to remove the OS version check. Though the remediation is simple, this issue is still a Red because application installation will not continue until remediation is performed.

# 4 – User Account Control: Custom Action in MSI launches known administrative executable

Microsoft Installer (MSI) packages always run in the System context with administrative privileges that allow them to install apps, make changes to registry, etc. However, any custom action that the MSI launches does not inherit those privileges, and will fail during launch.

# 3 – User Account Control: Calling Windows administrative functions without requesting administrative privileges

We really love UAC so much that we have two of them! Calling administrative functions will cause UAC to prompt even though we may already be logged on with administrative credentials. If not logged on with administrative credentials, then UAC will prompt for administrative credentials. Either way UAC will still prompt, and since Windows XP does not have UAC yet, an application written for Windows XP is therefore not designed to handle UAC prompts.

For more information on User Account Control, go to http://msdn.microsoft.com/en-us/library/bb530410.aspx

# 2 – Setting the Color Depth

The Desktop Windows Manager (DWM), previously known as the Desktop Compositing Engine (DCE), is used in desktop composition. In Windows Vista and Windows 7, only themes utilizing AERO Glass use DWM, so only these themes can use experiences that rely on desktop composition, like Windows Flip, thumbnail view, etc. In Windows 8, desktop composition is available for all themes to simplify coding. DWM requires that the color depth be set to 32 bits per pixel, and any application calling APIs that attempt to change this will not work as expected.

For more information on the Desktop Windows Manager, check out this MSDN article Desktop Windows Manager is always on http://msdn.microsoft.com/en-us/library/windows/desktop/hh848042(v=vs.85).aspx

# 1 – GINA

Well, she’s still there, and we did choose applications that run on Windows XP, didn’t we? Even though the Graphical Identification and Authentication (GINA) and its corresponding APIs have been deprecated since Windows Vista, organizations that still have a high usage of Windows XP may rely on applications that provide authentication services like Single Sign On, or applications that authenticate from the Windows logon that run on Windows XP. As such they require GINA, and these applications will not run or may behave differently on Windows 8.

Applying a shim, even though it may be available, may not provide the expected outcome since the shim will just ignore any GINA API calls. I mean, authentication is a must for the application to run, right? Ignore authentication, and the application will wait forever until authentication and subsequent authorization is addressed.

Personally, if it’s an SSO or an application that customizes/uses the Windows logon dialog box to authenticate, I don’t bother testing at all. Warning though: don’t mistake GINA (key: it involves the logon UI) with apps that rely on Kerberos or NTLM to authenticate. These may run, but their ultimate outcome depends on whether your Active Directory infrastructure is properly configured or if NTLM is still in use should the app require it.

Go try!

Go try out this very interesting feature and see the power of Citrix AppDNA! Download your FREE copy of Citrix AppDNA from http://www.citrix.com/products/appdna/overview.html. This free version is a fully functional copy of Citrix AppDNA that allows for UNLIMITED application imports, and detailed remediation reports for 5 applications.

