Finding solutions to application incompatibility in Windows Vista

Danielle Ruest and Nelson Ruest
Danielle Ruest
Danielle Ruest
Although the adoption of Windows Vista may be lagging behind Microsoft's expectations, there is no doubt that people will be moving eventually to this powerful platform. Making the switch can be easier with a little preparation.

A major roadblock to adoption in the minds of IT mangers is the lack of a service pack. This will soon be resolved as Microsoft releases SP1 in early 2008. Another is the lack of application compatibility, but there are some specific changes that affect how applications work on this new environment.

Nelson Ruest, Contributor
Nelson Ruest
One of those key areas is security. There are a number of changes in the way Windows Vista behaves and in the way applications run in Vista based on Microsoft's new security model. For example, User Account Control (UAC), which automatically runs every process in standard user mode, has a direct impact on most applications. It grants each user a standard user token with low-level access rights. Each time a process requires administrative access, it queries the user to see if it can be granted.

More on Windows Vista migration
Avoiding software conflicts in a Windows Vista migration

Troubleshoot your Windows Vista woes with your peers at ITKnowledge Exchange.
Of course, if you have access to an administrative account, you can determine whether or not you wish to grant access. But problems arise -- sometimes major problems -- when you don't have these elevated access rights. Because of UAC, applications must be well behaved and write in user-only locations.

Another significant security change is the introduction of Windows Resource Protection (WRP), which protects key areas of the registry and the Windows file system. If applications modify these areas, then they will fail when you try to run them.

Vista also introduces a significantly different firewall. The Vista Firewall is on by default and may affect how applications that need access to external connections may work on this new platform.

But among the most significant changes in security is the modification of the logon process. In previous versions of Windows, Microsoft relied on the Graphical Interface for Network Authentication, or GINA. In Vista, Microsoft has moved to the Credential Manager and has completely removed the GINA. This means that any application that is integrated to the logon process must be completely revamped so that it can work with Vista.

These are only a few of the changes that Microsoft has introduced in Vista. In short, every application you run must be evaluated for compatibility with Vista. Use the following table to review how security components will change the way your applications work:

Programmatic changeDescriptionSolution
User Account Control Runs all processes with a standard user token. Applications that require elevated rights will fail unless they are run as Administrator.
  • Vista's virtualization of both file and registry automatically redirects most application components to user-writable areas of the system.

  • Applications can be virtualized through third-party tools.

  • Applications can be supplemented with tools that provide elevated access rights on an as-needed basis.
    • Windows Resource Protection Protect both the file system and the registry from unauthorized changes. Applications that write to protected areas of the registry or the Windows folder structure will fail.
  • Runs application in appropriate compatibility mode.

  • Corrects the application if you have access to the source code.

  • Relies on commercial application compatibility mitigation tools
    • Vista Firewall Relies on the Windows Filtering Platform, which filters at several layers in the networking stack for better system protection. Applications that cannot take into account firewall restrictions will fail.
  • Makes sure you provide specific exclusions for the applications in the firewall.
    • Credential Manager Vista now uses the Credential Manager for all logons. Applications that do not take this into account will fail.
  • All third-party logon modules must be updated to Vista compatible versions.

    • You can test all applications and prepare them for Vista, but consider using application virtualization. It does away with these security issues in one fell swoop. To learn more about application virtualization, take a look at the Application Virtualization: Ending DLL Hell once and for all webcast.

    Moving to application virtualization is the easiest strategy for a Vista migration, and it gives the best return on investment when it comes to application lifecycle management. Keep this in mind when you prepare your own path toward a Vista migration.

    Danielle Ruest and Nelson Ruest are IT professionals specializing in systems administration, migration planning, software management and architecture design. Danielle is a Microsoft MVP in virtualization, and Nelson is a Microsoft MVP in Windows Server. They are authors of several books about Windows and are currently working on the Definitive Guide to Vista Migrationfor Realtime Publishers as well as the Complete Reference to Windows Server 2008 for McGraw-Hill Osborne.

    This was first published in January 2008

    Join the conversationComment

    Share
    Comments

      Results

      Contribute to the conversation

      All fields are required. Comments will appear at the bottom of the article.

      Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.

      Back to top