Bhall

I am performing the following steps for the Certified for Windows Vista Test Case 20

1. Open AppVerifier 3.22.

2. Attach application install executable to AppVerifier including msiexec.exe.

a. Enable the LuaPriv check

3. Install application

4. Once install is complete, view AppVerifier Install Logs.

a. Search logs for LuaPriv

5. For each LuaPriv Error:

a. Check Error to ensure the application did not attempt to write to or replace any WRP Registry Key or Windows System File.

Make note of any WRP Registry Key or Windows System File that the application attempted to write to or replace.

From the generated XML file you are supposed to look for any notification with severity="error"

Of all the severity="error" notifications, how do you identify which are attempts to write or replace a WRP key or Windows System File?

An example of each error would be ideal if possible.



Re: Application Compatibility for Windows Vista WRP resource

Oliver Lundt - MSFT

If you are only checking for "LuaPriv" then yes, all errors are most likely WRP and/or will have a permission issue. Post some of your error logs for suggestions on how to mitigate and resolve the error.




Re: Application Compatibility for Windows Vista WRP resource

atekant

I am not the originator of this thread but am stuck with the same issue.

I am using a plain msi file generated by VS2005, and I have over 250 LuaPriv errors. Yes, they look like trying to access files and registry keys, but I don't know how to control all these.

When run, this msi asks for admin password, but does not bring up any WRP dialogs.

Some sample entries:

<avrf:logEntry Time="2006-12-15 : 02:45:27" LayerName="LuaPriv" StopCode="0x3326" Severity="Error">
<avrf:message>The application performed a hard administrator check.</avrf:message>
<avrf:formatmessage>Called CheckTokenMembership against trusted entity &apos;NT AUTHORITY\SYSTEM&apos; (not present)</avrf:formatmessage>
[This one looks OK ]

<avrf:logEntry Time="2006-12-15 : 02:45:27" LayerName="LuaPriv" StopCode="0x331B" Severity="Error">
<avrf:message>Access was restricted to trusted users only.</avrf:message>
<avrf:formatmessage>OpenFileMappingW: Section (\Sessions\2\BaseNamedObjects\windows_shell_global_counters) only grants requested &apos;READ_CONTROL&apos; to &apos;NT AUTHORITY\SYSTEM&apos;</avrf:formatmessage>
[This one is reading from something. OK ]

<avrf:logEntry Time="2006-12-15 : 02:45:27" LayerName="LuaPriv" StopCode="0x331B" Severity="Error">
<avrf:message>Access was restricted to trusted users only.</avrf:message>
<avrf:formatmessage>CreateFileW: File (\Device\NamedPipe\wkssvc) only grants requested &apos;FILE_APPEND_DATA&apos; to &apos;NT AUTHORITY\SYSTEM, NT AUTHORITY\LOCAL SERVICE&apos;</avrf:formatmessage>
[This one is writing to a pipe. OK ]

<avrf:logEntry Time="2006-12-15 : 02:45:35" LayerName="LuaPriv" StopCode="0x331B" Severity="Error">
<avrf:message>Access was restricted to trusted users only.</avrf:message>
<avrf:formatmessage>RegCreateKeyExW: Key (\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT) only grants requested &apos;KEY_SET_VALUE&apos; to &apos;BUILTIN\Administrators, NT AUTHORITY\SYSTEM&apos;</avrf:formatmessage>
[This one is writing to the registry. OK There are over a hundred of similar errors, with different subkeys]

<avrf:logEntry Time="2006-12-15 : 02:45:53" LayerName="LuaPriv" StopCode="0x331B" Severity="Error">
<avrf:message>Access was restricted to trusted users only.</avrf:message>
<avrf:formatmessage>CreateFileW: File (\Device\HarddiskVolume1\Windows\inf\setupapi.app.log) only grants requested &apos;FILE_WRITE_DATA&apos; to &apos;NT AUTHORITY\SYSTEM, BUILTIN\Administrators&apos;</avrf:formatmessage>
[This one is writing to a file. Doesn't look like a protected file. But is the inf folder protected?]






Re: Application Compatibility for Windows Vista WRP resource

Bhall

Here is what I have been informed of that should help out. I understand it will be a time consuming task, but at least it can be resolved with confidence.

If the "Severity=Error" is searched and you get an Access Denied as the reason, you will need to look up that key on MSDN; if it is a published WRP registry key they will list it. There are some WRP keys that are not published; for those they will have to manually go to the key and verify permissions. If only the ADMINISTRATOR has rights (not SYSTEM, USERS, etc., but only ADMINISTRATOR) then it is probably a non-published protected registry key. Please note, not all Access Denied registry entries will constitute failing the test case, because not all Access Denied messages are a result of accessing a WRP key; it could be a result of invalid hooking of the key... they will have to investigate that. The other is if the "Severity=Error" indicates a replacement failure of a WRP File (such as kernel32.dll); it will indicate that the file was unable to be replaced.





Re: Application Compatibility for Windows Vista WRP resource

Matthew Braun - MSFT

Hello atekant,

See answers inline:

<avrf:logEntry Time="2006-12-15 : 02:45:27" LayerName="LuaPriv" StopCode="0x331B" Severity="Error">
<avrf:message>Access was restricted to trusted users only.</avrf:message>
<avrf:formatmessage>OpenFileMappingW: Section (\Sessions\2\BaseNamedObjects\windows_shell_global_counters) only grants requested &apos;READ_CONTROL&apos; to &apos;NT AUTHORITY\SYSTEM&apos;</avrf:formatmessage>
[This one is reading from something. OK ]

Seems you are reading from a global shell counter, which requires a process to be run within a SYSTEM context to be able to access

<avrf:logEntry Time="2006-12-15 : 02:45:27" LayerName="LuaPriv" StopCode="0x331B" Severity="Error">
<avrf:message>Access was restricted to trusted users only.</avrf:message>
<avrf:formatmessage>CreateFileW: File (\Device\NamedPipe\wkssvc) only grants requested &apos;FILE_APPEND_DATA&apos; to &apos;NT AUTHORITY\SYSTEM, NT AUTHORITY\LOCAL SERVICE&apos;</avrf:formatmessage>
[This one is writing to a pipe. OK ]

This looks like a session 0 isolation issue; please ensure you are following the recommended client/server communications listed in the Application Compatibility Cookbook

<avrf:logEntry Time="2006-12-15 : 02:45:35" LayerName="LuaPriv" StopCode="0x331B" Severity="Error">
<avrf:message>Access was restricted to trusted users only.</avrf:message>
<avrf:formatmessage>RegCreateKeyExW: Key (\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT) only grants requested &apos;KEY_SET_VALUE&apos; to &apos;BUILTIN\Administrators, NT AUTHORITY\SYSTEM&apos;</avrf:formatmessage>
[This one is writing to the registry. OK There are over a hundred of similar errors, with different subkeys]

Please check the WRP lists to see if the keys you are accessing have read/write privileges

<avrf:logEntry Time="2006-12-15 : 02:45:53" LayerName="LuaPriv" StopCode="0x331B" Severity="Error">
<avrf:message>Access was restricted to trusted users only.</avrf:message>
<avrf:formatmessage>CreateFileW: File (\Device\HarddiskVolume1\Windows\inf\setupapi.app.log) only grants requested &apos;FILE_WRITE_DATA&apos; to &apos;NT AUTHORITY\SYSTEM, BUILTIN\Administrators&apos;</avrf:formatmessage>
[This one is writing to a file. Doesn't look like a protected file. But is the inf folder protected?]

The inf directory seems to be protected by WRP (Administrators has 'Special Permissions')

Thanks!

Matthew Braun
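
A sketch of the triage discussed in this thread, added as an example and not code from any poster or from the tool mentioned later: it reads LuaPriv error entries, keeps only requests for write-type access to registry keys and on-disk files, and returns the de-duplicated paths to check against the WRP lists. The wrapper element, namespace URI and all Python names are assumptions; the message texts are the ones quoted above.

```python
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Access rights that modify an object (names from the Windows SDK).
WRITE_RIGHTS = {"KEY_SET_VALUE", "KEY_CREATE_SUB_KEY", "KEY_WRITE", "KEY_ALL_ACCESS",
                "FILE_WRITE_DATA", "FILE_APPEND_DATA", "GENERIC_WRITE", "GENERIC_ALL",
                "DELETE", "WRITE_DAC", "WRITE_OWNER"}
# Shape of the "only grants requested" messages quoted in the thread.
GRANT_RE = re.compile(r"^(?P<api>\w+): (?P<kind>\w+) \((?P<path>.+)\) only grants "
                      r"requested '(?P<rights>[^']*)' to '(?P<trustees>[^']*)'$")

def wrp_candidates(xml_text):
    """Return sorted (kind, path) pairs: write attempts on registry keys or disk files."""
    found = set()
    for el in ET.fromstring(xml_text).iter():
        if el.tag.rsplit("}", 1)[-1] != "logEntry" or el.get("LayerName") != "LuaPriv":
            continue
        if el.get("Severity", "").lower() != "error":
            continue
        text = next((c.text or "" for c in el if c.tag.endswith("formatmessage")), "")
        m = GRANT_RE.match(text.strip())
        if not m:
            continue  # e.g. hard administrator checks name no object
        if not set(re.findall(r"\w+", m["rights"])) & WRITE_RIGHTS:
            continue  # read-only requests cannot write or replace anything
        kind, path = m["kind"], m["path"]
        is_key = kind == "Key" and path.upper().startswith("\\REGISTRY\\MACHINE\\")
        is_file = kind == "File" and re.match(r"\\Device\\HarddiskVolume\d+\\", path, re.I)
        if is_key or is_file:  # WRP covers files, folders and keys, not pipes or sections
            found.add((kind, path))
    return sorted(found)

# Constructed sample: formatmessage texts quoted in the thread, wrapped in a
# placeholder root element and namespace URI (not AppVerifier's real ones).
SAMPLE_MESSAGES = [
    r"Called CheckTokenMembership against trusted entity 'NT AUTHORITY\SYSTEM' (not present)",
    r"OpenFileMappingW: Section (\Sessions\2\BaseNamedObjects\windows_shell_global_counters) only grants requested 'READ_CONTROL' to 'NT AUTHORITY\SYSTEM'",
    r"CreateFileW: File (\Device\NamedPipe\wkssvc) only grants requested 'FILE_APPEND_DATA' to 'NT AUTHORITY\SYSTEM, NT AUTHORITY\LOCAL SERVICE'",
    r"RegCreateKeyExW: Key (\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT) only grants requested 'KEY_SET_VALUE' to 'BUILTIN\Administrators, NT AUTHORITY\SYSTEM'",
    r"CreateFileW: File (\Device\HarddiskVolume1\Windows\inf\setupapi.app.log) only grants requested 'FILE_WRITE_DATA' to 'NT AUTHORITY\SYSTEM, BUILTIN\Administrators'",
]
SAMPLE_LOG = ('<avrf:log xmlns:avrf="urn:example:placeholder">' + "".join(
    '<avrf:logEntry LayerName="LuaPriv" Severity="Error"><avrf:formatmessage>'
    + escape(m) + "</avrf:formatmessage></avrf:logEntry>" for m in SAMPLE_MESSAGES)
    + "</avrf:log>")

if __name__ == "__main__":
    for kind, path in wrp_candidates(SAMPLE_LOG):
        print(kind, path)
```

The result is a list of candidates only; whether a path is actually a WRP resource still has to be confirmed against the published lists or the object's permissions.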






Re: Application Compatibility for Windows Vista WRP resource

atekant

OK, so I have established that some keys and files which should not be touched are being touched.

Now, this is a VS2005 setup project, with no custom actions, etc. Just drop the files to the project, set the Programs shortcut, and add a EULA.
I don't have the faintest idea why these keys and files are being accessed, and what to do to stop it, and whether the setup would still work if I figured out a way to do so.
I am pretty sure these are not my doing.

Under these conditions, I think this test case is problematic. As long as the setup is successful, and the WRP resources are properly protected without causing errors, I don't understand the reasoning behind failing this test, especially in such a case that one has no control over what the setup is doing.

Either way, has anyone figured out a way to pass this test with a VS2005 setup?

Argun Tekant





Re: Application Compatibility for Windows Vista WRP resource

Oliver Lundt - MSFT

Can you post the keys that are getting touched? I will try to recreate and look for the same in my demo msi project.




Re: Application Compatibility for Windows Vista WRP resource

atekant

Here are the keys being touched:

\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer
\REGISTRY\MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\TrustedPublisher
\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPublisher
\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher
\REGISTRY\MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed
\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters
\REGISTRY\MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Trust
\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\trust
\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\trust
\REGISTRY\MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\TrustedPeople
\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople
\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople
\REGISTRY\MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed
\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed
\REGISTRY\MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\CA
\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA
\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot
\REGISTRY\MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Root
\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\Root
\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT

Looks like they are all some sort of Certificates related. The WinSock2 must be there because one of the files I have uses wininet

Also being touched (with error) is the folder: \Device\HarddiskVolume1\Windows\inf
and the file: \Device\HarddiskVolume1\Windows\inf\setupapi.app.log

The log file looks innocent, but the inf folder is WRP






Re: Application Compatibility for Windows Vista WRP resource

RexH

Dear Bhall,

So we only need to pay attention to the "Access Denied" errors?
I am getting errors like these:

"The application performed a hard administrator check."

"Access was restricted to trusted users only."

"Requested a security-relevant privilege."

Are they ok to have then?

Thanks






Re: Application Compatibility for Windows Vista WRP resource

wesneon

Hi,

I found a set of informative slides re. WRP at:

http://devreadiness.org/files/134/download.aspx

Hope it helps.

Wes




Re: Application Compatibility for Windows Vista WRP resource

Bhall

So I spent some time and figured this out. I also wrote a simple console app that reads in your xml logs and identifies any WRP key and file violations. You can read about it and download it here.

http://www.dthall.com/wrp.html





Re: Application Compatibility for Windows Vista WRP resource

Sakil

Hi,

I had checked my application using WRP Identifier.

It shows me that there is NO registry key or file WRP violation.

So, does it mean that my application passes Testcase 20?





Re: Application Compatibility for Windows Vista WRP resource

Bhall

Yep, should be a pass. Most applications that have certified to date have not failed this test case.



Re: Application Compatibility for Windows Vista WRP resource

mahalax

Hi Bhall,

I tried installing the WRP Identifier app from http://www.dthall.com/publish.htm, but since we are behind a firewall, it is not getting installed. Can you please post the installable at the site which we can download and use?

Thanks.






Re: Application Compatibility for Windows Vista WRP resource

Bhall

Please check again, I've loaded up a zip file for you to download.