Libraries, UAC, WRP: Windows 7 AppCompat Series

In this Last part of the AppCompat Series we will look at the Core OS changes which Windows 7 has undergone and how that can affect your applications. We will discuss on areas like UAC (User Account Control), WRP (Windows Resource Protection), Libraries, Removal of Live Gallery applications from the OS and the importance of porting applications for 64-bit architectures.  We will also see on how these issues can be handled.

UAC (User Account Control)

UAC is a security feature that was firstly presented in Windows Vista., and now in Windows 7. UAC enables the user to run as standard user, and elevate only when an administrative operation is performed. The operating system has a File and Registry Virtualization capabilities, through which the system-wide file system (even to the root drive, for eg: C:\) and Registry writes are automatically and silently redirected to per-user locations (VirtualStore) that won’t harm the wider system. This ensures that, the machine is secured and stable.

You can watch these videos to understand these below,

There could be some issues because of this to the existing applications, Like, Custom installers and updaters need administrator privileges to install. The application does unnecessary administrator checks or administrative actions. Also, if there is a custom method written in the app which writes to file or registry locations that are not virtualized there could be an issue of non-functionality.

Mitigation is to apply some common shims like Virtualization shims and ForceAdminAccess shims. To learn how to apply shims, refer Part 1. Applications needing to run as administrator should manifested (if you are the author) or use RunAsAdmin or RunAsHighestAvailable. If this doesn’t solve, as a last resort, relax ACL’s on files and folders (not a best case solution)

Removal of Windows Live Gallery Applications

Windows Mail utility (Outlook  Express) and Movie Maker have been deprecated from Windows 7.

Which means CoStartOutlookExpress API is disabled. Also other software like Messenger, Address Book, Photo Gallery, and Movie Maker are deprecated. All entry points to Windows Mail and Contacts (for example, Start Menu, user-created Shortcuts, Start -> Run, etc.) are removed or disabled. File types (.eml, .nws, .contact, .group, .wab, .p7c, .vfc, etc.) will need to be associated with other applications

A simple Mitigation is to Install Windows Live applications( or applications of your choice.

Developers, remove application calls to API CoStartOutlookExpress or any other API calling Windows Mail.

File Libraries

Libraries are the primary entry points to user data in Windows 7. They are the natural evolution from the user’s Known Folders, including those for documents, pictures, music, and videos. A Library is a user-defined collection of content that represents the user’s data independently from the folder hierarchy. Libraries provide a centralized folder-like experience for file storage, search, and access across multiple locations, both local and remote. The Documents Library is the default location of common file dialogs. The Library is itself a file, and not a folder. Path manipulations can result in errors. GetFolder() returns a file

IFileDialog->GetFolder() +

IFileDialog->GetFilename() breaks with libraries

Mitigation for your existing applications should be that, when using IFileDialog, you must use GetResult method in conjunction with the shell APIs instead of manipulating the folder path directly.

To Learn more on Libraries – Read the Windows Team Blog here

Windows Resource Protection (WRP)

We all know that, Windows XP and earlier versions of Windows protect system related files.  This process was called Windows File Protection (WFP).  These protected files were saved in C:\Windows\System32\dllcache. In Windows Vista and Windows 7, the security is spread even to registries and folders as well.  Hence, this technology is called Windows Resource Protection (WRP). WRP components are saved in C:\Windows\winSxS folder. Application installers that attempt to replace, modify, or delete OS files and/or registry keys that are protected will fail with an access denied error message because the resource could not be updated.

A simple Mitigation is to apply shims for WRP issues. See Part 1, to understand how to create a new shim. IT Pros should never repackage Microsoft redistributables (Use the Microsoft provided redistributable package instead).

Developers should not write any resources to system files and registry keys (if possible, use User profiles folders and HKCU)

64 Bit Applications

Windows Vista and newer operating systems fully support the 64-bit architecture processors from AMD and Intel. The 64-bit version of Windows Vista can run all 32-bit applications with the help of the WOW64 emulator.  Applications or components that use 16-bit executables, 16-bit installers or 32-bit kernel drivers will either fail to start or will function improperly on a 64-bit edition of Windows Vista.

Mitigations for this issue is to remove all 16-bit components, and Port 16-bit installers to 32-bit or 64-bit installers. Also it’s important to ensure that all 64-bit drivers are digitally signed.

This completes the AppCompat Series. This series of posts covered information on how the core changes of Windows 7 will affect the Day-to-Day applications. We also saw methods to mitigate the issues from the basic viewpoint of Developers, IT Pros and End-Users.  I will cover a lot more on critical issues as individual posts in the future. I would also recommend Chris jackon’s blog for high level information on Application Compatiblilty.

To get the list of the Applications which are compatible on Windows 7, check this sheet.

For More Compatibility articles, Check here –

The Complete Application Compatibility Series


13 responses to “Libraries, UAC, WRP: Windows 7 AppCompat Series”

  1. msigeek Avatar

    4 modes of UAC in Windows 7

    High: Vista equivalent
    Prompts for: all elevations
    Prompts on: secure desktop

    Medium: default
    Prompts for: non-Windows elevations
    Windows means:
    Signed by Windows certificate
    In secure location
    Doesn’t accept control command-line (e.g. cmd.exe)
    Prompts on: secure desktop

    Prompts for: non-Windows elevations
    Prompts on: standard desktop
    Avoids black flash and user can interact with desktop
    Possible appcompat issues with 3rd-party accessibility applications

    Off: UAC off
    No Protected Mode IE
    No file system or registry virtualization

  2. Ankit Avatar

    thanks for information on “User Account Control”, I was looking for it for long time.

    1. Vijay Avatar

      Thanks Ankit. Good to hear that, this article was useful.

  3. Ankit Avatar

    you know few days back, I was searching for what “C:\Windows\winSxS” folder meant for? As, it contains files over 4Gb and take much space.

    1. Vijay Avatar

      Then I would recommend you read this as well on WinSxS –

Leave a Reply

Your email address will not be published. Required fields are marked *