Saturday, January 12, 2008

Big changes

In almost every Windows OS release so far, we've changed something major in the OS subsystems, to improve the Windows infrastructure. And that generally screws up application or driver compatibility:

Windows 95
Long file names - Application developers had to fix their applications to support long file names. (A good thing, though: What is in 1NTINPRS.AVI?)

Windows NT
Driver developers had to write drivers for a new driver framework because of the hardware abstraction layer. Actually, most of them just stayed away, and supported Win9x only.

Windows 2000
A major annoyance for driver developers, who could ignore the NT driver models up to this point. Win2k ran on NTFS, and had locked-down permissions - developers couldn't install their application's files in \windows\system anymore.

We were telling corporations to set up their users as non-admins on their machines, and for the first time, corporate users in were logging in without admin rights, breaking all sorts of enterprise apps.

Consumers just sailed past, on to:

Windows XP
Installed on NTFS on default - breaking lots of applications that were used to the wide-open, unsecured world of FAT32.
We were telling the dads (or moms) of the world to run as administrator, and set up non-administrator accounts for everybody else in the household. Pretty much nobody did that - they all just logged on as Administrator. A situation that almost every bit of spyware exploited.

Which brings us to the OS everybody loves to hate (that isn't actually that bad) - the fustercluck known as:

Windows Vista
This time round, punch-drunk from all our security issues, the Windows team said: Fuck it, let's just lock it all down:

AUC: All your applications will run as non-administrator, even if you have an administrator account. No excuses. We've been telling you that you should do this since 1999.

A new graphics driver infrastructure: We had to protect the system from video driver crashes, as graphics card companies care only about performance, not stability.

Session 0 Isolation: No system service can directly create a UI. Lots of drivers and antivirus apps broke, but we fixed up a major security design flaw in Windows.

At this point, I can't think of any subsystem in Windows that needs a major change. *

Of course, with every new Windows release, subsystems are tuned up and cleaned up, but as far as I can see, it does not seem like there is a major bit of architecture that we need to change radically (as far as you application and driver developers are concerned). 

And that would be a good thing - your applications and drivers should then hopefully just keep on working in Windows 7. (And it does seem that we got bit in the ass a bit too hard with all the Vista appcompat issues.)

*as far as I can see. Who knows, a SuperUAC might be in the works. They might remove all security feature from the OS. They might make the UAC prompt pop up every five minutes. They might require driver writers to rewrite their drivers in Cobol.

47 comments:

Chad Myers said...

Vista's UAC is a reaction, not guidance. It's a reaction to the poor handling and enablement by Microsoft Marketing of poor practices all these years. Microsoft didn't REALLY take Security until the S3+1 initiatives which were mid-XP (SP2). So I think you're being disingenuous when you say that MSFT 'told' vendors, it was more like 'Please do this, but if you don't want to, it's ok as long as you sign exclusive deals with us, KKTHX!'

MSFT takes the lion share of the blame for poor security focus all these years, and then an half-assed, quasi-aborted bolt-on effort that is UAC.

Microsoft needs to take a stand at some point. UAC is half-way. When you say LOCK IT DOWN, they really need to LOCK IT DOWN, as in applications break and Microsoft Marketing should spend their time educating the customers about the shoddy programming of ISVs and IHV's. They also should be spending more time educating the legion of VB6/VB.NET developers they created out there who have no clue what a privilege token is.

If they start doing that, then I know they're serious. UAC is a token gesture to security, but not a real effort towards locking Windows down.

tuxplorer said...

Now only if MS had shipped all OSes with the default account that is configured/created to run as User and the admin account hidden. Poor home users were subject to 98 and Me. :) And today, I haven't seen many developers writing drivers using Windows Driver Foundation. Btw, what IS in 1NTINPRS.AVI?

Adam said...

BS on the idea that Microsoft told people to set up on administrator account for Mom/Dad and the rest as regular users.

In the XP install, you get 5 boxes for entering users. Each of which gets created as an administrator, doesn't it?

Unknown said...

the registry hasn't changed in a while - perhaps it time for it to go!

;)

bluvg said...

Lots of folks (devs, mostly) are clamoring for the death of the registry, but I think this is exceptionally short-sighted. The registry isn't a bad idea itself, it's just a good idea badly-implemented (or perhaps abused, or simply needs updating). For example, look at how well-received Group Policy is. Group Policy would be near impossible without the registry (in reality). Don't throw out the baby with the bathwater... going back to .config/.ini files is not the way of the future. But yes, the registry is definitely a subsystem that could be revamped in a major way, and you can bet that would be a HUGE selling feature of a new version of Windows.

Gamlor said...

Well there is one little thing which isn't improved in vista. The explorer.exe is the "major"-shell-process and it crashes a lot. Well you can have two instances of it, one for the "Windows-Explorer" and one for the rest of the shell. But it still crashes too often, mainly because a lot of third-party-apps "load"-stuff into the explorer-process. If it crashes, you don't really know, if it maybe the fault of an third-party-app.

On my XP and on my Vista-Masching, explorer.exe crashes several-time for sure =(.

Viking said...

So you're perfectly content with how Windows drivers work? Just love the clean design of WDM with the layer on top of KMDF and UMDF?

As you keep mentioning Apple, how do YOU think it stacks up with OS X's IOKit and user mode driver facilities?

Do you think Windows' approach to 64bit with LLP leaves nothing to be desired?

You're perfectly happy with the kitchen sink, umm i mean windows registry?
Think it's a worth-while tradeoff to gain record level settings-security and supposed speed benifits, for the cost of resultingly horrible roaming profiles, corruption==no-more-windows, windows-progressively-slows-down-syndrome (wasn't it meant to improve speed?), mem hog, etc?

Just wondering mister windows dev.

tuxplorer said...

Microsoft COULD do something clever about the registry with SoftGrid. They need to adapt it somehow to a standalone desktop.

Viking said...

someone - correct me if i'm wrong but doesn't softgrid simply tie application created registry entries to applications by providing the application with a doctored view of the registry.

Last i looked at Softgrid and Citrix' me-too, it seemed a bit problematic for general purpose solutions. for a start Citrix' AIE / AppStreaming stores all this in the user's reg hive - brilliant... :)

I agree that redirecting machine reg entries to user entries seamlessly is useful, and i think Vista does that in some circumstances - Soma; thoughts?

It also masks another problem which is permissions or the app feeling the need to write to a bunch of other reg entries that conflict with other apps.

BUT, it doesn't fix the fundamental issues with the registry - it just masks a few of them in a most un-elegant way.

Anonymous said...

Dude... WHERE do you work?

With all the work being done to reorg the kernel-mode stuff in Win7, and you're all "I can't think of any subsystem in Windows that needs a major change"??!? What do you call all the reshuffling and changing of those kernel-mode APIs then?

Ross said...

I'm quite impressed by your ability to say with a straight face that the new graphics driver infrastructure was meant to protect the system from video driver crashes. If that were true, it would have been done in Windows 3.1, where video driver crashes began to become annoying. No, the new GDI is for a different kind of protection: to protect Hollywood from ripping. Which reminds me of a third kind of protection: the money you pay to the local hoods so's your restaurant doesn't get torched.

tuxplorer said...

yes viking SoftGrid in its current state does that. What I meant was adapting/changing it to fit a single desktop. basically they now have a full desktop app virtualization technology in softgrid, they can put it to clever use.

Soma said...

Adam's comment:
BS on the idea that Microsoft told people to set up on administrator account for Mom/Dad and the rest as regular users.

In the XP install, you get 5 boxes for entering users. Each of which gets created as an administrator, doesn't it?


Yep, that's sadly true. Good point. We should not have done that, but XP came out in 2001, and we were (I'm guessing) more concerned about all the 9x applications we'd be breaking by creating new users as non-admins.

Fastforward to 2004: Vista is late, and spyware is infecting a huge number of Windows XP machines. I remember a lot of articles on MSN.com and other consumer-focused microsoft.com pages about the dangers of running as administrator. With step-by-step guides showing users how to demote their kids to non-admin users.

It was a pretty inelegant solution to the problem, obviously.

Viking said...

can't resist being a smart-arse at this point:

fast forward to 2004 and the Winxp-SP2 (aka winxp trustworthy computing edition) install still does the same thing.

Secure by design, secure in deployment, secure by... um? could someone refresh my memory, please...?

Steve said...

What! No Windows ME?

Eric said...

@ross:

Read up on the new graphics driver system. It prevents graphics driver crashes from crashing the entire computer by putting most of the driver in user-space. I think it allows drivers to be updated without a system restart, something the lazy-ass graphics companies fail to exploit. Yes it includes the ridiculous DRM stuff but that's not the only change.

omega said...

Let's not forget the significant amount of system resources Vista eats up for...what?

I wish there was some way to see the difference in overall system resource use to accomplish a single task.

The same API call to create and display a window with a button in XP chew up way more in Vista. How can you tell? Because when all the theatric UI perks are disabled, Vista is slow.

Computers don't get faster just for the OS to gobble up the horsepower!

As already stated, bolt-on is the best way to describe Vista. It was a ham-fisted attempt to make new with old all in user space.

Dean said...

Why can't UAC be fixed? It ought to keep an encrypted, per-user list of apps that that user has allowed, with file hashes, so that repeated approvals aren't required, just like client-side firewalls do, with a checkbox to provide a "remember this action" option. Is there a fundamental problem with this that I am missing?

Dean said...

Why can't UAC be fixed?? It needs to keep a per-user, encrypted list of previously-allowed apps, with file hashes, so repeated execution can bypass UAC. First use presents a "remember this action" option, just like good client-side firewalls. Is there a fundamental problem with this I am missing?

Hescominsoon said...

Activex is still the major security weakneess. The ability to run apps from the browser as ring 1 or zero is still being exploited in vista.

Anonymous said...

3cell Battery for Dell Latitude X1 T6840 312-0342 Y6457 laptop battery
New Dell Inspiron B130 1300 b120 Battery 312-0416 56whr laptop battery
Gateway M360 M460 M680 8-Cell Notebook Battery 6500949 laptop battery
New Battery for HP M2000 Series DV1000 DV4000 laptop battery
Battery For HP F2019 F2019A F2019B 6000 VT6200 XT6200 laptop battery
Battery For HP HSTNN-IB04 346970-001 HSTNN-DB02 DP399A laptop battery

New F1739A Battery For HP XE XE2 Pavilion N3000 N3490 laptop battery
New Battery For HP Pavilion ZT1000 F2299A F3172B F3172A laptop battery
IBM THINKPAD 600 600A 600D 600E 600X 02K7018 BATTERY laptop battery
Battery for Gateway Solo M500 M505 Medion MD2900 MD6179 laptop battery
Battery Fit Toshiba PA3382U-1BRS PA3384U-1BRS laptop battery
Battery for Toshiba M30X M35X M40X PA3395U-1BRS PA3421U laptop battery

Genuine TOSHIBA PA3465U-1BRS Laptop Battery PABAS069 laptop battery
battery for solo 9300 6500358 GT-6300L laptop battery

Anonymous said...

一戸建て

Anonymous said...

一戸建て

Hoppp said...

キッザニア プロアクティブ
スリムビューティハウス ファンケル
スリムビューティハウス ミスパリ

Medikal

Anonymous said...

結婚式
引越
出会い系
ドロップシッピング
FX
格安航空券
復縁
為替
FX
インプラント
外為
豊胸
ローン
Toefl

Anonymous said...

復縁屋情報サービス - 復縁屋・レディス秘密探偵社復縁で元恋人や元夫婦の関係を取り戻します。レディス秘密探偵社の復縁は、あなたの心の願いをかなえます!復縁屋・レディス秘密探偵社におまかせください。復縁工作,探偵,探偵社,レディス秘密探偵社

Anonymous said...

专业的翻译公司,知名深圳翻译公司

广州翻译公司
上海翻译公司,东莞翻译公司国内同声翻译(同声传译)领域领头军!同声传译(同传)是国际会议通常使用的翻译方式, 翻译人员进入隔音间里

,通过耳机接听发言人的声音再将其翻译给听众。这种形式的翻译方式需要较为复杂的

设备以及非常专业的翻译人员,但能节省大量的时间。优质翻译公司译佰

翻译公司
能提供同传深圳德语翻译深圳俄语翻译深圳韩语翻译等数种同传语言,培养一批商务口译人员,多年以来,

译佰同声翻译在同声传译(同传)领域积累了丰富

的业务经验,能提供从专业同声翻译、译员培训到同传设备安装租售业务等一整

套国际会议同传服务,深圳翻译公司,专业深圳英语翻译 深圳日语翻译深圳法语翻译

Anonymous said...

クレジットカード現金化とは、キャッシング枠を枠一杯利用済みで、さらに現金を必要としている方を狙った、アンダーグラウンドなサービスです。
ク レジットカードには、通常、ショッピング専用のショッピング枠と、キャッシング専用のキャッシング枠が存在しています。キャッシング枠を目一杯利用してい ると、当然ながら、カードで現金を借りることが出来なくなります。ショッピングは可能な状態ですが、そのショッピング枠だと、利用用途や利用場所に制限が 生まれます。

ecndn said...

sharing for thanks.. i wish the successfrom now on writing

film izle

Anonymous said...

Interesting post ToM. You said, “it uses and alters the shot material of Brando without his consent or creative consultation.” That might be somewhat difficult due to Brando’s being dead.



E

stetik




Estetik

Anonymous said...

seo対策を行うメリット効果的な集客&顧客獲得が出来ます!SEO対策は、いわば、ユーザーの羅針盤。その羅針盤が、あなたのホームページを示すことで、あなたのホームページには多くの訪問者が訪れます。コンバージョン率が非常に高いです!
seo対策で必要なのは、初期費用と月額費用のみ。バナー広告・メール広告などの広告手段とは違い、クリックや成約に対して課金されることがありません。そのため、長期的に見ると、非常に費用対効果に優れた集客率があると言えます。
企業の知名度&信頼度をアップします!ユーザーの80%は、検索エンジンで上位表示されるホームページ(企業)に好印象を持っていると言われています。そのため、上位表示される企業をその業界の主要な企業として認識する傾向があります。

Anonymous said...

不動産投資
不動産
格安 名刺
賃貸
名刺作成
価格
名刺 激安
価格比較

Anonymous said...

Clam AntiVirus (ClamAV), is a free antivirus software toolkit for Windows and Unix-like. Both ClamAV and its updates are made available free of charge which makes it my favorite. Thank you estetik,burun estetiği, estetik, estetik, estetik, estetik, estetik, estetik, estetik, estetik, estetik, estetik, estetik, estetik, estetik, estetik, estetik, estetik, estetik, estetik, estetik, estetik, estetik, estetik

Unknown said...

http://www.hzygzs.com/contact 杭州装饰公司
http://www.hzygzs.com/about 杭州装饰公司
http://www.hzygzs.com/news 杭州装饰公司
http://www.hzygzs.com/ 杭州办公室装修
http://www.youither.com/pro/pro-cn.asp
http://www.youither.com/pro/pro-bee3-cn.asp
http://www.youither.com/pro/bee2.asp
http://www.youither.com
http://www.youither.com/pro/aloe.asp
http://www.hzygzs.com/case 杭州装修公司
http://www.hzygzs.com/messages 杭州装修公司
http://www.yixinvalve.com.cn
http://www.hzygzs.com/ 杭州店面装修
http://www.yixinvalve.com.cn ball valve球阀
http://www.linlidq.com ATS
http://www.whdq.net 气动
http://www.htbzj.net 标准件
http://www.led-lt.com LED,苏州LED,上海LED,北京LED
http://www.smilestudio.cn 网站建设,网站推广
http://www.xinjusy.com 苏州装修公司,苏州装饰公司
http://www.atsesj.com ATS
http://www.x-qun.com 芯片
http://www.youither.com/pro/bee2.asp 蜂王浆
http://www.youither.com/pro/aloe.asp 芦荟
http://www.youither.com/pro/pro-bee3-cn.asp 蜂胶
http://www.yixinvalve.com.cn/Products/View/1053valve.html ball valve球阀
http://www.yixinvalve.com.cn gate valve闸阀
http://www.yixinvalve.com.cn angle valve角阀
http://www.yixinvalve.com.cn/Products/View/3004valve.html bibcock水嘴
http://www.yixinvalve.com.cn tap
http://www.yixinvalve.com.cn/Products/View/4003valve.html Check valve
http://www.yixinvalve.com.cn/Products/View/5075valve.html hot-water heating
http://www.yixinvalve.com.cn/Products/View/5071valve.html fittings

Anonymous said...

---------------------------------------------------------------------------
Nice day, Nice feeling.....

Ramazan Yaşar said...

thanks.
Sac Ekimi
Burun Etetigi
Estetik

Anonymous said...

WoW Accountbuy wow gold,wow power leveling,Cheap WoW Accountwow gold,Hudson, Dunn declare free agencyworld of warcraft gold,cheap wow gold,world of warcraft power leveling,world of warcraft gold,buy wow gold,Buy WoW Accountbuy wow gold,wow power leveling,ffxi gil,ffxi gil,world of warcraft power leveling,World of Warcraft Account,sell wow gold,wow power level,wow gold for sale,power leveling,,wow power level,WoW Accounts for Sale, faith and creditwow gold for sale,power levelingwow power level,buy cheap wow gold.Goldho

Anonymous said...

吉原 ソープ
デリヘル
熟女
デリバリーヘルス
品川デリヘル
横浜デリヘル
デリヘル
横浜デリヘル
アダルト
アダルト動画
出会い
出会い

Anonymous said...

個別指導塾
幼児教室
個別指導塾
幼児教室

Anonymous said...

愛車
音楽のある生活

Unknown said...

thanks you so much.

sinema bursa

yanhong said...

If you need (or want) a computer that’s easy to take along,you can see it fromhp dp399a battery,whcih offer the longlife and consistently reliable performance you need to get the most out of your notebook.

yanhong said...

Do You Want a hp f2299a battery?You can still get a brand new hp f2299a battery from our company.Just tell your friends to buy, Details of products are posted here:hp f2299a battery.

yanhong said...

If you need (or want) a computer that’s easy to take along,you can see it from hp f3172b battery whcih offer the longlife and consistently reliable performance you need to get the most out of your notebook .

cenghan said...

MSFT takes the lion share of the blame for poor security focus all these years, and then an half-assed, quasi-aborted bolt-on effort that is UAC.
film izle
film izle
film izle
çizgi film izle
anime izle
erotik film izle

trhikaye said...

seks hikayeleri

sikiş hikayesi

beylikduzu escort

escort bayan

atakoy escort

trhikaye said...

escort bayan

istanbul escort

atakoy escort

escort atakoy