Geek School: Learning Windows 7 – Managing Applications

Have you ever wondered why your favorite game from Windows 95 just doesn’t seem to run on Windows 7 but other applications do? Well we have the answer for you, as well as a few solutions for how to fix it.

Be sure to check out the previous articles in this Geek School series on Windows 7:

And stay tuned for the rest of the series, as we have many more articles over the next few weeks.

Why Do Applications Become Incompatible ?

One of the most common reasons is a Windows feature called Windows File Protection which first appeared in Windows Vista. Windows File Protection, as the name implies, protects core system files from being replaced. It does this by modifying the security ACL on the file to give only the TrustedInstaller user full access to the file, which ensures that only programs like Windows Updates can replace and edit the file. In Windows 7 the feature was renamed to Windows Resource Protection.

Security enhancements also play a big part in application incompatibility, most notoriously because of UAC (User Account Control), which did not exist in Windows prior to Vista. Similarly, the directory structure, most notably around User Profiles, changed in Windows Vista and broke many applications that were designed for the pre-longhorn area. To try and fix the situation they implemented symbolic links (sometimes called Junction Points in older versions of Windows) that redirected the old locations to the new ones.

Making Applications Compatible

Just because an application is incompatible with your operating system doesn’t mean you can’t coerce it to run. The first thing you will want to do is identify if  an app is incompatible with Windows 7. To do this, open Control Panel and click on the Programs category. Here you will see a Run programs made for previous version of Windows hyperlink. Click on it.

image

Then expand advanced and deselect the option to automatically fix errors, then click next.

image

Now click browse and find the file you are trying to run, then click next.

image

When the scan is done, view the detailed information.

image

Here you will see the issues found. As you can see the messages aren’t always that helpful, but at least you now know your application is going to have trouble running.

image

Using Compatibility Mode

If the application you are trying to run was specifically designed for a previous version of Windows, you can try and mimic the older environment using compatibility mode. To do this, right click on the program you want to run and select properties from the context menu.

image

Then switch over to the compatibility tab.

image

Here you will be able to set the operating system environment. You can do this by selecting the checkbox and choosing the operating system from the drop down.

image

Using the Application Compatibility Toolkit

The full power of the Application Compatibility Toolkit is out of the scope of this article, but there is one tool that you need to know about. The Internet Explorer Compatibility Test Tool allows you to test your local intranet sites for compatibility with the up and coming release of Internet Explorer. To get started go ahead and launch it.

image

Then click on the enable button.

image

Now open Internet Explorer, and the first thing you will notice is a little clipboard in the status bar. If you click on it you will get a message box explaining that the browser is busy being used to evaluate compatibility. All you need to do is go about browsing your webpages as you normally would. Once you are done, close Internet Explorer.

image

Below you can see the issues the tool found with the webpages I browsed. You can now save the report and send it off to the developers.

image

Application Restrictions

Now that we have managing applications that we want to run out of the way, let’s take a look at managing applications we don’t want to run. One of the methods we can use to restrict the software running in our environments is using a software restriction policy, also known as an SRP. While this is normally done through Active Directory and Group Policy, we will set up an SRP on our local machine.

Software restriction policies are applied to machines and not to users. In order to create a policy open the Group Policy Management Editor and navigate to:

Computer Configuration\Windows Settings\Security Settings\Software Restriction Policies

image

The first thing you need to do is actually create a policy by right clicking and choosing New Software Restriction Policies.

image

Then head into Security Levels. There are 3 security levels.

  • Disallowed – No software runs by default, only software you explicitly allow can run.
  • Basic User – Allows all software that doesn’t require admin privileges to run.
  • Unrestricted – All software runs, except software that you explicitly deny.

Then right click on Unrestricted and make it the default.

image

Now we need to switch over to the rules section and add a new rule. There are 4 kinds of rules.

  • Hash – Checks an executable against a list of banned hashes
  • Certificate – Uses digital certificates to stop applications from running
  • Path – Bans applications based on a fully qualified path
  • Zone – Uses alternate data streams to view where the file was downloaded from, and bans it banned on this information.

For this example a hash rule will do just fine.

image

Then click the Browse button and select:

C:\Windows\System32\mspaint.exe

image

Once you have applied the rule, try to launch Paint.

image

Stopping Applications From Just Starting Up

One of the most common methods used by script kiddie virus developers is to make malicious code automatically execute at startup. One easy way to manage startup items is using a utility called MSConfig. To launch it press the Windows + R keyboard combination to bring up a run box then type msconfig and hit enter.

image

When MSConfig opens, switch over to the Startup tab. Here you can easily disable programs that are starting up automatically by unchecking them.

image

Recently though, developers have found ways to hide items from MSConfig and have them only appear in the registry. There is two locations in the registry where Windows allows you to add startup items:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

The difference being that entries in the HKEY_LOCAL_MACHINE hive are executed for all users on the machine while entries in HKEY_CURRENT_USER are only executed for the current user.

 Homework

Be sure to stay tuned for our next Geek School article on Monday, where we’ll cover how to manage IE settings from the administrator point of view.

If you have any questions you can tweet me @taybgibb, or just leave a comment.

Taylor Gibb is a Microsoft MVP and all round geek, he loves everything from Windows 8 to Windows Server 2012 and even C# and PowerShell. You can also follow him on Google+