Windows 8 Integration: Difference between revisions

 
(47 intermediate revisions by 5 users not shown)
Line 15: Line 15:
** Instructions on creating a bootable USB key [http://social.msdn.microsoft.com/Forums/en-US/windowsdeveloperpreviewgeneral/thread/661d46c3-f6b9-41a4-a696-9d8c225208b6 HERE]
** Instructions on creating a bootable USB key [http://social.msdn.microsoft.com/Forums/en-US/windowsdeveloperpreviewgeneral/thread/661d46c3-f6b9-41a4-a696-9d8c225208b6 HERE]


== Internet Explorer 10 ==
== Windows Store and Certification ==
 
* [http://blogs.msdn.com/b/windowsstore/archive/2011/12/06/announcing-the-new-windows-store.aspx Store announcements and documentation]
* Misc. observations:
** [http://msdn.microsoft.com/en-us/library/windows/apps/hh694083.aspx Store Policy for Apps]
** Metro instance loads WinRT dlls (Windows.UI.dll, Windows.UI.Immersive.dll) but aside from this, same executable, linked to the same standard libraries for both Metro and Desktop instances.
** [http://social.msdn.microsoft.com/Forums/en-us/windowsstore/threads Store Discussion Forum]
** Unlike standard Metro apps, IE runs in the desktop configuration (medium integrity parent process, multiple low integrity children).
** [http://blogs.msdn.com/b/ie/archive/2011/10/20/connect-your-web-site-to-your-windows-8-app.aspx Advertising apps from within IE10 Metro]
** IE can be suspended according to PE.
* <b>Big question</b>: would there be licensing and certification issues similar to iOS?
** Security related arguments for a single browser within Metro fall flat considering Metro IE does not appear to be running within the sandbox.
 
== Windows Store ==
 
* Big question: would there be licensing and certification issues similar to iOS?
** <i>"Store policy and various runtime restrictions automatically exclude certain types of apps, which can only be implemented as desktop apps."</i> ([http://msdn.microsoft.com/en-us/library/windows/apps/hh464912%28v=vs.85%29.aspx link])
** <i>"Store policy and various runtime restrictions automatically exclude certain types of apps, which can only be implemented as desktop apps."</i> ([http://msdn.microsoft.com/en-us/library/windows/apps/hh464912%28v=vs.85%29.aspx link])
* Automatic updating - working within the confines of Microsoft's update mechanism
* Automatic updating - working within the confines of Microsoft's update mechanism
Line 76: Line 71:


* Subset of Direct2D, Direct3D, DirectWrite drawing apis supported. [http://msdn.microsoft.com/en-us/library/windows/apps/br205756%28v=VS.85%29.aspx Link]
* Subset of Direct2D, Direct3D, DirectWrite drawing apis supported. [http://msdn.microsoft.com/en-us/library/windows/apps/br205756%28v=VS.85%29.aspx Link]
** It looks like D3D is v11 only based on the naming of the APIs in the above-linked document and the the MSFT employee's response [http://social.msdn.microsoft.com/Forums/en-US/wingameswithdirectx/thread/d16bd98b-1872-4775-aafd-2de8ff6a970a here], and the 4:40ish mark of [http://channel9.msdn.com/Events/BUILD/BUILD2011/PLAT-766T this video].


==== Networking ====
==== Networking ====
Line 85: Line 81:


* Most of this info comes from this [http://channel9.msdn.com/Events/BUILD/BUILD2011/APP-409T video on Metro app suspension]
* Most of this info comes from this [http://channel9.msdn.com/Events/BUILD/BUILD2011/APP-409T video on Metro app suspension]
* More available here: [http://blogs.msdn.com/b/b8/archive/2012/02/07/improving-power-efficiency-for-applications.aspx Improving power efficiency for applications]
* There is no multi-tasking of Metro apps: Only one app runs unsuspended at a time, apps are suspended when not in foreground  
* There is no multi-tasking of Metro apps: Only one app runs unsuspended at a time, apps are suspended when not in foreground  
* Desktop is treated as one app; all other Metro apps are suspended when desktop is active  
* Desktop is treated as one app; all other Metro apps are suspended when desktop is active  
Line 145: Line 142:


=== Contracts ===
=== Contracts ===
 
[http://msdn.microsoft.com/en-us/library/windows/apps/hh464906.aspx MSDN Contracts]
* There is a new concept called contracts for interconnection/sharing with different metro apps.  
* There is a new concept called contracts for interconnection/sharing with different metro apps.  
* Implementing contracts provides more integration with the OS (e.g. with the "charms" toolbar)
* Implementing contracts provides more integration with the OS (e.g. with the "charms" toolbar)
Line 165: Line 162:


On Windows 8, IE10 is both a metro app and as a regular desktop application. When run as a metro app it does things that are known to be off-limits for metro applications. This section details what we know so far about IE10 that is unexpected from a metro app.
On Windows 8, IE10 is both a metro app and as a regular desktop application. When run as a metro app it does things that are known to be off-limits for metro applications. This section details what we know so far about IE10 that is unexpected from a metro app.
=== Observations ===
* Metro instance loads WinRT dlls (Windows.UI.dll, Windows.UI.Immersive.dll) but aside from this, same executable, linked to the same standard libraries for both Metro and Desktop instances.
* Unlike standard Metro apps, IE runs in the desktop configuration (medium integrity parent process, multiple low integrity children).
* IE can be suspended according to PE.
* Security related arguments for a single browser within Metro fall flat considering Metro IE does not appear to be running within the sandbox.
=== Process Exploration and Security ===


The following investigation was done with Windows 8 build 8102 and Process Explorer of 9/20.
The following investigation was done with Windows 8 build 8102 and Process Explorer of 9/20.
Line 170: Line 176:
The image is a screenshot of the latest process explorer. The tree in the far left column is the process tree, with child processes indented from their parents. The second column is their process id, denoted as <pid> in what follows.
The image is a screenshot of the latest process explorer. The tree in the far left column is the process tree, with child processes indented from their parents. The second column is their process id, denoted as <pid> in what follows.


[[File:Win8_prosexp_01.png]]
[[File:Win8_prosexp_01.png|200px|thumb|center|Process Explorer screenshot]]


It seems all metro processes are children from one single svchost.exe in this case <700>, which seems is some kind of souped up DCOM launcher. This makes sense because a lot of the machinery of Metro has been borrowed from COM. As its children, you can see a bunch of Metro apps. Here we have IE10 <4960>, Remote desktop client <5020>, Copper (a 3D game) <5112> and Labyrinth <3524>. Copper seems to be a native c/c++ metro app while Labyrinth seems to be an html5 app.
It seems all metro processes are children from one single svchost.exe in this case <700>, which seems is some kind of souped up DCOM launcher. This makes sense because a lot of the machinery of Metro has been borrowed from COM. As its children, you can see a bunch of Metro apps. Here we have IE10 <4960>, Remote desktop client <5020>, Copper (a 3D game) <5112> and Labyrinth <3524>. Copper seems to be a native c/c++ metro app while Labyrinth seems to be an html5 app.
Line 178: Line 184:
We shall limit the rest of the analysis to Copper and to IE because they are the closest to our scenario, but most of that follows will also apply to html5 or C# metro apps as well.
We shall limit the rest of the analysis to Copper and to IE because they are the closest to our scenario, but most of that follows will also apply to html5 or C# metro apps as well.


As it can be seen in the integrity column, all metro apps except IE10 (and its child) run in the AppContainer integrity level which is new to windows. Very little is known about it except that it is engraved in the process token itself. As a medium integrity IE10 can do anything it pleases and it does not require the broker to do file access. For example, If the broker <2784> is terminated, one can still use IE10 without a problem. However, When Copper tries to save the process in the current level it crashes. Upon restarting Copper the broker was automatically launched again.
As it can be seen in the integrity column, all metro apps except IE10 (and its child) run in the AppContainer integrity level which is new to Windows 8. Very little is known about it except that it is engraved in the process token itself. As a medium integrity process, IE10 can do anything it pleases and it does not require the broker to do file access. For example, If the broker <2784> is terminated, one can still use IE10 without a problem. However, When Copper, running at AppContainer integrity, tries to save the process in the current level it crashes. Upon restarting Copper, the broker was automatically launched again.
 
In Windows Vista and Windows 7, all applications run are by default run with medium integrity.  An application that is elevated from a UAC prompt is run at high integrity.
 
Another difference is that named kernel objects of an AppContainer process are in a different namespace. For example, in this case the regular 'interactive user' session is session 3 so a regular named object 'Foo' from a traditional desktop application will be "\Sessions\3\BaseNamedObjects\Foo" which is what we see for IE10, while for metro apps it would be:
 
"\Sessions\3\AppContainerNamedObjects\S-1-15-2-wwwwwwww-xxxxxxxx-yyyyyyyy-zzzzzzzz\Foo
 
Were w,x,y,z are are part of a unique SID which is neither the interactive user SID or the user logon SID. In fact, it seems to be some kind of per-application id.
 
The significance of that is that a good chunk of IPC mechanics become really cumbersome to bootstrap without being able from one process to create a pipe, semaphore, event, or sharedmem and from the other open it by name.
 
== 3rd Party Browser Requirements ==
 
--
These issues for x86 systems have been mitigated by the new <strong>Metro enabled desktop browser model</strong> released by Microsoft. [http://msdn.microsoft.com/en-us/library/windows/apps/hh465413.aspx spec link]
--
 
In general, browser vendors would prefer access to the system similar to that of Internet Explorer 10. From all outward appearances IE is currently able to bypass security restrictions of the Metro sandbox by running as a medium integrity process, effectively running as a standard Windows desktop application with additional extensions which allow it to latch into the Metro interface.
 
Vendors feel changes should be made to the current restrictions which will facilitate the ability of 3rd parties to compete with Microsoft's products in this new environment. The following section describes some of the areas or changes various 3rd party browser vendors need in order to provide a compelling browser experience within the Metro interface.
 
=== Memory allocation and sharing ===
 
(VirtualAlloc / HeapAlloc and friends)
 
<b>Memory execution</b> - Virtual* / Heap* apis are necessary for allocating executable memory (JIT). We have been successful in allocating memory using CreateFileMapping/MapViewOfFileEx, but based on comments by ms employees [1,2] it appears applications that attempt to do this will not pass Windows Store certification.
 
<b>Shared memory</b> - While it appears DuplicateHandle is available and passes validation, without an approved method of allocating shared memory, process creation and pipes for communication memory can not be shared between processes.
 
=== Pipes ===
 
(CreateNamedPipe, ConnectNamedPipe, DisconnectNamedPipe)
 
<b>IPC</b> - None of the current pipe apis passes validation. According to ms employee comments no IPC type mechanisms are currently accepted [3].
 
=== Processes ===
 
CreateProcess* api calls do not pass validation.
 
=== Links ===
 
* [1] [http://stackoverflow.com/questions/7473202/dynamic-code-execution-on-winrt-in-windows-8-either-c-or-net-c Larry Osterman and Steve Rowe comments on dynamic code execution via StackOverflow]
* [2] [http://social.msdn.microsoft.com/Forums/en-US/winappswithnativecode/thread/aad27744-f09f-44b3-a73d-cbcee93f4805 Osterman's short answer on VirtualAlloc]
* [3] [http://blogs.msdn.com/b/larryosterman/archive/2011/09/16/what-has-larry-been-doing-for-two-years-and-why-has-the-blog-been-dark-for-so-long.aspx Osterman's comments on IPC]
* [http://stackoverflow.com/questions/7465517/how-can-a-metro-app-in-windows-8-communicate-with-a-backend-desktop-app-on-the-s comments by Pavel Minaev on pipes, sockets, and shared memory via StackOverflow]
 
=== Questions ===
 
* Is there added overhead in going through WinRT networking APIs compared to more direct socket calls? Networking looks doable but there are concerns about a performance disadvantage.


== Hardware Configurations ==
== Hardware Configurations ==


Everyone working in this area needs hardware. MSDN says "any win7 hardware should work?  [http://blogs.msdn.com/b/b8/archive/2011/09/13/experiencing-windows-8-touch-on-windows-7-hardware.aspx Here's what MS has to say] What do we have experience with or recommend?
Everyone working in this area needs hardware. MSDN says "any win7 hardware should work?  [http://blogs.msdn.com/b/b8/archive/2011/09/13/experiencing-windows-8-touch-on-windows-7-hardware.aspx Here's what MS has to say]  


Computers and peripherals that work well with Windows 8.
What do we have experience with or recommend?
 
Computers and peripherals that work well with Windows 8:


* HP TouchSmart 9300 Elite
* HP TouchSmart 9300 Elite
Line 190: Line 247:
** Beefy enough to build code on it
** Beefy enough to build code on it
** Not very portable
** Not very portable
* Samsung Series 7 Tablets
** Relatively solid "classic" and "metro" performance.
** Finger and stylus touch inputs.
** Bulkier than android and ios tablets.


* Mozilla has purchased some Samsung Series 7 tablets. {{bug|695918}} Will update once we try to get the DP installed.
Computers and peripherals that DONT work well with Windows 8:
 
Computers and peripherals that DONT work well with Windows 8.


* Wacom Bamboo tablet
* Wacom Bamboo tablet
Confirmed users
1,982

edits