Lesson 1: Application Compatibility CHAPTER 5 263
FIGURE 5-5 The Internet Explorer Compatibility Test Tool
Setup Analysis Tool
The Setup Analysis Tool monitors the actions taken by application installers and can detect
the following compatibility issues:
• Installation of kernel mode drivers
• Installation of 16-bit components
• Installation of Graphical Identification and Authentication dynamic-link libraries (DLLs)
• Modification of files or registry keys that are guarded by Windows Resource Protection
(WRP)
To perform an analysis, open the Setup Analysis Tool and type in the location of the setup
file that you want to analyze. The Setup Analysis Tool runs the setup command and profiles
the installation procedure to determine what issues might exist.
Standard User Analyzer
The Standard User Analyzer, shown in Figure 5-6, allows you to test applications to determine
if they might have compatibility issues caused by User Account Control. The Standard User
Analyzer provides data about problematic files and APIs, registry keys, .ini files, tokens,
privileges, namespaces, processes, and other related items that the application uses that
might cause problems when running on a computer with Windows 7 installed. To use the
Standard User Analyzer, start the tool, specify the target application, and then click Launch.
2 6 4 CHAPTER 5 Managing Applications
The application attempts to start, and the Standard User Analyzer profiles how it interacts
with the Windows 7 environment.
FIGURE 5-6 Standard User Analyzer
MORE INFO ACT
For more information about the ACT, consult the following TechNet Magazine article:
Application Compatibility Diagnostics Policies
There are six application compatibility related group policies that influence how Windows 7
responds when it encounters an application compatibility problem. These policies are located
in the Computer Configuration\Administrative Templates\System\Troubleshooting and
Diagnostics\Application Compatibility Diagnostics node of a Group Policy Object (GPO). These
policies are shown in Figure 5-7.
FIGURE 5-7 Application compatibility diagnostics policies
The policies have the following functions:
• Notify Blocked Drivers: When enabled, Windows notifies the user when a driver is
blocked due to compatibility issues.
• Detect Application Failures Caused By Deprecated COM Objects: When enabled,
Windows notifies the user if a program attempts to create a COM object that is not
supported by Windows 7.
• Detect Application Failures Caused By Deprecated Windows DLLs: When enabled,
Windows notifies the user if a program tries to load Windows DLLs that are not
supported by Windows 7.
• Detect Application Install Failures: When enabled, application installer failures are
detected and the user is presented with the option to restart the installation process
using application compatibility mode.
• Detect Application Installers That Need To Be Run As Administrator: When enabled,
application installations that fail because they need to be run as an administrator can
be restarted with the Run As Administrator option.
• Detect Applications Unable To Launch Installers Under UAC: This setting is similar to
the previous one except that instead of running as an administrator, the user receives
a User Account Control prompt to elevate privileges when the installation of an
application fails.
If you do not configure these policies, the default Windows 7 setting is to notify the user
that the failure has occurred and, in some instances, to start the Program Compatibility
Troubleshooter. In environments where users are not able to resolve application compatibility
issues by themselves, administrators often disable these notifications because there is little
reason to notify a user of the reason for the failure if the user is unable to resolve the problem
causing the failure.
Windows XP Mode for Windows 7
Windows XP Mode is a downloadable compatibility option that is available for the Professional,
Enterprise, and Ultimate editions of Windows 7. Windows XP Mode uses the latest version
of Microsoft Virtual PC to allow you to run an installation of Windows XP virtually under
Windows 7. The difference between Windows XP Mode and other operating system
virtualization solutions is that all applications that you install on the Windows XP Mode client will
be available automatically on the Windows 7 host computer. For example, if you install Microsoft
Office 2000 on the Windows XP Mode client, the shortcuts for the Office 2000 applications
become available on the Windows 7 Start menu. When you run an application, it starts in its
own separate window as any other application does. From the perspective of the user, this
means that applications appear as though they are executing directly within Windows 7.
Windows XP Mode requires a processor that supports hardware virtualization using either
the AMD-V or Intel VT options. Most processors have this option disabled by default; to
enable it, you must do so from the computer’s BIOS. After the setting has been configured,
it is necessary to turn the computer off completely. The setting is not enabled if you perform
a warm reboot after configuring the BIOS. Because 256 MB of RAM must be allocated to the
Windows XP Mode client, the computer running Windows 7 on which you deploy Windows XP
Mode requires a minimum of 2 GB of RAM, which is more than the Windows 7 hardware
requirement of 1 GB of RAM.
To install applications that are not compatible with Windows 7, you must start the Windows
XP Mode client from the Windows Virtual PC folder of the Start menu. After you have installed
the application, you can then start it from the Virtual Windows XP Applications folder of the
Start menu. You can also copy items from this folder to the desktop or to the Taskbar to start
them directly as you would any other program installed on a computer running Windows 7.
When you start an application installed on Virtual XP directly from the Start menu in Windows 7,
the Virtual Windows XP operating system is shut down, as shown in Figure 5-8.
FIGURE 5-8 Virtual XP shut down to run application
Windows XP Mode provides an x86 version of Windows XP Professional SP3. Windows
Virtual PC does not support x64 virtual clients, which means that you cannot use Windows XP
Mode or Virtual PC as a compatibility solution for x64 applications. Because the application is
not executing natively within Windows 7, there will be some performance overhead to using
an application through Windows XP Mode.
You should consider Windows XP Mode as a compatibility option of last resort. This is
because it requires significantly more system resources to use than the built-in or custom
compatibility modes. Another drawback to Windows XP Mode is that it requires administrators
to manage and maintain the Windows XP virtual client as they would any other client desktop
computer in their organization. This means that you need to keep the Windows XP virtual client
up to date with updates even though the people using the computer will not be accessing the
Windows XP operating system directly.
EXAM TIP
An application that functions well on a computer that has Windows XP SP3 installed, but
which does not run normally on Windows 7, might run without a problem if you configure
it to use the Windows XP SP3 compatibility mode.
Practice Windows 7 Compatibility
In this practice, you investigate Windows 7 compatibility options for an application that you
have downloaded from the Internet.
EXERCISE Configuring Compatibility Options for Process Explorer
In this exercise, you explore the compatibility options for an application and verify that
an application is digitally signed. Although Process Explorer functions without problems
in Windows 7, you need to obtain an application that is not included with Windows 7 to
configure compatibility options. It is not possible to configure compatibility options for an
application that is included within Windows 7, such as Calc.exe or Solitaire.exe.
1. If you are not logged on already, log on to computer Canberra using the Kim_Akers
user account. If you have not already downloaded the file ProcessExplorer.zip to the
desktop from Microsoft’s Web site, do so now.
2. Right-click ProcessExplorer.zip and then choose Extract All. This opens the Extract
Compressed (Zipped) Folders Wizard. Accept the default folder location and settings
and then click Extract.
3. Right-click the Procexp.exe application and then choose Properties. Click the Digital
Signatures tab, select Microsoft Corporation, and then click Details. Verify that the
application is digitally signed by Microsoft, as shown in Figure 5-9. Click OK to close
the Digital Signature Details dialog box.
FIGURE 5-9 Verify the digital signature
4. Click the Compatibility tab. Under Compatibility Mode, select the Run This Program In
Compatibility Mode For check box and use the drop-down menu to select Windows
Vista (Service Pack 2).
5. Select the Disable Desktop Composition check box and then select the Run This
Program As An Administrator check box, as shown in Figure 5-10. Click OK.
FIGURE 5-10 Configuring application compatibility
6. Double-click Procexp.exe. A User Account Control dialog box appears, warning you
that the program may make changes to your computer and listing the program name
and the origin of the file, as shown in Figure 5-11. Click Yes.
FIGURE 5-11 User Account Control prompt for Process Explorer
7. In the Process Explorer License Agreement dialog box, click Agree. Process Explorer
does not execute with these compatibility settings. Click Close The Program.
8. Right-click Procexp.exe and choose Properties. Click the Compatibility tab and then
clear the Run This Program In Compatibility Mode, Disable Desktop Composition, and
Run This Program As An Administrator check boxes. Click OK.
9. Double-click Procexp.exe. Click Run if prompted by the Open File–Security Warning
dialog box.
10. Verify that the application executes properly and then close the application.
Lesson Summary
• You can run the Program Compatibility troubleshooter to diagnose common
application compatibility issues.
• Windows 7 has several compatibility modes that allow the majority of existing software
to execute on it.
• The ACT contains several tools that allow you to analyze potential compatibility
problems prior to deploying Windows 7 in your organization.
• You can use the Compatibility Administrator to search for existing compatibility fixes
and compatibility modes that have already been developed for popular applications.
• You can use the Internet Explorer Compatibility Test Tool to check existing Web sites
and applications for compatibility problems that might exist when Internet Explorer 8
is used as a browser.
• Windows XP Mode allows you to run applications through a virtualized instance of
Windows XP that runs on Windows 7 Professional, Ultimate, or Enterprise edition.
Lesson Review
You can use the following questions to test your knowledge of the information in Lesson 1,
“Application Compatibility.” The questions are also available on the companion DVD if you
prefer to review them in electronic form.
NOTE ANSWERS
Answers to these questions and explanations of why each answer choice is correct or
incorrect are located in the “Answers” section at the end of the book.
1. You are planning to migrate all the computers in your organization to Windows 7
Professional. Your organization has several applications that are installed on computers
running Windows XP Professional. You are unable to install these applications on
computers running Windows 7 due to compatibility problems. You are unable to
configure a custom compatibility mode to support these applications using the ACT.
Which of the following solutions could you implement to deploy these mission-critical
applications on the computers running Windows 7?
A. Install the Windows XP Mode feature. Install the application under Windows XP.
B. Create a custom compatibility fix for the application using the ACT.
C. Create a shim for the application using the ACT.
D. Configure the application installer to run in Windows XP Professional SP2
compatibility mode.
2. Which of the following compatibility modes would you configure for an application
that works on computers running Microsoft Windows 2000 Professional but does not
work on computers running Windows XP?
A. Windows 98 / Windows Me
B. Windows NT 4.0 (Service Pack 5)
C. Windows XP (Service Pack 2)
D. Windows 2000
3. Which of the following file types does the Windows 7 Program Compatibility
troubleshooter application work with?
A. .cab files
B. .exe files
C. .msi files
D. .zip files
4. An application used by the administrators in your organization is not configured to
prompt for elevation when it is run. Which of the following compatibility options could
you configure for the application to ensure that users with administrative privileges are
always prompted when they execute the application?
A. Configure the application to run in Windows XP (Service Pack 3) compatibility
mode.
B. Enable the Run In 256 Colors compatibility option.
C. Enable the Run This Program As An Administrator compatibility option.
D. Enable the Disable Desktop Composition compatibility option.
5. Your organization’s internal Web site was designed several years ago, when all client
computers were running Windows XP and Microsoft Internet Explorer 6. You want to
verify that your organization’s internal Web site displays correctly when you migrate
all users to computers running Windows 7. Which of the following tools can you use to
accomplish this goal?
A. Internet Explorer Administration Kit (IEAK)
B. Application Compatibility Toolkit (ACT)
C. Windows Automated Installation Kit (Windows AIK)
D. Microsoft Deployment Toolkit (MDT)
Lesson 2: Managing AppLocker and Software Restriction Policies
Occasionally it might be necessary to limit the applications that users can run on a computer.
You might want to block a specific application from running, or you might want to ensure
that only applications that are on an approved list function on your organization’s network.
There are two different technologies that you can use with computers running Windows 7
to restrict the execution of applications: AppLocker and Software Restriction Policies. You
manage AppLocker and Software Restriction Policies through Group Policy. You can use these
technologies to restrict programs, installation files, scripts, and even DLL libraries. In this
lesson, you learn the differences between the two technologies and the situations in which
you would choose to deploy one technology over the other.
After this lesson, you will be able to:
• Configure Software Restriction Policies to restrict the execution of applications.
• Configure AppLocker policies to restrict the execution of applications, installers,
and scripts.
Estimated lesson time: 50 minutes
Software Restriction Policies
Software Restriction Policies is a technology available to clients running Windows 7 that is
also available in Windows XP, Windows Vista, Windows Server 2003, and Windows Server 2008.
You manage Software Restriction Policies through Group Policy. You can find Software
Restriction Policies in the Computer Configuration\Windows Settings\Security Settings\
Software Restriction Policies node of a group policy. When you use Software Restriction
Policies, you use the Unrestricted setting to allow an application to execute and the
Disallowed setting to block an application from executing.
NOTE CONTROLLING APPLICATIONS THROUGH PERMISSIONS
Although it is possible to restrict the execution of an application on the basis of NTFS
permissions, configuring the NTFS permissions for a large number of applications on
a large number of computers requires significant administrative effort.
You can achieve many of the same application restriction objectives with Software
Restriction Policies that you can with AppLocker policies. The advantage of Software
Restriction Policies over AppLocker policies is that Software Restriction Policies can apply
to computers running Windows XP and Windows Vista, as well as to computers running
Windows 7 editions that do not support AppLocker. The disadvantage of Software Restriction
Policies is that all rules must be created manually because there are no built-in wizards to
simplify the process of rule creation. You learn more about AppLocker policies later in this
lesson.
Software Restriction Policies are applied in a particular order, with the more explicit rule
types overriding more general rule types. The order of precedence from most specific (hash)
to least specific (default) is as follows:
1. Hash rules
2. Certificate rules
3. Path rules
4. Zone rules
5. Default rules
If two conflicting rules with different security levels are established for the same program,
the most specific rule takes precedence. For example, a hash rule that sets a particular
application to Unrestricted overrides a path rule that sets a particular application to
Disallowed. This is different from AppLocker policies, which do not use precedence rules and
where a block in any rule type always overrides any allow rule.
NOTE APPLOCKER OVERRIDES SOFTWARE RESTRICTION POLICIES
In environments that use both Software Restriction Policies and AppLocker, AppLocker
policies take precedence. If you have an AppLocker policy that specifically allows an
application that is blocked by a Software Restriction Policy, the application executes.
Security Levels and Default Rules
The Security Levels node allows you to set the Software Restriction Policies default rule. The
default rule applies when no other Software Restriction Policy matches an application. You
can enable only one default rule at a time. The three default rules, shown in Figure 5-12, are:
• Disallowed: When this rule is set, users are unable to execute an application if the
application is not allowed by an existing Software Restriction Policy.
• Basic User: When this rule is set, users are able to execute applications so long as
those applications do not require administrative access rights. Users are able to access
applications that require administrative access rights only if a rule has been created
that covers that application.
• Unrestricted: When this rule is set as the default rule, a user is able to execute an
application unless an existing Software Restriction Policy blocks that application.
If you are working from an allow list of applications, you would configure the Disallowed
default rule. This ensures that any application that is not specifically allowed cannot run.
If you just want to block a couple of troublesome applications but do not want to go to the
trouble of creating a rule for all the applications used in your environment, you should set the
Unrestricted default rule. This allows any application to run unless you explicitly block it.
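
The rule precedence and default rules described above can be checked with a small model. This is an added example, not code from the book or from Windows: the App and Rule types, the prefix-style path match, and the sample hash, signer and paths are constructed for illustration, and the handling of a file that no AppLocker rule matches is background knowledge that this page does not state.

```python
from dataclasses import dataclass

# SRP rule types from most to least specific, in the order the page lists them.
SRP_ORDER = ("hash", "certificate", "path", "zone")

@dataclass(frozen=True)
class App:
    path: str
    file_hash: str
    signer: str               # certificate subject, "" if unsigned
    zone: str                 # zone the file came from, e.g. "Internet"
    needs_admin: bool = False

@dataclass(frozen=True)
class Rule:
    kind: str                 # "hash", "certificate", "path" or "zone"
    value: str
    verdict: str              # SRP: Unrestricted/Disallowed; AppLocker: Allow/Deny

def matches(rule, app):
    if rule.kind == "path":   # simplified: case-insensitive prefix match
        return app.path.lower().startswith(rule.value.lower())
    field = {"hash": app.file_hash, "certificate": app.signer, "zone": app.zone}
    return field[rule.kind] == rule.value

def srp_level(app, rules, default):
    """Security level SRP assigns: the most specific matching rule type wins."""
    for kind in SRP_ORDER:
        for rule in rules:
            if rule.kind == kind and matches(rule, app):
                return rule.verdict   # conflicts within one type are not modelled
    return default                    # no rule matched: the default rule applies

def srp_allows(app, rules, default):
    level = srp_level(app, rules, default)
    if level == "Basic User":         # runs only without administrative rights
        return not app.needs_admin
    return level == "Unrestricted"

def applocker_allows(app, rules):
    """AppLocker has no precedence order: any matching Deny beats every Allow."""
    hits = [r.verdict for r in rules if matches(r, app)]
    if "Deny" in hits:
        return False
    return "Allow" in hits    # no match means denied (assumption, not from the page)

def can_run(app, srp_rules, srp_default, applocker_rules=()):
    # Where AppLocker rules exist, they take precedence over SRP.
    if applocker_rules:
        return applocker_allows(app, applocker_rules)
    return srp_allows(app, srp_rules, srp_default)

# Constructed sample data: the hash, signer and paths are placeholders.
TOOL = App(r"C:\Tools\procexp.exe", "HASH-PLACEHOLDER-1", "Example Corp", "Internet")
SRP = [Rule("path", "C:\\Tools\\", "Disallowed"),
       Rule("hash", "HASH-PLACEHOLDER-1", "Unrestricted")]

if __name__ == "__main__":
    print(srp_level(TOOL, SRP, "Disallowed"))          # hash rule beats path rule
    print(can_run(TOOL, SRP[:1], "Unrestricted",
                  [Rule("path", "C:\\Tools\\", "Allow")]))
```

Running the same rule set against both evaluators before deployment shows where a migration from Software Restriction Policies to AppLocker would change the outcome for an application.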