Best Practice: Use GPO to Disable PCA and UAC Virtualization for Testing Software Developed for Windows 7
Written by Darwin Sanoy   
Wednesday, September 7, 2011 4:23pm

For software developers on Windows 7, Program Compatibility Assistant (PCA) and UAC Virtualization may mask application problems that should be fixed in the source code.  IT professionals supporting software developers should consider disabling these settings for computers and user IDs that are used to test software.

An important note right up front: There is a dedicated policy to Disable ONLY UAC Virtualization - disabling all of UAC affects many other aspects of Windows security - this article is not advocating complete disablement of UAC.

The topics in this article are taught with samples and exercises in our course Win7 Application Compatibility Engineer (ENG-60).

Approach to Win XP to Windows 7 Migration
Some companies will be taking a replacement lifecycle approach to introducing Windows 7.  In these cases software development may continue on the Windows XP platform while making minor adjustments to ensure Windows 7 compatibility.  Under this approach, it may be advantageous to purposely rely on PCA and UAC Virtualization until the development team is ready to tackle making the software natively Windows 7 compatible.  While commercial software developers may choose to detect the platform and accommodate it internally, corporate in-house developers may prefer to cleanly cut over development to a Windows 7 primary target when the majority of company desktops are Windows 7.  If your organization wishes to take this approach, there should be a defined and agreed percentage of Windows 7 deployment that determines when developers are expected to make Windows 7 their primary target.

At the point at which developers are expected to target Windows 7, PCA and UAC Virtualization can be disabled on development test machines.

User Experience on Windows 7 Before Developers Target Windows 7
A handy trick (which we cover in "Win7 Application Compatibility Engineer (ENG-60)") is to install the registry entries made by PCA during the software installation.  This prevents PCA from popping up, giving a more professional user experience and preventing the end user from making the incorrect choice on the PCA dialog.

Program Compatibility Assistant (PCA) has at least two ways in which it can mask development issues.  The first is that unless the "cancel" button is clicked each time it is presented - a marker will be put in the registry to not evaluate the same EXE again.  If "Reinstall using recommended settings" is clicked, then a shim layer will also be configured in the registry and used in every subsequent run of the application.  Either of these steps can result in the developer unwittingly leaving things in their software code that should be fixed.

However, PCA will also apply some shims automatically, with a prompt on which the only answer is "OK".  In these cases the shim is automatically inserted and most developers will not know how to remove it.

You may configure this by the group policy setting, registry key or service configuration shown here:

GPO: Computer Configuration [OR User Configuration] > Administrative Templates > Windows Components > Application Compatibility > Turn off Program Compatibility Assistant = Disable

Registry: HKLM [or HKCU]\SOFTWARE\Policies\Microsoft\Windows\AppCompat\DisablePCA REG_DWORD: 1

Services: Disable "Program Compatibility Assistant Service"

UAC Virtualization is not supposed to be relied upon when software is being refactored for Windows 7.  When software is refactored for Windows 7 it should include a security section in an internal manifest (as well as a compatibility section).  In most cases the manifested security level will be "asInvoker".  The presence of a security manifest disables UAC Virtualization for that one application.  However, if developers are unaware of this requirement, disabling UAC Virtualization on test machines will ensure that applications attempting to write back to their own Program Files folder or HKLM\Software registry key will generate an error, rather than being silently virtualized.

You may configure this by the group policy setting or registry key shown here:

GPO: Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > User Account Control: Virtualize file and registry write failures to per-user locations = Disable

Registry: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization REG_DWORD: 0
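
To confirm that a test machine actually has these settings in effect, the read-only audit below checks the registry values listed above and the PCA service start mode. It is an added example, not part of the original article; the helper names Get-RegValue and New-Finding are illustrative, and PcaSvc is the service name behind "Program Compatibility Assistant Service".

```powershell
# Added example, not from the original article. Read-only; Windows PowerShell 2.0+.
function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns nothing ($null) when the key or value is absent (setting not configured).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

function New-Finding {
    param([string]$Setting, $Actual, [string]$Wanted)
    if ($null -eq $Actual) { $Actual = '(not set)' }
    New-Object PSObject -Property @{
        Setting = $Setting; Actual = $Actual; Wanted = $Wanted
        Ok = ("$Actual" -eq $Wanted)
    }
}

# Registry locations and values exactly as listed in the article.
$appCompat = 'SOFTWARE\Policies\Microsoft\Windows\AppCompat'
$pcaHklm = Get-RegValue "HKLM:\$appCompat" 'DisablePCA'
$pcaHkcu = Get-RegValue "HKCU:\$appCompat" 'DisablePCA'
$virt = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 'EnableVirtualization'

# PcaSvc is the service name behind "Program Compatibility Assistant Service".
$svc = Get-WmiObject -Class Win32_Service -Filter "Name='PcaSvc'"
$svcMode = if ($svc) { $svc.StartMode }

$findings = @(
    New-Finding 'DisablePCA (HKLM policy)' $pcaHklm '1'
    New-Finding 'DisablePCA (HKCU policy)' $pcaHkcu '1'
    New-Finding 'PcaSvc start mode' $svcMode 'Disabled'
    New-Finding 'EnableVirtualization (HKLM)' $virt '0'
)
$findings | Select-Object Setting, Actual, Wanted, Ok | Format-Table -AutoSize

# The article gives policy, registry and service as alternatives for PCA, so any one suffices.
$pcaOff = @($findings[0..2] | Where-Object { $_.Ok }).Count -gt 0
$virtOff = $findings[3].Ok
if (-not $pcaOff) { Write-Warning 'PCA is still active: it can shim or mark the EXE under test.' }
if (-not $virtOff) { Write-Warning 'UAC Virtualization is on: writes to Program Files or HKLM\Software may be silently redirected.' }
```

Run it as the user ID used for testing so that the HKCU check reflects that user's policy.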

 
