Creating Application Compatibility Fixes

You can use this article to learn how to troubleshoot applications in your organization that do not run properly for standard users on Windows Vista®. Information technology (IT) administrators might encounter problems in their organizations when they upgrade to Windows Vista if they have applications installed in their organization that are not Windows Vista compatible. We have created this article to demonstrate a straightforward way for you to troubleshoot applications for application compatibility and then create compatibility fixes for those applications that will not work properly for standard users on Windows Vista.

Why Standard Users for Windows Vista?

Limiting the privilege level of users in your organization:

  • Helps prevent intentional or unintentional unauthorized access or deletion of important system files and folders.
  • Mitigates the impact of malicious software that might try to trick the user into installing it.
  • Lowers your total cost of ownership by reducing administrative repair tasks, such as restoring deleted system files or uninstalling malicious software.

In Windows Vista, a standard user account is a non-administrative account with limited privilege. Standard users cannot install applications (unless they are per-user applications that install to their profiles) and cannot make system-wide changes that affect overall security. Members of the Windows Vista Users group are standard users. The standard user account type on Windows Vista provides the limited set of permissions needed for most non-administrative application scenarios.

Why Do Some Applications Not Work for Standard Users?

Some applications perform one or more well-known actions that cause compatibility problems when they run on Windows Vista with standard user permissions. Some of these problems are addressed in Windows Vista with virtualization and other workarounds. However, some of these well-known actions require that you implement specific workarounds that the system does not do automatically.

Applications that do not work properly for standard users often:

  • Check whether the user is an administrator when they are started and fail if the user is not an administrator. (Often, the application does not truly require the user to be an administrator.)
  • Write to protected areas of the system, including Program Files, while they are running. Applications should store per-user data, such as specific configuration settings, in the user's profile.

Some application tasks truly are administrative tasks and must, therefore, be performed by an administrator. However, application features that should not require administrative permissions are often implemented in such a way that administrative-level permissions are required. For example, an application might write some log data to a log file in the root folder of the system drive. When this is done, IT administrators are often forced to make their users administrators on the computer to be able to run the application. This violates the principle of least privilege and creates greater potential for malicious code to be executed from an administrative account, where it can cause greater damage to the system and to user data.

To help administrators and developers limit users to standard user accounts, Windows Vista includes User Account Control (UAC). One function of UAC is to provide remedies for some well-known application implementations that prevent applications from running as standard users. However, some application implementations require remedies that are not enabled by default in Windows Vista. The purpose of this paper is to explain the steps that you can use to diagnose whether an application in your organization does not run properly for standard users and, when possible, to identify one of several available software packages (application compatibility fixes) to enable the application to run as a standard user.

Note

UAC also notifies users that are running as administrators when an application is preparing to perform an administrative action. UAC then asks the administrator user to approve the action. For more information about UAC, see Understanding and Configuring User Account Control on Windows Vista (https://go.microsoft.com/fwlink/?LinkId=91589).

Troubleshooting the Application for Standard User Problems

You can use the following steps to troubleshoot your application if it fails to run for standard users, or if it runs poorly while running as a standard user.

  1. Verify that the application is not an administrative application
  2. Check with the vendor or developer
  3. Verify a standard user compatibility issue
  4. Install the application-wide standard user compatibility fixes
  5. Modify the application's installation folder permissions
  6. Use the Standard User Analyzer
  7. Contact the developer

Step 1: Verify that the application is not an administrative application

Some programs are designed to perform legitimate administrative actions and require administrative permissions. The following types of applications often require administrative permissions.

  • Applications that install or manage software on a computer

  • Tools that manage system resources

    Note

    Because these tools modify the entire system, they should be used only by users you trust to have full control of the computer.

Before you troubleshoot the application further, determine whether the vendor or developer originally designed the application to be run only by administrators. If this is the case, you do not need to create an application compatibility fix, because the application is not intended to be used by standard users.

Step 2: Check with the vendor or developer

If you believe that the application should work for standard users, you should check with the application vendor or developer. The application vendor or developer is usually best able to tell you whether the application has any problems or limitations when running as a standard user, or if an application update is available.

Step 3: Verify a standard user compatibility issue

If the application vendor or developer does not have an update for the application, you should verify that the application compatibility problem is specific to standard users and is not a general Windows Vista compatibility problem. To determine this, try to run the application as an administrator.

To run a program as an administrator

  1. Click the Start button, point to All Programs, and then click the folder for the program you want to run.

  2. Right-click the program, and then click Run as administrator.

  3. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

If the application continues to display the same problems that you experienced when you ran it as a standard user, the compatibility problem is most likely a general Windows Vista compatibility problem and not the result of a standard user compatibility problem. For more information about troubleshooting and resolving general Windows Vista compatibility problems, see the Application Compatibility Cookbook (https://go.microsoft.com/fwlink/?LinkId=91592).

If the application successfully runs as an administrator, but not as a standard user, then the problem is most likely related to running in a lower-privilege standard user account. Contact the software vendor or developer again to inquire about an update, before you progress to step four. Alerting the vendor to a standard user compatibility problem that you have discovered provides the vendor with valuable information for creating a software update.

Important

Some applications perform configuration tasks the first time that they are run after installation. These tasks often require administrative privileges. We recommend that you run the application as a standard user after you run the application as an administrator, to ensure that the problem was not a first-run configuration problem. If the application works properly as a standard user after you have run it as an administrator, you can continue to run the application as a standard user and do not have to install an application compatibility fix.

Note

In some rare cases, Windows might notify you that the application must be run as an administrator. This is due to Windows Vista heuristics that are used to determine if the application installs software. These heuristics might incorrectly identify an application as a software installer, which requires administrative privileges. For example, if the application is named setup.exe, Windows Vista will likely identify the application as an application that installs software and that, therefore, must be run as an administrator. If you believe Windows Vista heuristics mistakenly identified the application as a software installer, you can identify it as a non-installation application by using the SpecificNonInstaller application compatibility fix. For more information about how to apply this application compatibility fix, see Applying a Standard User Compatibility Fix.

Step 4: Install the application-wide standard user compatibility fixes

You use application-wide application compatibility fixes to resolve standard user compatibility problems for applications on Windows Vista.

The following compatibility fixes modify behavior of the application in ways that address common standard user compatibility problems.

The name that is given here for each compatibility fix corresponds to the name of the compatibility fix visible in Compatibility Administrator on the Compatibility Fixes page of the Create new Application Fix wizard.

Application-wide application compatibility fixes

Fix | Description
ForceAdminAccess | Resolves issues that an application might encounter using various application program interface (API) calls to verify if the current user is part of the Administrators group.
ElevateCreateProcess | Resolves the CreateProcess ERROR_ELEVATION_REQUIRED error by running the application as an administrator. If you apply this compatibility fix, Windows Vista will display a User Account Control dialog box and require the standard user to provide the user name and password for an administrator account on the local computer.
VirtualizeDeleteFile | Virtualizes the DeleteFile calls that the application makes and hooks other file APIs to ensure that the virtualization of the file is deleted.
LocalMappedObject | Forces all global named file mapping objects into the local namespace.
VirtualizeHKCRLite | Virtualizes HKCR write accesses to the per-user view under the HKEY_CURRENT_USER\Software\Classes key. This compatibility fix has a smaller footprint and better performance than the VIRTUALIZEHKCR command in VirtualRegistry.
VirtualizeRegisterTypeLib | Converts attempts to register a type library to the per-user API equivalent.

If the above compatibility fixes do not work when tried independently, then try all of them on the application together.

Important

Each compatibility fix that you install will change the system behavior for the targeted application. As a result, it is possible that a compatibility fix might introduce a separate compatibility problem for that application. Therefore, you should install only the compatibility fixes that are required for the application to run.

You can determine which compatibility fixes your application requires in two ways: by using the Standard User Analyzer, or by testing fixes manually.

Run the Standard User Analyzer

The Standard User Analyzer can help you determine which compatibility fixes are needed. For more information about using the Standard User Analyzer, see Step 6: Use the Standard User Analyzer.

Test fixes manually

You can also test application compatibility fixes by applying each compatibility fix one at a time in a test environment until the application works properly as a standard user. The application might require more than one compatibility fix. If the application does not work properly as a standard user after you have tried all of the fixes individually, apply all of the application-wide compatibility fixes together. To install each compatibility fix, see Applying a Standard User Compatibility Fix.

Some applications might give you information that helps you identify which compatibility fix has to be installed. For example, an application that checks to verify that it is running as an administrator, but that has no technical or business compulsion to run as an administrator, might prompt you with an error dialog box that states that the application must be run as an administrator. You might also find this information in an application log file. You can fix this type of application by using the ForceAdminAccess application compatibility fix, which is shown in the table above.

Step 5: Modify the application’s installation folder permissions

Applications commonly fail to run correctly for standard users because they write data to files in the application installation folder in Program Files. Because standard users do not have write permission to the Program Files folder or to its subfolders, the application cannot write to the folders and will fail when writing to a file in this folder while running as a standard user.

You can verify whether the compatibility problem is caused by the application trying to write to Program Files by temporarily editing the access control list (ACL) on the application's installation folder under Program Files.

To test the application for access to Program Files

  1. Click the Start button, point to All Programs, click Accessories, and then click Windows Explorer.

  2. In Windows Explorer, click the Program Files folder, and then locate the installation folder for the application that you are testing.

  3. Right-click the installation folder, and then click Properties.

  4. In the Properties dialog box, click the Security tab, and then click Edit.

  5. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

  6. In the Select Users, Computers, or Groups dialog box, enter the name of the standard user account that you are using to test the application, click Check Names to verify that you entered the account name properly, and then click OK.

  7. On the Security tab, ensure that the standard user account is selected, select Full Control, and then click OK twice.

  8. Run the application as a standard user.

If the application runs correctly, you might be able to resolve the standard user compatibility problem by editing one or more of the file or folder permissions of the application. However, modifying permissions on a file or folder might introduce a security risk to application data or to the system.

We strongly recommend that you determine which files or folders standard users need to access for the application, in order to limit the security risk of giving standard users excessive permissions. One way that you can effectively monitor the application's read and write activity is with the Standard User Analyzer. The Standard User Analyzer is part of the Application Compatibility Toolkit 5.0 (https://go.microsoft.com/fwlink/?LinkId=81696).

After you have determined for which files and folders you need to edit the ACLs, you should decide whether it is acceptable to allow standard users to have these permissions. Typically, when file permissions are the cause of a standard user compatibility issue, write permissions are needed to enable standard users to run the application. Whether it is acceptable to give standard users write permission to a file or folder is a determination that is unique to each application, and to each file or folder. In some cases, such as where write permissions are needed to an executable file, giving standard users write permission can introduce unacceptable security risk. In other cases, such as where write permissions are needed to a debug log file, giving standard users write permissions might be acceptable.

Important

We recommend that you contact the application developer if you do not fully understand the security risk of granting standard users any additional permission for an application's files.
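
The permission review described in this step can be scripted. The following PowerShell is an added example, not part of the original article or the Application Compatibility Toolkit; the folder path, the test account name, and the list of extensions treated as executable content are assumptions. It reads the ACL entries (it does not compute effective access) and reports every item under the installation folder that a standard-user principal may modify, which also shows whether the temporary Full Control grant from the test procedure is still in place.

```powershell
# Added example (not from the original article): list the items under an
# application's installation folder that standard-user principals may modify.
# Assumed placeholders: the folder path and the test account name.
$InstallFolder = 'C:\Program Files\DemoApp'
$Principals    = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
                   'Everyone', 'CONTOSO\testuser')
# Extensions treated as executable content (assumed list; adjust per application).
$ExecutableExt = @('.exe', '.dll', '.sys', '.ocx', '.bat', '.cmd', '.vbs', '.msi')

$Fsr = [System.Security.AccessControl.FileSystemRights]
# Rights that allow changing content, deleting the item, or rewriting its ACL.
$WriteMask = [int]($Fsr::WriteData -bor $Fsr::AppendData -bor $Fsr::Delete -bor
                   $Fsr::DeleteSubdirectoriesAndFiles -bor
                   $Fsr::ChangePermissions -bor $Fsr::TakeOwnership)
$InheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly

function Get-StandardUserWritableItem {
    param([string]$Path, [string[]]$Principal)

    # Include the folder itself, then everything below it.
    $items = @(Get-Item -LiteralPath $Path) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Force)

    foreach ($item in $items) {
        foreach ($ace in (Get-Acl -LiteralPath $item.FullName).Access) {
            # Deny entries are not evaluated in this report.
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($Principal -notcontains $ace.IdentityReference.Value) { continue }
            # Inherit-only entries apply to children, not to this item.
            if ([int]$ace.PropagationFlags -band $InheritOnly) { continue }
            if (([int]$ace.FileSystemRights -band $WriteMask) -eq 0) { continue }

            if ($item.PSIsContainer) { $category = 'Folder' }
            elseif ($ExecutableExt -contains $item.Extension.ToLower()) { $category = 'Executable' }
            else { $category = 'Data' }

            [pscustomobject]@{
                Category  = $category
                Path      = $item.FullName
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

$findings = @(Get-StandardUserWritableItem -Path $InstallFolder -Principal $Principals)
$findings | Sort-Object Category, Path | Format-Table -AutoSize

# Write access to executable content is the case the article calls unacceptable.
# A writable folder lets the user add files next to the program, so review it too.
$risky = @($findings | Where-Object { $_.Category -ne 'Data' })
if ($risky.Count -gt 0) {
    Write-Warning "$($risky.Count) executable file(s) or folder(s) are writable by standard users."
}
```

Run it once before the test to record the baseline and again after you finish, so that only the narrow grants you decided to keep (for example, on a log file) remain.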

Step 6: Use the Standard User Analyzer

You might be able to resolve the compatibility problem by applying one of several other compatibility fixes, if you have determined all of the following:

  • The problem is caused by running in a lower-privilege standard user account.
  • The problem is not resolved by applying one or more of the application-wide compatibility fixes shown in step four.
  • The problem is not resolved by granting standard users access to the application's files, as shown in step five.

These other compatibility fixes modify application settings more specifically to allow it to run as a standard user. You can apply these resource-specific compatibility fixes only if you know to which resources you must apply them.

You analyze the application in depth to identify the specific application resources that need to be modified by an application fix. These resources, such as the location of files or registry data, might not be easily discoverable. As a result, you might need help from someone experienced with application development and debugging to identify these resources. You can also use the Standard User Analyzer to analyze the application for standard user compatibility problems. The Standard User Analyzer is part of the Application Compatibility Toolkit 5.0 (https://go.microsoft.com/fwlink/?LinkId=81696).

For information about how to use the Standard User Analyzer to identify compatibility problems and application resources, see the "Using the Application Compatibility Toolkit 4.1 and the Standard User Analyzer to Create Application Fixes" section in Understanding and Configuring User Account Control in Windows Vista (https://go.microsoft.com/fwlink/?LinkId=91589).

If none of the previous steps has resolved your problem, see step 7.

Step 7: Contact the developer

Some applications perform actions for which no compatibility fix exists, or for which no compatibility fix can be created (without compromising system security). Applications that do not perform administrative actions should not require administrative permissions. If the standard user compatibility problem is not fixed after you have applied all of the application-wide compatibility fixes, then the application might be performing an action for which no compatibility fix can be identified with the tools in this document.

At this point, you must contact the application developer. The developer might know if one of the compatibility fixes that target specific application resources can mitigate the problem. If no compatibility fix exists, or if no compatibility fix can be designed without compromising system security, then the application developer or vendor might be able to provide a custom solution or tell you when an updated version of the application that works with standard user permissions will be available.

Example: Troubleshooting a standard user compatibility problem

In this section, we show you how to troubleshoot a standard user compatibility problem using an application that behaves poorly when run with standard user permissions. This particular application, DemoApp.exe, will programmatically check to see if the calling user is an administrator and if not will report an error and exit. (This is a common standard user compatibility bug.) Figure 1 shows the output of the DemoApp application when run as a standard user.

To try to resolve this problem, we will apply the application-wide standard user compatibility fixes, as described in Step 4: Install the application-wide standard user compatibility fixes.

Applying a Standard User Compatibility Fix

After you identify the compatibility fixes that are required to address the standard user compatibility issue, you must create a compatibility fix database. A compatibility fix database maintains information about the application that is required by each compatibility fix that needs to be applied. You also can use a compatibility fix database to deploy compatibility fixes across multiple machines. To create a compatibility fix database, you can use the Compatibility Administrator application. The Compatibility Administrator tool is part of the Application Compatibility Toolkit (https://go.microsoft.com/fwlink/?LinkId=81696). Figure 2 shows Compatibility Administrator when you first open it.

Note

You can use Compatibility Administrator to create and configure a compatibility fix database for application compatibility problems outside of standard user application compatibility problems. This article does not show you how to fix other application compatibility problems, such as display problems. For more information about how to create compatibility fix databases for other compatibility problems, see the Application Compatibility Toolkit (https://go.microsoft.com/fwlink/?LinkId=81696).

Create a compatibility fix database

Before you select specific application compatibility fixes, you must create a new compatibility fix database.

To create a compatibility fix database

  1. Click the Start button, point to All Programs, click Microsoft Application Compatibility Toolkit 5.0, right-click Compatibility Administrator, and then click Run as administrator.

  2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

  3. In Compatibility Administrator, right-click Custom Databases, and then click New.

    This creates a new application compatibility database and assigns it a default name, such as New Database(2) [Untitled_2]. To change the name, right-click the database node, and then click Rename.

Figure 3 shows a newly created application compatibility database called New Database(2) [Untitled_2].

Create a standard user compatibility fix

After you create a new compatibility fix database, you must add a standard user compatibility fix to the database.

To create a standard user compatibility fix

  1. In Compatibility Administrator, right-click the new compatibility fix database, point to Create New, and then click Application Fix.

    The Create new Application Fix wizard opens.

  2. On the Program Information page, enter the name of the application that you are fixing, the vendor of the application (if known), and the location of the program's executable file. Click Next.

    Figure 4 shows the Program Information page with sample data.

  3. On the Compatibility Mode page, select the operating system mode and specific compatibility modes for the application. If your application does not require a compatibility mode, select None. Click Next.

    Important

    While compatibility modes are typically not used to fix a standard user compatibility problem, a particular application might require a compatibility mode compatibility fix in addition to a standard user compatibility fix. See Applying a Standard User Compatibility Fix for more information on compatibility modes.

  4. On the Compatibility Fixes page, select each compatibility fix that you wish to apply to try to mitigate the application’s standard user compatibility problem, and then click Next.

  5. On the Matching Information page, select the attributes of the application that can be used to identify the application uniquely, and then click Finish.

    This action enumerates the attributes of the application that the operating system will verify when it checks whether a compatibility fix is to be applied.

    Note

    The more attributes you select, the more precisely the operating system can identify the application. If you specify multiple specific attributes for the application, it is less likely that the application compatibility fix can be used for an application for which it does not apply. Be careful to use attributes of the application that will not change over time.

  6. After you complete the wizard, the fix is added in the left pane under the new database that you created, as shown in Figure 8.

  7. If more applications require that compatibility fixes be applied, then you can add them to this database by creating a new application fix within this database, or you can create a separate database for the other application. To add compatibility fixes to this database, follow the same steps as above.

    Generally, you should use the same compatibility fix database for multiple applications, if you believe the applications will always be deployed together. If the applications are deployed separately, then you should use separate compatibility fix databases.

    Note

    If you think that you made an error anywhere in the Create new Application Fix wizard, you can delete the application fix that you created and start again. To delete an application fix, right-click the Applications node or the application fix node (called DemoApp in Figure 8), and then click Delete.

  8. Select the database that you created, and then click Save in the File menu.

    This database is called New Database(2) [Untitled_2] in Figure 8.

    You must provide both a file name and a database name. In the DemoApp example, we saved the database and file as DemoAppFixDB.

    The compatibility fix database will be saved in the specified folder with the given filename and an .sdb extension. Figure 9 shows the saved and renamed compatibility fix database.

Install a compatibility fix database

After you create an application compatibility database, you must install it for Windows Vista.

To install the application compatibility fix

  1. In Compatibility Administrator, right-click the compatibility database that you created, and then click Install.

    This database is called DemoAppFixDB in Figure 9.

    Note

    If you have not saved the database, Compatibility Administrator will prompt you to save before installing the database.

  2. In the Compatibility Administrator dialog box, click OK.

The compatibility fix is now installed, and the application fix is active. For our example application, DemoApp.exe, the ForceAdminAccess compatibility fix notifies the application that it is running as an administrator, even though it is not. This fix allows the application to run successfully as a standard user. Figure 10 shows DemoApp.exe running with the compatibility fix installed.

Deployment of Compatibility Fix Databases with SDBInst

You can use three methods to install compatibility fix databases on computers in your organization:

  • Systems management
  • Network share
  • Group Policy script

Systems management

You can install a compatibility fix database on one computer at a time, or you can use systems management software, such as Microsoft Systems Management Server (SMS), to deploy the compatibility fix database to multiple computers at once and then run the Windows Vista SDBInst.exe command-line tool to install the database.

Note

The default location of SDBInst.exe is %SystemDrive%\Windows\System32\SDBInst.exe.

Network share

You can place the compatibility fix database on a network share and use Group Policy to apply a logon script to each computer. The script runs SDBInst.exe and specifies the UNC path to the compatibility fix database .sdb file.

You can use the following parameters with the SDBInst.exe tool to install compatibility fix databases from the command line or a script:

SDBInst -p <Path to .sdb File>
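
A compatibility fix database changes how the targeted application behaves, so a script that installs one from a share should confirm that the file is the copy you created and reviewed. The following PowerShell is an added example, not part of the original article; the UNC path and the expected hash are placeholders, the -q switch and the InstalledSDB registry key are not named in the article, and the script is assumed to run with administrative rights.

```powershell
# Added example (not from the original article): install a compatibility fix
# database from a share only if it matches the copy that was reviewed.
# Assumed placeholders: the UNC path and the expected SHA-256 value.
$SdbShare       = '\\fileserver\appcompat\DemoAppFixDB.sdb'
$ExpectedSha256 = '<SHA-256 of the approved DemoAppFixDB.sdb>'
$SdbInst        = Join-Path $env:SystemRoot 'System32\sdbinst.exe'
# Registry key under which Windows records installed custom databases
# (not named in the article).
$InstalledKey   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB'

function Get-Sha256Hex {
    param([string]$Path)
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try     { [System.BitConverter]::ToString($sha.ComputeHash($stream)) -replace '-', '' }
    finally { $stream.Dispose() }
}

function Get-InstalledSdb {
    # Returns one object per registered database; nothing if the key is absent.
    if (-not (Test-Path -LiteralPath $InstalledKey)) { return }
    Get-ChildItem -LiteralPath $InstalledKey | ForEach-Object {
        $p = Get-ItemProperty -LiteralPath $_.PSPath
        New-Object PSObject -Property @{
            Guid        = $_.PSChildName
            Description = $p.DatabaseDescription
            Path        = $p.DatabasePath
        }
    }
}

# Copy first, then hash and install the same local file, so the file that is
# checked is the file that is installed.
$local = Join-Path $env:TEMP (Split-Path -Leaf $SdbShare)
Copy-Item -LiteralPath $SdbShare -Destination $local -Force

if ((Get-Sha256Hex $local) -ne $ExpectedSha256) {
    Remove-Item -LiteralPath $local -Force
    throw "Hash mismatch for $SdbShare; the database was not installed."
}

$before = @(Get-InstalledSdb | ForEach-Object { $_.Guid })

# -p is the switch the article gives; -q suppresses the confirmation dialog.
$sdbArgs = @('-q', '-p', ('"{0}"' -f $local))
$proc    = Start-Process -FilePath $SdbInst -ArgumentList $sdbArgs -Wait -PassThru

# Confirm the result from the registry rather than from the exit code alone.
$added = @(Get-InstalledSdb | Where-Object { $before -notcontains $_.Guid })
if ($added.Count -eq 0) {
    Write-Warning "No new database was registered (sdbinst exit code $($proc.ExitCode)); it may already be installed."
} else {
    $added | Format-List Guid, Description, Path
}
```

Running Get-InstalledSdb on its own gives an inventory of the databases registered on a computer, which you can compare against the list of databases your organization has deployed.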

Group Policy script

You can create installation scripts and deploy them to the computers in your organization using Group Policy. For more information about how to create the installation scripts, see the “Deploying Application Compatibility Fixes with Group Policy” section in Understanding and Configuring User Account Control in Windows Vista (https://go.microsoft.com/fwlink/?LinkId=91589).