T001 - Known Compatibility Issues at Startup (AppHelp)

Description: RayQC Advanced scans the package for the presence of applications that may trigger Application Help Dialog (AppHelp) when the program is being installed or run for the first time.

Background: Certain applications are known to cause issues or not even starting on modern operating systems. Windows contains a predefined list of software known to have compatibility issues and warns or prevents user from starting the application. The list of such applications is stored in a central compatibility database, and the dialog shown to the user is known as Application Help (AppHelp).

More Information: http://msdn.microsoft.com/en-us/library/windows/desktop/bb756937.aspx

Manual Remediation: Contact the manufacturer to obtain compatible software.

T002 - Deprecated Windows Features

Description: RayQC Advanced scans the MSI package for the presence of deprecated features: embedded installations of another MSI packages (Custom Actions type 7, 23, 39), NETDDE-dependencies in registry, deprecated proxy configuration component ProxyCfg.exe and Windows Library files.

Background: Certain features present in previous versions of Windows systems are officially deprecated by Microsoft. This means they are provided as-is. These features may be still working, but there is no guarantee they will function correctly or at all after any update or security patch. Usually, there is a replacement technology that should be used in favor of deprecated features.

More Information: http://msdn.microsoft.com/en-us/library/aa368010%28v=VS.85%29.aspx

http://msdn.microsoft.com/en-us/library/bb756977.aspx

http://msdn.microsoft.com/en-us/library/windows/desktop/aa384069(v=vs.85).aspx

Manual Remediation: Do not use use Custom Actions type 7, 23 and 39 anymore. Dependencies and prerequisites have to be installed and managed by the deployment tool or external setup wrapper. The deprecated components have to be replaced. Contact the manufacturer to obtain compatible software.

T003 - Obsolete Windows Features

Description: RayQC Advanced scans the MSI package for a presence of deprecated MSGina technology, as well as for a presence of file extensions, for which the handling application has been obsoleted.

Background: Certain features present in previous versions of Windows systems are officially marked as obsolete by Microsoft. This means they are not supported anymore and any functionality relying on them is likely to fail to operate. Usually, there is a replacement technology that should be used in favor of deprecated features.

More Information: http://msdn.microsoft.com/en-us/library/bb756900.aspx

http://technet.microsoft.com/en-en/library/ee681703(v=ws.10).aspx

Manual Remediation: Contact the manufacturer to obtain compatible software. Self-developed software using the MSGina.dll should be re-engineered and use the Credential Providers model. Obsolete extensions should not be used in MSI installer packages.

T004 - Windows Shell and User Experience Changes

Description: RayQC Advanced scans the MSI package for a presence of shortcuts created in Quick Launch and subfolders of the SendTo folder. Additionally, start menu shortcuts pointing to non-executable files will be detected. Finally, RayQC Advanced scans the MSI package for a presence of Windows Gadgets.

Background: Each version of Microsoft Windows system introduces enhancements and changes of the user experience in the way Windows Shell is working and organizing files, shortcuts, context menu actions etc. Certain aspects of the user experience vary between newer version of Windows, with the introduction of Modern Start Screen being a notable example. There is a different handling for certain behaviors that were possible before. For example, the new Start Screen does not pin non-executable files by default, and due to the deprecated tree-like structure certain shortcuts names may be duplicated and thus confusing. Another example are shortcuts placed in subfolders of the SendTo folder, which are not displayed anymore. Finally, features like Quick Launch Bar and Windows Deskop Gadgets layer are not present anymore.

More Information: http://msdn.microsoft.com/en-us/library/windows/desktop/cc144179(v=vs.85).aspx

http://msdn.microsoft.com/en-us/library/windows/desktop/jj584985(v=vs.85).aspx

Manual Remediation: Avoid deploying shortcuts to Quick Launch location and to subfolders of SendTo folder. Migrate to the Modern application to allow pinning ups and running them in a gadget-mode. Rename Start menu shortcuts to unequivocally express their purpose and associated action, instead of using generic names like "Readme" or "Help". Non-executable files should be manually pinned by the logged on user.

T005 - Unsupported Windows Components

Description: RayQC Advanced scans the MSI package for a presence of applications using DHTML control and for the presence of 32-bit .hlp files.

Background: Certain functionalities and components present in Windows XP and previous systems are not anymore part of the standard OS image. Since then Microsoft offers them as downloadable add-ons wich restore the missing functionality. On a standard system however, missing handlers/opening applications may cause runtime exceptions or other warnings. Typical examples of such components are viewers for 32-bit .hlp files, missing DHTLM editor controls and so on.

More Information: http://support.microsoft.com/kb/917607 http://msdn.microsoft.com/en-us/library/aa663363.aspx

Manual Remediation: Contact the manufacturer to obtain compatible software. You may also install the missing components - the update KB917607 restores the ability to view 32-bit .hlp files, and the redistributable installer DHTMLEd.msi from Microsoft installs the missing DHTML control.

T006 - .NET Framework Compatibility

Description: RayQC Advanced scans the MSI package for a presence of applications using .NET Framework 1.0, 1.1, 2.0, 3.0 or 3.5.

Background: Since Windows 7, .NET Framework 1.0 and 1.1 are not supported. Although it may be possible to deploy deprecated .NET components, there is no support for these configurations provided by Microsoft. Additionally .NET Framework 2.0, 3.0 and 3.5 is not included in the default configuration of Windows 8 and later operating systems, so applications that require one of these frameworks might trigger a request for installing the necessary files.

More Information: http://support.microsoft.com/kb/2489698

Manual Remediation: Contact the manufacturer to obtain compatible software. Self-developed software should be converted to .NET Framework 4.5.

T007 - Conditional Installation and Execution

Description: RayQC Advanced scans the MSI package for a presence of conditions that vary based on the value of properties: VersionNT, VersionNT64, WindowsBuild and ServicePackLevel. Additionally, the content of the package is scanned for the usage of AdminUser and Privileged properties in Launch Conditions and components condition to verify they will not cause issues with permission elevation. Merge modules, 16-bit components and certain conditions may neutralize otherwise failing conditions.

Background: Number of MSI properties like VersionNT, VersionNT64, ServicePackLevel etc. can be used to conditionally control the flow of installation and set of features/components/policies to be installed. Software vendors use them frequently in critical places like LaunchConditions, conditions for components and Custom Actions, conditional security policies and many more. When a new version of Operating System is introduced, these conditions have to be reviewed, because they may generate false warnings even though the software is functioning correctly. Another source of issues are two distinctive MSI properties Privileged and AdminUser. Because of late elevation, since Windows Vista values of these properties are spoofed when evaluating LaunchConditions. This may produce unexpected results with packages designed for previous operating systems.

More Information: http://msdn.microsoft.com/en-us/library/windows/desktop/aa370556(v=vs.85).aspx

http://msdn.microsoft.com/en-us/library/windows/desktop/aa369752(v=vs.85).aspx

Manual Remediation: Review all rows containing conditions that exclude the current operating system. Should the given component/action be required and function correctly on Windows Server 2012 R2, rewrite the condition so that it evaluates to true or remove it to always install the questionable resource. Do not use AdminUser property, because it may impact installation flows that elevate at some later point of installation. Legacy distinction between Privileged and AdminUser property can be restored by using the MSIREALADMINDETECTION property.

T008 - Deprecated and Obsolete API Calls

Description: RayQC Advanced scans the MSI package for a presence of API calls that are deprecated or obsolete. Internal database is used to assess each API call being used.

Background: Certain APIs present in previous versions of Microsoft Windows are now officially deprecated or obsoleted by Microsoft. Obsolete APIs may not work anymore, or their behavior may be different leading to unexpected results. The deprecated APIs may be still working, but there is no guarantee they will function correctly or at all after any update or security patch. Usually, there is a replacement API that should be used in favor of deprecated or obsolete API call.

More Information: None available.

Manual Remediation: Contact the manufacturer to obtain compatible software. Self-developed software should not use obsolete functions anymore and switch to replacements as described by Microsoft in Microsoft SDK Updates.

T009 - Hard-Coded Resources and System Paths

Description: RayQC Advanced scans the MSI package for a usage of changed or obsolete junction points in INI files, registry entries, services, shortcuts, environment variables and custom actions.

Background: Since Microsoft Windows Vista, standard locations where user and system data are stored have been changed. For example, the root folder for user data was called "Documents and Settings" in Windows XP, but since Windows Vista its name is "Users". To provide a backward compatibility, junction points are used to reroute the calls from old, incorrect locations to the new, proper ones. A package that runs on various target systems should not rely on hardcoded paths, because they may be not valid anymore or for a given system language.

More Information: http://msdn.microsoft.com/en-us/library/windows/desktop/bb968829(v=vs.85).aspx

http://msdn.microsoft.com/en-us/library/windows/desktop/aa368977(v=vs.85).aspx

Manual Remediation: Hard-coded paths should not be used. Replace them with MSI properties using formatted syntax. If no predefined property exists, the path should be exposed via custom MSI property so that it can be adjusted on demand from command-line / MST transform.

T010 - Mismatched Target Architecture

Description: RayQC Advanced scans the MSI package for the presence of executables (16/32/64-bit) that are not compatible with Windows Server 2012 R2 32-bit platform

Background: Some software is intended to run only in 32-bit or 64-bit operating systems. 16-bit executables are not supported on modern platforms, and 64-bit Microsoft Windows can correctly emulate 32-bit applications. If the MSI package is missing a correct Launch Condition it may try to install executables that are not designed for the current platform architecture. Attempting to launch such executable might result in an error message that the file is not a valid Win32 application. Additionally, attempting to run 16-bit code may result in a warning message informing that an extra Windows Feature is required.

More Information: http://support.microsoft.com/kb/282423/en-us

Manual Remediation: Contact the manufacturer to obtain compatible software. Reenginer self-developed software by replacing 16-bit executables with appropriate 32- or 64-bit code. Use Launch Conditions and component conditions to control to which platform software and its parts are deployed.

T011 - Driver Issues

Description: RayQC Advanced scans the MSI package for the presence of drivers containing no valid signature or not matching the target platform.

Background: Since Windows Vista 64-bit, all drivers have to be signed. Signed driver contains an extra digital signature used to validate the source and content of the driver package. Any unauthorized change in the driver package invalidates the signature. If an unsigned driver or a driver with invalid signature is attempted to be installed, Windows refuses the installation. Likewise, each driver has to match the target platform, which means that 64-bit systems require 64-bit drivers.

More Information: http://msdn.microsoft.com/en-us/library/bb756937.aspx

Manual Remediation: Contact the manufacturer to obtain compatible driver. Use WDK (Windows Driver Kit) to sign self-developed driver packages.

T012 - Installation Package Design Issues

Description: RayQC Advanced scans the MSI package for the presence of common installation design issues that may cause troubles during installation or using of software. The context of Custom Actions is scanned for the presence of deferred custom actions running in user-context, as well as system-wide actions running in immediate mode. The presence of conflicting permissions tables preventing the installation is detected as well. Additionally, invalid combinations of user- and machine-data in a single component and invalid identifiers are reported.

Background: Microsoft recommends several best-practices approaches for MSI setup designers. They ensure that the package is deployed correctly in various scenarios and various operating systems. By following the guidelines many compatibility issues introduced by a new security model in Windows Vista can be avoided.

More Information: http://msdn.microsoft.com/en-us/library/windows/desktop/aa368268%28v=vs.85%29.aspx

http://msdn.microsoft.com/en-us/library/windows/desktop/aa368268(v=vs.85).aspx

http://msdn.microsoft.com/en-us/library/windows/desktop/dd408053(v=vs.85).aspx

http://msdn.microsoft.com/en-us/library/6397xx85(v=vs.80).aspx

http://msdn.microsoft.com/en-us/library/windows/desktop/aa368994%28v=vs.85%29.aspx

Manual Remediation: Adjust the package content so that it complies to the best practices of Windows Installer. Do not mix per-machine and per-user data in a single component. Use valid identifiers for components. Make sure all custom actions are running in a valid context - all actions making system changes must be deferred in execution. Do not use both LockPermissions and MsiLockPermissionsEx tables at once.

T013 - Conflicts with Protected Windows Resources (WRP)

Description: RayQC Advanced scans the MSI package for the presence of files and registry keys that belong to the Windows Resource Protection list.

Background: Windows Resource Protection (WRP) prevents the modification of essential system resources (files, folders and registry keys). Windows Installer silently ignores any attempt to update or modify them, any other software trying to do it may fail. These kinds of resources may be only updated by Microsoft-provided redistributable packages. During the installation, if Windows Installer logging is enabled, a warning may be shown for each operation that was ignored because of the WRP protection.

More Information: http://msdn.microsoft.com/en-us/library/bb756998.aspx

Manual Remediation: Assess whether the conflicting resources are actually needed, and if not remove them from the MSI package. If a given resource is needed and the original system one cannot be used, consider re-engineering the application or use any virtualization technique to override the resource.

T014 - Missing or Invalid Signatures

Description: RayQC Advanced scans the MSI package for the presence of unsigned executable files (.exe, .dll, .ocx). Additionally, the package itself and CAB files are also scanned.

Background: According to the set of best practices by Microsoft, all exercutable files deployed by an installation package and the installation package itself should be digitally signed with a certificate issued by a Trusted Publisher. When attempting to run an unsigned executable, Windows prompts the user for authorization. Similarly, attempting to install an unsigned MSI package also shows the Windows prompt.

More Information: http://technet.microsoft.com/en-us/library/cc962053.aspx

Manual Remediation: Contact the manufacturer to obtain signed executables and installers. Use WDK (Windows Driver Kit) to sign self-developed executables and packages.

T015 - Security and User Access Control Issues

Description: RayQC Advanced scans the MSI package for the presence of issues that may fail to work due to the security features. The executable files are scanned for the presence of correct manifestation. Direct calls to rundll32 are reported, because the UAC prompt hides the actual calling module when rundll32 is executed. Interactive sevices running in session 0 are detected, as well as MMC snap-ins that are not DEP-aware. Finally, setups, updaters and uninstallers are detecteded and checked for the presence of their UAC awareness.

Background: Session 0 isolation and Data Execution Prevention (DEP) are examples of security improvements introduced to prevent malicious software from compromising the security of the operating systems. They provide a separation between interactive user sessions and non-interactive session 0 devoted for services, and prevent execution of code from non-executable memory region. Modern software has to comply to these restrictions in order to function correctly on Windows Server 2012 R2. Another security issue present in Windows operating system is User Account Control (UAC). When an executable file requires additional non-standard permissions, the UAC elevation dialog prompts for confirmation or for correct credentials. The UAC prompt contains information about calling application, manufacturer and the source. Certain applications, like self-updaters, setups and other requiring higher privileges must be aware of the elevation, and use manifests to correctly inform the system about required execution permissions.

More Information: http://msdn.microsoft.com/en-us/windows/hardware/gg463353

http://msdn.microsoft.com/en-us/library/bb963893.aspx

http://msdn.microsoft.com/en-us/library/windows/desktop/aa366553(v=vs.85).aspx

http://technet.microsoft.com/en-us/library/cc709628%28WS.10%29.aspx

http://technet.microsoft.com/en-us/library/cc709628%28WS.10%29.aspx

Manual Remediation: Contact the manufacturer to obtain software that complies to the security features of Microsoft Windows. For each unmanifested executable file, create a manifest, and set the required privileges to "asInvoker" for applications not requiring them, and "requireAdministrator" or "highestAvailable" for others. If the manifest cannot be corrected, a shim database has to be used to specify the desired privilege level.

T016 - Missing Application Manifest or Insufficient Execution Policy

Description: RayQC Advanced scans the MSI package for the presence of executable files (.exe, .cpl) that do not contain the manifest, or that are not aware of Windows Server 2012 R2 in the list of supported operating systems in their manifest files.

Background: Since Windows Vista, all applications run by default with standard user privileges. This is also true when the current user is a member of Administrators group. Application that used to work on previous versions of Windows may fail to work, as no elevation will take place. In order to require higher permissions, each executable or control panel applications has to contain a manifest file - a simple .XML file informing the operating system how to handle the given program.

More Information: http://msdn.microsoft.com/en-us/library/Aa480152%23appcomp_topic30.com#appcomp_topic4

http://msdn.microsoft.com/en-us/library/hh848036%28v=vs.85%29.aspx

Manual Remediation: Create a manifest file for each executable. To manifest a control panel application (.cpl) create an executable wrapper with embedded manifest. Use the SupportedOS section in the manifest to define the list of supported operating systems.

T017 - Incomplete Reboot Handling

Description: RayQC Advanced scans the MSI package for the absence of a proper launch condition preventing the installation if a reboot is pending. Additionally, absence of "Files in use" dialog is detected. Presence of ForceReboot action is also detected and reported.

Background: Windows Installer supports natively various set of features and actions related to the reboot handling. They include for example the ability to show list of used/locked files, forcing or skipping the reboot and determining the installation state by the related MSI properties. Several aspects have to be considered so that the reboot handling works as expected.

More Information: http://msdn.microsoft.com/en-us/library/windows/desktop/aa368607(v=vs.85).aspx

http://msdn.microsoft.com/en-us/library/windows/desktop/aa370492(v=vs.85).aspx

http://msdn.microsoft.com/en-us/library/windows/desktop/aa370379(v=vs.85).aspx

Manual Remediation: Add the MSIRMFilesInUse dialog to the dialog sequence if it is missing. Remove ForceReboot action from the sequence, reboots are handled automatically by MSI. In order to ensure the package is not installed when any reboot is pending, append the "NOT MsiSystemRebootPending" condition to the Launch Condition list.

T018 - Protected Mode (Internet Explorer)

Description: RayQC Advanced scans the MSI package for the presence of registry entries that disable Protected Mode.

Background: As a result of security changes introduced in Windows Vista, Internet Explorer runs now in a isolated mode called "Protected mode" by default. While it limits potential damages malware application can cause, it also prevents web-applications running in Internet Explorer from writing directly to disk while in Internet or Intranet zone. Internet Explorer warns when web-application tries to run certain software programs or write to protected areas.

More Information: http://msdn.microsoft.com/en-us/library/bb756991.aspx

Manual Remediation: Contact the manufacturer to obtain compatible software. Re-engineer self-developed software so that it runs correctly under Protected Mode, or add the required website(s) to the list of trusted sites.