When we install Apache OpenOffice, there is a dialog that lets you choose to install the application for "all users" or "only for me". If we choose "for all users", I think these registry strings will be fine. If we choose "only for me", should we still write the registry strings to HKLM? Would it be better to write the registry strings to the current user?

2012/7/5 Liu Da Li <wawal...@gmail.com>

> From the Windows certification toolkit test result, we find that there is
> a section named "Single user registry check".
> It said:
>
> Warning: The single user registry test detected the following errors:
> Registry key
> [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{51071D66-D034-4239-94E0-723FCA10B6FE}]
> was modified during installation.
> Registry key
> [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{51071D66-D034-4239-94E0-723FCA10B6FE}]
> AuthorizedCDFPrefix=String: was modified during installation.
>
> Registry key
> [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{51071D66-D034-4239-94E0-723FCA10B6FE}]
> VersionMinor=DWord:4 was modified during installation.
> Registry key
> [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{51071D66-D034-4239-94E0-723FCA10B6FE}]
> WindowsInstaller=DWord:1 was modified during installation.
> Impact if not fixed: The application is available to all users of the
> machine.
> How to fix: In a Per user installation, should not create or modify
> machine wide registry entries (HKLM).
>
> 2012/6/28 Rob Weir <robw...@apache.org>
>
>> On Thu, Jun 28, 2012 at 4:02 AM, Liu Da Li <wawal...@gmail.com> wrote:
>> > For issue 2.
>> >>> - Issue 2. Test for "Section 4 Apps must adhere to system restart
>> >> > manager messages" is failed. Bugzilla ID 119947 link:
>> >> > <https://issues.apache.org/ooo/show_bug.cgi?id=119947>
>> > It seems that we handle these system restart manager messages in a right
>> > way.
>> > Anyone can have a double check on this?
>>
>> This would be good to test. A good test case would be to have a new
>> document, or a document with unsaved changes in it. If we get the
>> system restart message, what do we do? Windows guidelines are that we
>> shut down within 30 seconds. So we can't pop up a "Do you want to
>> save?" dialog indefinitely.
>>
>> The scenario Microsoft is thinking of is something like this: A user
>> leaves their machine on at work, and then goes on vacation. A big
>> security problem is found in Windows and a virus is spreading all over
>> the world. Microsoft has a fix that they push out to all machines via
>> their update mechanism. But they cannot apply it on this machine
>> because they need to force a reboot. But applications are refusing to
>> shut down cleanly. That's the scenario we should consider.
>>
>> I wonder if this should use the existing document restore mechanism
>> that OpenOffice has to recover from a crash?
>>
>> -Rob
>>
>> > Here is the code in main\vcl\win\source\window\salframe.cxx.
>> >
>> > ......
>> > LRESULT CALLBACK SalFrameWndProc( HWND hWnd, UINT nMsg, WPARAM wParam, LPARAM lParam, int& rDef )
>> > {
>> >     ......
>> >         case WM_QUERYENDSESSION:
>> >             if( !bInQueryEnd )
>> >             {
>> >                 // handle queryendsession only once
>> >                 bInQueryEnd = TRUE;
>> >                 nRet = !ImplHandleShutDownMsg( hWnd );
>> >                 rDef = FALSE;
>> >
>> >                 // Issue #16314#: ImplHandleShutDownMsg causes a PostMessage in case of allowing shutdown.
>> >                 // This posted message was never processed and cause Windows XP to hang after log off
>> >                 // if there are multiple sessions and the current session wasn't the first one started.
>> >                 // So if shutdown is allowed we assume that a post message was done and retrieve all
>> >                 // messages in the message queue and dispatch them before we return control to the system.
>> >
>> >                 if ( nRet )
>> >                 {
>> >                     MSG msg;
>> >
>> >                     while( PeekMessage( &msg, NULL, 0, 0, PM_REMOVE ) )
>> >                     {
>> >                         DispatchMessage( &msg );
>> >                     }
>> >                 }
>> >             }
>> >             else
>> >             {
>> >                 ImplSalYieldMutexAcquireWithWait();
>> >                 ImplSalYieldMutexRelease();
>> >                 rDef = TRUE;
>> >             }
>> >             break;
>> >
>> >         case WM_ENDSESSION:
>> >             if( !wParam )
>> >                 bInQueryEnd = FALSE; // no shutdown: allow query again
>> >             nRet = FALSE;
>> >             rDef = FALSE;
>> >             break;
>> >     ......
>> >
>> > 2012/6/15 Huaidong Qiu <qiuhuaid...@gmail.com>
>> >
>> >> About the fonts AOO installed into the system font directory, I did some
>> >> verification on Windows XP.
>> >>
>> >> 1. AOO archive package packs those font inside the package, you can find
>> >> them here Basis\share\fonts\truetype.
>> >>
>> >> 2. Install AOO, then remove one of the fonts AOO installed,
>> >> Arimo-Bold.ttf, Arimo-BoldItalic.ttf, Arimo-Italic.ttf, Arimo-Regular.ttf,
>> >> from the system font directory. Open installed AOO, the font name
>> >> disappears from the font list of AOO.
>> >>
>> >> 3. Copy directory Basis\share\fonts\truetype from archive package to the
>> >> install directory. Open installed AOO, the font name comes back.
>> >>
>> >> So I think we can pack the needed fonts into the installer package
>> >> as archive package did. Then we can safely remove those fonts from the
>> >> install directory without affecting other applications.
>> >>
>> >> Any ideas?
>> >>
>> >> On Thu, Jun 14, 2012 at 4:06 PM, Lin Yuan <yuanlin....@gmail.com> wrote:
>> >>
>> >> > About issue5 that support multiple user sessions, as tested by Yan Ji on a
>> >> > Windows 2008 server. When allow one user to remote log in with multiple
>> >> > sessions, AOO 3.4 is not stable and will crash after some operations.
>> >> >
>> >> > To support multiple sessions for one user, I think only rearchitect single
>> >> > IPC to TS session management is not enough.
>> >> > If allow multiple AOO instances
>> >> > can be run isolated for one user, the data in user directory must be
>> >> > synchronized correctly for those AOO instances as they all share the same
>> >> > user directory. The data may include extensions, .xcu and other
>> >> > configuration files. So I think the simplest way to be certified
>> >> > with Windows 8 in this section is do below thing mentioned in Certification
>> >> > requirements for Windows 8
>> >> >
>> >> > "If an app does not support multiple user sessions or remote access, it
>> >> > must clearly state this when launched from this kind of session"
>> >> >
>> >> > That is, when AOO is launched, check if there is another AOO instance in a
>> >> > different TS session but for the same user. If there is, pop up a warning
>> >> > dialog and exit.
>> >> >
>> >> > 2012/6/12 Liu Da Li <wawal...@gmail.com>
>> >> >
>> >> > > I have created five items on Bugzilla to track these issues.
>> >> > >
>> >> > > - Issue 1. Test for "Section 3 Apps support Windows security features"
>> >> > >   is failed. Bugzilla ID 119946 link:
>> >> > >   <https://issues.apache.org/ooo/show_bug.cgi?id=119946>
>> >> > >
>> >> > > - Issue 2. Test for "Section 4 Apps must adhere to system restart
>> >> > >   manager messages" is failed. Bugzilla ID 119947 link:
>> >> > >   <https://issues.apache.org/ooo/show_bug.cgi?id=119947>
>> >> > >
>> >> > > - Issue 3. Test for "Section 5 Apps must support a clean, reversible
>> >> > >   installation" is failed. Bugzilla ID 119948 link:
>> >> > >   <https://issues.apache.org/ooo/show_bug.cgi?id=119948>
>> >> > >
>> >> > > - Issue 4. Test for "Section 6 Apps must digitally sign files and
>> >> > >   drivers" is failed. Bugzilla ID 119949 link:
>> >> > >   <https://issues.apache.org/ooo/show_bug.cgi?id=119949>
>> >> > >
>> >> > > - Issue 5. Test for "Section 11 Apps must support multi-user sessions"
>> >> > >   is not tested by Windows App Certification Kit. Bugzilla ID 119950 link:
>> >> > >   <https://issues.apache.org/ooo/show_bug.cgi?id=119950>
>> >> > >
>> >> > > Anyone please help to check them, confirm them and fix them.
>> >> > >
>> >> > > 2012/6/12 XiuLi Xu <susan.dongd...@gmail.com>
>> >> > >
>> >> > > > Hi All,
>> >> > > >
>> >> > > > I uploaded the detailed test result and Windows 8 related links in the
>> >> > > > wiki document, Windows App Certification Kit Test Results for Apache
>> >> > > > OpenOffice 3.4
>> >> > > > <http://wiki.services.openoffice.org/wiki/Documentation/Windows_App_Certification_Kit_-_Test_Results_for_Apache_OpenOffice_3.4>
>> >> > > >
>> >> > > > On Mon, Jun 11, 2012 at 2:48 PM, Liu Da Li <wawal...@gmail.com> wrote:
>> >> > > >
>> >> > > > > There are so many items in the Windows 8 certification list. I tried to
>> >> > > > > go through it and found that there are maybe about 43 TODO items for us
>> >> > > > > to do the certification. Most of the TODO items are just verification
>> >> > > > > jobs, but some code changes may be needed for sections 4.1, 5.1,
>> >> > > > > 9.1, 10.2, 11.7.
>> >> > > > > I have tried to verify some items; the results are marked in green.
>> >> > > > > Herbert1 also went through the list; I put his results at the end of
>> >> > > > > each section.
>> >> > > > >
>> >> > > > > Items which may need some code changes
>> >> > > > > ------------------------------------------------
>> >> > > > > 4.1 Your app must handle critical shutdowns appropriately
>> >> > > > > In a critical shutdown, apps that return FALSE to WM_QUERYENDSESSION will
>> >> > > > > be sent WM_ENDSESSION and closed, while those that time out in response to
>> >> > > > > WM_QUERYENDSESSION will be terminated.
>> >> > > > > 5.1 Your app must properly implement a clean, reversible installation
>> >> > > > > If the installation fails, the app should be able to roll it back and
>> >> > > > > restore the machine to its previous state.
>> >> > > > > 9.1 Your app must have a manifest that defines execution levels and tells
>> >> > > > > the operating system what privileges the app requires in order to run
>> >> > > > > The app manifest marking only applies to EXEs, not DLLs. This is because
>> >> > > > > UAC does not inspect DLLs during process creation. It is also worth noting
>> >> > > > > that UAC rules do not apply to Windows Services. The manifest can be either
>> >> > > > > embedded or external.
>> >> > > > > To create a manifest, create a file with the name <app_name>.exe.manifest
>> >> > > > > and store it in the same directory as the EXE. Note that any external
>> >> > > > > manifest is ignored if the app has an internal manifest. For example:
>> >> > > > > <requestedExecutionLevel level="asInvoker | highestAvailable | requireAdministrator" uiAccess="true|false"/>
>> >> > > > > 10.2 Your app must avoid starting automatically on startup
>> >> > > > > For example, your app should not set any of the following;
>> >> > > > > Registry run keys HKLM and, or HKCU under
>> >> > > > > Software\Microsoft\Windows\CurrentVersion
>> >> > > > > Registry run keys HKLM, and or HKCU under
>> >> > > > > Software\Wow6432Node\Microsoft\windows\CurrentVersion
>> >> > > > > Start Menu AllPrograms > STARTUP
>> >> > > > > 11.7 Your app must check other terminal service (TS) sessions for existing
>> >> > > > > instances of the app
>> >> > > > > Note: If an app does not support multiple user sessions or remote access,
>> >> > > > > it must clearly state this when launched from this kind of session.
>> >> > > > >
>> >> > > > > ------------------------------------------------
>> >> > > > > Full TODO items.
>> >> > > > >
>> >> > > > > 1. Apps are compatible and resilient
>> >> > > > > 1.1 Your app must not take a dependency on Windows compatibility modes,
>> >> > > > > AppHelp message, and or any other compatibility fixes
>> >> > > > > TODO 1.1 : Need verification, don't depend.
>> >> > > > > 1.2 Your app must not take a dependency on the VB6 runtime
>> >> > > > > TODO 1.2 : Need verification, don't depend.
>> >> > > > > 1.3 Your app must not load arbitrary DLLs to intercept Win32 API calls
>> >> > > > > using HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows
>> >> > > > > AppInit_dlls.
>> >> > > > > TODO 1.3 : Need verification, don't load.
>> >> > > > > Herbert1: Win8 Cert Section 1 : ok
>> >> > > > >
>> >> > > > > 2. Apps must adhere to Windows Security Best Practices
>> >> > > > > 2.1 Your app must use strong and appropriate ACLs to secure executable
>> >> > > > > files
>> >> > > > > TODO 2.1 : Need verification
>> >> > > > > 2.2 Your app must use strong and appropriate ACLs to secure directories
>> >> > > > > TODO 2.2 : Need verification
>> >> > > > > 2.3 Your app must use strong and appropriate ACLs to secure registry keys
>> >> > > > > TODO 2.3 : Need verification
>> >> > > > > 2.4 Your app must use strong and appropriate ACLs to secure directories
>> >> > > > > that contain objects
>> >> > > > > TODO 2.4 : Need verification
>> >> > > > > 2.5 Your app must reduce non-administrator access to services that are
>> >> > > > > vulnerable to tampering
>> >> > > > > TODO 2.5 : Need verification
>> >> > > > > 2.6 Your app must prevent services with fast restarts from restarting more
>> >> > > > > than twice every 24 hours
>> >> > > > > TODO 2.6 : Need verification
>> >> > > > > Herbert1: Win8 Cert Section 2 : if the MSI based installer does it, it is
>> >> > > > > fine, we are using nsis-2.46 for building the MSI package but Windows itself
>> >> > > > > does the installation of the MSI packages
>> >> > > > >
>> >> > > > > 3. Apps support Windows security features
>> >> > > > > 3.1 Your app must not use AllowPartiallyTrustedCallersAttribute (APTCA) to
>> >> > > > > ensure secure access to strong-named assemblies
>> >> > > > > TODO 3.1 : Need verification,
>> >> > > > > 3.2 Your app must be compiled using the /SafeSEH flag to ensure safe
>> >> > > > > exceptions handling
>> >> > > > > TODO 3.2 : Need verification, we use it
>> >> > > > > 3.3 Your app must be compiled using the /NXCOMPAT flag to prevent data
>> >> > > > > execution
>> >> > > > > TODO 3.3 : Need verification, we use it
>> >> > > > > 3.4 Your app must be compiled using the /DYNAMICBASE flag for address space
>> >> > > > > layout randomization (ASLR)
>> >> > > > > TODO 3.4 : Need verification, we use it
>> >> > > > > 3.5 Your app must not Read/Write Shared PE Sections
>> >> > > > > TODO 3.5 : Need verification,
>> >> > > > > Herbert1: Win8 Cert Section 3 : we are running with SafeSEH, NXCOMPAT,
>> >> > > > > DYNAMICBASE, but the libraries we ship have to be modified to use these
>> >> > > > > flags too, I'm almost certain that we don't use APTCA, I'm not so sure about
>> >> > > > > the RW PW Sections, but I guess we do not have any.
>> >> > > > >
>> >> > > > > 4. Apps must adhere to system restart manager messages
>> >> > > > > 4.1 Your app must handle critical shutdowns appropriately
>> >> > > > > TODO 4.1 : Need verification,
>> >> > > > > 4.2 A GUI app must return TRUE immediately in preparation for a restart
>> >> > > > > TODO 4.2 : Need verification, we do
>> >> > > > > 4.3 Your app must return 0 within 30 seconds and shut down
>> >> > > > > TODO 4.3 : Need verification, we do
>> >> > > > > Herbert1: Win8 Cert Section 4 : WM_QUERYENDSESSION needs to be
>> >> > > > > implemented, these new messages are currently ignored
>> >> > > > >
>> >> > > > > 5. Apps must support a clean, reversible installation
>> >> > > > > 5.1 Your app must properly implement a clean, reversible installation
>> >> > > > > TODO 5.1 : Need verification,
>> >> > > > > 5.2 Your app must never force the user to restart the computer immediately
>> >> > > > > TODO 5.2 : Need verification, we never
>> >> > > > > 5.3 Your app must never be dependent on 8.3 short file names (SFN)
>> >> > > > > TODO 5.3 : Need verification, we never
>> >> > > > > 5.4 Your app must never block silent install/uninstall
>> >> > > > > TODO 5.4 : Need verification,
>> >> > > > > 5.5 Your app installer must create the correct registry entries to allow
>> >> > > > > successful detection and uninstalls
>> >> > > > > TODO 5.5 : Need verification,
>> >> > > > > Herbert1: Win8 Cert Section 5: making sure that the registry entries and
>> >> > > > > files are restored is difficult
>> >> > > > >
>> >> > > > > 6. Apps must digitally sign files and drivers
>> >> > > > > 6.1 All executable files (.exe, .dll, .ocx, .sys, .cpl, .drv, .scr) must be
>> >> > > > > signed with an Authenticode certificate
>> >> > > > > TODO 6.1: Need to do digitally sign
>> >> > > > > Herbert1: Win8 Cert Section 6: Having authentication credentials would be
>> >> > > > > good even if we don't pursue Win8 shop certification
>> >> > > > >
>> >> > > > > 7. Apps don’t block installation or app launch based on an operating system
>> >> > > > > version check
>> >> > > > > 7.1 Your app must not perform version checks for equality
>> >> > > > > TODO 7.1 : Need verification,
>> >> > > > > Herbert1: Win8 Cert Section 7: We are doing win-version checks, but I'm
>> >> > > > > almost certain that it is not a check for equality. Needs to be checked
>> >> > > > > though.
>> >> > > > >
>> >> > > > > 8. Apps don’t load services or drivers in safe mode
>> >> > > > > TODO 8 : Need verification, we don't
>> >> > > > >
>> >> > > > > 9. Apps must follow User Account Control guidelines
>> >> > > > > 9.1 Your app must have a manifest that defines execution levels and tells
>> >> > > > > the operating system what privileges the app requires in order to run
>> >> > > > > TODO 9.1 : Need verification,
>> >> > > > > 9.2 Your app’s main process must be run as a standard user (asInvoker).
>> >> > > > > TODO 9.2 : Need verification,
>> >> > > > >
>> >> > > > > 10. Apps must install to the correct folders by default
>> >> > > > > 10.1 Your app must be installed in the Program Files folder by default
>> >> > > > > TODO 10.1: Need verification, we do
>> >> > > > > 10.2 Your app must avoid starting automatically on startup
>> >> > > > > TODO 10.2: Need verification, the quick start is an issue
>> >> > > > > 10.3 Your app data, which must be shared among users on the computer,
>> >> > > > > should be stored within ProgramData
>> >> > > > > TODO 10.3: Need verification, we do
>> >> > > > > 10.4 Your app’s data that is exclusive to a specific user and that is not
>> >> > > > > to be shared with other users of the computer, must be stored in
>> >> > > > > Users\<username>\AppData
>> >> > > > > TODO 10.4: Need verification, we do
>> >> > > > > 10.5 Your app must never write directly to the "Windows" directory and or
>> >> > > > > subdirectories
>> >> > > > > TODO 10.5: Need verification, we never
>> >> > > > > 10.6 Your app must write user data at first run and not during the
>> >> > > > > installation in “per-machine” installations
>> >> > > > > TODO 10.6: Need verification, we do
>> >> > > > >
>> >> > > > > 11. Apps must support multi-user sessions
>> >> > > > > 11.1 Your app must ensure that when running in multiple sessions either
>> >> > > > > locally or remotely, the normal functionality of the app is not adversely
>> >> > > > > affected
>> >> > > > > TODO 11.1: Need verification,
>> >> > > > > 11.2 Your app’s settings and data files must not persist across users
>> >> > > > > TODO 11.2: Need verification,
>> >> > > > > 11.3 A user’s privacy and preferences must be isolated to the user’s
>> >> > > > > session
>> >> > > > > TODO 11.3: Need verification,
>> >> > > > > 11.4 Your app’s instances must be isolated from each other
>> >> > > > > TODO 11.4: Need verification,
>> >> > > > > 11.5 Apps that are installed for multiple users must store data in the
>> >> > > > > correct folder(s) and registry locations
>> >> > > > > Refer to the UAC requirements.
>> >> > > > > TODO 11.5: Need verification,
>> >> > > > > 11.6 User apps must be able to run in multiple user sessions (Fast User
>> >> > > > > Switching) for both local and remote access
>> >> > > > > TODO 11.6: Need verification,
>> >> > > > > 11.7 Your app must check other terminal service (TS) sessions for existing
>> >> > > > > instances of the app
>> >> > > > > TODO 11.7: Need verification,
>> >> > > > > Herbert1: Win8 Cert Section 11.7: we need to rearchitect our IPC to TS
>> >> > > > > session management
>> >> > > > >
>> >> > > > > 12. Apps must support x64 versions of Windows
>> >> > > > > 12.1 Your app must natively support 64-bit or, at a minimum, 32-bit
>> >> > > > > Windows-based apps must run seamlessly on 64-bit systems to maintain
>> >> > > > > compatibility with 64-bit versions of Windows
>> >> > > > > TODO 12.1: Need verification, AOO can be run on 64-bit system
>> >> > > > > 12.2 Your app and its installers must not contain any 16-bit code or rely
>> >> > > > > on any 16-bit component
>> >> > > > > TODO 12.2: Need verification, AOO does not contain 16-bit code
>> >> > > > > 12.3 Your app’s setup must detect and install the proper drivers and
>> >> > > > > components for the 64-bit architecture
>> >> > > > > TODO 12.3: Need verification,
>> >> > > > >
>> >> > > > > 2012/6/7 Rob Weir <robw...@apache.org>
>> >> > > > >
>> >> > > > > > I installed the Windows 8 Tech Preview (32-bit) today on a virtual
>> >> > > > > > server. After a few minutes to figure out the new platform UI I
>> >> > > > > > installed AOO 3.4. Install went without problems and it appears to
>> >> > > > > > run fine.
>> >> > > > > >
>> >> > > > > > Of course, there is more that we could do to be a well-integrated
>> >> > > > > > Windows desktop application. The best practices are outlined here:
>> >> > > > > > http://msdn.microsoft.com/library/windows/desktop/hh749939
>> >> > > > > >
>> >> > > > > > A lot of this is goodness that would help users on Windows 7 and
>> >> > > > > > earlier versions as well. For example, the code signing reduces the
>> >> > > > > > risk of tampering or corrupt files. It also reduces false complaints
>> >> > > > > > by some anti-virus products. The recommended compiler options help
>> >> > > > > > reduce the exploitability of security vulnerabilities, especially of
>> >> > > > > > the kind products run into reading binary file formats. More info on
>> >> > > > > > these options are here:
>> >> > > > > >
>> >> > > > > > http://blogs.msdn.com/b/vcblog/archive/2009/05/21/dynamicbase-and-nxcompat.aspx
>> >> > > > > >
>> >> > > > > > Did OpenOffice.org ever try for logo certification from Microsoft
>> >> > > > > > before? If so, what was the experience?
>> >> > > > > >
>> >> > > > > > I think it might be worth trying for this with AOO. It would take
>> >> > > > > > some work, but in the end we would have better platform integration,
>> >> > > > > > and a better user and admin experience.
>> >> > > > > >
>> >> > > > > > -Rob
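
Added example (not part of the original thread and not AOO project code): section 3 of the checklist, and Herbert1's note that the shipped libraries also need the flags, can be verified over an install tree by reading the DllCharacteristics field of each PE header for the /DYNAMICBASE and /NXCOMPAT bits. /SafeSEH is not covered because it is recorded in the load configuration directory rather than in this field; all function names are assumptions of this example, and build_sample_pe constructs header-only test input.

```python
import struct
from pathlib import Path

# DllCharacteristics bits defined by the PE/COFF specification.
DYNAMIC_BASE = 0x0040  # set by the linker option /DYNAMICBASE (ASLR opt-in)
NX_COMPAT = 0x0100     # set by the linker option /NXCOMPAT (DEP opt-in)
PE32, PE32_PLUS = 0x10B, 0x20B
BINARY_SUFFIXES = {".exe", ".dll", ".ocx", ".sys", ".cpl", ".drv", ".scr"}


class NotPE(ValueError):
    """Raised when the bytes do not carry a usable PE header."""


def read_dll_characteristics(data: bytes) -> int:
    """Return the 16-bit DllCharacteristics field of a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise NotPE("no MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise NotPE("no PE signature")
    coff = e_lfanew + 4                      # 20-byte COFF file header
    opt = coff + 20                          # optional header follows it
    if len(data) < opt + 72:
        raise NotPE("truncated optional header")
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (PE32, PE32_PLUS) or opt_size < 72:
        raise NotPE("unsupported optional header")
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+.
    return struct.unpack_from("<H", data, opt + 70)[0]


def audit(name: str, data: bytes) -> dict:
    """Report which of the two mitigation opt-ins a binary lacks."""
    try:
        flags = read_dll_characteristics(data)
    except NotPE as exc:
        return {"file": name, "status": "skipped", "reason": str(exc)}
    wanted = ((DYNAMIC_BASE, "/DYNAMICBASE"), (NX_COMPAT, "/NXCOMPAT"))
    missing = [label for bit, label in wanted if not flags & bit]
    return {"file": name, "status": "fail" if missing else "ok", "missing": missing}


def audit_tree(root: str) -> list:
    """Audit every executable-type file under an install directory."""
    return [audit(str(p), p.read_bytes())
            for p in sorted(Path(root).rglob("*"))
            if p.is_file() and p.suffix.lower() in BINARY_SUFFIXES]


def build_sample_pe(dll_characteristics: int, magic: int = PE32) -> bytes:
    """Constructed test input: PE headers only, not a loadable image."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew points just past the DOS header
    machine, opt_size = (0x014C, 96) if magic == PE32 else (0x8664, 112)
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x2102)
    optional = bytearray(opt_size)
    struct.pack_into("<H", optional, 0, magic)
    struct.pack_into("<H", optional, 70, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(optional)


if __name__ == "__main__":
    # Constructed file names and flag values.
    for name, flags in (("hardened.dll", DYNAMIC_BASE | NX_COMPAT), ("legacy.dll", 0)):
        print(audit(name, build_sample_pe(flags)))
    print(audit("readme.txt", b"plain text"))
```

Running audit_tree over the installed program directory lists every shipped binary, including third-party libraries, that still lacks one of the two opt-ins.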