Windows 7's Virtual XP Mode a Support Nightmare?
CWmike writes "Microsoft's decision to let Windows 7 users run Windows XP applications in a virtual machine may have been necessary to convince people to upgrade, but it could also create support nightmares, analysts said today. Gartner analyst Michael Silver outlines the downsides. 'You'll have to support two versions of Windows,' he said. 'Each needs to be secured, antivirused, firewalled and patched. If a company has 10,000 PCs, that's 20,000 instances of Windows.' The other big problem Silver foresees: Making sure the software they run is compatible with Windows 7. 'This is a great Band-Aid, but companies need to heal their applications,' Silver said. 'They'll be doing themselves a disservice if, because of XPM, they're not making sure that all their apps support Windows 7.'"
Re:Pardon me... (Score:2, Informative)
XP Mode is very different from either of those. Quite simply, XP Mode is an extension of Virtual PC that allows an application to appear like it's running directly from the host OS, when in fact it is running under a guest OS. Because of this, you have a new, virtual system that needs to be secured, just like any other system.
Smart move? (Score:4, Informative)
If you're going to run virtualized, why bother using Windows 7 as the host OS? Ubuntu can virtualize XP with Virtualbox-OSE, one install away. You only need a license and any system currently running XP can be upgraded to Ubuntu with XP virtualized.
Interesting times...
Re:Pardon me... (Score:5, Informative)
No, it was an actual 68LC040 emulator in software.
In fact, large chunks of the System were still written in 68040 code for a long time. So new releases of the OS would actually run faster and faster as that code was replaced with native versions.
Re:Inflated numbers? (Score:5, Informative)
> Why does every user need two operating systems? That seems awfully wasteful.
Because a non-free application that's no longer supported by its original publisher needs Windows XP, but the only OS of which Microsoft is selling new copies is Windows 7.
Re:Pardon me... (Score:4, Informative)
Exactly! Why is this an insanely great idea when Apple does it, and nothing but trouble when Microsoft does it?
For me, a Windows Power User, this is the best news I've had from MS in many, many years. Corporate IT shops will simply disable this "feature" if they don't want to support it; the rest of us will get the benefit anyway.
Re:Smart move? (Score:1, Informative)
> You only need a license...
That's the catch. You can't get those anymore, except by buying Windows 7. ;)
Re:So what, if true (Score:2, Informative)
Do you even realize just how much more there is to .net than the _relatively_few_ portions of it that wrap Win32? Or that there are versions of .net (even from Microsoft!) that don't even run _on_ Win32?
Re:Pardon me... (Score:1, Informative)
> Exactly! Why is this an insanely great idea when Apple does it, and nothing but trouble when Microsoft does it?
> For me, a Windows Power User, this is the best news I've had from MS in many, many years. Corporate IT shops will simply disable this "feature" if they don't want to support it; the rest of us will get the benefit anyway.
Actually XPM will be a download for PRO, ENT and ULT only, so there is nothing to disable.
Re:So what, if true (Score:4, Informative)
And not that I make a habit of replying to myself, but even the NT system calls are just a wrapper around the low-level interface provided by the graphics card, which are just a wrapper around the DVI or VGA signals that go out on the wire, which are just a wrapper around whatever the monitor actually uses internally, which are just a wrapper ...
OO syntax (in C++ almost entirely, in Java mostly, and in Smalltalk or Ruby a little bit) is just a wrapper around dealing with function pointers yourself, which with the rest of C is just a wrapper around assembly language, which is just a wrapper around machine code, which is just a wrapper around the actual architectural blocks of the chip, which are wrappers around gates, which are wrappers around transistors, etc.
Sure, some of these "wrappers" are more complicated than others, some provide more of an abstraction increase than others, but you can't dismiss something just because it's a "wrapper". In .Net's case, even the part that is "just" a wrapper around Win32 is a very useful one.
Re:Pardon me... (Score:1, Informative)
The thing is, even in beta, the virtual XP support is nothing short of horrible. It doesn't work.
7 by itself is decent, but people are going to be mighty pissed switching to something with false assurances that it will enable them to use XP dependent software.
RTFA!!! (Score:3, Informative)
Seriously, this sounds a lot better than XP's lame "compatibility mode" for Windows 98 and older that never seemed to work anyway.
Re:Yes but ... (Score:3, Informative)
IIRC it was a flaw in the QuickTime plugin (which is Swiss cheese) and not the browser itself.
Re:OK with Virtual Support (Score:2, Informative)
Re:Drivers? (Score:3, Informative)
USB is much harder to virtualise than PCI. PCI devices look like memory to the host. You could easily hack the HAL in Windows so that devices can appear on the virtualized machine. I'm not sure how the UI would work, but I could imagine you'd right click on a device in device manager and send it to the VM. The host version of Windows would then unload the driver and unmap the device from memory. Then it would map it into the guest address space and let plug and play do the rest.
USB, by contrast, is a complete pain. The host builds a structure in memory and the USB controller zips through it and generates the packets. Also, USB controllers are not hot pluggable from the point of view of Windows - you need to reboot the machine when they appear or disappear. What's worse is that one controller will typically control many devices - in fact on a netbook there is typically only one USB 2.0 controller in the whole system. And there are other issues too - the USB 2.0 controller only handles the USB 2.0 devices. USB 1.0 devices are handled by a companion controller. Both controllers have to be on the same machine.
Of course maybe you could have some sort of stub host controller driver on the guest machine that forwards the IRPs (device driver request packets) to the host. Looking at VMWare this is probably what it does.
Still, either of these requires extensive work in the host OS. And probably in the guest one too. There are horrible timing issues too with USB no matter what you do. Lots of USB device drivers are probably sensitive to timing; slow things down and they will bluescreen or stop working. And there are things like bus suspension.
I think you could do it, but it won't be reliable.
Of course, that's general USB device support. Specific cases like USB Mice and Keyboards are no problem at all, because the host handles the device access and can send messages with mouse position and keyboard scan codes into the guest. So it doesn't matter if the host has a USB mouse and keyboard. I think things like mass storage devices could be made to work too. The general case where you have ISO and interrupt endpoints or timing sensitive drivers that stream data and need to handle bus suspension is really hard however.
Re:Stupid, Stupid, Stupid... (Score:5, Informative)
Holy cow, how does this stuff get under the radar, especially on Slashdot?
Not directing this at the poster..
I am hit by about 80% of IT people not even realizing this exists, and there are a lot of people locked in a 'Windows' corporate world that would really enjoy this stuff, and could use it on a daily basis.
Quick Info...
POSIX was a watered down 'basic' UNIX model OS provided under Windows NT 3.1 through Win2K.
In the meantime MS sponsored and worked with several companies in their own UNIX subsystem technologies, and the result is SUA, or one that came from joint work with Interop and MS.
(MS made the Interop people very rich and bought them out in the early 2000s.)
So there has been a 'basic' POSIX environment running on NT since NT was born, but there has been a higher end UNIX subsystem that has been available around NT 4.0 and later provided by MS around the time Windows 2003 Server was released.
(So this has been free and around for at least 6 years.)
PS: MS also funded and worked with a couple of Linux (yes Linux) UNIX subsystems, but they haven't ever left R&D.
The current UNIX Subsystem for Windows provides SVR-5 and BSD UNIX. (And there are people doing Linux stuff as well on their own, but that is a non-issue as it is not an official MS-supported subsystem.)
So yes, Virginia, you can easily run UNIX applications on Windows, in a native subsystem - no VM - native, that uses the IPC and Object Manager abilities of the NT kernel architecture that gives the UNIX Subsystem communication to the Win32/Win64 subsystem. Meaning you can take your UNIX app and let it tap an ODBC database driver instead of using MySQL, as well as run on the Windows Desktop natively.
Two quick Links...
http://www.suacommunity.com/
http://technet.microsoft.com/en-us/library/cc771470.aspx
(There is a lot of information on the MS site and whitepapers all around, as well as even OSS sites that work with SUA as it is known.)
---
Even if you are just an IT person that is a UNIX CLI guru, break out the UNIX subsystem on Windows and go to town with your favorite UNIX CLI.
---
Again, it has been a free download from MS for XP or Windows Server since at least 2003, and it even ships on the Vista DVDs (Business & Ultimate), where it is just one click to install from the Add/Remove Windows Features/Components.
This is also one of the cool things about the NT architecture: the client/server kernel design that offsets and layers upper level OS API sets. NT also uses its 'hybrid' kernel to do things like this that OS X and Linux can't do, by allowing both direct and managed non-direct calls to let it create the upper layer OS subsystems with offset API kernel interfaces that are easily layered.
I hope that this helps *nix people using Windows or at least someone finds this cool and something that makes their life easier.
Stick your head out of the sand sometime (Score:5, Informative)
It's NOT the contest that proves it. Just read what the guy says and go investigate to see if what he is saying is true.
Just see: http://blogs.zdnet.com/security/?p=2941
and: http://news.cnet.com/8301-10784_3-9759132-7.html
Quote:
"With my Safari exploit, I put the code into a process and I know exactly where it's going to be. There's no randomization. I know when I jump there, the code is there and I can execute it there. On Windows, the code might show up but I don't know where it is. Even if I get to the code, it's not executable. Those are two hurdles that Macs don't have."
You don't have to be a genius to figure it out. OSX doesn't have the same protections. It doesn't even have the protections Windows XP SP2 has and that came out 5 years ago.
If you don't believe me, just get the opinion of any of the top security researchers on the security of OSX compared to XP/Vista.
The reason why OSX is not exploited as much as Windows is it is the equivalent of a house in a small village. Hardly anyone would bother to break in even if the door is unlocked.
There's no point creating a tiny network of zombies. A huge network is where the money is.
If I were a malware writer I'd be rubbing my hands with glee if OSX's market share goes up.
Apple makes cool stuff, but they don't make secure stuff.
Re:Yes but ... (Score:5, Informative)
And guess who is responsible for the code quality of QuickTime? Apple.
OSX is Swiss cheese too. It has dozens of setuid programs. It has no "DEP" - something that Windows XP had 5 years ago with service pack 2.
It's not just me claiming that. I know others who would say the same thing.
Both Charlie Miller and "Nils" say OSX is easier to exploit.
http://voices.washingtonpost.com/securityfix/2009/03/mac_os_x_top_target_in_browser.html
http://news.cnet.com/8301-10784_3-9759132-7.html
http://blogs.zdnet.com/security/?p=2941
Quotes:
"It's getting pretty hard to do a lot of this stuff on Windows Vista and Windows 7," Nils said. "Especially when a lot of people who stayed with [Windows XP] switch to Windows 7 because they didn't want Vista, the bad guys may start to figure out they can more easily exploit these bugs more reliably on a Mac."
"Mac OS X has some ASLR but not much, and there is no DEP in OS X," Miller said. "My exploit relied on exploit code being in certain spot, and that it would [execute], and in Vista neither of those things would have happened."
Re:Won't this largely depend on how well it works? (Score:4, Informative)
One of the features of Win7 that was announced early was that it can mount .VHD (Virtual Hard Disk, the format used by Virtual PC) natively (it can even boot off one, so long as the bootloader is on a real partition). So yes, the host AV *should* be able to protect the virtual system.
Firewall is just ridiculous; filter the VPC connection through the host (Win7) network interface, and the host's firewall is the guest's firewall. In fact, on current versions of VPC, if you want to connect the client to a network *without* running it through the host firewall, you need a dedicated NIC (i.e. the host can't connect via that interface).
OPTIONAL is the keyword here (Score:2, Informative)
This is just Microsoft trying to convince IT admins not to have application compatibility as an argument against Win7 migrations, and not requiring to implement dreaded MED-V like, Terminal Services, Remote Desktop XP, VDI solutions just to keep that darn ol' app running. That also requires maintenance of multiple operating systems, and in fact, just as many as there are instances of non-compatible apps.
Re:Drivers? (Score:4, Informative)
>USB is much harder to virtualise than PCI.
It is the other way round, very much for the reason that you mentioned. USB uses a data stream abstraction, and that can be virtualised (not easy, but possible). Most virtual machines can access USB devices on the host. But that is not possible for PCI, precisely because PCI works without this abstraction, and gives devices direct access to the memory. Because the interface to the DMA controller is different for each device, it is not possible to write a generic virtualisation layer.
Re:On the contrary... (Score:4, Informative)
> It makes XP the safe choice of API to write new code to.
Wrong. (The Home versions of Windows 7 will not support the Virtual XP mode.)