Windows 11 Is Getting the Ability To Run Win32 Apps In Isolation (xda-developers.com) 63
At its Build 2023 conference this week, Microsoft announced Windows 11 will soon be able to run Win32 apps in isolation mode. XDA Developers reports: Starting [today], Microsoft is launching a preview of Win32 apps in isolation for Windows 11 customers. As the name suggests, it will allow users to run Win32 apps in an isolated environment so that they can be sandboxed from the rest of the operating system in order to further strengthen security. The idea is to leverage Windows 11's isolation capabilities to run Win32 apps in an environment where they don't have access to critical Windows components and subsystems. This will ensure that if someone runs a compromised Win32 app in isolation, it will be very difficult for an attacker to break through the sandbox and penetrate the rest of the system. This capability will be available in public preview for both enterprise customers and consumers.
Win32 is Windows (Score:4)
Seems Microsoft finally accepted the inevitable, Win32 is Windows and thus need modern capability based sandboxing. The final nail in the coffin for UWP.
Now they can add modern capability restrictions to win32 apps on the Microsoft store, makes the windowsapps directory fuckery somewhat easier to accept (it has a hidden layer of security below ACLs).
Re:Win32 is Windows (Score:5, Interesting)
Seems Microsoft finally accepted the inevitable, Win32 is Windows and thus need modern capability based sandboxing. The final nail in the coffin for UWP.
How wrong you are, UWP was divided up and rebranded into subcomponents to get developers to compile for TPM enabled applications, aka their 20 years long quest to kill plaintext binaries is coming to fruition.
So microsoft and everyone in the industry is quite confident they will finally kill game and application piracy you don't seem to grasp they are back porting Xbox one tech to future PC's.
Go have read gents, over the next 20 years TPM will be requires for future windows, and windows 10/11 allows microsoft to police the internet for piracy because you forgot basic tenets of electronics - one or more PC's networked together become and behave as a single computer. AKA aka you can steal assembly instructions out of program apps and trap them on the other side of the internet and sell them back to a computer illiterate public because software is licensed not owned.
https://youtu.be/U7VwtOrwceo?t... [youtu.be]
See here by comments at morgan stanley conferenc in 2008:
https://www.gamesindustry.biz/... [gamesindustry.biz]
So UEFI and secure boot on modern PC's was to finally kill plaintext access to prevent you from having root access to the device. AKA the thing that allowed piracy during the DOS, win95, winxp and windows 7 era, was that microchips designed for your motherboard and cpu were plaintext assembly, there was no antipiracy tech built into the hardware.
Microsoft began a research program in 1997 with other industry players to kill the plaintext CPU's and it's been an industry wide initative for 20 years.
If you don't think they are capable of killing win32, you haven't been paying attention, they didn't NEED TO because software came under copyright allowing game companies to put online drm and back end the shit out of programs starting in 1997 with ultima online.
You can see here where the UO dev team says ultima the local application was cancelled for the client-server version of the game (aka the game you don't want).
Ultima online devs, on the end of Ultima as a local application:
https://youtu.be/lnnsDi7Sxq0?t... [youtu.be]
Richard garriot changed PC gaming history, EA and the rest of the PC game industry at the time were giving us levels and dedicated servers in every PC game back then (quake 1-3, Warcraft 1-3, diablo 1-2) that stopped after UO, when the war on local applications began. They started stealing whatever wasn't nailed down under the rebrand "MMO" so they didn't have to give us level editors or basic features like multiplayer game hosting.
Many of us wanted diablo 2 to get full modding, it didn't because everyone at blizzard saw the money Ultima online, Lineage and Everquest were making, so publishers immediately changed gears to convert their PC games in development to client-server applications and rebrand them mmo once UO and everquest were a success and printing money.
Pantents by microsoft:
http://web.elastic.org/~fche/m... [elastic.org]
See the patent abstract here:
"A digital rights management operating system protects rights-managed data, such as downloaded content, from access by untrusted programs while the data is loaded into memory or on a page file as a result of the execution of a trusted application that accesses the memory. To protect the rights-managed data resident in memory, the digital rights management operating system refuses to load an untrusted program into memory while the trusted application is executing or removes the data from memory before loading the untrusted program. If the untrusted program executes at the operating system level, such as a debugger
Re: (Score:3)
How wrong you are, UWP was divided up and rebranded into subcomponents to get developers to compile for TPM enabled applications, aka their 20 years long quest to kill plaintext binaries is coming to fruition.
So microsoft and everyone in the industry is quite confident they will finally kill game and application piracy you don't seem to grasp they are back porting Xbox one tech to future PC's.
Microsoft couldn't do this without really pissing off their enterprise customers that use and enforce their own signing CAs, which would be really bad for business. That and with the TPM being a modular component, it would literally enable plug-and-play modchips with no soldering required, and better yet, producing and distributing them would be perfectly legal, and the DMCA need not apply as LOC explicitly carved out exemptions specifically for this after Apple's lobbying backfired in their face:
https://ww [federalregister.gov]
Re: (Score:2)
Microsoft couldn't do this without really pissing off their enterprise customers that use and enforce their own signing CAs.
You don't grasp trusted computing was aimed at music, movies, games and microsoft OS specficially - aka it was designed specifically for entertianment, to turn the home pc into a locked down computing device. To turn the PC into a console, that's why windows 10 had forced updates, you really need to look at all the recent patents by microsoft if you doubt what I'm saying. Just google "microsoft patent drm anti piracy" or "microsoft drm secure os" you'll find a tonne of shit pretty fast.
"
Re:Win32 is Windows (Score:4, Insightful)
You don't grasp trusted computing was aimed at music, movies, games and microsoft OS specficially - aka it was designed specifically for entertianment, to turn the home pc into a locked down computing device.
I'm well aware of the original intentions behind trusted computing, but I've been working with TPM lately, and all of said work involves run of the mill security such as key attestation on behalf of the user, not DRM. I've yet to see a single application that uses it for DRM. They may exist, but I've yet to run into one. Even if something out there does use it for that, that doesn't change the fact that it's a very poor choice.
Re: (Score:2)
You don't grasp trusted computing was aimed at music, movies, games and microsoft OS specficially - aka it was designed specifically for entertianment, to turn the home pc into a locked down computing device.
I'm well aware of the original intentions behind trusted computing, but I've been working with TPM lately, and all of said work involves run of the mill security such as key attestation on behalf of the user, not DRM. I've yet to see a single application that uses it for DRM.
The whole point is the future, lets remember the game industry got what it wanted because most of our species is ignorant about the evils of mainframe computing (aka steam, mmos, free to play game model). They've successfully stolen (back ended) all the games by taking advantage of the stupid and computer illiterate among the kids and professionals.
Where in mass effect 3 and transformers fall of cybertron, their multiplayer is living on a remote server instead of coming inside the game like it did in the 9
Re: (Score:2)
CTRL-F "plaintext" https://web2.qatar.cmu.edu/cs/ [cmu.edu]... [cmu.edu]
That's nice and all, but a TPM is really only as trustworthy as A) the manufacturer, and B) the person who put it there. If they're relying on the TPM to keep those bits encrypted, they're in for a world of hurt. That whole model relies purely on chain of trust, which is only as strong as the weakest link. Given the TPM is easily replaceable, it's a very weak link. Let's assume somebody starts with an already encrypted disk with e.g. bitlocker. There, nothing plaintext right? Well, all they have to do is ba
Re: (Score:2)
CTRL-F "plaintext" https://web2.qatar.cmu.edu/cs/ [cmu.edu]... [cmu.edu]
That's nice and all, but a TPM is really only as trustworthy as A) the manufacturer, and B) the person who put it there. If they're relying on the TPM to keep those bits encrypted, they're in for a world of hurt. That whole model relies purely on chain of trust, which is only as strong as the weakest link. Given the TPM is easily replaceable, it's a very weak link. Let's assume somebody starts with an already encrypted disk with e.g. bitlocker. There, nothing plaintext right? Well, all they have to do is back up whatever data they want to keep, let's say saved games in this case, then swap in a custom TPM, wipe their disk, reinstall the OS, and any keys on the custom TPM are theirs to do whatever they want with.
See this:
https://learn.microsoft.com/en... [microsoft.com]
EKCert EK Certificate. A TPM manufacturer-issued certificate for EKPub. Not all TPMs have EKCert.
In other words, windows 11 only requires a spec compliant TPM. It doesn't care what certificates are on it, who signed them or if they're even on it at all. So they've already missed that boat if they were counting on it. At this point, the TPM is really only an additional protection against software-based tampering.
The TPM spec is constantly being updated, aka they are still working out the bugs, I have no doubt by windows 13/14 we'll see some serious lockdown.
Re: Win32 is Windows (Score:2)
The TPM spec is constantly being updated, aka they are still working out the bugs, I have no doubt by windows 13/14 we'll see some serious lockdown.
That would be one hell of a serious uphill battle. Microsoft isn't the only one who uses TPM. Among others, so does Apple. Many Linux vendors also use it. I think between all of the parties that have a vested interest, it would be pretty hard to get them all to agree on a common set of policies for who could get certificates added to the PKI and who couldn't, or even which PKI they'd all settle on.
And then of course, you'd obviously have multiple hardware implementations, and if any one of them has an imple
Re: (Score:2)
They backtracked on forcing windows games into the windowsapps jail. You are now allowed to install a Gamepass game in a normal directory with full user control to mess with it, because that's what popular mods do.
Maybe they had plans to put everything in a walled garden, but that was before they remembered their market power is shit and they need every little advantage they can.
Re: (Score:1)
They backtracked on forcing windows games into the windowsapps jail. You are now allowed to install a Gamepass game in a normal directory with full user control to mess with it, because that's what popular mods do.
Maybe they had plans to put everything in a walled garden, but that was before they remembered their market power is shit and they need every little advantage they can.
Maybe you missed the last 23 years of mmos? aka mmos are literally stolen PC games. They were specifically designed to kill local applications like quake 1-3, Warcraft 1-3, starcraft 1, diablo 1-2.
Go look at the post mortem by the ultima online devs here, notice that there were no ultima 10/11/12s with dedicated servers and level editors once Ultima online beta was a success everyone at EA woke up to the fact the internet could be used to steal assembly instructions out of PC games, slap them into a sepe
Re: (Score:2)
Yet Todd is still making AAA single player RPGs and always online DRM died a quiet death.
The market is competetive, there are plenty of devs willing to take your money. Microsoft isn't going to force everything online either, as I said Gamepass actually got less restrictive, not more.
Re: (Score:2)
Yet Todd is still making AAA single player RPGs and always online DRM died a quiet death.
It didn't die a quiet death you idiots, windows 10/11 is a DRM client server operating system, counterstrike is now owned by valve not by us because of its integration with steams malware, the whole point was so that they could engage in hostile monetization, aka it didn't die. Diablo 3/4 are totally server locked, instead of having dedicated servers+level editing and modding. AKA the hope in the mid 90's when diablo 1 was released was that future versions of diablo 2+ would have full blown modding, level
Re: (Score:3)
You need to look outside the AAA "service" games. Most of my steam library is full of single player, offline, DRM-free indie or AA games. If you don't like Steam for whatever reason, there's itch.io or GoG or Humble. Lots of devs will also just take your money directly.
Re: (Score:2)
You need to look outside the AAA "service" games
You don't grasp, SaaS was the end goal, aka they are the same games of the 90's just converted to client-server apps. The whole point over the last 20 years beginning with ultima online in 97 was to confuse the mmo buying public so they could convert all big budget AAA PC games to client-server applications, and run off with all the games and all the money.
Re:Win32 is Windows (Score:5, Insightful)
Mate... this is some high-level nonsense. You're conflating two completely separate phenomena. I came up during the DOS gaming era, so I recall this stuff well.
MMOs didn't develop out of some weird scheme to force games to be client-server but with the client owned and controlled by the developer and publisher. That may have been part of the business case to develop the game, but it wasn't the reason the games were conceived and designed that way.
Massively-multiplayer games were just an old genre made new again. MMOs grew directly out of old MUDs from the 70s and 80s, where the entire game was on a remote server and you connected via a terminal. The primary draw of the genre is that they're a persistent world filled with other players where people can share experiences, and while some games (Neverwinter Nights) experimented with a distributed model where players ran their own worlds and crafted their own stories and quests it turned out to be quite limited; interaction between worlds was virtually non-existent, and the worlds and communities were generally very small.
To have a truly integrated, persistent, shared world able to support thousands of simultaneous players and that is also a functional, playable, engaging game, it turns out you need the following:
1. A dedicated development team with a shared vision and strong direction.
2. Server and network infrastructure to support it.
3. A business model that allows you to recoup the costs of the above.
Hence, the modern MMO and its business model. Consider the development budget and operational costs of almost any mainstream MMO - it's simply out of the scope of anything that could be accomplished outside of a corporate developed and publisher supported project.
Point is, the MMO grew out of actual player demand for this type of game. The MMO experience may have proved to be somewhat shallow in the long-term, but let me tell you, setting foot into Norrath (the world of Everquest) for the first time back in 1999 was an unforgettable experience. An actual 3D world, full of monsters, NPCs but - most importantly - other real people that you could enter and leave at will, and things would continue in your absence just like in the real world... that was a revelation, not a conspiracy.
I could go on for several more pages re: DRM and Steam and publisher greed but I don't have time right now. Regardless, the MMO wasn't a power-grab or a concerted step towards maintaining publisher control and it has nothing to do with TPS or DRM. It was simply the most feasible way to deliver an experience that players genuinely wanted.
Re: (Score:2)
other real people that you could enter and leave at will
Ah, punctuation, we meet again my old nemesis. My kingdom for an Edit button.
Re: (Score:2)
other real people that you could enter and leave at will
Ah, punctuation, we meet again my old nemesis. My kingdom for an Edit button.
Well, in fairness, there were some MUDs that were mostly about being able to enter and leave people at will. I'd be shocked if there aren't some MMORPGs with that as their basic premise. No, I don't want links.
Re: (Score:2)
Mate... this is some high-level nonsense.
It would be helpful if you HAD ANY CLUE how the game industry chooses which games to fund, perhaps you should actually listen to ultima online devs about how local application ultimas cancelled:
https://youtu.be/lnnsDi7Sxq0?t... [youtu.be]
Get some reading comprehension buddy the ultima TEAM ADMITS UO killed PC RPG's as local applications, aka instead of getting ultima 10/11/12 with dedicated servers+level editors.
So no you are the one who thinks "MMO's" have magical networking code, they don't you are an irrational low
Re: (Score:2)
It would be helpful if you HAD ANY CLUE how the game industry chooses which games to fund, perhaps you should actually listen to ultima online devs about how local application ultimas cancelled: https://youtu.be/lnnsDi7Sxq0?t [youtu.be]... [youtu.be]
I've seen that video before. The point he made was that EA (publisher) made a business decision to move all of Origin's dev team over to UO, which meant U9 got cancelled.
Why did EA make that decision? Because 50,000 people had just paid $5 each to be beta testers. EA saw the overwhelming demand for a massively-multiplayer Ultima game, and made the correct decision to support it. It was a shame that meant that U9 went down, but it's hard to argue that UO wasn't a massive success for EA and Origin.
Get some reading comprehension buddy the ultima TEAM ADMITS UO killed PC RPG's as local applications, aka instead of getting ultima 10/11/12 with dedicated servers+level editors.
They said n
Re: (Score:2)
They said no such thing.
They did say that you idiot, aka in case you hadn't noticed idiot there every ultima before UO was a local application, everyone was waiting for future versions of ultima to get dedicated servers, level editors like quake, descent, warcraft 2.
AKA why would I fund PC games as local applications when I can fund client-server locked PC games, you idiot, since quake, descent and warcraft 3 can easily be converted to a client-server app (server locked) now all future games would be server locked.
You clearly have
Re: (Score:2)
In the end, Quake and UO are completely different gametypes, running on completely different engines with completely different strengths and limitation
And this right here proves you are computer illiterate, ANY Game can be made in a game engine idiot, we could easily dump assets from Ultima online into quake 2 engine and have limitless players hanging off the multiplayer menu, aka the ability to host your own servers came inside the game, you don't seem to grasp they were just carving back the networking code into a seperate exe, coding it in a fraudulent way and selling it back to you as some new type of game.
Re: (Score:2)
Win32 is legacy Windows, not current. Windows 11 doe snot come in a 32-bit variety, though Win32 applications still run through backwards-compatibility support.
Re: (Score:3)
Win32 is just the general name of the API, on 64-bit windows it only exists as a 64-bit version. 32-bit applications run through a subsystem that acts as a compatibility layer.
Re: (Score:2, Informative)
The 64-bit version is called...win64.
https://en.wikipedia.org/wiki/... [wikipedia.org]
You are correct about the compatibility layer.
Re: (Score:2)
I haven't seen any Microsoft documentation that refers to it as anything other than Win32, even on 64-bit, and I've been through them quite a bit lately. I looked at the wikipedia citations on the page you linked and the ones that aren't dead links don't mention Win64. Wikipedia is pretty bad. Treat it a lot like you would one of these modern AI tools: Good for finding information, but at the end of the day don't ever trust it.
Re: (Score:3)
The first google link on "win64 api" refutes this
"The transition happened around the turn of the century. 64 bit versions of Windows using the 64 bit version of Win32 have been in use for a long time now. However, the 64 bit version of Win32 is still known as Win32 since it is essentially an identical interface with the only major difference being different sized pointers."
The api is called win32. The platform is called x64.
Re: (Score:2)
Win32 and Win64 APIs are basically the same. The Win32 system DLLs don't actually do anything, they just call the 64 bit version of things.
Most people just use Win32 as a shorthand for both the 32 & 64 bit versions.
Re: (Score:1)
The 64-bit version is not called Win32, it's called...Win64.
https://en.wikipedia.org/wiki/... [wikipedia.org]
Sure, 32-bit app support in Windows 11 might be just a thunking layer, but that doesn't make them the same thing, nor does it clearly indicate that this isolation layer covers both win32 and win64.
Re: (Score:2)
No, Win32 is used by most developers as a synonym for Windows on 32 or 64 bit, and a name for the APIs.
_WIN32 Defined as 1 when the compilation target is 32-bit ARM, 64-bit ARM, x86, or x64. Otherwise, undefined. [microsoft.com]
Re: (Score:2)
+1, there's no better way to settle this than by referring to the actual Microsoft header files
Re: (Score:2)
Interesting that your link has the following:
_WIN32 Defined as 1 when the compilation target is 32-bit ARM, 64-bit ARM, x86, or x64. Otherwise, undefined.
_WIN64 Defined as 1 when the compilation target is 64-bit ARM or x64. Otherwise, undefined.
Re: (Score:1)
Re: (Score:2)
The 64-bit version is not called Win32, it's called...Win64.
Sure, 32-bit app support in Windows 11 might be just a thunking layer, but that doesn't make them the same thing, nor does it clearly indicate that this isolation layer covers both win32 and win64.
Win32 is the name of API interface windows software is written to. It doesn't mean exclusively software that runs in a 32-bit memory space. In the context of TFA they are talking about the interface not whether the software is 32 or 64 bit.
Re: (Score:2)
It's just Win32, the compatibility subsystem you're referring to is wow64. The closest thing to a successor is WinRT, which is somewhat crippled unless you're using the thankfully basically dead abomination they call UWP.
https://learn.microsoft.com/en... [microsoft.com]
Re: (Score:2)
This started with Windows Vista, it's not new.
On Vista the filesystem and the registry were virtualized for apps. Microsoft has been moving quite slowly because it doesn't want to break backwards compatibility too much. Every new version of Windows breaks a bit more in the name of security and app isolation, but they rarely do anything between major versions that creates new compatibility problems.
Things changed a bit with Windows 10 and continual updates. Now you get breaking changes between major releases
VM (Score:2)
If you run Win11 in a VM is that double isolation?
can they use network? directx? OLE? sound? (Score:2)
can they use network? directx? OLE? sound?
Re: (Score:2)
Why wouldn't they? This is just virtualization
Re: (Score:2)
It's not virtualization, it only relies on process isolation. This is AppContainer for Win32.
yo dawg (Score:2)
I heard you like isolation so I put some isolation in your isolation.
Re: (Score:2)
Based on their description, it sounds more analogous to docker than a VM.
After all these years (Score:4)
Windows can finally run Windows apps.
Might help combat malware (Score:3)
If untrusted downloads or email attachments are forced to run in "isolation mode" this could be a good thing.
Re: (Score:2)
Re: (Score:2)
Or it might help if the untrusted downloads were blocked
Depending on how the blocking is configured, this can heavily inconvenience users of applications distributed as free software. Individuals and smaller businesses that develop free software tend not to have the finances to pay for the overhead of getting an application for Windows officially trusted by Microsoft.
Re: (Score:2)
That root of trust is / should be the device owner. If the device owner chooses to trust Microsoft, then that's one thing, but the device owner should have the final say on their own device(s). The reason that is not the case for most is because of their own ignorance and willful surrendering of control. So in that regard, the answer is simple: You want to run your own binaries? Fine, don't give the final say over your CPU's actions to
Two ways Microsoft is Windows sole root of trust (Score:2)
If you use Windows as your device's primary operating system, then "the root of trust is solely comprised of Microsoft" in two areas. One is kernel-mode code signing. From "Cross-Certificates for Kernel Mode Code Signing" [microsoft.com]:
Re: (Score:2)
It's not helpful to throw flames at people who are not technically savvy. Worse, malware creators go to great lengths to disguise and deceive. It doesn't help to blame to victims of this fraud, for falling into the trap.
It's also not helpful to blame software makers. Originally, email and networking software had zero security. SMTP had no authentication requirements for decades. Over time, authentication became standard, as the arms race escalated. Running attachments in a VM is a highly sophisticated defen
Re: (Score:2)
Perhaps you are perfect and have never fallen for a security scam of any kind, but I doubt it. Even *you* had a learning curve.
I never said I was perfect. I simply said that there should be penalties for those that fail to secure their systems in the most basic of ways.
It's not helpful to throw flames at people who are not technically savvy.
It's also not helpful to blame software makers.
By that definition there is no accountability for failure, and therefore no motivation to improve. The technically illiterate will *never* want to learn or perform basic security themselves. The software makers will *only* do the bare minimum to save costs. (Unless they can turn that cost into profit by abusing their privileged position. See also: Data mining / sol
Re: (Score:2)
Saying that people should be punished for failing to take adequate security precautions, is like telling someone they should be punished for failing to lock their car doors in a parking lot. In some areas, failing to lock your door isn't smart, and your car might get stolen as a result. But no additional penalties are needed, just the natural ones. Businesses who fail to adequately secure their software also face natural penalties, just as stores that "fail" to adequately protect their merchandize, tend to
Microsoft Peaked With DOS 5 (Score:1, Insightful)
Re: Microsoft Peaked With DOS 5 (Score:2)
Point taken. I would like to put in a good word for win2000, but yeah.
Re: (Score:2)
I'd toss in NT 4.0 once it got to service pack 2. That was one of the best Windows experiences of my entire career. It spun up, it shut up, and got out of the way. It had its issues, but everything after that has become more bloated, and more user hostile. Even 2000, a decent runner-up, was like NT 4.0 with some extra fluff on top and the spyware feeling starting to creep in around the edges.
Re: (Score:2)
Windows NT 3.51 was rock-solid, super fast, and the whole OS fit in about 40MB of disk space. Plus it could boot with as little as 12MB RAM (although not really usable with that amount).
Re: (Score:2)
Microsoft peaked with DOS 5 (Maybe 6.55) but it has all been downhill since then.
I think that for what it was (hopelessly insecure) Windows 98 was really reasonably solid, and you could also conveniently and convincingly use it as DOS. I'm not convinced that DOS 5 was meaningfully better than 3.3, either. You really wanted QEMM and 4DOS anyway.
Downgrade Windows user-experience (Score:2)
I suspect this will break many Windows GUI add-ons that are Win32 only.
That's great! So... (Score:2)
... Obviously this means that all win32 apps are going to default to isolation mode, well and truly maximizing security postures and minimizing security vulnerabilities associated with those applications for all Windows 11 users... right?
Right?
Bueller?
Morgan Freeman: Needless to say, that's not what actually happened.
MS Windows and 32-Bit Aps, Sigh (Score:1)
Good in theory... (Score:2)
...but we first heard "...it will be very difficult for an attacker to break through the sandbox and penetrate the rest of the system" with Java 25 years ago. How did that work out for us?