WACK failed

Question

Windows App Certification Kit Test Results

Application Name:

Nero Backup Drivers

Application Version:

1.0.11100.8.0

Application Publisher:

Nero AG

Operating System:

Microsoft Windows 8 (6.2.8370.0)

Report Generation Time:

5/10/2012 11:29:55 PM

Overall Score: FAILED

You must resolve all cases marked "FAILED", to pass the Windows App certification.

Clean, reversible, installation

WARNING

Remove all non-shared files and folders

• Warning: This application failed to remove the following files during uninstall:
  • File 'C:\Windows\System32\restore\MachineGuid.txt' was not deleted.
• Impact if not fixed: A user might remove an application not only to free up disk space, but also to return the computer to its state prior to the application being installed. Failure to restore the machine to its original state is a poor user experience.
• How to fix: Ensure that all files and Add/Remove Program entries are properly removed.

WARNING

Do not force an immediate reboot during installation

• Warning: An immediate reboot shouldn't be the only option after install, the user must be presented with an option to restart the computer at a later time.
• Impact if not fixed: Forcing an immediate reboot post install can impact users in a variety of negative ways, and could cause data loss.
• How to fix: A reboot should never be the only option at the end of an install or update. Users should have the opportunity to restart later.Guidance on how to handle the need for a reboot is available here.

WARNING

Do not force an immediate reboot during uninstallation

• Warning: This application’s uninstall has forced an immediate reboot without providing the user with an option to restart the computer at a later time.
• Impact if not fixed: Forcing an immediate reboot during uninstall can impact users in a variety of negative ways, and could cause data loss.
• How to fix: A reboot should never be the only option when uninstalling an application. Users should have the opportunity to restart later. Guidance on how to handle the need for a reboot is available here.

PASSED

Write appropriate Add/Remove Program values

Install to the correct folders by default

PASSED

Install to Program Files

WARNING

Do not write to the %WINDIR% or %SystemDrive% folders

• Warning: This application wrote the following files to %SystemDrive%, and or %WinDir% folders:
  • File C:\Windows\Temp\~DF7A58050D394051DE.TMP was written to an incorrect location.
  • File C:\Windows\Temp\~DF36D043A8B476E300.TMP was written to an incorrect location.
  • File C:\Windows\Temp\~DF3153F35D2647D483.TMP was written to an incorrect location.
  • File C:\Windows\Temp\~DFAA781843C363BD94.TMP was written to an incorrect location.
  • File C:\Windows\Temp\~DFF7EF58CF09B805A0.TMP was written to an incorrect location.
  • File C:\Windows\Temp\~DF862E62A2FF096A2B.TMP was written to an incorrect location.
  • File C:\Windows\Temp\~DFB5067E7C8100B00B.TMP was written to an incorrect location.
  • File C:\Windows\System32\restore\MachineGuid.txt was written to an incorrect location.
  • File C:\Windows\Temp\~DF03A81C5786287CEB.TMP was written to an incorrect location.
  • File C:\Windows\Temp\~DF56B2680EB581C2BB.TMP was written to an incorrect location.
  • File C:\Windows\Temp\~DF5C5E2700DC8EE938.TMP was written to an incorrect location.
  • File C:\Windows\Temp\~DFB9B2408E1DDBC8CB.TMP was written to an incorrect location.
• Impact if not fixed: Avoid storing application’s data to %SystemDrive%, and or %WinDir% folders. The ACLs on certain Windows directories have been changed to enable data sharing and collaboration in data directories and outside of a user's protected directories. File virtualization addresses the situation where an application relies on the ability to store a file, such as a configuration file, in a system location typically writeable only by administrators. Running programs as a standard user in this situation might result in program failures due to insufficient levels of access. Also there are privacy and system integrity concerns when applications do not store files in the correct folders. Using the Known Folder APIs ensures that you are always able to get to your data. Please note: “Virtualization is implemented to improve application compatibility problems for applications running as a standard user on Windows. Developers must not rely on virtualization being present in subsequent versions of Windows”
• How to fix: Guidelines and API calls have been provided to help the application to know where to install and store system and data files. More information and guidance can be found at these links 1, 2, and 3

PASSED

Do not run the application on Windows startup.

Digitally sign files and drivers

PASSED

Do not install any DLLs into the AppInit_DLLs registry key

PASSED

Install signed driver and executable files

Support x64 versions of Windows

PASSED

Install platform specific files, including drivers

Do not block installation or application launch based on OS version check

PASSED

Proper OS version checking

Follow User Account Control (UAC) guidelines

SKIPPED

User Account Control Run Level

Adhere to Restart Manager messages

SKIPPED

Don't block reboot

Do not load Services and Drivers in Safe Mode

PASSED

Do not load Services and Drivers in Safe Mode

Support multiuser sessions

SKIPPED

Multi User Check Logs

PASSED

Multi User registry check

SKIPPED

Multi User session test

PASSED

Do not write to the 'Users' folder

Eliminate Application Failures

SKIPPED

Do not install executables that crash or hang during the testing process

Do not depend on Windows compatibility fixes

SKIPPED

Do not install binaries that have compatibility fixes applied to them by Microsoft

Do not disable Windows security features

FAILED

Attack Surface Analyzer

• Error: Following errors were encountered while running the Attack Surface Analyzer test.
  • Weak ACL on C:\Windows\System32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\{c61455e6-4573-4d5a-8960-9e76141947ac} allows tampering by multiple non-administrator accounts.
  • File: C:\Windows\System32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\{c61455e6-4573-4d5a-8960-9e76141947ac} Writable by: 1. NT SERVICE\DPS Rights: DELETE, FILE_ADD_FILE, FILE_ADD_SUBDIRECTORY, FILE_WRITE_ATTRIBUTES, FILE_WRITE_EA, GENERIC_WRITE 2. NT SERVICE\WdiServiceHost Rights: DELETE, FILE_ADD_FILE, FILE_ADD_SUBDIRECTORY, FILE_WRITE_ATTRIBUTES, FILE_WRITE_EA, GENERIC_WRITE
• Impact if not fixed: Customers are at increased risk due to a change in the default Windows security protections. During installation or runtime, the application changed an ACL on a registry key or directory.
• How to fix: During installation or runtime, your application should read and write data to the areas prescribed by the Windows App Certification without modifying the existing access control lists. Examples of disallowed behavior would be creating a directory under %Program Files% and allowing EVERYONE Write access.

Opt into Windows security features

PASSED

Binary Analyzer

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Question:

I'm not very sure the failure is caused by our driver. It seems the problem is caused by MS certification tools. So Please help check the testing result. We did some investigate with it, It seems If the access rights for the DPs and WdiServiceHost are already set before you do the installation, It is fine.

If it's not tools' fault, how to fix it? thanks.

Answer 1

Hi 看星星数月亮,

Thanks for posting to the forums. I see that you've posted the results from your Windows App Certification Kit. Was there a specific piece of this area that you had a question about?

Answer 2

Thanks John,

Well, I'm not very sure the failure is caused by our driver. It seems the problem is caused by MS certification tools. So Please help check the testing result. We did some investigate with it, It seems If the access rights for the DPs and WdiServiceHost are already set before you do the installation, It is fine.

Could you please help us check detail again? and If it's not tools' fault, how to fix it? thanks.

Answer 3

Hi,

The reason for the WACK fail test can be of following reasons:

Does your app try to create/read from any of the folder protected by the system or OS drive such as Program Files or System 32 kind of stuffs? Your app must never write directly to the "Windows" directory and or sub-directories.

It is evident from the results that your app writes  files to %SystemDrive%, and or %WinDir% folders.

To ensure Attack Surface Analyzer test runs properly:

Remove these rights on the object identified by the test for all non-administrator accounts: GENERIC_ALL, GENERIC_WRITE,WRITE_OWNER, WRITE_DAC, KEY_SET_VALUE, KEY_CREATE_SUBKEY, and DELETE.

For more details,you can refer to this MSDN Article

---

Subramanian Muthukrishnan Microsoft Student Partner iLink Systems General Secretary,Rockcity Dot Net User Group Windows 8 Trainer,DPE Program for Windows 8,Microsoft.

Answer 4

Try to remove the access rights such as GENERIC_ALL, GENERIC_WRITE,WRITE_OWNER, WRITE_DAC, KEY_SET_VALUE, KEY_CREATE_SUBKEY, and DELETE for DPS and WdiServiceHost and re-run the test.

---

Subramanian Muthukrishnan Microsoft Student Partner iLink Systems General Secretary,Rockcity Dot Net User Group Windows 8 Trainer,DPE Program for Windows 8,Microsoft.