locked
WACK failed RRS feed

  • Question

  • Windows App Certification Kit Test Results

    Application Name:

    Nero Backup Drivers

    Application Version:

    1.0.11100.8.0

    Application Publisher:

    Nero AG

    Operating System:

    Microsoft Windows 8 (6.2.8370.0)

    Report Generation Time:

    5/10/2012 11:29:55 PM

    Overall Score: FAILED

    You must resolve all cases marked "FAILED", to pass the Windows App certification.

    Clean, reversible, installation

    WARNING

    Remove all non-shared files and folders

    • Warning: This application failed to remove the following files during uninstall:
      • File 'C:\Windows\System32\restore\MachineGuid.txt' was not deleted.
    • Impact if not fixed: A user might remove an application not only to free up disk space, but also to return the computer to its state prior to the application being installed. Failure to restore the machine to its original state is a poor user experience.
    • How to fix: Ensure that all files and Add/Remove Program entries are properly removed.

    WARNING

    Do not force an immediate reboot during installation

    • Warning: An immediate reboot shouldn't be the only option after install, the user must be presented with an option to restart the computer at a later time.
    • Impact if not fixed: Forcing an immediate reboot post install can impact users in a variety of negative ways, and could cause data loss.
    • How to fix: A reboot should never be the only option at the end of an install or update. Users should have the opportunity to restart later.Guidance on how to handle the need for a reboot is available here.

    WARNING

    Do not force an immediate reboot during uninstallation

    • Warning: This application’s uninstall has forced an immediate reboot without providing the user with an option to restart the computer at a later time.
    • Impact if not fixed: Forcing an immediate reboot during uninstall can impact users in a variety of negative ways, and could cause data loss.
    • How to fix: A reboot should never be the only option when uninstalling an application. Users should have the opportunity to restart later. Guidance on how to handle the need for a reboot is available here.

    PASSED

    Write appropriate Add/Remove Program values

    Install to the correct folders by default

    PASSED

    Install to Program Files

    WARNING

    Do not write to the %WINDIR% or %SystemDrive% folders

    • Warning: This application wrote the following files to %SystemDrive%, and or %WinDir% folders:
      • File C:\Windows\Temp\~DF7A58050D394051DE.TMP was written to an incorrect location.
      • File C:\Windows\Temp\~DF36D043A8B476E300.TMP was written to an incorrect location.
      • File C:\Windows\Temp\~DF3153F35D2647D483.TMP was written to an incorrect location.
      • File C:\Windows\Temp\~DFAA781843C363BD94.TMP was written to an incorrect location.
      • File C:\Windows\Temp\~DFF7EF58CF09B805A0.TMP was written to an incorrect location.
      • File C:\Windows\Temp\~DF862E62A2FF096A2B.TMP was written to an incorrect location.
      • File C:\Windows\Temp\~DFB5067E7C8100B00B.TMP was written to an incorrect location.
      • File C:\Windows\System32\restore\MachineGuid.txt was written to an incorrect location.
      • File C:\Windows\Temp\~DF03A81C5786287CEB.TMP was written to an incorrect location.
      • File C:\Windows\Temp\~DF56B2680EB581C2BB.TMP was written to an incorrect location.
      • File C:\Windows\Temp\~DF5C5E2700DC8EE938.TMP was written to an incorrect location.
      • File C:\Windows\Temp\~DFB9B2408E1DDBC8CB.TMP was written to an incorrect location.
    • Impact if not fixed: Avoid storing application’s data to %SystemDrive%, and or %WinDir% folders. The ACLs on certain Windows directories have been changed to enable data sharing and collaboration in data directories and outside of a user's protected directories. File virtualization addresses the situation where an application relies on the ability to store a file, such as a configuration file, in a system location typically writeable only by administrators. Running programs as a standard user in this situation might result in program failures due to insufficient levels of access. Also there are privacy and system integrity concerns when applications do not store files in the correct folders. Using the Known Folder APIs ensures that you are always able to get to your data. Please note: “Virtualization is implemented to improve application compatibility problems for applications running as a standard user on Windows. Developers must not rely on virtualization being present in subsequent versions of Windows”
    • How to fix: Guidelines and API calls have been provided to help the application to know where to install and store system and data files. More information and guidance can be found at these links 1, 2, and 3

    PASSED

    Do not run the application on Windows startup.

    Digitally sign files and drivers

    PASSED

    Do not install any DLLs into the AppInit_DLLs registry key

    PASSED

    Install signed driver and executable files

    Support x64 versions of Windows

    PASSED

    Install platform specific files, including drivers

    Do not block installation or application launch based on OS version check

    PASSED

    Proper OS version checking

    Follow User Account Control (UAC) guidelines

    SKIPPED

    User Account Control Run Level

    Adhere to Restart Manager messages

    SKIPPED

    Don't block reboot

    Do not load Services and Drivers in Safe Mode

    PASSED

    Do not load Services and Drivers in Safe Mode

    Support multiuser sessions

    SKIPPED

    Multi User Check Logs

    PASSED

    Multi User registry check

    SKIPPED

    Multi User session test

    PASSED

    Do not write to the 'Users' folder

    Eliminate Application Failures

    SKIPPED

    Do not install executables that crash or hang during the testing process

    Do not depend on Windows compatibility fixes

    SKIPPED

    Do not install binaries that have compatibility fixes applied to them by Microsoft

    Do not disable Windows security features

    FAILED

    Attack Surface Analyzer

    • Error: Following errors were encountered while running the Attack Surface Analyzer test.
      • Weak ACL on C:\Windows\System32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\{c61455e6-4573-4d5a-8960-9e76141947ac} allows tampering by multiple non-administrator accounts.
      • File: C:\Windows\System32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\{c61455e6-4573-4d5a-8960-9e76141947ac} Writable by: 1. NT SERVICE\DPS Rights: DELETE, FILE_ADD_FILE, FILE_ADD_SUBDIRECTORY, FILE_WRITE_ATTRIBUTES, FILE_WRITE_EA, GENERIC_WRITE 2. NT SERVICE\WdiServiceHost Rights: DELETE, FILE_ADD_FILE, FILE_ADD_SUBDIRECTORY, FILE_WRITE_ATTRIBUTES, FILE_WRITE_EA, GENERIC_WRITE
    • Impact if not fixed: Customers are at increased risk due to a change in the default Windows security protections. During installation or runtime, the application changed an ACL on a registry key or directory.
    • How to fix: During installation or runtime, your application should read and write data to the areas prescribed by the Windows App Certification without modifying the existing access control lists. Examples of disallowed behavior would be creating a directory under %Program Files% and allowing EVERYONE Write access.

    Opt into Windows security features

    PASSED

    Binary Analyzer

    --------------------------------------------------------------------------------------------------------------------------------------------------------------------------

    Question:

    I'm not very sure the failure is caused by our driver. It seems the problem is caused by MS certification tools. So Please help check the testing result. We did some investigate with it, It seems If the access rights for the DPs and WdiServiceHost are already set before you do the installation, It is fine.

    If it's not tools' fault, how to fix it? thanks.


    Friday, July 13, 2012 2:50 AM

Answers

  • Hi,

    The reason for the WACK fail test can be of following reasons:

    Does your app try to create/read from any of the folder protected by the system or OS drive such as Program Files or System 32 kind of stuffs? Your app must never write directly to the "Windows" directory and or sub-directories.

    It is evident from the results that your app writes  files to %SystemDrive%, and or %WinDir% folders.

    To ensure Attack Surface Analyzer test runs properly:

    Remove these rights on the object identified by the test for all non-administrator accounts: GENERIC_ALLGENERIC_WRITE,WRITE_OWNERWRITE_DACKEY_SET_VALUEKEY_CREATE_SUBKEY, and DELETE.

    For more details,you can refer to this MSDN Article


    Subramanian Muthukrishnan Microsoft Student Partner iLink Systems General Secretary,Rockcity Dot Net User Group Windows 8 Trainer,DPE Program for Windows 8,Microsoft.

    • Proposed as answer by kongwenbin Wednesday, October 10, 2012 3:34 AM
    • Marked as answer by Roberts_EModerator Tuesday, April 30, 2013 9:34 PM
    Saturday, July 21, 2012 5:52 PM

All replies

  • Hi 看星星数月亮,

    Thanks for posting to the forums. I see that you've posted the results from your Windows App Certification Kit. Was there a specific piece of this area that you had a question about?

    Friday, July 13, 2012 2:40 PM
  • Thanks John,

    Well, I'm not very sure the failure is caused by our driver. It seems the problem is caused by MS certification tools. So Please help check the testing result. We did some investigate with it, It seems If the access rights for the DPs and WdiServiceHost are already set before you do the installation, It is fine.

    Could you please help us check detail again? and If it's not tools' fault, how to fix it? thanks.

    Wednesday, July 18, 2012 2:12 AM
  • Hi,

    The reason for the WACK fail test can be of following reasons:

    Does your app try to create/read from any of the folder protected by the system or OS drive such as Program Files or System 32 kind of stuffs? Your app must never write directly to the "Windows" directory and or sub-directories.

    It is evident from the results that your app writes  files to %SystemDrive%, and or %WinDir% folders.

    To ensure Attack Surface Analyzer test runs properly:

    Remove these rights on the object identified by the test for all non-administrator accounts: GENERIC_ALLGENERIC_WRITE,WRITE_OWNERWRITE_DACKEY_SET_VALUEKEY_CREATE_SUBKEY, and DELETE.

    For more details,you can refer to this MSDN Article


    Subramanian Muthukrishnan Microsoft Student Partner iLink Systems General Secretary,Rockcity Dot Net User Group Windows 8 Trainer,DPE Program for Windows 8,Microsoft.

    • Proposed as answer by kongwenbin Wednesday, October 10, 2012 3:34 AM
    • Marked as answer by Roberts_EModerator Tuesday, April 30, 2013 9:34 PM
    Saturday, July 21, 2012 5:52 PM
  • Try to remove the access rights such as GENERIC_ALLGENERIC_WRITE,WRITE_OWNERWRITE_DACKEY_SET_VALUEKEY_CREATE_SUBKEY, and DELETE for DPS and WdiServiceHost and re-run the test.

    Subramanian Muthukrishnan Microsoft Student Partner iLink Systems General Secretary,Rockcity Dot Net User Group Windows 8 Trainer,DPE Program for Windows 8,Microsoft.

    Saturday, July 21, 2012 5:53 PM