PDA

View Full Version : Benefit of Vista manifest?



NewsArchive
12-19-2008, 02:31 AM
Hello again,

is there a short description what the benefir of the Vista manifest ist?

Why should I embed it?

I intended to include three "normal" EXE when %WINVER% if less $WIN_VISTA$
ELSE the same three EXE with an embed Vista manifest.

My experience is that I get an error with the most important EXE when
manifested: error with the "side-by-side-configuration". Funnily the other
two run well. The only difference I was aware of was that the "bad" EXE
contains cwVersionResource. After recompile without this versionResource
it still refused to run

But the EXE which was made without any manifest, for XP, runs fine under
Vista. (all exe/dll are code-signed)


Actualy my head is spinning!


Why do we have to go thru this???


And once again the final request: any ideas and hints?


Thanks in advance
Wolfgang





--
Grüße / Regards
Wolfgang Orth

http://www.odata.de



Erstellt mit Operas revolutionärem E-Mail-Modul: http://www.opera.com/mail/

NewsArchive
12-19-2008, 02:32 AM
Hi Wolfgang,

> I intended to include three "normal" EXE when %WINVER% if less $WIN_VISTA$
> ELSE the same three EXE with an embed Vista manifest.
>
> My experience is that I get an error with the most important EXE when
> manifested: error with the "side-by-side-configuration". Funnily the other
> two run well. The only difference I was aware of was that the "bad" EXE
> contains cwVersionResource. After recompile without this versionResource
> it still refused to run

What error do you get?

Vista manifest, in my experience, works without any issues on XP. I have
done Vista manifesting with SB, Clarion and my own template and they all
behave the same.

The vista manifest differs in that it defines the security level that the
program requires. It can be one of three: requireAdministrator, asInvoker
and highestAvailable. This indicates the level that the program runs on.
Normally it would be asInvoker, but certain programs, such as installers
need to run with requireAdministrator because they need to be able to update
HKLM and write to otherwise protected folders.

I manifest just about every exe that I make these days and have yet to see
it fail. I use the cwresources in most of my apps too.

Also if you do not include a manifest (vista or XP) you don't get themed
controls in your program.

--
Arnór Baldvinsson - Icetips Creative, Inc.
Port Angeles, Washington
www.icetips.com - www.buildautomator.com

Icetips product subscriptions at http://www.icetips.com/subscribe.php

NewsArchive
12-20-2008, 02:32 AM
>
> Why should I embed it?
>

Without a Vista manifest, you can't make your applications "Vista-aware" and
allow them to express the application's requested security context.

If your application is not "Vista-aware, it's a "legacy" application under
Vista and "Virtualization" kicks in and redirects all write attempts to some
protected locations to a per-user store. This includes "Program Files",
Windows system locations and parts of the registry (e.g.
HKEY_LOCAL_MACHINE).

Please note that Microsoft is planning on removing the Virtualization
capabilities in a future version of Windows. So #1 priority should be to
make your application Vista-aware!

--
Friedrich Linder
Lindersoft
www.lindersoft.com
+1.954.252.3910

SetupBuilder "point. click. ship"
Create Windows Vista ready installations in minutes

-- Official Comodo Code Signing and SSL Certificate Partner

NewsArchive
12-20-2008, 02:33 AM
>>
>> Why should I embed it?
>>
>
> Without a Vista manifest, you can't make your applications "Vista-aware"
> and
> allow them to express the application's requested security context.

okay - you can't see any difference when the program running is made the
usual way, so you feel alright and its a false 'security'

But this is what I get:

"Diese Anwendung konnte nicht gestartet werden, da die Side-by-Side
Konfiguration ungültig ist. Weitere Informationen finden Sie im
Anwendungsereignisprotokoll."

First I thought it was because of the cwResource, so I removed that from
my EXE, but with no luck.




And the other thing is that a digitally signed EXE looses its signature
once SB embeds the Vista manifest.

Then I code-sign my EXE again and re-compile my install.

Is there any way to avoid that? Did I miss anything here?




> ...
> So #1 priority should be to
> make your application Vista-aware!

understood and agreed!

thx
Wolfgang





--
Grüße / Regards
Wolfgang Orth

http://www.odata.de



Erstellt mit Operas revolutionärem E-Mail-Modul: http://www.opera.com/mail/

NewsArchive
12-20-2008, 02:34 AM
> And the other thing is that a digitally signed EXE looses its signature
> once SB embeds the Vista manifest.

Well, yes, of course it does. It is NOT allowed to modify a code-signed
application. That's what a signature is for - to detect a tampered or
hacked application ;-)

You have to embed the Vista manifest and AFTER that code-sign it.

Hope this helps.

--
Friedrich Linder
Lindersoft
www.lindersoft.com
+1.954.252.3910

SetupBuilder "point. click. ship"
Create Windows Vista ready installations in minutes

-- Official Comodo Code Signing and SSL Certificate Partner

NewsArchive
12-20-2008, 02:34 AM
Hi Friedrich,

>> And the other thing is that a digitally signed EXE looses its signature
>> once SB embeds the Vista manifest.
>
> Well, yes, of course it does. It is NOT allowed to modify a code-signed
> application. That's what a signature is for - to detect a tampered or
> hacked application ;-)
>
> You have to embed the Vista manifest and AFTER that code-sign it.

I feel a blog entry coming...<g>

Best regards,

--
Arnór Baldvinsson - Icetips Creative, Inc.
Port Angeles, Washington
www.icetips.com - www.buildautomator.com

Icetips product subscriptions at http://www.icetips.com/subscribe.php

NewsArchive
12-20-2008, 02:35 AM
> Hi Friedrich,
>
> On 19 Dec 2008 07:44:50 -0500, friedrich linder wrote:
>
>>> And the other thing is that a digitally signed EXE looses its signature
>>> once SB embeds the Vista manifest.
>>
>> Well, yes, of course it does. It is NOT allowed to modify a code-signed
>> application. That's what a signature is for - to detect a tampered or
>> hacked application ;-)
>>
>> You have to embed the Vista manifest and AFTER that code-sign it.
>
> I feel a blog entry coming...<g>

Thanks to Jane Fleming, Arnór Baldvinsson, and Friedrich Linder - we are
ALL getting a First Class education on Vista Manifests, Code Signing,
bringing Clarion into the real world of the current OS, etc

Thank much for all your hard work and fine efforts to educate the Developer
public!

David

--
From David Troxell - Product Scope 7 - Encourager Software
Clarion Third Party Profile Exchange Online
http://encouragersoftware.com/profile/clarlinks.html
Profile Exchanges - www.encouragersoftware.com/profile/
http://www.profileexchanges.com/blog/

NewsArchive
12-21-2008, 12:54 PM
Hi Arnór,

>> You have to embed the Vista manifest and AFTER that code-sign it.
>
> I feel a blog entry coming...<g>

<G> ;-)

Friedrich

NewsArchive
10-09-2010, 03:23 AM
I had that problem before too. The way I got around it is I did not let
Clarion manifest the app. I used the free Bo utility to add the resource...
so it's automatically compiled into the app.

Then, I created a separate setupbuilder script to manifest then sign each of
my EXE's... I have a batch file to sign my dll's.

In SB I use the embed UAC Manifest, with skip and permanent checked, then
right after I code sign with skip and permanent checked... do that for each
EXE.

I saw no reason to add a manifest to the dlls.. I just code sign them with
my normal batch file.

Ray
VMT