
Vista under the Hood

PCQ Bureau

The new OS due to ship out of the Redmond camp later this year has its feature-frozen “beta 2” out on a CTP (Community Technical Preview). What this means is that, give or take a few minor pieces here and there, this is what the final release of Vista will look like come the end of the year. Coming as it does to the top of the pile from the line-up of preceding desktop OSes like Windows XP, expectations from everyone are high about what it should and needs to contain. So, how closely has your wish list been answered? And more importantly, when the sales people come knocking to say maybe it's time you upgraded, what are the things you need to know?


The SKUs

As per current information, there will be five different SKUs (editions) of Vista. Unlike Win XP, which had the Home, Professional, Media Center and Tablet PC editions, Vista has two editions each meant for home and business users, and then the Ultimate edition as well. For organizations, there are the Vista Business and Enterprise editions. Home users get Home Premium and Home Basic. The Ultimate edition has a mix of features from both the Home and Business SKUs and is useful for people who work from home. The Tablet PC and Media Center editions are gone; their functionality has been integrated into the other editions except Basic.

The Enterprise edition contains all the features of the Business edition plus a few enhanced ones, like BitLocker encryption (to protect data even if somebody steals your hard disk) and virtualization support (to run previous versions of Windows). It also has a sub-system that allows you to run UNIX apps. The Home Basic edition is meant for basic productivity and won't contain all the bells and whistles of Home Premium. Home Premium, likewise, contains Media Center functionality and other advanced features.

All SKUs except Basic come with the new 3D Aero UI, which requires pretty high system specs to be enabled and work. This time, MS has been particularly careful about security and has built quite a few security features into the OS, as we shall soon see. It's claimed to be the safest OS ever designed by MS. Then, of course, the usual slew of benefits (enhanced productivity, lower management costs, better connectivity, etc.) is anyway being touted.


In this story, we try to look at many of the key features being promised in Vista that deliver upon these benefits. For instance, all editions have early warning systems for hardware failure, which would reduce administrative overheads. All have parental control features. This being a beta, we did face problems in some of them, and we sincerely hope that they will not be there in the final release.

Security systems

There are several layers of security built into Vista. Some of these features are improved versions of those we've been used to so far in Win XP. Others, like UAP (now called UAC) and BitLocker encryption, are brand new. Of course, when we at Labs see something new like this, we love to get our hands dirty and see how sturdy it is. Here's what we found in the security features shipped in Vista.

User account control (UAC)

After being named a lot of things, this is what user account authority limitation in Vista is being called now. To cut a long story short, UAC is the layer of the OS that prompts you to enter administrator credentials when you run certain programs or commands. It's controlled by a set of six group policy settings. We expect that these can later be set up at the domain level (in Longhorn Server) and enforced by Vista.


  • Behavior of elevation prompt for administrators
  • Behavior of elevation prompt for standard users
  • Elevate on application installs
  • Run all users, including administrators, as standard users
  • Validate signatures of executables that require elevation
  • Virtualize file and registry write failures to per-user locations

Figure: UAC requires users to provide administrative credentials for certain programs or commands

The first two control what happens when administrator and non-administrator users encounter programs that require administrative privileges. By default, administrators see a consent dialog that simply asks their permission to continue, while standard users see a credential entry box where they need to enter logon information for an administrator-class account. Which account the user enters here depends on what he is trying to access. For instance, if it is something on the local system, he needs to enter the administrator credentials for the local system; but if it is a network or domain operation, then the credentials have to be for that resource. The possible settings for these include 'Silent elevation' (where no prompts are displayed; this is not recommended for regular use), 'Prompt for credentials' (requires the user to enter logon information) and 'Prompt for consent' (requires just an approval to continue).

Figure: The firewall in Vista allows extensive configuration and management of access rules

The logic behind this feature is that a user, regardless of whether he is logged in as the Administrator, should never be running everything in sight with full privileges. This cuts down on malicious software installing itself without consent from the user, and also prevents users from inadvertently installing rogue applications (which can even be things banned by the network administrator in an enterprise) on their systems. How and for what kind of programs UAC invokes the consent/credential box is determined heuristically with a list of criteria (for example, words like 'setup' or 'install' in the file name, and certain properties in the file's SxS manifest data).

The sixth group policy setting above (virtualize...) is designed to accommodate legacy applications that were designed for XP but need to run under Vista. It allows Vista to redirect read and write operations on sensitive system areas and registry locations to virtual locations under that user's profile. MS has announced that this virtualization will be removed in a future service pack and not supported in future releases of Vista, and thus developers should not depend on it in perpetuity.


Windows firewall

There are two interfaces to manage the Windows Firewall. One is the version we've been used to since Win XP. This dialog, now accessible only through the Control Panel, features re-written explanations under each option on the main tab that are easily understood by the non-geek. Under the Exceptions tab, there are many more programs and services listed compared to a standard Win XP desktop.

You will find services like BITS (Background Intelligent Transfer Service, existing since Win 2000) and Firewall Remote Management (new to Vista) listed here. On our test system, we had around 20 items, including those for IMs. The second and more advanced interface is an administrator-only MMC console. To access this one, go into Administrative Tools and open the 'Windows Firewall with Advanced Security' item. Here you have a fairly large number of options to configure. Some of them appear not to be working yet and we hope they will be running in the next beta. There is no way to add new items to monitor or to generate reports.



Note: One good security feature we found in Vista was that, by default, it didn't allow a user to save any documents in c:\, giving a message that you don't have the permission to do that. This message came up even for the administrator user.

Ports and exceptions

Using the WF console, you can manage exceptions for both inbound and outbound connections. To add a new exception, right-click anywhere in the right-hand pane. You can selectively enable or disable various exceptions by right-clicking on that exception and selecting 'Enable Exception' or 'Disable Exception'. You can change its parameters from the Properties dialog invoked from its context menu. However, each entry in the exception list can control only one combination of the set of available parameters. This means that if you need to enable (say) ports for both the UDP and TCP protocols for some application, you would need to create at least two rules.

In the same exception entry, you can require secure connections with encryption, and when this is selected, you can use the options in the Authorization tab to allow in only specific computers and users. These computers and users can be selected from your Active Directory if your system is on a domain. The Protocols tab lists 18 pre-defined protocols and allows you to configure custom ones (by protocol number) as well. For the inbound and outbound scopes the rule applies to, you can specify a single IP address, a subnet mask or an IP range. Following the trend everywhere else in Vista, you can specify either IPv4 or IPv6 addresses in these boxes. Want to configure more parameters for this exception? Go to the Advanced tab, where you can select whether the exception applies when the PC is connected to a domain or not, which network interfaces (if the system is multi-homed) the rule applies to, and which services/processes the exception applies to. This answers the complaint so far that Win XP's firewall isn't very configurable.

IPsec

Other than the setup of which ports to block or leave open, the IPsec console also lets the administrator configure IPsec policies, where you can define what kind of security keys to exchange, using what algorithm, and how to validate them. You can also set up data protection using the ESP or AH protocol. ESP is compatible with NAT and is recommended if you use NAT on your network. AH is not NAT compatible and is suited if you use a standalone Vista system. Encryption can be set up too, and in this option you can use an ESP plus AH hybrid, which again is not compatible with NAT.



Authentication

Both the computer and the user can be authenticated by setting up two levels of authentication (the first for the computer and the second for the user), with the caveat that if a pre-shared key is used for the first level, then you cannot use second-level authentication. Therefore, if you require both levels, you need to select either Kerberos or (digital) certificate based authentication for the first level. User-level authentication can be performed using Kerberos, NTLM, digital certificates or 'computer health certificates'. When using certificates, you need to select which issuing CA to use certificates from, and can enable the certificate to be mapped to user accounts.


Figure: Zooming has so far existed in a browser only for text (center image), and did not magnify images or resize other content on the Web page. IE 7 adds page zoom that magnifies everything on the page (right image)

What about IE 7?

Windows Vista bundles the next version of the Internet Explorer browser (now renamed 'Windows Internet Explorer 7'). This much anticipated browser upgrade, while including a lot of new features and bells and whistles for security, does not exactly manage to make everyone happy. For instance, the standards compliance and CSS2 support that the standards gurus have been clamoring for are squarely not there, and MS has gone so far as to announce that it is not even a priority for them. So what are the security features in Vista's IE7 that would affect you? Let's take a quick look.


Figure: IE 7 didn't pass the frame injection test, wherein one genuine frame on a web page was replaced with a fake one

Anti-phishing

Windows Internet Explorer 7.0 includes an anti-phishing filter that performs an automatic check of the website you are visiting. This is essentially a blacklist based check, matching the URL against a list of URLs known to be malicious. Typical things the engine checks for are IP addresses in the URL and forms being submitted to locations other than the URL in the address bar. This is a subjective process, since it depends on users submitting malicious sites they come across using the 'Report this Website' option in the anti-phishing menu.


Anti-spoofing

Spoofing is where the webmaster of a malicious website tries to fool you into believing the URL you are seeing for a webpage is different from where the content is actually coming from. One of the most common ways to do this is by hiding the UI elements (like the address bar and the status bar) that display this information. IE 7.0 does not allow windows to be created that do not have the address bar or the status bar. Also, scripts are not allowed to replace the address displayed; if a script attempts this, the user is automatically redirected to the new URL.


Vulnerabilities: tested

Secunia.com has a battery of tests (which are not very openly listed, but you can get there using a search engine like Google) to check your browser against known vulnerabilities. This is done using pages hosted on their servers that check for the vulnerability in your copy of the browser, using safe pages and scripts that show you what can be done. We tested IE 7.0 against their IDN Spoofing, URL Spoofing and Frame Injection attacks. URL spoofing is the process of replacing URLs with other strings to make it seem the web page is actually from a legitimate and harmless source. In IDN Spoofing, international characters (like Chinese and Japanese on a computer set up for English) are used to make the URL seem different. Frame Injection misuses the ability to inject content into a frames page being hosted from a completely different URL, with the frame displaying content from a different website. Sadly, IE 7 fails the Frame Injection test. What this means is that you could be on a fake website purporting to be your bank's, and even see the content as it would be in the header, menu and footer, including all their advertising
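The page-level checks discussed above (an IP address as the host, a form posting to a host other than the one in the address bar, and an IDN or punycode host of the kind the Secunia IDN spoofing test exercises), as an added Python illustration that is not Microsoft's or Secunia's code; the sample URL and HTML are constructed, and the host comparison is deliberately simple (exact host match, so a sub-domain of the same site is also flagged).

```python
"""Constructed illustration of the kinds of page heuristics the article
attributes to IE 7's anti-phishing filter. Not Microsoft's code; the rules
are simplified on purpose and are meant for study, not as a filter."""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit, urljoin


def host_is_ip_literal(url):
    """True if the host part of the URL is a bare IPv4 or IPv6 address."""
    host = urlsplit(url).hostname
    if not host:
        return False
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def host_looks_idn(url):
    """True if the host has non-ASCII characters or punycode (xn--) labels."""
    host = urlsplit(url).hostname or ""
    return (not host.isascii()) or any(
        label.startswith("xn--") for label in host.split(".")
    )


class _FormCollector(HTMLParser):
    """Collects the action attribute of every <form> in a document."""

    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            for name, value in attrs:
                if name.lower() == "action" and value:
                    self.actions.append(value)


def foreign_form_targets(page_url, html):
    """Absolute form targets whose host differs from the page's own host.
    A form without an action submits to the page itself and is not reported."""
    parser = _FormCollector()
    parser.feed(html)
    page_host = (urlsplit(page_url).hostname or "").lower()
    foreign = []
    for action in parser.actions:
        target = urljoin(page_url, action)  # resolve relative actions
        target_host = (urlsplit(target).hostname or "").lower()
        if target_host and target_host != page_host:
            foreign.append(target)
    return foreign


def phishing_indicators(page_url, html):
    """Names of the heuristics that fired for one page; [] means none."""
    hits = []
    if host_is_ip_literal(page_url):
        hits.append("ip-literal-host")
    if host_looks_idn(page_url):
        hits.append("idn-host")
    if foreign_form_targets(page_url, html):
        hits.append("form-posts-elsewhere")
    return hits


# Constructed sample: a page served from an IP literal whose login form
# posts to a different host, plus a harmless relative form.
SAMPLE_URL = "http://203.0.113.10/login"
SAMPLE_HTML = """<html><body>
<form method="post" action="http://example.net/collect"><input name="pw"></form>
<form method="post" action="/local"><input name="q"></form>
</body></html>"""

if __name__ == "__main__":
    print(phishing_indicators(SAMPLE_URL, SAMPLE_HTML))
```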


Observation: A note

No options to gracefully recover from errors during migration...

There are three problems with the Easy Transfer Wizard, and two of them don't seem to have options to recover.

1. When using the network to transfer files, the wizard does not warn you that you need to return to the new PC to make a few selections while the transfer is in progress from the old system.
2. If you get an error that the wizard is corrupted, the only option is to reinstall Vista (or attempt to copy over the wizard's files from the installation media).
3. A 'debug assertion failed' error crashes the wizard and erases all information collected or transferred, without options to recover.

Inactive X

ActiveX components are what enable web pages to display rich media and content that static content, scripting and images alone cannot. Flash, QuickTime and MPEG movies, and page-embedded content (PDF, Word files) are played on HTML pages using this technology. Other than helping display dynamic and rich content, these components can also be a conduit for malware.

Traditionally, users have been able to install whatever ActiveX components they pleased, and sometimes web sites have made use of the leisurely attitude current and older browser versions have taken towards this technology by silently installing components on visitors' PCs and spying on the users. IE 7 seeks to undo and limit this damage by disallowing automatic and even manual installations of ActiveX components; these will now require explicit Administrator intervention. Certified add-ons that are known to the browser can be initialized and run without requiring explicit permission. These include components that are part of Vista or IE 7 itself, and can be found under the 'Add-ons that can run without requiring permission' box in the Add-on Manager. When you visit a Web page that requires a particular add-on, the browser will automatically prompt you (via the Information Bar as well as a status bar icon) and you can choose whether to turn it on or leave it off.

How productive?

The best way to test the productivity features of an OS is to use it in your routine work. That's exactly what we did with Vista. We set up the OS and used it for our day-to-day work. There were some things we really liked about it, and others that we feel need improvement. Below, we list our experiences and complaints.


System specs and installation

There wasn't an official list available of the minimum or ideal system specs to decently run Vista with all its bells and whistles. So we tried it out on four different types of machines. These included two Centrino laptops from IBM and HP, a high-end desktop, and a standard IBM ThinkCentre desktop having an Intel 915 chipset, onboard graphics and 256 MB RAM. Barring a few quirks, it worked beautifully on all the machines. The only difference was that the much talked about UI, Aero in full-glass mode, only worked on the high-end machine. It was automatically disabled on the rest. You need a decent graphics card with at least 128 MB of video memory, support for DirectX 9, and support for the Windows Display Driver Model or WDDM. You'll find a list of compatible graphics cards on both nVidia's and ATI's websites. So most onboard and year-old AGP cards are off the list for Aero Glass to function fully. The card we chose to try out the latest CTP was the TurboForce edition 7800GTX card from Gigabyte. While this release is still very much a 'beta', there were quite a few installation quirks we noted in our labs.


Figure: Vista is supposed to be the safest OS designed by Microsoft

On a regular hard disk already having partitions and OSes installed on them, Vista didn't let us repartition or even format existing partitions. The way to look for this is to keep an eye open for the missing 'Advanced' link on the right-hand side of the partition selection screen. Also, the setup needs a pre-formatted NTFS partition (which it will freely allow you to re-format) to install on. One of our Vista systems initially had Win XP and our PCQLinux 2006 installed in a dual-boot configuration. The selection screen only showed the partitions, with no options to delete and reconfigure them. We had to boot into XP, remove the Linux partitions and create a new one for Vista. Even then, it refused to let us install on it, saying there weren't any free NTFS drives. We had to give in, boot into XP again and format the new partition to NTFS before we could go on. We also noted that Vista refused to install for us within virtual environments (such as those provided by VMware and MS Virtual PC), even when we gave it fixed-size disks formatted with NTFS.

Figure: Recycle Bin shows previews of files, but not of those in sub-folders since it cannot enter the folder
Figure: The status bar has been revamped and gives more useful info about your documents

And, if you should need to pull out the DVD during installation to look up the installation key and click Next before you put it back in, the installer will fail with an error and refuse to proceed further. The way out is to reboot and re-enter the key. A third problem that existed with the previous CTP appears to have been fixed in the Feb release: in the earlier one, setup used to require you to enter the computer's name before it started installation. Then it would forget what you had entered and ask for it again post-installation, when it also sets up the time zone and so on. Now it asks for it only once, post installation.

Post installation experience

The first thing we noticed after opening My Computer in Vista was the Tiles view, which is enabled by default. This graphically displays each hard drive's capacity and available free space at one glance. You don't need to right-click on a hard drive and go to Properties to get this information. Remember the various types of file and folder views in older versions of Windows? These allowed you to view all your files and folders in any window as a list. The list view has been changed to what's now called small icons. Plus, several other views have been added, right from the details view to a very large icons view. You can even have a preview pane in place of the status bar, which will give you a preview of all your documents, just so that you don't have to open them. There's even a reading pane option, which lets you preview certain types of files (text, images, Office files). Animations for copying files are quite nice. Likewise, the light-up effects when you move the mouse over a folder are also quite nice. If a file copy operation fails, the copy status indicator bar turns red instead of green.

Infotainment

Parental Control

Vista's parental control is an advanced tool to prevent your child from viewing restricted sites or playing violent or restricted games. It's present in all versions of Vista. By using this feature, you can restrict anyone from using the system beyond what is required. For instance, you can decide to activate the Internet and block access to other programs. You can decide the time limit for which somebody can use the system, like how many hours in a week. You can set preferences for allowed sites, downloads, games and specified programs, and even have a report of the activity done on that account. Game control is done either by access to each of the games or by using the certification norms. Each of the programs on the system can be given authorization to be used by the account holder individually. So, if you need to, make more than one account with different levels of authorization. Note that you cannot set this up for an administrator.

Photo Gallery

Vista's Photo Gallery allows you to keep track of your photos as well as videos by date, rating and several other parameters. You can also synchronize the photos to your portable device. For this, it links to Windows Media Player.

You can attach USB drives to your Vista PC to add more memory to it. This is useful during presentations when you suddenly require a boost in performance for your demos...

The task bar still has a few bugs. If you configure it to auto-hide, and you move your mouse over it, then it will only respond if you move it to an area of the task bar that is not holding an application. For instance, if you've opened Word, then it occupies some space in the Task Bar. If the Task Bar is auto-hidden, and you move the mouse to it, then it won't pop back up if you move it to an area occupied by Word. While this might be because the OS is still in beta, the biggest complaint we had with the OS was that many times it started doing some activity that hogged all system resources. As a result, while the GUI was working, we couldn't open any other application. In fact, many a time, even the Task Manager took a long time to appear after we pressed Ctrl+Alt+Del.

We do wish that the system would save some bandwidth, which could be used by the user to find out what's hogging up all the system resources.

Figure: The tiles view shows you a graphical view of your hard drive capacity

One difference we found over WinXP was that if you do an End Task on an unresponsive application, then it gives a pop-up with an error message saying that "the application is not responding...collecting more information to help identify the problem, this might take several minutes". Otherwise, however, we found that the system does utilize system resources quite optimally. For instance, while doing a file copying operation from a CD to a directory on the system, we simultaneously launched other applications and the system didn't seem to slow down. It did seem to slow down when we tried to open a folder with too many files. It took a while to index them and display the list, especially with all the nice effects. Once we were through playing around with the GUI, we installed the Thunderbird mail client. It did so without a hitch and the mail client worked normally. After that, we tried using the erstwhile Outlook Express, which has been rechristened Windows Mail in Vista. The first thing we noticed was its automatic email filtering, which works like a charm. On day one, it started filtering out spam automatically and moving it to the junk folder.

Windows collaboration

This application allows you to create a small P2P network with users around you so that you can collaborate. In this, one user initiates a session to share a PPT presentation. Other users can either look for this session on their own or the initiator can send them invitations. The initiator can even hand out documents to the session members, just like in a real presentation. You can even broadcast your desktop view so that whatever you're doing is visible to others. This can be a great way for users to collaborate with each other. You can even hand over the controls to another user, for instance if you've made a presentation and your boss would like to make changes to it.


Easy migration

Earlier, you had two ways to migrate your data (settings as well as personal files and documents) from your old PC to the new one. First, the USMT (User State Migration Tool, found inside the VALUEADD\MSFT\USMT folder on the Win XP CD) lets the network/system administrator migrate settings and files for IE, OE, settings configured via the Control Panel for that user (sound, desktop, accessibility, etc) and those inside the user's profile and home folders. The other tool, the Files and Settings Transfer Wizard, lets normal users do the same thing without needing the assistance of the administrator. In Vista, the two are combined into a single 'Windows Easy Transfer Wizard'.

This wizard can help you if your old system is Win 2000, XP or Vista. A caveat with using this wizard is that it will also move file association settings over. So, you need to install the relevant applications before using the wizard, or the association settings could get overwritten by the migration process. Windows Easy Transfer lets users transfer data in multiple ways, including CD/DVD media, USB drives and over the network. If you select the optical media option, then both systems need to have a CD or DVD writer and you need to have blank media handy. USB drives are limited in their capacity, and unless you have a high-capacity drive it's not advisable if you have a large number of files (including your e-mail) to move over.

Pre-purchase: Vista and your PC

Come time to decide whether to deploy Vista, what are the things you should look for? Here are a few pointers from what's happening:

  • Look out for the distinguishing 'Designed for Vista' logos. There will be two of them, one for each level of Aero support. This dual certification goes into effect from April 1st.
  • The current h/w requirement noted by MS is quite cryptic: a current processor, 512 MB RAM and a graphics card with a Vista-specific driver. Be prepared to invest in a high-horsepower system.
  • Vista's Windows System Assessment Tool rates the system's match with Vista's requirements. MS is still working on this tool and the rating will undergo a lot of revisions. It is unclear how the benchmark would evolve with future technology changes, and this could affect the rating.

The easiest is to use the network option, which lets both computers establish a session directly with each other without requiring an intermediary. Although the documentation for the process (at http://www.microsoft.com/technet/windowsvista/deploy/depenhnc.mspx) reads: “Saves user state data to a server and restores it to the desktop after installation”, we noticed that we had to restart the process on both systems when it failed. Hopefully, this problem will disappear when Vista goes RTM. Anyway, the wizard needs to be started on the old system first. This will compulsorily copy the wizard's files to the media or location you specify (depending on the mechanism you selected earlier). Again, hopefully this will disappear pre-release and we will be able to ask it to skip the step. Then, you go over to the new system and run the 'Migwiz.exe' file from what was copied. If you selected the network mechanism, the wizard waits for the incoming connection. On the old PC, you can select what information to copy (including adding and removing items, folders and files) from the list it detects automatically, and then the process continues by itself, requiring minimal intervention on that system. If you had selected some form of media (CD/DVD or USB) for the transfer, once it is full, take it to the new system and insert it to have the wizard automatically pick up the data. This process, though easy, still requires some fine-tuning and work. Obviously some mechanism has to be provided to gracefully recover from errors and even resume over-the-network transfers.

Super fetch

One of the biggest challenges that users face while using computers is that, due to hardware limitations, software stops responding as required. For instance, if you are working on many heavy applications simultaneously, you'll find that even machines with a GB of RAM sometimes freeze due to the heavy memory requirements of all these apps.


Win XP had the “pre-fetch” option that allowed the system to keep track of the files required to be loaded as part of each application's startup. After a few such rounds of analysis, XP would start loading these files in advance when it saw that the application in question was getting initialized, and this caused a performance boost.



Vista offers certain enhancements to this scenario. First, the pre-fetching algorithm predicts the components required for starting up an application better. It can also create usage profiles to let the system know the application usage patterns. For instance, applications used during work hours will be very different from those used during break hours, which themselves will differ from the applications being run during off-hours or idle times (say by the sys admin). Vista's SuperFetch can recognize these patterns and optimize application loads as per them. All of the above is done automatically by the memory management subsystem in Vista. SuperFetch also allows users to dynamically increase the available secondary memory in their systems using any compatible USB flash drive.

Simply plug in a compatible USB 2.0 flash drive and the Autoplay option of Vista will offer you a new choice: “Speed up my system using this device”. When you select this, Vista allows you to decide what part of the device you wish to use for dynamic memory. For example, if you plug in a 1 GB flash disk, you can reserve, say, 768 MB as memory for your system. Which means that if you already have 1 GB RAM, you've effectively increased the amount of memory in your system to 1.7 GB! So if you are in the middle of a technical demo and suddenly realize that you need to increase the performance of the demo you are showing, simply plug in your flash disk, assign an amount of memory and see the system immediately start using this extra memory for many tasks.

The information stored in the flash disk is encrypted. Although it is not as fast as system RAM, it is faster than your hard disk (being used for virtual memory) by many orders of magnitude. Apparently the next step is to enable persistent SuperFetch, which will allow you to store SuperFetch information on the USB memory for different usage scenarios. For example, when you do serious work, you plug in one USB key that has SuperFetch enabled for those applications. When you wish to take some time off and play some heavy-duty gaming, remove the first one and put in another key that is ready with the SuperFetch profile of your favorite game, and you will be up and running in no time at all. All in all, SuperFetch is a cool new way of getting a major performance boost from your system with the cheap alternative of USB flash drives.



Watch this space for actual performance benchmarks once the final version of Vista is released. We are also continuing our series on this OS from the enterprise perspective, which will feature all the updates as they happen.

Anil Chopra, Anubhav Verma, Sujay V Sarma and Vinod Unny
