寻找关于“正确"文档的文档.在Windows 7上安装应用程序的方法 [英] Looking for documentation on the "right" way to install apps on Windows 7

问题描述

我正在使用一些旧应用程序(10-15岁)，并且正在寻求有关在Windows 7上安装和运行它们(以及任何用户应用程序)的正确"方法的指南，而无需完整的管理员权限

I'm working with some legacy applications (10-15 years old), and am trying to find guidance on the "right" way to install and run them (and any user application) on Windows 7 without requiring full Admin privileges.

换句话说，应将可执行文件/只读文件放到哪里，将用户数据/读写文件放到哪里，将注册表项放到哪里，以避免在两次访问期间UAC和Windows 7文件/注册表虚拟化出现问题安装并在运行时.

In other words, where executable/read-only should files go, where user-data/read-write should files go, where registry entries should go, to avoid issues with the UAC and Windows 7 file/registry virtualization during both installation and at run-time.

我似乎记得多年前有关此主题的Microsoft白皮书，但是现在找不到任何相关信息.我已经在用户端找到了信息(如何通过兼容性调整使遗留应用程序在Windows 7上运行)，而在开发人员方面却没有找到信息(如何创建/安装应用程序以在Windows 7本机上很好地运行).

I seem to remember, years ago, a Microsoft white paper on this subject, but am unable to find any relevent information now. I have found information on the user side (how to get legacy applications to run on Windows 7 via compatibility tweaks), but none on the developer side (how to create/install applications to play nicely on Windows 7 natively).

任何指向此类信息的指针将不胜感激.谢谢.

Any pointers to such information would be most appreciated. Thanks.

马克

推荐答案

您正在考虑

1. 默认情况下安装到正确的文件夹

用户应保持一致且 默认情况下的安全体验 文件的安装位置，而 维护选择安装 申请到他们所处的位置 选择.也有必要存放 正确的应用程序数据 允许几个人去的位置 使用同一台计算机而不 破坏或覆盖彼此的数据和设置.

Users should have a consistent and secure experience with the default installation location of files, while maintaining the option to install an application to the location they choose. It is also necessary to store application data in the correct location to allow several people to use the same computer without corrupting or overwriting each other's data and settings.

Windows提供 文件系统中的特定位置 存储程序和软件 组件，共享的应用程序数据， 和特定于 用户:

Windows provides specific locations in the file system to store programs and software components, shared application data, and application data specific to a user:

• 默认情况下，应将应用程序安装到Program Files [16]文件夹中.用户数据或应用程序数据绝不能存储在此位置，因为为此文件夹配置了安全权限

[16] ％ProgramFiles％(分别用于本机32位和64位应用程序)和％ProgramFiles(x86)％(对于在x64上运行的32位应用程序)

[16] %ProgramFiles% for native 32-bit and 64-bit applications, and %ProgramFiles(x86)% for 32-bit applications running on x64 respectively

• 必须在计算机上的用户之间共享的所有应用程序数据都应存储在ProgramData中

• All application data that must be shared among users on the computer should be stored within ProgramData

特定于用户的所有应用程序数据，并且不与计算机的其他用户共享的所有应用程序数据，必须存储在Users \\ AppData

All application data exclusive to a specific user and not to be shared with other users of the computer must be stored in Users\\AppData

切勿直接写入"Windows"目录和/或子目录.使用正确的方法来安装文件，例如字体或驱动程序

Never write directly to the "Windows" directory and or subdirectories. Use the correct methods for installing files, such as fonts or drivers

在按机器"安装中，必须在首次运行时而不是在安装过程中写入用户数据.这是因为在安装时没有正确的用户位置来存储数据.安装后，应用程序尝试在计算机级别修改默认关联行为将失败.相反，必须在每个用户级别声明默认值，以防止多个用户覆盖彼此的默认值.

In "per-machine" installations, user data must be written at first run and not during the installation. This is because there is no correct user location to store data at time of installation. Attempts by an application to modify default association behaviors at a machine level after installation will be unsuccessful. Instead, defaults must be claimed on a per-user level, which prevents multiple users from overwriting each other's defaults.

接下来的事实是，您不应将其写入需要管理权限的任何位置.

Next is that fact that you should not be writing to any location that requires administrative permissions.

注意:您只需在Windows 2000或Windows XP上以标准用户身份运行即可(只需Windows 2000徽标要求)即可测试所有这些功能.

Note: You can test all of this on a Windows 2000 or Windows XP simply by (as Windows 2000 Logo Requirements required) running as a standard user.

由于大多数应用程序都忽略了徽标要求，并且在使用标准用户权限运行时可能会失败，因此Windows Vista包括通过虚拟化对受保护位置的写入来保持这些错误应用程序的能力-而不是使它们失败.

Since most applications ignored the logo requirements, and would fail when run with standard user privileges, Windows Vista included the ability to keep these buggy applications limping along by virtualizing writes to protected locations - rather than having them fail.

您可以通过将应用程序显示为 RunAs Invoker 来退出兼容的hack:

You can opt out of this compatibly hack by manifesting your application to RunAs Invoker:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> 
    ...
    <!-- Disable file and registry virtualization -->
    <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
        <security>
            <requestedPrivileges>
                <requestedExecutionLevel level="asInvoker" uiAccess="false"/>
            </requestedPrivileges>
        </security>
    </trustInfo>
    ...
</assembly>

徽标准则讨论了UAC和对某些位置的写入的虚拟化:

The logo guidelines talk about UAC and virtualization of writes to certain locations:

1. 遵循用户帐户控制(UAC)准则

某些Windows应用程序在 管理员的安全上下文 帐户，并且许多要求过多 用户权限和Windows特权. 控制对资源的访问 使用户可以控制 他们的系统针对不需要的20 变化.最重要的规则 控制对资源的访问是为了 提供最少的访问量 所需的标准用户上下文" 用户执行其必要的操作 任务.遵循UAC准则 为应用程序提供 必要时具有必要的权限， 无需不断离开系统 面临安全风险.

Some Windows applications run in the security context of an administrator account, and many require excessive user rights and Windows privileges. Controlling access to resources enables users to be in control of their systems against unwanted 20 changes. The most important rule for controlling access to resources is to provide the least amount of access "standard user context" required for a user to perform his or her necessary tasks. Following UAC guidelines provides applications with the necessary permissions when needed, without leaving the system constantly exposed to security risks.

大多数应用程序不需要 运行时的管理员权限， 并且应该可以很好地运行 标准用户. Windows应用程序 必须有清单21(嵌入或 外部22)定义了他们的 执行级别并告诉OS什么 应用程序所需的特权 为了运行.

Most applications do not require administrator privileges at run time, and should be just fine running as a standard-user. Windows applications must have a manifest 21 (embedded or external 22 ) that defines their execution levels and tells the OS what privileges the application requires in order to run.

• 例如

• For example,

应用程序的主进程必须以标准用户身份运行 (asInvoker).任何行政 功能必须移到单独的位置 与管理一起运行的过程 特权.

The main process of the application must be run as a standard user (asInvoker). Any administrative features must be moved into a separate process that runs with administrative privileges.

运行主程序的应用程序需要豁免 具有提升特权的进程23 (requireAdministrator或 最高)

A waiver is required for applications that run their main process 23 with elevated privileges (requireAdministrator or highestAvailable)

豁免将被视为 以下情况:

Waivers will be considered for the following scenarios:

• 执行级别设置为的管理或系统工具 maximumAvailable，和或 requireAdministrator

• Administrative or system tools with execution level set to highestAvailable, and or requireAdministrator

或

• 仅可访问性或UI自动化框架应用程序设置了 uiAccess 24标记为true，以绕过用户界面特权隔离 (UIPI)

• Only Accessibility or UI automation framework application setting the uiAccess 24 flag to true to bypass the user interface privilege isolation (UIPI)

然后是高dpi.十年来Windows Logo的要求要求应用程序对高(即非96dpi)显示做出适当的响应.由于如果用户确实使用大字体"，大多数应用程序都会崩溃，因此Microsoft放弃了，并且像文件系统虚拟化一样，它们也对dpi设置进行了虚拟化.除非应用程序选择退出兼容性攻击:否则Windows会对您撒谎，并告诉您您的分辨率为96dpi.

Then there was high-dpi. The Windows Logo requirements for a decade has required applications to respond appropriately to high (i.e. non-96dpi) displays. Since most applications break horribly if the user does use "Large Fonts", Microsoft gave up and, like virtualization of the file system, they also virtualize the dpi setting. Unless an application opts out of the compatibility hack: Windows will lie to you and tell you that you are 96dpi.

只有在正确编写应用后，才应在应用清单中添加一个条目以禁用高dpi缩放:

Only once you've written your app properly should you add an entry to your application's manifest to disable high-dpi scaling:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> 
    ...
    <!-- We are high-dpi aware on Windows Vista -->
    <asmv3:application xmlns:asmv3="urn:schemas-microsoft-com:asm.v3">
        <asmv3:windowsSettings xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">
            <dpiAware>true</dpiAware>
        </asmv3:windowsSettings>
    </asmv3:application>
    ...
</assembly>

无论如何，都在这里， Windows 7客户端软件徽标计划.

Anyway, it's all there, the Windows 7 Client Software Logo Program.

注意:如果您15年前(1995年)正在编写Windows应用程序，那么我假设您是在为以下内容编写:

Note: If you were writing a Windows application 15 years ago (1995) i assume you were writing for:

• Windows 3.1或
• Windows 95

而不是:

• Windows NT 3.1
• Windows NT 3.5
• Windows NT 4
• Windows 2000
• Windows XP

重要的是要注意Windows NT被设计为安全的操作系统.您不得随意做任何您想做的事.这是与以下内容的根本区别:

It's important to note that Windows NT was designed as a secure operating system. You are not allowed to arbitrarily do anything you want. This is a fundamental difference from:

• Windows 1
• Windows 2
• Windows 3
• Windows 3.1
• Windows 95
• Windows 98
• Windows Me

没有安全性.

写入Windows和Program Files文件夹需要管理员权限.这是因为通常只有管理员才能安装应用程序.但是普通用户无法修改或损坏已安装的程序-或Windows本身的安装，例如:

Writes to the Windows and Program Files folder requires administrator permission. This is because normally only administrators should install applications. But it regular users cannot modify, or damage, installed programs - or the installation of Windows itself, e.g.:

• 删除System32是错误的
• 删除WinSxS是不好的

• deleting System32 is bad
• deleting WinSxS is bad

这篇关于寻找关于“正确"文档的文档.在Windows 7上安装应用程序的方法的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！