KFW and Vista

Jeffrey Hutzelman jhutz at cmu.edu
Wed Nov 29 18:59:37 EST 2006

On Thursday, November 23, 2006 07:47:01 AM -0500 Jeffrey Altman 
<jaltman at secure-endpoints.com> wrote:

> applications
> are not permitted to modify the contents of the %WinDir% directory tree.
> Any changes will be reverted.

So what's the problem?  Kerberos is not an "application"; it is system 
software.  Ordinary users should not be modifying the conf files we're 
talking about; only administrative users should be doing that.

If I understand what you're saying correctly, is that the virtualization of 
%WinDir% and \Program Files\ is not layered, so non-privileged code doesn't 
even get to _see_ the contents of the real directories; instead they see a 
tree of empty stuff.

Except I can't imagine that is actually true, because it would make it 
impossible for an administrator to install a traditional non-vista-aware 
application in a way that makes it available for all users of the system.

> (3) if you build for Vista, can the resulting binaries be executed
>     on Vista?

The answer to this one had better be "YES".  For which occurance of "Vista" 
should we be reading "XP" ?

> Now in the Vista SDK, symbols are being selectively defined
> based upon the OS version you are building the application for.

So it's impossible to build an application that uses appropriate interfaces 
based on a run-time test to determine if it's running on Vista or XP?  Ugh. 
Again, I have trouble believing it's that bad, given that they appear to 
have gotten this right for device drivers for several years and through 
several WDM versions.

> I'm suggesting drawing the line at Vista partly because the use of the
> Vista SDK requires it but also because the user experience on Vista
> is going to be different from the older OS versions anyway.

I actually find the latter argument somewhat compelling, especially if the 
feature set and user experience are expected to diverge further in the 

-- Jeff

More information about the krbdev mailing list