On Windows 8.1, the Start screen replaces the traditional Start menu. A desktop app is automatically added to Start when you install it and will have a Start tile. A Start tile makes it easy to start and manage the app. You can press and hold or right-click the tile to display management options. Management options for tiles depend on the type of tile. Live tiles can update their content, and these updates can be turned on or off. Some tiles can be displayed in several sizes, and you might be able to make a tile smaller or larger. If you no longer want a tile to be displayed on Start, you can choose the Unpin From Start option.

You can start and manage apps that you unpin in several ways, including through the Apps list. Apps is the Windows 8.1 equivalent to the Programs menu in earlier releases of Windows. From the Start screen, you can display Apps by selecting the down button on the Start screen.

When working with apps and tiles, you should be aware of a few handy keyboard shortcuts, which work with desktop programs as well:

Windows 8.1 has important improvements when it comes to working with apps. With Windows 8.1, apps can use four tile sizes: small (70 x 70 pixels), medium (150 x 150 pixels), wide (310 x 150 pixels), and large (310 x 310 pixels). Because more than two apps can share the screen at the same time, you can open one app and have it remain in the foreground when you open another app that also is in the foreground. Apps can open other apps and share the screen with them. A single app can also use multiple monitors.

Windows 8.1 apps with live tiles start updating immediately after installation. Previously, you needed to run the app after installation to start receiving updates.

In Windows 8.1, one of the lock screen slots is available for alarm apps. When you place an alarm app in this slot, it becomes the system alarm app and can generate alarm notifications. The default alarm app is Alarms, which has timer, stopwatch, and alarm features. Although other apps could issue alarm notifications, the notifications are handled as normal notifications rather than priority alarm notifications. In the Administrative Templates policies for User Configuration under Start Menu And TaskbarNotification, you’ll find options for managing times when notifications should be allowed or blocked.

Generally, apps are installed and updated over a network or the Internet. By default, computers running Windows 8.1 can install only trusted app packages that come from the Windows Store. If you want to install trusted apps developed in-house or by third-party developers, you’ll need to enable the Allow All Trusted Apps To Install policy in the Administrative Templates policies for Computer Configuration under Windows ComponentsApp Package Deployment.

You can manage user access to the Windows Store in several ways, including the following:

Apps run in a unique context and have a lower integrity level than desktop programs. The lower integrity level might allow apps to perform tasks that could compromise security because you’d otherwise need to provide consent to continue, and you don’t need to provide consent in these instances with apps. For example, by default, apps can open a file in a desktop program. With an unhandled file type or protocol, users get an Open With dialog box and can select a local application to open the unknown file type or protocol or use the Store service to find an application to do the same.

You can use several policies to enhance security and prevent these behaviors, including the following:

It’s also important to point out that some apps can display notifications on the lock screen and that a notification history is maintained by default. The notification history allows users to log off and then log back on later and see the tile just as they did prior to logging off. To block notifications on the lock screen, enable Turn Off App Notifications On the Lock Screen in the Administrative Templates policies for Computer Configuration under SystemLogon. To clear the notification history when a user logs off, enable Clear History Of Tile Notifications On Exit in the Administrative Templates policies for User Configuration under Start Menu And Taskbar.

Apps receive notifications through the Windows Push Notification Service (WNS). Live apps use WNS to update the content on their tiles, to display notifications, and to receive notifications. By using Administrative Templates policies for User Configuration under Start Menu And TaskbarNotifications, you can control the use of WNS in several ways, including the following:

Windows 8.1 supports several important networking features related to applications in general and apps specifically. Windows 8.1 uses a feature called Windows Network Isolation to automatically discover proxies and private network hosts when a computer is connected to a domain. By default, any proxy detected is considered authoritative and any network host can be discovered via the private subnets available to the computer.

Proxy discovery and private host discovery are separate features. You control the proxy discovery process by using policies in the Administrative Templates policies for Computer Configuration under NetworkNetwork Isolation. Enable the Internet Proxy Servers For Apps policy, and then enter a comma-separated list of authorized proxies that apps running on domain-connected computers can use for accessing the Internet. By default, this list of proxies is merged with the list of automatically discovered proxies. If you want only your listed proxies to be authoritative, enable Proxy Definitions Are Authoritative.

You can use the Intranet Proxy Servers For Apps policy to define authorized private network proxies. Enable this policy and then enter a comma-separated list of proxies that provide access to intranet resources. If you want only your listed proxies to be authoritative, enable Proxy Definitions Are Authoritative.

Policies in the Administrative Templates policies for Computer Configuration under NetworkNetwork Isolation are also used to control private host discovery. Hosts discovered in this way are designated as private. Normally, private host discovery will not go across subnet boundaries.

You can enhance the discovery process by enabling the Private Network Ranges For Apps policy and then entering a comma-separated list of your company’s IPv4 and IPv6 subnets. This tells Windows about the available subnets so that they can be used for private host discovery. By default, this list of subnets is merged with the list of automatically discovered subnets. If you enable Subnet Definitions Are Authoritative, only network hosts within address ranges specific in Group Policy will be discovered and considered private.

All applications used with Windows 8.1 are divided into two general categories:

The distinction between UAC-compliant applications and legacy applications is important because of the architectural changes required to support UAC. UAC-compliant applications use UAC to reduce the attack surface of the operating system. They do this by preventing unauthorized applications from installing or running without the user’s consent and by restricting the default privileges granted to applications. These measures make it harder for malicious software to take over a computer.

All applications that run on Windows 8.1 derive their security context from the current user’s access token. By default, UAC turns all users into standard users even if they are members of the Administrators group. If an administrator user consents to the use of her administrator privileges, a new access token is created for the user. It contains all the user’s privileges, and this access token—rather than the user’s standard access token—is used to start an application or process.

In Windows 8.1, most applications can run using a standard user access token. Whether applications need to run with standard or administrator privileges depends on the actions the application performs. Applications that require administrator privileges, referred to as administrator user applications, differ from applications that require standard user privileges, referred to as standard user applications, in the following ways:

Applications not written for Windows 8.1 run with a user’s standard access token by default. To support the UAC architecture, these applications run in a special compatibility mode and use file system and registry virtualization to provide “virtualized” views of file and registry locations. When an application attempts to write to a system location, Windows 8.1 gives the application a private copy of the file or registry value. Any changes are then written to the private copy, and this private copy is then stored in the user’s profile data. If the application attempts to read or write to this system location again, it is given the private copy from the user’s profile with which to work. By default, if an error occurs when the application is working with virtualized data, the error notification and logging information show the virtualized location rather than the actual location where the application was trying to work.

The focus on standard user and administrator privileges also changes the general permissions required to install and run applications. In early versions of Windows, the Power Users group gave users specific administrator privileges to perform basic system tasks when installing and running applications. Applications written for Windows 8.1 do not require the use of the Power Users group. Windows 8.1 maintains it only for legacy application compatibility.

As part of UAC, Windows 8.1 by default detects application installations and prompts users for elevation to continue the installation. Installation packages for UAC-compliant applications use application manifests that contain run-level designations to help track required privileges. Application manifests define the application’s privileges as one of the following:

To protect application processes, Windows 8.1 labels them with integrity levels ranging from high to low. Applications that modify system data, such as Disk Management, are considered high integrity. Applications performing tasks that could compromise the operating system, such as Internet Explorer, are considered low integrity. Applications with lower integrity levels cannot modify data in applications with higher integrity levels.

Windows 8.1 identifies the publisher of any application that attempts to run with an administrator’s full access token. Then, depending on that publisher, Windows 8.1 marks the application as belonging to one of the following three categories:

To help you quickly identify the potential security risk of installing or running the application, a color-coded elevation prompt displays a different message depending on the category to which the application belongs:

Prompting on the secure desktop can be used to further secure the elevation process. The secure desktop safeguards the elevation process by preventing spoofing of the elevation prompt. The secure desktop is enabled by default in Group Policy, as discussed in the section Optimizing UAC and Admin Approval Mode in Chapter 5.

By default, only applications running with a user’s administrator access token run in elevated mode. Sometimes you’ll want an application running with a user’s standard access token to be in elevated mode. For example, you might want to open the Command Prompt window in elevated mode so that you can perform administration tasks.

In addition to application manifests (discussed in the previous section), Windows 8.1 provides two different ways to set the run level for applications:

To run an application once as an administrator, press and hold or right-click the application’s shortcut or menu item, and then tap or click Run As Administrator. If you are using a standard account and prompting is enabled, you are prompted for consent before the application is started. If you are using a standard user account and prompting is disabled, the application will fail to run. If you are using an administrator account and prompting for consent is enabled, you are prompted for consent before the application is started.

Windows 8.1 also enables you to mark an application so that it always runs with administrator privileges. This approach is useful for resolving compatibility issues with legacy applications that require administrator privileges. It is also useful for UAC-compliant applications that normally run in standard mode but that you use to perform administration tasks. As examples, consider the following:

You can mark a program to always run as an administrator by following these steps:

The program will now always run by using an administrator access token. Keep in mind that if you are using a standard account and prompting is disabled, the program will fail to run.

With regard to applications, several areas of UAC can be customized, including:

In Group Policy, you can configure these features by using settings for Computer Configuration under Windows SettingsSecurity SettingsLocal PoliciesSecurity Options. The security settings are as follows:

In a domain environment, you can use Active Directory–based Group Policy to apply the security configuration you want to a particular set of computers. You can also configure these settings on a per-computer basis by using local security policy. To do this, follow these steps:

When you insert an application disc, Windows 8.1 checks for a file named Autorun.inf. If present, Autorun.inf specifies the action that the operating system should take and might also define other installation parameters. Autorun.inf is a text-based file that can be opened in any standard text editor. If you were to examine the contents of an Autorun.inf file, you’d find something similar to the following code:

[autorun]
OPEN=SETUP.EXE AUTORUN=1
ICON=SETUP.EXE,4
SHELL=OPEN
DisplayName=Microsoft Digital Image Suite 9
ShortName=PIS
PISETUP=PIPpisetup.exe

This Autorun.inf file opens a file named Setup.exe when a disc is inserted into a drive. Because Setup.exe is an actual program, this program is invoked. The Autorun.inf file also specifies an icon to use, the status of the shell, the program display name, the program’s short name, and an additional parameter, which in this case is the location of another setup program to run.

The file that Autorun.inf specifies to open won’t always be a program. Consider the following example:

[autorun]
OPEN=AutorunShelExec default.htm

This Autorun.inf file executes via the shell and opens a file named Default.htm in the computer’s web browser. It’s important to note that even in this case, the document opened in the web browser contains links that point to a setup program.

Most applications have a setup program that uses InstallShield, Wise Install, or Windows Installer. When you start the setup program, the installer helps track the installation process and should also make it possible to easily uninstall the program when necessary. If you are installing an older application, the setup program might use an older version of one of these installers, and this might mean the uninstall process won’t completely uninstall the program.

Even if you are absolutely certain that a program has a current installer, you should consider the possibility that you will need to recover the system if something goes wrong with the installation. To help ensure that you can recover your system, check that System Restore is enabled for the drive on which you are installing the program so that System Restore can create an automatic checkpoint before installing the program.

Although the installers for most current programs automatically trigger the creation of a restore point before making any changes to a computer, the installers for older programs might not. You can manually create a restore point, as discussed in Chapter 9. Then, if you run into problems, you can try to uninstall the program or use System Restore to recover the system to the state it was in prior to the program’s installation.

Before installing any application, you should check to determine whether it is compatible with Windows 8.1. To determine compatibility, you can do the following:

Windows 8.1 attempts to recognize potential compatibility problems before you install applications. If it detects one, you might get a Program Compatibility Assistant dialog box after you start a program’s installer. Often, this dialog box contains information about the known compatibility issues with the program, and in many cases, it displays a possible solution. For example, you might be advised to install the latest service pack for the program before running the program on the computer. In some cases, the Program Compatibility Assistant might display the message “This program is blocked due to compatibility issues.” Here, the program is blocked because it causes a known stability issue with Windows, and you can’t create an immediate fix to work around the problem. Your only options are to tap or click the Check For Solutions Online button or tap or click Cancel. If you check for solutions online, the typical solution requires you to purchase an updated version of the program. If you cancel, you stop the installation process without checking for possible solutions.

If the installation continues but fails for any reason before it is fully complete (or fails to properly notify the operating system regarding completion), you’ll also get a Program Compatibility Assistant dialog box. In this case, if the program installed correctly, tap or click This Program Installed Correctly. If the program didn’t install correctly, tap or click Reinstall Using Recommended Settings to allow the Program Compatibility Assistant to apply one or more compatibility fixes, and then try again to run the installer.

When you start programs, Windows 8.1 uses the Program Compatibility Assistant to automatically make changes for known compatibility issues as well. If the Program Compatibility Assistant detects a known compatibility issue when you run an application, it notifies you about the problem and provides possible solutions for resolving the problem automatically. You can then allow the Program Compatibility Assistant to reconfigure the application for you, or you can manually configure compatibility as discussed in the section Configuring program compatibility later in this chapter.

Policies in the Administrative Templates policies for Computer Configuration under Windows ComponentsApplication Compatibility are also used to control compatibility settings. The policies are as follows:

After installation, most desktop programs should have related tiles on the Start screen and related options on the Apps list. This occurs because a program’s shortcuts are placed in the appropriate subfolder of the Start MenuPrograms folder (%SystemDrive%ProgramDataMicrosoftWindowsStart MenuPrograms) for all users so that any user who logs on to the system has access to that program. Some programs prompt you during installation to choose whether you want to install the program for all users or only for the currently logged-on user. Other programs simply install themselves only for the current user.

If setup installs a program so that it is available only to the currently logged-on user and you want other users to have access to the program, you need to take one of the following actions:

If you want to make a program available to all users on a computer, you can copy or move a program’s shortcuts by completing the following steps:

If you want to make a program available only to the currently logged-on user rather than all users on a computer, you can move a program’s shortcuts by completing the following steps:

The Prevent Access To 16-bit Applications setting under Computer ConfigurationWindows ComponentsApplication Compatibility controls whether 16-bit applications can run on Windows computers. If this setting is not configured, 16-bit applications might require elevated administrator privileges to run. If this setting is enabled, 16-bit applications are prevented from running; and if the setting is disabled, 16-bit applications can run and don’t require elevated administrator privileges.

Many 16-bit and MS-DOS-based programs that don’t require direct access to hardware can be installed and run on Windows 8.1 without any problems; however, most 16-bit and MS-DOS-based programs do not support long file names. To help ensure compatibility with these programs, Windows 8.1 maps long and short file names as necessary to ensure that long file names are protected when they are modified by a 16-bit or an MS-DOS-based program. Additionally, it’s important to note that some 16-bit and MS-DOS-based programs require 16-bit drivers, which are not supported on Windows 8.1. As a result, these programs won’t run.

Most existing 16-bit and MS-DOS-based programs were originally written for very early Windows operating systems. Windows 8.1 runs these older programs by using a virtual machine that mimics the 386-enhanced mode used by these very early Windows operating systems. Unlike on other recent releases of Windows, on Windows 8.1 each 16-bit and MS-DOS-based program runs as a thread within a single virtual machine. This means that if you run multiple 16-bit and MS-DOS-based programs, they all share a common memory space. Unfortunately, if one of these programs stops responding or “hangs,” it usually means the others will also.

You can help prevent one 16-bit or MS-DOS-based program from causing others to hang or crash by running it in a separate memory space. To do this, follow these steps:

Some programs won’t install or run on Windows 8.1 even if they work on previous versions of the Windows operating system. If you try to install a program that has known compatibility problems, Windows 8.1 should display a warning prompt telling you about the compatibility issue. In most cases, you should not continue installing or running a program with known compatibility problems, especially if the program is a system utility such as an antivirus program or a disk partitioning program, because running an incompatible system utility can cause serious problems. Running other types of incompatible programs can also cause problems, especially if they write to system locations on disk.

That said, if a program will not install or run on Windows 8.1, you might be able to run the program by adjusting its compatibility settings. Windows 8.1 provides two mechanisms for managing compatibility settings. You can use the Program Compatibility Troubleshooter Wizard, or you can edit the program’s compatibility settings directly by using the program’s Properties dialog box. Both techniques work the same way. However, the Program Compatibility Troubleshooter Wizard is the only way you can change compatibility settings for programs that are on shared network drives, CD or DVD drives, or other types of removable media drives. As a result, you can sometimes use the Program Compatibility Troubleshooter Wizard to install and run programs that would not otherwise install and run.

In Windows 8.1, you can view and work with a computer’s currently running programs and processes by using Task Manager. You can open Task Manager by pressing Ctrl+Shift+Esc. Alternatively, press and hold or right-click the lower-left corner of the screen, and then tap or click Task Manager on the shortcut menu.

By default, Task Manager displays a summary list of running applications, as shown in Figure 7-3. You can manage an application by tapping or clicking it in the list. To exit an application (which might be necessary when it’s not responding), tap or click the application in the Task list, and then tap or click End Task. To display other management options, press and hold or right-click the application in the Task list.

Figure 7-3. Use summary view to quickly manage running applications.

When working with the summary view, you can tap or click More Details to open the full Task Manager. You’ll then find detailed information about running applications and processes, as shown in Figure 7-4. The Processes tab lists applications and processes running on the computer. Generally, items listed under the Apps heading are applications that you’ve started, processes being run in the background by Windows are listed under Background Processes, and all other processes running on the computer are listed under Windows Processes.

Figure 7-4. Use the full view of Task Manager to get an expanded view of running applications and processes.

Each application or process is listed by name, status, CPU usage, memory usage, disk usage, and network usage. A blank status means the application or process is in a normal state. As with the summary view, you can exit an application or stop a running process by tapping or clicking the application or process in the Task list, and then tapping or clicking End Task.

Double-tap or double-click the application or process to view related windows or processes. Display more management options by pressing and holding or right-clicking the application or process in the Task list. The options include Open File Location, which opens the folder containing the executable file for the application or process in File Explorer; Create Dump File, which creates a memory dump file for the selected process; Go To Details, which opens the Details tab with the process selected; and Properties, which opens the Properties dialog box for the executable file.

Windows 8.1 considers any program you’ve installed on a computer or made available for a network installation to be an installed program. You use the setup program that comes with the program to install programs, and you use the Programs And Features page in Control Panel to manage programs.

You can use the Programs And Features page to view, add, remove, or repair installed programs by following these steps:

When you are uninstalling programs, keep the following in mind:

Default programs determine which programs are used with which types of files and how Windows handles files on CDs, DVDs, and portable devices. You configure default programs based on the types of files those programs support, either globally for all users of a computer or only for the current user. Individual user defaults override global defaults. For example, you could select Windows Media Player as the global default for all types of files it supports, and then all users of the computer would use Windows Media Player to play the sound, audio, and video files it supports. If a specific user wanted to use Apple iTunes instead, for example, as the default player for sound and audio files, you could configure iTunes to be that user’s default player for the types of media files it supports.

You can configure global default programs for all the users of a computer by following these steps:

Figure 7-5. Choose a global default configuration.

To override global defaults, you can set default programs for individual users. You can configure default programs for the current user by following these steps:

Windows uses the command path to locate executable files. You can view the current command path for executable files by using the PATH command. In a command shell, type path on a line by itself, and then press Enter. In a Windows PowerShell console, type $env:path on a line by itself, and then press Enter. In the output from either technique, observe that Windows uses a semicolon (;) to separate individual paths, marking where one file path ends and another begins.

The command path is set during logon by using system and user environment variables. The path defined in the PATH system variable sets the base path. The path defined in the PATH user variable adds to the base path by using the following syntax:

%PATH%;AdditionalPaths

Here, %PATH% tells Windows to insert the current system paths, and AdditionalPaths designates the additional user-specific paths to use.

Don’t forget about the search order that Windows uses. Paths are searched in order, with the last path in the PATH user variable being the last one searched. This can sometimes slow the execution of your programs and scripts. To help Windows find your programs and scripts faster, you should consider placing a required path earlier in the search order.

Be careful when setting the command path. It is easy to overwrite all path information accidentally. For example, if you don’t specify %PATH% when setting the user path, you will delete all other path information. One way to ensure that you can easily re-create the command path is to keep a copy of the command path in a file:

At the command prompt or in the Windows PowerShell window, you can modify the command path by using the Setx.exe utility. You can also edit the command path by completing the following steps:

In Group Policy, you can use a preference item to modify the -command path by following these steps:

File name extensions and file associations also are important for determining how applications run. The types of files that Windows considers to be executable files are determined by the extensions for executable files. File name extensions allow users to execute a command by using just the command name. File associations are what allow users to double-tap or double-click a file and open the file automatically in a related application. Two types of file name extensions are used:

With executable files, the order of file name extensions in the %PATHEXT% variable sets the search order used by the command line on a per-directory basis. Thus, if a particular directory in the command path has multiple executable files that match the command name provided, a .com file would be executed before an .exe file, and so on.

Every known extension on a system has a corresponding file association and file type—even extensions for executable files. In some cases, the file type is the extension text without the period followed by the keyword file, such as cmdfile, exefile, or batfile, and the file association specifies that the first parameter passed is the command name and that other parameters should be passed on to the application. For example, if you enter assoc .exe to view the file associations for .exe executable files, you then enter ftype exefile. You’ll find the file association is set to the following:

exefile="%1" %*

Thus, when you run an .exe file, Windows knows that the first value is the command that you want to run and anything else provided is a parameter to pass along.

File associations and types are maintained in the Windows registry and can be set by using the Assoc and Ftype commands, respectively. To create the file association at the command line, enter assoc followed by the extension setting, such as assoc .pl=perlfile. To create the file type at the command line, set the file-type mapping, including how to use parameters supplied with the command name, such as ftype perlfile=C:PerlBinPerl.exe “%1” %*.

You can also associate a file type or protocol with a specific application by completing the following steps:

In Group Policy, you can use a preference item to create new file types and file associations. To create a preference item for a new file type, follow these steps:

To create a preference item for a new file association, follow these steps:

In Windows 8.1, AutoPlay options determine how Windows handles files on CDs, DVDs, and portable devices. You can configure separate AutoPlay options for each type of CD, DVD, and other media your computer can handle by following these steps:

Operating system components are considered Windows features that can be turned on or off rather than added or removed. You can turn on or off Windows features by following these steps: