Oops, no sandbox
Project C apps are not sandboxed in the same way as Universal Apps, though they are a little more restricted than traditional Win32 applications. A Project C app runs with full user-level trust, though it is not allowed to run with administrative rights (also known as "elevated"). This means it can never display the UAC (User Account Control) dialog that requests permission to change parts of the system. However, it can use Windows features like COM and WMI (Windows Management Instrumentation), and access custom hardware, things not available to other Store apps.
A restriction is that a Project C app cannot load libraries from other Project C apps. That said, Sheehan added: "We will give you a pipe to communicate," though the details are not yet finalized.
A Project C app is installed per-user, though according to Sheehan there is clever stuff under the covers, such as de-duplication of files so that only one copy is downloaded. The auto-update mechanism is also smart, he said, so that only changed files, or potentially just the difference between a file and its new version, get downloaded.
Security is the big weakness of Project C. "Early on we erred on the side of not doing it, but we trust you guys," Sheehan told developers at Build, somewhat through gritted teeth. A malicious Project C app could do damage, though it has to get through Microsoft's approval procedures before it can be listed in the Store. "We have kill-bit mechanisms," Sheehan added, in the case that malware slipped through.
Microsoft's dilemma is that without Project C, it is reliant on developers writing apps specifically for the Windows Runtime, the platform underlying both Windows 8 Store apps and the new Universal Apps. Now there are millions of existing desktop apps which could be packaged for the Store. Project C also has potential for businesses, which get the easy deployment and updating of Store apps for their existing Win32 applications, presuming they meet the requirements to work under Project C. Deploying Project C apps through an internal, private store, or installing them from the command line (called side-loading), is also possible.
A Project C app will only run on a PC, not on a phone, an Xbox or a HoloLens. Microsoft is presenting the project as a bridge to the Universal App Platform (UAP), in the hope that what begins as a Project C package will migrate to a full UAP port with access to all the platforms.
It could also have the opposite effect, enabling developers to support the Store with apps that lack the security and touch-friendly user interface of UAP apps. The existence of Project C means that developer tools like Embarcadero's RAD Studio can build Store apps without needing to support UAP itself. In other words, Project C could actually inhibit the development of true UAP apps by making it easier to get away with packaged Win32 apps instead, just as Android and Objective-C support may mean more apps get quick ports rather than full native implementations for Windows 10.
Microsoft's master plan is to offer mobile, web, and desktop apps, all in one store
At this point, Microsoft would presumably rather put up with all the above than risk a repeat of Windows 8, where the Store was largely ignored. Project C is imperfect, but has the potential to bring better, more controlled application management to Windows even for desktop applications. This depends, of course, on Microsoft successfully convincing users to upgrade from Windows 7 to 10; perhaps Project C will be one good reason to do so.
Project C will not be included in the first release build of Windows 10 in the summer, but will follow on later, as part of the "release wave" described by Windows exec Joe Belfiore.