In (very) broad terms, there are two types of requirements: implicit and explicit.

Explicit requirements are those that come from upon high. For example, the application must handle authentication over SSL. There isn’t much discussion about those necessary. We’re used to those.

Implicit requirements are a much trickier thing to navigate. It is implied that the application “shouldn’t suck”, or not be “dog slow”. These require human judgement to decide whether there is a bug in this implicit requirement or not.

One other implicit requirement is often the look-and-feel in terms of the operating system. (And to a lesser degree corporate look-and-feel, but that is often explicit.). For Windows based applications, the official Microsoft look-and-feel guidelines are posted on MSDN. To be specific, they here: Windows User Experience Interaction Guidelines (or are a giant pdf).

If you have an application that lives in Windows, you really should have that page bookmarked.