Folder Virtualization Concepts in Windows Vista


Under User Account Control, Windows Vista restricts portions of the Windows file system and registry. UAC also restricts write operations during normal operation (i.e., standard user mode). For example, applications no longer have unlimited access to C:\Program Files and C:\Windows, which has considerable ramifications because most software created for Windows today expects unfettered access to all directories. The system-wide file system and Registry writes are automatically and silently redirected to per-user locations that won't harm the wider system.

Editor's Note: Although this is a form of "virtualization," it is not the same as the application virtualization offered in Altiris SVS. Please see this post for a brief discussion of the difference.

To accommodate existing software for Windows that writes to protected file directories, Microsoft provides a backward compatibility technology known as Virtualization. While virtualization enables older applications to run without programmer intervention, it does not guarantee correct behaviour, and many applications will need to be updated to comply with UAC restrictions. Virtualization is often referred to as data redirection because it functions by funnelling attempted access to protected locations to new locations stored under user profiles. For example, if a legacy application attempts to write to the Program Files directory, UAC silently redirects that operation to an unprotected user-specific folder.

Virtualization Process

When an application installer attempts to write a file called Entry.txt in C:\Program Files, the write is silently redirected to a Virtual Store directory located inside the current user's profile. To the application, things proceed as normal, and it has no idea that it is being redirected. To the user, too, the application still appears to be located at the old, expected location. But because the application is not accessing system-wide file locations, it cannot be used to harm the system. And on multi-user systems, each user will have isolated, local copies of redirected files. When the same action is invoked by an admin user, the file is created in Program Files itself. This is depicted in the figures below.

Registry virtualization works similarly. In this case, the HKEY_LOCAL_MACHINE\SOFTWARE hive is virtualized so that applications which attempt to store configuration information in system-wide portions of the Registry are redirected to a newly introduced structure under HKEY_CURRENT_USER\Software\Classes\VirtualStore\MACHINE\SOFTWARE.

As with file virtualization, each user on a system will have their own copy of configuration information that was previously stored once on a global basis.

Sample Demo

Here is a simple code snippet which I developed to explain the Folder Virtualization concepts. To demonstrate this, log in to a Vista machine with a standard user account and launch the application "Folder Virtualization.exe".

Click on the "Test the access Credential" push button to verify the account type. As expected, the dialog will be shown as below because we have logged in as a standard user.

To start with, let's create a registry key test in HKLM\Software\Vista by clicking on the push button as shown below.

The above screen reports that the registry entry has been made. However, when you check HKLM\Software\, no key has been created there.

This is Registry virtualization at work: the key is instead created in HKEY_CURRENT_USER\Software\Classes\VirtualStore\Machine\Software\Vista, as shown in the figure below.

Now let's try creating a file called "entry.txt" in C:\Program Files\Vista by clicking on the push button as shown below.

The above screen shows that the file has been created in the "Program Files" folder, but there is no folder called Vista in Program Files.

Use Folder Options to show all hidden files.

The Entry.txt file is virtualized and created in C:\Users\Vijay\AppData\Local\VirtualStore\Program Files\Vista.

These were the operations done as a standard User.

Now, right click on the Folder Virtualization.exe and click on Run as administrator as shown below.

Testing the access token now shows that you are an administrator user.

Now, on clicking the registry creation and file creation buttons, the key and file are created in HKLM\Software\Vista and C:\Program Files\Vista because you are running with an admin credential.

Folder Redirection

Windows Vista doesn't have a folder called "Documents and Settings" in the root of the drive. Instead, it has a folder called "Users". However, there is support for applications that use "Documents and Settings" as a hard-coded entry.

To demonstrate this, click on the last button to create a file on the desktop. Now go to a command prompt and type cd "Documents and Settings"; this command will work. This is not a hidden folder; it is a folder redirected to Users.

Limitations of Virtualization

Virtualization is a security measure aimed at making legacy software work better in Vista. Microsoft expects Vista-compliant applications to respect the new Windows application guidelines, and future Windows versions will do away with file system and Registry virtualization after more applications are moved to the new development style. This is a short-term solution only.

Although most legacy applications created for previous versions of Windows will run because of virtualization, it is not an ideal solution and only intended to serve as a short-term workaround. Because virtualization isolates files in per-user locations, it can lead to undesirable and seemingly bizarre behaviour, especially on computers shared by multiple users.

Consider, for example, a test application created for Windows XP that performs quality assurance on products at the end of a manufacturing line. Like many existing applications, this software writes test data to a location in the Program Files directory: "C:\Program Files\QA".

Under Windows Vista, virtualization could affect the behaviour of the application. If you run the application on this machine using your standard user profile, Windows Vista automatically detects that you don't have permission to access that location and redirects the data to the following location:

C:\Users\<username>\AppData\Local\VirtualStore\Program Files\QA

Subsequent write and read operations performed under this user profile will always use the copy located in the Virtual Store. But, the application will continue to believe that it's accessing the Program Files directory. If a second operator logs into this computer under his or her profile, he or she won't have access to the previously saved data because it's not shared across user profiles.
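The redirection described under "Virtualization Process" and in the QA scenario above can be expressed as a path mapping, which is useful when auditing where a legacy application's data actually went. This is an added example, not the author's demo code; it assumes a C: system drive and treats only the roots the article names (C:\Program Files, C:\Windows, HKLM\SOFTWARE) as protected, and all function names are illustrative.

```python
import ntpath

# Protected roots named in the article; limiting the set to these is an
# assumption of this sketch. The system drive C: is also assumed.
PROTECTED_DIRS = (r"C:\Program Files", r"C:\Windows")
HKLM_SOFTWARE = r"HKEY_LOCAL_MACHINE\SOFTWARE"
HKCU_VSTORE = r"HKEY_CURRENT_USER\Software\Classes\VirtualStore\MACHINE\SOFTWARE"


def _under(path, root):
    """Case-insensitive test: is `path` equal to `root` or somewhere below it?"""
    p, r = path.lower(), root.lower()
    return p == r or p.startswith(r + "\\")


def virtual_store(user):
    return ntpath.join(r"C:\Users", user, r"AppData\Local\VirtualStore")


def redirect_file(path, user):
    """Where a standard user's write to `path` ends up, or None if not redirected."""
    path = ntpath.normpath(path)
    if not any(_under(path, root) for root in PROTECTED_DIRS):
        return None
    tail = ntpath.splitdrive(path)[1].lstrip("\\")  # path without the drive
    return ntpath.join(virtual_store(user), tail)


def original_file(vpath, user):
    """Inverse mapping: the system-wide path a VirtualStore file stands in for."""
    vpath, store = ntpath.normpath(vpath), virtual_store(user)
    if not _under(vpath, store) or len(vpath) == len(store):
        return None
    return "C:\\" + vpath[len(store) + 1:]


def redirect_key(key):
    """Per-user key that shadows an HKLM\\SOFTWARE key, or None."""
    if key.upper().startswith("HKLM\\"):
        key = "HKEY_LOCAL_MACHINE" + key[4:]
    if not _under(key, HKLM_SOFTWARE):
        return None
    return HKCU_VSTORE + key[len(HKLM_SOFTWARE):]


if __name__ == "__main__":
    # Constructed sample: two operators writing the same QA result file.
    for user in ("operator1", "operator2"):
        print(redirect_file(r"C:\Program Files\QA\results.csv", user))
    print(redirect_key(r"HKLM\Software\Vista"))
```

The two operators get different target paths for the same logical file, which is the isolation the QA scenario describes.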

While an administrator can forcibly disable virtualization in Windows Vista, Microsoft has vowed to remove it in a subsequent version of Windows. To ensure that software behaves as expected under all use cases in Windows Vista and beyond, you must update test systems so that writable files no longer appear in virtualized directories. In many cases, software rewrites may be minimal, but compliance with UAC restrictions could entail major architectural changes, depending on the application.

Steps to follow when virtualization is not needed

If the developer needs to install the application into C:\Program Files\ProductName\... and write into the HKEY_LOCAL_MACHINE\Software\ProductName registry key, then they can do these two things:

  1. Provide a manifest file with the application in which the credential level is set to "asInvoker".
  2. Provide a manifest file with your installer (or a separate helper EXE) in which you specify level="asInvoker". Then give your installer (or a separate helper EXE) the ability to grant the 'Users' group write access to C:\Program Files\ProductName\ and to the HKEY_LOCAL_MACHINE\Software\ProductName registry key so that normal users have access.
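Windows applies virtualization only to processes whose manifest declares no requested execution level, so the manifest from step 1 is what opts an application out. The following added example (not part of the original demo) parses a manifest and reports the declared level; both manifests are constructed samples and the function names are illustrative.

```python
import xml.etree.ElementTree as ET

VALID_LEVELS = {"asInvoker", "highestAvailable", "requireAdministrator"}

# Constructed sample manifest of the kind step 1 asks the application to ship.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="asInvoker" uiAccess="false"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>"""

# Constructed sample: a manifest with no trustInfo section at all.
LEGACY_MANIFEST = """<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity name="Example.LegacyApp" version="1.0.0.0" type="win32"/>
</assembly>"""


def requested_execution_level(manifest_xml):
    """Return the declared level, or None when the manifest declares none."""
    root = ET.fromstring(manifest_xml.encode("utf-8"))
    for el in root.iter():
        # Compare local names so any trustInfo namespace version matches.
        if el.tag.rsplit("}", 1)[-1] == "requestedExecutionLevel":
            level = el.get("level")
            if level not in VALID_LEVELS:
                raise ValueError(f"unexpected execution level: {level!r}")
            return level
    return None


def is_legacy_for_uac(manifest_xml):
    """True when no execution level is declared, so virtualization can apply."""
    return requested_execution_level(manifest_xml) is None


if __name__ == "__main__":
    print(requested_execution_level(SAMPLE_MANIFEST))
    print(is_legacy_for_uac(LEGACY_MANIFEST))
```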

Please change the extension of Virtualization Demo and Concepts.txt to Virtualization Demo and Concepts.zip and execute the Virtualization.exe inside.

Hope it's useful for all.

Cheers'
Viju

Attachment: Virtualization Demo and Concepts.txt (815.7 KB)

Very good

erikw's picture

Vijay,

This is in my opinion the best piece on the juice.
Great.
I can use it very well.
Too bad I can only give it a 5. I would give it a 10 if possible.

Regards
Erik
www.svs4u.nl

Thanks Erik..

Hi Erik,

Thanks for your compliments. I am really happy to see such a good reply and comment for my post. Hope I keep the readers entrancing with quality works and posts.

Thanks again..

Cheers'
Viju

HKCR re-direction

If applications write to HKCR at run time to reinforce their file associations, COM registration data, and so on, an error is raised if the write fails, even if the data to be written is already there. The same data is written every time the app runs. If that same registration data were stored in HKCU\Software\Classes, then the write operations would succeed, without changing program behavior.

To fix this, first you must identify the keys under HKCR that the application is trying to write to. Export those keys to one or more .reg files (in the Registry Editor, select File | Export and choose Selected branch). Then using a text editor, replace all instances of [HKEY_CLASSES_ROOT\ with [HKEY_CURRENT_USER\Software\Classes\ and save your changes. When you’re finished, import the edited .reg file into the registry of the user who needs to run the program.
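The .reg rewrite described in the comment above can be scripted so that only section headers are changed and value data that merely mentions HKEY_CLASSES_ROOT is left alone. This is an added example, not part of the original comment; the sample export and the ".qalog" association in it are constructed, and the function names are illustrative.

```python
import re

PER_USER_CLASSES = r"HKEY_CURRENT_USER\Software\Classes"
# A section header: "[HKEY_CLASSES_ROOT\...]" or the delete form "[-HKEY_CLASSES_ROOT\...]".
_HEADER = re.compile(r"^\[(-?)HKEY_CLASSES_ROOT(\\.*)?\]\s*$", re.IGNORECASE)


def rewrite_reg_text(text):
    """Return (new_text, count) with HKCR section headers moved under HKCU.

    Only header lines are rewritten, unlike a blind search-and-replace.
    Line endings are preserved.
    """
    out, count = [], 0
    for line in text.splitlines(keepends=True):
        body = line.rstrip("\r\n")
        m = _HEADER.match(body)
        if m:
            new_body = f"[{m.group(1)}{PER_USER_CLASSES}{m.group(2) or ''}]"
            line = new_body + line[len(body):]
            count += 1
        out.append(line)
    return "".join(out), count


def rewrite_reg_file(src, dst):
    """Rewrite a Registry Editor export, which is UTF-16 with a BOM for 'Version 5.00' files."""
    with open(src, encoding="utf-16", newline="") as fh:
        text, count = rewrite_reg_text(fh.read())
    with open(dst, "w", encoding="utf-16", newline="") as fh:
        fh.write(text)
    return count


# Constructed sample export for a hypothetical ".qalog" file association.
SAMPLE = (
    "Windows Registry Editor Version 5.00\r\n\r\n"
    "[HKEY_CLASSES_ROOT\\.qalog]\r\n"
    '@="QATool.Log"\r\n\r\n'
    "[HKEY_CLASSES_ROOT\\QATool.Log\\shell\\open\\command]\r\n"
    '@="notepad.exe %1"\r\n'
    '"Note"="[HKEY_CLASSES_ROOT\\\\x]"\r\n'
)

if __name__ == "__main__":
    new_text, changed = rewrite_reg_text(SAMPLE)
    print(changed, "section headers rewritten")
    print(new_text)
```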

How Vista detects software as a legacy software

arjain's picture

Hi Vijay,
This is an excellent article for Vista Virtualization.
I have one query,
I want to know how Vista detects an application as legacy software.

Detection of Legacy Installs

Hi Jain,

Thanks for your compliments.
Well, a legacy install is detected by an OS in many ways.

1. If the installation of a particular application occurs without invoking the Windows Installer service, then it's a legacy install.

2. When the concurrency and dependency are not checked during the installation, it's legacy software.

3. When the installation and uninstallation information is not put by the application. For e.g. (msi in %temp% and in C:\windows\Installer)

4. When the application cannot undergo an on-demand installation.

These are very little things I could figure out..
Hope others can give you much more input.

Please do share the same with me.

Cheers'
Vijay

"Documents and Settings" Folder in Vista

As discussed in the article, the "Documents and Settings" location and structure has changed in Windows Vista to provide a better user experience.

  • The user data is now stored in: \users\%username%\ folder structure
  • Pictures, Music, Documents, Desktop, and Favorites are all new folders directly under this structure
  • Apps that use the SHGetFolderPath function and obtain the folder path dynamically will be redirected automatically to the new path and file locations. In general, applications will not see a compatibility impact due to these changes.

Developer Guidelines

  • Never hard code absolute paths
  • Use Directory junction (symbolic link)
  • Provide backward compatibility for hardcoded paths e.g. "Documents and Settings" -> Users
    1. DENY_READ set for 'Everyone'
    2. Cannot be enumerated
    3. Only allow full path to be accessed
      e.g. \Documents and Settings\%username%\My Documents\foo.doc

Virtualization in Vista

arjain's picture

Hi Vijay,

Is there any way we can turn virtualization on/off (some setting) in Vista?

You could try..

To disable the registry virtualization you can use the command
REG FLAGS HKLM\Software\ SET DONT_VIRTUALIZE /s

Not sure if you can use the 'HKLM\Software\' path to stop all subsequent registry keys from being virtualized, or if you can only apply it to 'HKLM\Software\Company Name' for a granular method.

If you want to disable both folder and registry virtualization, you should do so via policy / registry.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
"EnableVirtualization"

Very Nice Article

Thanks Vijay, for providing such a great informative knowledge. This concept is like refreshment to brain.
