Home » Groups » Endpoint Virtualization

Hide SVS Against Editing

Hide SVS Against Editing
Filed under: Software Virtualization Solution
FrankB's picture
Submitted by FrankB on 12 September, 2008 - 10:45.

The purpose of hiding SVS is to keep local admin users from noticing that SVS is on the machine. This keeps the machine maintainable - fewer times you need to re-install the OS or software.

To Hide SVS you have to do the following:

  1. Copy the SVSCMD.EXE to the %WINDIR%\System32 folder.
  2. Make a registry setting to hide the fslrdr folder:
  3. Open regedit and go to HKLM\SYSTEM\Altiris\FSL and create a new DWORD value named HideRedirectAreas and set the data value to 1.

    Click to view.

  4. Remove %PROGRAMFILES%\Altiris\Software Virtualization Agent directory.

    When you manage your layers you have to use the SVSCMD.EXE file from now on.

You will have to reboot the computer for this to take effect.

FrankB

3.64
Average: 3.6 (25 votes)

More Pros of Obscuring Redirect Areas, Plus the Limitations

Scott Jones's picture
Submitted by Scott Jones on 15 September, 2008 - 10:43.

More pros, plus the limitations of obscuring the redirect areas. You need to know all before deciding whether to do this:

Pros:

  • Prevents inventory scanners from hitting on virtualized apps twice (see this).
  • Prevents self-healing shortcuts (esp. Quick Launch shortcuts) from getting "fixed up" by Windows when the app's layer is inactive. By "fixed up" I mean the target gets altered to point to the real path instead of the virtual and you end up running the app (or at least trying to) from the redirect area. Result: either the app breaks, or if it does run it runs as if from the base so is effectively not virtualized.

For these two reason, obscuring the redirect area is usually a best practice. However...

Limitations:

  • Only works for the default redirect areas (usually c:\fslrdr and HKLM\SOFTWARE\fslrdr, or as specified during SVS Agent install). So when you have multiple redirect areas, all the non-default ones will be visible.
  • The purpose of Obscure Redirect Areas is to achieve the benefits above (and esp. the one Frank listed -- to keep nosey users from seeing it and getting curious!). But it is not a security feature. Even when the redirect areas are obscured, users still have their normal Windows permissions for objects (files or reg. values) in the redirect areas and can still access them directly if they know the full path and object name.
  • Can be an annoyance for technicians trying to troubleshoot a layer problem locally on a client. If they want to switch the setting, they have to reboot and then remember to switch it back before handing the machine back to the end user.

Scott Jones
Technical Product Manager
Symantec Endpoint Virtualization

That's a long answer for such a short article ;)

FrankB's picture
Submitted by FrankB on 16 September, 2008 - 05:30.

Imagine this:

On a University your students need to have administrative access on their machine, for developing or other purposes. Then the above mentioned solution is perfect.

With the Pro's I agree completly, but the con's :)

1. Default Redirect, I agree, but nowadays the system partition is rather big.
2. What a user doesn't know can't harm him.
3. Which technician distributes applications that aren't tested?
______________________________________________
Kind Regards, Frank Bastiaens
Senior Technical Consultant
Vanderlet B.V.

see also this article

robertser's picture
Submitted by robertser on 30 September, 2008 - 07:04.

Same problem from 2 years ago.

http://juice.altiris.com/tech-tip/342/how-to-deal-...