
Chapter 6: Advanced Virtual Software Layer Topics

Created: 01 Aug 2007 • Updated: 12 Feb 2013

This section describes the following advanced Virtual Software Layer topics:

Managing Data Within Layers

Data can be preserved or deleted depending on how layers are used.

This section includes the following topics:

Preserving Data

When an application layer is active, all files created or modified by that layer, and that are stored on the client computer, are redirected by the SVS File System Filter Driver to the layer itself. (If files are stored on a network share, the SVS File System Filter Driver does not redirect the file to the layer.) The files redirected to a layer are stored in the Writeable sublayer. If a layer is reset, all data in the Writeable sublayer is deleted. In many cases, you may want to preserve the files created from a layer. As a result, it is important to properly manage the data within a layer so that data that should be preserved is not deleted.

Example: If you have a Microsoft Word layer, and from that layer you save a DOC file to the client computer's hard drive, in any folder, that file will be redirected by the SVS File System Filter Driver to the Microsoft Word layer. When the layer is active, the file will appear to be stored in the destination folder that was selected, but the file is actually stored in the SVS redirection area. If the Microsoft Word layer is reset, that DOC file will be deleted.

Non-local Storage

If you save a file from a layer to a non-local storage device, such as a network share, the SVS File System Filter Driver will not redirect the file to the layer.

There are three ways to preserve data created through layers:

  • Exclude Entries
  • Data Layers
  • Non-local Storage

Exclude Entries

Exclude entries are used to select file types and folders that you do not want to be captured in layers.

Example: Suppose that you have a layer for Microsoft Word. You can exclude the file types .DOC, .RTF, .TXT, .HTML, .XML, and so on, so that any data file that is saved by the Word program in the layer is excluded from being redirected to the layer. Those files will be saved in the core file system instead. You can also exclude directories so that any files saved to a folder and its subfolders are not redirected.

There are two types of exclude entries:

  • Layer Exclude Entries
  • Global Exclude Entries

Layer Exclude Entries

You can configure a layer to exclude file types or folder locations so that files of the specified types, or files saved to a specified location, are not redirected by the SVS File System Filter Driver into the layer. Instead, they are saved directly to the core file system.

Layer exclude entries only apply to their associated layer, so you must configure the exclude entries for each layer. For a more global solution, you can use Global Exclude Entries and Data Layers.

To configure layer exclude entries

Note To configure exclude entries, the layer must be deactivated.
  1. Open SVS Admin.
  2. Double-click the deactivated layer.
  3. Click the Exclude Entries tab.
  4. Under Type, right-click and select New Exclude Entry.
  5. Select the entry type: file extension or directory.
    • To specify file extensions, do the following:
      1. Select File extension(s).
      2. Enter the file extension(s). Example: doc
    • To specify a directory, do the following:
      1. Select Directory.
      2. Click Browse and select the directory. By default, subdirectories are not included. To include subdirectories, select the Include subdirectories check box.

After an entry has been created, you can modify or delete it by right-clicking the entry and clicking Modify or Delete.

Global Exclude Entries

You can set up exclude entries on a global level for a system. These entries can be file type extensions or directory locations. Global exclude entries are stored in the Windows registry and apply to the system.

Example: You may want to always exclude all .DOC files or all files saved to the desktop, regardless of which layer's application created them.

During SVS installation you have the option to select two default directory locations to exclude: My Documents and Desktop.

Global exclude entries only apply to application layer captures. Data layer specifications always override global exclude entries. If you have a global exclude entry for My Documents and you have also created a data layer that references files in My Documents, then the data layer still functions correctly; the data layer still captures the files. Using SVS Admin or the SVS Control Panel Applet, you can add, modify, and remove global exclude entries.

Editing Global Exclude Entries

  1. Open SVS Admin.
  2. Select Edit > Edit Global Excludes. The Edit Global Exclude Entries window opens.

Adding Global Exclude Entries

  1. Right-click in the Edit Global Exclude Entries window.
  2. Select New Exclude Entry.

    The Global Exclude Entry window opens.

  3. You may enter either a File Extension or a Directory entry.

    If you enter a Directory exclude entry, you have the option to Exclude Subdirectories as well.

  4. Click OK.

    The entry and its details are displayed in the Edit Global Exclude Entries window.

Modifying Global Exclude Entries

  1. In the Edit Global Exclude Entries window, right-click an entry.
  2. Select Modify Exclude Entry.
  3. Modify the entry as needed.
  4. Click OK.

    The changes are saved and displayed in the Edit Global Exclude Entries window.

Deleting Global Exclude Entries

  1. In the Edit Global Exclude Entries window, right-click an entry.
  2. Select Delete Exclude Entry.
  3. Select Yes.

    The entry is deleted.

Distributing Global Exclude entry settings to other computers

  1. Click Start > Run.
  2. Type Regedit.
  3. Click OK.
  4. Browse to HKEY_LOCAL_MACHINE > SYSTEM > Altiris > FSL > Exclude.
  5. Right-click the Exclude key.
  6. Click Export.
  7. Name and save the .REG file.
  8. Run this file on the computers to which you want to copy the global exclude settings.
Caution Running this file replaces the contents of the previous registry key with the new contents.

Reloading the Global Exclude List

Whenever you change a global exclude entry, SVS Admin will automatically reload the global exclude list. However, when you distribute global exclude entry settings to other computers, using a .REG file as outlined above, you must manually reload the global exclude list using SVS Command. The command line option is REL[OAD]. To do this:

  1. Click Start > Run.
  2. Enter CMD.
  3. Click OK.
  4. Enter SVSCMD.EXE.
  5. Enter SVSCMD REL.

    The global exclude list is reloaded.

Data Layers

You can create a data layer that captures data files into a dedicated layer. This is useful for storing data files that are created by other layers. Data layers cannot be reset, so the data files contained in data layers are protected.

For information, see Creating and Using Virtual Data Layers.

Deleting Data

This topic describes what happens when you delete files when using layers.

There are two possible outcomes for deleting files while working with layers:

  • The file is not really deleted, but hidden while the layer is active.
  • The file is actually deleted.

These different results depend on how the layer is being used when a file is deleted and also how the file was deleted.

  • When Files are not Deleted, but Hidden
  • When Files are Actually Deleted

When Files are not Deleted, but Hidden

Under normal circumstances, when a layer is activated, files in the layer become visible that are not visible when the layer is deactivated. The opposite can also occur: files in the core file system may be deleted (hidden) when a layer is activated.

Example: During the capture process of installing Firefox, you create a shortcut for Firefox and you also delete a shortcut for Internet Explorer. When the Firefox layer is activated, the Firefox shortcut is visible while the Internet Explorer shortcut is not. When the Firefox layer is deactivated, the Internet Explorer shortcut is again visible while the Firefox shortcut is not.

Files in the base that are deleted by an application within a layer are not actually deleted. They are hidden while the layer is active. When the layer is deactivated, the "deleted" file is again visible.

The files or registry entries that are hidden are called delete entries and registry delete entries. Delete entries and registry delete entries can be viewed through the Advanced Layer Editor. For more information, see Viewing and Editing Layer Properties.

Delete entries can be stored in either the Read-only sublayer or the Writeable sublayer depending on the way a layer is being used.

Delete Entries stored in the Read-only sublayer

When in capture mode, all changes made to the file system are stored in the layer's Read-only sublayer. If a file or registry setting was deleted while in capture mode, the file is not actually deleted, but a delete entry is stored in the Read-only sublayer. This would be the case in the Internet Explorer shortcut example listed above.

You can view and edit file delete entries and also registry delete entries from the Delete Entries tab in the Edit Advanced Layer Properties window. See View Delete Entries and Registry Delete Entries of a Layer (Application Layers Only).

Delete Entries stored in the Writeable sublayer

When performing tasks through a virtual application, all changes made are stored in the Writeable sublayer. As a result, if you use a service in a virtual application to delete a file in the Read-only sublayer, a delete entry is stored in the Writeable sublayer.

Example: You have a layer for Microsoft Word. From Word, you select File > Save As, and a list of files is displayed in the current folder. You can delete an existing file from the Save As dialog. If you delete a file that is in the Read-only sublayer, the file is not actually deleted, but a delete entry is stored in the Writeable sublayer and the file is hidden.

This occurs because the file deletion was performed by a service running from the layer.

If the layer is reset, the delete entry is deleted and the deleted file would reappear from the layer.

Another case of a delete entry being stored in a Writeable sublayer is when a file in the Read-only sublayer is deleted by a process running outside of a layer. Example: If, while a Firefox layer is active, a Firefox program file in the Read-only sublayer is deleted using Windows Explorer, the file is not actually deleted but hidden, and a delete entry is stored in the Writeable sublayer. The file will be restored if the layer is reset.

This illustrates one of the benefits of virtualized applications. If a virtualized application becomes unusable because required files were deleted, the layer can be reset and all original files are restored.

You can view and edit file delete entries and also registry delete entries from the Delete Entries tab in the Edit Advanced Layer Properties window. See View Delete Entries and Registry Delete Entries of a Layer (Application Layers Only).

When Files are Actually Deleted

There are cases where files are actually deleted.

While a layer is active, if you delete a file in a layer's Writeable sublayer, the file is actually deleted from the layer. The files are deleted whether the deleting process is in or out of a layer.

Since all files in a data layer are stored in a Writeable sublayer, deletions of files in a data layer are permanent.

Note In the case where a file is not really deleted but moved to the Recycle Bin, the file is still in the layer, under a folder node representing the Recycle Bin. The file is not actually deleted until the Recycle Bin is emptied while the layer is active.

While a layer is active, if you delete a file that is not in a layer through a process that is not in a layer, SVS is not involved and the file is deleted.
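
The rules in Preserving Data and Deleting Data can be replayed in a small model. The following Python code is an added example, not SVS code and not part of the original documentation; the class names, method names and file paths are constructed, and the model tracks a single layer as sets of paths.

```python
from dataclasses import dataclass, field
from pathlib import PureWindowsPath


def key(path):
    """Windows paths are case-insensitive, so compare one canonical spelling."""
    return str(PureWindowsPath(path)).lower()


@dataclass
class Layer:
    """One application layer; all names here are hypothetical, not SVS internals."""
    read_only: set = field(default_factory=set)     # files captured into the layer
    writeable: set = field(default_factory=set)     # files redirected at run time
    ro_deletes: set = field(default_factory=set)    # delete entries made during capture
    rw_deletes: set = field(default_factory=set)    # delete entries made at run time
    exclude_exts: set = field(default_factory=set)  # layer exclude entries, e.g. {"txt"}
    exclude_dirs: set = field(default_factory=set)  # key() values, no subdirectories
    active: bool = False

    def excluded(self, path):
        p = PureWindowsPath(key(path))
        return p.suffix.lstrip(".") in self.exclude_exts or str(p.parent) in self.exclude_dirs


class Client:
    """A client computer with a base file system and a single layer."""

    def __init__(self, base_files, layer):
        self.base = {key(p) for p in base_files}    # everything stored outside the layer
        self.layer = layer

    def save(self, path, from_layer):
        """Return 'layer' when the write is redirected, 'direct' when it is not."""
        k, lay = key(path), self.layer
        local = not k.startswith("\\\\")             # network shares are not redirected
        if lay.active and from_layer and local and not lay.excluded(k):
            lay.writeable.add(k)
            return "layer"
        self.base.add(k)
        return "direct"

    def delete(self, path, from_layer):
        """Return 'deleted' for a real deletion, 'hidden' when a delete entry is stored."""
        k, lay = key(path), self.layer
        if lay.active and k in lay.writeable:
            lay.writeable.remove(k)                  # Writeable sublayer: really deleted
            return "deleted"
        if lay.active and (k in lay.read_only or (from_layer and k in self.base)):
            lay.rw_deletes.add(k)                    # hidden; entry goes to Writeable
            return "hidden"
        self.base.remove(k)                          # outside the layer: SVS not involved
        return "deleted"

    def reset(self):
        """Resetting discards the Writeable sublayer, including its delete entries."""
        self.layer.writeable.clear()
        self.layer.rw_deletes.clear()

    def visible(self):
        """Paths a user sees right now."""
        lay = self.layer
        if not lay.active:
            return set(self.base)
        hidden = lay.ro_deletes | lay.rw_deletes
        return ((self.base | lay.read_only) - hidden) | lay.writeable


def walkthrough():
    """Replay the documented cases on constructed paths and return what happened."""
    exe = r"C:\Program Files\App\app.exe"
    layer = Layer(read_only={key(exe)},
                  ro_deletes={key(r"C:\Desktop\Other Browser.lnk")},
                  exclude_exts={"txt"})
    pc = Client([r"C:\Desktop\Other Browser.lnk", r"C:\Data\old.log"], layer)
    layer.active = True
    out = {
        "doc": pc.save(r"C:\Work\report.doc", from_layer=True),   # redirected
        "txt": pc.save(r"C:\Work\notes.txt", from_layer=True),    # excluded file type
        "unc": pc.save(r"\\server\share\report.doc", from_layer=True),
        "exe": pc.delete(exe, from_layer=False),                  # Read-only file
        "log": pc.delete(r"C:\Data\old.log", from_layer=False),   # base file, outside process
    }
    out["exe_hidden"] = key(exe) not in pc.visible()
    pc.reset()
    out["after_reset"] = pc.visible()   # report.doc is lost, app.exe is back
    layer.active = False
    out["deactivated"] = pc.visible()   # the capture-time delete entry no longer hides
    return out


if __name__ == "__main__":
    for name, value in walkthrough().items():
        print(name, "->", value)
```

After the reset, the only user data that survives is what was excluded from the layer or written to the network share.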

Viewing and Editing Layer Properties

Using SVS Admin, you can view and edit the contents of layers. In order to view or edit layer properties, the layer must be deactivated.

To open the Advanced Layer Editor

  1. Open SVS Admin.
  2. Double-click a deactivated layer.

    This opens the Advanced Layer Editor.

This topic explains how to do the following tasks:

  • View and Modify Files Contained in a Layer
  • View and Edit Registry Settings Contained in a Layer
  • View Variables used in a Layer
  • Configure Exclude Entries of a Layer
  • View Delete Entries and Registry Delete Entries of a Layer (Application Layers Only)
  • Configure Data Capture Properties of a Layer (Data Layers Only)

View and Modify Files Contained in a Layer

In the Advanced Layer Editor under the Files tab, you can view all the folders and files that are contained in the layer. The Read-only and Writeable sublayers are separated in two different nodes (Read-only) and (Writeable). By default, the (Read-only) node is displayed on top. You can either scroll down or collapse the (Read-only) node to see the (Writeable) files.

The folder names that are displayed are the variablized names. For information about variablization, see View Variables used in a Layer. To see what folders the variablized folders represent, click the Variables tab.

  • Viewing Layer Files
  • Modifying Layer Files

Viewing Layer Files

To view the files in a layer, click a folder in the left pane and the files in the folder are displayed in the right pane.

For example, you can view the following files in a Mozilla Firefox application layer.

To see the main program executable files, click layer name (Read-only) > System > [PROGRAMFILES]. In this case, [PROGRAMFILES] represents C:\Program Files.

To see the Firefox bookmarks file that was captured with the layer, click layer name (Read-only) > User-specific > USER_TEMPLATE > [APPDATA] > Mozilla > Firefox > Profiles > xxx (where xxx is a Firefox-controlled name). In this case, [APPDATA] represents C:\Documents and Settings\username\Application Data.

If you have added a bookmark to the Firefox layer, the updated bookmarks file is written to the Writeable sublayer and can be found under layer name (Writeable) > User-specific > USER_SID > [APPDATA] > Mozilla > Firefox > Profiles > xxx.

If you reset a layer, you can see that all the files in the Writeable node are deleted.

Modifying Layer Files

In a layer, you can create new folders and copy, rename, and delete folders. You can also copy, rename, and delete files. This is useful for modifying a layer without having to recapture it.

Not only can you copy files within a layer, you can also copy files and folders into a layer from outside the layer and vice versa. You can use either copy and paste or drag and drop.

Caution

Using the Advanced Layer Editor, you can't overwrite files. To update a file, delete the original and copy or move the new file.

When using drag and drop, you can only move files into the layer, not copy. To copy, use copy and paste, rather than drag and drop.

You can't modify the actual file in a layer. Example: You can't open and edit an .INI file. You must activate the layer and then edit the file.

View and Edit Registry Settings Contained in a Layer

In the Advanced Layer Editor under the Registry tab, you can view or modify all the registry settings that are contained in the layer. The Read-only and Writeable sublayers are separated in two different nodes (Read-only) and (Writeable).

To edit registry settings you follow the same process as you would with Microsoft Registry Editor. However, you must keep in mind that you have both the Read-only and Writeable sublayers to maintain.

Note

SVS does not store data in the virtual HKEY_CLASSES_ROOT key. Instead it stores it in its real location under either HKEY_USERS\USER_TEMPLATE\Software\Classes or HKEY_LOCAL_MACHINE\Software\Classes. At runtime, Windows reads the SVS data for active layers from these locations and properly renders HKEY_CLASSES_ROOT.

View Variables used in a Layer

Many applications have specific environment settings for file paths, paths in registry values, .MSI paths, and so forth. To make VSPs portable across computers, many application settings and data layer properties are variablized by Software Virtualization Solution.

For instance, SVS uses common system variables to substitute for well-known locations on a Microsoft Windows based installation, such as WINDIR as a substitute for the "Windows" folder. This provides seamless compatibility with systems that may not be using the standard folder structure, such as systems that have moved their "My Documents" folder, or that have renamed operating system folders.

Example: You have a VSP for My Documents, which may be on the C drive on one computer but on the D drive on a different computer. Variablization allows the data layer to work correctly on both computers.

  • Variable Types
  • Variable List and Description

Examples of items that are variablized include:

  • File Paths
  • Paths in Registry Values
  • Short Paths
  • .MSI Paths
  • Data Layer Specifications
  • Exclude Entries
  • Delete List Entries

You can use the layer editor to see the variables used for each layer and what values they have in them.

To open the layer editor

  1. Open SVS Admin.
  2. Double-click a deactivated layer.
  3. Click the Variables tab.

Variable Types

There are two types of variables: SYSTEM and USER.

  • System variables: System variables are static and loaded at boot time. Example: WINDIR = C:\Windows, SYSTEMDRIVE = C:
  • User variables: User variables are per user and are loaded when the user logs on. Example: DESKTOP = C:\Documents and Settings\User\Desktop, USERPROFILE = C:\Documents and Settings\User

These are set as environment variables when layers are active.

SVS uses the following tags to denote variables:

  • [_B_] = Beginning tag
  • [_E_] = Ending tag
  • [_CS_] = Convert to short path
  • [_MSI_] = Convert to .MSI path

When converting a path to its variablized form, the longest matching variablized path is used. Example: C:\Documents and Settings\User\Desktop\1.txt would convert to DESKTOP\1.txt, not USERPROFILE\Desktop\1.txt.
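
The longest-match rule, and the portability it gives a layer, can be shown with two constructed variable tables. This Python example is added here and is not SVS code; the function names and machine tables are hypothetical, and wrapping the variable name between the [_B_] and [_E_] tags is an assumption about how the tags are combined.

```python
from pathlib import PureWindowsPath

B, E = "[_B_]", "[_E_]"  # beginning and ending tags listed above

# Constructed tables: the same variables resolved on two differently laid-out PCs.
MACHINE_A = {
    "SYSTEMDRIVE": r"C:",
    "WINDIR": r"C:\Windows",
    "USERPROFILE": r"C:\Documents and Settings\User",
    "DESKTOP": r"C:\Documents and Settings\User\Desktop",
    "PERSONAL": r"C:\Documents and Settings\User\My Documents",
}
MACHINE_B = {
    "SYSTEMDRIVE": r"C:",
    "WINDIR": r"C:\WINNT",
    "USERPROFILE": r"C:\Documents and Settings\User",
    "DESKTOP": r"C:\Documents and Settings\User\Desktop",
    "PERSONAL": r"D:\Data\User\My Documents",   # My Documents moved to D:
}


def _folded(path):
    """Path components, lower-cased so matching ignores case and never splits a name."""
    return [part.rstrip("\\").lower() for part in PureWindowsPath(path).parts]


def variablize(path, variables):
    """Replace the longest variable value that prefixes `path` with its tagged name."""
    parts, folded = PureWindowsPath(path).parts, _folded(path)
    best_name, best_len = None, 0
    for name, value in variables.items():
        prefix = _folded(value)
        if len(prefix) > best_len and folded[:len(prefix)] == prefix:
            best_name, best_len = name, len(prefix)
    if best_name is None:
        return path                      # no variable applies, keep the literal path
    return "\\".join([B + best_name + E, *parts[best_len:]])


def expand(vpath, variables):
    """Resolve a variablized path against the variable values of the local machine."""
    if not vpath.startswith(B) or E not in vpath:
        return vpath
    name, rest = vpath[len(B):].split(E, 1)
    return variables[name] + rest        # KeyError: variable unknown on this machine


if __name__ == "__main__":
    captured = variablize(r"C:\Documents and Settings\User\My Documents\a.doc", MACHINE_A)
    print(captured)
    print(expand(captured, MACHINE_B))
```

Matching whole path components matters: C:\Windows2 must fall back to SYSTEMDRIVE rather than match WINDIR by string prefix.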

Variable List and Description

The following is a list of default variables that the system uses.

System Variables

Variable Description Example
SYSTEMDRIVE The drive letter of the volume that contains the Windows directory that the system booted. C:
WINDIR The Windows directory that was booted. C:\Windows
PROFILESDIRECTORY The directory that contains local user profile information. C:\Documents and Settings
ALLUSERSPROFILE The directory that contains the All Users profile. C:\Documents and Settings\All Users
DEFAULTUSERPROFILE The directory that contains the Default User profile. C:\Documents and Settings\Default User
COMMONADMINTOOLS   C:\Documents and Settings\All Users\Start Menu\Programs\Administrative Tools
COMMONAPPDATA   C:\Documents and Settings\All Users\Application Data
COMMONDESKTOP   C:\Documents and Settings\All Users\Desktop
COMMONDOCUMENTS   C:\Documents and Settings\All Users\Documents
COMMONFAVORITES   C:\Documents and Settings\All Users\Favorites
COMMONPROGRAMS Folder that contains common items that show up under Start Menu / All Programs C:\Documents and Settings\All Users\Start Menu\Programs
COMMONSTARTMENU   C:\Documents and Settings\All Users\Start Menu
COMMONSTARTUP   C:\Documents and Settings\All Users\Start Menu\Programs\Startup
COMMONTEMPLATES   C:\Documents and Settings\All Users\Templates
COMMONMUSIC   C:\Documents and Settings\All Users\Documents\My Music
COMMONPICTURES   C:\Documents and Settings\All Users\Documents\My Pictures
COMMONVIDEO   C:\Documents and Settings\All Users\Documents\My Videos
PROGRAMFILES   C:\Program Files
MEDIAPATH   C:\WINDOWS\Media
COMMONFILES   C:\Program Files\Common Files
MSSHAREDTOOLS   C:\Program Files\Common Files\Microsoft Shared

User Specific Variables

Variable Description Example
ADMINTOOLS   C:\Documents and Settings\user\Start Menu\Programs\Administrative Tools
APPDATA   C:\Documents and Settings\user\Application Data
CACHE   C:\Documents and Settings\user\Local Settings\Temporary Internet Files
CDBURNING   C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\CD Burning
COOKIES   C:\Documents and Settings\user\Cookies
DESKTOP   C:\Documents and Settings\user\Desktop
FAVORITES   C:\Documents and Settings\user\Favorites
FONTS   C:\WINDOWS\Fonts
HISTORY   C:\Documents and Settings\user\Local Settings\History
LOCALAPPDATA   C:\Documents and Settings\user\Local Settings\Application Data
LOCALSETTINGS   C:\Documents and Settings\user\Local Settings
MYMUSIC   C:\Documents and Settings\user\My Documents\My Music
MYPICTURES   C:\Documents and Settings\user\My Documents\My Pictures
MYVIDEO   C:\Documents and Settings\user\My Documents\My Videos
NETHOOD   C:\Documents and Settings\user\NetHood
PERSONAL   C:\Documents and Settings\user\My Documents
PRINTHOOD   C:\Documents and Settings\user\PrintHood
PROGRAMS Folder that contains user specific items that show up under Start Menu / All Programs C:\Documents and Settings\user\Start Menu\Programs
RECENT   C:\Documents and Settings\user\Recent
SENDTO   C:\Documents and Settings\user\SendTo
STARTMENU   C:\Documents and Settings\user\Start Menu
STARTUP Folder that contains user specific items to be run on system startup C:\Documents and Settings\user\Start Menu\Programs\Startup
TEMPLATES   C:\Documents and Settings\user\Templates
TEMP Folder where temporary files can be created C:\Documents and Settings\user\Local Settings\Temp
USERPROFILE Location of the current user's profile C:\Documents and Settings\user

Configure Exclude Entries of a Layer

By default, data generated by a layer is stored in the layer. You can exclude data from being saved in a layer so that it will be stored in the base file system. For information, see Managing Data Within Layers.

View Delete Entries and Registry Delete Entries of a Layer (Application Layers Only)

When using a layer, a user may delete a file or registry setting that is outside of the layer. The file or registry setting is not actually deleted. It is hidden because a file or registry setting from the Read-only sublayer needs to exist if the layer is reset.

Example: A user is using an application layer for Firefox and that user deletes a file. That file is part of the Read-only sublayer and needs to be maintained. It is hidden from the user but is displayed in the Delete Entries.

The Delete Entries tab in the Edit Advanced Layer Properties window shows file delete entries and registry delete entries.

In the Delete Entries tab, you can view, select, and configure:

  • Read-only File Delete Entries
  • Writeable File Delete Entries
  • Read-only Registry Delete Entries
  • Writeable Registry Delete Entries.

Configure Data Capture Properties of a Layer (Data Layers Only)

Data capture properties are configured in the same manner as exclude entries, except that everything is referred to as a data capture item. The data capture properties dialogs look and behave the same as the dialogs for configuring exclude items.

Using SVSCMD Command-Line Parameters

When working with VSA files outside of the SVS Admin tool, you perform actions on VSA files using the SVSCMD executable with command-line parameters. SVSCMD.exe is part of the Software Virtualization Solution Agent installation. The following sections describe how to use command-line parameters.

  • SVSCMD Usage Scenarios
  • SVSCMD Parameters, Flags, and Examples

SVSCMD Usage Scenarios

This section explains how SVSCMD is used in the following usage scenarios:

  • Notification Server Environment
  • Deployment Solution Environment
  • Stand-alone Environment

Notification Server Environment

When Software Virtualization Solution is used in a Notification Server environment, the Software Virtualization Agent (SVSCMSD) is deployed to managed computers. You create a Virtual Software Package resource for each VSA file with the desired action and state. Each Virtual Software Package resource specifies the command-line to be used on the VSA file.

Example: You may create a package that will activate a Mozilla Firefox VSA. In the Virtual Software Package resource properties, you would specify the command-line execution properties as:

SVSCMD.exe [LayerName|GUID] "Activate"

You also create a Virtual Software Task to deploy the package with the command-line parameters to client computers. When the client computer receives the package, it runs SVSCMD and activates the specified layer.

Note The Virtual Software Wizard is provided to easily create packages and tasks with the appropriate command-line statements. For information, see Using Software Virtualization Solution in a Notification Server Environment.

Deployment Solution Environment

When Software Virtualization Solution is used in a Deployment Server environment, the Software Virtualization Agent (SVSCMSD) is deployed to AClient-enabled computers. You create a Deployment Server job for each VSA file with the desired action and state. Each job specifies the command-line to be used on the VSA file.

Example: You may want to deploy a Mozilla Firefox VSA and have it imported and automatically activated. In the job, you would add a "Run Script" and specify the command-line execution properties as:

SVSCMD.exe [LayerName|GUID] I -p [PathToExe] Auto -Y

For information about Deployment Server jobs, see Using Software Virtualization Solution in a Deployment Solution Environment.

Stand-alone Environment

If you have the Software Virtualization Agent installed on a computer, but not the SVSAdmin tool, you can use SVSCMD to perform layer tasks. Example: You can create new layers or import existing VSA files. You can activate, deactivate, or reset layers.

Example: If you want to create a new layer for Mozilla Firefox, you would do the following:

  • Have access to the Firefox setup file.
  • From the command-line, type:
    SVSCMD.EXE "Firefox" CAPTURE -P "C:\FirefoxSetup1.0.7.exe"

    Where "Firefox" is the name of the layer, CAPTURE tells SVSCMD to create a layer, and -P "C:\FirefoxSetup1.0.7.exe" is the path to the setup file.

    When the layer is created, it is activated automatically.

    Layers are stored in a protected area on the file system and the files are not viewable.

  • To view a list of layers on the computer, type:
    SVSCMD.EXE ENUM
  • To view the status and properties of a layer, type:
    SVSCMD.EXE "Firefox" p

SVSCMD Parameters, Flags, and Examples

SVSCMD has many parameters that can be used. There are also flags that can be used with specific parameters.

The syntax for using SVSCMD is the following:

SVSCMD [LayerGUID|LayerName] {<command> [flags]} [...n]

The following tables list and describe the available command-line parameters and flags, and provide examples:

  • Valid Parameters:
  • Valid Parameter Options (Flags):
  • Command-line Examples:

Valid Parameters:

Parameter Associated Flags Description
A[CTIVATE]   Activates the layer.
D[EACTIVATE] [-F] Deactivates the layer.
R[ESET] [-F] Resets the layer.
I[MPORT] [-P|-F] Imports a VSA file.
E[XPORT] [-P] Exports the layer to a VSA file.
DEL[ETE] [-F] Deletes the layer.
REN[AME] -NAME Renames the layer.
C[APTURE] [-P|-S|-E] Creates a new layer by capturing changes.
Note You cannot perform a capture if any other layer is active on that computer.
Note The lightning bolt icon only appears if capturing through SVS Admin.
AUTO[ACTIVATE] [-Y|-N] Sets a layer to activate on start of computer. If this parameter is entered without a flag, the default behavior is yes to automatically activate on start.
P[ROPERTIES]   Displays properties for the layer, such as its name, state, type, priority, version, guid, last activated time, create time, and last reset time.
CREATE   Creates an empty layer.
VER[SION]   Displays SVS version information.
ENUM[ERATELAYERS] [-V] Enumerates all layers on the computer.
SEND[INVENTORY]   Sends updated inventory to Notification Server.
REL[OAD]   Reloads the Global Exclude list from the registry into the SVS Agent. Use this command after the global exclude properties have been manually changed directly in the registry. This list is automatically reloaded when the computer is rebooted, or if the changes were made locally using the SVS Admin utility.
H[ELP]   Displays this help screen.
CHECKKEY -K Checks for a valid product serial number. This tells you if your key is good and provides information about it. If this parameter is entered without a flag, the default behavior is to check for a valid product serial number.
SETKEY -K Updates the product serial number. You can use this to manually set a key.
PRIORITY [-T|-L|-R] Sets the priority of a layer. See Using Layer Prioritization.
EXEC[FROMLAYER] [-PID|-PATH] Executes a process as a part of the layer. This makes a certain process appear as if it is running from a layer. This can be useful in the following ways:
  • Suppose you are running an audit tool, and you want that tool to see the computer from the perspective of the layer. You can run SVSCMD "LayerName" EXEC [path to the executable] and then any process that is run will have the same priority as if run from the layer.
  • You can run a process that will make changes to the file system or registry and those changes will be saved in the layer, and not in the base.
    Example: You can run a patch or update (.EXE) using the SVSCMD EXEC, and all the updates made by the patch are contained by the layer.
REF[RESHDESKTOP]   Flushes paused desktop refreshes, or forces all layers to refresh.
IGNORE [-W] -P Tells SVS to ignore this process.
SETGUID   Sets the layer ID to the new GUID.

Valid Parameter Options (Flags):

Flag Description
-F[ORCE] Force command when it might otherwise fail (forces an overwrite during import, or applications closed if running from layer).
-S[TART] Start capture.
-E[ND] End capture.
-P[ATH] <path> Full filename path to VSA file or program to capture. If the filename has a space, you can put the path and filename in quotes. For example, "C:\Firefox Setup 1.0.7".
-Y[ES] Turns the option on.
-N[O] Turns the option off.
-V[ERBOSE] Display verbose output from the command.
-NAME <name> Specifies the new name.
-K[EY] <serial> Specifies the product serial number.
-L[EVEL] <level> Priority of the layer.
-T[YPE] <type> Priority type (HKCR).
-R[ESET] Resets the priority to default.
-PID <PID> Specifies the Pid of the process that needs to be executed as a part of layer.
N[O]D[ESTOP]R[EFRESH] Pause or suppress Desktop Refresh.
W[AIT] SVSCMD will wait for the application to close before continuing.

Command-line Examples:

Command-line examples Result
SVSCMD.EXE "Sample App" CREATE Creates an empty layer named Sample App.
SVSCMD.EXE "Sample App" A Activates the Sample App layer.
SVSCMD.EXE "Sample App" D -F Forces a deactivation of the Sample App layer.
SVSCMD.EXE "Sample App" DEL -F Forces a deletion of the Sample App layer.
SVSCMD.EXE 4db31efa-9163-45de-b33f-bb4737aa022c RESET -F Forces a reset of the layer with the specified GUID.
SVSCMD.EXE "Sample App" CAPTURE -START Creates a new layer named Sample App by capturing changes. The capturing is started and is active.
SVSCMD.EXE "Sample App" CAPTURE -E Ends the capture of changes to the layer named Sample App. (Used after the CAPTURE -START command.)
SVSCMD.EXE "Sample App" CAPTURE -P C:\WINDOWS\system32\notepad.exe Creates a layer for the specified application Notepad.exe.
SVSCMD.EXE MyDataLayer P Displays the properties for the layer named MyDataLayer.
SVSCMD.EXE 4db31efa-9163-45de-b33f-bb4737aa022c AUTO -Y Sets the layer with the specified GUID to start automatically.
SVSCMD.EXE I -P C:\VSP\Layer.vsa -F Forces the import of the specified VSA file.
SVSCMD.EXE "Sample App" EXPORT -PATH "C:\My Packages\Sample App.vsa" Exports the layer named Sample App to the specified VSA file.
SVSCMD.EXE VER Displays the current version of the Software Virtualization Agent files.
SVSCMD.EXE ENUM Lists all existing layers.
SVSCMD.EXE SEND Sends inventory information to Notification Server.
SVSCMD.EXE HELP Displays the help for SVSCMD.
SVSCMD.EXE CHECKKEY -KEY xxxxx-xxxxx-xxxxx-xxxxx Lets you know if the key you pass on the command line is a valid key.
SVSCMD.EXE SETKEY -KEY xxxxx-xxxxx-xxxxx-xxxxx Sets the product key.
SVSCMD.EXE "Sample App" PRIORITY -L 65.4 Sets the priority for the Sample App layer with a priority value of 65.4. (For information about priorities, see Using Layer Prioritization.)
SVSCMD.EXE "Sample App" PRIORITY -T HKCR -L 65.4 Sets the priority for the Sample App layer to type HKCR with a priority value of 65.4.
SVSCMD.EXE "Sample App" PRIORITY -R Resets the priority of the Sample App layer.
SVSCMD.EXE "Sample App" PRIORITY -T HKCR -R Resets the priority of the Sample App layer and sets the type to HKCR.
SVSCMD.EXE * A -NDR REF Activate

Using Layer Prioritization

There may be times when you need to control which layer has precedence in the event that different layers have conflicting contents. Prioritization lets you control the priority of those conflicting contents.

Example: If you open an HTML file, Windows Explorer will go to the registry and determine which application is registered to open that file. When using Software Virtualization Solution, you may have different application layers that are associated with HTML files, such as Internet Explorer, Firefox, or Opera. You can control which layer (which Web browser application) gets the priority and opens the file.

In another example, you may have different versions of the same .DLL file in different layers. Prioritization lets you control which version of the .DLL file has the highest priority and is therefore used.

Topics include:

  • How Prioritization Works
  • HKEY_CLASSES_ROOT Priorities
  • Configuring Layer Priorities

How Prioritization Works

When a request is made, Software Virtualization Agent does the following:

  1. Builds a list of all the active layers
  2. Assigns a priority to each active layer based on the following:
    • The type of request that is being made (Normal or HKEY_CLASSES_ROOT)
    • Where the request is coming from
  3. Orders and searches the layers based on priority

Request Types

Prioritization is based on two types of requests:

  • The request being made to the normal file system
  • The request being made to HKEY_CLASSES_ROOT

Each type of request has a different set of priorities.

The following sections describe how to use prioritization:

  • HKEY_CLASSES_ROOT Priorities
  • Configuring Layer Priorities

HKEY_CLASSES_ROOT Priorities

This is the priority assigned to a layer when looking at HKEY_CLASSES_ROOT data. HKEY_CLASSES_ROOT priorities are handled differently because this is typically what applications use to register what files they use and they are not tied to the rest of the layer priorities.

By using HKEY_CLASSES_ROOT priorities, you can control when an application registers to handle certain extensions in HKEY_CLASSES_ROOT, and you can order this separately from the file order of the application.

Example: Which application will be opened to handle a given file type.

For example, you may have two active layers for two different Web browser applications. Both of them are registered to handle opened HTML files. You can use priorities to determine which layer you want to open the HTML files.

Note The HKEY_CLASSES_ROOT key is a virtual key that Windows creates by combining the data from HKEY_CURRENT_USER\Software\Classes and HKEY_LOCAL_MACHINE\Software\Classes. When there is a conflict in this data, preference is given to the data contained in HKEY_CURRENT_USER\Software\Classes. SVS does not store data in the virtual HKEY_CLASSES_ROOT key. Instead it stores it in its real location under either HKEY_CURRENT_USER\Software\Classes or HKEY_LOCAL_MACHINE\Software\Classes. At runtime, Windows reads the SVS data for active layers from these locations and properly renders HKEY_CLASSES_ROOT.
  • Conflicting Settings within the Same HKEY_CLASSES_ROOT Priority

After the request is identified as a HKEY_CLASSES_ROOT type request, the priority is based on where the file or registry entry is located.

HKEY_CLASSES_ROOT Priorities

Default Priority Location Description
55.5 Highest Owner Layer If the executable that is used to start a process comes from a layer, that layer is the "owner layer" for the process. Also, child processes have the same "owner layer" as their parent process, regardless of where their executable is located.

Example: Suppose you have an active layer for Firefox and you have Internet Explorer installed in the base and both are registered in HKEY_CLASSES_ROOT to be the default application for HTML files, then when the Firefox layer is active, Firefox will be given priority and will be used when an HTML file is opened.

65.5 Normal Normal priority is given to HKEY_CLASSES_ROOT settings in any other active layer that the application is not running from.
75.5 Base Owner The base is the normal HKEY_CLASSES_ROOT settings on the computer outside of any layers. If the process is running from the base, the settings in the base are given this priority.
85.5 Lowest Base The base is the normal HKEY_CLASSES_ROOT settings on the computer outside of any layers. If the process is not running from the base, the settings in the base are given this priority.

Because there are no registry entries in a data layer, data layers are not considered for HKEY_CLASSES_ROOT priorities.

HKEY_CLASSES_ROOT Priorities Example #1

You have an active layer for Firefox but also have Internet Explorer installed on the base. If you open an HTML file, the Software Virtualization Agent will do the following:

  1. Build a list of all active layers and the base.
  2. Assign the following priorities:
    • 65.5 assigned to the Firefox layer that is the "owner layer"
    • 85.5 assigned to the base
  3. In this example, Firefox has the highest priority; therefore, it is launched.

Conflicting Settings within the Same HKEY_CLASSES_ROOT Priority

You may have a situation where you have conflicting settings within the same priority. For example, what if you have two different active layers and each one is registered in HKEY_CLASSES_ROOT to handle HTML files? You can set a different priority for each layer.

For information on how to resolve priority conflicts, see Configuring Layer Priorities.

Configuring Layer Priorities

You may have a situation where you have conflicting files within the same priority. For example, what if you have two different active layers and each one is registered in HKEY_CLASSES_ROOT to handle HTML files? You can set a different priority for each layer.

Conflicting HKEY_CLASSES_ROOT Priorities Example #2

You have two active layers for different Web browsers: Firefox and Opera. If you open an HTML file, it will do the following:

  1. Build a list of all active layers and the base.
  2. Assign the following priorities:
    • 65.5 assigned to the Firefox layer
    • 65.5 assigned to the Opera layer
    • 85.5 is assigned to the base
  3. Determine which application to launch.

    By default, because both Firefox and Opera have the same priority, it will not know which application to launch.

    If you want Firefox to always have priority over Opera, you can configure the Firefox layer to be priority 65.3 and Opera would keep the default priority 65.5.

  4. In this example, because the Firefox layer has the higher priority, Firefox will be launched instead of Opera.

Note If the two layers have the same priority, such as 65.5, then the priority is indeterminate and which file or registry entry is used cannot be guaranteed.

To set layer priorities

You can set the priorities for a layer using command-line parameters with SVSCMD.EXE.

Note Use caution when changing the priorities of layers. When setting a priority value, you can specify any numeric value. However, we recommend that you only change the values to the right of the decimal. If you change the values to the left of the decimal, you will change the default priorities and may cause problems when new layer types are created in the future. Example: If you have two layers that have a default priority of 65.5, you can change one to 65.3, giving it a higher priority than the other layer, but still maintaining the general class of priority.

For general information about SVSCMD.EXE, see Using SVSCMD Command-Line Parameters.

  1. On a computer where you have the agent installed, open a DOS window (Start > Run > CMD > OK).
  2. From the DOS prompt, type SVSCMD.EXE "LayerName" PRIORITY [-T|-L|-R]
    • -T[YPE] <type> = Priority type (HKCR).
    • -L[EVEL] <Level> = Priority of the layer.
    • -R[ESET] = Resets the priority to default.

The following table lists examples that change layer priorities.

SVSCMD.EXE "Sample App" PRIORITY -L 65.4 Sets the priority for the Sample App layer with a priority value of 65.4.
SVSCMD.EXE "Sample App" PRIORITY -T HKCR -L 65.4 Sets the priority for the Sample App layer to type HKCR with a priority value of 65.4.
SVSCMD.EXE "Sample App" PRIORITY -R Resets the priority of the Sample App layer.
SVSCMD.EXE "Sample App" PRIORITY -T HKCR -R Resets the priority of the Sample App layer and sets the type to HKCR.
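
The tie note and the caution about digits left of the decimal can be checked before priorities are rolled out. The following is an added example, not part of the original guide or of SVS: it takes layer priorities as they would be passed to PRIORITY -L and reports ties and class changes. It assumes every layer starts at the 65.5 Normal default; owner-layer and base priorities are not modeled, and the layer names and values are constructed.

```python
"""Lint SVS layer priority settings for ties and class changes (added example)."""
from collections import defaultdict
from decimal import Decimal

# Default for an active layer that the requesting process is not running from
# (the 65.5 "Normal" row of the default-priority table).
NORMAL_DEFAULT = Decimal("65.5")


def effective_priorities(configured):
    """Map layer name -> Decimal priority; None means 'still at the default'."""
    return {name: NORMAL_DEFAULT if value is None else Decimal(value)
            for name, value in configured.items()}


def search_order(configured):
    """Group layers by priority, best first. A lower number is a higher priority."""
    groups = defaultdict(list)
    for name, prio in effective_priorities(configured).items():
        groups[prio].append(name)
    return [(prio, tuple(sorted(names))) for prio, names in sorted(groups.items())]


def winner(configured):
    """Return the layer that is searched first, or None when that is a tie."""
    order = search_order(configured)
    if not order:
        return None
    _, names = order[0]
    return names[0] if len(names) == 1 else None


def lint(configured):
    """Return findings as (kind, layers, priority) tuples."""
    findings = []
    for prio, names in search_order(configured):
        # Same value on several layers: which entry is used cannot be guaranteed.
        if len(names) > 1:
            findings.append(("tie", names, prio))
        # Digits left of the decimal changed: the layer left its priority class.
        if int(prio) != int(NORMAL_DEFAULT):
            findings.append(("class-changed", names, prio))
    return findings


if __name__ == "__main__":
    # Constructed inventory: values as they would be passed to PRIORITY -T HKCR -L.
    scenarios = {
        "defaults (Example #2)": {"Firefox": None, "Opera": None},
        "Firefox set to 65.3": {"Firefox": "65.3", "Opera": None},
        "Firefox set to 54.0": {"Firefox": "54.0", "Opera": None},
    }
    for label, cfg in scenarios.items():
        print(label, "->", winner(cfg) or "undetermined", lint(cfg))
```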

Managing Application Updates within Layers

A common use of Software Virtualization Solution is to have layers for applications that you commonly use. What if you want to update the application in a layer? For example, suppose you have a layer for Microsoft Office, but an update or patch is released for Office that you want to add to your Office layer.

It is possible to update the application within a layer; however, we recommend that rather than updating an application layer that you create a new layer that contains both the application and the update, and then remove the old layer and use the new one.

There are a couple of reasons for this:

  • If you update the application in a layer, the changes are captured into the Writeable sublayer. If you ever reset the layer, those changes are deleted (see Layer Architecture). So if you apply a security patch to a layer, but then later reset the layer, the patch is deleted.
  • By patching individual layers, you lose the consistency of managing which users are using which versions of applications. For example, if you run an .MSI repair on different computers, different changes may be made and captured in the layer.

If you do want to update an application within a layer, do the following:

  1. Make sure that the .MSI for the application is in the layer (this will be the case by default).
  2. In SVS Admin, select File > Update Existing Layer.
  3. Highlight the layer you want to update and click Next.
  4. Select Single program capture and click Next.
  5. Click Browse.
  6. Navigate to the setup file.
  7. Click Next.
  8. Click Finish.
  9. This puts you in capture mode.
  10. Update the .MSI.

If this is a layer that you have deployed on your network, you will need to re-export it to a .VSA file and redistribute it to client computers.

Handling Duplicate Services in Multiple Layers

You may have a situation where a service is run from the base or from a layer, and then the same service is launched through a different layer. Software Virtualization Solution uses reference counts to properly control the creation, starting, stopping, and deletion of services with the Service Control Manager. If you deactivate the layer running a service, the first instance of the service continues to run. The reference count information is stored under HKLM\SYSTEM\Altiris\FSL\Services.

Software Virtualization Agent Installation

The following sections provide information on installation, upgrading, and maintenance of the Software Virtualization Agent.

  • Installer Basics
  • Automating Installation
  • Upgrades and Repairs
  • Troubleshooting Failed Installs

Installer Basics

The SVS Agent installer is a Windows Installer package and therefore includes many features common to all Windows Installer packages. Some of the more common options are documented in this section.

The SVS Agent package installs a number of components on the system, some optionally. The components installed and corresponding files are shown in the following table. The paths shown are the defaults on a Windows XP English computer, so adjust them appropriately for the systems you are working with.

Driver C:\Windows\system32\drivers\fslx.sys
Library C:\Windows\system32\fsllib32.dll
WMI Provider C:\Program Files\Altiris\Software Virtualization Agent\AltirisVSProvider.dll
C:\Program Files\Altiris\Software Virtualization Agent\AltirisVSProvider.mof
Command-line Utility C:\Program Files\Altiris\Software Virtualization Agent\svscmd.exe
Graphical Admin Tool C:\Program Files\Altiris\Software Virtualization Agent\svsadmin.exe
C:\Program Files\Altiris\Software Virtualization Agent\<Language>\svsadmin_resources.dll
C:\Program Files\Altiris\Software Virtualization Agent\fslui.dll
C:\Program Files\Altiris\Software Virtualization Agent\<LCID>\fslui_resources.dll
File Redirection Area C:\fslrdr

In addition to installing these files on the hard drive, the installer also creates the file redirection area at C:\fslrdr. This is where files that are contained in virtual layers are stored. There is a corresponding area of the registry where registry entries for the virtual layers are stored. The installer creates this area at HKEY_LOCAL_MACHINE\SYSTEM\Altiris\FSL in the registry. A few other registry keys are created by the installer as described below.

Virtual Layer Metadata HKEY_LOCAL_MACHINE\SYSTEM\Altiris\FSL
SVS Product Settings HKEY_LOCAL_MACHINE\SYSTEM\Altiris\SVS
Registry Redirection Area HKEY_LOCAL_MACHINE\SOFTWARE\fslrdr

After creating these resources, the installer has to register some of them on the system. It installs the driver in a fashion similar to how a service is installed. (Do not expect to see it in your services list, but the registry keys look very similar to a service.) The WMI provider is installed using the programmatic equivalent of mofcomp.exe.

The installer sets the security permissions on the File Redirection Area and the Registry Redirection Area. For these, administrators and the SYSTEM account are given full access.

Finally, Windows Installer itself has some information that it stores about the installation. It caches the installer package on the hard drive, creates an entry for the agent in Add/Remove Programs, and stores some internal information about the components installed.

After the installer has completed, it needs a restart in order for the product to become fully usable.

Automating Installation

Now that you have an understanding of the installer package, what do you actually do with it? An individual user may double-click the package and run the installer user-interface to perform the installation. The more advanced user or administrator may want to use additional options discussed in this section to customize the installation and automate it.

Rolling the agent out to an organization probably means doing a silent install. The typical Windows Installer switches are a good start, but not sufficient. At a minimum you will need to specify a product key in order to complete the installation. The following command-line is an example of this:

msiexec.exe /qn /i Software_Virtualization_Agent.msi PRODUCT_KEY=<product-key>

A few other command line parameters can be used to customize the installation, as discussed in the following table.

INSTALL_ADMIN=1 Installs the SVS Admin Tool.
Note: INSTALL_ADMIN=<any value> will cause SVS Admin to be installed.
REBOOT=ReallySuppress Suppresses restart prompts. Without this switch, the installer will automatically restart the computer (assuming that you are doing a silent install).
D_FSLRDR=D:\fslrdr Changes the location of the file redirect area.
INSTALLDIR=C:\SVSAgent Changes the install location of the command line utility, WMI provider, and Admin tool.
PRODUCT_KEY=<product key> Specifies the product key to be used to install. This product key is obtained from Altiris, either when you purchase the product or when you download a key for free personal use of the product.

The following command silently installs the SVS Agent with SVS Admin:

msiexec.exe /qn /i "C:\Software_Virtualization_Agent.msi" PRODUCT_KEY=<product-key> INSTALL_ADMIN=1

The following command installs the SVS Agent without SVS Admin (not silent):

msiexec.exe /qb /i "C:\Software_Virtualization_Agent.msi" PRODUCT_KEY=<product-key>

Upgrades and Repairs

Upgrades and repairs of a broken installation can be accomplished through standard Windows Installer methods. The product key is validated each time the install runs, and therefore must be provided. The following commands repair an existing install and upgrade the installation respectively.

msiexec.exe /qn /i Software_Virtualization_Agent.msi REINSTALL=All REINSTALLMODE=omus PRODUCT_KEY=<product-key>

In this example, we use the Windows Installer product code for the SVS Agent rather than pointing to an .MSI file. Since the installer has cached the .MSI file on the computer during the initial install, the cached copy can be used for future repair work.

You can use a repair to install SVS Admin at some point after the initial install. This is useful if you forgot to include the parameter the first time the installer was run.

An upgrade looks almost identical, but provides a slight variation on the switches. In order to do an upgrade, you need to provide a new .MSI file. You also need to tell Windows Installer to recache the installer package using the new file (the v switch on REINSTALLMODE does this).

msiexec.exe /qn /i Software_Virtualization_Agent.msi REINSTALL=All REINSTALLMODE=vomus PRODUCT_KEY=<product-key>

Modifying SVS Agent Installations

When you installed the SVS Agent, you may or may not have installed the SVS Admin or SVS Control Panel Applet components. You can add or remove either of these components afterwards.

Adding the SVS Admin utility

Adding locally:

  1. Click Start > Control Panel.
  2. Select Add or Remove Programs.
  3. Select Altiris Software Virtualization Agent.
  4. Click Change.
  5. Select Modify.
  6. Click Next.
  7. Expand the Complete feature.
  8. Click the SVS Admin Tool button.
  9. Select Entire feature will be installed on local hard drive.
  10. Click Next.
  11. Click Next.

Adding through the command line:

You can add the SVS Admin utility by using the ADDLOCAL=SVS_Admin command-line switch.

Example:

Msiexec.exe /i Software_Virtualization_Solution.msi ADDLOCAL=SVS_Admin 

Removing the SVS Admin utility

Removing locally

  1. Click Start > Control Panel.
  2. Select Add or Remove Programs.
  3. Select Altiris Software Virtualization Agent.
  4. Click Change.
  5. Select Modify.
  6. Click Next.
  7. Expand the Complete feature.
  8. Click the SVS Admin Tool button.
  9. Select Entire feature will be unavailable.
  10. Click Next.
  11. Click Next.

Removing through the command line

You can remove the SVS Admin utility by using the REMOVE=SVS_Admin command-line switch.

Example:

Msiexec.exe /i Software_Virtualization_Solution.msi REMOVE=SVS_Admin 

Adding the Control Panel Applet

Adding locally

  1. Click Start > Control Panel.
  2. Select Add or Remove Programs.
  3. Select Altiris Software Virtualization Agent.
  4. Click Change.
  5. Select Modify.
  6. Click Next.
  7. Expand the Complete feature.
  8. Click the SVS Control Panel Applet button.
  9. Select Entire feature will be installed on local hard drive.
  10. Click Next.
  11. Click Next.

Adding through the command line

You can add the SVS Control Panel Applet by using the ADDLOCAL=SVS_Control_Panel_Applet command line switch.

Example:

Msiexec.exe /i Software_Virtualization_Solution.msi ADDLOCAL=SVS_Control_Panel_Applet 

Removing the Control Panel Applet

Removing locally

  1. Click Start > Control Panel.
  2. Select Add or Remove Programs.
  3. Select Altiris Software Virtualization Agent.
  4. Click Change.
  5. Select Modify.
  6. Click Next.
  7. Expand the Complete feature.
  8. Click the SVS Control Panel Applet button.
  9. Select Entire feature will be unavailable.
  10. Click Next.
  11. Click Next.

Removing through the command line

You can remove the SVS Control Panel Applet by using the REMOVE=SVS_Control_Panel_Applet command line switch.

Example:

Msiexec.exe /i Software_Virtualization_Solution.msi REMOVE=SVS_Control_Panel_Applet 

Troubleshooting Failed Installs

Most failed installs can be successfully completed after a restart and reattempting the install. In the event that this does not work, more drastic steps may be necessary.

In the event of an installation failure, you need to create a Windows Installer log in order to determine where the failure occurs. You can add the /l*v <logfile> switch to the command-line for the installation to generate a log file. Search for "return value 3" inside the install log and the few lines above it should have an error message regarding the failure.

This error message may tell you exactly what the problem is, such as an invalid product key. In other cases, the error message indicates a more involved failure, such as not being able to install the driver or WMI provider, or something similar. In those cases, you may need to contact Altiris support or do a manual cleanup of the installation.

Manually cleaning up a computer is a simple matter of cleaning up everything the installer does.

To clean up a computer

  1. Remove all the files and registry keys listed in the above sections.
  2. Delete the FSLX driver with the following command:
    sc.exe delete FSLX 
    
  3. Use the following command to remove the local group created for SVS Agent security:
    net.exe localgroup "Software Virtualization Administrators" /delete
    

Removing the WMI Provider is a little more complex. Use the built-in tool named wbemtest.exe for this purpose.

To remove the WMI Provider

  1. Launch wbemtest.exe.
  2. Click the Connect button.
  3. Enter the namespace "root\default" and click Connect.
  4. Click the Delete Class button
  5. Enter the class names "AltirisVSProv", "VirtualSoftwarePackage", and "VirtualSoftwareSublayer" and follow the prompts to delete each class. For completeness, you also need to remove the registry keys created by the WMI provider:
    HKEY_CLASSES_ROOT\AppID\AltirisVSProvider.DLL
    HKEY_CLASSES_ROOT\CLSID\{71D8DF9A-AD2D-44BF-A542-1412F68061D1}
    HKEY_CLASSES_ROOT\TypeLib\{888967EF-E75C-4480-992D-93FDA658F21E}
  6. Clean up the information that Windows Installer caches about the package. The easiest way to do this is with a tool called msizap.exe from the Windows Installer SDK. The following command removes all Windows Installer data for the SVS Agent:
    msizap.exe TW! {7D8DBB7C-1C55-4950-A107-043C164F379A}

Uninstalling the Software Virtualization Agent

You can uninstall the Software Virtualization Solution Agent from client computers. By default, uninstalling the SVS Agent does not remove layers. To uninstall the SVS Agent and also remove all layers see Uninstalling the SVS Agent and removing all layers.

Remotely uninstalling the SVS Agent

You can remotely uninstall the SVS agent by using one of the following command line options:

  • Msiexec.exe /x Software_Virtualization_Agent.msi or
  • Msiexec.exe /uninstall Software_Virtualization_Agent.msi

If you want to remotely uninstall the SVS Agent in a Notification Server environment, see Uninstalling the Software Virtualization Agent with a Policy.

If you want to remotely uninstall the SVS Agent in a Deployment Server environment, see Using Deployment Server to Uninstall the Software Virtualization Agent.

To manually uninstall the SVS Agent

To manually remove the Software Virtualization Agent from a computer, use the Windows Control Panel > Add or Remove Programs Applet.

  1. Click Start > Control Panel > Add or Remove Programs.
  2. Select Altiris Software Virtualization Agent.
  3. Click Remove.
    A dialog requests confirmation.
  4. Click Yes.

Uninstalling the SVS Agent and removing all layers

There is a command line switch that you can use to uninstall the SVS Agent along with all local layers: DELETE_LAYERS=1

Example: Msiexec.exe /x Software_Virtualization_Agent.msi DELETE_LAYERS=1

Manually removing layers after uninstalling the SVS Agent

If you have already removed the SVS Agent and you need to also remove layers, you can:

  • Manually remove the layer files and registry keys
    1. Delete the FSLRDR directory. This is located by default at c:\fslrdr.
    2. Delete the HKEY_LOCAL_MACHINE\SYSTEM\ALTIRIS key, by running regedit, browsing to the key, and selecting delete.
  • Reinstall the SVS Agent and then uninstall again passing in the DELETE_LAYERS=1 command line switch. For information see Uninstalling the SVS Agent and removing all layers.

Software Virtualization Solution Security

Software Virtualization Solution uses the security systems that are built into the Windows NT family of operating systems. Access to Software Virtualization Solution is controlled by Access Control Lists (ACLs) in the registry and file system. The ability to protect files and directories through ACLs requires the use of the NTFS file system. ACLs on virtualized items (registry entries, files, and services) are persisted normally and Software Virtualization Solution moves the ACLs when a Virtual Software Package (VSP) is exported and imported. This section explains how SVS handles rights on virtual files, and the on-disk structure of a VSP. It also explains how to make sure that anti-virus, inventory, and other programs function correctly in the virtualized environment.

Rights necessary to administer Software Virtualization Solution

In order for a user to manipulate Software Virtualization Solution or VSP data through SVS Admin, that user must be a member of the local Administrators group. There are two exceptions: the rights to activate and deactivate can be delegated. Users that have Read access to a key named HKLM\System\Altiris\FSL\Rights\Activate are able to activate VSPs through SVSCMD or SVS Admin. Users that have Read access to a key named HKLM\System\Altiris\FSL\Rights\Deactivate are able to deactivate VSPs through SVSCMD or SVS Admin. Users that have rights to change the permissions on these keys are able to modify these privileges for other users. While SVS Admin requires a user to be an administrator in order to modify VSP data, the user may still be able to browse directly into the Software Virtualization Solution redirection areas and modify files and registry keys. The user will have the same rights to the files and registry keys in the redirection areas as if the application had been installed normally, so this is not a problem if the application properly creates ACLs for its files during install.

Anti-virus products and inventory products

Software Virtualization Solution does not affect the run-time protection feature of anti-virus software. Anti-virus products properly scan virtualized files when they are opened. Any measures that the anti-virus product takes against a file that it thinks is infected really happen and are not virtualized. However, there is an issue with manual anti-virus scanning. If multiple files exist in the base and in one or more VSPs and these overlay each other, the scanner only sees and scans one of the files. For example, it might enumerate a file named C:\TEST.TXT and scan it, but what it does not see is that a VSP may have another version of the same named file.

For this reason, we recommend that anti-virus scanner programs be configured to be "ignored" by the SVS system. This means that when the scanner programs run, they will not see any virtualized files; they will only see the file system as it really exists. This guarantees that all files are properly scanned. The list of ignored executables can be modified by adding strings to or removing strings from HKLM\System\Altiris\FSL\ProgramIgnoreList, which is a MULTI-SZ value. The paths can be hard-coded (c:\windows\scan.exe) or variablized ([_B_]WINDIR[_E_]\scan.exe). If you have other programs, like an inventory product, that you wish to have view the file system data without any virtualization, you can add them to this list. You must restart in order for these changes to take effect.

VSP User Specific Areas

Data layers and the Writeable sublayer of Application layers are user specific. This means that the layer has a unique area for each user that holds information that is unique to each user. In the advanced editor in SVS Admin on the File tab, you can see that these layers contain some areas that are common for all users, like the Windows directory, but areas that are unique for each user exist under a SID directory. The directory is named with a string representation of the user's SID. This directory contains directories like the user's profile directory and desktop directory. A corresponding area exists in the registry. Under HU (HKEY_USERS) you will see a SID directory for each user. At runtime, this maps to HKEY_CURRENT_USER.

The Read-only sublayer of an Application layer does not contain unique entries for each user. It contains only one copy of user data that is contained in a section called USER_TEMPLATE. During the capture process, any user specific data goes into this area. When the layer is first used by any user outside of capture mode, a SID directory is created for the current user and the contents of the USER_TEMPLATE area are copied. The USER_TEMPLATE area in the Read-only sublayer is not used during normal operation.

Files, directories, and registry keys are protected with the same rights that protect the corresponding objects in the base. Example: When the DESKTOP folder is created in the layer, the ACLs are copied from the user's base DESKTOP folder. This assures that only the proper users have rights to this folder.

The FAT file system is not secure. It does not support the protecting of files and directories with rights. When you build layers that you plan to use on a computer that is using an NTFS file system, you must build the layer on a computer that is using the NTFS file system. If you build a layer on a computer that is using the FAT file system, no rights will be used and when the layer is moved to a computer that is using the NTFS file system, all files and directories will simply get default rights.

When a layer is exported, the rights that are contained in the file system are represented in a file called "acls" in SDDL format. At import time, after the files and directories have been extracted, this information is used to re-apply the proper rights.

Rights to services are handled in a similar fashion. An SDDL string is generated and used to maintain the proper rights on the service.
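
Because redirected files carry whatever rights the application's installer created, and exported layers record those rights as SDDL, the strings can be reviewed for entries that let limited-rights users modify layer content. The following is an added example, not part of the original guide or of SVS: it parses file-system SDDL strings and reports allow ACEs that give Everyone, Authenticated Users, Users or Interactive write access. The layout of the "acls" file is not described here, so the path and SDDL pairs are constructed sample input; deny ACEs, conditional ACEs and registry-key rights are not evaluated.

```python
"""Flag file-system ACEs that let broad groups modify layer content (added example)."""
import re

# SDDL rights codes -> access-mask bits (file-system meaning).
RIGHTS = {
    "GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000,
    "RC": 0x20000, "SD": 0x10000, "WD": 0x40000, "WO": 0x80000,
    "FA": 0x1F01FF, "FR": 0x120089, "FW": 0x120116, "FX": 0x1200A0,
    "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10,
    "WP": 0x20, "DT": 0x40, "LO": 0x80, "CR": 0x100,
}

# Bits that allow changing, deleting or re-permissioning a file or directory.
WRITE_BITS = (0x2 | 0x4 | 0x10 | 0x40 | 0x100   # write data, append, EA, delete child, attributes
              | 0x10000 | 0x40000 | 0x80000     # DELETE, WRITE_DAC, WRITE_OWNER
              | 0x10000000 | 0x40000000)        # GENERIC_ALL, GENERIC_WRITE

# Principals that cover ordinary (limited-rights) users.
BROAD = {
    "WD": "Everyone", "S-1-1-0": "Everyone",
    "AU": "Authenticated Users", "S-1-5-11": "Authenticated Users",
    "BU": "Users", "S-1-5-32-545": "Users",
    "IU": "Interactive", "S-1-5-4": "Interactive",
}


def parse_rights(text):
    """Convert an SDDL rights field (hex mask or two-letter codes) to an int."""
    if text.lower().startswith("0x"):
        return int(text, 16)
    if len(text) % 2:
        raise ValueError(f"malformed rights field: {text!r}")
    mask = 0
    for i in range(0, len(text), 2):
        code = text[i:i + 2]
        if code not in RIGHTS:
            raise ValueError(f"unknown rights code: {code!r}")
        mask |= RIGHTS[code]
    return mask


def dacl_aces(sddl):
    """Yield (type, flags, mask, sid) for each simple ACE in the DACL."""
    match = re.search(r"D:[A-Z]*((?:\([^()]*\))+)", sddl)
    if not match:
        return
    for body in re.findall(r"\(([^()]*)\)", match.group(1)):
        fields = body.split(";")
        if len(fields) < 6:
            raise ValueError(f"malformed ACE: ({body})")
        yield fields[0], fields[1], parse_rights(fields[2]), fields[5]


def broad_write_aces(sddl):
    """Return (sid, principal, write_bits) for allow ACEs that grant write access."""
    hits = []
    for ace_type, _flags, mask, sid in dacl_aces(sddl):
        if ace_type == "A" and sid in BROAD and mask & WRITE_BITS:
            hits.append((sid, BROAD[sid], mask & WRITE_BITS))
    return hits


def audit(entries):
    """Map path -> findings for every entry with at least one finding."""
    report = {}
    for path, sddl in entries.items():
        hits = broad_write_aces(sddl)
        if hits:
            report[path] = hits
    return report


# Constructed sample: paths and descriptors are illustrative, not taken from a real layer.
SAMPLE = {
    r"C:\fslrdr": "D:P(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)",
    r"C:\fslrdr\example-layer\app": "O:BAG:SYD:AI(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;BU)",
    r"C:\fslrdr\example-layer\data": "D:(A;OICI;FA;;;BA)(A;OICI;0x1301bf;;;BU)(A;;FRFW;;;WD)",
}

if __name__ == "__main__":
    for path, hits in audit(SAMPLE).items():
        for sid, name, bits in hits:
            print(f"{path}: {name} ({sid}) write bits {bits:#x}")
```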

Hiding the FSLRDR Redirect Locations

The SVS File System Filter driver has the ability to actively hide the fslrdr redirect locations in the registry and the file system. These areas are already protected with ACLs so that, by default, limited rights users are not able to enter these areas. Causing the driver to actively hide these areas has the advantage that the locations are not visible to anyone even if the system is configured to show hidden files. The disadvantage of using this is that programs that traverse the entire file system looking for data (Example: anti-virus scanners and inventory programs) will not see these areas either.

Note Enabling this does not affect run-time virus checking.

To enable the active hiding of the redirect locations by the driver, create a value called "HideRedirectAreas" of type DWORD under HKLM\SYSTEM\Altiris\FSL. Set the value to "1". A restart is required to put into effect any changes to this value.

Launching of Startup Items

The information in this section does not apply when a layer is activated at start time because it is marked to be active on start. This only applies when a layer is manually activated.

When a layer is activated, Software Virtualization Solution typically launches all of the items in the layer that are configured to run at startup. This includes entries in the startup folder, the common startup folder, run entries, and run-once entries. The launching of these programs happens in the context of the user that activates the layer. This is a potential security concern. Example: When a layer is activated remotely by Notification Server, this happens in the SYSTEM context by default. Because of this, Software Virtualization Solution will not launch these items unless the activation is being done by the interactive user who is logged on to the system.

This does not apply to the OnEvent actions. OnEvent actions are run regardless of how the layer is activated. Care must be taken to ensure that actions configured to run in these scenarios are secure and cannot be exploited by any users on the system.
