Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.

Folder Virtualization Concepts in Windows Vista

Created: 12 Oct 2007 • Updated: 12 Oct 2007 | 13 comments
Language Translations
R-Vijay's picture
+1 1 Vote
Login to vote

Under User Account Control, Windows Vista restricts portions of the Windows file system and registry. UAC also restricts write operations during normal operation (i.e., standard user mode). For example, applications no longer have unlimited access to C:\Program Files and C:\Windows, which has considerable ramifications because most software created for Windows today expects unfettered access to all directories. The system-wide file system and Registry writes are automatically and silently redirected to per-user locations that won't harm the wider system.

Editors Note: Although this is a form of "virtualization," it is not the same as the application virtualization offered in Altiris SVS. Please see this post for a brief discussion of the difference.

To accommodate existing software for Windows that writes to protected file directories, Microsoft provides a backward compatibility technology known as Virtualization. While virtualization enables older applications to run without programmer intervention, it does not guarantee correct behaviour, and many applications will need to be updated to comply with UAC restrictions. Virtualization is often referred to as data redirection because it functions by funnelling attempted access to protected locations to new locations stored under user profiles. For example, if a legacy application attempts to write to the Program Files directory, UAC silently redirects that operation to an unprotected user-specific folder.

Virtualization Process

When an application installer attempts to write a file called Entry.txt in C:\Program Files, it is silently redirected to a Virtual Store directory located inside the current user's account. To the application, things proceed as normal, and it has no idea that it is being redirected. To the user, the application, too, still appears to be located at the old, expected location. But because the application is not access system-wide file locations, it cannot be used to harm the system. And on multi-user systems, each user will have isolated, local copies of redirected files. When this action is being invoked by a admin user, the file entry is done in Program Files itself. This is depicted in the figures below.

Registry virtualization works similarly. In this case, the HKEY_LOCAL_MACHINE\SOFTWARE hive is virtualized so that applications which attempt to store configuration information in system-wide portions of the Registry are re-directed to a new introduced structure under HKEY_CLASSES_USER\Classes\VirtualStore\MACHINE\SOFTWARE.

As with file virtualization, each user on a system will have their own copy of configuration information that was previously issued once on a global basis.

Sample Demo

Here is a simple code snippet which I developed to explain the Folder Virtualization concepts. To demonstrate this, login to a Vista machine in a standard user account and launch the application "Folder Virtualization.exe".

Click on the "Test the access Credential" push button to verify the account type. As expected this dialog will be showed as below because, we have logged in as a standard user.

To start with, let's create a registry key test in HKLM\Software\Vista by clicking on the push button as shown below.

The above screen tells that, the registry entry has been done. When checked in HKLM\Software\ there is no key created.

Here comes the Registry virtualization, this key is instead created in HKEY_CURRENT_USER\Softwares\Classes\VirtualStore\Machine\Software\Vista as shown in the figure below.

Now let's try creating a file called "entry.txt" in C:\ProgramFiles\Vista by clicking on the push button as shown below.

The above screen shows that, the file has been created in "Program Files" Folder, but there is no folder called Vista created in Program Files.

Use the folder options view all the hidden files.

The Entry.txt file is virtualized and created in C:\Users\Vijay\Appdata\Local\VirtualStore\Program Files\Vista

These were the operations done as a standard User.

Now, right click on the Folder Virtualization.exe and click on Run as administrator as shown below.

Just to test the access token, you are an administrator user.

Now on clicking registry creation and File creation buttons the key and file are created in HKLM\Software\Vista and C:\ProgramFiles\Vista because, you are running with an admin credential.

Folder Redirection

Windows Vista doesn't have any folder called "Documents and Settings" in root drive. Instead it has a folder called "Users". However, there is a support for the applications which uses "Documents and Settings" as a hard-coded entry.

To demonstrate this, click on the last button to create a file on the desktop. Now, goto command prompt, type cd "Documents and Settings", this command will work. This is not a hidden folder; this is a re-directed folder to Users.

Limitations of Virtualization

Virtualization is a security measure aimed at making legacy software work better in Vista. Microsoft expects Vista compliant applications to respect the new Windows application guidelines. And future Windows versions will do away with file system and Registry virtualization after more applications are moved to the new development style. This is short-term solution only.

Although most legacy applications created for previous versions of Windows will run because of virtualization, it is not an ideal solution and only intended to serve as a short-term workaround. Because virtualization isolates files in per-user locations, it can lead to undesirable and seemingly bizarre behaviour, especially on computers shared by multiple users.

Consider, for example, a test application created for Windows XP that performs quality assurance on products at the end of a manufacturing line. Like many existing applications, this software writes test data to a location in the Program Files directory. "C:\Program Files\QA".

Under Windows Vista, virtualization could affect the behaviour of the application. If you run the application on this machine using your standard user profile, Windows Vista automatically detects that you don't have permission to access that location and redirects the data to the following location:

C:\Users\<username>\AppDataLocal\VirtualStore\ProgramFiles\QA

Subsequent write and read operations performed under this user profile will always use the copy located in the Virtual Store. But, the application will continue to believe that it's accessing the Program Files directory. If a second operator logs into this computer under his or her profile, he or she won't have access to the previously saved data because it's not shared across user profiles.

While an administrator can forcibly disable virtualization in Windows Vista, Microsoft has vowed to remove it in a subsequent version of Windows. To ensure that software behaves as expected under all use cases in Windows Vista and beyond, you must update test systems so that writable files no longer appear in virtualized directories. In many cases, software rewrites may be minimal, but compliance with UAC restrictions could entail major architectural changes, depending on the application.

Steps to follow when virtualization is not needed

If the developer needs to install the application into C:\Program Files\ProductName\... and write into HKEY_LOCAL_MACHINE\Software\ProductName registry key then he can do these two things:

  1. Provide a manifest file with the application where the credential level should be set to "asInvoker"
  2. Provide a manifest file with your installer (or a separate helper EXE) where you mention level="asInvoker". Then give your installer (or a separate helper EXE) the ability to grant the 'Users' group write access into the C:\Program Files\ProductName\ and into the HKEY_LOCAL_MACHINE\Software\ProductName registry key so that, normal users have access.

Please change the extension of Virtualization Demo and Concepts.txt to Virtualization Demo and Concepts.zip and execute the Virtualization.exe inside.

Hope it's useful for all.

Cheers'
Viju

Comments 13 CommentsJump to latest comment

erikw's picture

Vijay,

This is in my opinion the best piece on the juice.
Great.
I can use it very well.
To bad i only can give it a 5. I would give it a 10 if possible.

Regards
Erik
www.svs4u.nl

Regards Erik www.DinamiQs.com Dinamiqs is the home of VirtualStorm (www.virtualstorm.org)

*************************************************************
If your issue has been solved, Please mark it as solved
***********

0
Login to vote
R-Vijay's picture

Hi Erik,

Thanks for your compliments. I am really happy to see such a good reply and comment for my post. Hope I keep the readers entrancing with quality works and posts.

Thanks again..

Cheers'
Viju

Microsoft MVP [Setup-Deploy]
Weblog: www.msigeek.com

0
Login to vote
R-Vijay's picture

If the applications write to HKCR at run time to reinforce their file associations, COM registration data, and so on. An error is raised if the write fails, even if the data to be written is already there. The same data is written every time the app runs. If that same registration data were stored in HKCU\Software\Classes, then the write operations would succeed, without changing program behavior.

To fix this, first you must identify the keys under HKCR that the application is trying to write to. Export those keys to one or more .reg files (in the Registry Editor, select File | Export and choose Selected branch). Then using a text editor, replace all instances of [HKEY_CLASSES_ROOT\ with [HKEY_CURRENT_USER\Software\Classes\ and save your changes. When you’re finished, import the edited .reg file into the registry of the user who needs to run the program.

Microsoft MVP [Setup-Deploy]
Weblog: www.msigeek.com

0
Login to vote
arjain's picture

Hi Vijay,
This is an excelent article for Vista Virtualzation.
i have one query,
i want to know how vista detects application as a legacy software.

~ SQA Manual - Crafting tomorrow

If a forum post solves your problem, please flag it as a solution. If you like an article or blog post vote for it.

0
Login to vote
R-Vijay's picture

Hi Jain,

Thanks for your compliments.
Well, a legacy install is detected by an OS through many ways.

1. If the installation of a particular application occurs without invoking the Windows Installer service, then its a legacy installs.

2. When the concurance and dependency are not checked during the isntallation, its a legacy software.

3. When the installation and un-intallation information is not put by the application. For eg (msi in %temp% and in C:\windows\Installer)

4. When the application cannot undergo done an ondemand installation.

These are very little things I could figure out..
Hope others can given you much more input.

Please do share the same with me.

Cheers'
Vijay

Microsoft MVP [Setup-Deploy]
Weblog: www.msigeek.com

0
Login to vote
R-Vijay's picture

As discussed in the article the "Documents and Settings" location and structure has changed in Windows Vista to provide a better user experience

  • The user data is now stored in: \users\%username%\ folder structure
  • Pictures, Music, Documents, Desktop, and Favorites are all new folders directly under this structure
  • Apps that use the ShGetFolderPath function and the folder path dynamically, it will be redirected automatically to the new path and file locations. In general, applications will not see a compatibility impact due to these changes.

Developer Guidelines

  • Never hard code absolute paths
  • Use Directory junction (symbolic link)
  • Provide backward compatibility for hardcoded paths e.g. "Documents and Settings" Users
    1. DENY_READ set for 'Everyone'
    2. Cannot be enumerated
    3. Only allow full path to be accessed
      e.g. \Documents and Settings\%username%\My Documents\foo.doc

Microsoft MVP [Setup-Deploy]
Weblog: www.msigeek.com

0
Login to vote
arjain's picture

Hi Vijay,

is there any way we can on/off (some setting) virtualization in Vista.

~ SQA Manual - Crafting tomorrow

If a forum post solves your problem, please flag it as a solution. If you like an article or blog post vote for it.

0
Login to vote
Richard Jeffrey's picture

To disable the registry virtualization you can use the command
REG FLAGS HKLM\Software\ SET DONT_VIRTUALIZE /s

Not sure if you can use the 'HKLM\Software\' path to stop all subsequent registry keys from being virtualized, or if you can only apply it to 'HKLM\Software\Company Name' for a granular method.

If you want to disable both folder and registry virtualization, you should do so via policy / registry.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
"EnableVirtualization"

+1
Login to vote
greendaale's picture

Hi

Thanks for great blog post about Virtualization in Vista.

Is it possible to detect old VirtualStore files and them remove them on install of a newer version of the same app? How do I create an package to do this?

I use Wise Installation Express v7.3

Cheers,

greendaale

0
Login to vote
aroon's picture

Thanks Vijay, for providing such a great informative knowledge. This concept is like refreshment to brain.

0
Login to vote
Joboy's picture

Hi Vijay,

Its great. I understood the Vista Virtualization Folder concept. I am facing some problems with the same Virtualization Folder.

I am using Vista as a web client, my web client ASP.NET application runs with Low rights, when the web client application tries to get the data from server it throws an error:

Could not find a part of the path: (which is highlighted)
C:\Users\account\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized\C\Users\account\AppData\Local\Temp\Low\6br1dtzk.dll'

If I create the missing folder "Temp\Low" it shows one more error:

Could not find file:
C: \Users\account\AppData\Local\Microsoft\Windows\
Temporary Internet Files\Virtualized\C\Users\account\
AppData\Local\Temp\Low\6br1dtzk.dll

My web client application loads a assembly in the following folder which has some dll.

"C:\Users\account\AppData\Local\Microsoft\Windows\
Temporary Internet Files\Virtualized\C\Users\account\
AppData\Local"

If I manually copy this assembly into the following path my second error goes of and it works fine, the data sink is happening between the server and the client.

"C:\Users\account\AppData\Local".

One more thing is if I run the IE7 as run as run as administrator every thing works fine. In this scenario the assembly is directly loaded in "C:\Users\account\AppData\Local".

How can I avoid manually copying this assembly folder, I cannot ask my customer to do this and one more issues is why this "\Temp\Low\" is not created automatically.

Thanks in advance for you help.

Joboy.

0
Login to vote
MastAvalons's picture

great tool!

But I use boxedapp.......

boxedapp is more powerful.

0
Login to vote
Krushna's picture

when trying to provide zip extension to above downlodable file i got this multiple error !!

Thanks !! great work

First error.png Second error.png Thired error.png
0
Login to vote