Of course there are huge new technologies in Windows Vista that have an impact on packaging, this article will cover the most important ones:
- User Account Control (UAC)
- File and Registry Virtualization - a UAC sub feature
- Integrity Access Level (IL) - a UAC sub feature
- Windows Resource Protection
User Account Control (UAC)
UAC is meant to enable users to run with standard user rights, as opposed to administrative rights. This article will cover the sub features File and Registry Virtualization and Integrity Access Level because they will have the most impact in the repackaging world. The Internet contains a lot of documents that cover the UAC feature of Windows Vista.
Impact of UAC in Packaging
A known problem is Active Setup. If an executable is not signed by the product vendor, like a Wise Script executable, it will hang as a minimized task during the login phase, waiting to be accepted by the end user.
Possible Solution
This can be solved by using a UAC compliant MSI Installation (figure 1) instead of a Wise Script executable or using a script technology that will not activate the UAC 'An unidentified program wants access to your computer' dialog box (figure 2).
Figure 1: This dialog box stops the login process while Active Setup is running a task that is not signed
Click to view.
Figure 2: UAC compliant processes will not activate the UAC dialog box
Click to view.
File and Registry Virtualization
The basics of this sub feature is explained in the article Folder Virtualization Concepts in Windows Vista, therefore I will concentrate on what this means in repackaging.
Impact in Packaging
Files in a registry key can be found twice in your installation. Especially if the application has to be launched to customize options and settings.
Possible Solution
During Setup-Capture (Snap-Shot technology):
Virtualized resources needs to be merged with the original files and the virtualized resources can be deleted from the installation resources.
If file and registry virtualization is enabled on the default user environment, you will need to test the application with two different default user accounts. Check if resources from the application gets virtualized and that those contents will not affect the proper functionality of the application.
The best practice is to disable the file and registry virtualization. Microsoft does not guarantee this feature will be in future releases of Windows. If a file or registry key needs permission changes, use the LockPermission table or use a custom action to modify the related security descriptor of those resources. If the user has the permission to modify the resources, it won't be virtualized.
It's recommended to use the latest release of a product that supports Vista. Applications following the Microsoft development guidelines for Vista compliant applications, are modifying resources in the user profile where virtualization will not take place.
Integrity Access Level (IL)
IL is a new security model in Windows Vista. All processes and objects have integrity levels and an object's integrity policy can restrict accesses that would otherwise be granted to a process, protecting them from running malware.
Impact in Packaging
The Low (Untrusted) Integrity Level can be a problem while repackaging an application. If a process is launched in the Low Level it could create files in the %USERPROFILE%\AppData\LocalLow folder. This folder is not available as a predefined special folder in the directory table.
Possible Solution
This folder has to be set up during installation using a custom action like the following vb script, to avoid hard coding:
Set wshshell = CreateObject("WScript.Shell")
Set fs = CreateObject("Scripting.FileSystemObject")
If fs.folderexists(WshShell.ExpandEnvironmentStrings("%USERPROFILE%") & "\AppData\LocalLow") Then
STRDEST = WshShell.ExpandEnvironmentStrings("%USERPROFILE%") & "\AppData\LocalLow\"
Else
STRDEST = WshShell.SpecialFolders(5) & "\"
End If
SessionProperty("APPDATALOWFOLDER")=STRDEST
set fs = Nothing
set wshshell = Nothing
Windows Resource Protection
Windows Resource Protection will replace Windows File Protection (WFP) that has been available since Windows 2000. Windows Resource Protection will now cover registry keys and files (WFP was only covering files). A special account, the TrustedInstaller, will be the owner of those resources.
Impact in Packaging
The Windows Resource Protection could lead to problems while removing an application when registry keys (specially the HKCR keys) or files that are protected are part of the installation.
Possible Solution
To avoid this problem, enable the Windows Vista Compatibility Check inside the Package Validation from Wise. The WiseVista_ChecktProtectedKeys and WiseVista_CheckProtectedFiles will show all affected resources that needs to be removed from the installation.
Vista Repackaing Best Practices with Wise Package Studio Part 1