I previously wrote this article on my blog, Think Big!.
This article does not belong to Windows Vista only! It belongs to the existence of UAC.
Introduction
Enabling UAC (User Access Control) feature in Windows Vista, Administrator users in Windows Vista, by default, don't have administrative privileges. Every Windows process has two security tokens associated with it, one with normal user privileges and one with admin privileges. With applications that require administrative privileges, the user can elevate the application to run with Administrator rights. And that process is called Elevation.
As you expect, it's the least-privilege principle well-recognized for security pros and people who use Linux.
User can elevate an application either by clicking "Run as Administrator" from the context menu of the application icon, or even by editing the Compatibility tab in the properties of the application file.
Also, while an application running it can ask the user to provide administrative permission to complete a specific operation (a good example is switching to the All Users mode in Task Manager).
Windows Vista keeps track of the compatibility options edited for an application by adding a compatibility flag to the registry at HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlagsLayers.
Try changing any of the compatibility options for an application and see how Windows tracks that.
Because UAC feature of Windows Vista, it doesn't allow users to access some folders like Program Files and Windows folder. Also it doesn't allow them to access the registry without administrative permission.
But, there're lots of applications that write lots of data to the Program Files folder for instance. And Windows Vista must keep them away from doing such these operations without administrative permission -you can imagine the amount of applications that require administrative privileges-. So to handle this dilemma, Windows Vista has a new technique called Virtualization.
When a program tries to write to the Program Files folder for instance, Windows Vista redirects it to a special virtual store so that the application can read/write data without generating errors (because of course it doesn't have the permission).
As we would see in the next example Windows Vista uses this technique with registry too.
For folders, Virtualization called File Virtualization. For registry, it's called Registry Virtualization.
File Virtualization
To see virtualization in action let's try this example:
string programFiles = Environment.GetFolderPath(Environment.SpecialFolder.ProgramFiles); string appDir = Path.Combine(programFiles, "MyApplication");
if (Directory.Exists(appDir) == false) Directory.CreateDirectory(appDir);
string file = Path.Combine(appDir, "SampleFile.txt");
File.WriteAllText(file, "Hello, World!");
|
When you run the example it doesn't write to C:Program FilesMyApplication. Instead it writes to the Program Files virtual store in C:\Users\AppData\LocalVirtualStore\Program Files\MyApplication.
Note that if you are running your Visual Studio instance in elevated mode and run your application it gets the elevated mode from Visual Studio. So you need to run it manually from its icon.
Try changing the application so it writes to Windows folder. And check the virtual store folder.
Registry Virtualization
Virtualization is not only done with folders but also with registry entries. If the application tries to write to the registry key Software in HKEY_LOCAL_MACHINE hive, it is redirected to the HKEY_CURRENT_USER hive. Instead of writing to HKLM\Software\{Manufacturer}, it writes to the registry Virtual Store HKCU\Software\Classes\VirtualStore\MACHINE\SOFTWARE\{Manufacturer}.
File and registry virtualization is available only for 32-bit applications. This feature is not available for 64-bit applications on Windows Vista.
Don't use virtualization as a feature of your application. It is better to fix your application than to write to Program Files folder and the HKLM hive without elevated user privileges. Redirection is only a temporary means to fix broken applications.