23 Dec 2009

UAC Virtualization (Part 2)

As expressed in my earlier part about User Account Control in Windows Vista; when a standard user is logged into a Windows based computer, there are certain activities and actions that need to be protected. This is essential to protect the overall stability and security of the operating system. Windows Vista provides an excellent solution to help protect these key system areas. Vista uses User Account Control and Virtualization to accomplish the security and protection.

The Program Files directory (typically located at C:\Program Files and referred to as %ProgramFiles%) is where most applications store the executable files. The settings for the application are stored under the HKEY_LOCAL_MACHINE\Software key in the Registry in most cases. Both of these locations are protected by the operating system by only allowing the system and administrators write access, where users have read and execute access only.

The application data locations are created on user basis and are protected such that only that user has access to the data that is written by default.

However, many applications are not designed to work this way. Instead, they are designed to store user specific data under %ProgramFiles% and HKEY_LOCAL_MACHINE\Software. Unfortunately standard users do not have access to write to these locations, which has caused many companies to add standard users to the local Administrators group in order to run these applications.

Since the applications are not easily changed and users must still run these applications, Vista takes a different approach to fix the problem. Within Vista, UAC lends a helping hand by virtualizing the file system and Registry namespace. UAC will virtualize legacy applications, allowing standard users to remain a “standard user”, but still run the application. The definition of legacy in this case includes processes that are 32-bit, not running with administrative privileges, and does not include a Windows Vista manifest file. If a process or operation does not meet these criteria it is not virtualized.

UAC Virtualization
In Vista, you can see the UAC virtualization option in Task manager where you can see the various processes running in process tab. Right click on any one of the process which you wish to virtualize and you can click the UAC Virtulaization option.

When an action is virtualized, the resulting content is stored within the users’ profile as mentioned above. Depending on which content has been virtualized, there will be some indicators within the different interfaces to help you see the virtualization.

The first indicator will be within the Windows Explorer GUI. Depending on which folder and files have been virtualized, you will see additional menu options within Windows Explorer. Figure below illustrates what Windows Explorer shows when you have Virtualized files under the C:\Windows folder. (Compatibility Files)

The “Compatibility Files” menu addition to Windows Explorer only appears when there are files that have been virtualized. The new menu option appears only for those folders which have virtualized files or folders.

When the Compatibility Files menu option is selected, it will direct the Windows Explorer window to the virtualized files and the containing folder. Figure below illustrates what the contents of this virtualization of files and folders looks like.


comments powered by Disqus