Vista registry virtualization

Bob Butler

Vista "virtualizes" the registry so the attempts to access values under HKLM
get redirected to HKCU\Software\Classes\VirtualStore\Machine but I've run
into a problem because it also appears to work the opposite way as well.

I have an app that needs to scan the entire HKCU hive and it works great
except that when I get to the VirtualStore key it picks up all the keys and
values from HKLM as well. I'm running with UAC enabled and am logged on as
a user without admin rights and the code below gives me a whole long list of
keys. The odd thing is that when I run regedit.exe without elevation I see
just a few keys so there must be a way to turn off virtualization when
reading these keys.

I've tried using ImpersonateLoggedOnUser which the MS web page says disables
virtualization and that seems to work for a user that has admin rights
(running elevated or not) but not for a regular user. What am I missing?



Private Const KEY_READ = &H20019
Private Const HKEY_USERS = &H80000003
Private Const HKEY_CURRENT_USER = &H80000001

Private Type FILETIME
    dwLowDateTime As Long
    dwHighDateTime As Long
End Type

Private Declare Function RegCloseKey Lib "advapi32.dll" _
    (ByVal hKey As Long) As Long
Private Declare Function RegOpenKey Lib "advapi32.dll" _
    Alias "RegOpenKeyA" (ByVal hKey As Long, ByVal lpSubKey As String, _
    phkResult As Long) As Long
Private Declare Function RegEnumKey Lib "advapi32.dll" _
    Alias "RegEnumKeyA" (ByVal hKey As Long, ByVal dwIndex As Long, _
    ByVal lpName As String, ByVal cbName As Long) As Long

' Enumerate the subkeys of the per-user VirtualStore and print them on the
' form (set the form's AutoRedraw to True so the Me.Print output persists).
Private Sub Form_Load()
    Dim x As Long, hKey As Long, k As Long, lSize As Long
    Dim sKey As String

    x = RegOpenKey(HKEY_CURRENT_USER, _
        "Software\Classes\VirtualStore\Machine\Software", hKey)
    If x = 0 Then
        k = 0
        Do
            sKey = String$(1024, 0)
            lSize = Len(sKey)
            x = RegEnumKey(hKey, k, sKey, lSize)
            If x Then Exit Do   ' non-zero = no more items (or an error)
            ' RegEnumKeyA returns a NUL-terminated name; trim at the first NUL
            Me.Print k; " "; Left$(sKey, InStr(1, sKey, vbNullChar) - 1)
            k = k + 1
        Loop
        x = RegCloseKey(hKey)
    End If
End Sub
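The behaviour Bob describes, reproduced from the process token's point of view, as an added example that is not code from the thread. It reads the same virtualization state Task Manager shows, then turns virtualization off for the current process with SetTokenInformation(TokenVirtualizationEnabled) instead of the ImpersonateLoggedOnUser trick Bob ended up using, and enumerates the VirtualStore key before and after. It assumes Windows Vista or later and PowerShell 3.0+ started non-elevated in a standard-user session; the token information class numbers and access masks are the documented Win32 values, while the function names and the helper layout are this example's own.

```powershell
# Added example (not code from the thread). Assumes Vista+ and PowerShell 3.0+,
# started non-elevated in a standard-user session. Class numbers 23/24 and the
# access masks are documented Win32 values; function names are this example's.
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class TokenNative
{
    public const uint PROCESS_QUERY_INFORMATION = 0x0400;
    public const uint TOKEN_QUERY               = 0x0008;
    public const uint TOKEN_ADJUST_DEFAULT      = 0x0080;
    public const int  TokenVirtualizationAllowed = 23;   // TOKEN_INFORMATION_CLASS
    public const int  TokenVirtualizationEnabled = 24;

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint access, bool inherit, uint pid);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr h);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool OpenProcessToken(IntPtr hProcess, uint access, out IntPtr hToken);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool GetTokenInformation(IntPtr hToken, int cls, out uint info, uint len, out uint ret);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool SetTokenInformation(IntPtr hToken, int cls, ref uint info, uint len);
}
"@

function Get-Win32Error { [Runtime.InteropServices.Marshal]::GetLastWin32Error() }

function Open-ProcessToken([int]$ProcessId, [uint32]$Access) {
    # Returns a token handle for the given process; the caller must CloseHandle it.
    $hProc = [TokenNative]::OpenProcess([TokenNative]::PROCESS_QUERY_INFORMATION, $false, $ProcessId)
    if ($hProc -eq [IntPtr]::Zero) { throw "OpenProcess($ProcessId) failed, Win32 error $(Get-Win32Error)" }
    try {
        $hToken = [IntPtr]::Zero
        if (-not [TokenNative]::OpenProcessToken($hProc, $Access, [ref]$hToken)) {
            throw "OpenProcessToken failed, Win32 error $(Get-Win32Error)"
        }
        $hToken
    } finally { [void][TokenNative]::CloseHandle($hProc) }
}

function Get-TokenVirtualization([int]$ProcessId = $PID) {
    # Allowed = the process is eligible for virtualization (unmanifested,
    # interactive, not elevated); Enabled = redirection is currently active.
    $hToken = Open-ProcessToken $ProcessId ([TokenNative]::TOKEN_QUERY)
    try {
        $flags = @{}
        foreach ($cls in 'TokenVirtualizationAllowed', 'TokenVirtualizationEnabled') {
            $value = [uint32]0; $ret = [uint32]0
            if (-not [TokenNative]::GetTokenInformation($hToken, [TokenNative]::$cls, [ref]$value, 4, [ref]$ret)) {
                throw "GetTokenInformation($cls) failed, Win32 error $(Get-Win32Error)"
            }
            $flags[$cls] = [bool]$value
        }
        [pscustomobject]@{
            ProcessId = $ProcessId
            Name      = (Get-Process -Id $ProcessId).ProcessName
            Allowed   = $flags.TokenVirtualizationAllowed
            Enabled   = $flags.TokenVirtualizationEnabled
        }
    } finally { [void][TokenNative]::CloseHandle($hToken) }
}

function Set-TokenVirtualization([bool]$Enabled) {
    # Switches redirection for the current process without impersonating.
    # Expect failure when Allowed is FALSE (e.g. from manifested powershell.exe).
    $access = [TokenNative]::TOKEN_QUERY -bor [TokenNative]::TOKEN_ADJUST_DEFAULT
    $hToken = Open-ProcessToken $PID $access
    try {
        $value = [uint32]$(if ($Enabled) { 1 } else { 0 })
        if (-not [TokenNative]::SetTokenInformation($hToken, [TokenNative]::TokenVirtualizationEnabled, [ref]$value, 4)) {
            throw "SetTokenInformation failed, Win32 error $(Get-Win32Error)"
        }
    } finally { [void][TokenNative]::CloseHandle($hToken) }
}

function Get-VirtualStoreSubkeys {
    # The key Bob's VB6 loop walks. A virtualized process sees the merged HKLM
    # view here; with virtualization off only what HKCU physically holds appears.
    $path = 'HKCU:\Software\Classes\VirtualStore\Machine\Software'
    if (Test-Path $path) { (Get-ChildItem -Path $path).PSChildName }
}

# Usage: inspect this shell, then toggle and compare the enumeration.
Get-TokenVirtualization | Format-List
$before = @(Get-VirtualStoreSubkeys)
try { Set-TokenVirtualization -Enabled $false } catch { Write-Warning $_ }
$after = @(Get-VirtualStoreSubkeys)
"VirtualStore subkeys visible: $($before.Count) before, $($after.Count) after"
```

powershell.exe ships with a manifest, so run from the shell itself Allowed normally reads False and the before/after counts match. The useful call is Get-TokenVirtualization -ProcessId against the running VB6 app (Allowed True, Enabled True is the merged-view case Bob hit); the Set-TokenVirtualization logic is what belongs inside that unmanifested process, at the point where the scan reaches the VirtualStore key.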
 
Andrew McLaren

Bob Butler said:
I've tried using ImpersonateLoggedOnUser which the MS web page says
disables virtualization and that seems to work for a user that has admin
rights (running elevated or not) but not for a regular user. What am I
missing?

Hi Bob,

This is rather a stab in the dark, but ... maybe you can add a manifest to
the EXE?

As per the MSDN page on Virtualisation
(http://msdn2.microsoft.com/en-us/library/aa965884.aspx) if the app uses a
requestedExecutionLevel in a manifest, then Virtualisation will be disabled.

It looks like you're using VB6? Embedding a manifest into a VB6 app is a
little bit of a hassle; at least setting it up the first time. There's a
good description of the procedure, here:
http://www.experts-exchange.com/Programming/Languages/Visual_Basic/Q_22156349.html

Caveat, I haven't tried this myself ... I'm just guessing it will solve your
problem, really (albeit, an educated guess :).

Other folks may have better ideas.
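The manifest Andrew refers to, written out and embedded into the executable, as an added example that is not code from the thread or from the linked procedure. It writes the external `<exe>.manifest` file and, when mt.exe from the Windows SDK is on PATH (for instance in a Developer Command Prompt), embeds it as resource #1 and reads it back for confirmation. The executable path, the assembly name derived from it and the output file names are this example's assumptions.

```powershell
# Added example, not from the thread. Assumes PowerShell 3.0+ and, for the
# embedding step, mt.exe from the Windows SDK on PATH. $ExePath is assumed.
param([string]$ExePath = 'C:\Build\ScanHkcu.exe')

$assemblyName = [IO.Path]::GetFileNameWithoutExtension($ExePath)
$manifest = @"
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity version="1.0.0.0" processorArchitecture="x86"
                    name="$assemblyName" type="win32"/>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <!-- asInvoker: run with the caller's token and no elevation prompt.
             Any requestedExecutionLevel marks the process UAC-aware, which
             is what switches registry and file virtualization off. -->
        <requestedExecutionLevel level="asInvoker" uiAccess="false"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>
"@

# 1. External manifest: same directory, "<exe name>.manifest", UTF-8 without BOM.
$external = "$ExePath.manifest"
[IO.File]::WriteAllText($external, $manifest, (New-Object Text.UTF8Encoding $false))
"Wrote $external"

# 2. Embedded manifest: takes precedence over the external file, so if the exe
#    already carries a manifest resource the external copy is never consulted.
$mt = Get-Command mt.exe -ErrorAction SilentlyContinue
if (-not $mt) {
    Write-Warning "mt.exe not on PATH; only the external manifest was written."
    return
}
$outRes = "-outputresource:$ExePath;#1"
& $mt.Path -nologo -manifest $external $outRes
if ($LASTEXITCODE -ne 0) { throw "mt.exe failed with exit code $LASTEXITCODE" }

# 3. Read resource #1 back so you can confirm what the loader will actually see.
$inRes   = "-inputresource:$ExePath;#1"
$readout = "$ExePath.embedded.manifest"
& $mt.Path -nologo $inRes "-out:$readout"
if ($LASTEXITCODE -ne 0) { throw "mt.exe extraction failed with exit code $LASTEXITCODE" }
Get-Content $readout
```

After embedding, re-check the running process (Task Manager's Virtualization entry, or the token query) rather than trusting the file on disk: the manifest only matters if the loader picked it up.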
 
Bob Butler

Andrew McLaren said:
Hi Bob,

This is rather a stab in the dark, but ... maybe you can add a manifest to
the EXE?

As per the MSDN page on Virtualisation
(http://msdn2.microsoft.com/en-us/library/aa965884.aspx) if the app uses a
requestedExecutionLevel in a manifest, then Virtualisation will be
disabled.

It looks like you're using VB6? Embedding a manifest into a VB6 app is a
little bit of a hassle; at least setting it up the first time. There's a
good description of the procedure, here:

http://www.experts-exchange.com/Programming/Languages/Visual_Basic/Q_22156349.html

Caveat, I haven't tried this myself ... I'm just guessing it will solve
your problem, really (albeit, an educated guess :).

I tried a manifest specifying "asInvoker" (external though) and it didn't
help. I'm not sure my follow-up post got through because I don't see it but
I did find the solution using ImpersonateLoggedOnUser on my own token. I
realized right after sending the original post what I'd done wrong when
testing it as a non-admin user.

I was just surprised that the virtualization works in both directions.
 
Andrew McLaren

Bob Butler said:
I tried a manifest specifying "asInvoker" (external though) and it didn't
help. I'm not sure my follow-up post got through because I don't see it
but I did find the solution using ImpersonateLoggedOnUser on my own token.
I realized right after sending the original post what I'd done wrong when
testing it as a non-admin user.

I didn't see that follow-up post; but, glad you got it working. Yeah I would
expect that ImpersonateLoggedOnUser should also work.
I was just surprised that the virtualization works in both directions.

Virtualisation seems to be a mystery, wrapped in a puzzle, inside an enigma.

Good luck with the project,
 
Rick Raisley

Bob Butler said:
Vista "virtualizes" the registry so the attempts to access values under HKLM
get redirected to HKCU\Software\Classes\VirtualStore\Machine but I've run
into a problem because it also appears to work the opposite way as well.

I have an app that needs to scan the entire HKCU hive and it works great
except that when I get to the VirtualStore key it picks up all the keys and
values from HKLM as well. I'm running with UAC enabled and am logged on as
a user without admin rights and the code below gives me a whole long list of
keys. The odd thing is that when I run regedit.exe without elevation I see
just a few keys so there must be a way to turn off virtualization when
reading these keys.

Isn't this to be expected? When a normal user is logged in, virtualization
means that they see the virtualized data, be it files or Registry. So, like
when looking at My Documents, when you browse HKCU, you are seeing the
user's "version" of HKLM. Just like when you look at your Desktop you see
all /your/ items, but also all items in the All Users Desktop. Even though
only the /added/ items are actually on the user's desktop.

I don't really have an answer to your question, except that I think the
situation you're seeing should be expected, and it would seem that if you
/really/ want to see what's there, you'll need to log on as an Admin. Then
you should see what the "real" configuration is.
 
Bob Butler

Rick Raisley said:
Isn't this to be expected? When a normal user is logged in, virtualization
means that they see the virtualized data, be it files or Registry. So,
like
when looking at My Documents, when you browse HKCU, you are seeing the
user's "version" of HKLM. Just like when you look at your Desktop you see
all /your/ items, but also all items in the All Users Desktop. Even though
only the /added/ items are actually on the user's desktop.

I would expect that when browsing HKLM I'd see the values overlaid with the
virtualized data that is stored in HKCU but when browsing HKCU I'd expect to
see just that. Seeing HKLM data when browsing HKCU makes no sense to me.

It's more like viewing the all users desktop folder and also seeing the
files from the current user's desktop there. That doesn't happen because
that merge only happens in one direction. The registry virtualization is
happening in both directions. Interesting that although MS did that they
ensured that regedit disables it.
 
Jimmy Brush

Hello,

Putting a manifest on your application should prevent it from being
virtualized. You can double-check the virtualization of your application
using task manager. Right-click on your process in the processes tab,
and the virtualization menu item will be checked if it is being virtualized.

Note that if you are running inside of a standard user account, any
program that is running "as administrator" will see the HKCU of the
administrative user who authenticated with the UAC dialog, and not of
the standard user.

- JB
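Jimmy's second point, that an elevated process sees the administrator's HKCU rather than the desktop user's, handled explicitly, as an added example that is not code from the thread. It assumes an elevated PowerShell 3.0+ session on a machine where a standard user owns the interactive desktop; it resolves that user through Win32_ComputerSystem.UserName and reads their hive under HKEY_USERS by SID instead of HKCU. The HKU drive name and the function name are this example's own.

```powershell
# Added example, not from the thread. Assumes an elevated PowerShell 3.0+
# session in a standard user's desktop session. HKU drive/function names are
# this example's choices.
function Get-InteractiveUserHive {
    # Elevation runs the process under the administrator's token, so HKCU: is
    # the admin's hive. Find the desktop user and address their hive by SID.
    $account = (Get-CimInstance Win32_ComputerSystem).UserName   # DOMAIN\user
    if (-not $account) { throw 'No interactive user is logged on.' }
    $sid = (New-Object Security.Principal.NTAccount($account)).
               Translate([Security.Principal.SecurityIdentifier]).Value
    if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }
    [pscustomobject]@{
        Account = $account
        Sid     = $sid
        Path    = "HKU:\$sid"
        Loaded  = Test-Path "HKU:\$sid"   # hive is only mounted while that user is logged on
    }
}

$who  = [Security.Principal.WindowsIdentity]::GetCurrent().Name
$hive = Get-InteractiveUserHive
"This process runs as $who; HKCU: is that account's hive, not $($hive.Account)'s"
if ($hive.Loaded) {
    # Same key Bob scans, but in the desktop user's hive. Elevated processes are
    # never virtualized, so this is the physically stored content only.
    Get-ChildItem "$($hive.Path)\Software\Classes\VirtualStore\Machine\Software" -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty PSChildName
}
```

If the account that answered the UAC prompt is the same one that owns the desktop (an administrator in Admin Approval Mode), $who and Account coincide and HKCU: would have been correct anyway; the SID route gives the right answer in both cases.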
 
