Nguyen Huu Phan Hoang Ho

File Virtualization in Windows 7

When Microsoft developed Windows 7, the company realized that taking away administrative privileges from users would break a lot of applications. That's why they needed a fix to make sure that, for the time being, those old applications which do not behave according to Windows security best practices keep working on the new operating system. File virtualization is the fix for these applications.


File virtualization makes a "misbehaving" application that runs as a standard user think it is still allowed to write to one of the well-known "no go areas," while the data is actually stored in a different location that is fully accessible to a standard user account. So, when an application tries to write data to C:\Windows, the write is redirected to a per-user location under %USERPROFILE% instead of failing with an "Access Denied" message. A subsequent read is also redirected to the alternative location, so that the application can retrieve the data that was redirected earlier.
Windows file virtualization is a temporary workaround that is planned to be removed from the next version of Windows after Windows 7.


When Are Files Virtualized?
Windows file virtualization will kick in only under the following circumstances:

  • When the user is logged on as a standard user or administrator in Admin Approval mode.
  • When the application is not a part of Windows 7.
  • When the application is not a 64-bit application.
  • When User Account Control (UAC) is enabled.
  • When the application tries to write to a specific file or registry location where it has no write permissions.
  • When the user running the application is logged on locally.

How File Virtualization Works
File virtualization virtualizes only the following folders:
  • %windir% and its subfolders
  • \Program Files and its subfolders
  • \Program Files (x86) and its subfolders

This list cannot be extended.
All redirected files are stored in the following location:
%USERPROFILE%\AppData\Local\VirtualStore
When a virtualized application tries to store a file in C:\Windows, for instance, the write action gets redirected to the following location:
C:\Users\username\AppData\Local\VirtualStore\Windows
Figure 1. The effect of file virtualization
To let the application read back the file it just stored through file virtualization, Windows uses an alternative lookup scheme for reads while file virtualization is active. Windows first looks in the VirtualStore folder to see if the file is there before looking in the protected folder the application is trying to read.
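The redirect and the read order described above can be modelled on plain path strings, which is also how you map a file found under VirtualStore back to the protected file it shadows when working out which copy a legacy application actually reads. This is an added example, not code from the article or from Microsoft; the function names, the profile C:\Users\alice, the LegacyApp paths and the assumption that %windir% is \Windows on drive C: are all constructed for illustration.

```python
import ntpath  # Windows path rules on any OS, so the example runs offline

# Folders the article lists as virtualized. Assumption: %windir% is \Windows.
VIRTUALIZED_ROOTS = ("windows", "program files", "program files (x86)")

def virtual_store_path(requested, user_profile):
    """Where a redirected write to `requested` lands; None if not virtualized."""
    _, tail = ntpath.splitdrive(ntpath.normpath(requested))
    rel = tail.lstrip("\\")
    if rel.split("\\", 1)[0].lower() not in VIRTUALIZED_ROOTS:
        return None
    return ntpath.join(user_profile, "AppData", "Local", "VirtualStore", rel)

def resolve_read(requested, user_profile, existing):
    """Read order from the article: VirtualStore copy first, then the real path."""
    have = {ntpath.normcase(p) for p in existing}
    shadow = virtual_store_path(requested, user_profile)
    if shadow and ntpath.normcase(shadow) in have:
        return shadow
    return requested if ntpath.normcase(requested) in have else None

def audit(user_profile, files, system_drive="C:"):
    """Map every file under VirtualStore back to the protected path it shadows."""
    prefix = ntpath.normcase(
        ntpath.join(user_profile, "AppData", "Local", "VirtualStore")) + "\\"
    return [(f, ntpath.join(system_drive + "\\", f[len(prefix):]))
            for f in files if ntpath.normcase(f).startswith(prefix)]

if __name__ == "__main__":
    profile = r"C:\Users\alice"  # constructed sample profile
    files = [  # constructed file listing
        r"C:\Program Files (x86)\LegacyApp\settings.ini",
        profile + r"\AppData\Local\VirtualStore\Program Files (x86)\LegacyApp\settings.ini",
        r"C:\Windows\win.ini",
    ]
    for shadow, real in audit(profile, files):
        print(f"{shadow}\n  shadows {real}")
    print(resolve_read(r"C:\Program Files (x86)\LegacyApp\settings.ini", profile, files))
```

In the sample listing the per-user copy of settings.ini wins over the one in Program Files, so an edit made to the protected file by an administrator would not be seen by that user's virtualized application.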
By default, programs that belong to Windows 7 are not virtualized. This means that programs such as CMD.exe and Notepad.exe will not be virtualized. 64-bit applications are also never virtualized. Virtualization is enabled by default for all other applications on Windows 7. To see whether an application is virtualized, add the Virtualization column to the Processes tab in Task Manager.


Using Group Policy to Disable File Virtualization
Group Policy contains two security settings that you can use to turn off file virtualization:

  • User Account Control: Run all administrators in Admin Approval mode. When this setting is disabled, UAC is disabled, including file and registry virtualization.
  • User Account Control: Virtualize file and registry write failures to per-user locations. When disabled, this setting will disable only file and registry virtualization.

By Raymond Comvalius, IT Infrastructure Specialist and STEP Member