
Virtual Registry vs. "Real registry"

Skeeto (Newbie, Denmark), posted 25 May 2007 at 1:06am:

Hi All

Is there any way to read a registry value and know if it's really in registry or only existing in virtual registry?
 
It seems that if a value is written in a user's virtual registry, a call to read the registry will return the value from the virtual registry, even if the original values are deleted from the registry (e.g. by uninstall).
 
Is there any way to delete a key in the virtual registry without knowing the user? Or am I understanding this correctly: a delete in the registry will not delete the virtual registry keys for that user too?
 
All the best
 
Skeeto
molotov (Moderator), posted 25 May 2007 at 6:00am:
Hi Skeeto,
 
Perhaps you would like to read Mark's "Inside Windows Vista User Account Control" article on TechNet - it may not answer all of your questions completely, but could at least give you some hints / suggestions.  I suspect that the answers to your questions may vary based on specific scenarios (64-bit process? manifest file? admin rights?).
Daily affirmation:
net helpmsg 4006
Skeeto, posted 27 May 2007 at 12:33am:
Hi Molotov
 
Thanks for answering. I will try to clarify a bit.
We have been making children's games for Windows since 1996. Those were the happy days of 3.11, hehe. Through all the changes we have done a lot to be compatible and do "the right thing". XP was a big change and we redesigned our programs to read/write the correct places in the registry and folders. Old versions wouldn't work.
With Vista there is a change. Some of the older versions work again (well, to some extent). Users never know the difference; the program writes to the virtual registry etc.
Our problems start if a user installs an old version they got somehow. Should they try to upgrade to the latest version, the uninstall of the old program will leave some keys in the virtual registry (and some files in folders too, but never mind them). The problem is that after installation of the newest program, a read of the registry will return the key and key value from the virtual registry, even if there is nothing in the "real" registry. Nowadays we of course don't write to local machine, except during install, but we do read there.
 
I hope I have clarified the problem a bit.
Thanks for your time.
 
Skeeto
molotov, posted 28 May 2007 at 8:19pm:
Hi Skeeto,
 
Some of my thoughts...
Originally posted by Skeeto:

Is there any way to read a registry value and know if it's really in registry or only existing in virtual registry?

It appears that it is easier to tell if a key only exists in the global store, than to tell if it exists in the virtual store.
Check the explanation of the flags (REG_KEY_DONT_VIRTUALIZE, REG_KEY_DONT_SILENT_FAIL, REG_KEY_RECURSE_FLAG) in Mark's TechNet article.
 
Originally posted by Skeeto:

It seems if a value is written in a users virtual registry, a call to read registry will return the value in virtual registry, even if the original values are deleted from registry (eg by uninstall).

Values, yes - it seems that an approximation of this scenario is described in Registry Virtualization on MSDN.
Keys, it would seem to be no, as the flags are stored with the key; if the global key is gone it would seem that there is no flag to tell that it should or should not be virtualized.
 
Originally posted by Skeeto:

Is there any way to delete a key in virtual registry without knowing the user? Or am I understanding this correctly: A delete in registry will not delete virtual registry keys for that user too?

I suspect for keys a delete from the global store would result in at least the inability to access them from the virtual store, for the reason mentioned above.  However, this theory is untested by me, so it is just that - a theory.
 
Originally posted by Skeeto:

uninstall of old program will leave some keys in virtual registry (and some files in folders too, but nvm them). The problem is after installation of newest program, a read in registry will return the key and key value in the virtual registry, even if there is nothing in the "real" registry.

Have you verified this with Process Monitor?
 

It would seem that if you would set the aforementioned registry flags on the key(s) you were having problems with, there should be no concern, as any values that might be stored in the virtualized registry would be irrelevant. Alternatively, if you made your app compatible with Vista and include a manifest, it would seem like you would be OK as well, as Mark writes:
"For the purposes of this virtualization, Windows Vista treats a process as legacy if it's 32-bit (versus 64-bit), is not running with administrative rights, and does not have a manifest file indicating that it was written for Windows Vista"

Skeeto, posted 30 May 2007 at 12:34am:
Hi Molotov
Thanks a lot for your input.
 
Some more facts and thoughts:
1) The flags (REG_KEY_DONT_VIRTUALIZE, REG_KEY_DONT_SILENT_FAIL, REG_KEY_RECURSE_FLAG): it appears they can be set using a command line interface with reg.exe. Is this correct, or is there a Windows API call?
 
2) "uninstall of old program will leave some keys in virtual registry" is verified. That is, if said program has attempted a write and virtualization creates keys and values in the virtual registry. Is there a way to ensure deletion of all virtual registry keys for every user when deleting the HKEY_LOCAL_MACHINE key?
 
3) After trying a few times with a manifest file it seems this might work for our C++ projects. However, we have 8 Macromedia Director projects and compiling a manifest file into those exe's doesn't seem a possibility. Our conclusion is that manifest files are a solution for apps made in C++, C#, VB etc., in other words developed with Visual Studio.
 
However, after this investigation it seems that virtualization will not be supported in coming versions of Windows, as it is not on 64-bit.
 
All the best
 
Skeeto
 
molotov, posted 30 May 2007 at 6:53am:
Originally posted by Skeeto:

Is this correct or is there a windows api call?
Reg.exe has to be doing it somehow... But I honestly can't find any information on what API one might use to do it.  Probably, the import tables in Vista's REG.EXE and REGEDIT.EXE (not sure offhand if it allows one to manipulate the flags) hold the answer.  I'll try to check later.
 
Originally posted by Skeeto:

Is there a way to ensure deletion of all virtual registry keys for every user when deleting the HKEY_LOCAL_MACHINE key?
I suppose from an admin account one might be able to do something like iterate through the registry virtual roots (HKEY_USERS\<USER_SID>\Software\Classes\VirtualStore\MACHINE\SOFTWARE), looking for the (un)desired keys. Not tested though - just speculating that this might work.
Again, though - if the reg flags are set appropriately, this wouldn't seem to be an issue.  And if you were able to make your programs not be considered legacy, it would also seem that virtualization would not be an issue.
 
Originally posted by Skeeto:

Our conclusion is manifest files is a solution for apps made in C++, C#, VB etc. - in other words developed with Visual studio.

"The MT.EXE tool that ships with Visual Studio or the Vista SDK can allow you to embed a manifest as a Windows Resource in an EXE file."
Haven't tried it, but seems like it should work for Director.
Additional info here.
 
Originally posted by Skeeto:

it seems that Virtualization will not be supported in coming versions of Windows
Yes, the Registry Virtualization article on MSDN does state:
"This form of virtualization is an interim application compatibility technology; Microsoft intends to remove it from future versions of the Windows operating system as more applications are made compatible with Windows Vista."
 
Originally posted by Skeeto:

as it is not on 64bit
EDIT:
I'm a bit torn on how to interpret 64-bit Vista's support for UAC / virtualization.  To me, it would seem that it is on 64-bit, but 64-bit processes are not virtualized as they are not considered legacy.
 
Paul Thurrott states in the May 2007 Windows IT Pro "What You Need to Know" article about "More Vista Security Technologies":
"Because file system and registry virtualization is a stop-gap measure intended to make legacy software compatible with Vista, such virtualization is available only in the 32-bit versions of Vista."
 
Mark's Technet article on UAC doesn't explicitly state that file system and registry virtualization are or are not available on 64-bit Vista, but I'm inclined to think that they are because there is presumably a strong chance that one might run a "legacy" 32-bit process that will need to be virtualized, on the 64-bit OS.
 
Mark's article does state:
"For the purposes of this virtualization, Windows Vista treats a process as legacy if it's 32-bit (versus 64-bit) [...]"
Since a 64-bit process cannot run on a 32-bit version of Vista, can the distinction be interpreted as meaning that a 32-bit process running on 64-bit Vista will be considered "legacy"*, and thus subject to virtualization?
 
*=barring other "legacy" considerations


Edited by molotov - 30 May 2007 at 1:13pm
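A way to check where such a key actually lives, covering Skeeto's "real or virtual?" question and the VirtualStore path molotov names above. This is an added PowerShell example, not code from the thread: it compares the global HKLM\SOFTWARE key with each loaded user's VirtualStore copy. The vendor key path and value name are placeholders, and it assumes an elevated PowerShell 3.0 or later session on Vista or newer.

```powershell
# Added example: compare a HKLM\SOFTWARE subkey with each loaded user's VirtualStore copy.
# Assumes an elevated PowerShell 3.0+ session on Vista or later; paths below are placeholders.
param(
    [string]$RelativePath = 'ExampleVendor\ExampleGame',   # placeholder, relative to HKLM\SOFTWARE
    [string]$ValueName    = 'InstallDir'                   # placeholder value name to compare
)

function Get-KeyState {
    # Summarises one registry path: does the key exist, and what does $ValueName hold there?
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Exists = $false; Value = $null }
    }
    $item = Get-ItemProperty -LiteralPath $Path -ErrorAction SilentlyContinue
    $val  = if ($item -and $item.PSObject.Properties[$ValueName]) { $item.$ValueName } else { $null }
    [pscustomobject]@{ Path = $Path; Exists = $true; Value = $val }
}

# The "real" key, as an elevated (non-virtualized) process sees it.
$globalKey = Get-KeyState "HKLM:\SOFTWARE\$RelativePath"

# One VirtualStore root per loaded user hive. Only users logged on since boot have a hive
# under HKEY_USERS; other profiles would need "reg load" first. On 64-bit Windows a 32-bit
# legacy app's copy sits under ...\VirtualStore\MACHINE\SOFTWARE\Wow6432Node\ instead.
$virtual = Get-ChildItem 'Registry::HKEY_USERS' |
    Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' } |
    ForEach-Object {
        $sid = $_.PSChildName
        $vs  = "Registry::HKEY_USERS\$sid\Software\Classes\VirtualStore\MACHINE\SOFTWARE\$RelativePath"
        Get-KeyState $vs | Add-Member -MemberType NoteProperty -Name Sid -Value $sid -PassThru
    }

Write-Host "Global key:"
$globalKey | Format-List Path, Exists, Value
Write-Host "VirtualStore copies:"
$virtual | Where-Object { $_.Exists } | Format-Table Sid, Value, Path -AutoSize

# The uninstall-leftover case from the thread: a per-user copy survives with no global key,
# so a virtualized read of HKLM by a legacy process still returns the stale value.
$orphans = @($virtual | Where-Object { $_.Exists -and -not $globalKey.Exists })
if ($orphans.Count -gt 0) {
    Write-Warning "$($orphans.Count) user hive(s) still carry a VirtualStore copy of $RelativePath with no global key."
}
```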
molotov, posted 30 May 2007 at 6:57pm:
Originally posted by molotov:

Reg.exe has to be doing it somehow... But I honestly can't find any information on what API one might use to do it.  Probably, the import tables in Vista's REG.EXE and REGEDIT.EXE (not sure offhand if it allows one to manipulate the flags) hold the answer.  I'll try to check later.
Doesn't look like REGEDIT.EXE provides an interface to inspect / adjust these flags.
 
REG.EXE appears to use undocumented native APIs (NtQueryKey and NtSetInformationKey) to manipulate the flags.
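Since the thread settles on reg.exe as the only supported way to touch these flags, here is an added PowerShell example (not from the thread) that drives its FLAGS subcommand to query the three flags on a vendor key and set them the way molotov suggests for an installer. It assumes Vista or later, an elevated session, and a placeholder key path; the flags only apply to keys under HKLM\SOFTWARE.

```powershell
# Added example: query and set per-key virtualization flags with reg.exe's FLAGS subcommand
# (Vista and later). Run elevated; the key path is a placeholder and must live under HKLM\SOFTWARE.
$Key   = 'HKLM\SOFTWARE\ExampleVendor\ExampleGame'   # placeholder vendor key, reg.exe syntax
$PsKey = $Key -replace '^HKLM\\', 'HKLM:\'          # same key as a PowerShell provider path

function Get-RegKeyFlags {
    # Runs "reg flags <key> query" and returns a hashtable: flag name -> $true if SET.
    param([string]$KeyPath)
    $out = & reg.exe flags $KeyPath query 2>&1
    if ($LASTEXITCODE -ne 0) { throw "reg flags query failed for ${KeyPath}: $out" }
    $flags = @{}
    foreach ($line in $out) {
        # Output lines look like "    REG_KEY_DONT_VIRTUALIZE: CLEAR"; the prefix is treated as optional.
        if ("$line" -match '(?:REG_KEY_)?(DONT_VIRTUALIZE|DONT_SILENT_FAIL|RECURSE_FLAG):\s*(SET|CLEAR)') {
            $flags[$Matches[1]] = ($Matches[2] -eq 'SET')
        }
    }
    return $flags
}

function Set-RegKeyFlags {
    # SET replaces the whole flag set: any flag not listed is cleared, so pass every flag you want.
    # DONT_VIRTUALIZE  : writes by a legacy process are not redirected to the user's VirtualStore
    # DONT_SILENT_FAIL : a failed open-for-write is not silently retried with reduced access
    # RECURSE_FLAG     : apply the same setting to subkeys
    param([string]$KeyPath, [string[]]$Flags)
    $out = & reg.exe flags $KeyPath SET $Flags 2>&1
    if ($LASTEXITCODE -ne 0) { throw "reg flags set failed for ${KeyPath}: $out" }
}

# Typical installer step: create the vendor key while elevated, then opt it out of virtualization.
if (-not (Test-Path -LiteralPath $PsKey)) { New-Item -Path $PsKey -Force | Out-Null }

Write-Host "Before:"; Get-RegKeyFlags $Key | Format-Table -AutoSize
Set-RegKeyFlags $Key @('DONT_VIRTUALIZE', 'DONT_SILENT_FAIL', 'RECURSE_FLAG')
Write-Host "After:";  Get-RegKeyFlags $Key | Format-Table -AutoSize

# Caveat from the thread: this changes how the global key is treated from now on; it does not
# delete copies already sitting in any user's VirtualStore, and once the global key is removed
# there is no flag left on it to consult.
```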
Skeeto, posted 31 May 2007 at 5:06am:
Hi Molotov
 
Again, many thanks for your time and advice.
 
I tried to embed a manifest file again in the Director projector files, with no luck though. I know for sure that previous versions of Director projector exe's were not "normal" exe files. I don't know for sure if the latest version is 100% compatible. I have asked in the Director forum about any experience with embedding a manifest file. I do know we can digitally sign them though.
 
What happens is I get no error message, but the file shrinks in size and I can see the internal media are missing after embedding the manifest.
 
I think we will leave the problem as it is and support the hopefully few customers with this problem (getting old software installed on Vista) on a per-case basis.
The new versions we make will behave nicely and shouldn't create any problems with virtualization at all.
 
All the best
 
Skeeto
 
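The MT.EXE route molotov quoted earlier, as an added PowerShell example rather than anything from the thread: it writes a minimal manifest carrying the requestedExecutionLevel element that marks a 32-bit process as written for Vista (and so exempt from virtualization), embeds it, and keeps a backup because of the shrinking-file symptom Skeeto reports. It assumes mt.exe (Visual Studio or the Windows SDK) is on PATH; the binary path is a placeholder.

```powershell
# Added example: embed a Vista-aware manifest with mt.exe, keeping a backup of the binary.
# Assumes mt.exe is on PATH; the target path is a placeholder without spaces.
param([string]$Exe = '.\ExampleGame.exe')   # placeholder target binary

# An application manifest whose requestedExecutionLevel element marks the process as
# written for Vista, so it is no longer treated as "legacy" and is not virtualized.
$manifest = @'
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <!-- asInvoker: run with the caller's token, no elevation prompt -->
        <requestedExecutionLevel level="asInvoker" uiAccess="false"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>
'@

$manifestPath = "$Exe.manifest"
Set-Content -LiteralPath $manifestPath -Value $manifest -Encoding UTF8

# Keep a copy before touching the file: mt.exe rewrites the resource section, and a binary
# that carries extra data after the PE image (a Director projector's media, for instance)
# can lose it, which would explain the shrinking file Skeeto describes.
$backup = "$Exe.bak"
Copy-Item -LiteralPath $Exe -Destination $backup -Force
$before = (Get-Item -LiteralPath $Exe).Length

$outRes = "-outputresource:$Exe;#1"   # resource id 1 is the manifest id for an .exe (2 for a DLL)
& mt.exe -nologo -manifest $manifestPath $outRes
if ($LASTEXITCODE -ne 0) { throw "mt.exe failed with exit code $LASTEXITCODE" }

$after = (Get-Item -LiteralPath $Exe).Length
if ($after -lt $before) {
    Write-Warning "Binary shrank from $before to $after bytes; restoring $backup."
    Copy-Item -LiteralPath $backup -Destination $Exe -Force
} else {
    Write-Host "Manifest embedded ($before -> $after bytes). Test-launch the binary before shipping."
}
```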