Protecting System Files with UAC Virtualization (Part 2)

If you missed the first part in this article series please read Protecting System Files with UAC Virtualization (Part 1).

Windows Vista comes with an excellent tool to help prevent your system files, folders, and Registry from becoming compromised, which is User Account Control Virtualization. UAC Virtualization helps prevent applications from writing to protected system resource locations by redirecting the “Writes” to a location where the user has access, which is their own personal profile. The end result of this virtualization is that the user is still able to run these applications, but the data that is written by the application is not sent to the system location, helping protect the stability of the overall operating system. With the virtualization, it also means that multiple users are now able to run the application on the same computer, as each of their personal data is written to their own user profile. In this article, I will show you how to control UAC virtualization using Group Policy, the Registry, and Task Manager.

UAC Related Group Policy Settings

UAC has many options associated with it to help control the behavior of UAC on all of your Vista computers. Of course, Group Policy is the ideal solution to control UAC, as well as nearly every other Vista configuration, as it provides a centralized management solution for these settings.

Within any GPO you can find the settings that control UAC under the Computer Configuration section. Since UAC is a security related setting, you will find that it is under the standard Security Options node, which can be found at Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options, as shown in Figure 1.


Figure 1: UAC settings are located under the Security Options node under the Computer Configuration section

The UAC settings within the GPO are located at the bottom of the Security Options list, which will appear on the right hand pane. To see the list, just select the Security Options node on the left pane, as shown in Figure 2.


Figure 2: The UAC settings are all located at the bottom of the Security Options list of settings

Here you will find all of the controls you need to set up UAC on a Vista and Windows Server 2008 computer. Notice that you can control how UAC behaves when an Administrator is logged in, as well as when a standard user is logged in. The very last option controls how the virtualization associated with UAC behaves. This setting is labeled “User Account Control: Virtualize file and registry write failures to per-user locations”.

Enabling this policy setting turns on virtualization of file and Registry writes. If this setting is not configured for your Vista computers and you want to set it, you will first need to set this policy to Enabled, as shown in Figure 3.


Figure 3: To virtualize file and Registry writes, set the policy to Enabled

After you configure this policy setting, you will need to ensure it applies to the Vista computers. You will need to restart the Windows Vista computer for this setting to take effect, as it is only applied during a foreground policy refresh before files and the Registry start being virtualized. Once the Vista computer is back up, file and Registry locations will be virtualized.

Tip:
Foreground policy settings that fall under Computer Configuration require the computer to be restarted, whereas foreground policy settings that fall under User Configuration require the user to log off and back on to take effect.

Task manager virtualization

Now that you have ensured that UAC is virtualizing your file and Registry updates, you should verify that each process is performing the virtualization appropriately. To view (and, as you will soon see, control) UAC virtualization, launch Task Manager. The easiest way I have found to launch Task Manager is to right-click on the taskbar and then select the Task Manager menu option. When Task Manager initially starts, you will be on the Applications tab. You need to switch to the Processes tab in order to see the virtualization.

Now that you are on the Processes tab in Task Manager, you will see there is no initial indication of virtualization. Showing it is easy: select the View menu, then click on the Select Columns option. At the bottom of this list you will see a check box for Virtualization, as shown in Figure 4.


Figure 4: Add the Virtualization column to the Processes view in Task Manager

Once you save your new column view, you should see a new column, Virtualization, in the main Task Manager view under the Processes tab, as shown in Figure 5.


Figure 5: Virtualization column added to the Processes tab in Task Manager

If you want to see all of the processes and their virtualization status, you will need to click on the “Show processes from all users” button, which will also include system processes. You will notice that the processes owned by SYSTEM, Network Service, and Local Service are not allowed to be virtualized. Again, this goes back to my last article on which applications and processes are virtualized.

Reg hack to add extensions

As you can see from Figure 5, none of the executables that are run directly are virtualized. This is because .exe, .bat, .scr, .vbs, and other extensions are excluded from the standard virtualization. This can cause problems if a program needs to update itself. A standard user will not be able to do this, as the application will be running from protected areas.

If you have an application file extension that you need to add to this initial list of non-virtualized extensions, you can do so by modifying the Registry. To add your extension to the exception list of non-virtualized extensions, enter it under the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Luafv\Parameters\ExcludedExtensionsAdd Registry value. This value does not exist by default, so you will need to create the ExcludedExtensionsAdd Registry value yourself; when you do, use the multi-string (REG_MULTI_SZ) Registry value type. The extensions are added without the preceding dot, so .exe would just be exe. After modifying the list of extensions, reboot your computer so the change can take effect.
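The following PowerShell script is an added example, not part of the original article, that applies the Registry change above in a repeatable way: it normalizes the extensions (no leading dot), merges them into any existing ExcludedExtensionsAdd list as a multi-string value, and reports whether the GPO-backed EnableVirtualization value is set. The sample extensions in $ExtensionsToExclude are constructed input, and the EnableVirtualization value under the Policies\System key is the known backing value for the policy from Figure 3 rather than something the article names.

```powershell
# Added example: audit and extend the luafv extension exclusion list.
# Run from an elevated PowerShell prompt; a reboot is still required afterwards.
param(
    [string[]] $ExtensionsToExclude = @('.cfg', 'dat', 'DAT')   # constructed sample input
)

$luafvKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Luafv\Parameters'
$valueName = 'ExcludedExtensionsAdd'

# 1. Make sure the virtualization filter driver service exists before touching its key.
$svc = Get-Service -Name 'luafv' -ErrorAction SilentlyContinue
if (-not $svc) { throw 'luafv service not found; UAC virtualization is not available here.' }

# 2. Report whether the "Virtualize file and registry write failures" policy is on.
#    EnableVirtualization = 1 means the policy (or the local security option) is enabled.
$polKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$pol = Get-ItemProperty -Path $polKey -Name 'EnableVirtualization' -ErrorAction SilentlyContinue
if ($pol -and $pol.EnableVirtualization -eq 1) {
    Write-Host 'UAC virtualization policy: Enabled'
} else {
    Write-Warning 'UAC virtualization policy is not enabled; the exclusion list will have no effect.'
}

# 3. Normalize input: strip the leading dot the article warns about, lower-case, dedupe.
$wanted = $ExtensionsToExclude |
    ForEach-Object { $_.Trim().TrimStart('.').ToLowerInvariant() } |
    Where-Object { $_ -ne '' } |
    Sort-Object -Unique

# 4. Read whatever is already configured (the value may not exist yet).
$existing = @()
$item = Get-ItemProperty -Path $luafvKey -Name $valueName -ErrorAction SilentlyContinue
if ($item) { $existing = @($item.$valueName) }

$merged = @($existing + $wanted | Sort-Object -Unique)
$added  = @($merged | Where-Object { $existing -notcontains $_ })

if ($added.Count -eq 0) {
    Write-Host "No change: already excluded: $($existing -join ', ')"
} else {
    # 5. Write the merged list as REG_MULTI_SZ, the type the article specifies.
    if (-not (Test-Path $luafvKey)) { New-Item -Path $luafvKey -Force | Out-Null }
    Set-ItemProperty -Path $luafvKey -Name $valueName -Value $merged -Type MultiString
    Write-Host "Added to ${valueName}: $($added -join ', '). Reboot for the change to take effect."
}
```

Because the list is merged rather than overwritten, running the script twice with the same input is safe and leaves extensions configured by someone else intact.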

Real-time Virtualization

If you want to virtualize an application or process that is not already virtualized, you can do this on the fly. To perform this task, you will need to be in Task Manager. Within Task Manager, get to the Processes tab, like we did before. Then, select the process that you want to virtualize. From there, right-click the process and then click the Virtualization menu option. This will present you with a confirmation dialog box, as shown in Figure 6.


Figure 6: Confirmation dialog box that you want to virtualize the process 

After you virtualize the application, the process will now show Enabled in the Processes tab list of processes.

Summary

The ability to control the different aspects of UAC virtualization gives administrators management over which applications are virtualized. Within any GPO, the control over every aspect of UAC is easy to use and easy to deploy via Active Directory. After UAC is enabled and the virtualization of files and the Registry is enabled, your Windows Vista computers should start to virtualize processes that were not virtualized before. You can see what has been virtualized within Task Manager, giving you a clear picture of what has been virtualized and what has not.
