Why Virtualization ?
· Applications from the Windows XP era, written when running with administrator privileges was the norm, can still work on Windows Vista: when such an application tries to write to a protected filesystem or registry location, it is transparently given a per-user virtual copy of that location instead.
Starting with Windows Vista, users, even those who are members of the local Administrators group, no longer run as administrators all the time: under User Account Control (UAC) their processes run with a standard-user token unless explicitly elevated. This limits the damage a user can do to the system by accident, or that malicious code running as that user can do on purpose. Applications that presumed administrator access therefore had compatibility problems on Windows Vista. For such legacy applications the problem is solved by filesystem and registry namespace virtualization.
· The purpose of virtualization is only to fix compatibility issues. New applications written for Vista and later should not assume they run as an administrator unless that is absolutely necessary; an application that declares a requestedExecutionLevel in its manifest is treated as Vista-aware and is not virtualized at all, so it must write only to locations the current user is allowed to write.
What problem does Virtualization address ?
In the XP era a standard user had no permission to write to "Program Files" or to HKEY_LOCAL_MACHINE, but Windows computers were usually single-user machines and users routinely enjoyed local administrator privileges, so applications that wrote to these locations got away with it.
What Microsoft recommends is the following:
a. The application is installed in the "Program Files" directory.
b. Machine-wide settings for the software are saved in a registry key under HKEY_LOCAL_MACHINE\Software.
c. The application runs from the "Program Files" folder and may be executed by different users. Each user's data is stored in that user's own profile (the Application Data folder under "Documents and Settings" on XP, the AppData folder under C:\Users on Vista).
d. Per-user application settings are stored under the key HKEY_CURRENT_USER\Software.
UAC does not virtualize files with executable extensions (exe, bat, dll, etc.).
How does Virtualization solve the problem ?
When a user's application tries to write to a system location (such as Program Files) and would receive an access-denied error, Windows Vista redirects the request to a per-user area: the VirtualStore folder under that user's LocalAppData, for example C:\Users\<username>\AppData\Local\VirtualStore\Program Files.
This process of detecting the failing access and intervening is called trapping. For the filesystem it is done by the virtualization file system driver Luafv.sys (%SystemRoot%\System32\Drivers\luafv.sys).
Registry writes under HKEY_LOCAL_MACHINE\Software are redirected the same way, to HKEY_CURRENT_USER\Software\Classes\VirtualStore\Machine\Software\AppNameOrVendorName (registry virtualization is performed by the kernel's registry code rather than by Luafv.sys). The VirtualStore location is created by the first redirected access; later accesses find it already present.
On every later access attempt the request is trapped and redirected to the virtual location again. The application remains blind to the virtualization taking place and behaves as though it were running with the administrative privileges it assumed.
Luafv.sys is the driver that does the file virtualization. If a process reads data that is not present in its VirtualStore, Luafv.sys looks in the real location, so the application sees a merged view: its own redirected writes layered over the global files. Because of this, two users running the same legacy application can see different "Program Files" contents. When troubleshooting, look for redirected data under %LOCALAPPDATA%\VirtualStore and under HKEY_CURRENT_USER\Software\Classes\VirtualStore, and use the "UAC Virtualization" column in Task Manager to see whether a given process is being virtualized.
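The trap-and-redirect behaviour described above, as an added Python model that is not part of the original article and is not Windows code: dictionaries stand in for the real filesystem/registry, for each user's VirtualStore and for the work of Luafv.sys and the registry redirection, so the logic (writes redirected to the user's VirtualStore, executable types excluded, reads falling through to the real location) can be run offline. The user names, the LegacyApp paths and the settings values are constructed sample data, and the exclusion list is limited to the extensions the article names.

```python
"""Offline model of UAC filesystem and registry virtualization.

This is a simulation, not Windows code: plain dictionaries stand in for the
real filesystem/registry and for each user's VirtualStore, so the
trap-and-redirect logic can be exercised without Windows.
"""
from dataclasses import dataclass, field

# Executable types are never virtualized (the article names exe, bat and dll;
# the real exclusion list in Windows is longer).
NON_VIRTUALIZED_EXTENSIONS = (".exe", ".bat", ".dll")

# Protected location a standard-user process cannot write. Only Program Files
# is modelled here; Windows virtualizes other system locations as well.
VIRTUALIZED_FILE_ROOT = r"C:\Program Files"
VIRTUALIZED_REGISTRY_ROOT = r"HKEY_LOCAL_MACHINE\Software"
REGISTRY_VIRTUAL_STORE = r"HKEY_CURRENT_USER\Software\Classes\VirtualStore\Machine"


def file_virtual_store(user):
    """Per-user VirtualStore folder under LocalAppData."""
    return "C:\\Users\\" + user + "\\AppData\\Local\\VirtualStore"


def redirect_file_path(path, user):
    """VirtualStore path for a protected file, or None if the path is not
    virtualized (outside the protected root, or an executable type)."""
    lower = path.lower()
    if lower.endswith(NON_VIRTUALIZED_EXTENSIONS):
        return None
    if lower.startswith(VIRTUALIZED_FILE_ROOT.lower() + "\\"):
        # Drop the drive letter: C:\Program Files\... -> <store>\Program Files\...
        return file_virtual_store(user) + path[2:]
    return None


def redirect_registry_key(key):
    """Map HKLM\\Software\\X to the VirtualStore\\Machine\\Software\\X key
    under HKCU, or return None for keys that are not virtualized."""
    root = VIRTUALIZED_REGISTRY_ROOT.lower()
    if key.lower() == root or key.lower().startswith(root + "\\"):
        return REGISTRY_VIRTUAL_STORE + key[len("HKEY_LOCAL_MACHINE"):]
    return None


@dataclass
class VirtualizedSystem:
    """Global namespace (admin-writable) plus per-user redirected copies."""
    global_ns: dict = field(default_factory=dict)
    virtual_ns: dict = field(default_factory=dict)  # keyed by (user, virtual path)

    def write(self, user, path, data, elevated=False):
        """Write attempt. An elevated process writes the real location. A
        standard-user process would get ACCESS_DENIED; the model traps that
        and redirects to the user's VirtualStore, or fails for paths that are
        not virtualized. Returns the location actually written."""
        if elevated:
            self.global_ns[path] = data
            return path
        target = redirect_file_path(path, user) or redirect_registry_key(path)
        if target is None:
            raise PermissionError("access denied: " + path)
        self.virtual_ns[(user, target)] = data
        return target

    def read(self, user, path):
        """Read with the merged view: the user's VirtualStore copy wins when
        present, otherwise fall through to the real location.
        Returns (data, location actually read)."""
        target = redirect_file_path(path, user) or redirect_registry_key(path)
        if target is not None and (user, target) in self.virtual_ns:
            return self.virtual_ns[(user, target)], target
        if path in self.global_ns:
            return self.global_ns[path], path
        raise FileNotFoundError(path)


def demo():
    """Constructed scenario: an elevated installer writes defaults, then a
    legacy app run by alice rewrites them. alice sees her redirected copy, bob
    still sees the installed default, the registry write lands under HKCU,
    and the exe cannot be replaced at all."""
    ini = r"C:\Program Files\LegacyApp\settings.ini"
    system = VirtualizedSystem()
    system.write("installer", ini, "colour=blue", elevated=True)
    written_to = system.write("alice", ini, "colour=red")
    alice_sees, _ = system.read("alice", ini)
    bob_sees, bob_loc = system.read("bob", ini)
    reg_written_to = system.write("alice", r"HKEY_LOCAL_MACHINE\Software\LegacyVendor", "licensed=1")
    try:
        system.write("alice", r"C:\Program Files\LegacyApp\app.exe", "replaced")
        exe_blocked = False
    except PermissionError:
        exe_blocked = True
    return written_to, alice_sees, bob_sees, bob_loc, reg_written_to, exe_blocked


if __name__ == "__main__":
    print(demo())
```

Running the module prints the tuple returned by demo(): the redirected settings path under alice's VirtualStore, alice's "colour=red", bob's "colour=blue" read from the real Program Files location, the HKCU VirtualStore key, and True for the blocked exe write. The per-user divergence is the point: a forensic examiner who only looks at C:\Program Files never sees what the legacy application wrote on alice's behalf.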
The redirection is illustrated in the diagram below:
About the Author: Saquib Farooq Malik is a senior Information Security Consultant at ITButler e-Services (www.itbutler.com.au). Saquib specializes in Vulnerability Assessment and Penetration Testing and in implementations of ISO 27001 in different corporate environments in the Middle East. He is a CISSP, an ITILv3 Foundation certified professional, an ISO 27001 Lead Auditor, a Tenable Certified Nessus Auditor and a Lumension Certified Engineer.