Tuesday, January 21, 2014

Filesystem and Registry Virtualization in UAC

This article discusses the filesystem (FS) and registry virtualization that UAC performs to support legacy applications while still not giving them full administrator access to critical filesystem and registry areas. FS and registry virtualization are main components of UAC in Windows. We will look at the why, who and what of FS and registry virtualization.

Why Virtualization?

· Applications from the XP era, which assumed they were running with administrative privileges, can still work in Vista because when they try to access the filesystem or registry they are given a virtual filesystem and registry.

Starting with Windows Vista, users, even those who are members of the local admin group, cannot be administrators constantly. This is so that users do not cause damage to the system by accident or by malicious intent. Applications that presumed administrator access had compatibility problems with Windows Vista. This problem for legacy applications is solved using filesystem and registry namespace virtualization.

· The purpose of virtualization is only to fix compatibility issues. New applications written in the post-Vista era should not be written with the assumption that they run as the admin user unless absolutely necessary.


What problem does Virtualization address?


In the times of XP, the standard user did not have permission to write to “Program Files” or HKEY_LOCAL_MACHINE, but Windows computers are normally a single-user environment and users have enjoyed local admin privileges.
What Microsoft recommends is the following:

a. Applications install in the “Program Files” directory.
b. The settings for the software can be saved in a registry key under HKEY_LOCAL_MACHINE\Software.
c. The applications can run from the “Program Files” folder and will be executed by different users. The data for each user will be stored in the AppData folder under “Documents and Settings”.
d. The application settings for individual users will be stored in the key HKEY_CURRENT_USER\Software.

UAC does not virtualize various executable files (exe, bat, dll, etc.).

How does virtualization solve the Problem

When a user’s application tries to access a system location (like Program Files) and gets an access denied error, Windows Vista redirects the request to a per-user area under that user’s LocalAppData folder, such as C:\Users\<username>\AppData\Local\VirtualStore\Program Files.
This process of detecting an error and intervening is called “trapping” and is done by the virtualization file driver Luafv.sys (%SystemRoot%\System32\Drivers\luafv.sys).

Similarly, in the case of registry access the process is redirected to HKEY_CURRENT_USER\Software\Classes\VirtualStore\Machine\Software\AppNameOrVendorName. The VirtualStore folder is created for the first process that attempts such access; later processes do not need to create it.


On repeated access attempts, luafv.sys traps and redirects again to the virtual location. The application remains blind to the underlying virtualization taking place and thinks that it is running in its assumed admin-privileged mode.


Luafv.sys is the driver that does the virtualization. If a process tries to access a piece of data from the Virtual Store and does not find it, Luafv.sys will look in the actual location.
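The redirection and read fall-through rules described above can be modelled in a few functions. This is an added example, not code from the original post or from Windows. The function names, the user `alice` and the sample paths are constructed, and only the locations and the three extensions the article names are modelled. `original_file` goes one step beyond the text: it maps a file found in a VirtualStore back to the real path, which is how an auditor spots legacy applications that still depend on virtualization.

```python
import ntpath  # Windows path semantics on any OS, so this runs offline

# Assumptions: only the locations the article names are modelled, and only the
# three extensions it lists count as never virtualized (its "etc." is open).
PROTECTED_DIR = r"C:\Program Files"
PROTECTED_KEY = r"HKEY_LOCAL_MACHINE\Software"
VIRTUAL_KEY = r"HKEY_CURRENT_USER\Software\Classes\VirtualStore\Machine\Software"
NOT_VIRTUALIZED = {".exe", ".bat", ".dll"}
STORE = ("AppData", "Local", "VirtualStore")


def virtual_file(path, user):
    """VirtualStore target of a denied write, or None when nothing is redirected."""
    path = ntpath.normpath(path)  # collapses "..", converts "/" to "\"
    if not path.lower().startswith(PROTECTED_DIR.lower() + "\\"):
        return None  # outside the protected tree
    if ntpath.splitext(path)[1].lower() in NOT_VIRTUALIZED:
        return None  # executables are not virtualized: access stays denied
    drive, tail = ntpath.splitdrive(path)
    return ntpath.join(drive + "\\", "Users", user, *STORE, tail.lstrip("\\"))


def virtual_key(key):
    """Per-user key that a denied write under HKLM\\Software is redirected to."""
    prefix = PROTECTED_KEY.lower() + "\\"
    if not key.lower().startswith(prefix):
        return None
    return VIRTUAL_KEY + "\\" + key[len(prefix):]


def resolve_read(path, user, existing):
    """File a legacy process ends up reading: virtual copy first, else the real one."""
    vpath = virtual_file(path, user)
    if vpath and vpath.lower() in existing:
        return vpath
    return ntpath.normpath(path)


def original_file(vpath):
    """Audit helper: real location that a file found in a VirtualStore stands in for."""
    marker = "\\" + "\\".join(STORE).lower() + "\\"
    idx = vpath.lower().find(marker)
    if idx < 0:
        return None
    return ntpath.splitdrive(vpath)[0] + "\\" + vpath[idx + len(marker):]


# Constructed sample state: one file already redirected for user "alice".
SAMPLE_FS = {r"c:\users\alice\appdata\local\virtualstore\program files\legacyapp\settings.ini"}
```

Because the store is per user, `resolve_read` returns different files for `alice` and for a user with no virtual copy, which is why settings written by a virtualized application are not visible to other accounts.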

The redirection is illustrated in the diagram below:


About the Author: Saquib Farooq Malik is a senior Information Security Consultant at ITButler e-Services (www.itbutler.com.au). Saquib specializes in Vulnerability Assessment and Penetration Testing, and implementations of ISO 27001 in different corporate environments in the Middle East.
He is a CISSP, an ITILv3 Foundation certified professional, ISO 27001 Lead Auditor, Tenable Certified Nessus Auditor and a Lumension Certified Engineer.
