Registry virtualization was introduced in Windows Vista and 7 to keep legacy applications working under User Account Control (UAC). Up to Windows XP, applications ran with administrator privilege by default, which let poorly written applications write to sensitive system areas without the user's knowledge. UAC was introduced to defend against this kind of attack: by default an application is launched with standard user privilege, and it must prompt the user if it requires elevated privilege.
Registry virtualization redirects write operations aimed at HKEY_LOCAL_MACHINE\Software to the per-user path HKEY_USERS\<User SID>_Classes\VirtualStore\Machine\Software.
Open registry virtualization – If the application does not have enough privilege to open a key with the access it requested, the key is opened with the maximum access the caller is allowed instead.
Write registry virtualization – If the application does not have enough privilege to write to the requested location, the write is performed under the virtual store path instead.
Read registry virtualization – The system presents a merged view of the virtual store and the original global key.
Virtualization is provided for:
- 32-bit interactive processes
- Keys under HKEY_LOCAL_MACHINE\Software
- Keys that an administrator can write to, when the calling application lacks that privilege
Virtualization is disabled for:
- 64-bit processes
- Processes without a GUI (e.g. services)
- Processes that impersonate a user
- Kernel-mode code such as drivers
- Processes that specify requestedExecutionLevel in their manifest
- Keys and subkeys of HKEY_LOCAL_MACHINE\Software\Classes, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows, and HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT
Applications that are required to run under Windows Vista and 7 must follow the UAC guidelines and should not use the registry to store application information. Microsoft may stop supporting this feature in upcoming versions of Windows, so keep your applications compatible with the latest platform.
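As an added example (not code from the original post), the following PowerShell script audits the current user's VirtualStore for keys that legacy applications have had redirected and rebuilds the merged view described under read virtualization above. The function names and the assumption that it runs in Windows PowerShell on a machine where some redirection has already occurred are mine.

```powershell
# Added example, not part of the original post: audit the current user's
# VirtualStore to find legacy applications whose HKLM\Software writes were
# redirected, and rebuild the merged view that read virtualization presents.
# Assumes Windows PowerShell with the Registry provider. Writing from
# PowerShell itself does not exercise virtualization: powershell.exe is 64-bit
# and carries a requestedExecutionLevel manifest, so it is excluded.

# HKCU\Software\Classes is a link to HKU\<User SID>_Classes, so this is the
# VirtualStore\Machine\Software location described in the post.
$VirtualStore = 'HKCU:\Software\Classes\VirtualStore\MACHINE\SOFTWARE'
$GlobalRoot   = 'HKLM:\SOFTWARE'

function Get-VirtualizedKeys {
    # One object per redirected key: its path relative to HKLM\Software, whether
    # a global key with that path exists, and the value names held in the copy.
    if (-not (Test-Path -LiteralPath $VirtualStore)) { return }
    Get-ChildItem -LiteralPath $VirtualStore -Recurse | ForEach-Object {
        # -replace is case-insensitive, which matches registry path semantics.
        $relative = $_.Name -replace '^.*?\\VirtualStore\\MACHINE\\SOFTWARE\\', ''
        [pscustomobject]@{
            RelativeKey   = $relative
            GlobalExists  = Test-Path -LiteralPath (Join-Path $GlobalRoot $relative)
            VirtualValues = @($_.GetValueNames())
        }
    }
}

function Get-MergedView {
    # Emulates read virtualization for one key: start from the global values in
    # HKLM, then overlay the per-user virtual copy, which wins on name collisions.
    param([Parameter(Mandatory = $true)][string]$RelativeKey)
    $merged = @{}
    foreach ($root in @($GlobalRoot, $VirtualStore)) {
        $key = Join-Path $root $RelativeKey
        if (Test-Path -LiteralPath $key) {
            $item = Get-Item -LiteralPath $key
            foreach ($name in $item.GetValueNames()) {
                $merged[$name] = $item.GetValue($name)
            }
        }
    }
    return $merged
}

# Keys listed here belong to applications still relying on virtualization; they
# are the ones to fix before the feature is removed or before a 64-bit rebuild.
Get-VirtualizedKeys | Format-Table -AutoSize
```

Call Get-MergedView with a relative key from the report (for example the value of RelativeKey for one row) to see exactly which values a virtualized 32-bit application would read for that key.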