data redirection - managedaz12722.vo.msecnd.net/windows7trainingcourse1-0/labs/uac... · web viewin...
TRANSCRIPT
Hands-On Lab UAC Data Redirection - .NET
Lab version: 1.0.0
Last updated: 5/17/2023
UAC Data Redirection - .NET
CONTENTS
OVERVIEW................................................................................................................................................. 3
EXERCISE 1: EXPLORING USER ACCOUNT CONTROL VIRTUALIZATION.........................................4Task 1 – Run the Application without a Manifest................................................................................4
Task 2 – Find the Problem...................................................................................................................8
Task 3 – Add a UAC Manifest.............................................................................................................10
Task 4 – Correct the Access Denied Error..........................................................................................13
SUMMARY................................................................................................................................................ 16
2
UAC Data Redirection - .NET
Overview
In this lab, you will experience first hand the effects of UAC virtualization and will walk through the steps to solve the problem.
Objectives
In this lab, you will learn how to:
Troubleshoot a file redirection issue
Use Process Monitor to find the root cause of the issue
System Requirements
You must have the following items to complete this lab:
Microsoft Visual Studio® 2008
Microsoft Windows® 7
Process Monitor from Microsoft TechNet (http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx)
3
UAC Data Redirection - .NET
Exercise 1: Exploring User Account Control Virtualization
In this exercise, you will diagnose a managed (.NET Framework) application that is incompatible with Windows 7and exhibits User Account Control (UAC) virtualization, specifically, file redirection, to the VirtualStore folder.
You will start by identifying the problem through a series of tests. Next, you will add a UAC manifest section and compile the application, thereby marking it as UAC-aware. As you run the application, you will notice that UAC does not virtualize your files when writing to any of the protected folders, such as Program Files; rather, the operation is blocked and results in an “access denied” error. Finally, you will fix the application by modifying it to store the file to the Application Data (ProgramData) folder.
Task 1 – Run the Application without a Manifest
In this task, you will run the application without a manifest, which simulates an older application and triggers the UAC virtualization mechanism. New applications created with Visual Studio 2008 automatically embed a manifest containing a UAC section by default.
1. Make sure UAC is enabled.
a. From the Start menu:
i. Open Search
ii. Type “UAC”
iii. Click "Change User Account Control settings" in the search results list.
b. The User Account Control Settings dialog box appears. To ensure UAC is NOT disabled:
i. Set the UAC slider at the default level (as pictured)
ii. Click OK.
4
UAC Data Redirection - .NET
2. Navigate to the folder containing the DataRedirection solution.
3. Double-click the solution file to open the solution in Visual Studio 2008.
a. Make sure you don’t start Visual Studio with Administrator privileges
b. If Visual Studio is started with elevated privileges, then “Visual Studio (Administrator)” will display in the title bar
4. Set the BrokenAppManaged project as the startup project:
5. Right-click the project in Solution Explorer and select Set as StartUp Project
6. Set the target architecture to x86:
7. Right-click the BrokenAppManaged project and select Properties.
For C#:
a. Configure the project to build the application without a manifest (the default manifest contains a UAC section)
b. In the Application tab, under Manifest, select Create application without a manifest.
For Visual Basic:
a. Configure the project to build the application without a manifest.
b. In the Application tab, click on View UAC Settings, app.manifest will open. In app.manifest delete following code within <assemblyIdentity> element.
XML
5
UAC Data Redirection - .NET
<?xml version="1.0" encoding="utf-8"?><asmv1:assembly manifestVersion="1.0" xmlns="urn:schemas-microsoft-com:asm.v1" xmlns:asmv1="urn:schemas-microsoft-com:asm.v1" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><assemblyIdentity version="1.0.0.0" name="MyApplication.app"/></asmv1:assembly>
8. Navigate to the FileIO class (in FileIO.cs (C#) or FileIO.vb (Visual Basic)).
9. Inspect the Save and Load functions and the static constructor and observe how the data file path is constructed as a file under Program Files\BrokenApp.
10. Build the project and run it. Again, make sure you don’t run it with administrator privileges.
11. Open Task Manager and click the Processes tab.
a. From the View menu, choose Select Columns
b. The Select Process Page Columns dialog box appears
c. Check the User Account Control (UAC) Virtualization check box, as showing in the red box (just make sure you actually set the checkbox!)
d. Click OK
12. Notice that the UAC Virtualization column is enabled for your process.
6
UAC Data Redirection - .NET
13. Type some text into the edit box and then click Save. The operation should succeed (that is, you won't receive any error).
14. Try to navigate to the path indicated (for example, C:\Program Files (x86)\BrokenApp on x64 Windows 7 or C:\Program Files\BrokenApp on x86 Windows).
Watch Out
You won't find BrokenApp under Program Files because the write file operation was redirected to the VirtualStore folder
7
UAC Data Redirection - .NET
Task 2 – Find the Problem
In this task, you will walk through the different steps that will confirm that your application is experiencing UAC virtualization.
1. Download and unzip Process Monitor from Microsoft TechNet (http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx).
2. Launch Process Monitor.
3. Launch the BrokenAppManaged application.
4. Make sure Process Monitor is capturing by clicking the third toolbar button. You can also toggle capturing on/off by pressing CTRL-E.
5. In the BrokenAppManaged application, enter some text into the textbox.
6. Click Save in the BrokenAppManaged application.
7. You can stop capturing in Process Monitor by clicking the third toolbar button again (or by pressing CTRL-E).
8. In Process Monitor, from the Tools menu, click Process Tree. The Process Tree dialog box appears.
8
UAC Data Redirection - .NET
9. Look for BrokenAppManaged.exe in the tree and double-click it.
10. Click Close to close the Process Tree dialog box.
11. Right-click the process name BrokenAppManaged in Process Monitor.
12. Select Include BrokenAppManaged. This will filter out all other events.
9
UAC Data Redirection - .NET
Help
You can see that BrokenAppNative is trying to create the file C:\ProgramFiles (x86)\BrokenApp\SomeFile.txt. This file is redirected to the VirtualStore folder, where the actual data file ends up.
Notice the Result column. The line where the result is “REPARSE” is the original operation. The next line with the result “SUCCESS” is the redirected operation.
Task 3 – Add a UAC Manifest
In this task, you will add a manifest to the application to mark the application as UAC-aware. By marking your application as UAC aware, you declare that the application does not require write access to protected locations. UAC virtualization will not apply to your application.
1. Right-click the project in Project Explorer and select Properties.
2. Right-click the BrokenAppManaged project and select Properties.
3. Configure the project to build the application with a manifest.
10
UAC Data Redirection - .NET
For C#:
a. Under Manifest, select Embed manifest with default settings
b. The default manifest contains a UAC section
For Visual Basic:
a. Open the app.manifest file from solution explorer
b. Add following tags to the manifest file
XML<?xml version="1.0" encoding="utf-8"?><asmv1:assembly manifestVersion="1.0" xmlns="urn:schemas-microsoft-com:asm.v1" xmlns:asmv1="urn:schemas-microsoft-com:asm.v1" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><assemblyIdentity version="1.0.0.0" name="MyApplication.app"/><trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"><security><requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"><!-- UAC Manifest Options If you want to change the Windows User Account Control level replace the requestedExecutionLevel node with one of the following. <requestedExecutionLevel level="asInvoker" uiAccess="false" /> <requestedExecutionLevel level="requireAdministrator" uiAccess="false" /> <requestedExecutionLevel level="highestAvailable" uiAccess="false" />
11
UAC Data Redirection - .NET
If you want to utilize File and Registry Virtualization for backward compatibility then delete the requestedExecutionLevel node.--><requestedExecutionLevel level="asInvoker" uiAccess="false" /></requestedPrivileges></security></trustInfo></asmv1:assembly>
4. Re-build the application.
5. Run the application.
6. Look at Task Manager again, and you will notice that virtualization is now disabled for the process:
7. Type some text into the edit box and click Save in the BrokenAppManaged application. You should receive the following error:
12
UAC Data Redirection - .NET
Help:
Because UAC virtualization is turned off, writing to protected locations results in an error.
Task 4 – Correct the Access Denied Error
By embedding the manifest containing a UAC section, you declare to Windows 7 that your application is UAC-aware; therefore the application will be unable to write to any protected storage area. In this task you will change the location to which the text file will be saved and fix the access denied error.
1. Return to Visual Studio.
2. In the static constructor of the FileIO class in FileIO.cs (C#) or FileIO.vb (Visual Basic):
a. Comment out the line to save to Environment.SpecialFolders.ProgramFiles
b. Uncomment the line to save to Environment.SpecialFolders.CommonProgramData
c. This will save the file to the common program data folder (C:\ProgramData, by default), which is accessible by all users.
3. Rebuild and run the application.
4. Make sure the data file is now saved to the correct folder: C:\ProgramData\BrokenApp.
5. You now have fixed the redirection issue and saved your data file to the correct location.
13
UAC Data Redirection - .NET
Watch Out
Notice that file operations to the text file are not redirected and are successful.
Help:
14
UAC Data Redirection - .NET
In order for redirection to work in Visual Studio 2008, you must turn off UAC in the manifest generation. To do so:
For C# projects In Visual Studio:
1. Click the Project menu.
2. Click the Properties for that project.
3. On the Application tab, in the Resources area, select the Icon and manifest button.
4. Select Create application without a manifest.
5. Click OK.
For Visual Basic projects In Visual Studio:
1. Click the Project menu.
2. Click the Properties for that project.
3. On the Application tab, click on View UAC Settings, app.manifest will open.
5. In app.manifest delete following code within <asmv1:assembly> element.
For C++ projects In Visual Studio:
1. Click the Project menu.
2. Click the Properties for that project.
3. Expand Configuration Properties.
4. Expand Linker.
5. Select Manifest File.
5. Change the Enable User Account Control (UAC) selection to No.
6. Click OK.
UAC is turned off here only for demonstration purposes. All executables should contain a UAC section in the manifest. If a UAC section is present in the manifest, Windows will not consider the application a legacy application and does not enable redirection. Writing to Program Files would return an access denied error.
15
UAC Data Redirection - .NET
Summary
In this lab you have used Process Monitor to diagnose Windows 7 UAC virtualization, which redirects file and registry updates to any protected areas. You have sucessfully solved the problem by modifying your code and saving the file in the correct location.
For more information, please refer to:
Common file and registry virtualization issues in Windows Vista – http://support.microsoft.com/kb/927387
New UAC Technologies for Windows Vista – http://msdn.microsoft.com/en-us/library/bb756960.aspx
“Inside Windows Vista User Account Control” – http://technet.microsoft.com/en-us/magazine/2007.06.uac.aspx
16