App-V - newbie question: cmd.exe running inside the bubble and file system writes outside the sandbox

  • Question

  • If I launch CMD.EXE inside the bubble and type MKDIR C:\FOLDERFROMTHEBUBBLE, directory FOLDERFROMTHEBUBBLE is created on the root of drive C: and visible from inside the bubble but is visible outside the bubble too. In fact, if I start explorer.exe (outside the bubble in a separate process) I can see the folder C:\FOLDERFROMTHEBUBBLE.

    Why is the folder creation not virtualized and visible only inside the bubble? Why do file system changes made by CMD.EXE affect the real file system? Should file, folder and registry modifications be confined to the sandbox?

    Please, help me understand!

    This is the OSD I’m using:

    <?xml version="1.0" encoding="utf-8" standalone="no"?>
    <SOFTPKG GUID="DA2E2D06-557C-47AA-83B0-4F77F091FE51" NAME="MyTestAppName" VERSION="1.0">
      <IMPLEMENTATION>
        <CODEBASE HREF="RTSPS://%SFT_SOFTGRIDSERVER%:322/PackageName_EmptyForTest_3.sft" GUID="AA7E692C-77CF-4804-8F4B-2B51C445CF70" PARAMETERS="" FILENAME="%CSIDL_SYSTEM%\calc.exe" SYSGUARDFILE="TestOnly\osguard.cp" SIZE="6512" />
        <WORKINGDIR>%CSIDL_SYSTEM%</WORKINGDIR>
        <VIRTUALENV TERMINATECHILDREN="TRUE">
          <ENVLIST />
        </VIRTUALENV>
        <VM VALUE="Win32">
          <SUBSYSTEM VALUE="windows" />
        </VM>
        <OS VALUE="Win764" />
      </IMPLEMENTATION>
      <DEPENDENCY>
        <CLIENTVERSION VERSION="4.6.0.0" />
        <SCRIPT TIMEOUT="0" TIMING="PRE" EVENT="LAUNCH" WAIT="TRUE" PROTECT="TRUE">
          <SCRIPTBODY>%systemroot%\system32\cmd.exe</SCRIPTBODY>
        </SCRIPT>
      </DEPENDENCY>
      <PACKAGE NAME="PackageName_EmptyForTest" />
      <ABSTRACT>Comments_EmptyForTest</ABSTRACT>
      <MGMT_SHORTCUTLIST>
        <SHORTCUT LOCATION="%CSIDL_STARTMENU%" FILENAME="" OVERRIDDEN="TRUE" DISPLAY="MyTestAppName" ICON="%SFT_MIME_SOURCE%/PackageName_EmptyForTest Icons/EmptyForTest.ico" />
      </MGMT_SHORTCUTLIST>
      <MGMT_FILEASSOCIATIONS>
        <PROGIDLIST />
        <FILEEXTENSIONLIST />
      </MGMT_FILEASSOCIATIONS>
    </SOFTPKG>

    Wednesday, September 16, 2009 12:34 PM

All replies

  • Hi Mimmo,
    App-V does not restrict writes to the client system unless the write is to a virtualized directory. For example, a write to Q:\packroot.001\MyApp\MyApp.ini would reside virtual or even Q:\packroot.001\VFS\CSIDL_PROGRAM_FILES\MyApp\MyApp.ini. But as C:\ has not been virtualized the write is local. This behaviour allows users to create their own documents and save them in My Documents etc.
    HTH,
    Brian
    Wednesday, September 16, 2009 1:47 PM
  • Thanks Brian for the fast reply!

    Can I force virtualization for the whole drive C: and the whole registry?
    The only folders I need to exclude are "My Documents" and "Desktop".
    Wednesday, September 16, 2009 2:30 PM
  • Can I force virtualization for the whole drive C: and the whole registry?
    The only folders I need to exclude are "My Documents" and "Desktop".

    Can anyone help me?
    Thursday, September 17, 2009 1:19 PM
  • Hi,

    for the file system - I think you can't force virtualization of the complete C: drive. The better solution would be to prohibit writing to C:\ and the other folders (locally) via Group Policy.


    For the Registry, everything is virtualized so the issue does not exist here.


    Falko
    • Proposed as answer by znack Thursday, September 17, 2009 6:48 PM
    • Marked as answer by Aaron.ParkerModerator Friday, December 30, 2011 12:14 AM
    Thursday, September 17, 2009 2:58 PM
    Moderator
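
    Falko's suggestion above relies on NTFS permissions, not App-V, to stop writes to C:\. As an added example (not part of the thread), this PowerShell function lists the ACL entries that currently let principals outside a trusted set create, change or delete items in a folder; the function name, the trusted-principal list and the default path are assumptions for illustration.

```powershell
# Added example, not from the thread. Lists "Allow" ACL entries that let
# principals outside a trusted set create, change or delete items in a folder.
# The trusted-principal list and the default path are assumptions.
function Get-NonAdminWriteAccess {
    param(
        [string[]]$Path = @('C:\'),
        [string[]]$TrustedPrincipal = @(
            'NT AUTHORITY\SYSTEM',
            'BUILTIN\Administrators',
            'NT SERVICE\TrustedInstaller',
            'CREATOR OWNER'
        )
    )

    # Specific rights that permit creating or altering files and folders.
    $specific = [int][System.Security.AccessControl.FileSystemRights](
        'CreateFiles, CreateDirectories, Delete, DeleteSubdirectoriesAndFiles, ' +
        'ChangePermissions, TakeOwnership')
    # GENERIC_WRITE and GENERIC_ALL, which can appear on inherit-only entries.
    $generic = 0x40000000 -bor 0x10000000
    $mask = $specific -bor $generic

    foreach ($p in $Path) {
        (Get-Acl -Path $p).Access |
            Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                $TrustedPrincipal -notcontains $_.IdentityReference.Value -and
                ([int]$_.FileSystemRights -band $mask) -ne 0
            } |
            Select-Object @{ n = 'Path'; e = { $p } },
                          @{ n = 'Principal'; e = { $_.IdentityReference.Value } },
                          FileSystemRights, InheritanceFlags, PropagationFlags, IsInherited
    }
}

# Report for the drive root discussed in the thread.
Get-NonAdminWriteAccess -Path 'C:\' | Format-Table -AutoSize
```

    Any principal this reports for C:\ can create folders there from inside or outside the bubble, which is the behaviour the question describes.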
  • Hi,

    for the file system - I think you can't force virtualization of the complete C: drive.
    Is it a shortcoming of App-V or is it by design?
    VMware ThinApp (Thinstall) and Symantec Workspace Virtualization (Altiris SVS) can virtualize everything on C:\
    Friday, September 18, 2009 12:08 PM