Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx

  • Question


  • I am researching some of the event log structures in Vista and I have come across the following file:
    \Windows\System32\winevt\Logs\Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx

    I am not able to find any decent information as to the purpose, structure, contents, etc. of this file.

    Any help or assistance would be greatly appreciated!

    Wednesday, October 15, 2008 3:28 PM

Answers

  • Hi,

    It logs all the redirections of legacy applications to the VirtualStore. Open eventviewer > "application and services logs" > Microsoft > Windows > UAC-FileVirtualization > Operational. You can read more about the Event Viewer in Vista on my blog here.


    Vista has what's called File and folder virtualization. The way it works is that when you try to write to a protected zone, such as Program Files, without prompting for administrator rights, you are redirected to a mirror location of the Program Files folder in the %userprofile% under the folder name VirtualStore, where you have write access. This helps many legacy applications work properly without user intervention.

    Wednesday, October 15, 2008 3:50 PM

All replies


  • Victor, Thank you very much.

    So in this case, if a user attempted to copy a file or execute a program out of Program Files for which he currently has no rights, it would log this in Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx and redirect the attempt to the VirtualStore?

    Wednesday, October 15, 2008 5:53 PM
  • Hi,
    Let me clarify.
    If the given process is running virtualized (all do, except 64-bit apps and those you choose not to virtualize) within a standard user context and attempts to write to a restricted zone, the write will succeed, but it will not be done in the restricted zone, but in the VirtualStore folder. The same goes for attempting to write to restricted registry hives, such as HKLM.

    Wednesday, October 15, 2008 6:19 PM
  • Very good, Victor. I understand much better now.

    So when I see a path\filename in the Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx file, it means that the user attempted a write to that file\path in the restricted zone but it was actually done in the VirtualStore folder? Is there any way to correlate what was logged with the action requested? I.e. was it a delete, edit, copy, etc.? This can be valuable to Vista forensic investigations.

    Thanks again


    Wednesday, October 15, 2008 7:37 PM
  • Heya,

    I see that it shows you the name of the file that was created. Deletion of virtualized files isn't recorded.


    Friday, October 17, 2008 8:50 AM
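To make the thread's points usable in an investigation, here is an added PowerShell example (not from any poster) that reads the Operational channel, maps each logged path to where the write actually landed under the user's VirtualStore, and checks whether that file still exists, which is the only way to detect a later deletion since the log does not record it. The channel name, the assumption that the event text contains the redirected path, and the sample messages are all assumptions, not facts from the thread.

```powershell
# Added example, not from the thread. Reads the UAC-FileVirtualization Operational
# log and maps each redirected path to its expected VirtualStore location.
# Assumptions: the channel is registered under the name below, the event message
# contains the target path as a Windows path (quoted or bare), and the VirtualStore
# root is %LOCALAPPDATA%\VirtualStore. Adjust the regex if your event text differs.
$ChannelName      = 'Microsoft-Windows-UAC-FileVirtualization/Operational'
$VirtualStoreRoot = Join-Path $env:LOCALAPPDATA 'VirtualStore'

function Convert-ToVirtualStorePath {
    param([Parameter(Mandatory)][string]$RestrictedPath)
    # C:\Program Files\App\x.ini -> %LOCALAPPDATA%\VirtualStore\Program Files\App\x.ini
    $withoutDrive = $RestrictedPath -replace '^[A-Za-z]:\\', ''
    return Join-Path $VirtualStoreRoot $withoutDrive
}

function Get-RedirectionRecord {
    param([Parameter(Mandatory)][string]$Message, [datetime]$TimeCreated = (Get-Date))
    # Pull the first Windows path out of the free-text message (message format is an assumption)
    $m = [regex]::Match($Message, '[A-Za-z]:\\[^"\r\n]+?(?=["\r\n]|$)')
    if (-not $m.Success) { return $null }
    $restricted = $m.Value.TrimEnd()
    $virtual    = Convert-ToVirtualStorePath $restricted
    [pscustomobject]@{
        TimeCreated         = $TimeCreated
        RequestedPath       = $restricted          # where the app thought it wrote
        VirtualStorePath    = $virtual             # where the write really landed
        StillInVirtualStore = Test-Path -LiteralPath $virtual   # $false => deleted since
    }
}

# Live query of the channel; wrapped so the offline sample below still runs elsewhere
try {
    Get-WinEvent -LogName $ChannelName -ErrorAction Stop |
        ForEach-Object { Get-RedirectionRecord -Message $_.Message -TimeCreated $_.TimeCreated } |
        Where-Object { $_ } | Format-Table -AutoSize
} catch {
    Write-Warning "Could not read '$ChannelName': $($_.Exception.Message)"
}

# Constructed sample messages (not real event text) to show the mapping offline
$sampleMessages = @(
    'Virtualized file create: "C:\Program Files\LegacyApp\config.ini"',
    'Virtualized file create: "C:\Windows\legacy.log"'
)
$sampleMessages | ForEach-Object { Get-RedirectionRecord -Message $_ } | Format-Table -AutoSize
```

Run it in the context of the user whose VirtualStore you want to inspect, since %LOCALAPPDATA% resolves per user.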