UE-V captures user settings data in two formats:  PKGX files and PKGDAT files.  PKGX files are Open Packaging Conventions (OPC) documents that contain registry settings and links to files.  PKGDAT files are renamed settings files that belong to a monitored application.  PKGX files contain a file name mapping to refer to PKGDAT files stored in the same folder as the PKGX file.

 

Examining the Contents of PKGX files

 

To examine the contents of an individual PKGX file, navigate to the folder that contains the PKGX file and use the Export-UevPackage cmdlet.  Typically this will be a subfolder under the SettingsPackages folder located in the Settings Storage Path folder assigned to a user (for example \\server\MySettings\%username%\SettingsPackages\MicrosoftOffice2010Win32.Word).  Export-UevPackage expects the name of the PKGX file as its argument.  For example:

 

Export-UevPackage -Path .\MicrosoftOffice2010Win32.Word.pkgx

 

You can export the output of this command to a text file for easy reference by using the PowerShell Out-File cmdlet:

 

Export-UevPackage -Path .\MicrosoftOffice2010Win32.Word.pkgx | out-file $env:temp\wordpkgx.txt

 

You can examine the resulting file in a text editor to determine file and registry settings captured by UE-V.

 

Interpreting Registry Values

 

Registry values are stored in the /SettingsDocument/registry/Setting element(s) of the PKGX document.  Each Setting element contains 3 attributes – Type, Name, and Action.  The value stored in the registry key is specified in the data of the Setting element.  For example, in the following setting:

                                                                                                                                                                                                                                           

<Setting Type="VT_DWORD" Name="registry://HKCU\Software\Microsoft\Shared Tools\Proofing Tools\1.0\Office\WordSpellingOptions" Action="Create">5</Setting>

 

The value of HKCU\Software\Microsoft\Shared Tools\Proofing Tools\1.0\Office\WordSpellingOptions is “5”.

 

 

The Type attribute corresponds to standard registry types.  See the table below for reference:

PKGX Type           Registry Type
VT_BINARY           REG_BINARY
VT_DWORD            REG_DWORD
VT_QWORD            REG_QWORD
VT_EXPAND_STRING    REG_EXPAND_SZ
VT_MULTI_STRING     REG_MULTI_SZ
VT_STRING           REG_SZ

 

The Name attribute refers to the location of the registry key in the format “registry://<Location>” where <Location> is the absolute path of the registry value.

 

The Action attribute specifies Update, Create, or Delete.  “Update” appends values in the case of registry values which may have multiple values, such as REG_MULTI_SZ and REG_EXPAND_SZ.  “Create” will add single values.  “Delete” is only present in cases where DeleteIfNotFound="true" has been added to the Path value and the registry key or value has subsequently been removed from the registry.  If the Delete Action is specified, the value will be removed from any client machines where the value is present.  Note that this setting attribute will not create or remove registry keys that do not contain child values.

  

Mapping PKGDAT Files to Replicated Files

 

PKGDAT files are renamed settings and data files included in various packages.  It may be useful during troubleshooting to determine the contents of a particular file in order to verify that settings are replicating.  To determine the mapping of a PKGDAT file to its source file, run the following command against the PKGX file:

 

(Export-UevPackage .\<FILENAME>.pkgx).split("`n") | select-string VT_FILE

 

            Where <FILENAME> is the name of the PKGX file.

 

For example:

 

PS X:\> (Export-UevPackage .\MicrosoftOffice2010Win32.Word.pkgx).split("`n") | select-string VT_FILE

    <Setting Type="VT_FILE" Name="file://%APPDATA%\Microsoft\Templates\Blog post.dotx" Action="Update">5DDB5F1D-56B0-4E78-8639-ADE6678D83CE.pkgdat</Setting>

    <Setting Type="VT_FILE" Name="file://%APPDATA%\Microsoft\Templates\mycustomtemplate.dotx" Action="Create">A92D3D7A-738D-426F-A4C7-8101C6C4ABED.pkgdat</Setting>

    <Setting Type="VT_FILE" Name="file://%APPDATA%\Microsoft\Templates\Normal.dotm" Action="Update">0B6E1C7F-C866-4E44-8277-B39E80B23081.pkgdat</Setting>

 

In this example, x:\0B6E1C7F-C866-4E44-8277-B39E80B23081.pkgdat (located on a mapped drive to \\server\uevshare\username\SettingsPackages\MicrosoftOffice2010Win32.Word) maps to %APPDATA%\Microsoft\Templates\Normal.dotm on the local machine.

 

Hint:  You can usually tell if the file has replicated based on the PKGDAT file’s timestamp.  A definitive test is to use FC.exe (file compare) to determine if the two files are identical:

 

X:\>fc 0B6E1C7F-C866-4E44-8277-B39E80B23081.pkgdat     %APPDATA%\Microsoft\Templates\Normal.dotm

Comparing files 0B6E1C7F-C866-4E44-8277-B39E80B23081.pkgdat and C:\Users\markstan\AppData\Roaming\Microsoft\Templates\Normal.dotm

FC: no differences encountered
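
The Setting attributes and the PKGDAT comparison described above, as an added PowerShell example (not part of the original article or of UE-V): it parses exported settings into objects and compares each PKGDAT file with its local file by SHA-256 hash rather than FC.exe. The sample XML, the %UEV_DEMO% variable and the function names ConvertFrom-UevExport and Test-UevFileReplication are constructed for illustration, and the code assumes the Export-UevPackage output is a well-formed XML document.

```powershell
# Constructed sample export (not real package data); %UEV_DEMO% is a made-up variable.
$sample = @'
<SettingsDocument>
  <registry>
    <Setting Type="VT_DWORD" Name="registry://HKCU\Software\Microsoft\Shared Tools\Proofing Tools\1.0\Office\WordSpellingOptions" Action="Create">5</Setting>
  </registry>
  <Setting Type="VT_FILE" Name="file://%UEV_DEMO%\Normal.dotm" Action="Update">0B6E1C7F-C866-4E44-8277-B39E80B23081.pkgdat</Setting>
</SettingsDocument>
'@

# PKGX Type to registry type, as listed in the table on this page.
$regTypes = @{ VT_BINARY = 'REG_BINARY'; VT_DWORD = 'REG_DWORD'; VT_QWORD = 'REG_QWORD'
               VT_EXPAND_STRING = 'REG_EXPAND_SZ'; VT_MULTI_STRING = 'REG_MULTI_SZ'; VT_STRING = 'REG_SZ' }

function ConvertFrom-UevExport {            # hypothetical helper name
    param([Parameter(Mandatory)][string]$Xml)
    $doc = New-Object System.Xml.XmlDocument
    $doc.LoadXml($Xml)
    # local-name() matches Setting elements whether or not the document uses a namespace.
    foreach ($s in $doc.SelectNodes("//*[local-name()='Setting']")) {
        $kind, $target = $s.GetAttribute('Name') -split '://', 2
        $type = $s.GetAttribute('Type')
        [pscustomobject]@{
            Kind   = $kind                   # 'registry' or 'file'
            Target = $target
            Type   = if ($regTypes.ContainsKey($type)) { $regTypes[$type] } else { $type }
            Action = $s.GetAttribute('Action')
            Data   = $s.InnerText            # registry data, or the PKGDAT file name
        }
    }
}

function Test-UevFileReplication {          # hypothetical name; Get-FileHash needs PowerShell 4.0+
    param([Parameter(Mandatory)]$Setting, [Parameter(Mandatory)][string]$PackageFolder)
    $pkgdat = Join-Path $PackageFolder $Setting.Data
    $local  = [Environment]::ExpandEnvironmentVariables($Setting.Target)
    if (-not ((Test-Path -LiteralPath $pkgdat) -and (Test-Path -LiteralPath $local))) { return 'Missing' }
    $hashes = $pkgdat, $local | ForEach-Object { (Get-FileHash -LiteralPath $_ -Algorithm SHA256).Hash }
    if ($hashes[0] -eq $hashes[1]) { 'Identical' } else { 'Different' }
}

# Demo on constructed files in a temp folder.
$env:UEV_DEMO = Join-Path ([IO.Path]::GetTempPath()) 'uev-demo'
$pkg = Join-Path $env:UEV_DEMO 'SettingsPackages'
New-Item -ItemType Directory -Path $pkg -Force | Out-Null
Set-Content (Join-Path $env:UEV_DEMO 'Normal.dotm') 'constructed template content'
Set-Content (Join-Path $pkg '0B6E1C7F-C866-4E44-8277-B39E80B23081.pkgdat') 'constructed template content'
ConvertFrom-UevExport $sample | ForEach-Object {
    $state = if ($_.Kind -eq 'file') { Test-UevFileReplication $_ $pkg } else { 'n/a' }
    $_ | Add-Member -NotePropertyName Replicated -NotePropertyValue $state -PassThru
}
```

Against a real package, pass the text returned by Export-UevPackage to ConvertFrom-UevExport and the package's SettingsPackages subfolder as the second argument.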

Manually Investigating PKGX Files


Finally, it should be noted that because PKGX files are stored in OPC format (sometimes referred to as APPX), the file is essentially a structured ZIP archive.  To see the contents of the file, make a copy of the .PKGX and rename the extension to .zip (or associate the .PKGX extension with a program capable of opening ZIP files).  The internal documents may then be viewed in any text editor.  This is seldom necessary, as the Export-UevPackage cmdlet displays all of the information that is typically relevant to troubleshooting.  In rare cases such as file corruption issues, it may be necessary to use this manual method.
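
The manual method described above, as an added PowerShell example (not from the original article or from UE-V): it reads a PKGX file in place through the .NET ZIP classes instead of renaming it, and reports an archive that cannot be opened, which is the corruption case mentioned. The function name Get-PkgxEntry and the demo file names, entry name and content are constructed for illustration.

```powershell
Add-Type -AssemblyName System.IO.Compression.FileSystem   # provides [IO.Compression.ZipFile]

function Get-PkgxEntry {                    # hypothetical helper name
    param([Parameter(Mandatory)][string]$Path)
    $full = (Resolve-Path -LiteralPath $Path).ProviderPath
    try { $zip = [System.IO.Compression.ZipFile]::OpenRead($full) }
    catch {
        # A damaged or truncated package fails here instead of listing entries.
        Write-Warning "$full could not be opened as a ZIP/OPC archive: $($_.Exception.Message)"
        return
    }
    try {
        foreach ($entry in $zip.Entries) {
            $reader = New-Object System.IO.StreamReader($entry.Open())
            try { $text = $reader.ReadToEnd() } finally { $reader.Dispose() }
            [pscustomobject]@{ Name = $entry.FullName; Size = $entry.Length; Text = $text }
        }
    } finally { $zip.Dispose() }
}

# Demo: build a constructed package (entry name and content are made up), then a corrupt one.
$good = Join-Path ([IO.Path]::GetTempPath()) 'demo-good.pkgx'
$bad  = Join-Path ([IO.Path]::GetTempPath()) 'demo-bad.pkgx'
Remove-Item $good, $bad -ErrorAction SilentlyContinue
$zip = [System.IO.Compression.ZipFile]::Open($good, 'Create')
$writer = New-Object System.IO.StreamWriter($zip.CreateEntry('demo/settings.xml').Open())
$writer.Write('<SettingsDocument><registry /></SettingsDocument>')
$writer.Dispose(); $zip.Dispose()
Set-Content $bad 'not a zip archive'

Get-PkgxEntry $good | Format-List
Get-PkgxEntry $bad
```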