Installing HKCU keys using a Windows Installer repair, Pt. II

2017-07-27T00:01:04+00:00 March 27th, 2013|Uncategorized|

Previously, in Pt. I of this series, I wrote about how to install HKCU registry keys (which can also be used for installing data anywhere in a user profile).  Now I’ll go into more depth on how to do this using the popular application packaging product Wise Package Studio.

Though Wise Package Studio has been discontinued by Symantec, it’s still quite popular in many packaging environments.  The main tool used for creating and editing Windows Installer projects in Wise Package Studio is the “Windows Installer Editor”, which was previously available alone as “Wise for Windows Installer” (wfwi.exe). 

Most of the packaging work will be done in the “Installation Expert” view, which is a slightly more “user friendly” or “cleaner” project editor.  After creating my new project, I’ll add a couple of files to it.  The files I added are Process Explorer (procexp.exe) from “SysInternals” and its help file (procexp.chm).  Process Explorer is one of several extremely useful utilities available (free!) in the Sysinternals Suite.




Next, I’ll add an “Advertised” desktop shortcut to “procexp.exe” from the “Shortcuts” page.  By default, when you add a shortcut to point to a file in your installation the “Advertised” check box is marked. 




Note that “Complete” is listed in the “Current Feature” drop down list.  By default, Wise starts with a feature named “Complete” and puts all files, registry keys, shortcuts, etc. under the “Complete” feature, but we need a “hidden” parent feature.  So, from the Features page “Add” a new feature.  Give it a name, select “<None>” from the Parent drop down list, “Hidden” from the Display drop down, and check the “Required Feature” check box; the rest of the defaults can be left.  After adding the hidden parent feature, I go into the “Complete” feature to select the hidden feature from its “Parent” drop down list. 




Finally, I add an HKCU registry key to the new hidden feature.  Notice that, now that I’ve added a new feature, I can select it from the “Current Feature” drop down list on all the pages in Installation Expert.




After the project is compiled, the .MSI can be run on any system “per machine” with the “ALLUSERS” value set to ‘1’.  When a new user logs onto the machine and clicks on the advertised shortcut, the HKCU key will be installed by the Windows Installer repair.

 Next time, I’ll take a look at implementing self repair using InstallShield.  I hope you found this tutorial enlightening, instructive, and maybe even a little fun.  Well..uh..instructive and enlightening should be good enough! 




Installing HKCU keys using a Windows Installer repair

2017-07-27T00:01:04+00:00 March 13th, 2013|Uncategorized|

One of the more common (and tricky) issues faced when installing an application in the enterprise is how to install user data.  Typically, the application installer is run silently with no user interaction in the “system” context with administrative privileges.  This method is commonly used so that the software can install in the background without disrupting the end user’s work.  Fortunately, this method works for a majority of software deployments, because the installer does not need to install anything in the “user” context.

There are situations, however, when an application requires registry keys or some data files installed in the user’s profile prior to the application’s first launch.  One common post-installation method used for installing user data is called “Active Setup”; a full explanation of how to implement this method is beyond the scope of this post… and besides… there’s already been a blog post on this topic.

A major drawback of the Active Setup method is that any user logged on to the system when the silent installation occurred must log out of their profile and log back in.  The reason is that the mechanism which initiates Active Setup compares a Local Machine registry key to one in the user’s profile when the user logs on.  A more convenient and functional method (and slicker, I must say) to install data to the user profile in the user context is by initiating a Windows Installer repair.

By design, Windows Installer initiates “self repair” or “self healing” when an entry point to the installed application is launched.  Typically, the entry point is an “Advertised” shortcut.  When the user clicks on the shortcut, Windows Installer will perform an integrity check to verify all the “key paths” of the installed application are present; if not present, the Windows Installer repair will install any missing component(s) and their key path.  The key path of a component is typically a file or shortcut. 

One method for installing Current User registry keys post install is to add a top level “Hidden Feature” (note: the feature doesn’t really have to be hidden, but we do this to ensure that whoever runs the install doesn’t have the option not to install it) to the install which contains all the HKCU keys.  Mark the feature as “required” and make it the “Parent” feature to all other features in your MSI.  Move all HKCU keys to the same component in the required feature.  Finally, add an “advertised” shortcut to your application to facilitate the repair.  After the application is installed (in the system context), when a user clicks on the advertised shortcut a self repair will occur to install the components with the missing key paths… IF the key path doesn’t exist.

Ya see…this blog post was partly inspired by a setup I encountered at a customer location which attempted to use this method for installing the required HKCU registry keys.  When I tested the application, it was not behaving as expected.  I looked into the .MSI that installed it and found that everything had been laid out according to the prescribed method detailed above… except… the component key path holding the HKCU keys was actually an HKLM registry key which already existed on my system!  Thus, the self repair would never “kick off”.  When attempting to initiate a controlled Windows Installer repair, you must ensure the component key path is truly unique, or the repair won’t happen.
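The layout described here and in Pt. II (all HKCU keys in one component of a parent feature, an advertised shortcut in a feature below it, and a key path that really lives in HKCU) can be checked before a package is deployed. The following is an added example, not code from the original posts: it audits rows shaped like the MSI Feature, Component, FeatureComponents, Registry and Shortcut tables. The rows, the `UserData` feature name and the `ExampleCorp` registry key are constructed for illustration.

```python
HKCU, HKLM = 1, 2            # Registry.Root values defined by Windows Installer
REGISTRY_KEYPATH = 0x4       # Component.Attributes bit: KeyPath names a Registry row


def feature_chain(name, features):
    """Return the feature and all of its parents, bottom-up."""
    chain = []
    while name:
        chain.append(name)
        name = features[name]  # Feature_Parent, or None at the top level
    return chain


def audit(db):
    """Return a list of findings; an empty list means the layout can self-repair."""
    features, registry = db["Feature"], db["Registry"]
    findings = []
    hkcu_comps = sorted({r["component"] for r in registry.values() if r["root"] == HKCU})
    if len(hkcu_comps) > 1:
        findings.append("HKCU keys are spread over several components: " + ", ".join(hkcu_comps))
    # A shortcut is advertised when Target is a Feature name, not a [formatted] path.
    advertised = [s for s in db["Shortcut"] if s["target"] in features]
    if not advertised:
        findings.append("no advertised shortcut, so nothing triggers the repair")
    for comp in hkcu_comps:
        attrs, keypath = db["Component"][comp]
        row = registry.get(keypath) if attrs & REGISTRY_KEYPATH else None
        # The key path must be missing in a fresh profile, so it has to be in HKCU.
        if row is None or row["root"] != HKCU:
            findings.append(f"{comp}: key path '{keypath}' is not an HKCU registry value")
        owners = {f for f, c in db["FeatureComponents"] if c == comp}
        for s in advertised:
            # The repair checks the shortcut's feature and the features above it.
            if not owners & set(feature_chain(s["target"], features)):
                findings.append(f"{comp}: not in the feature chain of shortcut '{s['name']}'")
    return findings


def sample_db(keypath="RegUser", complete_parent="UserData"):
    """Constructed rows modelled on the post's project; all names are made up."""
    return {
        "Feature": {"UserData": None, "Complete": complete_parent},
        "Component": {
            "ProcExp": (0, "procexp.exe"),
            "UserSettings": (REGISTRY_KEYPATH, keypath),
        },
        "FeatureComponents": [("Complete", "ProcExp"), ("UserData", "UserSettings")],
        "Registry": {
            "RegUser": {"root": HKCU, "key": r"Software\ExampleCorp\ProcExp",
                        "component": "UserSettings"},
            "RegMachine": {"root": HKLM, "key": r"Software\ExampleCorp",
                           "component": "UserSettings"},
        },
        "Shortcut": [{"name": "Process Explorer", "component": "ProcExp",
                      "target": "Complete"}],
    }


GOOD = sample_db()                              # layout as described in the posts
HKLM_KEYPATH = sample_db(keypath="RegMachine")  # the customer-site mistake
NO_PARENT = sample_db(complete_parent=None)     # hidden feature never made the parent

if __name__ == "__main__":
    for label, db in [("good", GOOD), ("HKLM key path", HKLM_KEYPATH),
                      ("no parent", NO_PARENT)]:
        print(label, "->", audit(db) or "OK")
```
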

I hope you enjoyed this little insight into Windows Installer and find this method to install user data helpful.  This was just a high level overview; next week, I’ll follow up with a more detailed post on how to implement this functionality. 



Application Virtualization – The UAC Panacea?

2017-07-27T00:01:08+00:00 January 18th, 2012|Uncategorized|

…with contributions from Aaron Gierak, Voltaire Toledo, and Jeremy Pavlov.

The User Account Control (UAC) Challenge

It is commonly known that in XP you have to give end users Administrator privileges in order to do even the simplest routine tasks, like changing the system clock, plugging in a USB drive, running a defrag, updating software, or even running security products.  Of course you can use the RunAs command, but that still requires having an Administrator password – which defeats the security purpose of a limited user account.  And just when we thought moving to Windows 7 would eliminate this security privilege nightmare, enter UAC…

User Account Control (UAC) is a technology aimed to improve the security of Microsoft Windows by limiting application software to standard user privileges until an administrator authorizes an increase or elevation.  In this way, only applications trusted by the user may receive administrative privileges, and malware should be kept from compromising the operating system.  In other words, a user account may have Administrator privileges assigned to it, but the applications that the user runs do not inherit those privileges unless they are approved beforehand, or the user explicitly authorizes it.

It is possible to turn off UAC while installing software, and re-enable it at a later time.  However, this is not recommended since File & Registry Virtualization is only active when UAC is turned on – and if UAC is switched off, user settings and configuration files may be installed to an unintended location (i.e. a system directory rather than a user-specific directory).  Also Internet Explorer 7’s “Protected Mode” – whereby the browser runs in a sandbox with lower privileges than the standard user – relies on UAC; and will not function if UAC is disabled.

The Application Virtualization Question

So is application virtualization the solution?  If a virtualized package runs at the kernel level, does it eliminate having to give an XP user Administrator rights?  When you repackage an application that you have been running in XP – in order to port to Win7 – does the app skate by UAC in a way that allows you to keep UAC turned on?

By default, UAC virtualizes requests for protected resources to provide compatibility with applications not developed for UAC.  This is important because many applications written for Windows XP and earlier operating systems assume that the user has administrative privileges and attempt to write to protected resources such as the Program Files or System folders.  The first time an application makes a change to a virtualized resource, Windows copies the folder or registry key to the location within the user’s profile.  Then, the change is made to the user’s copy of that resource.  UAC virtualization is designed to allow already-installed applications to run successfully with standard user privileges, even if they store temporary files or logs in a protected folder.

Installs, Upgrades, and Updates

Many of the problems with UAC come from application installs or upgrades/updates where a new driver or an action that requires UAC acceptance is needed.  With application virtualization – especially a tool like Symantec’s Workspace Streaming where you package from the kernel level – you can bundle the drivers *inside* the virtual app.  As a result, nothing would ever be required of the end-user since nothing is ever “installed”. 

Secondary Executions

However, another issue that bumps against UAC is what we commonly call the “Secondary Execution Event”, where a loaded executable decides to make a call on its own (outside of the one that the app designer intended).  For instance, a permitted/intended executable launches and then calls out to the manufacturer for an updated version, or the latest driver, that is not pre-bundled in the package.  Examples of this are the Juniper VPN agent or the MS Security Center executable.

Panacea or Pariah?

The good news is that application virtualization absolutely does address UAC and elevation features: by creating a virtual HKLM registry hive and virtual Windows and Program Files folders, it isolates the areas that non-elevated users are normally prevented from writing to.  Virtualizing applications also mitigates potential conflicts in a shared session environment like Remote Desktop Servers or XenApp.

However, is application virtualization the silver bullet to fix all elevation and UAC issues?  The answer is “it depends”.  If the application explicitly requires elevated privileges within its manifest, then it will always present a UAC prompt.  In addition, if the application attempts to make a system change like a driver installation or some kind of self-updating feature, it will force Windows 7 to prompt you for elevation.  These challenges can be further addressed with tools such as AppSense Application Manager, or Viewfinity Privilege Management (which elevate a user’s privilege on a per-executable basis), or SystemGuard (which can elevate privileges to write to the registry).

The bottom line is that application virtualization brings many advantages.  In addition to extending the life of legacy applications, reducing deployment costs, and reducing user downtime caused by install/uninstall issues and application conflicts, many UAC issues can be mitigated with application virtualization, especially when coupled with effective use of user virtualization tools.


Next installment – Application Streaming…


Application Strategy in the New Enterprise…

2017-07-27T00:01:08+00:00 December 14th, 2011|Uncategorized|

Why is the right application strategy important?

Whether it is physical or virtual, the endpoint device won’t matter if you can’t get to your data; and it’s through applications that you get to your critical data.  But management of applications can be an administrative burden.  How can you take applications administration to the next level?

 The right application virtualization tool will:

  • Decrease your time to market by 20-40%
  • Decrease your software license spend by 30-50%
  • Reduce or eliminate your need to rewrite legacy applications
  • Allow central management of all your apps
  • Increase software license management and compliance

For example, in the common case of having to reset a hung application, the average cost of a help desk ticket to reset an app is $345 without an application virtualization tool.  With the proper tool, an app reset can be done in 18 seconds; virtually eliminating that cost.  This has a two-fold benefit – decreased end user downtime, and decreased IT support costs.  But just having a tool to handle these situations does not — by itself — solve all your problems; you must have a strategy.

The right application strategy requires a 3-pronged approach

To arrive at an optimized virtual user-centric experience requires a three-part strategic focus that encompasses the following:

  1. Desktop Strategy
  2. Application Strategy
  3. User Strategy 

Each of these pieces is equally important.  While in some cases you can have an application strategy without a desktop strategy, you should never have a desktop strategy without an application strategy.  From this perspective, it becomes clear that an application strategy can actually be more important than a desktop strategy.  

How it can go wrong

My thoughts based on what I see from a sales and trending perspective:

  • Over time, server virtualization created such a positive ROI for both capex and opex, that it was assumed that desktop virtualization would be another no-brainer to implement.  Companies who have embarked on VDI pilots and initiatives have quickly become disillusioned; realizing that the same efficiencies that were gained at the server level do not necessarily apply at the desktop. Eventually, they are forced to rethink their strategy.
  • Companies that embark on Win7 migrations – and do not take the time to make a strategic decision about how they will manage their applications – may become disillusioned as well, as they are feeling the pain of long cycles to virtualize their applications for a new OS and new endpoint device.  And in addition to the long cycles to prepare the applications, there are the inevitable challenges with legacy apps and conflicting apps.
  • Aging infrastructures and desktop devices create projects driven by choosing an “endpoint strategy” (translated as endpoint device only) where the only thing taken into consideration is the device.  Their whole strategy is around making decisions about thin client, zero client, fat client, etc.; all without thinking about the delivery method or the user profile.

Overall, as companies make strategic decisions about their Virtual Desktop Strategy, there can be tunnel vision about the desktop piece as the only strategic piece, with applications and users being an afterthought.

How to make it right

Herein lies my mission:  To educate those embarking on a VDI initiative about the importance of choosing the right application strategy.


On-demand Application Delivery

2017-07-27T00:01:11+00:00 April 9th, 2010|Uncategorized|


Enabling on-demand application delivery involves streamlining or automating the application delivery process to be more responsive to end-user productivity needs and less reliant on IT intervention, without compromising security or manageability.


  • Increasing number of mobile and remote users makes traditional application delivery less reliable
  • Increasing mobility of users between computers complicates application delivery and license management
  • The fluidity of virtual desktops and virtual machines requires an equally flexible delivery technology

Symantec Solution: Endpoint Virtualization

Provision and protect endpoint environments instantly using streaming, virtualization, and desktop broker technologies to reduce costs and increase productivity

  • Avoid downloads and installations and improve application delivery and streaming
  • Support local execution while maintaining central control
  • Allow users to obtain authorized applications, on-demand, without requiring IT intervention
  • Enable delta-only application upgrades or back-grades to reduce network bandwidth usage

Microsoft’s – Remote Desktop Services

2017-07-27T00:01:11+00:00 April 5th, 2010|Uncategorized|

Virtual Desktop Infrastructure (VDI)

Virtual Desktop Infrastructure (VDI) is an emerging architectural model where a Windows client operating system runs in server-based virtual machines (VMs) in the data center and interacts with the user’s client device such as a PC or a thin client. Similar to session virtualization (formerly known as Terminal Services), VDI provides IT with the ability to centralize a user’s desktop; instead of a server session, however, a full client environment is virtualized within a server-based hypervisor. With VDI, the user can get a rich and individualized desktop experience with full administrative control over desktop and applications. However, this architecture, while flexible, requires significantly more server hardware resources than the traditional session virtualization approach.

Key benefits of VDI are:

  • Better enablement of flexible work scenarios, such as work from home and hot-desking
  • Increased data security and compliance
  • Easy and efficient management of the desktop OS and applications

VDI Standard Suite and VDI Premium Suite

Microsoft provides two suite offerings to purchase and deploy VDI: Microsoft Virtual Desktop Infrastructure Standard Suite (“VDI Standard Suite”) and Microsoft Virtual Desktop Infrastructure Premium Suite (“VDI Premium Suite”). These two suites make it simple for customers to purchase the comprehensive Microsoft VDI infrastructure and management software, while providing excellent value amongst competing VDI offerings.

The Microsoft VDI Standard Suite is a complete VDI offering which offers the following features:

Desktop Delivery:

  • Basic connection broker to deliver personalized and pooled virtual machine-based desktops in low-complexity environments
  • Web-based remote access and full-fidelity end user experience

Application Delivery:

  • Separation of application layer from image with app streaming
  • Reduces app-to-app conflicts and need for regression testing
  • Easy application life cycle management via policies

Virtualization Platform:

  • Reliable, micro-kernelized hypervisor with small footprint
  • Supports live migration


  • Integrated, end-to-end management
  • Dynamic provisioning of apps to physical, virtual and session-based desktops
  • Rapid VM provisioning with cloned VHD’s
  • Support for failover clustering and storage migration
  • Patching, updating and monitoring of physical VDI host

For customers that want additional functionality, the Microsoft VDI Premium Suite is a comprehensive desktop centralization offering: It includes all the features of the VDI Standard Suite, but it also leverages the full capabilities of Windows Server Remote Desktop Services to provide greater flexibility for desktop and application delivery. Specifically, it offers the following desktop and application delivery features and benefits on top of the VDI Standard Suite:

Desktop Delivery:

  • Single brokering, discovery and publishing infrastructure for VDI and session-based desktops and applications
  • Higher user density with session-based desktops than with virtual desktops

Application Delivery:

  • Separation of hosted applications from the image
  • Isolation of incompatible applications and consolidation of Remote Desktop Session Host server silos

In order to enable the above mentioned features, the Microsoft VDI Suites incorporate a package of specific use rights of the following Microsoft infrastructure and management products; please contact your Microsoft licensing specialist for details:

  • Remote Desktop Services Client Access License (RDS CAL)
  • Microsoft Desktop Optimization Pack (MDOP) including App-V
  • System Center Virtual Machine Manager (SCVMM) Client Management License
  • System Center Configuration Manager (SCCM) Standard Server Management License
  • System Center Operations Manager (SCOM) Standard Server Management License

Both the VDI Standard Suite and the VDI Premium Suite are licensed per client device that accesses the VDI environment, and thereby allow for flexibility of server infrastructure design and growth. The subscription based license will ensure that customers always have access to the latest versions of software. The VDI Standard Suite and the VDI Premium Suite are designed to complement the per device subscription model of VDA, further simplifying the buying experience for Microsoft VDI customers.

VDI is best suited for contract and offshore workers and for users who need access to their work environment from home, including from a non-company owned PC. For complex deployments which require enterprise-level VDI capabilities, Microsoft is partnering with third party vendors such as Citrix Systems to provide a complete and scalable end-to-end solution to customers.


Remote Desktop Services’ RemoteApp virtualizes a processing environment and isolates the processing from the graphics and I/O, making it possible to run an application in one location but have it be controlled in another.

Remote Desktop Services makes it possible to remotely run an application in one location but have it be controlled and managed in another. Microsoft has evolved this concept considerably in Windows Server 2008 R2, and renamed Terminal Services to Remote Desktop Services (RDS) to better reflect these new features and capabilities. The goal of RDS is to provide both users and administrators with both the features and the flexibility necessary to build the most robust access experience in any deployment scenario.

To expand the Remote Desktop Services feature set, Microsoft has been investing in the Virtual Desktop Infrastructure, also known as VDI, in collaboration with our partners, which include Citrix, Unisys, HP, Quest, Ericom and several others. VDI is a centralized desktop delivery architecture, which allows customers to centralize the storage, execution and management of a Windows desktop in the data center. It enables Windows and other desktop environments to run and be managed in virtual machines on a centralized server. RDD and VDI address all these challenges with the following features:

For both virtual and session-based desktops, the quality of user experience is more important than ever before. Windows Server 2008 R2 Remote Desktop Services improves the end user experience significantly for VDI and session virtualization (fka Terminal Services) through new Remote Desktop Protocol capabilities. These new capabilities, enabled with Windows Server 2008 R2 in combination with Windows 7, provide for a richer user experience and improve end user productivity. Microsoft RemoteFX, a new set of remote user experience capabilities being developed by Microsoft for Windows Server 2008 R2 SP1, will enable a full-fidelity, local-like desktop environment for virtual and session-based desktops and applications. RemoteFX will complement the enhancements made to RDP in Windows Server 2008 R2 Remote Desktop Services and will extend the benefits of a rich remote desktop or application to a wide array of client devices, from the most powerful PC to low-cost thin clients and other access devices.
  • Extends Remote Desktop Services to provide tools to enable VDI
  • Provides simplified publishing of, and access to, remote desktops and applications
  • Improved integration with Windows 7 user interface
  • Multimedia Redirection
  • True multiple monitor support
  • Audio Input & Recording
  • Aero Glass support
  • Improved audio/video synchronization
  • Language Bar Redirection
  • Task Scheduler

 New RemoteApp & Desktop Connection (RAD) feeds provide a set of resources, such as RemoteApp programs and Remote Desktops. These feeds are presented to Windows 7 users via the new RemoteApp & Desktop Connection control panel, and resources are tightly integrated into both the Start menu and the system tray. The improved RemoteApp and Desktop Connections features in Windows Server 2008 R2 and Windows 7 provide the following improvements:

Improved RemoteApp and Desktop Management


While RAD improves the end-user experience, RAD also reduces the desktop and application management effort by providing a dedicated management interface that lets IT managers assign remote resources to users quickly and dynamically. Windows Server 2008 R2 includes the following RAD management capabilities to help reduce administrative effort:

  • RemoteApp & Desktop Connections control panel applet
  • Single administrative infrastructure
  • Designed for computers that are domain members and standalone computers
  • Always up to date
  • Single sign-on experience within a workspace
  • RemoteApp & Desktop Web Access

Improved RemoteApp and Desktop Deployment


Administrators faced with larger RAD deployment scenarios will also find additional management features in Windows Server 2008 R2’s Remote Desktop Services aimed at improving the management experience for all existing scenarios previously addressed by Remote Desktop Services as well as the new scenarios available via RAD. These improved management features include:

  • PowerShell Provider
  • Profile Improvements
  • Microsoft Installer (MSI) compatibility
  • Remote Desktop Gateway

 Source: Microsoft