Thursday, February 11, 2010

The deal with LUAFV.SYS

I noticed that a lot of the people who end up on this blog are looking for information on LUAFV, and for some reason there isn't much on it. I imagine people are looking for it for two main reasons: they want to know what it is and what it does, or they want to know how to disable virtualization for a certain application. There are some posts that do a pretty good job of describing what it does, but to find them you need to search for "UAC file virtualization". Anyway, I'll try to address all of these.

A lot has been written and discussed (and flamed) about UAC (aka LUA), but I'll go over the basics one more time. There are a lot of applications that require the user to be an administrator on the machine for no good reason (the same way some online services ask for your home phone number or SSN... you know they don't really NEED it). This used to be a pretty common thing a while back (I remember even IM applications that needed administrative privileges?!) and the end result is that the machine is a lot less secure than it needs to be. So it is in some way related to security, but it's not a security feature (though why the icon is a shield is beyond me... MS must have had some leftover shield icons or something). Anyway, in order to 'fix' this without breaking backwards compatibility MS needed a couple of things:

  1. a way to make a normal user elevate to administrator (the UAC prompt)
  2. a way to make applications that want to write data (files or registry) to a system location write it to a user location instead
  3. possibly a way to ‘encourage’ app writers to not do this anymore (the unintended side effect of annoying the users should have worked, but people like their scapegoats and so they blame Microsoft and not the app writers..)
  4. get all this without changing existing apps!!

Well, LUAFV.SYS (the "LUA File Virtualization" filter driver) is the component that implements the file half of the second item; the registry half is handled separately by the kernel's registry code, which redirects writes under HKEY_LOCAL_MACHINE\Software to HKEY_CURRENT_USER\Software\Classes\VirtualStore. LUAFV is a file-system minifilter that silently (the application doesn't know) redirects writes aimed at protected locations (%ProgramFiles%, %ProgramData% and %SystemRoot%) to a per-user copy. So when the application tries to write its configuration to "C:\Windows\System32\lame_app_config.ini", the write actually lands in "C:\Users\<user_name>\AppData\Local\VirtualStore\Windows\System32\lame_app_config.ini" (the VirtualStore tree mirrors the protected path with the drive letter stripped), and later reads by the same virtualized process are served from the VirtualStore copy first, falling back to the real file if there is none. A few things are never virtualized: 64-bit processes, processes that run elevated or as a service, processes whose executable carries a manifest with a requestedExecutionLevel, and files with executable extensions such as .exe, .dll and .sys. Note what this means for security: the "system" configuration a virtualized application thinks it wrote is sitting in a user-writable directory, so anything running as that user can change it, while any process that is not virtualized (a service, an elevated process) reads the real, unredirected path and never sees those changes. LUAFV has been part of the operating system since Vista and ships in the box on both server and client.
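The quickest way to find out what has been silently redirected for the current user is to walk the VirtualStore tree and map each file back to the protected path it shadows. The script below is an added example, not code from the original post; it assumes the VirtualStore layout described above (protected path with the drive letter stripped, protected locations on %SystemDrive%) and uses a function name of my own, Get-VirtualStoreShadow.

```powershell
# Added example (not from the original post): list every file in the current
# user's VirtualStore, work out which protected path it shadows, and report
# whether the real file exists and whether the two copies differ.
# Assumption: VirtualStore\Windows\System32\x.ini shadows C:\Windows\System32\x.ini,
# i.e. the tree mirrors the protected path on %SystemDrive% minus the drive letter.
function Get-VirtualStoreShadow {
    [CmdletBinding()]
    param(
        [string]$VirtualStore = (Join-Path $env:LOCALAPPDATA 'VirtualStore')
    )
    if (-not (Test-Path -LiteralPath $VirtualStore)) {
        Write-Verbose "No VirtualStore at $VirtualStore; nothing has been virtualized for this user."
        return
    }
    $root = (Get-Item -LiteralPath $VirtualStore).FullName.TrimEnd('\')

    Get-ChildItem -LiteralPath $root -Recurse -File | ForEach-Object {
        $relative  = $_.FullName.Substring($root.Length + 1)     # Windows\System32\x.ini
        $real      = Join-Path "$env:SystemDrive\" $relative      # C:\Windows\System32\x.ini
        $exists    = Test-Path -LiteralPath $real -PathType Leaf
        $identical = $false
        if ($exists) {
            # Compare content, not timestamps: a non-virtualized service may have
            # rewritten the real file since the shadow copy was made.
            $a = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            $b = (Get-FileHash -LiteralPath $real -Algorithm SHA256).Hash
            $identical = ($a -eq $b)
        }
        [pscustomobject]@{
            VirtualCopy = $_.FullName
            RealPath    = $real
            RealExists  = $exists     # $false: the app "created" a system file that only it can see
            SameContent = $identical  # $false: a virtualized writer and a real reader disagree
            LastWritten = $_.LastWriteTime
        }
    }
}

# Usage: show only the shadow copies that diverge from (or have no) real counterpart,
# which is exactly the situation where a virtualized writer and an unvirtualized
# reader are looking at different files.
Get-VirtualStoreShadow | Where-Object { -not $_.SameContent } | Format-Table -AutoSize
```

Run it as the user whose application is misbehaving; VirtualStore is per user, so an administrator's profile tells you nothing about what a standard user's processes have been writing. Any row with SameContent = $false is a file that some process running as that user can edit without touching the protected location at all.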

My first encounter with LUAFV was a while back when I was using the BEST file manager known to man (and possibly dolphins and other species), FAR, to write a configuration file to a protected system location to be used by a service. I was writing to the file and my service seemed to ignore everything I wrote... It was a pain to figure out and it drove me crazy until I remembered LUAFV. It turned out far.exe was virtualized while the service was not (so FAR wrote to my user path while the service read the real path). To check whether an application is virtualized (and even to switch it from virtualized to not virtualized) one can use the Task Manager:

[Screenshot UAC_1: Task Manager's Processes tab with the "User Account Control (UAC) Virtualization" column enabled]

Please note that the "User Account Control (UAC) Virtualization" column is not shown by default; you need to select it from View->Select Columns. Right-clicking a process gives you a "UAC Virtualization" entry that toggles the flag for that running process only; it is not remembered across restarts of the program.
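Task Manager's column is a front end for two flags on the process token, and you can read or flip them yourself, which is handy when you need to check a batch of processes or a machine without a desktop session. The script below is an added example, not part of the original post; the C# helper class TokenVirt and the two function names are mine, the constants are the documented TOKEN_INFORMATION_CLASS values (TokenVirtualizationAllowed = 23, TokenVirtualizationEnabled = 24), and it assumes you can open the target process (your own processes work without elevation; other users' processes need an elevated shell). That TOKEN_ADJUST_DEFAULT is the access right needed for the set operation is my assumption.

```powershell
# Added example (not from the original post): read and change the per-process
# virtualization flag that Task Manager's "UAC Virtualization" column shows,
# via the token APIs the column is built on.
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public static class TokenVirt
{
    public const uint TOKEN_QUERY          = 0x0008;
    public const uint TOKEN_ADJUST_DEFAULT = 0x0080;   // assumed sufficient for the set call
    public const int  TokenVirtualizationAllowed = 23; // TOKEN_INFORMATION_CLASS
    public const int  TokenVirtualizationEnabled = 24;

    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool OpenProcessToken(IntPtr process, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool GetTokenInformation(IntPtr token, int cls, out uint value, uint size, out uint returned);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool SetTokenInformation(IntPtr token, int cls, ref uint value, uint size);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr handle);
}
'@

function Get-ProcessVirtualization {
    param([Parameter(Mandatory)][int]$ProcessId)
    $proc = Get-Process -Id $ProcessId
    $tok  = [IntPtr]::Zero
    if (-not [TokenVirt]::OpenProcessToken($proc.Handle, [TokenVirt]::TOKEN_QUERY, [ref]$tok)) {
        throw "OpenProcessToken failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    try {
        [uint32]$allowed = 0; [uint32]$enabled = 0; [uint32]$len = 0
        [void][TokenVirt]::GetTokenInformation($tok, [TokenVirt]::TokenVirtualizationAllowed, [ref]$allowed, 4, [ref]$len)
        [void][TokenVirt]::GetTokenInformation($tok, [TokenVirt]::TokenVirtualizationEnabled, [ref]$enabled, 4, [ref]$len)
        [pscustomobject]@{
            Id      = $ProcessId
            Name    = $proc.ProcessName
            Allowed = [bool]$allowed   # $false for elevated, 64-bit, service or manifested processes
            Enabled = [bool]$enabled   # the value Task Manager displays
        }
    } finally { [void][TokenVirt]::CloseHandle($tok) }
}

function Set-ProcessVirtualization {
    param([Parameter(Mandatory)][int]$ProcessId, [Parameter(Mandatory)][bool]$Enabled)
    $state = Get-ProcessVirtualization -ProcessId $ProcessId
    if (-not $state.Allowed) {
        throw "Virtualization is not allowed for PID $ProcessId; the flag cannot be changed."
    }
    $proc = Get-Process -Id $ProcessId
    $tok  = [IntPtr]::Zero
    $access = [TokenVirt]::TOKEN_QUERY -bor [TokenVirt]::TOKEN_ADJUST_DEFAULT
    if (-not [TokenVirt]::OpenProcessToken($proc.Handle, $access, [ref]$tok)) {
        throw "OpenProcessToken failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    try {
        [uint32]$value = if ($Enabled) { 1 } else { 0 }
        if (-not [TokenVirt]::SetTokenInformation($tok, [TokenVirt]::TokenVirtualizationEnabled, [ref]$value, 4)) {
            throw "SetTokenInformation failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
        }
    } finally { [void][TokenVirt]::CloseHandle($tok) }
    Get-ProcessVirtualization -ProcessId $ProcessId
}

# Usage: find every running far.exe that is being virtualized and switch it off.
Get-Process -Name far -ErrorAction SilentlyContinue |
    ForEach-Object { Get-ProcessVirtualization -ProcessId $_.Id } |
    Where-Object { $_.Enabled } |
    ForEach-Object { Set-ProcessVirtualization -ProcessId $_.Id -Enabled $false }
```

Allowed = $false with Enabled = $false is the normal state for anything that was never a candidate for virtualization (64-bit, elevated, a service, or manifested, as the previous section lists), so a process that shows "Not allowed" in Task Manager is not one you need to fix. Like the Task Manager toggle, the change applies to the running process only.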

So once you've found that your process is virtualized (and you probably don't want your file manager virtualized) it's an easy fix to disable virtualization for that process. But what if you never want a certain process to be virtualized (like FAR in my case)? Well, you need to create a manifest that declares a requestedExecutionLevel and attach it to the executable. A process whose executable has such a manifest is treated as "UAC aware" and is never virtualized, whatever the Task Manager setting says. An external far.exe.manifest file next to the binary also works on Vista and later (as long as the binary has no embedded manifest of its own), but I embedded it because I don't like keeping extra files around. Manifests are not my strong suit, but all the information you need (and more) is available from MSDN if you search for "Create and Embed an Application Manifest". I also found a very short tutorial here. The manifest I created for far.exe looks like this:

<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity version="1.0.0.0" name="Far.exe"/>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
    <security>
      <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3">
        <!-- The presence of requestedExecutionLevel is what marks the program as
             UAC-aware and switches file and registry virtualization off for it.
             level="asInvoker": run with the caller's token, no elevation prompt.
             uiAccess="false": no access to higher-integrity windows (the default). -->
        <requestedExecutionLevel level="asInvoker" uiAccess="false"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>
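Embedding the manifest above and proving it took is a short job with mt.exe from the Windows SDK. The script below is an added example and not part of the original post; it assumes mt.exe is on PATH, that the manifest was saved as far.exe.manifest in FAR's directory, and that FAR lives in C:\Program Files\Far (a location I picked for the example). Run it from an elevated PowerShell: powershell.exe is itself manifested, so it is never virtualized, and a non-elevated write into Program Files simply fails with Access Denied.

```powershell
# Added example (not from the original post): embed far.exe.manifest into far.exe,
# read the manifest back out of the binary to confirm it declares an execution
# level, and show what the change does to the Authenticode signature.
# Assumptions: mt.exe on PATH, manifest saved next to the binary, FAR installed
# in the directory below.
$FarDir   = 'C:\Program Files\Far'                 # assumed install location
$Exe      = Join-Path $FarDir 'far.exe'
$Manifest = Join-Path $FarDir 'far.exe.manifest'

# 1. Keep the original: embedding a resource rewrites the file in place.
Copy-Item -LiteralPath $Exe -Destination "$Exe.orig" -Force

# 2. Signature status before the change (Valid, NotSigned, ...).
$before = (Get-AuthenticodeSignature -FilePath $Exe).Status

# 3. Embed as RT_MANIFEST resource id 1, the id the loader reads for an .exe.
& mt.exe -nologo -manifest $Manifest -outputresource:"$Exe;#1"
if ($LASTEXITCODE -ne 0) { throw "mt.exe failed with exit code $LASTEXITCODE" }

# 4. Extract the embedded manifest again and verify the one line that matters.
$check = Join-Path $env:TEMP 'far.embedded.manifest'
& mt.exe -nologo -inputresource:"$Exe;#1" -out:$check
if ($LASTEXITCODE -ne 0) { throw "mt.exe could not read the manifest back (exit code $LASTEXITCODE)" }
if (-not (Select-String -LiteralPath $check -Pattern 'requestedExecutionLevel' -Quiet)) {
    throw 'Embedded manifest has no requestedExecutionLevel; the process will still be virtualized.'
}

# 5. Signature status after. A previously signed binary now reports HashMismatch:
#    you have traded the vendor's signature for the manifest, so expect whitelisting
#    or AppLocker-style publisher rules to stop trusting this copy.
$after = (Get-AuthenticodeSignature -FilePath $Exe).Status
"Manifest embedded. Signature: $before -> $after"
```

After this, a freshly started far.exe shows "Not allowed" in Task Manager's UAC Virtualization column rather than "Enabled", and files it writes under %SystemRoot% or %ProgramFiles% either go to the real location or fail with Access Denied, which is the behaviour you want from a file manager.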


I hope this helps.
