SHIMs and APP-V 5.0

We are glad to publish the first blog post in our new App-V 5.0 advanced techniques series. Today we will look at the new ability to execute programs and scripts, and at how to implement shims properly with it.

With App-V 4.6 you couldn't really benefit from shims, because there was no event action from which you could trigger an elevated process (all actions ran in the current user's context).

There was actually an article from Microsoft about it here: http://technet.microsoft.com/en-gb/magazine/ff458340.aspx

However, this was limited to environments where users DO have administrative privileges, which does not apply to most enterprises.

There are of course other solutions, like maintaining the shims centrally or deploying them with some classic approach. However, most customers really want to keep everything inside the package and prefer to use per-user deployment only.

If you don't have a clue what shims or ACT (Application Compatibility Toolkit) are all about, stop here and check out this comprehensive article first:

http://msdn.microsoft.com/de-ch/library/windows/desktop/dd562082(v=vs.85).aspx

As you may already know, Microsoft introduced the ability to execute “actions” under the “System” account for certain events:

Source: http://www.tmurgent.com/TmBlog/?p=1154

Our example today is a self-made application called AdminRequired. Yes, it's just an example application, which we will use to see our shims in action!

The application basically just tries to elevate (Vista+, with requireAdministrator as the requested execution level) and afterwards makes a deprecated API call to verify whether the current user has administrative privileges.
In this example application I used the IsUserAnAdmin function from Shell32.dll (Source: http://goo.gl/EPjxG). As you can imagine, this isn’t really a real-world scenario, but it will help us demonstrate the shim fixes.

We are glad to provide you with this application so you can try the tutorial for yourself.

Download: AdminRequired.msi

Let's examine our application!

As always, we start by installing the application without using the sequencer. Why, you ask?

App-V is not an application compatibility framework or anything similar!

As we already know that our program will cause trouble, we should fix those issues first!

I recommend using a Windows Vista+ machine with UAC enabled for this demonstration. After the installation, log in as an unprivileged (non-admin) user and try to start the application.

The following screen will appear:


The application requests elevation, and because the current user does not have administrative privileges, the prompt proposes the local admin account.

This, however, can easily be fixed. To proceed with our application, we simply open a new cmd window and set the __COMPAT_LAYER environment variable to “RunAsInvoker” to override the original execution level request:

The program now starts without any UAC prompt; however, our API call still fails:


Let's shim it!

The only way to implement a workaround for this is to use the Application Compatibility Toolkit (ACT for short). The newest version can be obtained from the Windows Assessment and Deployment Toolkit (ADK).

Install this tool (only the Application Compatibility Toolkit feature is required) on your workstation or virtual machine and run the Compatibility Administrator, in our case the 32-bit variant because our executable is 32-bit.


Then we need to create our “Application Fix”. Right-click “New Database” -> “Create New” -> “Application Fix…”


Fill in the information as shown on the screenshot. Let's proceed with “Next >”.


The first fix (no UAC prompt) is applied by enabling the predefined compatibility mode “RunAsInvoker”. However, for our deprecated API we still need another fix. “Next >”.


“ForceAdminAccess” shims various API calls that check whether the current user has administrative privileges. With it enabled for our application, it will catch our API call and always return true. More information: http://technet.microsoft.com/en-us/library/cc766024(v=ws.10).aspx. Let's continue!


The proposed matching information should usually suit your needs. Click “Finish”.

Our “Shim DB” is now finished and should look like this:


Save this database now under the name “AdminRequired.sdb”.

Include it in our App-V Package

Now we can start sequencing our application. This should be easy, and you may follow “common sequencing best practices” to create your package.

Open the package in the sequencer (Editing-Mode) and add your created shim database into the scripts folder:


Save the package. We are now ready to adjust the deployment config file so that the shim is installed and uninstalled upon package import.

Implement the Action

In our example we implement the required action in the deployment XML file (appvname_DeploymentConfig.xml).

Adjust the file as follows:

I recommend using an editor with XML syntax highlighting; otherwise the risk of introducing typos or missing other vital elements is very high. If the XML is malformed, it will simply fail and have no effect on the client machine.
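Because a malformed file fails silently, it helps to check the configuration before importing it. The following is an added example, not code from the original post: a PowerShell function that parses a deployment configuration and confirms that sdbinst.exe is wired into both the AddPackage and RemovePackage machine scripts. The embedded XML fragment is constructed; its sdbinst.exe arguments, the timeouts and the function name Test-ShimDeploymentConfig are assumptions.

```powershell
# Constructed sample: a trimmed DeploymentConfig.xml fragment. The sdbinst.exe
# arguments and timeouts are assumptions, not the values from the original post.
$sample = @'
<DeploymentConfiguration xmlns="http://schemas.microsoft.com/appv/2010/deploymentconfiguration">
  <MachineConfiguration>
    <MachineScripts>
      <AddPackage>
        <Path>sdbinst.exe</Path>
        <Arguments>-q "[{AppVPackageRoot}]\..\Scripts\AdminRequired.sdb"</Arguments>
        <Wait RollbackOnError="true" Timeout="30" />
      </AddPackage>
      <RemovePackage>
        <Path>sdbinst.exe</Path>
        <Arguments>-q -u "[{AppVPackageRoot}]\..\Scripts\AdminRequired.sdb"</Arguments>
        <Wait RollbackOnError="false" Timeout="60" />
      </RemovePackage>
    </MachineScripts>
  </MachineConfiguration>
</DeploymentConfiguration>
'@

function Test-ShimDeploymentConfig {
    param([Parameter(Mandatory)][string]$XmlText,
          [Parameter(Mandatory)][string]$SdbName)
    # A malformed file has no effect on the client, so parse it first.
    try { $doc = [xml]$XmlText }
    catch { return "Malformed XML: $($_.Exception.Message)" }

    $scripts = $doc.DeploymentConfiguration.MachineConfiguration.MachineScripts
    if (-not $scripts) { return 'No <MachineScripts> element found' }

    $problems = @()
    foreach ($evt in 'AddPackage', 'RemovePackage') {
        $node = $scripts.$evt
        if (-not $node) { $problems += "Missing <$evt>"; continue }
        if ($node.Path -notmatch 'sdbinst(\.exe)?$') { $problems += "<$evt> does not call sdbinst.exe" }
        if ($node.Arguments -notlike "*$SdbName*") { $problems += "<$evt> does not reference $SdbName" }
        # Without -u on removal, the shim database stays installed on the machine.
        if ($evt -eq 'RemovePackage' -and $node.Arguments -notmatch '(^|\s)[-/]u(\s|$)') {
            $problems += '<RemovePackage> lacks the -u (uninstall) switch'
        }
    }
    if ($problems) { $problems } else { 'OK' }
}

Test-ShimDeploymentConfig -XmlText $sample -SdbName 'AdminRequired.sdb'
```

To check a real file, pass its contents with `-XmlText (Get-Content -Raw <path>)`.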

Test / Run it: App-V Streaming Server

Import the package into the console and ensure that you overwrite the default configuration with your adjusted deployment_config.xml (this won't happen automatically).

Edit the default configuration…


and import your customized XML file:

Test / Run it: PowerShell cmdlets

Import and activate the package. Don't forget to specify the _DeploymentConfig.xml, otherwise the information won't be applied!

Add-AppVClientPackage -Path c:\PathTo\MyApp.appv -DynamicDeploymentConfiguration c:\PathTo\_DeploymentConfig.xml | Publish-AppVClientPackage

You should now be able to test the result for yourself 🙂

It's NOT working!

It is! Did you forget to enable script execution in App-V 5.0 (PackageScripts)?

PowerShell cmdlet:

Set-AppVClientConfiguration -EnablePackageScripts 1

Regards,

SPA Team
