We are glad to publish the first blog post in our new App-V 5.0 advanced techniques series. Today we will look at the new ability to execute programs and scripts, and at how to use it to deploy shims properly.
With App-V 4.6 you couldn't really benefit from shims, because there was no event action from which you could trigger an elevated process (all actions ran in the current user's context).
There was actually an article from Microsoft about it here: http://technet.microsoft.com/en-gb/magazine/ff458340.aspx
However, that approach was limited to environments where users DO have administrative privileges, which is not the case in most enterprises.
There are of course other solutions, like maintaining the shims centrally or deploying them with some classic approach. However, most customers really want to keep everything inside the package and prefer to use per-user deployment only.
If you don't have a clue what shims or the ACT (Application Compatibility Toolkit) are all about, stop here and check out this comprehensive article first:
http://msdn.microsoft.com/de-ch/library/windows/desktop/dd562082(v=vs.85).aspx
As you may already know, Microsoft introduced the ability to execute “actions” under the “System” account for certain events:
Source: http://www.tmurgent.com/TmBlog/?p=1154
Our example today is a self-made application called AdminRequired. Yes, it's just an example application, which we will use to see our shims in action!
The application simply tries to elevate (Vista+, requireAdministrator as the requested execution level) and afterwards makes a deprecated API call to verify whether the current user has administrative privileges.
In this example application I used the IsUserAnAdmin function from Shell32.dll (Source: http://goo.gl/EPjxG). As you can imagine, this isn’t a real-world scenario, but it will help us demonstrate the shim fixes.
We are glad to provide you with this application so you can try the tutorial for yourself.
Download: AdminRequired.msi
Let's examine our application!
As always, we start by installing the application without using the sequencer. Why, you ask?
App-V is not an application compatibility framework or anything similar!
Since we already know that our program will cause trouble, we should fix those issues first!
I recommend using a Windows Vista+ machine with UAC enabled for this demonstration. After the installation, log in as an unprivileged (non-admin) user and try to start the application.
The following screen will appear:
The application is requesting elevation, and because the current user does not have administrative privileges, the prompt proposes the local admin account.
This, however, can be easily fixed. To proceed with our application, we simply open a new cmd window and set the __COMPAT_LAYER environment variable to “RunAsInvoker” to override the originally requested execution level:
The program now starts without any UAC prompt, but our API call still fails:
Let's shim it!
The only way to implement a workaround for this is to use the Application Compatibility Toolkit (ACT for short). The newest version can be obtained from the Windows Assessment and Deployment Kit (ADK).
Install this tool (only the Application Compatibility Toolkit feature is required) on your workstation or virtual machine and run the Compatibility Administrator; in our case the 32-bit variant, because our executable is a 32-bit executable.
Then we need to create our “Application Fix”. Right-click “New Database” -> “Create New” -> “Application Fix…”
Fill in the information as shown in the screenshot. Let's proceed with “Next >”.
The first fix (no UAC prompt) is applied by enabling the predefined compatibility mode “RunAsInvoker”. For our deprecated API, however, we still need another fix. “Next >”.
“ForceAdminAccess” shims various API calls that check whether the current user has administrative privileges. Once it is enabled for our application, it will catch our API call and always return true. More information: http://technet.microsoft.com/en-us/library/cc766024(v=ws.10).aspx. Let's continue!
The proposed matching information should usually suit your needs. Click “Finish”.
Our “Shim DB” is now finished and should look like this:
Now save this database with the name “AdminRequired.sdb”.
Include it in our App-V Package
Now we can start sequencing our application. This should be easy, and you may follow “common sequencing best practices” to create your package.
Open the package in the sequencer (editing mode) and add the shim database you created to the Scripts folder:
Result:
Save the package. We are now ready to adjust the deployment config file to install and uninstall the shim database when the package is added or removed.
Implement the Action
In our example we implement the required action in the deployment XML file (appvname_DeploymentConfig.xml).
Adjust the file as follows:
I recommend using an editor with XML syntax highlighting; otherwise the risk of introducing typos or missing other vital elements is very high. If the XML is malformed, it will simply fail and have no effect on the client machine.
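Because a malformed config fails without any effect, and because machine scripts run under the System account, it is worth checking the file before importing it. The following is an added example, not the configuration from the original post: the embedded XML is a constructed sample, and the sdbinst.exe arguments, the `[{AppVPackageRoot}]\..\Scripts` path, the timeouts and the function name `Get-AppVMachineScript` are assumptions.

```powershell
# Constructed sample config (assumption: not the original post's XML).
# AddPackage installs the shim database, RemovePackage uninstalls it (-u).
$sample = @'
<DeploymentConfiguration PackageId="00000000-0000-0000-0000-000000000000"
    DisplayName="AdminRequired"
    xmlns="http://schemas.microsoft.com/appv/2010/deploymentconfiguration">
  <MachineConfiguration>
    <MachineScripts>
      <AddPackage>
        <Path>sdbinst.exe</Path>
        <Arguments>-q "[{AppVPackageRoot}]\..\Scripts\AdminRequired.sdb"</Arguments>
        <Wait RollbackOnError="true" Timeout="30"/>
      </AddPackage>
      <RemovePackage>
        <Path>sdbinst.exe</Path>
        <Arguments>-q -u "[{AppVPackageRoot}]\..\Scripts\AdminRequired.sdb"</Arguments>
        <Wait RollbackOnError="false" Timeout="60"/>
      </RemovePackage>
    </MachineScripts>
  </MachineConfiguration>
</DeploymentConfiguration>
'@

# Hypothetical helper: fails loudly on malformed XML, then lists every
# machine script the config would run under the System account.
function Get-AppVMachineScript {
    param([Parameter(Mandatory)][string]$XmlText)
    try { $doc = [xml]$XmlText }   # the cast throws if the XML is not well-formed
    catch { throw "Config is not well-formed XML: $($_.Exception.Message)" }
    # local-name() keeps the query independent of the namespace declaration
    foreach ($n in $doc.SelectNodes("//*[local-name()='MachineScripts']/*")) {
        [pscustomobject]@{
            Event     = $n.LocalName
            Path      = $n.SelectSingleNode("*[local-name()='Path']").InnerText
            Arguments = $n.SelectSingleNode("*[local-name()='Arguments']").InnerText
        }
    }
}

Get-AppVMachineScript -XmlText $sample | Format-Table -AutoSize
```

For a real file, pass `(Get-Content -Raw <path to _DeploymentConfig.xml>)` as `-XmlText`; an empty result means the config contains no machine scripts at all.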
Test / Run it: App-V Streaming Server
Import the package into the console and make sure that you overwrite the default configuration with your adjusted deployment_config.xml (this won't happen automatically).
Edit the default configuration…
and Import your customized XML File:
Test / Run it: PowerShell cmdlets
Import and activate the package. Don't forget to specify the _DeploymentConfig.xml, otherwise the information won't be applied!
Add-AppVClientPackage -Path c:\Path\To\MyApp.appv -DynamicDeploymentConfiguration c:\Path\To\_DeploymentConfig.xml | Publish-AppVClientPackage
You should be able to test the result for your own now 🙂
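To confirm that the add-package action really installed the shim database, you can read the registry locations where Windows records databases installed with sdbinst.exe. This is an added example, not part of the original post; the function name `Get-InstalledShimDatabase` and the `AdminRequired*` filter (the executable's exact file name is not given above) are assumptions.

```powershell
$base = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags'

# Hypothetical helper: maps each shimmed executable to the custom
# database(s) registered for it, with description and file path.
function Get-InstalledShimDatabase {
    # Index installed databases by GUID ("{...}" subkey names under InstalledSDB)
    $installed = @{}
    Get-ChildItem "$base\InstalledSDB" -ErrorAction SilentlyContinue | ForEach-Object {
        $installed[$_.PSChildName] = Get-ItemProperty $_.PSPath
    }
    # Each subkey of Custom is an executable name; its value names are "<GUID>.sdb"
    Get-ChildItem "$base\Custom" -ErrorAction SilentlyContinue | ForEach-Object {
        $exe = $_.PSChildName
        foreach ($valueName in $_.GetValueNames()) {
            $guid = $valueName -replace '\.sdb$', ''
            $db   = $installed[$guid]   # $null if the database entry is missing
            [pscustomobject]@{
                Executable  = $exe
                DatabaseId  = $guid
                Description = $db.DatabaseDescription
                Path        = $db.DatabasePath
            }
        }
    }
}

# Assumption: the executable's file name starts with "AdminRequired"
Get-InstalledShimDatabase | Where-Object Executable -like 'AdminRequired*' | Format-List
```

Run without the filter, the same function gives an inventory of every custom shim database on the machine, which is useful for checking that removing the package also removed its entry.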
It's NOT working!
It is! Did you forget to enable script execution in/for App-V 5.0? (PackageScripts)
PowerShell cmdlet:
Set-AppVClientConfiguration -EnablePackageScripts 1
Regards,
SPA Team