UAC and App-V 5.0 Demystified

There are some methods through which we can suppress UAC prompts when virtualizing using
App-V 5.0. You can try the below methods which ever suits your need.

1. SET __COMPAT_LAYER:

Edit the sequenced shortcut and add the below command.
cmd.exe /c “SET __COMPAT_LAYER=RunAsInvoker & START Appname.exe”



Note: There is a space in between SET and __COMPAT_LAYER. If you didn't leave any space it will throw an error.

"SET' is not recognized as an internal or external command.

2. Registry Method:

Right click on the shortcut and select properties-compatibility-privilege level- run as admin-apply. This will create a registry entry in the HKCU\HKLM based upon User/Machine selection.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\AppCompatFlags\Layers (or)

HKEY_Current_User\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\AppCompatFlags\Layers



Export the registry key and add it in the deployment config file and register it in the local machine.


NOTE: Enable script execution prior to adding the virtual package.

Set-AppVClientConfiguration –EnablePackageScripts 1

3. SHIMS:

Using Application compatibility toolkit, we can create shims to suppress the UAC prompt for an application.Install the ACT tool first and open the 32 bit compatibility administrator (since we are going to create shim for a 32 bit application).

Click on New Database - Create new- Application fix.


Select the required compatibility mode.In this example we have used RunAsInvoker.


Click Next.


Click finish to create the .sdb file.After creating open the package in the sequencer machine to add this .sdb file under scripts folder using package editor.



Save the package.Now edit the deployment config.xml file and add the script to trigger the shim database installation.




NOTE: Enable script execution prior to adding the virtual package.

Set-AppVClientConfiguration –EnablePackageScripts 1

4. Manifest File:( I usually go with this only at the worst case if none of the above methods helped me)

Usually developers create a manifest file which tells the executable as how to request the execution.
There are two types of manifest file. They are Internal/External manifest file.


If the application has an external manifest file then it is easy to edit it and suppress the UAC prompt.
Usually external manifest will have the same executable name ending with .manifest.

                           

We can edit the file using notepad and change the requestedExecutionLevel from "requireAdministrator"  to "asInvoker" or remove the requestedExecutionLevel tag completely.By this way we can easily suppress UAC.


If there is no external manifest file seen, then it will be an embedded one within the executable. Use Resource hacker or PEExplorer tool to open up the executable. After opening you can see the requestedExecutionLevel tag in the manifest. In the example below I used Resource hacker tool to open the shortcut exe.



Change the level to "asInvoker" or you can completely remove the  requestedExecutionLevel tag and compile it and save. After doing these steps manually,test once. Now your application should work fine without any UAC prompt.

If there is no external manifest file or embedded one, then you can create a new external manifest file with the same name as the executable ending with .manifest.
For example, if the main executable name is abc.exe, then the external manifest file name should be abc.exe.manifest and should be kept in the same folder. Edit the abc.exe.manifest file and create the <requestedExecutionLevel> with asInvoker as mentioned earlier.


NOTE: From vista or above if the .exe already has embedded manifest, then the external manifest will be ignored and embedded manifest is used. (This is opposite from XP case. on XP, external manifest is used and internal is ignored.)

5. SET__COMPAT_LAYER Environment Variable:

This is pretty old way. During monitoring with the sequencer, open up a elevated CMD and type in the below command.

setx __COMPAT_LAYER RunAsInvoker /m

setx = creates or modifies environment variables.
__COMPAT_LAYER = Variable.
RunAsInvoker = value.
/m = specifies that variable should be set for system wide(HKLM)

This creates an environmental variable in the package. In the configuration phase edit the shortcut and add c:\windows\system32\cmd.exe /c "START abc.exe" or c:\windows\system32\cmd.exe /c START "" abc.exe.

                 
      
After publishing, the shortcut will look like this. When launching, it will open up CMD which will have the environment variable loaded inside and then start the main exe. Now the shortcut will work without UAC.

                         
Thanks to Dan Gough and other App-V MVP's for providing different solutions which helped me to write up this blog.

Hot Fix 1 released for App-v 5.1

Hot fix 1 has been released for App-v 5.1 and it has some new advantages over the earlier version.

Check out the official release notes in the below link.

https://support.microsoft.com/en-us/kb/3115834

Failed to open the WMI namespace [root\AppV].Error (0x8004100e) - App-V 5.0

Option 1 - Reinstall the App-V Client in the machine to resolve the wmi namespace issue.

Option 2 - If you want to avoid reinstalling the App-V client, then try to reinitialize the wmi namespace. This can be done by using the below commands and running it in an elevated CMD.

mofcomp "C:\Program Files\Microsoft Application Virtualization\Client\AppvClientWmiProvider\Remove.Microsoft.Appv.AppvClientWmi.mof"


mofcomp "C:\Program Files\Microsoft Application Virtualization\Client\AppvClientWmiProvider\Microsoft.Appv.AppvClientWmi.mof"


Option 3 - Alternatively check in wmimgmt.msc and restore appv wmi namespace.The below link is pretty old but should work.

Application in use & Unpublish - App-V 5.1

Question : What happens when we unpublish an application that is in use in App-V 5.1? We see that the unpublish is getting failed, but when we launch the shortcut, it doesn't work.What is the issue?

Answer : Lets take an example by publishing the Mozilla Firefox App-V 5.0 package in a standalone machine using Powershell. Launched the shortcut and everything works fine. Now tried to unpublish by keeping mozilla firefox open(in-use).We are seeing the below "Currently in use" error.


We can see that the unpublishing has failed. Nothing has changed to the mozilla application. Shortcuts are seen in the Start menu etc. But when we try to launch the shortcut, we see this error.


When analyzed more by checking in event viewer, we see the below entry.


The package has been scheduled to be unpublished during restart/reboot. How this works?
The App-V client creates an entry in pendingtasks registry for the particular application with its ProductGUID_VersionGUID.


REASON: 

With App-V 5.0 SP2 or higher, App-V packages that are being used cannot be unpublished. It will be made to unpublish automatically during restart/reboot if globally published and unpublish during logoff/login if published to the user. This is handled by making a PendingTasks entry to the following registries.

Global Publish - HKEY_LOCAL_MACHINE\Software\Microsoft\AppV\Client\PendingTasks 

User Publish - HKCU\Software\Microsoft\AppV\Client\PendingTasks

Prior to App-V 5.0 SP2, Application in use cannot be unpublished. It can be done only by closing the application and then unpublishing it again.

Sequencing VLC Media Player using App-V 5.1

1)  Launch the Microsoft Application Virtualization Sequencer from Start-> All Programs




2)  Select the create package (default) option.


3) Select the "Standard application" type in the type of application to be sequenced.


4)  Select "Perform a custom installation" in the select installer screen and click next.


5) Provide the virtual application name as VLC Media Player and click next.


6) Install the VLC Media player application now.





Uncheck Desktop shortcut option.



Uncheck Run Vlc Media Player option and click finish.


7) Once Installation is completed, Select "I am finished Installing" and click next.

                                   

8) In the configure Phase, launch the required shortcuts and perform custom changes if needed and remove unwanted shortcuts.


Here we have removed all unwanted shortcuts other than the main VLC Media Player shortcut. Launched it and unchecked the check for updates and allow network access.Launched it again to make sure everything is captured in feature block 1.


Click Next.


11) Select stop now to create virtual package and click next.


12) Save the package.

Standalone Powershell Testing in the client side:

Execution Policy should be bypassed first.Then enter the below command in PS to publish the VLC Media Player App-V package.

Add-AppvClientPackage "path to .appv file" | Publish-AppvClientPackage -Global | Mount-AppvClientPackage

Shortcut Location:


Shortcut launch:
                                    
                                 

App-V 5.0/App-V 5.1 Applications not launching when selected "RunAs" option

Question: We have an environment where user has separate login account and for testing purpose there is an administrator account to which we as an administrator login to the published applications for troubleshooting. With App-V 5.0, we are unable to launch by shift+Right clicking on the shortcut and selecting "RunAs" option to troubleshoot. This worked exactly as desired in App-V 4.6 The Applications are published through SCCM 2012 for the users. We are not seeing any error when launching the App-V 5.0 shortcuts using "RunAs". When normally double clicking on the shortcut, it launches fine. What might be the reason?


Reason: The reason is, the App-V 5.0/5.1 application has been published for the user through SCCM 2012. When published for a particular user collection, the application will work only for that users. It won't work for other users. This is the reason why "Run as different user" failed to launch the application.


Solution: If you want your Admin account to launch the shortcut, then it should also be added to the  user collection in the SCCM 2012 console or you may want to publish the application globally to the machine so that all the users and the admin account can launch the shortcut properly.


I have added the user/admin account  to the collection and updated the statistics in SCCM 2012, even then I am not able to use "Run as different user". What might be the cause?


If the deployment is made available to the user, then the application needs to be installed first to all the users in the collection then only "Run as different user" will work for that user account.
For example: user A and user B are in the user collection and the application has been deployed to the user group through SCCM 2012. User A logs in and installs the application as it has been made as available. Launches the shortcut and it works fine. Now tries to launch the shortcut using " RunAs" option and entering User B credentials. It fails to load because the application has not been installed to the User B. After installing the application to the User B and tried to launch the shortcut in User A with User B credentials the application launches fine. This is because the application has been installed for User B. This method is not required if the deployment is made as required in SCCM 2012.


NOTE: When published to the users, the "Run as Administrator" option will work properly as desired. Only the "Run as different user" will fail to launch the shortcut correctly.

Internet Explorer getting crashed after upgrading App-V 5.0 SP2 or SP3 to App-V 5.1

After upgrading from App-V 5.0 Sp2 or App-V SP3 to App-V 5.1 , Internet explorer starts crashing for no reason.

The Application event log shows two possible errors:

1.Faulting module : EMET.DLL
2.Faulting module : NTDLL.DLL

This is a known bug with App-V 5.1. Some possible workaround is to either revert back to 5.0 or follow the below steps.

Solution:

Remove the following lines in the registry and IE 10 / IE 11 will stop crashing.

HKEY_LOCAL_MACHINE / SOFTWARE / Microsoft / AppV / Client /Virtualization

ProcessesUSingVirtualComponents

Data:

%ProgramFiles%\Internet Explorer\iexplorer.exe

%ProgramFiles(x86)%\Internet Explorer\iexplorer.exe


You can also try removing the App-V 5.0 earlier versions manually and then install App-V 5.1 instead of upgrading to avoid this issue.

Though the above said step is just a workaround, it is not a recommended way to bypass this issue. We need to wait for Microsoft to come up with possible fix or service pack soon.

Technet post - https://social.technet.microsoft.com/Forums/en-US/f1bdd607-dd05-450c-90b7-8fcd8b8bccc1/internet-explorer-1011-hangs?forum=mdopappv&prof=required


Management console generates “Could not load file or assembly Newtonsoft.Json” error - App-V 5.1 Support Tip

After upgrading the App-V 5.0 Service Pack 1 Database and Management Server, the following error is generated when loading the App-V management console:


Could not load file or assembly 'Newtonsoft.Json, Version=4.5.0.0, Culture=neutral, PublicKeyToken=30ad4fe6b2a6aeed' or one of its dependencies. The located assembly's manifest definition does not match the assembly reference. (Exception from HRESULT: 0x80131040)


To know more about resolving this issue click on the below official Microsoft TechNet link:


http://blogs.technet.com/b/appv/archive/2015/10/22/app-v-5-1-support-tip-management-console-generates-could-not-load-file-or-assembly-newtonsoft-json-error.aspx

App-V Support Tip: Publishing Server URL is unreachable after upgrade to 5.1

After upgrading App-V 5.0 Management and Publishing servers to App-V 5.1, you may encounter a problem where publishing no longer function properly and the following issues appear:

- Accessing the Publishing URL in Internet Explorer from directly on the Publishing Server (e.g.http://localhost:82, where 82 is the port assigned to the Publishing Server Service) generates the following error message:

The website cannot display the page

- The event below is seen in Event Viewer\Applications and Servers logs\App-V\Server-Publishing-Private\Debug:
Failed to pre-load publishing metadata. 

Message: Object reference not set to an instance of an object. 
Details:  
Stack Trace: 
   at Microsoft.AppV.Server.Publishing.PublishingMetadataSerializer.PackageSerializer.Load(XElement pkgElement, PublishingMetadata& data) 
   at Microsoft.AppV.Server.Publishing.PublishingMetadataSerializer.RootSerializer.Load(XmlReader reader) 
   at Microsoft.AppV.Server.Publishing.PublishingMetadataSerializer.LoadFromFile(String filePath) 
   at Microsoft.AppV.Server.Publishing.DataManager.ProcessRawMetadata() 
   at Microsoft.AppV.Server.Publishing.DataManager.PreLoadPublishingMetadata() 
   at Microsoft.AppV.Server.Publishing.DataManager..ctor()

To know about the cause and the resolution check the below Microsoft Technet link.


Can we sequence application entries installing to both C:\ Drive and E:\ Drive - App-V 5.0

Question : Consider application entries are going to both C:\ Drive and E:\ Drive ..
In this case whether we can go ahead with sequencing this application? as these both locations entries will be reflecting in VFS.

Answer : App-V 5.0 won't support multiple drive entries. Below you can find an example.

start the sequencing steps using App-V sequencer 5.0 SP3.

1. Select create a new virtual package.


2. Select create package.


3. Select standard package.


4. Select custom installation.


5. Enter the virtual package name as test. Click next. In the monitoring phase, Go to c:\programfiles (x86), create a folder named test1 and add a file. eg:1.jpg.

Go to E:\ drive, create a folder named Test2 and place a text file test2.txt.

6. Click "I am finished monitoring"

                                     

7.Select continue to modify the package option and click next.

8. In the package editor select Package Files tab to see the files that were captured during monitoring phase.


Here you can see that only the file that was kept in c:\programfiles (x86)\test1 has been captured in the VFS. 

Conclusion : App-V 5.0 or App-V 5.1 doesn't support file entries installing to multi drive( c:\ and D:\ ) using the sequencer.

Note: However if your application explicitly needs files to be in D:\ or E:\ drive. Simply extract the files from the package and place it in the SCRIPTS section in the package editor. Write a script to copy them to respective D:\ or E:\ drive in the Add/Publish scripts trigger in Deploymentconfig.xml file.Thanks to troubleshooting enthusiastic Vinod Reddy for pointing out this workaround.

APPV_ROOT and APPV_ROOTS - AppV 5.0

Question : When we open CoW local user location we can see that Application has created many folders. Among them we can see two folders with the same name APPV_ROOT & APPV_ROOTS.What is the difference?Any Special reasons why two folders are created?

Answer : When a virtual application requires to make changes to the files or folders during runtime, it does not make changes in package store (%programdata%\App-V).Instead App-V creates Copy on Write (COW) locations and make changes over there during runtime, CoW support both roaming and non-roaming locations.

Roaming CoW Location - %AppData%\Microsoft\AppV\Client\VFS

Local CoW Location - %LocalAppData%\Microsoft\AppV\Client\VFS

In Local CoW location we can see two folders named APPV_ROOT & APPV_ROOTS created during runtime when shortcut makes changes to files/folders.


The S signifies the restricted location when the virtual service requests the change as a different elevated user from the logged on users. The non-S location stores standard user based changes.
In other words from Steve Thomas - Standard users will read and write from the regular directory (with relaxed ACL’s) while elevated processes will read and write to the “S” version.

In a test lab, we have user A named admin who is the local administrator. Lets create four other users USER 1, USER 2, USER 3, USER 4. Among them USER 1 and USER 2 are made as admins and USER 3 and USER 4 are made as standard users. Now Publish the package to the machine globally. When launching the shortcut in admin(local administrator) the runtime files were created in APPV_ROOTS. Launching the shortcut in USER 1 and USER 2, they made changes to APPV_ROOT. The same happens with USER 3 and USER 4 they make changes to APPV_ROOT folder.

Now let us elevate USER 3 and we can see that the changes were written to APPV_ROOTS.

To conclude folders with 'S' (APPV_ROOTS,Common AppDataS, Common ProgramsS,WindowsS etc) are special restricted folders to which only elevated users/Local admin can make changes to.

How to make App-V package to read from or write to the local registry - Appv 5.0

Question : In some cases, application might require to read or write to the native registry locations. In this case how to proceed with App-V 5.0.

Answer : We can make use of PassThroughPaths key located in HKLM\Software\Microsoft\AppV\Subsystem\VirtualRegistry to read or write to local registry.

Usually when an application is launched it reads registry in the following order.

1. COW location.
2. Package location.
3. Native registry.

If we use PassThroughPaths key it can only be read/write from the native registry, bypassing the Package and COW registry locations. Pass-through locations are global to the machine (Not per package) meaning all virtual packages will make use of the path specified in PassThroughPaths to read or write to the local registry.

How to configure : It can configured by adding the path to the key PassThroughPaths in HKLM\Software\Microsoft\AppV\Subsystem\VirtualRegistry which is a REG_MULTI_SZ (Multi string).



Example we are adding HKLM\Software\Test to the PassThroughPaths so that the virtual application sees or writes only to the local registry.


In this case all published virtual applications will make use of local HKLM\Software\Test to read/write.