Thursday, November 26, 2015

UAC and App-V 5.0 Demystified

There are some methods through which we can suppress UAC prompts when virtualizing using
App-V 5.0. You can try the below methods which ever suits your need.

1. SET __COMPAT_LAYER:

Edit the sequenced shortcut and add the below command.
cmd.exe /c “SET __COMPAT_LAYER=RunAsInvoker & START Appname.exe”



Note: There is a space in between SET and __COMPAT_LAYER. If you didn't leave any space it will throw an error.

"SET' is not recognized as an internal or external command.

2. Registry Method:

Right click on the shortcut and select properties-compatibility-privilege level- run as admin-apply. This will create a registry entry in the HKCU\HKLM based upon User/Machine selection.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\AppCompatFlags\Layers (or)

HKEY_Current_User\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\AppCompatFlags\Layers



Export the registry key and add it in the deployment config file and register it in the local machine.


NOTE: Enable script execution prior to adding the virtual package.

Set-AppVClientConfiguration –EnablePackageScripts 1

3. SHIMS:

Using Application compatibility toolkit, we can create shims to suppress the UAC prompt for an application.Install the ACT tool first and open the 32 bit compatibility administrator (since we are going to create shim for a 32 bit application).

Click on New Database - Create new- Application fix.


Select the required compatibility mode.In this example we have used RunAsInvoker.


Click Next.


Click finish to create the .sdb file.After creating open the package in the sequencer machine to add this .sdb file under scripts folder using package editor.



Save the package.Now edit the deployment config.xml file and add the script to trigger the shim database installation.




NOTE: Enable script execution prior to adding the virtual package.

Set-AppVClientConfiguration –EnablePackageScripts 1

4. Manifest File:( I usually go with this only at the worst case if none of the above methods helped me)

Usually developers create a manifest file which tells the executable as how to request the execution.
There are two types of manifest file. They are Internal/External manifest file.


If the application has an external manifest file then it is easy to edit it and suppress the UAC prompt.
Usually external manifest will have the same executable name ending with .manifest.

                           

We can edit the file using notepad and change the requestedExecutionLevel from "requireAdministrator"  to "asInvoker" or remove the requestedExecutionLevel tag completely.By this way we can easily suppress UAC.


If there is no external manifest file seen, then it will be an embedded one within the executable. Use Resource hacker or PEExplorer tool to open up the executable. After opening you can see the requestedExecutionLevel tag in the manifest. In the example below I used Resource hacker tool to open the shortcut exe.



Change the level to "asInvoker" or you can completely remove the  requestedExecutionLevel tag and compile it and save. After doing these steps manually,test once. Now your application should work fine without any UAC prompt.

If there is no external manifest file or embedded one, then you can create a new external manifest file with the same name as the executable ending with .manifest.
For example, if the main executable name is abc.exe, then the external manifest file name should be abc.exe.manifest and should be kept in the same folder. Edit the abc.exe.manifest file and create the <requestedExecutionLevel> with asInvoker as mentioned earlier.


NOTE: From vista or above if the .exe already has embedded manifest, then the external manifest will be ignored and embedded manifest is used. (This is opposite from XP case. on XP, external manifest is used and internal is ignored.)

5. SET__COMPAT_LAYER Environment Variable:

This is pretty old way. During monitoring with the sequencer, open up a elevated CMD and type in the below command.

setx __COMPAT_LAYER RunAsInvoker /m

setx = creates or modifies environment variables.
__COMPAT_LAYER = Variable.
RunAsInvoker = value.
/m = specifies that variable should be set for system wide(HKLM)

This creates an environmental variable in the package. In the configuration phase edit the shortcut and add c:\windows\system32\cmd.exe /c "START abc.exe" or c:\windows\system32\cmd.exe /c START "" abc.exe.

                 
      
After publishing, the shortcut will look like this. When launching, it will open up CMD which will have the environment variable loaded inside and then start the main exe. Now the shortcut will work without UAC.

                         
Thanks to Dan Gough and other App-V MVP's for providing different solutions which helped me to write up this blog.

Tuesday, November 24, 2015

Hot Fix 1 released for App-v 5.1

Hot fix 1 has been released for App-v 5.1 and it has some new advantages over the earlier version.

Check out the official release notes in the below link.

https://support.microsoft.com/en-us/kb/3115834

Monday, November 2, 2015

Failed to open the WMI namespace [root\AppV].Error (0x8004100e) - App-V 5.0

Option 1 - Reinstall the App-V Client in the machine to resolve the wmi namespace issue.

Option 2 - If you want to avoid reinstalling the App-V client, then try to reinitialize the wmi namespace. This can be done by using the below commands and running it in an elevated CMD.

mofcomp "C:\Program Files\Microsoft Application Virtualization\Client\AppvClientWmiProvider\Remove.Microsoft.Appv.AppvClientWmi.mof"


mofcomp "C:\Program Files\Microsoft Application Virtualization\Client\AppvClientWmiProvider\Microsoft.Appv.AppvClientWmi.mof"


Option 3 - Alternatively check in wmimgmt.msc and restore appv wmi namespace.The below link is pretty old but should work.

Application in use & Unpublish - App-V 5.1

Question : What happens when we unpublish an application that is in use in App-V 5.1? We see that the unpublish is getting failed, but when we launch the shortcut, it doesn't work.What is the issue?

Answer : Lets take an example by publishing the Mozilla Firefox App-V 5.0 package in a standalone machine using Powershell. Launched the shortcut and everything works fine. Now tried to unpublish by keeping mozilla firefox open(in-use).We are seeing the below "Currently in use" error.


We can see that the unpublishing has failed. Nothing has changed to the mozilla application. Shortcuts are seen in the Start menu etc. But when we try to launch the shortcut, we see this error.


When analyzed more by checking in event viewer, we see the below entry.


The package has been scheduled to be unpublished during restart/reboot. How this works?
The App-V client creates an entry in pendingtasks registry for the particular application with its ProductGUID_VersionGUID.


REASON: 

With App-V 5.0 SP2 or higher, App-V packages that are being used cannot be unpublished. It will be made to unpublish automatically during restart/reboot if globally published and unpublish during logoff/login if published to the user. This is handled by making a PendingTasks entry to the following registries.

Global Publish - HKEY_LOCAL_MACHINE\Software\Microsoft\AppV\Client\PendingTasks 

User Publish - HKCU\Software\Microsoft\AppV\Client\PendingTasks

Prior to App-V 5.0 SP2, Application in use cannot be unpublished. It can be done only by closing the application and then unpublishing it again.