1. Denis Gundarev
Entisys Solutions
Application Streaming is
dead, what are the options?

2. Agenda
• What is Application Streaming (Virtualization)?
• Application Virtualization internals
• Overview of available solutions

3. Application Isolation Environments
• Was introduced in MetaFrame Presentation Server 4.0 (2005)
• Virtualization layer that redirects system resources
• Virtualizes:
– File system
– Registry
– Named objects (events, semaphores, etc)
• Transparent to the application
• Was a great compatibility aid for:
– Applications which are not multi user friendly
– Applications which have problems coexisting on the same server
– Applications that cannot have multiple instances running simultaneously

4. Launching initial process into AIE
File System Isolation
Isolation Environment
Launcher (aierun.exe)
Registry and
Object Isolation
Application
(eg winword.exe)
IMA
2. Launch application
suspended
4. Resume process
File System Object
Manager
Registry
5. Read rules
from driver
and start
isolating
6. Application
execution
continues
3. Tell driver
about AIE
being
launched.
Pass down
rules
File System redirection
Registry
redirection
Named Object
redirection
File System calls
1.Retrieve
AIE data
from IMA

5. Isolation Environment Roots
• Specifies directories and registry locations
• User Profile Root
– Changes made by the user reside here
– Suitable for Multi-user
incompatible applications
• Installation Root
– Per Isolation environment location
– Enables conflicting applications to
coexist

6. Isolation Environment Rules
•Three types of Rules:
• Ignore
• Redirect
• Isolate

7. Isolation Environment: IGNORE Rule
• Used to create “holes” in an isolation environment
• Virtual address is not modified by the virtualization
system
• Used to allow access outside of the isolation
environment

8. Isolation Environment: REDIRECT Rule
• Redirects an application request for a file or registry
key to a specified location
– If an application creates the file, c:tempdata.txt, regardless
of the user, then it might be sensible to redirect those files
to c:aietemp%USERNAME%
– This means, if UserA ran the application isolated, then
c:tempdata.txt is created in c:aietempUserAdata.txt

9. Isolation Environment: ISOLATE Rule
• Per User:
– Ensure that each user gets his own copy of the
requested resource
• Per Isolation Environment:
– A single copy of the required system resource is
created in the installation root location and shared by
all users

10. Application Streaming
• Codenamed Project Tarpon
• Introduced in Citrix Presentation Server 4.5 (2007)
• Had 6 major releases before being deprecated
• Still available with XenApp 6.5 and XenDesktop 5.6
• Completely removed in XenDesktop 7

11. 1
Tarpon Client
Extension of CPS Foundation
remote
users
firewall
firewall
local
users
Access
Gateway Advanced
Access
Control
Web Servers Application
Servers
IMA Service
PN Agent
Persistent
Store
AIE
PN Agent
Access
Management
Console
Tarpon App
Subsystem
Tarpon Session
Subsystem
Tarpon Client
Tarpon Profiler
License
Server
Web
Interface
AIE
AIE
Tarpon Client
AIE
Presentation
Servers
DatabasesFile Servers
New Apps
License
Presentation Server
Data
Collector

12. 1
Project Tarpon Infrastructure
Profiling Station
File Share / NAS
Project Tarpon
Server Farm
Web Interface
Clients
SMB
SMB
HTTP/
HTTPS
XML
SMB
License Server
27000

13. Application Virtualization
Internals

14. How it works
• Two main components of Application Virtualization:
– Isolation/Redirection
– Delivery mechanism
• Optional features:
– File type associations and OS integration
– Rights Management and usage tracking
– Packaging
– Shareable sandboxes

15. File I/O Redirection options
• API Hooking
– at USER or Kernel Level
• Hooking CreateFile, OpenFile, DeleteFile, NtCreateFile, NtOpenFile, NtDeleteFile
etc
• Hooking into System Service Descriptor Table (SSDT)
–
• File System Filter Driver or Mini-Filter
– Write file system driver to redirect virtualized file requests.

16. Registry Redirection Options
• API Hooking at USER Level
– Hooking advapi32.dll - RegCreateKeyEx, RegDeleteKeyEx etc
– Hooking Ntdll.dll – NtCreateKey, NtDeleteKey etc
• API Hooking at Kernel Level
– Hooking SSDT – NtCreateKey, NtDeleteKey etc

17. Players in App Virtualization

18. • Microsoft App-V
• VMware ThinApp
• CloudVolumes
• Symantec/Altiris SVS
• Spoon (Novell ZENworks)
• Numecent Jukebox
• FSLogix
• Sandboxie
• Microsoft Windows

19. Microsoft App-V
• Version 2.0 was released in 2002 by Softricity
• ~8 major and ~50 minor releases before App-V 5.0
• App-V 5.0 is completely rewritten and released in 2012
• Available as a part of MDOP under SA
• App-V 5.0 is only supported version for XenDesktop 7

20. App-V 5.0 Cons
• Requires SA
• Requires management servers
• Requires SQL
• User-level apps only
• Cannot virtualize drivers
• Cannot isolate applications that are a part of the OS

21. App-V Pros
• Tons of information on Internet
• Huge user community
• Integration with System Center
• Integration with XenDesktop
• Managed by PowerShell

22. VMware ThinApp
• Uses user-mode hooks
• Application packaging solution, just like PortableApps.com
• emulates the Windows COM and DCOM
• Supports Streaming Execution (SMB/CIFS) and Deployed Execution
(i.e. USB)
• Does not support installed Apps
• No centralized management
• End of availability (“EOA”) of VMware ThinApp, effective on December
15, 2013. After that will be available only as a part of View or Horizon

23. CloudVolumes
• AppStack – basically a VHD or VMDK attached to a VM
• Web-based management console that communicates with hypervisor
• Full support for server software
• Available Now: VMware ESX 5.0, 5.1, Coming soon…
HyperV, Azure, Amazon EC2

24. CloudVolumes

25. CloudVolumes

26. CloudVolumes pros
• Server software support
• No streaming or any other delivery mechanism
• Combination of file system minifilters and a service
• Text file-driven configuration
• Storage segregation on the hypervisor layer
• Per-machine or per-user assignments
• No packaging

27. CloudVolumes cons
• Works with virtual workloads only
• Came out of stealth mode in 2013
• Text file-driven configuration
• No integration with VDI brokers

28. Symantec/Altiris SVS
• Now called Symantec Workspace Virtualization
• Kernel-level hooks
• Umanaged computers support
• Application license management
• Best in class integration with OS

29. Spoon
• Formerly Xenocode
• Web portal for app access
• Desktop integration
• Works over HTTP/HTTPS
• License management
• Available as SaaS offering
• Server software support
• Auditing
• Support for installed applications
• Application snapshots

30. Numecent Jukebox
• HTTP-based streaming
• Encrypted cache
• Virtualized File System
• DRM and license control
• OPSWAT integration
• Kernel-level file system driver
• Web portal for user access
• Currently targeted for ISVs and MSP
• No publicly available demos or code

31. Numecent Jukebox
• Patents:
• Software streaming system and method
• Intelligent Network Streaming and Execution System for
Conventionally Coded Applications
• Rule-based application access management
• Opportunistic block transmission with time constraints
• Deriving component statistics for a stream enabled application

34. FSLogix
• AIE:Ressurection
• Came out of stealth mode about in July 2013
• First release planned in Q3 2013
• No streaming, no packaging
• Combination of file system minifilter and user-level hooks
• Support changes in realtime
• Text-file based configs with a GUI editor

35. FSLogix

36. FSLogix

37. FSLogix

38. Sandboxie
• Isolated sandboxes for applications
• Virtualizes Files, Disk Devices, Registry Keys, Process and Thread
objects, Driver objects, and objects used for Inter-process
communication: Named Pipes and Mailbox Objects, Events, Mutexs
(Mutants in NT speak), Semaphores, Sections and LPC Ports
• Not designed for VDI
• Not designed for Enterprise
• Developed by one person

39. Microsoft Windows
• UAC Virtualization is available out of the box
• Application compatibility toolkit can be used to manage folder and
registry redirection
• No additional software needed

40. What Are Shims?
• Applied to specific apps
– Configured with Compatibility Administrator in the App Compat Toolkit
– Deployable to enterprise
• Changes what the app thinks it sees
• Does not change what app is allowed to do

41. What Are Shims Good For?
• Great for many kinds of bugs:
– Bad Windows version checks
– Writing to HKCR at runtime
– Unnecessary checks for “am I admin?”
– Writing to WRP-protected keys and files
– Windows thinks your app is an installer
– File/Registry redirections

42. Version Lie Shims
• Win95VersionLie
• WinNT4SP5VersionLie
• Win98VersionLie
• Win2000VersionLie
• Win2000SP1VersionLie
• Win2000SP2VersionLie
• Win2000SP3VersionLie
• WinXPVersionLie
• WinXPSP1VersionLie
• WinXPSP2VersionLie
• Win2K3RTMVersionLie
• Win2K3SP1VersionLie
• VistaRTMVersionLie
• VistaSP1VersionLie
• VistaSP2VersionLie
• Win7RTMVersionLie

43. Most Used Shims
• VirtualRegistry
– Fixes the problem with reading/writing
registry value
– AddRedirect ( HKLMKey ^ HKCUKey
^ HKLMKey2 ^ HKCUKey2)
• CorrectFilePaths
– Fixes the problem with reading/writing
a file
– c:Program.ini=
%AppData%Program.ini
• WRPRegDeleteKey
– Lie when app tries to delete protected
OS registry key
• ForceAdminAccess
– Spoofs queries of administrator group
membership
• VirtualizeDeleteFile
– Spoofs deletion of global file
• LocalMappedObject
– Forces global section objects into
user’s namespace
• VirtualizeHKCRLite, VirtualizeRegist
erTypeLib
– Redirects global registration of COM
objects

44. Conclusion
• There are many vendors on the market
• If you care about App compatibility, take a look at simple solutions
• Consider using SaaS-based services
• Check the Application Virtualization Smackdown from Ruben Spruijt
– http://www.pqr.com
– 61 pages cover major vendors on the market

45. Conclusion

46. Contacts
• @fdwl
• meetup.com/BayCUG
• denisg@entisys.com