App-V: On Application Compatibility and Shims with Regards to Applications Virtualized with App-V 4.x and 5.x
While the origins of Softgrid may have revolved around addressing some application compatibility issues, the primary tenets of using Softgrid then (and App-V now) still are to provide on-demand application delivery, “installation-footprint-free” assets, as well as application-to-application isolation. This does not include being a solution for application compatibility. The old notion of “If you can’t fix it with shims, you can just use App-V and sequence it on XP! - Then run it on Windows 7 or 8” is not true. If this solved one of your application issues when migrating to Windows 7 or 8 – it was only a case of luck. App-V has not, does not, and will not fix App-to-OS bugs.
So where does App-V fit into the Application Compatibility Process?
Application Virtualization is a packaging technology that contains both state separation and isolation. But it alone, does not remediate compatibility issues. Laying out the industry accepted AppCompat process, virtualization/sequencing is considered a form of packaging.
The sequencing of applications for a target operating system should occur only after that application has been verified for operating system compatibility directly or through remediation. Yes, that remediation may include a shim containing compatibility fixes.
But I heard you can’t shim App-V applications!
You heard wrong. If you must shim that internal custom LOB application for which you can no longer locate the source code, you can certainly apply the same shim to an application running natively or virtualized so long as you have deployed the shim locally. This is so the Application Experience service can work with the fixes properly. I, personally believe in Shims as a last resort, especially with App-V. Remember, some global compatibility flags (__COMPAT_LAYER) can also be applied to App-V applications as environment variables. Zarbie mentioned this a while back in one of his blogs: (https://blogs.technet.com/b/virtualworld/archive/2010/04/13/the-requested-operation-requires-elevation-2c-000002e4.aspx.) You should always look for the simplest of solutions first.
But for that application that may require several fixes, there have been many questions and requests regarding guidance on how shims developed to address compatibility issues (also known as AppCompat Shims) can be implemented with App-V.
Using the Stock Viewer application that comes with the ACT, I will demonstrate both the relationship of how most compatibility issues affect App-V packages as well as how we apply compatibility shims to App-V packages. The well-known Stock Viewer Demo App (from the ACT) is a great teaching tool to demonstrate applying some of the issues that will rear their ugly head exactly the same way in a virtual App-V application the same way they would in a native application. So if we wanted to implement the ElevateCreateProcess, ForceAdminAccess, LocalMappeObject, and VirtualizeHKCRLite fixes into an application virtualized with App-V, we would go about it the same way we would using a normal local installation of the Stock Viewer application along with the rest of the ACT. I create my shim as follows:
1. Start the Compatibility Administrator application (COMPATADMIN.)
2. Click yes to the UAC prompt.
3. In the left pane click Custom Databases and then select “New Database(1) [Untitled_1].”
4. On the toolbar, click Fix.
5. In the Create new Application Fix wizard, on the Program information page, in name, type StockViewer, in Location, type c:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Demo Application\StockViewer\StockViewer.exe, and then click Next.
6. On Compatibility Modes page select None for Operating Systems Modes, and then click Next .
7. On the Compatibility Modes page, click Next.
8. On the Compatibility Fixes page, check ElevateCreateProcess, ForceAdminAccess, LocalMappedObject, VirtualizeHKCRLite, and then click Next.
9. On the Matching Information page, click Finish .
10. On the toolbar, click Save.
11. In the Database Name dialog box, type StockViewerFixes, and then click OK.
12. On the Save Database browse window, in filename, type C:\SDBShare\StockViewerFixes, and then click Save.
So now we have a shim StockViewerFixes.sdb that can later be applied with a simple command:
sdbinst.exe -q
The –q installs it in quiet mode.
Shims and App-V 4.6
When Stock Viewer is virtualized and executed as a standard user, you will find that the user encounters the same initial launch error virtualized as it would when it is installed natively.
Permission Denied
You must be an administrator to run this application.
So if we wanted to apply this shim to the computers local database, we could do so by quietly deploying the shim (using sdbinst as an administrator.) Then you would want to add in a Service Inclusion for the Application Experience service (AeLookupSvc) in the App-V Client Configuration so the Application Experience service can work inside the App-V virtual environment and ensure all shims are applied properly. I discussed Service Inclusions last year in the following blog: https://blogs.technet.com/b/gladiatormsft/archive/2012/08/01/app-v-4-6-using-service-and-process-inclusions.aspx
Service Inclusions can be useful not only for Anti-Virus applications, but other key services as well. For example, this is how we allow for AppLocker to work with virtualized applications. For the Application Experience service, you would need to create the service inclusion for the service – AeLookupSvc by simply creating a string value (REG_SZ) under the following key:
X86
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SoftGrid\<version>\Client\AppFS\ServiceInclusions
X64
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\SoftGrid\<version>\Client\AppFS\ServiceInclusions
Value: AeLookupSvc1
Data: AeLookupSvc
The main challenge will be if you want to deploy the shim “on-the-fly” when you deploy the application. My good friend and idol Chris Jackson mentioned this a while back in his Technet Magazine article:
https://technet.microsoft.com/en-us/magazine/ff458340.aspx
He mentions the use of a pre-launch script in the OSD file to apply a shim using sdbinst. This works well except that it requires administrator access and the command will be running in the security context of the user. Also note that he also addressed the problem with using a centralized shim database due to problems with elevation and the AppV Bubble. The use of creating a Service Inclusion for the AE Lookup service addresses this issue now.
Shims and App-V 5
With App-V 5, the process is more straight-forward. You can use individual shims or a centrally managed shim database without the need to have a service inclusion included due to the new App-V file system and hook model. You even have better options of applying the shim for each virtualized application individually by taking advantage of the more advanced App-V script model. Since the desired workflow is to be able to apply the shim without unnecessarily elevating the security context of the user or application itself, you can apply the shim using the AddPackage event within the deploymentconfig.XML file. This will run under the context of the SYSTEM account.
<MachineScripts>
<AddPackage>
<Path>sdbinst</Path>
<Arguments>-q stockviewerfixes.sdb </Arguments>
<Wait RollbackOnError="true" Timeout="15"/>
</AddPackage>
Likewise, you can reverse this when the package is removed by assigning a script on the RemovePackage event.
<MachineScripts>
<RemovePackage>
<Path>sdbinst</Path>
<Arguments>-u stockviewerfixes.sdb </Arguments>
<Wait RollbackOnError="true" Timeout="15"/>
</RemovePackage>
Bear in mind, these events will only occur when deploying using PowerShell. If you want to deploy this shim using the publishing server, you will want to target the machine and not the user and assign the shim installation to the PublishPackage event.
With Windows XP hitting end of life, there is a rapid increase in the movement to Windows 7, Windows 8, and Windows 8.1. While modernization of your legacy applications still should be your ultimate goal, remediating your application into a working solution that is both compatible and portable is, in many cases, the next best thing from a transitional perspective.
Comments
- Anonymous
January 01, 2003
OK. A lot of comments to digest here:
Nathan Comment #1 - it depends on which version of App-V you will be implementing. Either way, the command specified to install the shim is what you will need to include - whether you are doing it via v.4 or v.5 - The process to do this effectively is very different between the two versions as I pointed out.
Nathan additional comments: The compatibility fixes/modes must be in an SDB file and not done on the fly using the shortcut properties - even during sequencing.
Mark also had additional good suggestions. - Anonymous
February 27, 2014
Um... what comes after step 12? I launched the sequencer, installed the app, created the sdb, ran the sdbinst on it, installed it, then... what? I tried publishing the app that way assuming it would pick up on whatever it was doing but no such luck. All I want to do is set compatibility mode to Windows 2003 SP1. App-V doesn't pick up on the change to the shortcut regardless if you do it for all users or not. - Anonymous
February 27, 2014
Oh I didn't see that last bit, got confused thinking it was part of App-V 4. - Anonymous
February 27, 2014
Nope those last steps didn't work. I added the lines for my app to the relevant deployment.xml file MachineScripts section on the App-V Publishing server using notepad. Unpublished it, republished it, tried again and again with no luck whatsoever. - Anonymous
February 27, 2014
It'd be cool if this actually worked. I've tried every possible configuration with this that I can think of. After I wrote the above I saw the MachineScripts section as a whole was commented out, I uncommented it, thinking that it would finally work, nope. I tried using the AddPackage event, I tried using the PublishPackage event, nothing works. I even tried adding [{AppVPackageRoot}]nameofexe.exe instead of just the exe file name. Since that's where the file is located. That didn't work either. - Anonymous
February 27, 2014
The comment has been removed - Anonymous
March 13, 2014
Nathan. Did you enable scripting on the client. Set-AppVClientConfiguration -EnablePackageScripts $True ? - Anonymous
March 13, 2014
Also you must reference the _DeploymentConfig.XML on the Package Add Command
Add-AppVClientPackage -Path -DynamicDeploymentConfiguration - Anonymous
March 13, 2014
Also you must reference the _DeploymentConfig.XML on the Package Add Command
Add-AppVClientPackage -Path UNCPathToAppVFile -DynamicDeploymentConfiguration UNCPathToDeploymentConfigFile - Anonymous
November 23, 2015
I use the sdbinst command on the AddPackage and RemovePackage in the DeploymentConfig.xml file. Works there too. - Anonymous
December 08, 2016
I've tried this out but cannot get it to work at all.Where do I check if the shim has been installed? Locally or in the App-V bubble?We have App-V 5.1