Poltergeist? No, Vista Data Redirection

As I was working with a Vista machine, I started noticing that occasionally when I made changes to some files, only certain programs could see them, but others couldn’t. Most often this happened with files in the “Program Files” directory. It was so weird that initially I did not believe my eyes. You open a file in the console-based FAR manager, and you see one thing. You open it in Notepad – completely different thing.

It went on for a while, until the mystery affected an important config file. I spent several hours trying to understand what’s going on, and now it was personal.

It turns out that Vista “virtualizes” write access to otherwise unwritable files in system directories, but it does it in a very peculiar way.

Apparently, Microsoft developers thought along these lines: OK, we must lock down the Program Files and other system directories, but many legacy applications do write their logs to Program Files. We don’t want them to break, do we? So, let’s quietly redirect their failed writes to a safe user-specific location. But of course, we can’t do that for all applications, only for the old ones.

This works, but it creates quite astonishing results. E.g., your legacy application claims it created a log file in c:\program files\myapp\important.log. You can smell it, you can feel it, you can even open it inside the application if it has such a capability. But if you go to Windows Explorer or Notepad, the file is simply not there! Poltergeist? No, data redirection. The file is actually in AppData\Local\VirtualStore in your user profile. Windows Explorer and Notepad are obviously designed for Vista, so they see the real, unmodified version of the data.

As far as I understand, all programs are divided into “designed for Vista” and “legacy”. Programs designed for Vista do not require data redirection and thus see the real picture. When a legacy program tries to write into an area such as “Program Files” and that write would fail, the write is redirected to the VirtualStore folder inside the user profile. If the write would not fail, it is allowed to go through to “Program Files”. Only locally running programs are redirected.

Thus, it creates a number of astonishing inconsistencies.

  1. The changes made by your application are not visible to system programs, as described above.
  2. The same application sees different data when it runs in elevated “administrator” mode.
  3. If a legacy application accesses modified files via the network, it will not see the modified data, since no redirection is performed for remote reads.
  4. Only unwritable files are redirected, files writable by non-administrators will be modified in place. If another user looks at the files, he will see some files modified, but not the others.

Furthermore, the config file that started this investigation was in ProgramData directory. This is a new directory in Vista, and no legacy program would write to it. Why data redirection is applied to this directory is yet another mystery.
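To make the mechanism and the resulting inconsistencies concrete, here is an added audit helper (example code, not from the original post). It maps a path under a protected directory to the place a redirected write lands in VirtualStore, and walks a VirtualStore tree to flag files that exist only there (the “ghost” log from above) or that differ from the real copy (what an elevated and a non-elevated run of the same application would see). The list of protected directories and the VirtualStore layout (drive letter dropped, rest of the path kept) are assumptions based on the post; the roots are parameters so the walk also runs on a non-Windows machine with a constructed directory pair.

```python
"""Audit helper for Vista's data redirection (UAC file virtualization).

Added example, not code from the original post. The protected-directory
list and the VirtualStore layout are assumptions drawn from the post.
"""
import hashlib
import tempfile
from pathlib import Path, PureWindowsPath
from typing import Dict, Optional

# Directories whose failed writes get redirected (assumed from the post).
PROTECTED_ROOTS = {"program files", "programdata", "windows"}


def virtual_store_path(real_path: str, local_appdata: str) -> Optional[str]:
    """Map a real path to its VirtualStore twin, or None if not redirected.

    VirtualStore drops the drive letter and keeps the rest of the path:
      C:\\Program Files\\myapp\\x.log
        -> <LOCALAPPDATA>\\VirtualStore\\Program Files\\myapp\\x.log
    """
    p = PureWindowsPath(real_path)
    parts = p.parts  # e.g. ('C:\\', 'Program Files', 'myapp', 'x.log')
    if not p.drive or len(parts) < 3:
        return None  # relative path, or nothing below the protected root
    if parts[1].lower() not in PROTECTED_ROOTS:
        return None  # e.g. C:\Users\... is writable, never virtualized
    return str(PureWindowsPath(local_appdata, "VirtualStore", *parts[1:]))


def _digest(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def find_shadowed_files(real_root: Path, store_root: Path) -> Dict[str, str]:
    """Walk store_root (the VirtualStore copy of real_root) and classify:

      'ghost'   exists only in VirtualStore: the legacy app sees it,
                Explorer and Notepad do not (inconsistency 1 in the post)
      'differs' both copies exist with different content: elevated and
                non-elevated runs of the same app see different data
      'same'    identical content, nothing to reconcile
    Keys are paths relative to the roots, in POSIX form for portability.
    """
    result: Dict[str, str] = {}
    for store_file in sorted(store_root.rglob("*")):
        if not store_file.is_file():
            continue
        rel = store_file.relative_to(store_root)
        real_file = real_root / rel
        if not real_file.is_file():
            status = "ghost"
        elif _digest(real_file) != _digest(store_file):
            status = "differs"
        else:
            status = "same"
        result[rel.as_posix()] = status
    return result


def demo() -> Dict[str, str]:
    """Build a constructed Program Files / VirtualStore pair in a temp
    directory and audit it. File names and contents are made up."""
    with tempfile.TemporaryDirectory() as tmp:
        real = Path(tmp) / "Program Files"
        store = Path(tmp) / "VirtualStore" / "Program Files"
        for root, files in (
            (real, {"myapp/important.log": b"line 1\n",
                    "myapp/readme.txt": b"unchanged\n"}),
            (store, {"myapp/important.log": b"line 1\nline 2\n",  # redirected write
                     "myapp/readme.txt": b"unchanged\n",
                     "myapp/debug.log": b"only the legacy app sees me\n"}),
        ):
            for rel, data in files.items():
                f = root / rel
                f.parent.mkdir(parents=True, exist_ok=True)
                f.write_bytes(data)
        return find_shadowed_files(real, store)


if __name__ == "__main__":
    lad = r"C:\Users\alice\AppData\Local"  # constructed profile path
    print(virtual_store_path(r"C:\Program Files\myapp\important.log", lad))
    for rel, status in demo().items():
        print(f"{status:8} {rel}")
```

On an actual Vista machine the same walk can be pointed at the real locations, for example `find_shadowed_files(Path(r"C:\Program Files"), Path(os.environ["LOCALAPPDATA"]) / "VirtualStore" / "Program Files")`, to list every file a legacy application believes it changed but that Explorer, Notepad, other users and remote readers will never see. Hashing both copies rather than comparing timestamps matters because the redirected copy is a full-file copy made at the time of the failed write, so its mtime says nothing about whether the content still matches.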
