Configuring isolation modes for the file system and registry in ThinApp (1017265)

Symptoms

  • A virtual application fails to run properly on a computer with the same application running natively.
  • One person's use of a virtual application in a multiuser environment affects other people's use of the same application.
  • A virtual application cannot access a necessary file on the physical computer.
  • A virtual application does not run correctly in a locked-down kiosk environment.

Purpose

This article provides in-depth information about ThinApp isolation modes.

Resolution

 
 
If isolation mode is set incorrectly for your application environment, the virtual application may interact with registry keys and files on the physical computer either too closely or not closely enough. Carefully consider what you want to achieve and set isolation mode accordingly.
 
Isolation modes allow you to control the degree to which a virtualized application can read from and write to the local, physical PC where the virtual application resides. ThinApp automatically configures isolation modes for directories in the file system and for registry subtrees in a ThinApp project. You can change the default isolation modes.
 
The Sandbox directory works in conjunction with isolation mode by providing a place to write user application data if the isolation mode forbids writing to the physical system.
 
For more information on the Sandbox, see the ThinApp User’s Guide: http://www.vmware.com/support/pubs/thinapp_pubs.html .
 
For example, with the proper selection of isolation mode, you can:
  • Disallow the integration of a user's application documents with the rest of the documents on the physical computer by storing the user's documents in the Sandbox. These documents are available whenever the user launches the virtual application.
  • Allow everyone using a computer to access each other's application documents by storing those documents on the physical computer.

Three isolation mode choices

ThinApp provides three isolation modes:
  • Full
  • Merged
  • WriteCopy

Full isolation of the virtual application means that the user cannot read from or write to the physical system. With Full isolation of the virtual application, users read from and write to the virtual "bubble." ThinApp records user registry and file system changes in a directory called the Sandbox.

For more information on the Sandbox, see the ThinApp User's Guide: http://www.vmware.com/support/pubs/thinapp_pubs.html .

Merged isolation of the virtual application means that the user can read from and write to the physical system.

WriteCopy isolation mode means that the user can read from the physical system, but cannot write to the physical system. Instead, the user writes to a copy of the physical system in the Sandbox.
 
For more information about the rules of precedence when both virtual and physical versions of the same element exist, see http://kb.vmware.com/kb/1006991 .

Directory and registry isolation modes
 
You can set default isolation modes for:
  • the file system
  • registry keys
You can also configure exceptions to these overall defaults. (For more information, see Exceptions.)

The Setup Capture wizard allows you to configure only the default file system isolation mode.

The wizard provides a choice between two isolation modes:

  • Full write access to non-system directories (Modified Merged isolation mode)
  • Restricted write access (Modified WriteCopy isolation mode)

The Setup Capture wizard modifies the pure Merged and WriteCopy isolation modes by building in common exceptions.

Modified Merged isolation mode

The default file system isolation mode in the Setup Capture wizard is Full write access, or modified Merged.

The modified Merged isolation mode in the Setup Capture wizard allows users to write to any directory except for specified system directories. This is recommended for applications that you trust.

Almost every directory is writable, except for:
  • %AppData%
  • %Local AppData%
  • %Common AppData%
  • %SystemRoot%
  • %SystemSystem% (*see note below)
  • %ProgramFilesDir%
  • %Program Files Common%

* %SystemSystem%\spool remains writable, so Setup Capture creates an exception file to preserve Merged mode in this subdirectory of %SystemSystem%.

Writes to these directories go to the Sandbox instead.

Modified WriteCopy isolation mode
 
The Restricted write access, or modified WriteCopy, isolation mode in the Setup Capture wizard prevents users from writing to any directory on the physical system except for a few specified user directories. Modified WriteCopy is recommended for applications you do not trust, or for legacy applications that you will deploy to more recent operating system versions. It is also recommended for virtual applications running in locked-down PC environments.
 
The only directories that are writable on the physical system with modified WriteCopy isolation mode are:
  • %Desktop%
  • %Personal% (My Documents)
  • %SystemSystem%\spool
All other writes go to the Sandbox.
 
ThinApp writes the configurations that you selected in the Setup Capture wizard into a project configuration file called Package.ini. You can manually configure the Package.ini parameters with a text editor.
 
For more information on editing the Package.ini file, see the ThinApp User's Guide: http://www.vmware.com/support/pubs/thinapp_pubs.html .
 
The Setup Capture wizard provides a GUI only for the file system isolation mode, but not for registry isolation mode.
 
The configuration parameter in Package.ini for the default file system isolation mode is DirectoryIsolationMode.
 
The configuration parameter in Package.ini for the default registry key isolation mode is RegistryIsolationMode.
 
Both the DirectoryIsolationMode and the RegistryIsolationMode require the [Isolation] heading before them in the Package.ini file. For example:
 
[Isolation]
DirectoryIsolationMode=Merged
RegistryIsolationMode=Merged

DirectoryIsolationMode

The default DirectoryIsolationMode in Package.ini is Merged if you capture the application outside of Setup Capture with the snapshot.exe utility. This default directory isolation mode in Package.ini is the same as the default in the Setup Capture wizard.
 
If you capture the virtual application outside of Setup Capture, ThinApp also builds in the same exceptions to the isolation mode as in Setup Capture.
 
For more information about configuring exceptions, see Exceptions.
 
For more information about the snapshot.exe command-line utility, see the ThinApp User's Guide: http://www.vmware.com/support/pubs/thinapp_pubs.html .
 

RegistryIsolationMode

The default RegistryIsolationMode in Package.ini is WriteCopy.

Note:

The Setup Capture wizard does not provide a GUI to change the registry isolation mode from its default value of WriteCopy. If you wish to change the default registry isolation mode, you must manually configure Package.ini. You can do this by briefly exiting the Setup Capture wizard to edit the project.
 

Summary of differences between isolation modes in the Setup Capture wizard and in Package.ini

  1. Full isolation mode is not available as a choice in the Setup Capture wizard. You may use Full isolation mode in a manual configuration of isolation mode in Package.ini, but it is not recommended. Full isolation mode is best used only in exception files. (For example, if you use Full directory isolation mode as a default, ThinApp cannot use system DLLs.)
  2. Configuration of the registry isolation mode is not available in the GUI of the Setup Capture wizard.

Exceptions to the default isolation modes

You can set up exceptions to the default isolation mode for specified directories or registry subtrees.

Both the Setup Capture wizard and snapshot.exe build in common exceptions to the pure Merged or WriteCopy isolation mode choices so that your virtual application behaves in the expected manner. These exceptions allow or disallow writing to specific directories. You can add to or change these exceptions.
 

Configuring an exception to the default DirectoryIsolationMode

The default file system isolation mode that you set applies to all directories. You may configure exceptions to the default directory isolation mode. An exception applies to the directory for which you set the exception and to all subdirectories.

To configure an exception to the default directory isolation mode, create and place a ##Attributes.ini file in the directory within the application project.

The application project is located by default in:

C:\Program Files\VMware\VMware ThinApp\Captures\<application_name>

Here is an example of the contents of a ##Attributes.ini file:
 

Here is an example of the placement of the ##Attributes.ini file in the \%ProgramFilesDir%\Opera\defaults directory in the virtual application project:
 
 
 
 

Configuring an exception to the default RegistryIsolationMode

The default registry isolation mode that you set applies to all registry keys. You may configure exceptions to the default registry isolation mode. An exception applies to the registry key for which you set the exception and to all subkeys.

To configure an exception to the default registry isolation mode, create and place an HKEY_<registry_subtree>.txt file within the application project.

The application project is located by default in:

C:\Program Files\VMware\VMware ThinApp\Captures\<application_name>

Here is an excerpt from an HKEY_LOCAL_MACHINE.txt registry key exception file:
 
 
Here is an example of the placement of this registry key exception file in the Opera 10.10 application project:
 
 

 
Your setting for the default directory isolation mode applies not only to the local physical drive, but also to:
  • Virtual drives

For information about configuring a ##Attributes.ini exception file for virtual drives, see the documentation on the VirtualDrives Package.ini parameter in the ThinApp User's Guide: http://www.vmware.com/support/pubs/thinapp_pubs.html.

Your setting for the default directory isolation mode does not apply to:

  • Network drives
  • Removable disks and drives

By default, users can write to network drives and removable disks.

For information about how to turn off the ability to write to network drives and removable disks or drives, see the documentation on the SandboxNetworkDrives and SandboxRemovableDisk Package.ini parameters in the ThinApp User's Guide: http://www.vmware.com/support/pubs/thinapp_pubs.html.
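
An added example (not VMware's code and not part of the original article): a Python audit that resolves the effective directory isolation mode for every folder in a project, applying the rule above that an exception covers its directory and all subdirectories, and lists folders left in Merged mode under the system directories named earlier. It assumes ##Attributes.ini uses the same [Isolation] / DirectoryIsolationMode syntax shown for Package.ini; the function names and the sample project are constructed for illustration.

```python
import configparser
import tempfile
from pathlib import Path

ATTR = "##Attributes.ini"
PROTECTED = {"%AppData%", "%Local AppData%", "%Common AppData%", "%SystemRoot%",
             "%SystemSystem%", "%ProgramFilesDir%", "%Program Files Common%"}
EXPECTED_MERGED = {"%SystemSystem%/spool"}  # built-in exception named on the page

def read_mode(ini_path):  # DirectoryIsolationMode from [Isolation], or None if absent
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read(ini_path, encoding="utf-8")  # assumption: UTF-8; a missing file is skipped
    return cp.get("Isolation", "DirectoryIsolationMode", fallback=None)

def effective_modes(project):
    """Map each project directory to (effective mode, file that set it)."""
    project = Path(project)
    default = read_mode(project / "Package.ini") or "UNSET"
    result = {}
    for d in sorted(p for p in project.rglob("*") if p.is_dir()):
        rel, cur = d.relative_to(project), project
        mode, source = default, "Package.ini"
        for part in rel.parts:  # root to leaf, so the deepest exception wins
            cur = cur / part
            found = read_mode(cur / ATTR)
            if found:
                mode, source = found, (cur / ATTR).relative_to(project).as_posix()
        result[rel.as_posix()] = (mode, source)
    return result

def merged_in_protected(modes):
    """List directories under a protected root whose writes reach the physical system."""
    return sorted(rel for rel, (mode, _) in modes.items()
                  if mode.lower() == "merged" and rel.split("/")[0] in PROTECTED
                  and not any(rel == e or rel.startswith(e + "/") for e in EXPECTED_MERGED))

def build_sample(root):  # constructed sample project, not a real capture
    root = Path(root)
    (root / "Package.ini").write_text("[Isolation]\nDirectoryIsolationMode=Merged\n")
    layout = {"%Personal%": None, "%SystemSystem%": "WriteCopy", "%SystemSystem%/spool": "Merged",
              "%ProgramFilesDir%": "WriteCopy", "%ProgramFilesDir%/Opera/defaults": "Merged"}
    for rel, mode in layout.items():
        (root / rel).mkdir(parents=True, exist_ok=True)
        if mode:
            (root / rel / ATTR).write_text(f"[Isolation]\nDirectoryIsolationMode={mode}\n")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(merged_in_protected(effective_modes(build_sample(tmp))))
```

On the constructed sample, only the Opera defaults folder is reported: it overrides the WriteCopy exception set on its %ProgramFilesDir% ancestor, while the intermediate Opera folder inherits WriteCopy.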
 

Additional Information

For information about making sure that users can write to the virtual application's working directory, see the documentation on the WorkingDirectory Package.ini parameter in the ThinApp User's Guide: http://www.vmware.com/support/pubs/thinapp_pubs.html.

For more information about isolation of shared memory objects and isolation of synchronization objects, see the IsolatedMemoryObjects and IsolatedSynchronizationObjects Package.ini parameters in the ThinApp User's Guide: http://www.vmware.com/support/pubs/thinapp_pubs.html.

For information about how isolation mode interacts with Application Link (AppLink), see Affecting Isolation Modes with Application Link in the ThinApp User's Guide: http://www.vmware.com/support/pubs/thinapp_pubs.html.

For more information about troubleshooting isolation mode, see http://kb.vmware.com/kb/1006991.

Update History

22 July 2011 (TdeB): Enabled video-related hidden fields so that searches for ThinApp videos include this KB article.
