1

I rewrote the question from scratch in order to focus on what really is asked and avoid helpdesk-like comments or answers

I have recently faced an issue (two instances of it, actually) where one of my Windows programs, which uses the Firebird embedded engine with normal user rights, behaved in an unexpected way. After turning off antivirus on both these machines, the unexpected behavior subsided. Because of this I think my program is being either sandboxed or is subject to Folder Virtualization (possibility pointed to by Ken White in the comments).

Because of this (sandboxing or virtualization) one user experienced data loss. I want to at least be able to detect when this happens and warn any future user of my app of potential data loss. The only thing is I don't really know how such "features" work. I fear they differ per every AV that can do this. My detection would have to work on Windows from WinXP up to Win10.

Please, someone point me to the right path; I need to resolve this so my app users do not face data loss.

Mark Rotteveel
Kitet
  • 1
    Sounds like it has nothing to do with sandboxes, and everything to do with folder virtualization. Check each user's AppData\Local folder for a subfolder named VirtualStore (e.g., "C:\Users\Kitet\AppData\Local\VirtualStore"), and see if anything in that VirtualStore folder is related to your app. – Ken White Dec 01 '16 at 18:30
  • Reading [this](https://support.microsoft.com/en-us/kb/927387) makes sense? One of these stations is WinXP though – Kitet Dec 01 '16 at 18:42
  • Yes, specifically Scenario #2. I suspect it's the issue because you said *opened libraries and databases are in the same path that application executable is* - if you're installing under %ProgramFiles(x86)% or %ProgramFiles%, and trying to update a database or other file in that same folder, the write can be virtualized to VirtualStore. The solution: Put the writable data in a folder off of `C:\Users\Public`, where everyone can write. You can access its location at runtime via an API call or reading the value from the %PUBLIC% environmental variable. – Ken White Dec 01 '16 at 18:46
  • All right, but I never install this app in Program Files. It's meant to be run from any folder or even a thumb drive by normal users. Too bad I don't have access to that particular workstation, but it didn't install in Program Files either, it was a subfolder directly under c:\. Could it be possible that the user installed my app in this folder with admin privileges and when trying to run as a normal user he got virtualized? How does turning on/off AV then fit into this, since folder virtualization seems to be a feature of Windows? – Kitet Dec 01 '16 at 19:00
  • The AV could also be configured to not allow writes to a specific folder (which is why I asked you to check the virtual store in my first comment - did you look there as asked?). The point is that you're jumping to conclusions, when there are lots of other issues that can be causing your problem. If users are supposed to be sharing the same data (seeing the same data regardless of who is currently running the app), then put the data in a location where everyone has access and have everything write there, then configure the AV to allow write access to that folder. Does that solve the problem? – Ken White Dec 01 '16 at 19:10
  • 1
    You enlightened me, but it doesn't. I will test this in my environment, but I have no control of who worldwide and where from (which folder) has it running. I'm called only to solve specific incidents, which I'd like to prevent in the future. Keep in mind my app has to, and has run, for over 5 years even from thumbdrive. This was and still is a must for my client. So I'll rewrite my question shortly to be `how to detect sandbox and/or folder virtualization`, because writing user manuals saying "do it this way not the other" has historically proven... well... ineffective. – Kitet Dec 01 '16 at 19:33
  • 1
    It kind of sounds as if the user might have had two copies of your application running at once, both trying to be in control of the same database files. The other problem doesn't strike me as related. – Harry Johnston Dec 01 '16 at 20:43
  • No, that's not the case. I was remotely in control of both these machines at the time and all relevant information was provided in the post above. – Kitet Dec 02 '16 at 10:09
  • 2
    Windows folder virtualization is not related to antivirus. Perhaps the antivirus has its own virtualization, but Windows is not involved with that. – Raymond Chen Dec 02 '16 at 14:14
  • Yes, I understand this fact, but the effects of both features (Windows and AV ones) are undesirable from my point of view, that's why I'd like to explore both at once. – Kitet Dec 05 '16 at 08:53
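
The VirtualStore check suggested in the comments above can be automated. The following is an added example, not code from any poster in this thread: the function names are hypothetical, and it assumes that VirtualStore sits under %LOCALAPPDATA% and mirrors the original path without its drive letter.

```python
import ntpath
import os
import sys


def virtualstore_path(original, local_appdata):
    """Where a virtualized write to `original` would land (pure path math)."""
    drive, tail = ntpath.splitdrive(ntpath.normpath(original))
    # Only drive-letter absolute paths; UNC and relative paths are rejected.
    if len(drive) != 2 or drive[1] != ":" or not tail.startswith("\\"):
        raise ValueError("not an absolute drive-letter path: %r" % original)
    # Assumption: VirtualStore mirrors the path without its drive letter.
    return ntpath.join(local_appdata, "VirtualStore", tail.lstrip("\\"))


def find_redirected(files, local_appdata=None, exists=os.path.exists):
    """Map each file that has a VirtualStore counterpart to that counterpart."""
    if local_appdata is None:
        local_appdata = os.environ.get("LOCALAPPDATA")
    if not local_appdata:  # e.g. Windows XP: no %LOCALAPPDATA%, no VirtualStore
        return {}
    hits = {}
    for path in files:
        try:
            candidate = virtualstore_path(path, local_appdata)
        except ValueError:
            continue  # network share or relative path: nothing to look up
        if exists(candidate):
            hits[path] = candidate
    return hits


if __name__ == "__main__":
    # Check every file next to the running script/executable.
    app_dir = os.path.dirname(os.path.abspath(sys.argv[0]))
    own_files = [os.path.join(root, name)
                 for root, _dirs, names in os.walk(app_dir) for name in names]
    for original, copy in sorted(find_redirected(own_files).items()):
        # A hit is a hint, not proof: the copy may belong to the same path
        # on another drive, since the drive letter is not part of the layout.
        print("WARNING: %s may be shadowed by %s" % (original, copy))
```

This only covers Windows folder virtualization; any redirection an antivirus product performs on its own is outside what it can see.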

0 Answers