Figure 1: UAC settings are located inside the Security Options button in the Computer Configuration section
UAC settings within the GPO are located at the end of the Security Options list, the list appears in the right pane. To see this list, simply select the Security Options button on the left panel, as shown in Figure 2.
Here you will see all the controls that need to be set up for UAC on Vista and Windows Server 2008 computers. Note that it is possible to control how UAC works when an administrator logs in, as well as when a user logs in. The final option controls how Virtualization is linked to UAC behaviors. This setting is labeled 'User Account Control'; Virtualize files and registry will write errors to the location on each user.
Enabling this policy setting will virtualize the settings. If this setting is not configured for Vista computers, but you want to set it up, you need to set this policy to Enabled, as shown in Figure 3.
After configuring this policy setting, you need to ensure that it is used for Vista computers. It is also necessary to restart the Vista computer so that this setting is valid, as it only adheres to the foreground policy refresh to perform virtualization of files and registry. When the Vista computer is finished, you will have virtualized Registry files and locations.
Tips :
Foreground policy settings within the Computer Configuration need to be restarted by the computer, while the foreground policy setting in User Configuration needs to log off the user then log back in to take effect.
Virtualization of Task manager
Now that you have ensured that UAC will virtualize your files and registry updates, you need to verify that each process is performing virtualization properly. To see that, you need to have control, UAC virtualization, to launch Task Manager. The simplest thing we found to launch Task Manager is to right-click on the Start bar. You need to go to the Processes tab to see virtualization here.
Once in the Processes tab in Task Manager, you will see that there is no initial indication of virtualization. Even so, to see what is virtualized is quite easy. See what is virtualized, select the View menu option, then click on the Select Columns option. At the bottom of this list you will see a Virtualization check box, shown in Figure 4.
Save your new window, and you'll see a new column called Virtualization in the main Task Manager window under the Processes tab, shown in Figure 5.
If you want to see all of their processes and virtualization issues, click the 'Show processes from all users' button, which will contain system processes. You will see that the processes owned by the SYSTEM, Network service, and Local Service are not allowed to be virtualized.
Organize registers to add extensions
As you can see in Figure 5, none of the executables that are run directly are virtualized. This is because the executable files .exe, .bat, .scr, .vbs, and other executables are excluded here. This causes some problems if a program needs to upgrade itself. Standard users will not be able to do this, because the application will be running in protected areas.
If you have an application extension that needs to be removed from this initial list of non-virtualized extensions, you need to change the Registry. To add your extension to the list of non-virtualized extensions, go to HKEY_LOCAL_MACHINESystemCurrentControlSetServicesLuafvParametersExcludedExtensionsAdd Registry value. To add your extensions, you need to create an ExcludedExtensionsAdd Registry value. When you add a new value, use the multi-string Registry value type. Extensions will be added without the forward dot, for example, .exe will only be exe. After changing the entire list of extensions, restart the computer for the changes to take effect.
Real-time virtualization
If you want to virtualize an application or process that is not virtualized, you can do that when the system is running. To perform this task, you need to go to Task Manager. Inside Task Manager, go to the Processes tab just like you did before. Then select the process you want to virtualize. From there, right-click the process and then click the Virtualization menu option. This will show you a confirmation dialog, as shown in Figure 6.
After you virtualize the application, the process will have Enabled status in the Processes tab list of processes.
Conclude
The ability to control different aspects of UAC virtualization allows administrators to manage which applications are virtualized. Within any GPO, control over UAC is easy to use and easy to deploy via Active Directory. After UAC is enabled and the virtualization of files and Registry is also activated, your Windows Vista will launch virtual processes that were not previously available. What you can see inside Task Manager, it shows you a clear picture of what has been virtualized and what is not.