Why Program Files is read only and what you can do about it

Ronan Geraghty wrote a long and informative email to my previous rant (since removed, I wasn’t comfortable with it) about Microsoft. I repost here with his permission.

Developers have consistently written applications which require excessive user rights and Windows privileges meaning that enterprises have had to prioritise ease of deployment over security. As you probably know one of the major goals of Vista was improved security, and one of the design goals of UAC is to prevent installations being run without the user’s knowledge, requiring explicit consent for writing to protected locations. As you know, %ProgramFiles% is a protected location and is a good example (along with say writing to HKEY_LOCAL_MACHINE\Software) where applications that do not separate user and admin functionality run into problems.


Bearing all this in mind, the aim of virtualization is to improve compat for _legacy_ apps running as standard user on Vista.

Taking your main point:

‘Well not anymore, nope with UAC (User Access Control) turned on, config files written under the C:\Program Files directory get virtualized. i.e. This is not a normal file system any more, its some weird, hacked up, broken, not the file system you were brought up on. So edits with notepad don’t work, file saves don’t work right and uninstalls and upgrades just go straight to hell in a hand basket.’

The rule is that if an app hasn’t requested explicit permission to write to a protected location then virtualization kicks in. Below is an example of this on my machine. Note the “Compatibility Files� button on the explorer bar. The reason for this is that when it’s run this particular application attempts to write a log file to %ProgramFiles%. Since that’s a protected location if the app is run as a standard user the file is virtualized, hence the compatibility files button shows up in explorer. From that point on app reads will be from the virtualized folder, so rather than attempting to edit e.g. the log file or config file directly you should click this button and it will take you to the location where you can use e.g. Notepad to edit your virtualized files. In my case for example editing my virtualized sim.cfg file with Notepad allowed me to hide/show a toolbar in the application.

Bear in mind that Virtualization is for legacy applications : new applications ideally should strive not to use Virtualization i.e. not cause files to be written to the virtualized store. Say you have an app which attempts to save user preferences such as window co-ordinates in your config file to %ProgramFiles%. The first time this is run by a standard user the file will be virtualized for that user. Subsequent updates to the config which are pushed out by e.g. SMS will be picked up by first-time users but not by those users which have already used the app and been virtualized. Also, on uinstall, the virtualized files won’t be uinstalled.

To reiterate, Virtualization is there to enable legacy apps, however the long term approach should be to fix the app to take UAC/least privilege into account, and actually request permission to write to the protected locations if that’s required. In fact if user settings are separated out then there may be no need for the app to write to the protected location at all.

A quick solution for your existing app is to right click it and select Run as Administrator. Or alternatively users can apply a compatability fix to indicate that the application requires administrative privileges.

Compatibility Files

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.