Mark Russinovich’s technical blog covering topics such as Windows troubleshooting, technologies and security.
A few weeks ago, my wife mentioned that she sometimes saw files in her desktop folder that didn’t appear on the actual desktop. She brought it up not only because she was confused by the discrepancy, but because she wanted to move some of these phantom files to other folders and wanted to delete others. I had no idea what she was talking about (which was usually the case when she described her computer troubles), so I told her that the next time she saw these mysterious files, to call me to look at it.
A few days later I got home from work and she greeted me excitedly at the door and explained that the problem reoccurred and that she had left a window open showing the elusive files. I rushed to the kitchen computer with anticipation, not even bothering to greet the dogs on the way, and surveyed the situation. She had a maximized IE window open with a full row of tabs for her open emails (I don’t think she ever closes an email window). An IE “Choose a File” dialog box was in the foreground listing the files in her desktop folder, which she had opened by clicking the attachment button in the email editor. The dialog looked like this:
I minimized IE to view the desktop background and sure enough, several of the files visible in the dialog, such as the “Maui Feb. 08” folder and the CIMG13xx JPG files, were missing. I opened an Explorer window and navigated to her desktop folder to see if the files would show up there, but they were missing there as well:
I’d never seen that behavior before. I knew this was a job for Process Monitor. Since my wife doesn’t keep the Sysinternals tools on her system (sad, but true), I ran it directly from the network using the Sysinternals Live address, \\live.sysinternals.com\tools\procmon.exe. With Process Monitor recording activity, I closed and reopened the Choose File dialog from the email editor and then I search for “CIMG”, a portion of the file name for many of the files present in the Choose File dialog, but not in the Explorer view of the desktop. The first hit was a directory enumeration operation with the file names showing as results in the Details column on the far right:
The files were located in her profile under \Appdata\Local\Microsoft\Windows\Temporary Internet Files\Virtualized\C\Users\Daryl\Desktop. This Virtualized is directory created by IE7 when run in Protected Mode (PMIE), which is the default mode on Windows Vista and Windows Server 2008.
PMIE uses Integrity Levels, introduced in Vista and Server 2008, to limit the file system and registry locations to which code running in IE can modify to a subset of those writeable by the user account in which IE executes. As I described in an earlier blog post, the sandbox defined by locations labeled with Low Integrity, the level at which PMIE executes and of the objects that PMIE can modify, allow PMIE to save favorites and temporary files, like the IE cache and browsing history. However, PMIE cannot modify other locations in a user’s account, like documents folders and per-user autostart locations in the registry and file system, because they have an integrity level of Medium. That prevents drive-by-download malware that might infect the IE process from establishing a persistent presence.
In order to preserve backward compatibility with legacy code, such as ActiveX controls and Browser Helper Objects, that might be coded to write to locations outside of the sandbox, PMIE implements shims that intercepts file and registry operations and redirects ones that got outside the sandbox to the Virtualized directory within it.
To see if that was what was happening here, I examined the stack trace of the virtualized operation highlighted above by right-clicking on the line and choosing Stack. The stack showed that Acredir.dll was intercepting the operation and executing redirection functions:
Double-clicking on the line in the stack trace opens the module properties dialog, which shows that the DLL is the “Windows Compatibility DLL”, thus confirming this was part of PMIE’s sandbox implementation:
I had been familiar with PMIE’s virtualization, but I’d never seen files virtualized on the desktop, so it had not been obvious to me that was what was causing the discrepancy. Process Monitor revealed the cause, so now all I was left with was cleaning up the virtualized files. Most users don’t realize that you can move and delete files from within a file browse dialog, so I took the opportunity to show my wife how she can manage virtualized files from the email editor’s attachment dialog if she came across them again. We deleted the files she didn’t want and moved the pictures out to her photo library folders.
The case was closed. As a bonus, my wife was impressed at the ease with which I’d figured out the source of the phantom files and even more impressed that I wrote the tool I used to solve it. She’d also gotten an in depth look at PMIE’s virtualization and integrity levels, but I think in the end my lecturing on those subjects actually subtracted points.
Incidentally, you’ll almost certainly see files and directories if you look at the PMIE Virtualized folder in your profile, because even routine operations within IE result in redirection. Here you can see thumbnail cache files that the shell’s file browsing dialog creates when you use it from within IE. Normally, the shell stores thumbnail cache files in your profile, but PMIE can’t write to that location so the shim virtualizes it:
I've had problems with .exe's from a .rar unzipped (unrar'd?) to the desktop - problems deleting them. Is this related? I've also unzipped a .exe by dragndrop from winrar to the desktop and not seen it, but it showed up in explorer. Maybe winrar and win7 don't get along.
So what did the dogs think?
Interesting way to solve the multi-integrity level & backwards compat...gawd...the things MS goes through to preserve backwards compat for some apps...it's torturous.
Have seen various solutions, for directories in "well-known" locations (desktop on win, /tmp on unix)...
SGI IRIX did something similar on the multi-level OS back in the 90's with /tmp. Every app expected to use it as a scratch space, but users were separated by virtual walls -- so to user progs, they all saw /tmp, but the os multiplexed them to /tmp/<privilege-level+label>.
Linux is just now adding something similar -- the ability to virtually merge multiple directories -- so read-contents appear like one big dir, but private files and writes go to another private dir...but user will always see the public dir+their own private dir....
Not sure of the details, as I saw the summary notes on the last kernel release.
Interesting how security issues from the 80's in the DOD are just now getting to the consumer market 20-30 years later...
Phileosophos + 1
Had I been a Vista user I would find this behavior counter-intuitive, regardless how much sense the implementation makes.
Good thing I did not upgrade to Vista. Will wait for Windows 7, hopefully this problem (it is a bug, not a feature) will be fixed by then.
i thought one of the implemented features of virtualized folders was that Windows will present a unified view of the files when i browse to the "real" folder.
So if i save an image on my desktop: it will be saved on my desktop.
Is this not the case? Are files downloaded using IE lost to the user? Is that the intended behaviour?
i can barely explain the idea of folders to friends and family - let alone a folder that eats your files.
Sounds like a terrible overlook of usability imo, until which files get "virtualized" is clearly defined.
Are normally downloaded files stuck into the virtualized storage area? Or only files which are related to 3rd party ActiveX controls?
If a website launches a Java applet in IE7 PMIE mode on Vista then does IE further sandbox the applet i.e. on top of the security framework which the java runtime implements.
Thanks
Nice article, as always. There seem to be a number of methods of associating folders into a single view now.
quote: I think in the end my lecturing on those subjects actually subtracted points. /quote
I completely relate. I lose those same points nearly every day. :)
Is this only on Windows Vista without SP1..i have X64 SP 1 installed...and i can save things to e.g. the desktop because of the ieuser.exe thats running at medium IL and is the RPC Server for the IL Low iexplore.exe to serve for things like copy things to the PC...etc....P.S. PMIE is enabled......
What I don't get is how these files got into the virtualized drive in the 1st place.
Also, is there any way to clean virtualized drives?
While a very intelligent (and actually secure) way to do things, it's counter-intuitive. I understand why MS would choose this, but like Vista's UAC, the implementation is horrible. Like Mark's wife, it seems that the files are missing. Mark, many of the users on this blog, and myself could probably figure it out or at least find the "missing" files, but typical users probably wouldn't. They would just assume Vista lost their files or it's a bug or it's their computer. They wouldn't say "oh, this is good"...they don't even know it's a security mechanism.
Well designed, Microsoft, but horribly implemented.
hi Mark,
became a fan of your approach and mindset, through your blog. The dedication and love I see in you, is something I would like to have too.
primary reason for writing; is to let you know that the titles you choose are simply awesome, generates interest, old English style, and tells it wont be tough reading it. :)
All best! :)
Kamlesh Chandra
Hello.
This post reminds me a problem we have with few of our pcs (out of about few hundreds). Windows XP Pro, computers joined to a domain and some of them have troubles with refreshing the desktop (users have to right-click and choose refresh button). We investigated this issue for few months, checked most of our IT infrastructure, reinstalled, rejoined to a domain and found nothing... maybe you guys have any ideas?
Best regards.
Microsoft should have devised a new icon treatment or type-prefix to flag these to the user, along with mouse-over help. Why another layer of obscurity? To Microsoft's customers this is nothing more than a bug.
Implementation of virtual folders is a problem!
I almost think that this is the Microsoft's lawyer-ly approach to technology:
1. Put in a very secure way to do things you want to do -- like save a file from a Web site.
2. Implement same in the quickest style possible -- even highly experienced technical users have to use tools to find out what is happening.
3. Since implementation is inconvenient for users, tell them: you can turn off protected mode (or UAC or ...) as a "solution."
4. If they later complain that they were hacked, tell them that THEY chose to turn off the secure way to do things.
So, is there a way to mark "approved" controls as safe permanently, so they can function intuitively?
PMC
I'm wondering if the reason that the user can see these files is that like in Windows XP/2003, the Explorer view was changed to show all hidden files and folders and System files.
Most admins that I know turn this non-default view on for ease of administration and troubleshooting, but it can cause all kinds of issues when a non-tech users can see and manipulate these files, JUST LIKE MAKING ALL USERS MACHINE ADMINS CAN.