Thamim Karim on a virtual vibe...

Permissions in the PVAD and VFS with App-V 5.0


This post has moved here

  • It's a shame that there's no way to open up these permissions - there will be plenty of badly written legacy applications that depend on quote access to certain locations.  With Windows Installer we could set permissions on install, with App-V 4 we could change permissions during sequencing and they would be captured, or we could disable security descriptors entirely... With App-V 5 it seems the only option we have is to use shims.  I hope that Microsoft take notice and provide a way to really alter permissions in a future update.  Until then, I have my own workaround!

  • quote access = write access


  • Hi Dan, thanks for sharing your blog post, the team are aware that the ability to modify permissions in the VE is highly desired with App-V 5.0. Sequencing to the PVAD or specifying it as the place you would like to be writable is one technique you may employ, although this isn't ideal for apps that have multiple locations. App-V 5.0 is really just keeping the default security of the folders that are outside of the package root but I do agree this does not give us as much flexibility as we had in previous versions.

  • Whatever is described above, I tried to implement the same as an admin and non-admin and found it was not positive.

    Please let me know, whether we could write or not as an admin or user in C:\ProgramData\App-V\71A57C9A-3E3F-4308-B8E1-3909096F02E6\C549E4AE-DEF3-4BD1-83EB-59639F648F44\Root and C:\ProgramData\App-V\71A57C9A-3E3F-4308-B8E1-3909096F02E6\C549E4AE-DEF3-4BD1-83EB-59639F648F44\Root\VFS


    C:\Users\ABCD\AppData\Local\Microsoft\AppV\Client\Integration\7532754F-9420-4D4E-B0F5-D55E94EB67EA\Root and C:\Users\Gautam\AppData\Local\Microsoft\AppV\Client\Integration\7532754F-9420-4D4E-B0F5-D55E94EB67EA\Root\VFS

    Please give brief descriptions based on the above directory structure.

  • The thing to understand is the article relates to permissions the user has when running the application not the ability for a user to directly go and modify those locations outside of the application running in the VE.

    There is no documented or supported way to directly change either location you have specified, the cache holds a static state and is not writable, state changes are described in more detail here:

    This article describes what state changes are permitted across VFS and PVAD for non-admin and admin.

  • Thank you for your response Thamim

    As per the above-mentioned contents, "PVAD has write access to both admin and non-admin and the VFS only gives write access to admin," but when I checked, I found that both admin and non-admin have write access to PVAD, VFS in "C:\Programdata\APPV\............" on Client.

    Can you please let me know your thought on this?

  • First can you please clarify, in what context you are trying to make changes? Are you physically browsing to the cache location and trying to change files or are you running an App-V package that writes to these locations?

  • I installed the package and then launched the shortcuts, then navigated File--->Open---> and reached the PVAD (root) and VFS location in the VE and tried to create a new folder in the Root directory and in the VFS directory as Admin and as Non Admin, and in both cases I was able to write.

  • Ah okay great. Is the VFS directory a user profile based location? If not, have you changed the default permissions on the root of the place where the VFS folder resides?

  • The VFS directory has two other directories, i.e. ProgramFilesCommonX86 and windows.

    I didn't alter permissions; we are working with default permissions only.

  • In that case, I cannot explain the behaviour you are seeing nor am I able to replicate it. Feel free to use the "Email Blog Author" button above if you would like to share the package with me to see if I can find anything.

  • Okay, further to our messages via email it looks like you have non-default permissions set on these directories as you can write to these places natively as a non-admin user. I'll explain what you are seeing in a post very soon.

  • Hmmmm I am assigning my PVAD during sequencing as the install directory but when I deploy my app, users are presented with an error cannot find C:\Myapp\Myapp (which I specified as the PVAD). When trying to browse to this location by typing it in manually (as I know it is hidden) it says that it doesn't exist. Am I missing something?

  • Here is a solid solution for the C:\ProgramData allowing write permissions for everyone Full. But I am unable to get write access to the C:\Users\admin\Appdata\Local\Microsoft\AppV\Client\VFS\"GUID"\Common  Appdata, now that being said, once the application is launched I can go in and manually add permissions which has resolved the issue for me 100% of the time, but I cannot do that for every user, ugh. Need help on that one.

    Here is the cure C:\ProgramData\.... Permissions

    Within the DeploymentConfig.xml file locate the Machine scripts, take out the "Comments"  <!-- and --> and the following lines.





     /c %SYSTEMROOT%\System32\icacls.exe "[{AppVPackageRoot}]\VFS\Common AppData" /grant Everyone:(OI)(CI)F
     <Wait RollbackOnError="true" Timeout="30"/>




  • I meant add the following lines :-)
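
A defender-side check for what a machine script like the one in the last comment leaves behind, and for the non-default permissions found earlier in the thread. This PowerShell is an added example, not part of the original post or its comments; it lists Allow ACEs under the package cache that give Everyone, Authenticated Users or BUILTIN\Users write-type rights. The cache root default, the principal list and the function name Get-BroadWriteAce are assumptions.

```powershell
# Added example (not from the original post). Audits an App-V package cache for
# Allow ACEs that give broad principals write-type rights. Needs PowerShell 5.0+ (-Depth).
param(
    # Assumption: package cache root under ProgramData, as in the paths quoted in the thread.
    [string]$CacheRoot = (Join-Path $env:ProgramData 'App-V')
)

# Well-known SIDs, so the check does not depend on localized account names.
$broadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

# Write-type bits only. 'Modify' and 'FullControl' are not used as masks because
# they also contain read bits and would match read-only ACEs.
$fsWrite = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$genericWrite = 0x40000000 -bor 0x10000000   # GENERIC_WRITE | GENERIC_ALL
$writeMask = $fsWrite -bor $genericWrite

function Get-BroadWriteAce {
    param([Parameter(Mandatory)][string]$Path)

    $acl = Get-Acl -LiteralPath $Path
    # Ask for SIDs instead of account names: explicit and inherited rules.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $rules) {
        $sid = $ace.IdentityReference.Value
        if ($ace.AccessControlType -eq 'Allow' -and
            $broadSids.ContainsKey($sid) -and
            ([int]$ace.FileSystemRights -band $writeMask)) {
            [pscustomobject]@{
                Path      = $Path
                Principal = $broadSids[$sid]
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited   # False = set explicitly, e.g. by icacls /grant
                Flags     = $ace.InheritanceFlags
            }
        }
    }
}

# Cache root, then package GUID, version GUID, Root, VFS and the VFS token folders.
$dirs = @(Get-Item -LiteralPath $CacheRoot) +
        @(Get-ChildItem -LiteralPath $CacheRoot -Directory -Recurse -Depth 4 -ErrorAction SilentlyContinue)
$dirs | ForEach-Object { Get-BroadWriteAce -Path $_.FullName } |
    Sort-Object Path, Principal | Format-Table -AutoSize -Wrap
```

Rows with Inherited = False are grants made on that folder itself; a row showing FullControl for Everyone with ContainerInherit, ObjectInherit is what `/grant Everyone:(OI)(CI)F` produces.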

