Installing IIS on Windows XP, Vista, and Windows 7

Introduction

When you install Windows, it doesn’t automatically install IIS for you. Instead, you have to install it manually. If you have downloaded a new version of IIS from the IIS website, you can use the setup file to install IIS on your machine. If you prefer the version of IIS that ships with your Windows edition, you can install it using the Windows Components installer, and that is what we are going to do next.

IIS on Windows XP

To install IIS on Windows XP, follow these steps:

  1. Go to Control Panel -> Add or Remove Programs -> Add/Remove Windows Components.
  2. Go down in the list and check Internet Information Services (see figure 1.)
  3. You can also click Details to choose additional services and functionalities to install (e.g. SMTP service.)
  4. Click Next and provide your Windows CD or Windows installation files folder to continue.

Figure 1 - Installing IIS on Windows XP

Now you can go to Control Panel -> Administrative Tools and run IIS from there. You can also browse to http://localhost and see your new homepage (enjoy!)

IIS on Windows Vista and Windows 7

Installing IIS on Windows Vista/7 is very similar; just follow these steps:

  1. Go to Control Panel -> Programs and Features -> Turn Windows Features on or off.
  2. In the Windows Features dialog (see figure 2), check the Internet Information Services node.
  3. You can also select any additional services to install from the child nodes (e.g. FTP services.)
  4. Click OK to complete the installation. A system reboot might be required.

Figure 2 - Installing IIS on Windows Vista and Windows 7

Now go to Control Panel -> Administrative Tools to run IIS. You can also go to http://localhost to see your new homepage.

Running IIS

Personally, I don’t like running IIS from Administrative Tools. I like to use the Run command to run everything on my PC and that’s, in my opinion, 3 times faster than everything else (of course when using the keyboard, not the mouse.)

To be able to launch IIS from the Run command, you need to add the IIS directory (%windir%\System32\inetsrv) to the command search path, which is stored in the system environment variables. That can be done using the following steps:

  1. Open System Settings (right click Computer and choose properties, or preferably by pressing Start + Pause Break buttons.)
  2. If you are using Windows Vista or Windows 7 choose Advanced System Settings from the left pane.
  3. Go to Advanced -> Environment Variables (see figure 3.)
  4. In the bottom list (System Variables) select Path and click Edit.
  5. Be careful with this step. In the Variable Value field, add the symbol ; to the end of the value (if it’s not already there) and then append the following text:
    %windir%\System32\inetsrv
  6. Click OK 3 times.

Figure 3 - Setting the Path Environment Variable

Now go to Run (Start + R) and write inetmgr (the name of the IIS Manager) to run the IIS Management tool.

Have a nice day!

Removing Hidden System Shares

Contents

Contents of this article:

  • Contents
  • Introduction
  • The Net Command (net.exe)
  • Starting Net Command
  • Listing Current Shares
  • Sharing a Resource
  • Removing a Share
  • Net Command Help

Introduction

Although Windows helps you manage system shares through a great many tools and applications, it creates hidden shares for all your disk drives when you install a fresh copy of Windows, and these shares are not accessible via those tools.

What does “hidden” mean? It means that these shares are neither shown to the user nor marked with the sharing mark in Windows Explorer. Plus, they are not accessible via common tools like the Computer Management MMC snap-in. Instead, you can control those shares only via command-line instructions. These shares are also hidden from other computers in the network. However, other users can access your computer via these shares using very simple instructions.

Why is keeping these shares considered very dangerous? Imagine that some user in the network accesses your disk drives by writing a simple line like \\<computer name>\C$ (to access the C: drive) in the Run utility (in the Start menu.) At the very least, he can steal your personal information and data and expose them to danger.

The Net Command (net.exe)

Windows comes with a very nice utility, the Net Command (net.exe), that is used for many purposes. We are not going to cover all uses of the Net Command, since that would require plenty of articles, not one! Instead, we are going to talk about only one use of the Net Command: the Sharing Manager.

Starting the Net Command

Unfortunately, Net Command utility does not include a GUI (Graphical User Interface.) Thus, we will have to use the Command Prompt when working with Net Command (net.exe).

Follow these steps to start Command Prompt:

  1. Open the Start Menu
  2. Choose Run
  3. Type “cmd” in Run dialog box
  4. Click OK button

Listing Current Shares

After running the Command Prompt, you can type this command to list the current system shares:

net share

The previous command should display something like this:

Share name   Resource                        Remark

------------------------------------------------------------
d$           d:\                             Default share
e$           e:\                             Default share
f$           f:\                             Default share
IPC$                                         Remote IPC
print$       C:\Windows\system32\spool\drivers
                                             Printer Drivers
C$           C:\                             Default share
Programs     D:\Programs
The command completed successfully.

The display is divided into three columns, Share Name, Resource, and Remark. Share Name displays the name of the share that is visible to the user. Every share has a unique name and you can control a share only using that name. Resource column shows the path of the share. Remark shows some comments -which you can set manually- about the share.

The previous results from my machine show that all my drives, C, D, E, and F, are currently shared as hidden. They are named c$, d$, e$, and f$ respectively. That’s the default naming convention used by Windows for hidden disk shares. In addition, the results show that I have shared the D:\Programs directory.
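
To review the shares on a machine without reading the listing by eye, the output can be parsed and each share classified. The following is an added example, not part of the original article; it assumes English-language `net share` output saved as text, and the sample is constructed from the listing above.

```python
import re
from typing import List, NamedTuple

# Constructed sample: the listing shown above, as `net share` prints it
# (English-language Windows; column headers differ in other locales).
SAMPLE_OUTPUT = r"""
Share name   Resource                        Remark

------------------------------------------------------------
d$           d:\                             Default share
e$           e:\                             Default share
f$           f:\                             Default share
IPC$                                         Remote IPC
print$       C:\Windows\system32\spool\drivers
                                             Printer Drivers
C$           C:\                             Default share
Programs     D:\Programs
The command completed successfully.
"""


class Share(NamedTuple):
    name: str
    resource: str
    remark: str


DRIVE_SHARE = re.compile(r"^[A-Za-z]\$$")             # c$, d$, ...
RESOURCE_REMARK = re.compile(r"^(.*?)(?:\s{2,}(.*))?$")


def parse_net_share(text: str) -> List[Share]:
    """Turn `net share` output into Share records, joining wrapped lines."""
    lines = text.splitlines()
    header = next(i for i, l in enumerate(lines) if l.startswith("Share name"))
    res_col = lines[header].index("Resource")          # where column 2 starts
    shares: List[Share] = []
    for line in lines[header + 1:]:
        if line.startswith("The command completed"):
            break
        if not line.strip() or set(line.strip()) == {"-"}:
            continue                                   # blank line or ruler
        name, rest = line[:res_col].strip(), line[res_col:].rstrip()
        if name and len(line) > res_col and not line[res_col - 1].isspace():
            name, rest = line.strip(), ""              # long name: rest wraps
        if not rest or rest[:1].isspace():
            resource, remark = "", rest.strip()        # nothing in column 2
        else:
            resource, remark = RESOURCE_REMARK.match(rest).groups(default="")
        if name:
            shares.append(Share(name, resource, remark))
        elif shares:                                   # continuation line
            prev = shares[-1]
            shares[-1] = Share(prev.name, prev.resource or resource,
                               prev.remark or remark)
    return shares


def classify(share: Share) -> str:
    """Label a share by the naming convention described in the article."""
    if DRIVE_SHARE.match(share.name):
        return "hidden drive share"
    if share.name.endswith("$"):
        return "other hidden share"    # IPC$, print$ or a user-made one
    return "visible share"


def hidden_drive_shares(shares: List[Share]) -> List[str]:
    """Names of the per-drive hidden shares (c$, d$, ...)."""
    return [s.name for s in shares if DRIVE_SHARE.match(s.name)]


if __name__ == "__main__":
    for s in parse_net_share(SAMPLE_OUTPUT):
        print(f"{s.name:<10} {classify(s):<20} {s.resource}")
```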

Sharing a Resource

To share a new resource (e.g. directory,) you can use the following line:

net share sharename=drive:path

Replace sharename with the name of the new share and drive:path with the resource path. Again, the share name must be unique or the operation will fail.

The following line shares the D:\Products directory under the name Products (you may change the path to any other path that exists on your machine):

net share Products=D:\Products

Now D:\Products is shared successfully. Notice that it’s a normal share, not hidden.

Consider the following line:

net share "Hot Songs"="D:\My Songs" /REMARK:"My Favorite Songs"

The previous line shares “D:\My Songs” under the name “Hot Songs” (as it would appear in Windows Explorer.) In addition, it sets the remark “My Favorite Songs”, which is shown when you list the shared resources as we did in the previous section.

Note that you can control share ACLs (Access Control Lists) using switches like /GRANT. See the last section.

Removing a Share

Now it is time to remove the shares that we don’t need. The following line removes the hidden share of the C drive. Notice that we are referring to the share by its name.

net share C$ /d

The following line is the same:

net share c$ /delete

The following line removes the “Hot Songs” share that we have shared in the previous section:

net share "hot songs" /d

Notice that share name is case-insensitive.

Net Command Help

If you want to discover other features of the Net Command or display help for a command, just add the /? switch to the end of the command. Consider the following line:

net share /?

It shows the help of the sharing command of the Net Command:

The syntax of this command is:

NET SHARE
sharename
 sharename=drive:path [/GRANT:user,[READ | CHANGE | FULL]]
                      [/USERS:number | /UNLIMITED]
                      [/REMARK:"text"]
                      [/CACHE:Manual | Documents| Programs | None ]
 sharename [/USERS:number | /UNLIMITED]
           [/REMARK:"text"]
           [/CACHE:Manual | Documents | Programs | None]
 {sharename | devicename | drive:path} /DELETE

Cool, ain’t it?

Your comments and feedback are welcome.

Does cleaning Prefetch offer more performance?

It has always been said that when you clean the folder %windir%\Prefetch you give your system and applications more performance.

Actually, that’s one of the fables around Windows. Each time you start your computer and each time you open a program that you commonly use, Windows keeps track of the information required to start the computer or that application and saves this information in small files (called Prefetch entries) in the Prefetch folder, to use it later to help speed up the computer start process or the application start time.

Thus, cleaning the Prefetch folder doesn’t improve performance at all. Instead, it slows it down. It makes Windows take longer to start, and makes your favorite programs take longer to open. An analysis done by TuneUp Systems showed a noticeable slowdown in Windows boot-up time, and all commonly used applications took significantly longer to start after cleaning Prefetch.

Obviously, you do not need to deal with Prefetch entries manually; Windows handles them all. Actually, Windows Vista (and future systems that support UAC) helps protect the Prefetch folder by using UAC (User Access Control, read more here) to prevent unauthorized access to this folder.

Requesting Admin Approval at Application Start

Introduction

User Access Control (UAC) is a feature of Windows that can help prevent unauthorized changes to your computer. UAC does this by asking you for permission or an administrator password before performing actions that could potentially affect your computer’s operation or that change settings that affect other users.

With UAC, Administrator users, by default, don’t have administrative privileges. Every Windows process has two security tokens associated with it, one with normal user privileges and one with admin privileges. With applications that require administrative privileges, the user can change the application to run with Administrator rights. That process is called Elevation.

Therefore, when a normal user logs on to the system, he is assigned the standard user access security token, which does not allow him to access administrator resources. On the other hand, when an administrator logs on to the system, Windows creates two security tokens for him: a standard user access token and an administrator access token, and he is assigned the latter. When he tries to access a resource that requires administrator privileges, he is asked for elevation. Unless he approves the elevation request, he cannot access that resource. It is worth mentioning that standard users cannot access protected resources. However, they are asked for elevation by entering an administrator username and password. Therefore, the administrator accesses the protected resource on behalf of the standard user.

Now, there is a question: why do I need administrator privileges? That is, which resources are protected? The answer is very simple. Most operations that may affect the system or other users on the machine are access protected. For example, writing a file on the system drive requires admin approval, reading from the registry requires admin approval, and changing file association requires admin approval.

After all, in this lesson, we will learn how to request admin approval at the application start to allow the application to access protected administrator resources.

Requesting Admin Approval via a Manifest

To request admin approval, you need to embed a manifest with a specific form in the application.

An application manifest is an XML file similar to the application configuration file, but it has a different construction.

To embed a manifest in the application, you will need to add it to the project and ask Visual Studio to embed it.

The Manifest Construction

The following is the manifest construction:
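
A manifest of the standard form that requests elevation, given here as an added example rather than the author's original file; the assemblyIdentity name and version are placeholders:

```xml
<?xml version="1.0" encoding="utf-8"?>
<assembly manifestVersion="1.0" xmlns="urn:schemas-microsoft-com:asm.v1">
  <!-- Placeholder identity: use your own application name and version. -->
  <assemblyIdentity version="1.0.0.0" name="MyApplication.app" />
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
    <security>
      <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3">
        <!-- level: requireAdministrator | highestAvailable | asInvoker -->
        <!-- uiAccess: true only for tools that must drive higher-privilege windows -->
        <requestedExecutionLevel level="requireAdministrator" uiAccess="false" />
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>
```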

You can also add this manifest file via the Add New Item dialog. However, VB.NET adds it automatically. But be sure to edit it.

This manifest should be named the way you name the configuration file. That means that its name should be app.manifest, so Visual Studio can treat it the right way.

This manifest is nothing more than a simple XML file with a specific construction. You cannot change any element name or a namespace. However, you can set the application required privileges through the attributes level and uiAccess of the requestedExecutionLevel element.

The level attribute specifies the security level that we need to grant the application. It can be one of three values:

  • requireAdministrator:
    This means that the application requires administrator privileges (elevation, in other words.) If the user is an administrator, he will be asked for approval. If the user is a standard user, he will be asked to provide an administrator’s username and password. Therefore, the administrator executes the application on behalf of the standard user.
  • highestAvailable:
    The application gets the privileges the user has, but only after getting consent from the user. This means that if the user is a standard user, the application gets standard user privileges. On the other hand, if the user is an administrator, the application gets the admin privileges, but after the request for elevation.
  • asInvoker:
    The application runs with the security token of the user. This means that whether the user is a standard user or an administrator, the application gets the standard user privileges without elevation, and does not request it.

While VB.NET automatically adds the manifest file, it sets requestedExecutionLevel to asInvoker.

The uiAccess option comes in handy if your application requires input to a higher-privilege-level window on the desktop, for example, if your application is an onscreen keyboard. Set uiAccess to true to allow that type of input, or false otherwise.

Actually, you will not be granted the UIAccess privilege unless your application is installed in a secure location like the Program Files directory. If you need to allow applications located anywhere to be granted the UIAccess privilege, you will need to change the system policy in the Local Security Policy MMC snap-in. Learn more here.

Automatically Creating the Manifest

To embed the manifest in your application, follow these steps:

  1. Add the manifest file (app.manifest) to the project.
  2. Open the Project Properties dialog.
  3. Switch to the Application tab.
  4. In the Resources section and in the Manifest field, you can choose to embed a default manifest to the application that has the asInvoker level set, to create the application without a manifest and that has the same effect as the previous option, or to choose from a list of manifest files added to the project.

Figure 1 shows how to embed the manifest file.

Figure 1. Embedding a Manifest

Trying the Example

Now, we are going to write a simple example that illustrates how to request admin approval at the application start and how this affects the application’s progress.

For the example to work well, it is better not to start Visual Studio .NET with admin privileges, because if you run the application from the Visual Studio environment, it will be granted Visual Studio’s permissions automatically. To see the results, run the application from its file instead.

Now, start a new project and add the following code to the Main() function:

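using System;

class Program
{
    static void Main()
    {
        // Change C: to your system drive if it differs.
        // Writing to the root of the system drive needs the administrator token.
        System.IO.File.WriteAllText(@"C:\MyFile.txt", "Hello, World");
        Console.WriteLine("Completed");
        Console.ReadKey(true);
    }
}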

The previous code tries to write a file to the system drive, which is access protected and requires admin approval to allow the writing.

Now, try to run the application. Unfortunately, because you are not granted the administrator access token, the application will fail and you will be faced with System.UnauthorizedAccessException.

Again, if you started Visual Studio .NET with admin privileges, you will not see how the UAC affects the whole application. In that case, you will need to run the application from its file.

Now, add the manifest to the application and embed it and try to run the application again.

Cheers, it succeeded. Now, you are faced with the admin approval message. The following figures show the two types of admin approval messages. Figure 2 shows the prompt for consent message for administrator users, while figure 3 shows the prompt for credentials message for standard users.

Figure 2. Prompt for Consent Message
Figure 3. Prompt for Credentials Message

Requesting Admin Approval via the Registry

While you can easily request admin approval via a manifest file during the development process, that will not be the case if the application is already deployed.

Actually, you can request an application to start with admin privileges by right-clicking the application file and choosing the “Run as Administrator” item. However, you will need to do this every time you try to run the application.

Another way is to change the application to request admin approval every time you execute it. This is done through the compatibility options in the Properties dialog of the application file. See figure 4.

Figure 4. Compatibility Options

Setting this option adds the compatibility flag RUNASADMIN to the registry at SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers, which resides in HKCU if you change the current user’s settings or in HKLM if you choose to change the settings for all users. Figure 5 shows our application item in the registry.

Figure 5. Compatibility Flags in Registry

Therefore, you can register an application to run as administrator if you add the compatibility flag RUNASADMIN in the right place.

Actually, you can replace the manifest approach with this one. You make the application installer add this compatibility flag during the installation process, which, by default, runs with admin privileges.

The Last Word

It is worth mentioning that this does not apply to Windows Vista only; it also applies to Windows 7, and maybe later versions. Working with UAC is very exhausting. However, you should relax! Windows 7 fixes major UAC problems. Now, you are not required to grant permission for simple operations such as changing the system date and time.

It is worth mentioning that it is better not to request admin approval for the whole application. It is recommended that you request admin approval for the specific operations that require it only. And this can be done through the Windows Vista SDK.

In addition, you can read more about UAC and how it affects your application flow in these articles:

Good day!

Advanced Control of UAC

Here in this lesson we’ll learn some useful techniques for controlling the UAC (User Access Control.)

What is User Access Control?

User Access Control (UAC) is a feature of Windows that can help prevent unauthorized changes to your computer. UAC does this by asking you for permission or an administrator password before performing actions that could potentially affect your computer’s operation or that change settings that affect other users.

By default, Administrator users do not have administrative privileges. Every Windows process has two security tokens associated with it, one with normal user privileges and one with admin privileges. With applications that require administrative privileges, the user can elevate the application to run with Administrator rights. That process is called Elevation.

A user can elevate an application either by clicking “Run as Administrator” from the context menu of the application icon, or by editing the Compatibility tab in the properties of the application file.
Also, while an application is running, it can ask the user to provide administrative permission to complete a specific operation (a good example is switching to the All Users mode in Task Manager.)

Compatibility Options

Disabling or enabling UAC

You can disable or enable the UAC simply from the Control Panel from the User Accounts configuration.

Enabling/Disabling UAC

By clicking the “Turn UAC on or off” option you can disable or enable the UAC.

Advanced Control of UAC

You can control every aspect of UAC using the Local Security Policy MMC snap-in. You can open this snap-in from Administrative Tools in the Control Panel.

After opening Local Security Policy utility, step down to the Local Policies then to the Security Options node.

From the right you can find a list of security policies that you can take control of.

Local Security Policy - Advanced UAC

We are interested in the nine policies that apply to UAC, and these policies are:

Admin Approval Mode for the Built-in Administrator account

This policy specifies whether to enable Admin Approval Mode for the built-in Administrator account or not.

Admin Approval Mode means requiring the user via the UAC messages to approve administrative operations. In other words, it means enabling the elevation process.

This policy is disabled by default.

Behavior of the elevation prompt for administrators in Admin Approval Mode

This policy defines the behavior for the administrators while in Admin Approval Mode (while the previous policy is enabled.)

You can set this policy to one of three options:

  • Prompt for consent (default):
    Ask the user to provide the permission by clicking either the Allow button (sometimes Continue) or the Cancel button.
  • Prompt for credentials:
    Ask the user to enter his password.
  • Elevate without prompting:
    Grant the permission without asking the user.

Prompt for Consent Message

Prompt for Credentials Message

Behavior of the elevation prompt for standard users

This policy defines the behavior for standard users (non-Administrator users) during elevation.

This policy can have one of two options:

  • Prompt for credentials (the default for home editions):
    Ask the user to provide an administrator username and password.
  • Automatically deny elevation requests (the default for enterprise editions):
    Do not ask the user and automatically deny the elevation request.

Detect application installations and prompt for elevation

This policy defines whether to prompt for elevation for application installations or to allow them without asking.
By default, this policy is enabled for home editions, and disabled for enterprise editions.

Only elevate executables that are signed and validated

This policy defines whether to elevate only the applications from known vendors (like Microsoft of course), or to prompt for elevation for all applications.

This policy is disabled by default.

Only elevate UIAccess applications that are installed in secure locations

If the application requests execution with the UIAccess integrity level, this policy defines whether to allow the application if it resides in secure locations (like Program Files), or not.

This policy is enabled by default.

Run all administrators in Admin Approval Mode

This policy defines the behavior of all UAC policies for the entire system.

If this policy is enabled, all administrators will run in Admin Approval Mode and you will be asked for elevation. Conversely, if this policy is disabled, then all administrators will be granted the permission by default.

This policy is enabled by default.

Switch to the secure desktop when prompting for elevation

This policy defines whether all elevation requests will go to the Secure Desktop or the Interactive Desktop.

Secure Desktop is the default option, and that means that you will not have the ability to interact with other applications until you allow or deny the elevation request. Interactive Desktop means that you have the ability to interact with other applications while you are asked for elevation.

Virtualize file and registry write failures to per-user locations

This policy defines whether to use File and Registry Virtualization or not. File and Registry Virtualization means that applications that are not running in administrator mode are redirected to a specific location if they try to read from or write to specific locations, such as the Program Files and Windows directories for File Virtualization and HKLM for Registry Virtualization.

This policy is enabled by default.

Read about File and Registry Virtualization and see them in action.

Last word

For security reasons, it is recommended that you leave UAC enabled and keep its default options. And you must be very careful if you are going to change UAC options, or other security policies of course.
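
To check a machine against the defaults listed in this lesson, the following added example (not part of the original article) parses captured `reg query` output and reports every policy that differs. The registry value names under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System are not given in the article; they are the values in which Windows stores these nine policies, and the sample output is constructed.

```python
import re

# Key that holds the UAC policies; captured with:
#   reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
POLICY_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

# value name -> (policy name as listed above, default stated above).
# None: the default is a multi-choice setting or depends on the edition.
POLICIES = {
    "FilterAdministratorToken":
        ("Admin Approval Mode for the Built-in Administrator account", 0),
    "ConsentPromptBehaviorAdmin":
        ("Behavior of the elevation prompt for administrators in Admin Approval Mode", None),
    "ConsentPromptBehaviorUser":
        ("Behavior of the elevation prompt for standard users", None),
    "EnableInstallerDetection":
        ("Detect application installations and prompt for elevation", None),
    "ValidateAdminCodeSignatures":
        ("Only elevate executables that are signed and validated", 0),
    "EnableSecureUIAPaths":
        ("Only elevate UIAccess applications that are installed in secure locations", 1),
    "EnableLUA":
        ("Run all administrators in Admin Approval Mode", 1),
    "PromptOnSecureDesktop":
        ("Switch to the secure desktop when prompting for elevation", 1),
    "EnableVirtualization":
        ("Virtualize file and registry write failures to per-user locations", 1),
}

# Constructed sample of `reg query` output (not taken from a real machine).
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
    ConsentPromptBehaviorAdmin    REG_DWORD    0x0
    ConsentPromptBehaviorUser    REG_DWORD    0x1
    EnableInstallerDetection    REG_DWORD    0x1
    EnableLUA    REG_DWORD    0x1
    EnableSecureUIAPaths    REG_DWORD    0x1
    EnableVirtualization    REG_DWORD    0x1
    PromptOnSecureDesktop    REG_DWORD    0x0
    ValidateAdminCodeSignatures    REG_DWORD    0x0
    dontdisplaylastusername    REG_DWORD    0x0
"""

VALUE_LINE = re.compile(r"^\s+(\S+)\s+REG_DWORD\s+(0x[0-9A-Fa-f]+)\s*$")


def parse_reg_query(text):
    """Return {value name: int} for every REG_DWORD line in the output."""
    values = {}
    for line in text.splitlines():
        match = VALUE_LINE.match(line)
        if match:
            values[match.group(1)] = int(match.group(2), 16)
    return values


def audit(values):
    """List (value name, policy, note) for settings that differ from the defaults."""
    findings = []
    for name, (policy, default) in POLICIES.items():
        if name not in values:
            continue          # not set: Windows applies its built-in default
        actual = values[name]
        if name == "ConsentPromptBehaviorAdmin" and actual == 0:
            # 0 is the "Elevate without prompting" option.
            findings.append((name, policy, "set to 'Elevate without prompting'"))
        elif default is not None and actual != default:
            findings.append((name, policy,
                             f"is {actual}, default listed above is {default}"))
    return findings


if __name__ == "__main__":
    for name, policy, note in audit(parse_reg_query(SAMPLE_REG_QUERY)):
        print(f"{policy} ({name}): {note}")
```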

Changing the Windows Logon Screensaver

When you start Windows, you may be presented with the welcome screen, which prompts you to enter your username and password. If you leave the machine inactive for a specific time, the Windows logon screen saver starts. That screen saver is the Blank screen saver (Logon.scr), which shows a blank black screen.

You can control the Windows logon screen saver from the registry options in HKEY_USERS\.Default\Control Panel\Desktop.

Registry Editor + Logon Screen Saver

Changing the screen saver options

To change the logon screen saver options, follow these steps:

  1. Open the Registry Editor from Start -> Run -> regedit.exe.
  2. Locate the logon options in the registry key HKEY_USERS\.Default\Control Panel\Desktop.

There, we are interested in three values:

  • SCRNSAVE.EXE:
    For changing the current screen saver.
    Set this value to the path of the new screen saver (relative paths allowed.)
    Note that most screen savers are located in the %windir%\System32 folder (the default path) and they have the extension “scr”.
    The default screen saver is the Blank screen saver (Logon.scr).
  • ScreenSaveTimeOut:
    For changing the time that you must wait for the screen saver to start.
    Set this value to the number of seconds to wait. For example, 60 for a minute.
    The default timeout is 600 seconds (10 minutes).
  • ScreenSaveActive:
    For turning the screen saver on or off.
    To turn off the screen saver set this value to 0. Conversely, set it to 1 for turning it on.

Actually, these options and others under “HKEY_USERS\.Default\Control Panel” are the default options for new users. For example, setting Desktop/FontSmoothing to 2 sets the screen font smoothing to ClearType for every new user. Changing the screen saver options also affects all new users, not the logon screen only.

To be honest, the HKEY_USERS hive contains the customizations for every user on the machine based on his SID (Security Identifier). So, you can find users’ customizations in this registry hive. Also, you can find the current user’s customizations in the HKEY_CURRENT_USER hive.

Windows Vista File and Registry Virtualization

With the UAC (User Access Control) feature of Windows Vista enabled, Administrator users, by default, don’t have administrative privileges. Every Windows process has two security tokens associated with it, one with normal user privileges and one with admin privileges. With applications that require administrative privileges, the user can elevate the application to run with Administrator rights. That process is called Elevation.

As you would expect, it’s the least-privilege principle, well known to security pros and people who use Linux.

A user can elevate an application either by clicking “Run as Administrator” from the context menu of the application icon, or by editing the Compatibility tab in the properties of the application file.
Also, while an application is running, it can ask the user to provide administrative permission to complete a specific operation (a good example is switching to the All Users mode in Task Manager).

Compatibility Options

Windows Vista keeps track of the compatibility options edited for an application by adding a compatibility flag to the registry at HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers.

Try changing any of the compatibility options for an application and see how Windows tracks that.

Because of the UAC feature, Windows Vista doesn’t allow users to access some folders like the Program Files and Windows folders. It also doesn’t allow them to access the registry without administrative permission.

But there are lots of applications that write lots of data to the Program Files folder, for instance, and Windows Vista must keep them from doing such operations without administrative permission (you can imagine the number of applications that require administrative privileges). So, to handle this dilemma, Windows Vista has a new technique called Virtualization.

When a program tries to write to the Program Files folder, for instance, Windows Vista redirects it to a special virtual store so that the application can read/write data without generating errors (because of course it doesn’t have the permission).

As we will see in the next example, Windows Vista uses this technique with the registry too.

For folders, virtualization is called File Virtualization. For the registry, it’s called Registry Virtualization.

File Virtualization

To see virtualization in action let’s try this example:

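using System;
using System.IO;

// Resolve the Program Files folder and a sub-folder for this application.
string programFiles =
    Environment.GetFolderPath(Environment.SpecialFolder.ProgramFiles);
string appDir = Path.Combine(programFiles, "MyApplication");

// Without elevation, these writes are redirected to the virtual store.
if (!Directory.Exists(appDir))
    Directory.CreateDirectory(appDir);

string file = Path.Combine(appDir, "SampleFile.txt");

File.WriteAllText(file, "Hello, World!");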

When you run the example, it doesn’t write to C:\Program Files\MyApplication. Instead, it writes to the Program Files virtual store in C:\Users\<username>\AppData\Local\VirtualStore\Program Files\MyApplication

Note that if you are running your Visual Studio instance in elevated mode and run your application it gets the elevated mode from Visual Studio. So you need to run it manually from its icon.

Try changing the application so it writes to Windows folder. And check the virtual store folder.

Registry Virtualization

Virtualization is not only done with folders but also with registry entries. If the application tries to write to the registry key Software in the HKEY_LOCAL_MACHINE hive, it is redirected to the HKEY_CURRENT_USER hive. Instead of writing to HKLM\Software\{Manufacturer}, it writes to the registry Virtual Store HKCU\Software\Classes\VirtualStore\MACHINE\SOFTWARE\{Manufacturer}.

File and registry virtualization is available only for 32-bit applications. This feature is not available for 64-bit applications on Windows Vista.

Don’t use virtualization as a feature of your application. It is better to fix your application than to write to Program Files folder and the HKLM hive without elevated user privileges. Redirection is only a temporary means to fix broken applications.