
Shadow Key 2012 – Update for Windows Server x64 / 64bit

For those of you who remember the shadow key in Terminal Services: is it still used, and if so, how? Hopefully the following FAQs will shed some light on the matter.

What is the Shadow Key?

When an application is installed onto a terminal server (either natively on Windows x64 or by the Change User Install command), the terminal server monitors the system calls in a few key areas.

  1. Any registry keys added to HKCU\Software are “shadowed” (copied) to HKLM\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software – this is typically known as the Shadow Key location.

  2. Any registry keys added to HKLM are “shadowed” to HKLM\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Machine

  3. Any queries to the Windows directory return the %SYSTEMROOT% variable.

  4. Any .ini file entries are added to the .ini files under the %SYSTEMROOT% directory.

The last three are not much of an issue for newer applications; the majority of applications that need to be aware of this have entries under HKCU\Software.

Why is the Shadow Key needed?

Imagine what happens when you install an application on a server where the install writes to a single HKCU location, yet multiple users will be connecting to the server to launch that application.

Let’s take application X, a basic application that, when installed onto a server, writes a key to HKCU\Software\x\ImABadApp. This key is required for the application to run.

Now let’s see how it was installed: a service account called domain\serviceinstall was used to install it. You can see that, when the application was installed, the HKCU entry was added for the account that was logged on or used to run the install. So if user domain\sunil logs on, he has no entry in HKCU\Software\x and the application fails.

The change user install mechanism monitors this key, and when an entry is added it gets shadowed. Now, when user domain\sunil logs on, the shadow key area is checked and its entries are added to the HKCU of domain\sunil.

Is it required for Windows x64?

Yes, although there are now two locations: one for 32-bit (WoW64) and one for native 64-bit processing. WoW64 is a subsystem within x64 Windows that intercepts any 32-bit calls and redirects them to an “emulator” capable of handling 32-bit processing.

x86: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install

x64: HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install

What if both Shadow Key locations have the same entry x86/x64?

Any duplicate Shadow Keys are merged together; any direct conflicts are won by the 32-bit location.
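
Because everything under the shadow key is copied into users' HKCU at logon, it is worth reviewing what the two locations hold and where they disagree. The PowerShell below is an added example, not part of the original post: a read-only audit whose function name (Get-ShadowValue) and status labels are hypothetical, and which assumes the per-user data sits under the Install\Software subkey of both locations listed above.

```powershell
# Added example (not from the original post): read-only audit of both shadow key locations.
# Assumption: HKCU shadow data lives under ...\Install\Software in each location.
$paths = @(
    'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software',
    'SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software'
)

# Open the 64-bit registry view so both paths are read literally,
# whatever the bitness of the PowerShell host process.
$hklm = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
    [Microsoft.Win32.RegistryHive]::LocalMachine,
    [Microsoft.Win32.RegistryView]::Registry64)

function Get-ShadowValue {
    # Flatten a key tree into "relative\subkey|valueName" -> data (as string).
    param([Microsoft.Win32.RegistryKey]$Key, [string]$Relative, [hashtable]$Into)
    foreach ($name in $Key.GetValueNames()) {
        $Into["$Relative|$name"] = [string]$Key.GetValue($name)
    }
    foreach ($sub in $Key.GetSubKeyNames()) {
        $child = $Key.OpenSubKey($sub)   # OpenSubKey(name) opens read-only
        if ($child) {
            Get-ShadowValue -Key $child -Relative "$Relative\$sub" -Into $Into
            $child.Close()
        }
    }
}

# One case-insensitive hashtable per location; empty if the key does not exist.
$views = foreach ($p in $paths) {
    $table = @{}
    $root = $hklm.OpenSubKey($p)
    if ($root) { Get-ShadowValue -Key $root -Relative '' -Into $table; $root.Close() }
    $table
}

# Every entry listed is a candidate for propagation into users' HKCU\Software.
# 'Conflict' rows are the cases the merge rule above has to resolve.
foreach ($entry in (@($views[0].Keys) + @($views[1].Keys) | Sort-Object -Unique)) {
    $inFirst  = $views[0].ContainsKey($entry)
    $inSecond = $views[1].ContainsKey($entry)
    $status = if ($inFirst -and $inSecond) {
        if ($views[0][$entry] -ceq $views[1][$entry]) { 'Duplicate' } else { 'Conflict' }
    } elseif ($inFirst) { 'FirstOnly' } else { 'SecondOnly' }
    [pscustomobject]@{ Entry = $entry; Status = $status
                       First = $views[0][$entry]; Second = $views[1][$entry] }
}
```

Pipe the output to `Where-Object Status -eq 'Conflict'` to see only the entries where the two locations hold different data.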

If you have any more questions, let me know via the comments and I will get them added.

Regards

Chris


© 2015 v23c LTD
