I compliment Microsoft on UAC.  This is a painful problem, but somebody has to encourage application vendors to fix their stuff and the UAC dialogs seem to get that point across.  Complaining to the users forces the application vendors to fix the apps, but still allows the applications to run.

Here though, I am torn.  I make a living convincing poorly written applications to run in a XenApp world and if all the applications are fixed to make them runnable on normal user privilege, there won’t be as much magic to work.  Friends tell me to not get discouraged; application vendors will continue to produce poorly behaved software for eternity; please no comments about Citrix…

The common question

Can Application Streaming help convince this poorly behaving application to run successfully on XenApp hosted?  Answer: You betcha!

Applications can desire privilege for many reasons; some of those reasons are valid, but given the flurry of UAC dialogs we saw when Vista shipped, many of them are invalid.  These invalid ones are great candidates for running under isolation: an application that wants privilege can be run under Application Streaming, where it will run successfully in a terminal services world, without privilege, and not complain about it.

Often, the incompatibility is a small problem of the application wanting to write to protected spaces at runtime, such as \Program Files or HKLM in the registry.  Windows programming 101 – you can’t do that. Still, many applications do, especially those with a long heritage on Windows 9x that were then ported to NT.  The UAC dialogs are helping and we’re getting on an improved track to applications that are designed to work with users running on user privilege accounts and, by inference, becoming friendly to multi-user XenApp hosted execution.  This is a great boon for application execution on TS/XenApp; more applications will “just work” even when locally installed.  Still, a large number of applications will continue to misbehave and this creates an endless need for running applications under isolation.

Give me an example please

What happens at runtime is that the application's writes to protected spaces end up going to per-user spaces instead.  The isolation system layers all this back together to make the application THINK it wrote to the global space; the application pushes on blissfully unaware of the deception, and you as the administrator push on gleefully happy about your ability to put ANYTHING into a hosted XenApp environment.

With multiple users, each user gets their own per-user version of the “global” space and the application – for each user – sees a world that is global, yet per-user in its structure.  This same thing happens for named objects (like pipes), the registry and file systems so that multiple misbehaving applications can all get along.

Here’s a graphic to get it across.

There’s no magic; only smoke and mirrors.  When you understand the smoke and mirrors, this isolation stuff becomes pretty plain to understand.  Application Streaming is a tool you can use to make your misbehaving applications behave.  It’s been around for years now, it works and can solve some of your headaches. So, I say … Isolate and enjoy.

One last thing, in case anyone wanted to know, the above graphic is actually repeated for EACH sandbox on the server. Each 3 layer view is a sandbox supporting application execution for a given user.  Parts of the isolation space are “shared” between the users because there is no need to have multiple versions of the application content present, that would just waste space.  Take a heavily loaded XenApp server with 50 users; each running a variety of applications, all streamed.  150 different sandboxes would not be uncommon.   The isolation system has to keep track of all of that and not blow up even if Citrix has people on staff who do nothing other than try to break it.  Good fun and they don’t call it the “stress lab” for nothing.
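The redirection and layering described above can be modelled in a few lines. This is an added example, not Citrix code and not from the original post: the `Sandbox` class, the layer names, the tombstone handling for deletes and the sample paths are all assumptions chosen to show one per-user layer sitting over shared application content and the real system.

```python
# Added illustration: a toy model of per-user write redirection, not Citrix code.
# Layer names, delete handling and sample paths are assumptions for this sketch.

class Sandbox:
    """One user's view: per-user layer over shared app content over the real system."""

    def __init__(self, user, shared_app, system):
        self.user = user
        self.per_user = {}            # private to this sandbox, receives every write
        self.deleted = set()          # tombstones hide lower-layer entries
        self.shared_app = shared_app  # one read-only copy shared by all sandboxes
        self.system = system          # the server's real, protected namespace

    @staticmethod
    def _key(path):
        # Windows file paths and registry keys are case-insensitive.
        return path.replace("/", "\\").lower()

    def write(self, path, data):
        k = self._key(path)
        self.deleted.discard(k)
        self.per_user[k] = data       # the "global" write lands in the per-user layer

    def delete(self, path):
        k = self._key(path)
        self.per_user.pop(k, None)
        self.deleted.add(k)           # lower layers are untouched, only hidden

    def read(self, path):
        k = self._key(path)
        if k in self.deleted:
            raise FileNotFoundError(path)
        # Resolve top-down so the user's own changes win over shared content.
        for layer in (self.per_user, self.shared_app, self.system):
            if k in layer:
                return layer[k]
        raise FileNotFoundError(path)


def demo():
    # Constructed sample content for the two lower layers.
    system = {r"hklm\software\vendor\licensed": "1"}
    shared = {r"c:\program files\app\app.ini": "theme=default"}
    alice = Sandbox("alice", shared, system)
    bob = Sandbox("bob", shared, system)
    alice.write(r"C:\Program Files\App\app.ini", "theme=dark")
    bob.delete(r"HKLM\Software\Vendor\Licensed")
    return alice, bob, shared, system
```

After `demo()`, each user sees their own change as if it were global, while the shared application content and the server's real namespace are unchanged.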

Joe Nord

Product Architect for Application Streaming

Citrix Systems