by on March 20, 2012, in

Do Shadow Keys Still Work in Server 2008 R2?

Shadow keys have been around forever, since way before Terminal Services were renamed to Remote Desktop Services (does anybody use that name?). It seemed they would stay in the OS forever, too. Yet, when installing applications on Server 2008 R2 many people notice that the shadow key area does not get populated. Let us find out why that is the case and if shadow keys still work in Server 2008 R2.

Background

A quick refresher what I am talking about: badly written applications create the registry settings they need to run at install time and only for the user currently logged on. Two capital sins Microsoft tried to work around by creating shadow keys. The main idea is that writes to HKCU during setup are captured and replayed for every user logging on individually.

Terminal Servers operate in two modes: install and execute. In the wild old days one had to manually switch to install mode (using the command change user /install) before every installation, but for a long time the operating system has been clever enough to do that on its own reliably enough.

If install mode is enabled for a session, any changes to HKEY_CURRENT_USER are mirrored to the shadow key areas HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software (64-bit processes) and HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software (32-bit processes).

In execute mode during logon, timestamps are compared to determine if application settings stored in HKLM need to be copied to HKCU. This happens for every application key individually.

To sum this up, shadow keys are a mechanism to distribute initial application configuration values to all users on a Terminal Server.

Experiment

In order to find out if the shadow key functionality is still present in Server 2008 R2 I executed the following commands:

  1. change user /install
  2. reg add HKCU\Software\Test /v test /d “test”
  3. change user /execute

This adds a registry key “Test” with a value of “test” in install mode. I checked the shadow key areas mentioned above for the Test key and found – nothing. Looks like shadow keys are gone, right?

Then I tried something else:

  1. change user /install
  2. tcmd757a.exe
  3. change user /execute

This runs the installer for Total Commander. The installer creates the key HKEY_CURRENT_USER\Software\Ghisler. I checked the shadow key areas for the Ghisler key and found – an exact copy of the key in HKCU. Apparently shadow keys are still functional.

But why did my first experiment fail?

TSAWARE

With the help of my new free tool IsTSAwareApp I found that reg.exe has the flag TSAWARE (i.e. a special bit in the header of the executable is enabled). This means that the developer of reg.exe says it is aware of terminal services. The installer for Total Commander, on the other hand, does not have the TSAWARE flag.

The conclusion is that shadow keys are enabled only if an executable is not marked as Terminal Services aware. To prove my conclusion I used the Visual C++ tool editbin to remove the TSAWARE flag from reg.exe – and, bingo, I could use the modified reg.exe to create shadow keys during install mode.

The reason why the shadow key areas in the registry are often empty today: most modern applications have the TSAWARE flag which tells the operating system they work correctly on Terminal Servers without crutches like shadow keys.

Windows 8

Is the shadow key functionality still present in Windows 8? I have bad news for some of you: nothing was changed. Shadow keys work the same way in Windows 8 (Beta) as in Server 2008 R2.

Further Reading

Brian Madden: How Applications use the Registry in Terminal Server Environments (Part 2 of 3)
Nicholas Dille’s three articles about shadow keys

Previous Article Windows 8 Storage Spaces - a First(-Hand) Look at Performance
Next Article Dead Simple Wake-on-LAN for Your Windows Server at Home