TN 3695: KeyAccess configuration for “Microsoft Application Virtualization”

KeyAccess (or better) provides full support for applications running in a Microsoft Application Virtualization environment (aka App-V, formerly SoftGrid). Under the following guidelines, both keyed and unkeyed program launches can be tracked.

2012.07.16 (reviewed)

For unkeyed executables running in the normal operating system environment, observing or managing these programs depends on the ability of the KeyAccess client to identify each program executable and take note of launch and quit events as appropriate. But when an unkeyed application is hidden within a virtual container, its identity becomes opaque. In the simplest case, KeyAccess may simply be able to read properties of executables within App-V just like it would for standard executables. In other cases, manual configuration is required.

No special configuration is necessary when:

When one of the above conditions is not met, KeyAccess needs a cooperating process to identify the application and report usage. By customizing a simple configuration option when preparing the App-V OSD, KeyAccess version (or better) can observe or manage the virtualized application just like its non-virtualized counterpart. Note that if you have a mixed environment where some clients meet the conditions above while others do not, you can modify the OSD and this will be tolerated transparently even with the newer clients for which the change is not necessary.

The basic idea is that you must modify the OSD file so that instead of launching the "real" program, it launches kass.exe which then sub-launches the "real" program. The instance of kass.exe launched using the OSD runs within the virtual application environment - therefore its interaction with KeyAccess is unhindered and it can observe and manage the sub-launched application. When attempting to launch such a specially configured OSD file on a computer that does not have keyacc32.exe installed (e.g. does not have the standard KeyAccess client installed), the launch will be denied in much the same way as an attempted launch of a keyed application would be denied.

To facilitate K2 management of a virtualized unkeyed application, a few attributes in its OSD file must be changed.

In the CODEBASE element, change the entry that looks something like:

   PARAMETERS="arg1 arg2" FILENAME="Q:\Program Files\foo.exe"


   PARAMETERS='--proxy "Q:\Program Files\foo.exe" arg1 arg2' FILENAME="C:\WINDOWS\kass.exe"

     (the single and double quotes in the PARAMETERS attribute must appear exactly as above! )


Within the <VM VALUE="Win32"> section, change from:

   <SUBSYSTEM VALUE="windows"/>


   <SUBSYSTEM VALUE="console"/>


Note: In the case of a keyed application (e.g. a KeyServer managed application that has been modified using the optional "keyed" attribute), bi-directional interaction between the application and KeyAccess will not be impeded by the virtualization since the interaction is initiated from code within the keyed executable itself. In the keyed case, there is no need to customize the OSD and the keyed program will be correctly managed even when using older versions of KeyAccess.