Vista in a Virtual Environment

  • Thread starter Thread starter Guest
  • Start date Start date
By "full VM implementation" I was meaning to indicate the (not
implemented) hosting of the OS within another by use of software
that presents a virtual (V) machine (M) image to the hosted OS.
This is not involved with Vista.

The 1 and 2 you mention seem to be the same.

The two aspects I was differentiating are
1. intercepting write failures to disk or registry (which is done by
intercepting failures)
2. user privilege level reduction (which is done by adjusting what
is in the user token)

digr said:
By "full VM implementation" do you mean 1)the File and Registry
virtualization that apparently will be included in the first customer
release; 2)the per user virtualization Szwarc's talking about; or 3)the
whole
Vista operating system in a virtual environment, like I'm asking about?

Also, are 1) and 2) the same thing?

Roger Abell said:
Well, I had my first briefing on Longhorn about two and a half years
ago and I have never had the impression that full VM implementation
was a planned architecture.

Pierre Szwarc said:
From what was said at last year's Windows Security conference, this was
the
original intent. The planned architecture of Vista was very reminiscent
of
IBM's VM/CP. However, this isn't what was done in the current release.
Only
session zero (login and services) is separate from the user application
space.
--
Pierre Szwarc
Paris, France
PGP key ID 0x75B5779B
------------------------------------------------
Multitasking: Reading in the bathroom !
------------------------------------------------

"digr" <[email protected]> a écrit dans le message de
(e-mail address removed)...
|I know there's file and/or registry virtualization and virtual folders
in
| Vista, but is it true Microsoft originally planned on running the
whole
Vista
| operating system in a virtual environment by default as an added
security
| feature?
[snip]
 
By "full VM implementation" I was meaning to indicate the (not
implemented) hosting of the OS within another by use of software
that presents a virtual (V) machine (M) image to the hosted OS.
This is not involved with Vista.

Ok. In other words, #3 in my last post - what I started this thread about,
which Swarc says is unnecessary if you have VM for each user.
The 1 and 2 you mention seem to be the same.

Does that mean then that the first customer versions of Vista released this
fall will essentially have VM for each user (#2 in my last post), which
according to Szwarc is just as safe as #3?
The two aspects I was differentiating are
1. intercepting write failures to disk or registry (which is done by
intercepting failures)
2. user privilege level reduction (which is done by adjusting what
is in the user token)

Oh, ok. There's obviously more to this than I learned about before starting
this thread.
 
Look, there are two aspects of this being thought of in your post.
There is the reduction in privileges used by an account when it
logs in, and then there is the virtualization that you directly have
indicated in your post by mentioning the file/reg redirection.

Really? I thought the reduction in privileges was part of the file/reg
virtualization. I guess I have some more reading to do. Do they work together
though, first the reduction in privileges, then the redirection to per user
file/reg virtualization? Maybe I should be reading more about these two
aspects instead of asking more questions, especially being the uninformed
intermediate user that I am.
Virtualization was not intended to be "the way" everything was
to be done. This was originally and always intended as a way
to intercept failures the user might otherwise experience.
The reduction of privilege on the other hand has from the
beginning been intended as a was to protect the system from
accounts that otherwise would have available more power
than necessary.

Neither of these are the sort of virtual machine implementation
that your posting envisions.

Huh. But if VM for each user is the same as file/reg virtualization, as it
seems to you they are, then if Szwarc's right, running the whole Vista
operating system in a VM in or on top of a real host Vista by default won't
be necessary, negating the need to add any further virtualization to Vista in
the future. Isn't that right? Or am I still confused and uninformed, and
need to go read some more about the subject?
 
I really have not clue what you are asking in your reply and am
at this point lost in the #1, #2, #3 s and am also at a loss as to
how I could express what I have said any more clearly or any
differently. One last time, the use of VM hosting of Vista built
into Vista, which I understood you to be theorizing about, just
plain is not there.
 
digr said:
Really? I thought the reduction in privileges was part of the file/reg
virtualization. I guess I have some more reading to do. Do they work
together
though, first the reduction in privileges, then the redirection to per
user
file/reg virtualization? Maybe I should be reading more about these two
aspects instead of asking more questions, especially being the uninformed
intermediate user that I am.


Huh. But if VM for each user is the same as file/reg virtualization, as it
seems to you they are, then if Szwarc's right, running the whole Vista

I have no idea why you would thing they seem to be so to me
operating system in a VM in or on top of a real host Vista by default
won't
be necessary, negating the need to add any further virtualization to Vista
in
the future. Isn't that right? Or am I still confused and uninformed, and
need to go read some more about the subject?

As in other post
Write attempt failures are trapped and made to happen in a temp area
(see, I intentionally avoided using the "virtualize" terminology).
This is just an error handler replacing the permission denied popup.
User privs are reduced at login by adjusting what is present in the user
token, and then there is code to trap failures that would not have happened
if privs had not been reduced and a dialog is presented so the user can
elect to make use of privs to which they are entitled.
None of these have anything in common with what VMware, or Virtual PC
do to virtualize and host.
 
Back
Top