6

We have a 3rd party native application (written in C I believe) which we want to run multiple instances of on a machine.

However, the application reads and writes from one particular registry key in order to find the location of a config file. It reads this location continuously while it is running. The registry key is in HKLM. This means that if we try to run 2 different instances of the app with 2 different locations for the config file, the processes tread on each other's toes.

Is it possible to 'virtualise' the registry (or run each process in a sandbox) that the processes are using, so that they can both think they are writing to a single location, but actually they are writing and reading from somewhere different and they won't step on each other's toes?

Ramon Poca
Sam Holder

4 Answers

5

There are several options to virtualize a program:
https://en.wikipedia.org/wiki/Portable_application_creators

Creating your own virtualization software is much more complicated and would require an entire course on programming and hooking library calls using the Windows SDK.

However, as an easier option that doesn't require setting up and running additional software for each copy of the program, I suggest creating multiple copies of the program and hex editing each executable.

Make as many copies of the application as you need to run, then open the application file in a hex editor and search for the name of the registry key, i.e.:
HKLM\System\CurrentControlSet\Control\Session Manager

Then change the last byte to a digit for each different version (1 byte, 0-9), i.e.:
HKLM\System\CurrentControlSet\Control\Session Manage1
HKLM\System\CurrentControlSet\Control\Session Manage2
HKLM\System\CurrentControlSet\Control\Session Manage3

For more than 10 differences (2 bytes, 00-99) use the last two bytes:
HKLM\System\CurrentControlSet\Control\Session Manag01
HKLM\System\CurrentControlSet\Control\Session Manag02
HKLM\System\CurrentControlSet\Control\Session Manag03

Joshua Briefman
  • Interesting idea. I've checked the DLL and found the registry key in there, so when I get a chance I'll test this out. Not an ideal solution (as we would like to be a bit more dynamic with our process creation) but this could work and could be simple – Sam Holder Jul 16 '13 at 08:48
  • I've just tested this and it seems to work. Thanks. I'll wait for other suggestions but this should sort out our issue even if no other solution is forthcoming. Thanks! – Sam Holder Jul 16 '13 at 16:07
  • I think you can create a script to create a new copy of the program and change the registry name automatically, since you know the location of the sequence to change. That way you automate the process a little – Swift Jul 19 '13 at 11:07
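The scripted form of this same-length patch, as an added example that is not part of the original answer or its comments; it also patches UTF-16LE copies of the name, which goes beyond the single-byte edit described in the answer. The key name, the sample bytes and the function names are assumptions made for illustration.

```python
from pathlib import Path

def patch_key_name(image: bytes, key_name: str, instance: int, digits: int = 1):
    """Overwrite the last `digits` characters of key_name with the zero-padded
    instance number; returns (patched image, number of strings patched)."""
    if not 0 <= instance < 10 ** digits:
        raise ValueError("instance number does not fit in the suffix")
    if digits >= len(key_name):
        raise ValueError("suffix would replace the whole key name")
    new_name = key_name[:-digits] + f"{instance:0{digits}d}"
    patched, total = image, 0
    # A binary may hold the name as ANSI (RegOpenKeyExA) or UTF-16LE (RegOpenKeyExW).
    for enc in ("ascii", "utf-16-le"):
        old, new = key_name.encode(enc), new_name.encode(enc)
        total += patched.count(old)
        patched = patched.replace(old, new)
    if total == 0:
        # Nothing matched: the path may be built at run time, so do not guess.
        raise LookupError("key name not found in image")
    if len(patched) != len(image):
        raise RuntimeError("patch changed the file size")
    return patched, total

def make_instances(src: Path, out_dir: Path, key_name: str, count: int):
    """Write `count` patched copies of src (numbered from 1) into out_dir."""
    digits = len(str(count))  # 1 digit up to 9 copies, 2 digits up to 99
    image = src.read_bytes()
    out_dir.mkdir(parents=True, exist_ok=True)
    written = []
    for n in range(1, count + 1):
        patched, _ = patch_key_name(image, key_name, n, digits)
        dst = out_dir / f"{src.stem}_{n:0{digits}d}{src.suffix}"
        dst.write_bytes(patched)
        written.append(dst)
    return written

if __name__ == "__main__":
    # Constructed sample image and a hypothetical key name, not the real application.
    key = "SOFTWARE\\ExampleVendor\\ExampleApp"
    image = (b"MZ\x00\x00" + key.encode("ascii") + b"\x00"
             + key.encode("utf-16-le") + b"\x00\x00")
    patched, hits = patch_key_name(image, key, 3)
    print(hits, patched)
```

A patched copy no longer matches any Authenticode signature the original file carried.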
3

While the solution from Joshua will work for this particular application, it might not work for others (e.g. where the registry path is constructed in code or when the application is signed).

Therefore, I would suggest using DLL injection to intercept calls to RegOpenKey(Ex), RegCreateKey(Ex), etc. That way, you can fiddle with the registry path before passing the call down to the real Windows Advapi32.dll.

Some great articles about API hooking:

API Hooking and DLL Injection on Windows

API Hooking with MS Detours

huysentruitw
2

Yes, Sandboxie can run multiple instances of an app, each in its own "Sandbox" which it believes to be the entire universe. But you can also access the data directly through the normal ways if you need to.

So in other words, Sandboxie lets you see all the registry changes that were made in the app's operations, and you can roll them back if you like.

David d C e Freitas
1

Yes, you can virtualize the application; this technology is called Application Virtualization. Try http://www.cameyo.com/. Cameyo is software used to build virtual applications.

A virtual application is a single EXE file that holds an entire application including files, DLLs and registry. Virtual apps are isolated from your system and can be copied & moved from one computer to another without installation.

Rajesh Hegde