Application Compatibility: Windows Resource Protection (WRP)

Feature Impact

High (might block the application from installing or running)

Brief Description

As an initiative to increase system stability, predictability and reliability, Windows Resource Protection (WRP) protects Windows read-only resources specifically OS files, folders, and registry keys that are non-configurable by design. See Protected Resource List for a full accounting of protected resources.

WRP enforces this protection using Windows Security by specifying special security descriptors on the resource. Any process, including those running as administrator or system, that does not have rights to make changes to WRP resources can only read and execute the resources. Full access to WRP resources is restricted to Windows Modules Installer service.

As a result, read-only system state is protected from the inadvertent impact of application installs and administrator modifications, which improves system stability.

Manifestation

Applications will not succeed in replacing or modifying protected OS resources (typically, during application installation and removal) with the following results:

  • Attempts to replace, modify, or delete OS files or registry keys that are protected by WRP might fail with an error message indicating that the resource could not be updated. This failure occurs because access to these resources is denied.

  • Attempts to write new registry keys or values to protected registry keys might fail with an error message that indicates that the change failed because access was denied.

  • Attempts to write to protected resources might fail if they rely on the application succeeding in writing to protected registry keys or values.

Because applications are prevented from making changes to WRP resources and related errors are suppressed, these failures might result in run-time errors.

Mitigations

Important noteImportant Note:

The following mitigation will not be applied if the application has a manifest that specifies requestedExecutionLevel as required by User Account Control (UAC).

For well-known installers, Access Denied errors resulting from attempts to create/modify/delete WRP resources will be suppressed, and no changes are applied to the WRP resource.

Remedies

  • Do not install or update system state (files and registry) on Windows Vista® and Windows Server® 2008 except when using Microsoft provided redistributable packages designed for Windows Vista and Windows Server 2008.

  • Do not install individual components of a whole Microsoft-provided redistributable designed for Windows Vista and Windows Server 2008.

  • Use the SfcIsFileProtected function to detect WRP-protected files. If a file is WRP, the application installer should not install or modify the file.

  • For registry keys protected by WRP, applications should gracefully handle Access Denied errors that are due to WRP.

  • Test and verify that legacy applications that rely on WRP mitigation are working properly by installing the application.

  • Use the SfcIsKeyProtected function to detect WRP-protected keys. If a key is WRP, the application installer should not install or modify the key.

WRP Protected Keys

It is expected that if an application attempts to create, modify, or delete a WRP key, that application will get an Access Denied error. When you encounter an Access Denied error, verify that the error is a result of a WRP Security Descriptor on the key (or a parent key) and not because the user does not having enough permissions to write to the key.

  • The decision on how to handle an Access Denied error message because of WRP will depend on the impact of this failure for the application:

  • If the application is trying to write a key or value that already exists, the application can ignore the error message.

  • If the key or value does not exist, as the developer you must decide the impact on your application. Is this key required for your application to run successfully on Vista? If not, you can ignore the error. If this key is required, you will need to redesign your application to write to an alternate key or use some alternate design.

How to Recognize if a Resource Is WRP

For the registry, you can use one of the following methods:

  • Through code, use the SfcIsKeyProtected function.

  • Use Regedit to check permissions on the key:

    1. Click Start and click Run.

    2. Type regedit and click OK

    3. Search for the key. Right-click the registry key. Click Permissions.

      Files that are WRP will show Trusted Installer with Full Control. SYSTEM, Administrators, and Users will have only Read permissions.

For files, you can use one of the following methods:

  • Through code, use the SfcIsFileProtected function.

  • Use Explorer to check permissions on the file:

    1. Open the folder that contains the file whose properties you want to see.

    2. Right-click the file whose properties you want to see and click Properties.

      Keys that are WRP will show Trusted Installer with Full Control. SYSTEM, Administrators, and Users will have only Read permissions.

Links to Other Resources

Community Additions

Show:
© 2014 Microsoft. All rights reserved.