Forum Discussion
MSIX write HKLM in the bubble?
Already trying for some days, but can't make it work. Or is it not possible al all?
I have MSIX in which (in the bubble!!!) i want to set hkcu and hklm registry settings. For hkcu it is working, but hklm is not writable. What i do wrong or is this not possible at all?
I first want to know if it should be possible. If so, i can share my psflauncher and config.json config files.
There is no support for this currently. It would be possible to extend the RegLegacyFixup to support this, but I have not seen enough demand to take on that work (probably more than a month of effort). The solution would be to redirect to HKCU (similar to App-V) but it isn't as simple as redirecting as enumeration support also needs to be addressed.
It would help to gather a list of apps that need it. Most seem to be "in-house" apps that nobody wants to touch. For major ecosystem apps, I am aware that Bloomberg Studio requires this.
There is no support for this currently. It would be possible to extend the RegLegacyFixup to support this, but I have not seen enough demand to take on that work (probably more than a month of effort). The solution would be to redirect to HKCU (similar to App-V) but it isn't as simple as redirecting as enumeration support also needs to be addressed.
It would help to gather a list of apps that need it. Most seem to be "in-house" apps that nobody wants to touch. For major ecosystem apps, I am aware that Bloomberg Studio requires this.
Hi Tim,
I already thought it was not possible. Could remember you told me earlier. But i wanted to try and see myself.
This is an application which require hklm odbc connection information for making connection to a back-end. Will test tomorrow if hkcu only also works in a local config.
Else for now i leave this application as appv and deploy that way from Intune.
Or need to dive into it to redirect to hkcu as you suggested.
Met een glimlach,
Johan
hey, why are my posts always awaiting approval
Good
Hi Pollewops,
Great question! Working with MSIX packages and registry settings can indeed be a bit tricky. To clarify, when running an MSIX application, the HKCU (HKEY_CURRENT_USER) hive is writable in the virtual environment (or "bubble"), but HKLM (HKEY_LOCAL_MACHINE) is generally not writable. This is due to the nature of how MSIX handles security and isolation—it’s designed to prevent system-wide changes, like writing to HKLM, to maintain the integrity of the host system.
Is It Possible?
Unfortunately, modifying HKLM directly within the MSIX bubble isn't supported by default. However, there are some workarounds depending on your scenario:
- Use a PSF Fixup (Package Support Framework):
The PSF can help redirect certain operations, including registry writes. While HKLM itself isn’t writable, you can configure redirection to achieve your desired behavior. If you haven’t already, you might want to review the PSF documentation to ensure your config.json file is properly set up for redirection. - Pre-Set HKLM Keys on the Host:
If the application depends on HKLM entries, you might need to create those registry keys as part of your deployment process outside the MSIX bubble (e.g., through a script or GPO). - Evaluate Application Needs:
If the application only reads from HKLM and doesn’t need to write to it, you can include the registry entries in the MSIX package manifest under the Registry section to predefine those keys.
Sharing Config Files
If you believe the PSF fixups could resolve your issue, feel free to share your psflauncher and config.json configurations here. We can take a look together and troubleshoot further. The fixup configuration is key, and sometimes even small details can make a big difference.
Hi 4Gia, thanks for your reply. Although I am not able to get my package working in MSIX, I really am very curious how the redirection takes place. So I will share files soon here so I can see how it works and others also can use that information if they want to redirect HKLM to HKCU. Follow up soon...
Hi 4Gia, thanks for trying helping out here. The PreLaunch.ps1 does contain entries to write to hklm:\software\odbc which does not work. Will redirection work?
Config.json
{
"enableReportError": true,
"applications": [
{
"id": "PSFLAUNCHEROne",
"executable": "VFS\\ProgramFilesX86\\vendor\\program.exe",
"arguments": "-argument",
"workingDirectory": "VFS\\ProgramFilesX86\\vendor\\",
"stopOnScriptError": false,
"startScript":
{
"scriptPath": "Prelaunch.ps1",
"runInVirtualEnvironment": true,
"showWindow": true,
"waitForScriptToFinish": true,
"runOnce": false
}
}
],
"processes": [
{
"executable": "^PsfLauncher.*"
},
{
"executable": "^[Pp]ower[Ss]hell.*"
},
{
"executable": ".*",
"fixups": [
{
"dll": "MFRFixup.dll",
"config": {
"ilvAware": "true",
"overrideCOW": "default"
}
},
{
"dll": "RegLegacyFixups.dll",
"config": [
{
"remediation": [
{
"type": "ModifyKeyAccess",
"hive": "HKCU",
"patterns": [
".*\\SOFTWARE\ODBC\.*"
],
"access": "Full2MaxAllowed"
},
{
"type": "ModifyKeyAccess",
"hive": "HKCU",
"patterns": [
".*\\SOFTWARE\ODBC\.*"
],
"access": "RW2MaxAllowed"
},
{
"type": "ModifyKeyAccess",
"hive": "HKLM",
"patterns": [
".*\\software\\odbc\\.*",
".*\\software\\wow6432node\\odbc\\.*",
],
"access": "Full2MaxAllowed"
},
{
"type": "ModifyKeyAccess",
"hive": "HKLM",
"patterns": [
".*\\software\\odbc\\.*",
".*\\software\\wow6432node\\odbc\\.*",
],
"access": "RW2MaxAllowed"
},
{
"type": "FakeDelete",
"hive": "HKCU",
"patterns": [
".*"
]
}
]
}
]
},
{
"dll": "EnvVarFixup.dll",
"config": {
"envVars": [
{
"name": "ELECTRON_DISABLE_SANDBOX",
"useregistry": "false",
"value": "1"
}
]
}
}
]
}
]
}
AppxManifest.xml
<uap10:Extension Category="windows.installedLocationVirtualization">
<uap10:InstalledLocationVirtualization>
<uap10:UpdateActions ModifiedItems="keep" AddedItems="keep" DeletedItems="keep" />
</uap10:InstalledLocationVirtualization>
</uap10:Extension>
</Extensions>
<Capabilities><rescap:Capability Name="runFullTrust" /></Capabilities>
- Use a PSF Fixup (Package Support Framework):
