In-Depth

Application Virtualization Hits Its Stride

Keeping a virtualized image clean just got a lot easier.

• By Peter Varhol
• 09/01/2007

What does this buy you? No more application incompatibilities. No more DLL hell. Every application just works because it's isolated from the system and other applications, which protects you from unforeseen conflicts. You can deploy and install applications in a snap without worrying about user rights and privileges. Update them by simply replacing one virtual envelope with another. This also greatly simplifies application testing prior to deployment. Desktop instability could be a thing of the past.

You could even go beyond individual applications to IT infrastructure. How about the virtual patch? Consider how many hours you spend testing and deploying patches, and how many times those patches have problems. If you could virtualize patches, you could patch your servers and desktops without worrying about the ill effects of untested or incompatible patches. The patch runs in isolation from the rest of the OS and other applications. A virtual patch may not be foolproof, but it will almost certainly be a significant improvement over today's process.

Redmond looked at two application-virtualization products: Altiris Software Virtualization Solution (SVS) and LANDesk Application Virtualization. Both can separate individual applications or groups of applications, though each uses a different technique. This comparison looks at the advantages and limitations of the technology and the technical approach taken by both Altiris and LANDesk.

Altiris Software Virtualization Solution
Altiris (now owned by Symantec Corp.) has long been known as a desktop-management vendor. It takes that one step further by providing a way to manage applications on systems by shielding them from the underlying OS. By placing applications and data into managed units called "Virtual Software Packages," Altiris SVS lets you instantly activate, deactivate or reset applications, and completely avoid application conflicts without altering the base Windows installation.

There are two versions of SVS. The free client version requires Windows XP Pro, Windows Server 2003, Windows 2000 Pro or Windows 2000 Advanced Server. The enterprise version incorporates a server side plus the client agent, and the server has to be Windows Server 2003. There's a 120-day free trial for the enterprise version, which is probably just long enough to get irrevocably hooked.

You can download the free personal version, along with a license key, from www.getsvs.com, www.downloads.com or from the Altiris Web site itself. It installs in just a minute or two and doesn't require any configuration.

For my first experiment with Altiris SVS, I turned to Firefox, the smallest and simplest image. I had an immediate need for an alternative browser, as I had to access a page that didn't work under IE. Firefox was installed on my Start Programs menu, so I launched it from there. It started up exactly as it would have if I had installed it directly on my machine, offering to transfer bookmarks from IE and make itself my preferred browser.

[Click on image for larger view.]

Figure 1. The Altiris Software Virtualization Solution Administration utility provides a simple interface for creating, deploying and activating virtualized applications.

Then I activated OpenOffice with the Admin utility. It also appeared in my Start Programs menu, so I launched the OpenOffice word processing program without difficulty. I created and stored documents directly on my hard disk, just as if the application was physically installed there.

The next thing to do is create your application packages. You can do this in three different ways. You can use the Admin utility, build from the command line or use the Wise Package Studio software (part of the Altiris family), which lets you create, edit and manage packages for virtual applications. Whichever way you choose, these packages let you run applications in a virtual environment with SVS. Creating packages is simply a matter of installing to the package, rather than to the system. I virtualized Office 2003 and Office 2007, which took some time, but I only had to do it once.

The results are impressive once you've set up your system and installed the software layers and packages. As an ultimate compatibility test, I installed Office 2003 and Office 2007 on the same computer, and ran them both at the same time. There were no conflicts, and I could copy data back and forth between the two.

One question that immediately came to mind was whether the applications were machine-specific or user-specific. To find out, I created another user account, which displayed Firefox as an installed application after I activated its layer. I launched Firefox from that account, and it captured and stored the data and settings on a per-user basis. Multiple users can have accounts on the same system, and not know or care that their applications are virtualized.

It Only Seems Like Magic
Altiris SVS works by creating virtualization layers. The layer represents all the files and registry settings that make up the virtualized application or data. The files and settings captured in a layer are stored in a redirection area on the hard drive. When a layer is active, the SVS file-system filter driver ensures that all files and settings appear on the system just as they would if the application was physically installed on the computer.

There are two sublayers within each application layer. The first is a read-only sublayer that stores files and static settings, like Registry keys. The writeable sublayer contains any files or settings you add. The virtualization software keeps track of all users, so each has their own unique configuration.

You shouldn't notice any difference between a virtual or physically installed application. Although you'd expect virtualization to burn more cycles, because there's more work going on mapping between the virtual and the physical, such a hit wasn't apparent in the applications I tested.

Once I reluctantly removed the application packages and the Altiris SVS, my system was the same as I had left it. The before and after images were virtually (no pun intended) -- if not exactly -- the same.

The technology isn't perfect, but there's enough here to get excited about its potential. There are three classes of applications it won't support. First, it won't virtualize device drivers, so printer and device installations will change the OS image. For now, it handles client and desktop applications, not the all-important server applications. And it doesn't support OS components.

Altiris says many applications in these categories actually do work, but the company hasn't been able to test enough to certify them as a class. In some cases, device drivers or OS components may load before the Altiris filter driver redirects. The company is exploring ways of addressing this, and anticipates having a comprehensive solution in the near future.

Windows Vista introduced a new device-driver model, so it doesn't yet support that OS, except in legacy mode. Altiris has been working with Microsoft on the new device-driver model, and expects to have its own mini filter driver to support Vista in the next release.

Every time I launched a virtualized application with Altiris SVS, my jaw dropped at the ease with which I could install and run new apps and have them appear as though they were physically installed on the system. It's good enough to put into place in the enterprise for many common desktop applications. Desktop administrators will love the ease of administration and maintenance.

LANDesk Application Virtualization
LANDesk Software takes a different approach to virtualization to generate a similar result. LANDesk Application Virtualization fully isolates the application from the underlying OS. It enables interaction, depending on the application's needs, but doesn't automatically provide the appearance of an actual, installed application.

LANDesk's Application Virtualization is based on software from Thinstall (www.thinstall.com). I installed LANDesk Application Virtualization from a USB drive, and it installed easily in just a few seconds. Then I turned to working with the applications.

My first experiment here was also with Firefox, which came prepackaged with my software. LANDesk Application Virtualization doesn't automatically install to the Start Programs menu, but it's easy enough to set it up that way. It didn't execute as an initial launch, or give me the option of transferring the existing bookmarks on my system to the Firefox menu. You could use CaptureSetup to transfer a given set of bookmarks to the virtual package during installation, and have that same set installed on every target system.

The process to create a virtual-application package using LANDesk Application Virtualization is a bit involved, but certainly not difficult. LANDesk recommends that you begin with a completely clean system, with nothing installed. Run the Application Virtualization utility across the network from another machine, launch the CaptureSetup utility and perform a pre-install scan. This scan, which proceeds quickly on a clean machine, captures the machine state. Then you install the application on that system, with CaptureSetup running. After you've finished installing and configuring the application, run a post-install scan.

[Click on image for larger view.]

Figure 2. The LANDesk Application Virtualization tool for creating virtualized applications lets you take a scan of your system to capture its configuration before and after installation.

Application Virtualization captures the differences in system configuration between the pre- and post-install scans, and saves those changes to the virtualized application. This only takes a few minutes longer than installing the application itself.

I created virtual-application packages for Office 2003 and Office 2007, copied them over to another system, and ran both simultaneously. I did have to manually configure the Start Programs menu or any other shortcut to access the application, but both launched and were able to run at the same time.

Under the Covers
LANDesk Application Virtualization practices isolation from the rest of the system as its way of virtualizing an application. It uses three types of isolation. Full Isolation makes system elements completely invisible to the application. The application can't see or modify any part of the system. It copies the appropriate Registry keys and directory locations to a sandbox that the application can use and modify.

LANDesk Application Virtualization uses WriteCopy Isolation if an application needs to write to nonstandard locations, or if it needs to modify files and Registry keys that will create changes for anyone using the application on that system. WriteCopy lets the application see the physical directory and Registry settings, but makes any changes to virtualized copies.

Merged Isolation lets the application see the system directory and Registry and make changes if necessary. This is appropriate for applications that may have to write directly to the Registry for some reason. It posts entries to both the virtual and physical Registry at the same time.

Applications virtualized using the WriteCopy approach will save user-specific data and let multiple users have their own unique configurations on the same machine. However, you have to specifically set up the application that way and manually configure the shortcuts and Start Menu link.

Because Application Virtualization doesn't use a filter driver to virtualize the Windows file system, LANDesk's solution works on Windows Vista. In fact, you can virtualize a single application and have that one package work on any Windows OS from Windows 2000 on up through Vista.

At the same time, it's unlikely that LANDesk Application Virtualization will be able to do virtual OS patches (at least not all of them), given its focus on user-mode components. It's unlikely that OS patches will be able to run from user mode, even virtualized. The same is true for device drivers. There are different classes of drivers, though, so you may be able to virtualize some of them.

LANDesk Application Virtualization is a good solution that lets you use virtualized application packages across the Windows family from Windows 2000 on. You don't drool over its potential quite as much, but it gets the job done today.

Weighing the Two Approaches
What both Altiris SVS and LANDesk Application Virtualization do has the potential to revolutionize application packaging, distribution and administration. Anyone who would like to reduce their desktop maintenance and help desktop expenses could benefit from either.

Each product has its strengths and weaknesses. The Altiris approach makes an application look more like an installed app, but it currently only supports desktop and client applications. The LANDesk solution will run applications on more versions of Windows, but you have to manually configure shortcuts.

The Altiris product seems to have greater future potential, because of the possibility of virtualizing OS patches. It's simply mind-boggling to watch virtualized applications simply appear in the Start Programs menu once you activate them.

The LANDesk product is also a solid contender, although configuring the application requires greater manual effort. LANDesk may be the better choice if you have to support a wide range of platforms.