Dan Gough

I was given an app to troubleshoot today, Becrypt Enterprise Manager Console, part of an enterprise disk encryption system. The application displays Windows events, much like the built-in event viewer, but within its own console window, but they were not showing up correctly in the sequenced application, displaying instead as:

“Message XXXX (Becrypt Enterprise Manager) could not be found.”

First step as always was to install it locally. The MSI puts down some keys in HKLM\System\CurrentControlSet\Services\Eventlog\Application, but these were not captured in the sequence. There was no exclusion for this path configured in the sequencer, but there is a checkbox ‘Allow Virtualization of Events’, which did nothing to fix it - probably because this app is displaying events from remote machines rather than producing its own.

Now I knew that these keys were the culprit, I tried to add the keys manually to the sequence, but after launching regedit in the bubble to confirm, they did not show up! If I tried to import them manually from there, it fixed the event messages, but upon further inspection I discovered that these keys had leaked from the virtual environment into the actual registry! Same thing happened if trying to import these keys via a pre-launch script. The solution was to use the good old <REGISTRY> tags in the OSD file:

<VIRTUALENV>
<REGISTRY>
  <REGKEY HIVE="HKLM" KEY="SYSTEM\CurrentControlSet\Services\Eventlog\Application\Becrypt Enterprise Manager">
    <REGVALUE REGTYPE="REG_DWORD" NAME="CategoryCount">1000</REGVALUE>
    <REGVALUE REGTYPE="REG_SZ" NAME="EventMessageFile">C:\Windows\System32\BEMEvents.dll</REGVALUE>
    <REGVALUE REGTYPE="REG_DWORD" NAME="TypesSupported">31</REGVALUE>
  </REGKEY>
  <REGKEY HIVE="HKLM" KEY="SYSTEM\CurrentControlSet\Services\Eventlog\Application\DISK Protect">
    <REGVALUE REGTYPE="REG_DWORD" NAME="CategoryCount">1000</REGVALUE>
    <REGVALUE REGTYPE="REG_SZ" NAME="EventMessageFile">C:\Windows\System32\BCDPES.dll</REGVALUE>
    <REGVALUE REGTYPE="REG_DWORD" NAME="TypesSupported">31</REGVALUE>
  </REGKEY>
</REGISTRY>
</VIRTUALENV>

Now, these keys show up inside the virtual environment rather than the real registry, and the events display correctly.

Tags:

Categories:

Updated:

Comments

You May Also Enjoy

Windows 11 Microsoft Store Announcements

24 June 2021

After a series of leaks, Microsoft have officially unveiled Windows 11 earlier today. While most of the reporting has been focussed on the UI changes, there was a huge reveal regarding the Microsoft Store that will prove to be very interesting for...

Nevergreen: My first Powershell module

10 May 2021

Nevergreen is a Powershell module that returns the latest version and download links for various Windows applications. It can be used as an alternative to Aaron Parker’s (and others) excellent Evergreen module.

Free ebook! MSIX Packaging Fundamentals

19 November 2020

A new MSIX book has been released as a free download - MSIX Packaging Fundamentals, a collaboration between Tim Mangan, Bogdan Mitrache and Kevin Kaminski.

App-V 5.1 Support Dates

17 March 2020

App-V is no longer under active development, but still supported. Microsoft have extended the support date for App-V 5.1 to April 2026: