11 Replies Latest reply on Aug 9, 2017 9:21 AM by Landon Winburn

    How to redirect non-redirectable folders

    Landon Winburn Expert
      I recently had an issue with an application that stored large amounts of data in appdata, but the data was crucial to the functionality of the application. Personalizing the data was out of the question as the files were over 50 MB. 50 MB + 5 snapshots would have been 300 MB per user. The solution was to use a symbolic link to redirect the folder.

      Symbolic links are basically just pointers to another folder. It works much like folder redirection but at the file system level. The issue with symbolic links is they require the SeCreateSymbolicLinkPrivilege privilege, or essentially admin rights, to create them. The second issue is it's not an actual application like regedit.exe but an actual command within cmd.exe, much like dir, cd, or md. Also, the command can't be "run as system" using EM, as the system account couldn't access the user's home directory, so the command would fail.

      The fix is to use AM to elevate cmd.exe, but only if the proper command line switches are sent. Also, we are only giving cmd.exe the proper privilege to create links and not full admin. Attached are sample AM and EM configs that redirect the "%appdata%\Test" folder to the user's profile share.

      Landon.
        • 1. Re: How to redirect non-redirectable folders
          JoeNolte Rookie
          Was this application IE?
          • 2. Re: How to redirect non-redirectable folders
            Landon Winburn Expert
            It could be any application/folder but yes, it was the WebCache folder.

            Landon.
            • 3. Re: How to redirect non-redirectable folders
              gregf SupportEmployee
              I was playing around with something similar for Chrome and used a Custom Action as System to create the symbolic link - without the need for AM:

              # get the Session ID of this process - the same as that of the user
              # (the Custom Action runs as System but inside the user's session)
              $sessionId = Get-Process -Id $PID | Select-Object -ExpandProperty SessionId

              # get the output of 'query.exe user' for that session ID
              $quOutput = query.exe user $sessionId

              # parse the output of query.exe to get the user ID only:
              # line 0 is the header, line 1 is the session row, prefixed with '>' when it is the current session
              $userId = $quOutput[1] -replace '^\s*>?\s*(\S+).*$', '$1'

              # get the SID based on that user ID; the pattern is anchored at the end of the path so that
              # RANDY does not also match RANDY2 (assumes the default C:\Users\<name> profile layout)
              $userSID = Get-WmiObject -Class Win32_UserProfile -Filter "LocalPath LIKE '%\\users\\$userId'" | Select-Object -ExpandProperty SID

              # retrieve the user's %localappdata% folder location from their loaded hive
              $localAppData = (Get-ItemProperty "Registry::HKEY_USERS\$userSID\Volatile Environment").LOCALAPPDATA

              # retrieve the user-specific environment variable we need for our command
              $uvAppData = (Get-ItemProperty "Registry::HKEY_USERS\$userSID\Environment").AppSenseHome

              # execute whatever we need to execute as System (mklink is a cmd.exe built-in; quote both paths)
              cmd /c "mklink /d `"$localAppData\Chrome-Redir`" `"$uvAppData\Chrome`""

              # return the result of running mklink - 0 for success, non-zero for failure
              return $LASTEXITCODE



              In this case I'm reading the value of the user's %AppSenseHome% environment variable and using that when creating the link within their local profile folder.
              • 4. Re: How to redirect non-redirectable folders
                Landon Winburn Expert
                Sounds to me like you have everyone full on the share. The system account doesn't have access to roaming profile shares by default and the mklink command will fail if it can't see the destination path.
                • 5. Re: How to redirect non-redirectable folders
                  gregf SupportEmployee

                  Landon wrote:

                  Sounds to me like you have everyone full on the share. The system account doesn't have access to roaming profile shares by default and the mklink command will fail if it can't see the destination path.

                  mklink never fails for me, no matter how secure (or entirely fictional) the target path is!
                  • 6. Re: How to redirect non-redirectable folders
                    Landon Winburn Expert
                    You know what, you're right and I have the two mixed up... mklink running as system fails to expand %appdata%, and if the source doesn't exist then it fails with "cannot find the path specified". Since you're pulling the environment variables via the registry, it works.
                    • 7. Re: How to redirect non-redirectable folders
                      toms Apprentice
                      Hi Landon,

                      I'm trying to use your method for a customer that wants to manage OneNote.

                      For some reason, the EM config won't create the Symbolic Link.

                      I've taken the AM config out of the equation by simply elevating cmd.exe and using the run command, passing the full command line when logged on as the user, and this works.

                      If I try and get EM to do it (even piggybacking onto a Process Start trigger) it doesn't create it.

                      Any ideas?

                      I'd try Greg's method but again, I don't understand scripting.

                      Thanks
                      • 8. Re: How to redirect non-redirectable folders
                        randyb1 Employee
                        I have a problem with the PowerShell code:

                        $userSID = Get-WmiObject -Class win32_userprofile -filter "localpath LIKE '%\\users\\$userId%'" | select-object -expand sid

                        With the line above, if users with similar names have profiles on the machine (like RANDY & RANDY2 or USER1 & USER1-a), the $userSID value gets multiple SIDs assigned.

                        Instead of something like:

                        $userID = S-1-5-21-432281995-4013660446-3980412029-1001

                        I get:

                        $userID = S-1-5-21-432281995-4013660446-3980412029-1001S-1-5-21-432281995-4013660446-3980412029-1002

                        Which then errors out the script on the next line. I tried changing LIKE to EQ, but that is apparently invalid. Anyone have any other ideas?
                        • 9. Re: How to redirect non-redirectable folders
                          gregf SupportEmployee

                          Code from Ric Coady that could simplify things, once translated to PowerShell:

                          Here's an alternative way of doing it. I've ripped this out of a C# application I'm writing which needs to run as an admin but also needs to know who the logged on user is. I'm sure you could cannibalise it into a script. There's an HKLM registry key that stores data about each session, including username and SID (HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\SessionData). Under the SessionData key are subkeys for each session, named after the session number (eg …\SessionData\1).

                          Once you know which session to look for you can query this registry key. This function uses GetCurrentProcess to see which session the current process is running in, adds this session number to the registry path and queries the session key for the logged on username.

                          using System.Diagnostics;
                          using Microsoft.Win32;

                          // Returns the SAM account name (DOMAIN\user) of the user logged on in this process's session
                          static string GetLoggedOnSamUser()
                          {
                              const string regKey = @"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\SessionData";
                              Process currentProc = Process.GetCurrentProcess();
                              string regSession = regKey + @"\" + currentProc.SessionId.ToString();
                              return (string)Registry.GetValue(regSession, "LoggedOnSAMUser", ""); // "" if the value is absent
                          }
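Added example, not code from this thread: gregf's Custom Action reworked so the user lookup comes from the LogonUI\SessionData key Ric Coady describes (translated to PowerShell), which also removes the duplicate-SID problem randyb1 hit with the LIKE filter on LocalPath, because the account name is resolved to exactly one SID. It assumes EM runs the script as System inside the user's session and that %AppSenseHome% is set in the user's Environment key, as in the original post.

```powershell
# Added example: session-based user lookup for an EM Custom Action running as System.
# Assumptions: the process runs in the logged-on user's session, the user's hive is
# loaded under HKEY_USERS\<SID>, and AppSenseHome exists in their Environment key.
$ErrorActionPreference = 'Stop'

# Session ID of this process is the same as the logged-on user's session
$sessionId = (Get-Process -Id $PID).SessionId

# HKLM key holding per-session logon data; the subkey is named after the session number
$sessionKey = "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\SessionData\$sessionId"
$samUser = (Get-ItemProperty -Path $sessionKey).LoggedOnSAMUser   # DOMAIN\user
if ([string]::IsNullOrEmpty($samUser)) {
    throw "No logged-on user recorded for session $sessionId"
}

# Translate the account name to its SID: an exact match, so RANDY never collides with RANDY2
$account = New-Object System.Security.Principal.NTAccount($samUser)
$userSID = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value

# Read the per-user values from the hive that is loaded while the user is logged on
$localAppData = (Get-ItemProperty "Registry::HKEY_USERS\$userSID\Volatile Environment").LOCALAPPDATA
$uvAppData    = (Get-ItemProperty "Registry::HKEY_USERS\$userSID\Environment").AppSenseHome

$linkPath   = Join-Path $localAppData 'Chrome-Redir'
$targetPath = Join-Path $uvAppData    'Chrome'

# If the link (or a real folder) is already there, leave it alone rather than failing every logon
if (Test-Path -LiteralPath $linkPath) {
    return 0
}

# mklink is a cmd.exe built-in, so it has to go through cmd; quote both paths in case of spaces
cmd.exe /c "mklink /d `"$linkPath`" `"$targetPath`""

# 0 on success, non-zero if mklink failed
return $LASTEXITCODE
```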

                          • 10. Re: How to redirect non-redirectable folders
                            ldpingel Rookie

                            I use the Process Started trigger for Chrome and Firefox to create sym-links, but there seems to be maintenance run on the webcache database by the OS during logon that locks the files prior to IE being launched. What logon trigger did you use to create the sym-link for WebCache (Pre-Session, Pre-Desktop)?

                            • 11. Re: How to redirect non-redirectable folders
                              Landon Winburn Expert

                              You would have to use pre-desktop as the file is locked by dllhost.