A Technical Overview Of Citrix Application Layering

Transcription

This document provides an overview of Citrix App Layering technology, including how Citrix App Layering works and how it fits into XenApp and XenDesktop environments as well as other virtualization platforms and the cloud. It will also cover a high-level breakdown of how the underlying code is organized to deliver these features.

Citrix App Layering uses a single virtual appliance to manage the layers and then hands them off to other platforms for image and application distribution. This will be covered in detail in this document with the fundamental understanding that Citrix App Layering can integrate with major hypervisor and cloud platforms.

Citrix.com

Understanding Citrix App Layering

Citrix App Layering is a Windows Operating System and application management solution designed for on premise private clouds and public clouds. Citrix App Layering's underlying technology, called layering, enables all components of a virtual machine to be independently assigned, patched, and updated. This includes the Windows OS, applications, and user’s settings and data. Built around this core innovation is a management system that encompasses application conflict resolution, image creation, application assignment, and integration technologies that can be used for any virtualization platform.

The primary goal of Citrix App Layering is to create a simple, easy-to-manage, application environment that enables anyone in IT to manage Windows and Windows apps using one interface and one seamlessly integrated technology, regardless of the underlying hypervisor or cloud infrastructure.

Citrix App Layering makes IT more efficient by reducing packaging and delivery times for all applications to minutes; reducing the many Windows gold images that need to be patched in most environments to a single OS Layer that only needs to be patched once; and enabling helpdesk staff and junior IT administrators to take on everything from application packaging and updating to desktop provisioning and repair, freeing up senior IT staff for more strategic projects.

How Citrix App Layering Works

Citrix App Layering enables IT to deliver applications that look, act and feel as if they are installed locally in the VM/Gold Image, but these applications are actually stored as separate manageable objects in their own virtual disks. With Citrix App Layering, any application can be separated from the Windows OS. As a result, IT will only have a single OS Layer to manage regardless of the number of machine configurations (pools, silos, delivery groups).
This simplifies the environment while reducing management time/complexity and the costs associated with OS and app management.

The Windows OS and applications (or groups of applications) are stored as their own virtual disks (VHDs or VMDKs) and contain only the files, system objects, and registry entries for that specific layer.

[Figure: Creation of a Citrix App Layering Layered Image (Adobe Apps, Microsoft Office, Server 2016)]

By separating the applications from the operating system, and separating the personalization (unique) changes for the machine from the operating system, you create a model where IT has one copy of any given OS or application, regardless of the number of desktop or session host configurations.

Citrix.com White Paper A Technical Overview of Citrix App Layering

Application layers can be “attached” to the virtual machine in one of two ways: 1- App Layers can be combined with an OS Layer, in a process called image publishing, and pushed to existing provisioning systems such as Citrix Provisioning Services, Citrix Machine Creation Services, or VMware View Composer, or 2- App Layers can be attached to a VM at user login based on user AD group membership and app assignments. Each user can also receive a unique “Personalization Layer.” This Personalization Layer will contain unique information for that user that will include things like local Windows profiles, application settings, files and folders created by the user and even user-installed applications.

[Figure: Adding Elastic Layers to a VM running a Layered Image]

[Figure: Individual Application Layers stored in the layer repository]

Citrix App Layering leverages a Microsoft Minifilter driver to intercept I/O requests from Windows and respond to the request from the appropriate virtual disk. Within Windows, the applications just “see” a holistic C:\ drive that looks like the apps are installed. But because of the Composite File System, the C:\ drive is in reality a logical drive that is made up of the base Layered Image and a series of virtual disks (one per Layer) mounted to the VM.

A Layer is simply a container for the file system objects and registry entries unique to that layer. As an example, an “Application Layer” is just the files and registry entries that have been added, changed or even removed during the application installation onto an operating system.

In addition to App Layers, Citrix App Layering has three other layer types: OS Layers, Platform Layers, and User Layers. IT will create and manage three of the four types of layers. The OS Layer (often combined with some App Layers) is used to create a “Layered Image” that can be distributed by any image management system. The App Layers can also be mounted Read-only to the desktop at login based on app assignments. Finally the third layer type is the User Personalization layer. This layer is created when the user first logs in and is a unique virtual disk for each user. Each of these layer types will be covered in detail below.

The Contents of a Layer

In the image below we have mounted the virtual disk for the OpenOffice layer to another machine and are browsing it within Windows. We can see the directory structure for Program Files\Common Files, OpenOffice.org 3 and the Unidesk directory. If you browse into any of these directories you can see other files/directories that were modified during this application’s installation.

[Figure: Contents of the OpenOffice Application Layer]

The “trick” with App Layering though is that when this virtual disk is mounted in the machine, the file system is blended with the other layers and presented to Windows as if the application was natively installed. In the image below we show the contents of the C:\Program Files\OpenOffice.org layer in a running virtual machine.

[Figure: Application of the OpenOffice layer to a Citrix App Layer virtual machine (registry & file system merge)]

As you can see, not only is the file system merged, but when you open the registry you can see the registry entries for the application are also merged with the OS Layer’s registry.

Types of Layers

As mentioned above there are four types of layers with App Layering. While operating systems, application, and Platform Layers are fairly straightforward, the User Layers are often misunderstood. Layer types in this context are OS layer, Platform Layer, App layer, and User Layer, but we'll spend a bit of time on the User Layers, as they are sometimes confusing to those new to Citrix App Layering.

OS Layers

OS Layers are the first layers created within Citrix App Layering. App Layering requires only two items in the OS image:

- App Layering Drivers
- The host server virtual machine tools (XenTools for XenServer and VMtools for VMware and Host Integration Services for Hyper-V)

In environments where the native provisioning mechanism does not manage domain Join, machine naming, and the like, you can use an unattend.xml for mini-setup to set up domain join, type of licensing, etc.

Creation of an OS Layer

Creating an OS Layer is simple. Here are the basic steps:

- Build a machine on XenServer or your preferred hypervisor, with your preferred Operating System. Do not join it to a domain.
- Run Windows Update to patch the machine so that it is current.
- Install any VM tools, such as XenTools for XenServer.
- For provisioning systems that require it, create an unattend.XML, which will be read at machine creation to join the domain, assign licensing, etc.
- Optionally, fine tune or optimize the OS for the virtual environment.
- Install the App Layering OS Machine Tools.
- Download the Virtual Disk used on the OS Image to the network share configured on the App Layering Enterprise Layer Manager.
- Import the OS image onto a new App Layering OS Layer.

All of the steps listed above, except for the final step, are done within the management framework for your hypervisor. Once you have installed the App Layering drivers, the final step takes you into our console to “Create an OS Layer”.

Because App Layering can layer any application, there is no need for applications to be installed on the OS image itself. The OS Layer you are creating may act as a base for numerous pools/delivery groups within the environment, and separation of apps from the OS is key to limiting the number of OS copies you have to manage. Even applications with drivers, services, and kernel devices are supported as App Layers and (with very few exceptions) should not need to be put on the OS image. The key is that the OS Layer is just a virtual disk that contains Windows, the basic VM tools/drivers and the App Layering drivers. This allows maximum flexibility in management of the environment regardless of complexity, number of desktops, or number of desktop configurations.

[Figure: Conceptual look at Layer Creation/Packaging Machine]

In the above screen capture, the VMDK is the disk from the VM as it shows up in the file share. During this process, App Layering converts the original OS Image into a new virtual disk layer created for this OS. Once converted, the original VM used to create the OS image is no longer required.

The contents of the file system and registry from that original VM are copied to a new virtual disk. This new virtual disk is the actual OS Layer. As with all layers, it is a thin-provisioned disk and once the import is completed, it will be marked as read-only and can be used to create new App Layers, or to build Layered Images for integration with other provisioning systems.

Versioning (updating) an OS Layer

Updating OS Layers is a simple operation with built-in version control. When you create a new version of the OS Layer, the latest version of the layer is copied, and this copy is marked as read-write. A special virtual machine called a “Packaging Machine” is created on the infrastructure and the copy of the OS is attached. The machine is then booted with this new writable version of the OS, and the admin can update the OS Layer as needed. Once all of the changes are complete and any required reboots are finished, the OS version can be assigned to Image templates and updated images can be published to your image provisioning system. App Layering will create updated images with the new OS versions which can then be published to your defined targets (such as the Citrix PVS Image Store directories).

Application Layers

Application layers are simply layers that contain the file system and registry objects for that application (or group of applications). The layers are created by the App Layering ELM creating a “packaging disk.” This is a single virtual disk that contains two volumes. The first volume (also the boot volume for the VM) contains the target Operating System layer and any pre-requisite / dependent layers. This disk also contains a second writable volume where the new application will be installed.

Once the machine boots, changes made within the VM (like the installation of the application) are directed to the writable volume by the App Layering file system filter. This is not a pre-scan/post-scan model, nor is this a block-based delta like a delta disk. These changes are captured at the File System and Registry level within Windows and redirected to this disk. One exception to this is that boot level files or registry entries are allowed to pass through to the “Read only” volume. These changes will still be saved in the layer, but allow for the machine to reboot and function as it should with applications that require a machine reboot during installation.

[Figure: Conceptual look at Layer Creation/Packaging Machine]

The graphic above shows the conceptual components of a Packaging Machine when creating a new App Layer. The new App Layer is logically “above” the read-only OS Layer. Changes being made during the application installation are written to the new layer, while all other layers are read-only.

Packaging Machines also allow you to attach what are called Prerequisite Layers. Prerequisite Layers can be used when a new App Layer is dependent on other applications to install or function properly. A good example of this is MS Office Plug-ins. In the image above, you can see the Windows OS Layer and a Prerequisite Layer with MS Office in the boot volume. When the machine is booted, the Windows environment will show MS Office installed on the VM. When the admin installs a new application, the changes will be written to the new App Layer, but the installation process will be able to “see” that Office is installed. This negates the need to package together applications that are dependent on one another. This model also simplifies application management by keeping organizations from including dependent applications in more than one package.

Whether versioning or creating a new layer, once packaging is complete, the layer is finalized, the machine is powered down, and the new App Layer is copied from the packaging disk into its own virtual disk in the primary Layer Repository.

Versioning (updating) an App Layer

Version control and the ability to update App and OS Layers is a key Citrix App Layering feature. Not only does this allow admins to simplify the deployments of app and OS updates, it also allows for IT staffs to “roll-back” to a previous version if there is a problem with an update.

[Figure: Logical example of layer versioning]

When updating an App Layer, a copy of the existing layer is made. The virtual disk of the most current version of the layer is copied and attached to an App Layering Packaging Machine. The Admin would then update or patch the layer as needed. Once the update is complete the layer can be pushed out to users as Elastic Layers, or assigned to existing Layered Images. When applications are versioned in this way it also ensures that two different versions of the same application will not be assigned to a virtual machine simultaneously.

A note on versioning layers: A new layer version can be created for a layer when IT needs to modify the existing app installation, or the application needs to be upgraded. You can create a new App Layer for a major application version (such as moving from Office 2013 to Office 2016) but in most instances App Layers are simply versioned during upgrades.

User Layer

The User Layer is a special layer attached to a desktop OS Virtual Machine during the logon process. The User Layer allows a user to save files, install applications, and customize a virtual machine the same way they would any other dedicated machine.

The User Layer is dedicated to an individual rather than a VM, and is the only read/write layer. When the user logs into a Virtual Machine, the User Layer is added to the system. Any changes that are made by the user that would modify the registry or file system of the machine are then redirected by our filter driver to the writable volume. When a user logs off of a machine the User Layer is removed from that machine so that it can follow a user to the next machine.

Interactions with other layers

Since the User Layer is read/write, users can not only install standalone apps, but they can also modify applications that have been provided by a layer. A common example is when a user modifies the dictionary for Microsoft Word that has been provided by the Office Layer. A copy of the dictionary is made and placed in the user’s read/write Personalization Layer. The user can then modify that dictionary as they see fit. The dictionary in the User Layer will have a higher priority than the one in the Office layer. Layer priority will be covered more in-depth in a later section.

Platform Layers

A Platform Layer is a special layer that contains all of the information about a particular hypervisor, the provisioning service to be used, and the connection broker. Since App, OS, and User Layers contain OS-specific information, it is very easy to use the concept of a Platform Layer to move other layers between different hypervisors.

[Figure: Logical example of layer versioning]

Platform Layers enable an administrator to update applications and operating systems one time, and distribute them to multiple sites. It doesn’t matter if the sites are internal XenServer based environments, or if one is an on premise XenServer and the other an Azure cloud DR deployment, all deployments will use the same base layers in Citrix App Layering.

Understanding File System Layering

Start with the knowledge that the C:\ drive is just a virtual concept. Whether you are running a physical laptop, a server, or a virtual machine, C:\ is just a logical assignment to whatever physical or virtual “drive” Windows can see at the hardware level. The logical drive contains a hierarchy of folders and files to enable Windows to boot, services and applications to run, and users to interact with them.

Understanding that App Layering layers are stored in separate virtual disks, you can then begin to understand that a Virtual Machine may have several virtual disks attached to it or may run from a single virtual disk that contains the contents of many layers. In any case, the C:\ drive that the machine sees is really made up of one merged view of all these layers. We will get to how this is accomplished shortly, but let’s understand the results of this merging first.

Starting with the image above, let’s assume that these three layers make up a desktop. Each layer contains one application that has only two files: an EXE and a DLL.

When these layers are assigned to a VM, they are logically merged to make the applications look like they have just been installed into a “regular” C:\ drive, but underneath they actually reside in separate VHD files.

Remember that to layer a C:\ drive is really to create a logical C: drive from a series of Layers, either in a single virtual disk (as in the case of Layered Images), or series of individual virtual disks that are added to the session at login as additional logical volumes merged into C:\ (Elastic Layers).

Within Windows, if you were to browse the C: drive in explorer, you would see a structure like the image above. The files and directories that come from different layers are merged together. Program Files is a great example of this layer merging. You can see AppA, AppB and the Common folders from numerous layers. You may also notice that in the Common directory there are DLLs from different layers. This is not simple Windows mount points in a directory. This is a function of file system level virtualization, and the blending of different file systems.

The file system virtualization is based around App Layering conflict resolution logic and a Microsoft file system mini-filter driver. Logically, all of the "magic" lives at the file system. The layers themselves are NTFS within their virtual disks. App Layering is virtualizing the name space for the file system to intercept I/O requests for files and direct them to the proper, layered file system.

As an example, if you double-click a shortcut for AppA.exe (above), the call to the file system actually goes to our mini-filter, which passes the call to the proper virtual disk. If that app then calls AppB, the same process occurs again for the new files being sought, in this case AppB.exe and possibly its DLL(s).

Understanding Layer Priority

In the example used in the previous section you may have noted a conflict between AppA and AppB. Both of these layers had a Common.DLL that was placed in the C:\Program Files\Common directory. The conflict was resolved by the system in such a way that AppA layer’s DLL is taking priority over AppB and being presented to Windows.

This priority mechanism begins at layer creation and is based on the order in which the layers are created. When Windows views these layers, it is from a top-down model where the highest priority wins. So if a file (or registry entry) exists in two layers, but only one can be presented to an executing Windows environment, the layer with highest priority “wins”.

Before you dive into priority it is important to note that the Personalization Layer is always “on top,” or the highest priority, and the OS Layer or Layered Image is always “on the bottom” or the lowest priority. App Layers are what receive specific priorities relative to each other and not to the OS or User Layer.

In the image above we can see a total of four Layers: the User Layer, OS Layer, and two App Layers. The conflict here is between App1 and App2 with regards to “File 4”. In this default priority, “File 4” from App2 “wins” and is presented to Windows. But let’s assume there is a problem and we need to expose “File 4” from App1 to the Windows environment.

This is where layer priority overrides come into play. The IT admin can adjust the priorities so App1 is a higher priority than App2. Thus “File 4” from App1 is presented to Windows.

Object Delete Tokens

Understanding how items are “deleted” in a layered world is not as simple as it seems. In order to fully understand it we have to create a situation where App Layering delete tokens can be understood. Let’s use a corrupt or missing file from a user’s desktop:

Let’s assume a user corrupts or overwrites a file on their desktop. The file in question was from an App Layer. At this point, can’t you just delete the offending file from the User Layer since, because of layering, if the file doesn’t exist in the User Layer, the lower level layer’s file should “show through” to Windows?

The answer is NO. Just deleting the file from within Windows in the desktop or session does not allow the file in the lower level layer to just pass through. And this is because of something called a Delete Token.

In the situation described above, we are articulating this as a “problem” to be solved. We need to delete the file from the User Layer so the lower level layer shows through. And while this is possible in our interface, it is actually done by the App Layering system and not by deleting a file from the User Layer. Here is how this works.

Whether the file is just a flag that is deleted when the file is launched by the app, or it is a script that runs the first time a machine is booted and then is deleted, or it is a function within an app that you configure by removing the files or registry entries, or it is a shortcut that is in the All Users\Desktop folder that a user deletes and doesn’t want to come back, the layering system understands deleted objects vs objects that don’t exist in a layer. App Layering does that by using something called a Delete Token. Here’s how Delete Tokens work. Say you have two App Layers and a User Layer, all with delete tokens in them.

In this scenario, the App2 Layer deleted “File 1” when it was created as a new App Layer. Then, somewhere in the process of using the application or desktop, “File 4” was deleted in the User Layer. While the file is “deleted” and gone from view in both cases, what really happens is that a Delete Token is left in its place. This tells the Composite File System that the file is not there, and the running Windows environment “sees” this:

Here the Delete Token from the App2 Layer has “deleted” File 1 and the Delete Token from the User’s User Layer has “deleted” File 4. In the event that App 1 was given an increased priority (stacked higher than App2), File 1 would then be presented to the Windows environment, as the Delete Token in App2 would be lower in the layer conflict resolution logic.
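The layer priority and Delete Token rules described in the two sections above can be modelled in a few lines. The following Python sketch is an added example, not Citrix code: the Layer class, the function names (including the hypothetical discard_user_object repair step) and the sample layer contents are constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Layer:
    name: str
    files: dict = field(default_factory=dict)   # path -> content held by this layer
    deleted: set = field(default_factory=set)   # paths carrying a Delete Token


def build_stack(user, app_layers, os_layer):
    """User Layer on top, OS Layer on the bottom, App Layers in between
    (app_layers is listed highest priority first)."""
    return [user, *app_layers, os_layer]


def resolve(stack, path):
    """Return (layer name, content) for the object Windows would see, or None.

    The stack is walked from highest to lowest priority. A Delete Token stops
    the walk, so nothing below it can show through.
    """
    for layer in stack:
        if path in layer.deleted:
            return None
        if path in layer.files:
            return layer.name, layer.files[path]
    return None


def composite_view(stack):
    """Map every visible path to the name of the layer that supplies it."""
    paths = set().union(*(layer.files for layer in stack))
    view = {}
    for path in sorted(paths):
        hit = resolve(stack, path)
        if hit is not None:
            view[path] = hit[0]
    return view


def delete_in_session(user, path):
    """A delete made inside Windows: the user's copy goes, a Delete Token stays."""
    user.files.pop(path, None)
    user.deleted.add(path)


def discard_user_object(user, path):
    """Hypothetical repair step: drop the user's copy and any token for the
    path, so the lower layer's object shows through again."""
    user.files.pop(path, None)
    user.deleted.discard(path)


def sample_layers():
    """Constructed sample data following the page's File 1 / File 4 scenario."""
    os_layer = Layer("OS", {"File 0": "os copy"})
    app1 = Layer("App1", {"File 1": "app1 copy", "File 2": "app1 copy",
                          "File 4": "app1 copy"})
    app2 = Layer("App2", {"File 3": "app2 copy", "File 4": "app2 copy"},
                 deleted={"File 1"})
    user = Layer("User", deleted={"File 4"})
    return os_layer, app1, app2, user


if __name__ == "__main__":
    os_layer, app1, app2, user = sample_layers()
    print("default :", composite_view(build_stack(user, [app2, app1], os_layer)))
    print("override:", composite_view(build_stack(user, [app1, app2], os_layer)))
```

When reviewing a layered desktop, the same walk explains why a file an administrator expects from a lower layer is absent: a token in any higher layer is enough to hide it.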

Understanding Registry Layering

When you interact with the registry, the hives you see, such as HKLM\SYSTEM or HKLM\SOFTWARE, are stored in files on the C: drive. There are also some registry hives that are volatile and are created purely in memory, but the major ones you see, and we interact with, all have files associated.

Files associated with registry hives:

HKEY_LOCAL_MACHINE\SYSTEM      \system32\config\system
HKEY_LOCAL_MACHINE\SAM         \system32\config\sam
HKEY_LOCAL_MACHINE\SECURITY    \system32\config\security
HKEY_LOCAL_MACHINE\SOFTWARE    \system32\config\software
HKEY_USERS\UserProfile         \winnt\profiles\username
HKEY_USERS\.DEFAULT            \system32\config\default

Knowing how App Layering merges the file system, you quickly realize that the registry files can’t simply be replaced and presented to the C: drive like other files. If that were to occur, a file from one layer would “win” and you would only have registry entries from a single layer, when you actually need them from the OS and all of the App Layers.

To solve this problem, App Layering uses what is called a Composite Registry. Registry merges are handled based on how the layer is being deployed. If the layers are being deployed into a Layered Image, say for deployment by a provisioning system like Citrix PVS, App Layering will actually build these files with the contents of the registry changes from each layer merged into the proper registry files. The result is that the registry in the image is a complete registry merged from registry components of each assigned layer. A benefit of creating the registry this way is that the files are there pre-boot, meaning services and drivers all work as expected, regardless of which layer these hard-to-virtualize items are located in.

How elastic layering loads a registry

When an elastic layer is added to a virtual machine, the registry hive is loaded in from the layer on the layer repository. The hive is then mounted in memory. Once the hive has been mounted, the operating system can access the registry data as if the application had actually been installed on that virtual machine.

How the registry merging is like and not like the file system merge

The registry merge process is not unlike the App Layering composite file system. Objects from different layers have to reside in the registry in the proper location. Below is an example of how layers show up in HKLM:

Here in HKLM\SOFTWARE\RegisteredApplications you can see registry entries from both Google Chrome and Internet Explorer. In this example the registry entries are contained in the file “\system32\config\software,” but because App Layering merges inside the registry and not just the registry files, you can see results here loaded into Windows. Internet Explorer entries are from the OS Layer, and Chrome is its own App Layer.

Registry merge that is not simple override

The App Layering process for building the Composite Registry is actually much more complex than the example above conveys, and it is more complex than the file system merging process. This is because the registry uses things like Multi-String (REG_MULTI_SZ) Values, where registry virtualization cannot be a simple replacement based on priority. Let’s use the example of the entry for System Path variable shown below:

If multiple App Layers have modified the System Path by appending extra directories to it, rather than a simple overwrite of the entire Path value, intelligent registry composition is required to append the changes to a Multi-string registry entry. This registry-aware intelligence is critical throughout the Windows world. Some of the key intelligence in App Layering is proprietary, but we can share a few examples of how our composition model impacts your desktops.

- In .NET applications, Microsoft relies heavily on Fusion keys, and their index values, to execute the applications. If you layer .NET applications, App Layering will intelligently merge their information, which allows apps like Microsoft Office, Office Plug-ins, Visual Studio, Visio and Project to be layered separately, yet still function on a single desktop.
- App Layering allows drivers to be installed in different layers by merging the Windows Driver store and placing the references to the drivers in the registry. This allows you to layer as many apps as you want with drivers and not have to place them in the OS image or a specific “drivers layer”.
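To make the System Path case concrete, the Python sketch below contrasts whole-value replacement by priority with an append-style composition of a multi-string value. It is an added example and not the App Layering algorithm, which the paper describes as partly proprietary; the function names, the order in which additions are appended, the case-insensitive comparison and the sample paths are all assumptions made here.

```python
def normalize(entry):
    """Comparison key for a path entry: case-insensitive, trailing backslash
    ignored (an assumption of this example)."""
    return entry.rstrip("\\").lower()


def override_merge(base, layer_values):
    """Whole-value replacement: the first (highest-priority) layer's copy of
    the value wins and every other layer's additions are lost."""
    return list(layer_values[0]) if layer_values else list(base)


def append_merge(base, layer_values):
    """Keep the base value and append each layer's new entries once.

    Each item in layer_values is the full value as that layer saw it at
    packaging time (base entries plus whatever its installer appended).
    """
    result = list(base)
    seen = {normalize(e) for e in base}
    for value in layer_values:
        for entry in value:
            key = normalize(entry)
            if key not in seen:
                seen.add(key)
                result.append(entry)
    return result


def lost_entries(base, layer_values):
    """Entries that append_merge keeps but a priority override would drop."""
    kept = {normalize(e) for e in override_merge(base, layer_values)}
    return [e for e in append_merge(base, layer_values) if normalize(e) not in kept]


# Constructed sample values: the OS Layer's Path and two App Layers' views of it.
BASE = [r"C:\Windows\system32", r"C:\Windows"]
APP_A = BASE + [r"C:\Program Files\AppA\bin"]
APP_B = [r"C:\WINDOWS\system32", r"C:\Windows", r"C:\Program Files\AppB\bin"]

if __name__ == "__main__":
    layers = [APP_B, APP_A]  # APP_B listed first, so it wins a plain override
    print("override:", override_merge(BASE, layers))
    print("append  :", append_merge(BASE, layers))
    print("lost    :", lost_entries(BASE, layers))
```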

Understanding How App Layering Layers Are Deployed

The contents of a virtual machine using App Layering Layers is a composite of layers that provide the operating system, applications, and personalization data. App Layering can create Layered Images that can be deployed via existing image management tools, such as Citrix PVS and View Composer, and also supports more App Layers, attached at login, based on user identity. In this section we will review the unique layer deployment characteristics and processes.

App Layering supports two models for layer deployment in Windows-based virtual machines. The first is a Layered Image, where a virtual disk image is created from a combination of OS and App Layers. This image is then used by an image provisioning system, such as Citrix Provisioning Server or VMware View Composer, as the base image for a pool or catalog of VMs. The second supported model is the dynamic assignment of an App Layer at login. This is accomplished by Layering software that presents the application to the users’ desktop or session, based on AD credentials and group membership.

Using the example above, we have 3 different Citrix Delivery Groups. All three delivery groups are using Windows Server 2016, but have differing application requireme
