If AAV logging is enabled for a Cloudhouse Alchemy Compatibility Package (it is not enabled by default), two logs are created whenever AAV runs:
Log for AAV
When AAV runs, it creates a log named:
reversedate-time-PID-AAV.log
where:
- reversedate is the date in reverse format (e.g. YYYYMMDD)
- time is the time (e.g. HHMM)
- PID is the Process ID of AAV
- AAV means AAV created the log
For example, if you run AAV on the 12th November 2021 at 18:59 and AAV has a PID of 1234, the following log is created:
20211112-1859-1234-AAV.log
Log Entries for AAV
The following lists the typical entries you will find in the AAV Log.
Created process
Indicates a process has just been created, including its architecture (32-bit or 64-bit). For example, if a 32-bit process called App.exe has been created, you will see:
Created process App.exe; 32 bit
Detaches
Lists the processes to be detached from AAV as a debugger.
For example:
2022-06-28T12:12:55.913, 31348, 12160, INFO, AAV INTERNAL, Detaches:
2022-06-28T12:12:55.914, 31348, 12160, INFO, AAV INTERNAL, Excel.exe
Execute
At the start of the AAV log, the command used to execute the application is shown. For example:
2022-05-23T09:54:48.667, 7316, 8272, INFO, AAV INTERNAL, Execute ["C:\PathToApp\Application.exe" Argument1 Argument2 Argument3]
where:
- C:\PathToApp\Application.exe is the path to the application being virtualised
- Argument1, Argument2, Argument3 are any arguments being passed to the application
Exclusions
Lists the processes to be excluded from being virtualised by AAV.
For example:
2022-07-20T12:53:46.764, 14000, 5200, INFO, AAV INTERNAL, Exclusions:
2022-07-20T12:53:46.776, 14000, 5200, INFO, AAV INTERNAL, notepad.exe
Features enabled for all processes:
Lists the Compatibility Feature(s) which have been activated globally (i.e. to all processes spawned by AAV under the current configuration). For example:
Features enabled for all processes : NarrowDEP, NotWow64Process
This entry can also tell you about Compatibility Features that have or have not been activated for specific processes.
For example:
Features enabled for App.exe : NarrowDEP
Hiding debugging behaviour
By default, AAV attempts to hide from the virtualised software as a debugger. As a result, you will see log entries similar to the following:
Attempting to patch PEB to hide debugger
Successfully patched PEB flags
Attempting to patch WOW64 PEB
These entries indicate the high-level steps AAV goes through to hide its presence from the virtualised application.
IL flags not set
Indicates whether the Intermediate Flags (IL) are set. This only applies to .NET applications, is mostly used for debugging purposes, and can be safely ignored.
License verification
Indicates whether licensing verification is on or off.
For example, if licensing verification is on, the log entry states:
Valid license found!
If licensing verification is off, it states:
License verification is OFF!
Loaded dll
Indicates when a DLL has been loaded into the virtualised process and whether there are any functions that require hooking. In the following example, Kernel32 has 59 functions that AAV will try hooking:
Loaded dll at 0000000076040000. Name "KERNEL32.dll"; 59 functions of interest. In process App.exe
No processes remaining; exiting
This entry usually occurs at the end of the log and indicates that all virtualised processes have closed, so AAV exits.
Process Mitigation Policies
After virtualising a process, AAV reports the current active mitigation policies, for example:
Process Mitigation Policies for (App.exe): Permanent DEP Enabled, ATLThunkEmulation Disabled, BottomUpRandomization Enabled, CetDynamicApisOutOfProcOnly Enabled
This entry lists all of the process mitigation policies Windows has applied.
The virtualised application does not require elevated privileges.
This entry is shown if elevated privileges are not required to run the application.
Virtualising applications
The following entries are used for debugging the steps AAV performs to virtualise an application and can be safely ignored:
- Injected code
- Import Descriptors set successfully
- AAV Dll Injected Successfully
- Enabled child debugging
- Ignoring 1st break point seen
- Pre-main break point seen
- Using Thread Hijack Method
- End of AAV dll initialisation signal thread spotted
- EFS FuncPointer [IGNORING ] - as Function redirects outside dll
- Opcode XYZ not implemented yet
- Cannot hook XYZ.
Warning: This application may require elevated privileges. If you experience any issues, try rerunning AAV as the Administrator.
This entry indicates the application needs to be run as an administrator, and the account you are using does not have administrative rights.
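As an added example (not part of the Cloudhouse documentation or of AAV itself), the following Python parses entries in the layout shown above and pulls out the items a reviewer checks first: which mitigation policies Windows reports as Disabled for each virtualised process, how many functions AAV will hook per DLL, whether the elevation warning appeared, and the licence-verification state. The sample log is constructed, and reading the second numeric column as a thread id is an assumption.

```python
import re
# Entry layout assumed from the examples on this page: timestamp, pid, a second id
# (assumed to be a thread id; the page does not name it), level, component, message.
ENTRY_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}), (?P<pid>\d+), (?P<tid>\d+), "
    r"(?P<level>\w+), (?P<component>[^,]+), (?P<message>.*)$")
POLICY_RE = re.compile(r"^Process Mitigation Policies for \((?P<proc>[^)]+)\): (?P<rest>.*)$")
DLL_RE = re.compile(r'^Loaded dll at [0-9A-Fa-f]+\. Name "(?P<name>[^"]+)"; (?P<n>\d+) functions of interest\.')

def parse_entry(line):
    """Return (fields, message) with fields as strings; unprefixed lines such as 'Valid license found!' give fields=None."""
    m = ENTRY_RE.match(line.strip())
    return (m.groupdict(), m["message"]) if m else (None, line.strip())

def mitigation_policies(message):
    """'... for (App.exe): Permanent DEP Enabled, X Disabled' -> ('App.exe', {'Permanent DEP': True, 'X': False})."""
    m = POLICY_RE.match(message)
    if not m:
        return None
    policies = {}
    for item in m["rest"].split(","):
        name, _, state = item.strip().rpartition(" ")  # policy names may contain spaces
        policies[name] = state == "Enabled"
    return m["proc"], policies

def summarise(text):
    """Collect what a reviewer checks first: disabled mitigations per process, hooked-function
    counts per DLL, whether the elevation warning appeared, and the licence-verification state."""
    report = {"disabled_mitigations": {}, "functions_of_interest": {}, "elevation_warning": False, "license_check": None}
    for raw in filter(str.strip, text.splitlines()):
        _, msg = parse_entry(raw)
        if pol := mitigation_policies(msg):
            report["disabled_mitigations"][pol[0]] = sorted(n for n, on in pol[1].items() if not on)
        elif dll := DLL_RE.match(msg):
            report["functions_of_interest"][dll["name"]] = int(dll["n"])
        elif msg.startswith("Warning: This application may require elevated privileges"):
            report["elevation_warning"] = True
        elif msg in ("Valid license found!", "License verification is OFF!"):
            report["license_check"] = "on" if msg.startswith("Valid") else "off"
    return report

# Constructed sample modelled on the entries this page describes (not a real AAV log).
SAMPLE_LOG = """\
2022-05-23T09:54:48.700, 7316, 8272, INFO, AAV INTERNAL, Created process App.exe; 32 bit
Valid license found!
2022-05-23T09:54:48.710, 7316, 8272, INFO, AAV INTERNAL, Loaded dll at 0000000076040000. Name "KERNEL32.dll"; 59 functions of interest. In process App.exe
2022-05-23T09:54:48.720, 7316, 8272, INFO, AAV INTERNAL, Process Mitigation Policies for (App.exe): Permanent DEP Enabled, ATLThunkEmulation Disabled, BottomUpRandomization Enabled
2022-05-23T09:54:49.000, 7316, 8272, INFO, AAV INTERNAL, Warning: This application may require elevated privileges. If you experience any issues, try rerunning AAV as the Administrator.
"""
```

Running summarise over a real AAV log gives a quick view of which mitigations a packaged application runs without, which is worth comparing against the organisation's baseline before the package is deployed.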
Log for Child Process
When AAV redirects a Child Process, it creates a log named:
reversedate-time-parentPID-PID-ExecutableName.log
where:
- reversedate is the date in reverse format (e.g. YYYYMMDD)
- time is the time (e.g. HHMM)
- parentPID is the Process ID of AAV
- PID is the Process ID of the application/process
- ExecutableName is the name of the redirected executable
For example, assume:
- You run AAV on the 12th November 2021
- At 18:59
- AAV has a PID of 1234
- AAV redirects Notepad.EXE, which itself has a PID of 5678;
then the following log is created:
20211112-1859-1234-5678-notepad.log
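As an added example covering both naming schemes on this page (the AAV log above and the child-process log here; not Cloudhouse code), the following Python classifies log filenames and attaches each child log to the AAV run it belongs to. It assumes a child log carries the same date as its parent AAV log and keys on date plus AAV PID because Windows reuses process IDs; the directory listing is constructed.

```python
import re

# Filename layouts described on this page:
#   <YYYYMMDD>-<HHMM>-<AAV pid>-AAV.log                        (AAV's own log)
#   <YYYYMMDD>-<HHMM>-<AAV pid>-<child pid>-<executable>.log   (one per redirected child)
AAV_LOG_RE = re.compile(r"^(?P<date>\d{8})-(?P<time>\d{4})-(?P<pid>\d+)-AAV\.log$")
CHILD_LOG_RE = re.compile(
    r"^(?P<date>\d{8})-(?P<time>\d{4})-(?P<parent>\d+)-(?P<pid>\d+)-(?P<exe>.+)\.log$")

def parse_log_name(name):
    """Classify one filename; returns None for anything that is not an AAV log."""
    if m := AAV_LOG_RE.match(name):
        return {"kind": "aav", "date": m["date"], "time": m["time"], "pid": int(m["pid"])}
    if m := CHILD_LOG_RE.match(name):
        return {"kind": "child", "date": m["date"], "time": m["time"],
                "parent": int(m["parent"]), "pid": int(m["pid"]), "exe": m["exe"]}
    return None

def group_sessions(names):
    """Attach each child log to the AAV run it belongs to.

    Key is (date, AAV pid): Windows reuses PIDs, so the date separates runs on
    different days (assumption: a child log shares its parent's date).
    Children with no matching AAV log are returned as orphans rather than dropped."""
    parsed = [p for p in map(parse_log_name, names) if p]
    sessions = {(p["date"], p["pid"]): {"aav_log": p, "children": []}
                for p in parsed if p["kind"] == "aav"}
    orphans = []
    for p in parsed:
        if p["kind"] != "child":
            continue
        bucket = sessions.get((p["date"], p["parent"]))
        (bucket["children"] if bucket else orphans).append(p)
    return sessions, orphans

# Constructed directory listing that follows the naming rules above (not real output).
SAMPLE_NAMES = [
    "20211112-1859-1234-AAV.log",
    "20211112-1859-1234-5678-notepad.log",
    "20211112-1900-1234-5690-excel.log",     # different minute, grouped on date and parent PID only
    "20211112-1902-2222-7777-winword.log",   # no AAV log for PID 2222, so reported as an orphan
    "readme.txt",                            # ignored
]
```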
Log Entries for Child Processes
The following lists the typical entries in an AAV log for a Child Process.
Architecture
Indicates whether the virtualised process is 32 or 64-bit.
For example:
Architecture: 32 bit
Detached
Indicates if the process has been automatically detached from AAV or not.
For example:
Detached: false
Elevated
Indicates whether the process has been launched with elevated privileges (as admin) or not.
For example:
Elevated: true
Enabled Deprecated Features
Lists any deprecated Compatibility Features that have been enabled for this process.
For example:
Enabled Deprecated Features:
Dep Please use ForceATLThunkEmulation or NarrowDEP instead
DEPOptOut Please use ForceATLThunkEmulation or NarrowDEP instead
Enabled Features
Lists the Compatibility Features enabled for this process.
For example:
Enabled Features: NarrowDEP
Environment Variables
Lists all of the user and system environment variables.
For example:
Environment variables: =::=::\ =C:=C:\Program Files (x86)\Microsoft Visual Studio\2019\Enterprise\Common7\IDE ALLUSERSPROFILE=C:\ProgramData ...etc...
Logging
Indicates whether verbose or non-verbose logging is active.
For example:
Logging: Non-Verbose
Operating System
Indicates the Operating System this process was run on (ignoring any settings from the ForceWindowsVersion Compatibility Feature).
For example:
Operating System: Windows 10 Enterprise Release: 2009, Build: 10.0.19041.1766, Architecture: 64 bit
PID
The process ID of the child process. For example:
PID: 31696
Process Name
The name of the child process to which the log file belongs. For example:
Process Name: notepad
Process Version
Shows the version of the application. If no version information can be found, this simply logs three question marks ("???").
For example:
Process Version: 10.0.19041.1
or
Process Version: ???