Virtual PC Security options

Virtual PC has a set of build in security options.  What this allows you to do is to restrict access to various parts of the application for non-Administrative users*.  When all the options are enabled – all that a non-administrative user can do is to launch preconfigured virtual machines.

Now the problem is that this setting has to be configured by an Administrator on the computer in question.  If you are doing a large deployment you can avoid this by simply placing the correct value in the registry.  The Virtual PC security options are stored in a hexadecimal DWORD called ‘Locks’ under HKEY_LOCAL_MACHINESOFTWAREMicrosoftVirtual PC5.0Security.  The value of the DWORD determines what is restricted.  The values are as follows:

0x001 = Disable access to the Virtual PC Options
0x002 = Disable access to virtual machine settings
0x008 = Disable access to the new virtual machine wizard
0x020 = Disable access to the virtual disk wizard

If you want to disable multiple items – you just add the values.  So a value of 0x00A would mean that the settings and new virtual machine wizard were not accessible.  And a value of 0x02B would mean that everything possible was disabled.

You might notice that the numbers for these options are not a strict binary progression (4 and 16 are missing).  This is because of security options that were attempted in earlier builds of Virtual PC that did not prove to be useful or reliable.


* Connectix versions of Virtual PC used to use a password rather than the account type for these security options.  However as part of the Microsoft security evaluation we found a large number of problems with this approach (and potential ways to bypass this feature), so the decision was made to move to using the built-in Windows credentials for this purpose.