On Spoofs, Redirections, and Overlays

Virtualization, Layering, and Containerization all employ similar techniques to achieve their goals. The details of how and when these techniques are used vary, but first, you need to have an understanding of the basic techniques that they employ.

We will refer to them as Spoofs, Redirections, and Overlays. In essence, Redirections are a specific form of Spoof, and Overlays are an application of redirections, so technically, we could just use a single term - but as we will see, there is value in separating them out into three terms.


In reality, everything done in modern application runtimes falls under the “spoof” category. We can define a spoof as something that intercepts an action (function call, for example) and alters the requested action or result. In MSIX terms, a Package Support Framework shim, which intercepts a Windows API call and modifies it, implements various kinds of spoofs.

Modern application runtimes routinely implement spoofs for file redirection, changing a COM GUID, or renaming a semaphore for isolation purposes.


A particularly popular form of spoof is the redirection spoof. Used against calls to the file system or registry, it takes a file path or registry key path as requested by the application and in essence, it says: “I know you asked for this, but I’m going to give you this other thing instead”.

Fundamentally, this allows for traditional code to not know that it is not running in a modern environment. It might think that it is installed to the default “C:\Program Files\VendorName” folder, while all of the files are located wherever the modern app runtime puts them.

A common use of Redirection used in several modern systems involves a folder called VFS (for Virtual File System) along with subfolders with specific names that refer to an equivalent “un-redirected” location. Thus “VFS\ProgramFIlesX64\VendorName” equates to the “C:\Program Files\VendorName” folder that the app might request.


Layers are a visual analogy used to describe the concept of how the modern runtime systems act.

The visualization we use to describe the layering concept is called panes of glass, whereby a piece of software, depicted in the image as an Application, sees the system through a series of glass panes. When items are placed on a glass pane, they can add to, or replace parts of what the application would see without them.

Illustration of a virtual application
Illustration of a virtual application

In application runtime systems, we usually think of a model such as the one shown above, where the application is working with three layers. Drawn horizontally, the rightmost layer is the operating system with its file system and registry. Just left of that is the application layer, containing additional and/or replacement files and registry entries. The application layer is immutable, meaning that the runtime system does not allow changes to occur in that layer when the user runs the application. Instead, changes to the application are made to the third layer, shown left of it. We can call this third layer: the user settings and data layer for that application.

This makes a nice visual, but of course, things are always more complicated! Items written to the upper layer can be used only by the application, and often we want settings and data to be usable outside of this application. So while some information needs to be written to that layer, other pieces need to be allowed to be written to system locations, such as the Documents folder, cloud sharing folders, home drives, and network shares. As a general rule, the runtime systems generally use the presence of items in the application layer to make this determination.

The layering concept is implemented by using redirections. Redirections may be implemented in the runtime as user mode intercepts (added to the application process by dll injection) or kernel filter drivers. Some runtime systems employ both techniques in different areas. In a redirection, the request by an application to perform an operation, such as opening a file with a certain file path, is examined and the request is redirected to a different location, which we think of like one of those panes of glass. In reality, this is just a different location on the system, but it is easier to just think of it as that glass pane.

Combining these techniques to solve application challenges

While the effect of redirecting a file or registry call is simply giving the application the best location choice, internally it is much more complicated. Consider the following case:

  • The OS has a folder with some files in it.
  • The application layer has additional files in its overlay folder.
  • When running the application, the end-user added a new file to that folder or modified an existing one, from the third layer.
  • If the application then makes a request to find files in that folder, the redirection software must query folders on all three layers to form the query reply.

Such a situation requires a combination of spoofing, redirection, and layering and is just one example of how modernizing applications alters what the application sees and does.