AAV Logs
If AAV logging is enabled for a Cloudhouse Alchemy Compatibility Package (it is not enabled by default), two logs are created every time AAV runs:
Note: See Enabling AAV Logging for an Alchemy Compatibility Package for details on how to enable logging.
Also, AAV does not perform any housekeeping for the logs it generates. A new log file is created every time AAV runs without deleting previous versions. You should therefore perform periodic housekeeping of the AAV logs.
Log for AAV
When AAV runs, it creates a log named:
reversedate-time-PID-AAV.log
where:
- reversedate is the date in reverse format (e.g. YYYYMMDD).
- time is the time (e.g. HHMM).
- PID is the process ID of AAV.
- AAV means AAV created the log.
For example, if you run AAV on the 12th November 2021 at 18:59 and AAV has a PID of 1234, the following log is created:
20211112-1859-1234-AAV.log
Log Entries for AAV
The following lists the typical entries you will find in the AAV Log.
Note: In addition to the log entries listed below, certain Compatibility Features may create their own log entries detailed in the relevant Compatibility Feature article.
Created Process
Indicates a process has just been created, including its architecture (32-bit or 64-bit). For example, if a 32-bit process called App.exe has been created, you will see: Created process App.exe; 32 bit
Detaches
Lists the processes to be detached from AAV as a debugger. For example:
2022-06-28T12:12:55.913, 31348, 12160, INFO, AAV INTERNAL, Detaches:
2022-06-28T12:12:55.914, 31348, 12160, INFO, AAV INTERNAL, Excel.exe
Execute
At the start of the AAV log, the command used to execute the application is shown. For example:
2022-05-23T09:54:48.667, 7316, 8272, INFO, AAV INTERNAL, Execute ["C:\PathToApp\Application.exe" Argument1 Argument2 Argument3]
where:
- C:\PathToApp\Application.exe is the path to the application being virtualised.
- Argument x are any arguments being passed to the application.
Exclusions
Lists the processes to be excluded from being virtualised by AAV. For example:
2022-07-20T12:53:46.764, 14000, 5200, INFO, AAV INTERNAL, Exclusions:
2022-07-20T12:53:46.776, 14000, 5200, INFO, AAV INTERNAL, notepad.exe
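The Execute, Detaches and Exclusions entries above share one line layout (timestamp, PID, thread ID, level, component, message), and the Detaches and Exclusions headers are followed by one entry per process name. The following parser is an added example, not Cloudhouse code; the field order is assumed from the entries shown on this page, and the sample log is constructed:

```python
import re

# Field layout assumed from the example entries on this page:
# timestamp, PID, thread ID, level, component, message
ENTRY_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+),\s*"
    r"(?P<pid>\d+),\s*(?P<tid>\d+),\s*(?P<level>\w+),\s*"
    r"(?P<component>[^,]+),\s*(?P<message>.*)$"
)
EXE_NAME_RE = re.compile(r"[^\\/:]+\.exe", re.IGNORECASE)

def parse_entry(line):
    """Split one AAV log line into a dict of fields; None for non-matching lines."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["pid"], fields["tid"] = int(fields["pid"]), int(fields["tid"])
    fields["component"] = fields["component"].strip()
    return fields

def summarise(lines):
    """Collect the Execute command and the Detaches/Exclusions process lists."""
    result = {"execute": None, "Detaches": [], "Exclusions": []}
    current = None  # which list the following executable-name entries belong to
    for line in lines:
        e = parse_entry(line)
        if e is None:
            continue
        msg = e["message"]
        if msg.startswith("Execute [") and msg.endswith("]"):
            result["execute"] = msg[len("Execute ["):-1]
            current = None
        elif msg in ("Detaches:", "Exclusions:"):
            current = msg[:-1]          # list header; items follow as separate entries
        elif current and EXE_NAME_RE.fullmatch(msg):
            result[current].append(msg)
        else:
            current = None              # any other entry ends the list
    return result

# Constructed sample log, patterned on the entries shown in this article
SAMPLE_LOG = r"""2022-05-23T09:54:48.667, 7316, 8272, INFO, AAV INTERNAL, Execute ["C:\PathToApp\Application.exe" Argument1 Argument2]
2022-05-23T09:54:48.700, 7316, 8272, INFO, AAV INTERNAL, Exclusions:
2022-05-23T09:54:48.701, 7316, 8272, INFO, AAV INTERNAL, notepad.exe
2022-05-23T09:54:48.702, 7316, 8272, INFO, AAV INTERNAL, Detaches:
2022-05-23T09:54:48.703, 7316, 8272, INFO, AAV INTERNAL, Excel.exe
2022-05-23T09:54:48.704, 7316, 8272, INFO, AAV INTERNAL, Outlook.exe
2022-05-23T09:54:49.000, 7316, 8272, INFO, AAV INTERNAL, Created process Application.exe; 32 bit"""
```

Run `summarise(SAMPLE_LOG.splitlines())` to see the command line and both process lists pulled out of the sample.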
Features Enabled For All Processes
Lists the Compatibility Feature(s) which have been activated globally (i.e. to all processes spawned by AAV under the current configuration). For example:
Features enabled for all processes: NarrowDEP, NotWow64Process
This entry can also tell you about Compatibility Features that have or have not been activated for specific processes. For example:
Features enabled for App.exe: NarrowDEP.
Hiding Debugging Behavior
By default, AAV attempts to hide from the virtualised software as a debugger. As a result, you will see log entries similar to the following:
Attempting to patch PEB to hide debugger
Successfully patched PEB flags
Attempting to patch WOW64 PEB
These entries indicate the high-level steps AAV goes through to hide its presence from the virtualised application.
IL Flags Not Set
Indicates whether the Intermediate Flags (IL) are set. This applies only to .NET applications, is mostly used for debugging purposes, and can be safely ignored.
Note: See Microsoft's What is "managed code"? article for more details.
License Verification
Indicates whether licensing verification is on or off. For example, if licensing verification is on, the log entry states:
Valid license found!
If licensing verification is off, the log entry states:
License verification is OFF!
Loaded DLL
Indicates when a DLL has been loaded into the virtualised process and whether it contains any functions that require hooking. In the following example, Kernel32 has 59 functions that AAV will try to hook:
Loaded dll at 0000000076040000. Name "KERNEL32.dll"; 59 functions of interest. In process App.exe
No Processes Remaining; Exiting
This entry usually occurs at the end of the log to indicate that all virtualised processes have been closed and AAV will therefore exit.
Process Mitigation Policies
After virtualising a process, AAV reports the current active mitigation policies, for example:
Process Mitigation Policies for (App.exe): Permanent DEP Enabled, ATLThunkEmulation Disabled, BottomUpRandomization Enabled, CetDynamicApisOutOfProcOnly Enabled
This entry lists all of the process mitigation policies Windows has applied.
Note: See Microsoft's GetProcessMitigationPolicy function (processthreadsapi.h) article for more details.
The Virtualised Application Does Not Require Elevated Privileges.
This entry is shown if elevated privileges are not required to run the application.
Virtualising Applications
The following entries are used for debugging the steps AAV performs to virtualise an application and can be safely ignored:
- Injected code.
- Import Descriptors set successfully.
- AAV Dll Injected Successfully.
- Enabled child debugging.
- Ignoring 1st break point seen.
- Pre-main break point seen.
- Using Thread Hijack Method.
- End of AAV dll initialisation signal thread spotted.
- EFS FuncPointer [IGNORING ] - as Function redirects outside dll.
- Opcode XYZ not implemented yet.
- Cannot hook XYZ.
Warning: This Application May Require Elevated Privileges. If You Experience Any Issues, Try Rerunning AAV as the Administrator.
This entry indicates the application needs to be run as an administrator, and the account you are using does not have administrative rights.
Log for Child Process
When AAV redirects a child process, it creates a log named:
reversedate-time-parentPID-PID-ExecutableName.log
where:
- reversedate is the date in reverse format (e.g. YYYYMMDD).
- time is the time (e.g. HHMM).
- parentPID is the process ID of AAV.
- PID is the process ID of the parent (this is usually AAV, except when multiple processes are launched in a nested manner, e.g. '1234').
- ExecutableName means the log was created by an executable.
For example, assume:
- You run AAV on the 12th November 2021
- At 18:59
- AAV has a PID of 1234
- AAV redirects Notepad.EXE, which itself has a PID of 5678;
then the following log is created:
20211112-1859-1234-5678-notepad.log
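Both filename layouts described on this page (reversedate-time-PID-AAV.log and reversedate-time-parentPID-PID-ExecutableName.log) encode the creation time and the PIDs, which is what the periodic housekeeping the article asks for needs. The following is an added example, not Cloudhouse code: it parses both layouts and selects logs older than a cut-off from a constructed directory listing. The 30-day retention period and the sample filenames are assumptions.

```python
import re
from datetime import datetime, timedelta

# Filename layouts documented on this page:
#   reversedate-time-PID-AAV.log                       (AAV's own log)
#   reversedate-time-parentPID-PID-ExecutableName.log  (child process log)
AAV_LOG_RE = re.compile(r"^(?P<date>\d{8})-(?P<time>\d{4})-(?P<pid>\d+)-AAV\.log$")
CHILD_LOG_RE = re.compile(
    r"^(?P<date>\d{8})-(?P<time>\d{4})-(?P<parent>\d+)-(?P<pid>\d+)-(?P<exe>.+)\.log$"
)

def parse_log_name(name):
    """Describe an AAV log filename, or return None if it is not one."""
    m = AAV_LOG_RE.match(name)
    if m:
        kind, parent, pid, exe = "aav", None, int(m["pid"]), None
    else:
        m = CHILD_LOG_RE.match(name)
        if not m:
            return None
        kind, parent, pid, exe = "child", int(m["parent"]), int(m["pid"]), m["exe"]
    # reversedate + time (YYYYMMDD HHMM) give the creation time to the minute
    created = datetime.strptime(m["date"] + m["time"], "%Y%m%d%H%M")
    return {"kind": kind, "created": created, "parent_pid": parent, "pid": pid, "exe": exe}

def stale_logs(names, now, max_age_days=30):
    """Select AAV-generated logs older than max_age_days; AAV never removes them itself."""
    cutoff = now - timedelta(days=max_age_days)
    return [n for n in names if (i := parse_log_name(n)) and i["created"] < cutoff]

# Constructed sample directory listing built from the examples on this page
SAMPLE_NAMES = [
    "20211112-1859-1234-AAV.log",
    "20211112-1859-1234-5678-notepad.log",
    "20220628-1212-31348-AAV.log",
    "20220628-1212-31348-12160-Excel.log",
    "unrelated.txt",
]

def demo(as_of="2022-07-01"):
    """Logs that a 30-day housekeeping pass run on as_of would remove (assumed date)."""
    return stale_logs(SAMPLE_NAMES, datetime.fromisoformat(as_of))

if __name__ == "__main__":
    for name in demo():
        print("would delete", name)
```

Replacing SAMPLE_NAMES with a real directory listing of the Compatibility Package's log folder turns this into the housekeeping step; non-AAV files are left untouched because parse_log_name rejects them.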
Log Header Entries for Child Processes
The following section lists the typical header entries included in an AAV log for child processes.
Note: AAV does not perform any housekeeping for the logs it generates. A new log file is created every time AAV runs, without deleting previous versions.
Date/Time
The date and time the log was initially created. This should match the timestamp in the filename. For example: 2025-4-24, 9:13:17.54
AAV Version
The version of Alchemy used to virtualize the process. For example: 4.7.2501.28265
Logging
Indicates whether verbose logging is enabled. For example: Logging: Non-Verbose
Process Name
The name of the child process associated with the log file. For example: Process Name: notepad
Arguments
The full command-line arguments that were passed in when the process was created. For example: Arguments: notepad.exe "C:\my files\textfile.txt"
PID
The process ID of the child process. For example: PID: 31696
Architecture
Indicates whether the virtualized process is 32-bit or 64-bit. For example: Architecture: 32 bit
Process Version
Displays the version of the application. If no version information is found, this field displays three question marks (???). For example: Process Version: 10.0.19041.1 or Process Version: ???.
Elevated
Indicates whether the process was launched with elevated privileges (e.g., as administrator). For example: Elevated: true
Detached
Indicates whether the process was automatically detached from AAV. For example:
Detached: false
Operating System
Displays the operating system that the process was run on, ignoring any values set by the ForceWindowsVersion Compatibility Feature. For example: Operating System: Windows 10 Enterprise Release: 2009, Build: 10.0.19041.1766, Architecture: 64 bit
Enabled Features
Lists the Compatibility Features enabled for this process. For example: Enabled Features: NarrowDEP
Enabled Deprecated Features
Lists any deprecated Compatibility Features that were enabled for this process. For example:
Enabled Deprecated Features:
Dep Please use ForceATLThunkEmulation or NarrowDEP instead
DEPOptOut Please use ForceATLThunkEmulation or NarrowDEP instead
Environment Variables
Lists all user and system environment variables available to the process. For example:
Environment variables:
=::=::\
=C:=C:\Program Files (x86)\Microsoft Visual Studio\2019\Enterprise\Common7\IDE
ALLUSERSPROFILE=C:\ProgramData
...etc...