What Exactly Gets Exported
This page explains exactly what data AppProfileSafe captures during an export, how it is stored, and how errors are handled.
Registry Data
For each application, AppProfileSafe reads the registry entries defined in the <Registry> section of the application definition and exports them into an XML file.
Supported Hives
All standard Windows registry hives are supported:
| Hive | Description |
|---|---|
HKCU |
Current user settings |
HKLM |
Local machine settings |
HKCR |
Classes root (file associations, COM registrations) |
HKU |
All user profiles |
HKCC |
Current hardware configuration |
RegKey Entries
For a <RegKey> definition, AppProfileSafe recursively reads the specified key and all subkeys. For each subkey, all values are exported with their name, type, and data.
RegValue Entries
For a <RegValue> definition, only the specific key and value name are read.
Value Types
The following Windows registry value types are captured:
| Registry Type | XML Element |
|---|---|
| REG_SZ, REG_EXPAND_SZ | <StringValue> |
| REG_MULTI_SZ | Multiple <StringValue> elements |
| REG_DWORD | <NumberValue> (unsigned 32-bit integer) |
| REG_QWORD | <NumberValue> (unsigned 64-bit integer) |
| REG_BINARY | <BinaryValue> (hexadecimal string) |
Storage
Registry data is saved as {AppName}.xml in the Registry\ subdirectory of the application's export folder. The XML uses namespace urn:appprofilesafe:registry:v1 and includes a CreatedUtc timestamp. The file is validated against AppProfileSafe.Registry-v1.0.0.xsd after writing.
Files and Folders
For each application, AppProfileSafe copies the files and folders defined in the <Files> section of the definition.
Folder Entries
For a <Folder> definition, AppProfileSafe recursively traverses the entire directory. Each file and subfolder is copied individually and tracked in the manifest. Empty folders are preserved.
File Entries
For a <File> definition, the single specified file is copied.
Environment Variable Resolution
Paths containing environment variables (e.g. %APPDATA%) are expanded at runtime to locate the actual files on the current system. The original unexpanded path is stored in the manifest as OriginPath, which ensures that the backup is portable across systems.
Storage
Files are copied to the Files\ subdirectory of the application's export folder. The internal folder structure mirrors the source hierarchy using a safe, hashed path scheme to avoid conflicts.
ACL Preservation (SDDL)
AppProfileSafe extracts the NTFS security descriptor (ACL) from each exported file and folder and stores it as an SDDL string in the manifest. This allows the original permissions to be restored during import.
The scope of ACL data captured depends on whether AppProfileSafe is running with administrator privileges:
| Privilege Level | ACL Scope | What is captured |
|---|---|---|
| Administrator | Owner + DACL + SACL | Full security descriptor including file owner, access permissions, and audit policies |
| Standard User | Owner + DACL | File owner and access permissions. Audit policies (SACL) are not included because they require the SeSecurityPrivilege. |
In both cases, ACL extraction is performed without warnings or errors. The application automatically detects the available privilege level at startup and adjusts the scope accordingly. Standard user exports are fully functional — the only difference is that system audit policies are not included in the backup.
Best-Effort Behavior
The export uses a best-effort strategy. This means that individual failures do not abort the entire export:
| Failure Type | Behavior |
|---|---|
| Registry key not found | Warning logged, key is skipped. Other keys in the same definition continue. |
| Registry access denied | Warning logged, key is skipped. Other keys continue. |
| File not found | Failed count is incremented. Other files continue. |
| File copy failure (locked, permission denied) | Failed count is incremented. Other files continue. |
| ACL extraction failure | Warning logged. File is exported without SDDL. Other files continue. |
| Entire definition fails to load | Error logged. Other application definitions continue. |
When some items fail, the audit log records the operation as ExportCompletedWithErrors instead of ExportCompleted. The progress window and run report show the result for each individual item.
Handling of Existing Data
If a data folder with the same name as the manifest already exists at the target location, AppProfileSafe deletes it entirely before starting the export. This ensures a clean backup without leftover files from a previous run.
Manifest File
After all applications have been processed, AppProfileSafe creates a manifest XML file that documents what was exported. The manifest includes:
- List of exported applications
- For each application: registry export status and a list of file/folder entries with origin path, safe path, item type, and SDDL
- Metadata such as machine name, user, and timestamps
For full details, see Understanding the Manifest File.
Audit and Reporting
Every export operation is recorded in the audit log with detailed information including:
- Application names, manifest path, and operation result
- Duration in milliseconds
- Total file count and data size in bytes
- Total registry value count
- Detailed lists of all exported file paths and registry values
A run report (JSON) is also generated and saved in the Report folder.