AppProfileSafe - Support Portal

General FAQ

Answers to the most common questions about AppProfileSafe. Use the sections below to find topics by category.


System Requirements

What are the system requirements?

AppProfileSafe requires Windows 10 or later (64-bit) with .NET 8.0 runtime installed. Administrator privileges are not required for standard operation — the application runs under the current user's context. Some operations on protected registry keys (e.g. HKLM) or system folders may require elevation.

Does AppProfileSafe work on Windows Server?

Yes. AppProfileSafe runs on Windows Server 2016 and later with the Desktop Experience feature enabled (required for the GUI). The CLI works on Server Core installations.

Can multiple users run AppProfileSafe at the same time on the same machine?

No. Only one instance of AppProfileSafe (GUI or CLI) can run at a time per machine. A global mutex enforces this. If a second instance is started, it exits immediately with exit code 2.


Editions & Licensing

Can I use AppProfileSafe without a license?

Yes. The Community Edition is free and runs without a license file. It provides the full GUI experience — export, import, mapping, simulation, DryRun, preflight, local audit logging, and run reports — with unlimited applications. Enterprise-only features (CLI, SIEM/webhook delivery, compliance reports) require a license. See How Licensing Works for the full feature comparison.

What happens when my license expires?

A 30-day grace period begins. During this period, all Enterprise features remain fully available, but the GUI displays a yellow warning on the Dashboard and a reminder dialog on startup. After the grace period ends, the application falls back to Community Edition. The CLI returns exit code 3. Renew at the license portal at any time — there is no lockout for late renewal.

Is the license tied to a specific machine?

No. The license is bound to an Azure AD tenant (by GUID) or an Active Directory domain (by DNS domain name). Any machine in the licensed scope can use it. A GUID binding requires an exact match; a domain binding uses suffix matching. See How Licensing Works.

Where do I place the license files?

Place License.json and AppProfileSafe.pem in the application's installation directory, or configure custom paths in settings.xml. See Installing or Updating a License.


Export & Import

What does AppProfileSafe export?

AppProfileSafe exports application settings as defined in application definitions — this includes files (AppData, configuration files), folders, and registry keys. Exports are stored alongside a manifest XML file that describes the backup contents.

Can I export to a network share?

Yes. Specify a UNC path as the manifest file location (e.g. \\server\share\Manifest.xml). See Working with UNC Paths for authentication options.

Can I import settings from one machine to a different machine?

Yes — this is a core use case. Export on the source machine, then import on the target machine. If user names or paths differ between machines, create a mapping file to translate paths during import.

Does importing overwrite existing settings?

Yes. Registry values and files are overwritten if they already exist. Use DryRun analysis before importing to see exactly what would change. A system restore point is created by default before every import for rollback safety.

Can I export/import only specific applications?

Yes. In the GUI, select the applications you want from the list. In the CLI, specify them with --apps "App1,App2". Only the selected applications are processed.


Automation

Can I automate exports and imports?

Yes. Use the CLI (AppProfileSafe.CLI.exe) in batch scripts, PowerShell scripts, scheduled tasks, SCCM task sequences, or GPO logon/logoff scripts. Combine with --silentMode for unattended operation and check exit codes for success/failure. Note: the CLI requires an Enterprise license.

How do I schedule a nightly export?

Create a Windows Scheduled Task that runs under a dedicated service account. Use AppProfileSafe.CLI.exe with --unc-credential-store for network share authentication and --silentMode to suppress console output. See Silent Mode Behavior for troubleshooting guidance.

Can I run a preflight check without performing an operation?

Yes. Use --preflight with --export or --import to validate all prerequisites without making any changes. The CLI exits with code 0 if all checks pass. See What Preflight Checks Validate.


Security & Compliance

Is the audit log tamper-proof?

The audit log uses a SHA-256 hash chain where each entry's hash depends on the previous entry. This makes tampering detectable — any modification breaks the chain. The HMAC key is stored in Windows Credential Manager. Integrity can be verified in the Audit Log Viewer.

Does AppProfileSafe send data externally?

Not by default. If you configure a SIEM endpoint or webhooks (Enterprise Edition), event data is sent to those endpoints. Redaction rules can mask sensitive fields before delivery. In Community Edition, events are written to the local queue but not delivered externally.

Which compliance standards does AppProfileSafe support?

The audit log and compliance reports (Enterprise Edition) are designed to address requirements from GDPR (personal data operation tracking), ISO 27001 (access and change logging), SOC 2 (non-repudiation via hash chain), and HIPAA (immutable audit trail). AppProfileSafe provides the technical controls — mapping to specific compliance requirements is the responsibility of your compliance team.


Troubleshooting

Where do I find log files?

The application log is at %ProgramData%\IT-Consulting Kinner\AppProfileSafe\Log\app.csv by default. Audit logs are in the Audit subfolder. See Where to Find Logs.

How do I create a support bundle?

On the Dashboard, click the Health tile → Diagnose → Export Diagnostics. This creates a ZIP file on your Desktop with logs, configuration, health data, and environment info. See Creating a Diagnostics Bundle.

The GUI shows "Community Edition" even though I have a license.

The license file was not found or failed validation. Check that License.json and AppProfileSafe.pem are in the correct location and review the application log for error codes APS-1000 through APS-1002. See License Troubleshooting.

My scheduled task exits with a non-zero code.

Check the exit code reference: 1 = invalid arguments, 2 = system error, 3 = license error (Enterprise license required for CLI), 4 = SIEM unreachable, 5 = audit integrity failure. Then check app.csv in the log folder for detailed error messages — the log is written regardless of silent mode.

My antivirus is blocking AppProfileSafe.

AppProfileSafe performs high-volume file I/O and registry operations that may trigger behavioral detection. Add process and folder exclusions as described in Antivirus / EDR Considerations.