Pages

Understanding Execution Contexts

AppProfileSafe can run as different Windows principals. Each context determines which registry hives are accessible, how environment variables resolve, and which file system locations can be read or written. Choosing the right context — and sometimes splitting work across multiple contexts — is critical for reliable backup and restore.

SYSTEM Account

Used by: Scheduled Tasks (run as SYSTEM), SCCM task sequences, Intune Win32 apps, MDT steps.

Aspect	Behavior
Registry — HKLM	Full read/write access.
Registry — HKCU	Resolves to the SYSTEM profile (`S-1-5-18`), not the logged-in user. Reading or writing HKCU under SYSTEM captures the wrong data.
Environment variables	`%APPDATA%`, `%LOCALAPPDATA%`, `%USERPROFILE%` resolve to `C:\Windows\system32\config\systemprofile`. User-specific paths are not available.
File system	Full access to `%ProgramData%`, `%ProgramFiles%`, and all user profile folders when referenced by absolute path in app definitions.

Use for: Machine-level exports and imports — HKLM registry keys, ProgramData files, ProgramFiles configuration, shared settings.

Do not use for: Any app definition that references %APPDATA%, %LOCALAPPDATA%, %USERPROFILE%, or HKCU. These resolve to the SYSTEM profile, not the user's profile.

Administrator Account (Elevated)

Used by: Scheduled Tasks with "Run only when user is logged on" and "Run with highest privileges", GPO logon scripts with admin rights, elevated command prompts.

Aspect	Behavior
Registry — HKLM	Full read/write access.
Registry — HKCU	Full read/write access. Resolves to the logged-in user's hive.
Environment variables	All user variables (`%APPDATA%`, `%LOCALAPPDATA%`, `%USERPROFILE%`) resolve correctly to the logged-in user's profile.
File system	Full access to user profile, `%ProgramData%`, `%ProgramFiles%`, and other users' profiles.

Use for: Combined exports/imports that cover both user-level and machine-level data in a single operation. This is the most capable context but requires the user to be logged in.

Limitation: Requires the user to be actively logged in. Cannot run on an idle machine at night unless "Run whether user is logged on or not" is selected — but that switches the context to a non-interactive session where HKCU and user environment variables behave differently (similar to SYSTEM).

Standard User (Non-Elevated)

Used by: GPO logon scripts without elevation, user-triggered batch files, desktop shortcuts.

Aspect	Behavior
Registry — HKLM	Read-only. Write attempts fail with Access Denied.
Registry — HKCU	Full read/write access.
Environment variables	All user variables resolve correctly.
File system	Read/write to own profile only. No access to other users' profiles, `%ProgramFiles%`, or `%ProgramData%` (write).

Use for: User-level imports where no machine-level changes are needed — HKCU registry keys, %APPDATA% files, %LOCALAPPDATA% files. This is the safest context for user self-service restore scenarios.

Limitation: App definitions that write to HKLM or system-level file paths will fail. AppProfileSafe logs access-denied errors per entry but continues with the remaining entries. If your definitions contain a mix of HKCU and HKLM entries, the HKLM entries are skipped with errors.

Context Comparison

Capability	SYSTEM	Admin (elevated)	Standard User
Read HKLM	✓	✓	✓
Write HKLM	✓	✓	✗
Read/Write HKCU (user's hive)	✗ (wrong hive)	✓	✓
`%APPDATA%` resolves to user	✗	✓	✓
Write to `%ProgramFiles%`	✓	✓	✗
Write to `%ProgramData%`	✓	✓	✗
Runs without user logon	✓	✗	✗
UNC credential store	✓ (machine account)	✓ (user account)	✓ (user account)

Key Takeaway