Having not used Windows 7 much (and having skipped over Vista), I was rather surprised to discover that I was unable to locate files that were saved by a particular program. In this case, the program saved the files in its application folder, under %programfiles%.
Now, having no clue about the virtualization in effect, I looked for the files in what I deem to be ‘traditional’ ways (although, I did skip over the obvious).
After the cursory look through the Program Files folder, and a quick attempt at running Windows Search on the same folder, I moved onto things that typically have a better success rate.
Firstly, trying SysInternals Process Monitor – this lovely program will identify file and registry activity filtered by specific parameters. To my surprize however, it showed that the files I was looking for were being accessed from the %programfiles% folder (even though there were no files there).
My next idea of files hidden with rootkits was easily disproven, but left me no closer to finding the files I sought.
At the time, I found it interesting to note that deleting the folder (in %programfiles%) that I expected to contain the files, did in fact make them inaccessible to the program that was using them. However, recreating that (empty) folder, once again made the files accessible.
It was quite some time before I came across the solution – Windows 7 (and Vista) do not allow programs to save data in the %programfiles% folder – instead a virtualization driver stores the files under the user’s profile. This results in files saved by the program to %programfiles% ending up in: %username%\AppData\Local\VirtualStore\
It should be mentioned, that the way I eventually found the files in question was by doing a full drive search by date modified and the folder name (both of which I knew – although, I did not know the file names).
Microsoft has sufficiently detailed notes on VirtualStore http://support.microsoft.com/kb/927387
As often seems to be the case, a simple lack of knowledge makes it exceptionally difficult to solve a simple problem. Not knowing about the virtualization makes it very unlikely that one will come across it by chance.