AlexCrane-1485 asked (edited):

Starting a process in an AppContainer from a service (LOCAL_SYSTEM)

Hello,

I am trying to run a process in an AppContainer. This process is created from a service, so it is in session 0 running as LOCAL_SYSTEM.

I have also tried CreateProcessAsUser to run it as LOCAL_SERVICE (also in session 0) and it doesn't work.

If I use WTSQueryUserToken to get the token of a logged in user, the process in the AppContainer does work. Also if I run my code as a logged in user rather than from a service, it works.

Finally, curiously, running "cmd.exe" as the process in the AppContainer works in all cases. But "powershell.exe" does not, and "java.exe --version" does not. With the latter I have ensured that the correct ACL (read/execute) is set on JAVA_HOME (and, as mentioned, all of these cases work when run as a logged-in user).

In the cases where the processes don't work, the error code is 0xC0000142.

What am I missing here? Do AppContainers not work with services by design? Is there any way I can get better debug output on why the processes are failing to start? I'm presuming a file permission issue on a runtime dependency, but what it could be is beyond me.

Thanks,
Alex



Appendix:
cmd.exe
- LOCAL_SYSTEM - yes
- LOCAL_SERVICE - yes
- logged in admin - yes

powershell.exe
- LOCAL_SYSTEM - no
- LOCAL_SERVICE - no
- logged in admin - yes

java.exe --version
- LOCAL_SYSTEM - no
- LOCAL_SERVICE - no
- logged in admin - yes

windows-app-sdk

@AlexCrane-1485 Hope you are well. Have you checked @XiaopoYang-MSFT 's reply? Is it helpful to your issue?

AlexCrane-1485 answered (edited):

Thank you, yes, further investigation with procmon showed it was user32.dll that was failing to initialise.

This led me to various forum posts about increasing the size of the non-interactive desktop heap. This unfortunately did not work.

What I found did work was that the AppContainer needed to have read access assigned to it for session 0's desktop and winstation. Presumably it was this lack of access (by design with AppContainers? But perhaps interactive desktops have the "ALL APPLICATION PACKAGES" group?) which meant that desktop heap allocations failed.

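The fix described in the answer above, as an added example that is not code from this thread: a C# helper (run inside the service, so it operates on the service's own window station and desktop, which a CreateProcess child inherits unless lpDesktop is set) that appends a read-allow ACE for an AppContainer SID to both objects via GetUserObjectSecurity/SetUserObjectSecurity. The package SID is assumed to be the one obtained when the AppContainer profile was created; S-1-15-2-1 (ALL APPLICATION PACKAGES) is the broad fallback and grants the access to every AppContainer on the box.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.AccessControl;
using System.Security.Principal;

static class AppContainerDesktopAccess
{
    const int DACL_SECURITY_INFORMATION = 0x4;
    const uint GENERIC_READ = 0x80000000; // mapped by user32 to the winstation/desktop read rights

    [DllImport("user32.dll", SetLastError = true)] static extern IntPtr GetProcessWindowStation();
    [DllImport("user32.dll", SetLastError = true)] static extern IntPtr GetThreadDesktop(uint threadId);
    [DllImport("kernel32.dll")] static extern uint GetCurrentThreadId();
    [DllImport("user32.dll", SetLastError = true)]
    static extern bool GetUserObjectSecurity(IntPtr hObj, ref int si, byte[] sd, int len, out int needed);
    [DllImport("user32.dll", SetLastError = true)]
    static extern bool SetUserObjectSecurity(IntPtr hObj, ref int si, byte[] sd);

    // Reads the DACL of a user object (window station or desktop), appends an
    // access-allowed ACE for `sid`, and writes the DACL back. Existing ACEs are kept.
    static void GrantRead(IntPtr hObj, SecurityIdentifier sid)
    {
        int si = DACL_SECURITY_INFORMATION;
        // First call with no buffer only reports the required size (fails with ERROR_INSUFFICIENT_BUFFER).
        GetUserObjectSecurity(hObj, ref si, null, 0, out int needed);
        var buf = new byte[needed];
        if (!GetUserObjectSecurity(hObj, ref si, buf, buf.Length, out needed))
            throw new Win32Exception();

        var sd = new RawSecurityDescriptor(buf, 0); // self-relative descriptor returned by user32
        var dacl = sd.DiscretionaryAcl ?? new RawAcl(RawAcl.AclRevision, 1);
        // Appending an allow ACE keeps canonical order (denies stay ahead of allows).
        dacl.InsertAce(dacl.Count, new CommonAce(AceFlags.None, AceQualifier.AccessAllowed,
            unchecked((int)GENERIC_READ), sid, false, null));
        sd.DiscretionaryAcl = dacl;

        var outBuf = new byte[sd.BinaryLength];
        sd.GetBinaryForm(outBuf, 0);
        if (!SetUserObjectSecurity(hObj, ref si, outBuf))
            throw new Win32Exception();
    }

    static void Main(string[] args)
    {
        // Assumption: args[0] is the package SID string (S-1-15-2-...) of the AppContainer the
        // service launches into; with no argument fall back to ALL APPLICATION PACKAGES.
        var sid = new SecurityIdentifier(args.Length > 0 ? args[0] : "S-1-15-2-1");
        GrantRead(GetProcessWindowStation(), sid);
        GrantRead(GetThreadDesktop(GetCurrentThreadId()), sid);
    }
}
```

Prefer the specific package SID over S-1-15-2-1 so that only the intended container gains access to the service's winstation and desktop; the change is not persistent and must be redone each time the service's window station is created.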

XiaopoYang-MSFT answered:

According to the question, some Dynamic Link Libraries which powershell.exe loaded need desktop heap to function.
