Starting a process in an AppContainer from a service (LOCAL_SYSTEM)

Alex Crane 96 Reputation points
2021-09-17T10:25:50.1+00:00

Hello,

I am trying to run a process in an AppContainer. This process is created from a service, so is in session 0 running as LOCAL_SYSTEM.

I have also tried CreateProcessAsUser to run it as LOCAL_SERVICE (also in session 0) and it doesn't work.

If I use WTSQueryUserToken to get the token of a logged in user, the process in the AppContainer does work. Also if I run my code as a logged in user rather than from a service, it works.

Finally, curiously running "cmd.exe" as the process in the AppContainer works in all cases. But "powershell.exe" does not and "java.exe --version" does not. With the latter I have ensured that the correct ACL (read/execute) is set on JAVA_HOME (and as mentioned, all of these cases work when run as a logged in user)

In the cases where the processes don't work the error code is 0xC0000142

What am I missing here? Do AppContainers not work with services by design? Is there any way I can get better debug on why the processes are failing to start? I'm presuming a file permission issue on a runtime dependency, but what it could be is beyond me

Thanks,
Alex

Appendix:
cmd.exe

  • LOCAL_SYSTEM - yes
  • LOCAL_SERVICE - yes
  • logged in admin - yes

powershell.exe

  • LOCAL_SYSTEM - no
  • LOCAL_SERVICE - no
  • logged in admin - yes

java.exe --version

  • LOCAL_SYSTEM - no
  • LOCAL_SERVICE - no
  • logged in admin - yes
Windows App SDK
Windows App SDK
A set of Microsoft open-source libraries, frameworks, components, and tools to be used in apps to access Windows platform functionality on many versions of Windows. Previously known as Project Reunion.
814 questions
{count} votes

Accepted answer
  1. Alex Crane 96 Reputation points
    2021-10-22T18:17:11.31+00:00

    Thank you, yes further investigation with procmon showed it was user32.dll that was failing to initialise

    This led me to various forum posts about increasing the size of the non-interactive desktop heap. This unfortunately did not work.

    What I found did work was that the AppContainer needed to have read access assigned to it for session 0s desktop and winstation. Presumably it was this lack of access (by design with AppContainers? But perhaps interactive desktops have the "ALL APPLICATION PACKAGES" group??) which meant that desktop heap allocations failed


1 additional answer

Sort by: Most helpful
  1. Deleted

    This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.


    Comments have been turned off. Learn more

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.