Service: Best-effort grant of VMWP access to user-supplied VHDs#40485
Open
Copilot wants to merge 1 commit into
Open
Service: Best-effort grant of VMWP access to user-supplied VHDs#40485Copilot wants to merge 1 commit into
Copilot wants to merge 1 commit into
Conversation
2 tasks
Copilot
AI
changed the title
[WIP] Fix access denied error for custom kernel modules in WSL 2.7.3.0
Fix custom kernel modules VHD boot ACL grant for user-profile paths
May 10, 2026
benhillis
force-pushed
the
copilot/fix-wsl-access-denied-error
branch
from
2e27dbe to
56bac44
Compare
benhillis
changed the title
Contributor
There was a problem hiding this comment.
Pull request overview
Note
Copilot was unable to run its full agentic suite in this review.
Aligns WSL VM boot-time behavior to grant HCS/VMWP access for user-supplied VHD paths (notably under C:\Users\...) to prevent E_ACCESSDENIED during VM creation, and updates Windows tests to cover the user-profile repro scenario.
Changes:
- Add optional pre-start
GrantVmAccessto SCSI VHD attach flow and trackAccessGrantedfor teardown. - Extend test config generation to support
systemDistro=.... - Update the existing custom VHD test to place VHDs under the user profile and harden cleanup.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| test/windows/UnitTests.cpp | Updates/renames the test to stage VHDs under the user profile and remove ACL entries to reproduce the regression. |
| test/windows/Common.h | Adds systemDistro to the test config defaults struct. |
| test/windows/Common.cpp | Emits systemDistro=... into generated .wslconfig content for tests. |
| src/windows/service/exe/WslCoreVm.cpp | Adds optional pre-start VM access grant when attaching VHDs and records access-granted state for later revoke. |
benhillis
force-pushed
the
copilot/fix-wsl-access-denied-error
branch
from
56bac44 to
8787a50
Compare
benhillis
force-pushed
the
copilot/fix-wsl-access-denied-error
branch
from
8787a50 to
99d61b1
Compare
benhillis
force-pushed
the
copilot/fix-wsl-access-denied-error
branch
from
99d61b1 to
e57a596
Compare
benhillis
force-pushed
the
copilot/fix-wsl-access-denied-error
branch
from
e764ae1 to
e22f943
Compare
benhillis
changed the title
benhillis
force-pushed
the
copilot/fix-wsl-access-denied-error
branch
from
e22f943 to
23b0efe
Compare
benhillis
force-pushed
the
copilot/fix-wsl-access-denied-error
branch
from
23b0efe to
11d834a
Compare
benhillis
force-pushed
the
copilot/fix-wsl-access-denied-error
branch
from
11d834a to
5bd8d73
Compare
HCS fails with E_ACCESSDENIED when starting a VM whose user-supplied kernelModules or systemDistro VHDs live somewhere VMWP cannot read (e.g. under the user profile). Eagerly call HcsGrantVmAccess on those paths while impersonating the user, before the VM is started. The grant is best-effort: it requires WRITE_DAC on the file (typically via ownership), which the impersonated user may lack for VHDs they only have READ access to (e.g. SYSTEM-owned VHDs reachable via inherited folder ACLs). Failures are logged via CATCH_LOG; if VMWP truly cannot read the VHD, StartComputeSystem will still surface a clear E_ACCESSDENIED. Adds two regression tests: - CustomVhdsInUserProfile: VHDs under %TEMP%, exercises the grant path. - CustomVhdsAccessibleViaInheritedAcls: VHDs in the install dir launched as a non-elevated user, exercises the swallowed-grant-failure path. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
benhillis
force-pushed
the
copilot/fix-wsl-access-denied-error
branch
from
5bd8d73 to
a2d62d5
Compare
Member
|
/azp run |
|
Azure Pipelines successfully started running 1 pipeline(s). |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
HCS fails with
E_ACCESSDENIEDwhen starting a VM whose user-suppliedkernelModulesorsystemDistroVHDs live somewhere VMWP cannot read (e.g. under the user profile). Eagerly callHcsGrantVmAccesson those paths while impersonating the user, before the VM is started.The grant is best-effort: it requires
WRITE_DACon the file (typically via ownership), which the impersonated user may lack for VHDs they only have READ access to (e.g. SYSTEM-owned VHDs reachable via inherited folder ACLs). Failures are logged viaCATCH_LOG; if VMWP truly cannot read the VHD,StartComputeSystemwill still surface a clearE_ACCESSDENIED.Tests
CustomVhdsInUserProfile: VHDs under%TEMP%, exercises the grant path.CustomVhdsAccessibleViaInheritedAcls: VHDs in the install dir launched as a non-elevated user, exercises the swallowed-grant-failure path.