Add admin protection error message for shadow admin scenarios#40170
Open
Contributor
Pull request overview
Note
Copilot was unable to run its full agentic suite in this review.
Adds clearer user-facing guidance for “shadow admin” scenarios when Windows Admin Protection causes WSL distributions to appear missing under the elevated token.
Changes:
- Adds Admin Protection-aware messaging when a named distro isn’t found and when no distros are registered.
- Introduces `IsAdminProtectionEnabled()` helper in `WslSecurity` that detects shadow admin mode via a dynamically loaded API.
- Adds a new localized string resource for the Admin Protection informational message.
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| src/windows/service/exe/LxssUserSession.cpp | Attempts to surface an Admin Protection info message when a requested distro name can’t be found. |
| src/windows/common/wslutil.cpp | Extends GetErrorString() to prepend Admin Protection info when no default distro is found. |
| src/windows/common/WslSecurity.h | Declares new IsAdminProtectionEnabled() API. |
| src/windows/common/WslSecurity.cpp | Implements Admin Protection detection (elevation + dynamically loaded shadow admin check). |
| localization/strings/en-US/Resources.resw | Adds MessageAdminProtectionEnabled localized string. |
4824178 to 424f4dc
424f4dc to 8bcabe1
8bcabe1 to 5951c58
added 2 commits
April 13, 2026 12:51
When Windows Admin Protection is enabled, the elevated process runs as a shadow admin with a different SID, so distributions registered under the real user are not visible. Surface an informational message in two cases:
1. Launching a distribution by name that is not found (WSL_E_DISTRO_NOT_FOUND)
2. Listing distributions when none are registered (WSL_E_DEFAULT_DISTRO_NOT_FOUND)
5951c58 to 84407b1
OneBlue
previously approved these changes
Apr 13, 2026
benhillis
commented
Apr 13, 2026
| bool IsAdminProtectionEnabled() | ||
| { | ||
| const auto token = wil::open_current_access_token(); | ||
| if (!wsl::windows::common::security::IsTokenElevated(token.get())) |
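Review bot: `IsAdminProtectionEnabled()` takes no arguments and opens the current access token on its first line, so the elevation check describes whatever context the call runs in rather than a specific client. Because the name reads like a query for a machine-wide setting, consider either taking the token handle as a parameter, or renaming and documenting the helper so it says it reports on the caller's token, and stating what it returns when `IsTokenElevated` is false.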
Member
Author
@OneBlue - Perhaps we should return this error in both cases? (even non-admin)
Collaborator
This would only apply in the case where the user is elevated, right? If the other was not found and the user was non-elevated, then we know for sure that it's a user error, so probably best not to display this imo
When Windows Admin Protection is enabled, the elevated process runs as a shadow admin with a different SID, so distributions registered under the real user are not visible.
This adds an informational message explaining Admin Protection in two cases:
The message links to https://aka.ms/apdevguide for more details.