Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Support AppLocker

See original GitHub issue

=> done - not fixed, seems to be even worse, as VSCode does only show black Window when started as admin.

VSCode Version: 1.52.0, Electron 9.3.5
OS Version: 2004

Steps to Reproduce:

Activate AppLocker with Default Rules
Start VSCode elevated
Look at the AppLocker Logs - you will see 50/50 denied/allowed events: Good and normal: %OSDRIVE%\USERS\ADMIN\APPDATA\LOCAL\PROGRAMS\MICROSOFT VS CODE INSIDERS\CODE - INSIDERS.EXE was allowed to run. Bad: %OSDRIVE%\USERS\ADMIN\APPDATA\LOCAL\PROGRAMS\MICROSOFT VS CODE INSIDERS\CODE - INSIDERS.EXE was prevented from running.

Does this issue occur when all extensions are disabled?: Yes

Problem seems to be the way code.exe does launch itself on startup, using the API CreateProcessAsUserW() (50%) in a special way. (dwCreationFlags as per debug: 0x8040c + dwflags of startupinfo 0x180) But this seems not to be the only differnence as this is not causing an issue on a little test-program. The (and those are the allowed events) process creates which are done using API CreateProcessW() (50%) do not cause an issue.

Issue Analytics

State:
Created 3 years ago
Reactions:4
Comments:7 (1 by maintainers)

Top GitHub Comments

4reactions

vscode-triage-botcommented, Dec 18, 2020

This feature request is now a candidate for our backlog. The community has 60 days to upvote the issue. If it receives 20 upvotes we will move it to our backlog. If not, we will close it. To learn more about how we handle feature requests, please see our documentation.

Happy Coding!

0reactions

altoniuscommented, Apr 27, 2021

I agree with you that we should not run vscode as Admin.

Any documentation that highlights this would be appreciated.

On Wed, 28 Apr 2021, 05:48 Chuck Lantz, @.***> wrote:

@altonius https://github.com/altonius Yes, but we wouldn’t want to run this way by default unfortunately. While --no-sandbox might be a reasonable workaround in some cases, doing that does have a security impact. This only seems to occur when running as admin, which we generally do not recommend doing since this would also give anything you run rights to modify things like the contents of the Windows folder without your knowledge. VS Code has built-in escalation support save operations that need to updating files that require escalated administrator privileged files on an as-needed basis for this reason.

Under the hood, VS Code uses Electron which in turn uses Chromium so the problem is the same. I don’t believe there’s another resolution here since this seems very specific to running as admin with AppLocker like Chrome. We could in concept document it, but honestly this setup adds risk on its own.

Thoughts on documenting @kieferrm https://github.com/kieferrm @chrisdias https://github.com/chrisdias given risks?

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/microsoft/vscode/issues/112538#issuecomment-827881495, or unsubscribe https://github.com/notifications/unsubscribe-auth/ABQ4QBHFGZ2NJWAMZ5AJWBDTK4IJDANCNFSM4U4AMD5A .