WebView2 can't run as SYSTEM - CreateCoreWebView2Controller fails with error 0x800700aa - The requested resource is in use. #1907
Comments
I have noticed this issue as well when I upgraded to the latest WebView2 runtime. I was using WebView2 in a credential provider (same as @yuriy-sha) when it stopped working after the update. Same error and everything; the only difference is that I'm running the credential provider on Windows 11 and not Windows 10. I also think it's worth noting that it doesn't seem to be the credential provider that's at fault here, since I tested running a WebView2 application as SYSTEM by using Process Hacker and it yielded the same result.
I did some more digging and found out that the
Hey @yuriy-sha and @Teitoku42 - I found the change that introduced this behavior, and it looks like it was checked in for security reasons. I'll see if we can either turn it off when running as WebView2 or maybe give app devs a way to turn off this check. Thanks!
What is the check inside base::win::IsCurrentProcessRunningAsLocalSystem? I tried impersonation but it didn't work for me.
@niryanowsky Here is the pseudocode for IsCurrentProcessRunningAsLocalSystem:
After discussing this further with our security team, we've come to the decision to continue to disallow running WebView2 in the context of SYSTEM, as this poses too great a risk if compromised. We won't be doing a quick workaround like a flag at this time. However, we are looking into other solutions for this scenario. Many apologies for this disruptive change; we should have blocked this sooner.
@champnic Thanks for the feedback.
I was facing the exact error when I was trying to launch a webview2 from a Credential Provider. I have an urgent requirement to run webview2 as the system user for a credential provider, so kindly tell me whether there is any workaround for achieving it.
Hi, @champnic To follow up on this topic. The security concern is understandable. At the same time, there are important cases such as SBL (aka Prelogon) which require use of the CredentialsProvider framework. Preventing the use of webview in cases like Prelogon or other CredentialsProvider-based cases makes it impossible to offer web-based OIDC/SAML. Could there be a reconsideration of the security concern, and can the Microsoft team allow usage of webview with the system user to address such specific scenarios? Resorting to an IE-based webview or using special non-OIDC or non-SAML-based AAA flows are really cumbersome workarounds.
Yes, we are considering what the path forward is here. One potential option is to make enabling running as SYSTEM an opt-in option/flag, so that we know the dev is purposefully choosing to enable this behavior and is hopefully doing it while aware of the security implications of running potentially untrusted code.
Hi, @champnic Thank you! How can we stay informed on the progress of such a decision and whether/when it can be made?
We'll use this issue to track and update when we have more info. We haven't dug into this issue deeply yet, but it's relatively high on our backlog. Thanks!
Thank you @champnic! I will continue watching this issue for updates. Hopefully, the Webview2 team will be able to offer an opt-in mechanism soon!
Hi, @champnic After having spent a month disabling and preventing all the "dangerous" things, the idea of an opt-in option/flag is a possibility, with a large WARNING sign attached. I would like to suggest another alternative: how about "downgrading" the access token to a "safer" token? One could, for example, remove all the Administrator privileges, here in a shorter "pseudocode" form: And since your WebView2 UI Thread is single-threaded, you could use the lesserToken for impersonation: Please consider, and I hope the WebView2 Team can find a compromise that makes the Security Group happy,
Thanks for the suggestions here @lightheart33 - we'll consider this when we start working on this scenario.
@champnic Thank you @lightheart33: it would have been great if this solution had been there from the beginning!
@champnic
Has anyone found any alternative to run from the system user?
@mpalanis Unfortunately not, and I have tried many things with access tokens.
Hello all, so upon further investigation it seems like a switch/command-line arg that enables this may have already been implemented. Try running your WebView2 applications with the following. If the issue still persists, could you provide a repro application where this issue is present? It would be helpful to understand your use case.
Hello @tochukwulbeEkeo, Thanks a lot for looking into this, but be warned, it might not be easy. I have tried your suggestion with --enable-features=allow-run-as-system. The use case, simply explained: Observations: At one time I thought it could perhaps not create the EBWebView, so I started it with a User Data Folder under C:\Windows\Temp\Testfolder, and starting the application in Windows prelogon it creates the EBWebView folder. Another clue could be what @yuriy-sha wrote in the beginning, for I have been able to reproduce this myself with SDK: I cannot seem to get closer to the WebView2 version where the issue was built in, as I don't have the fixed version. Please write if I can provide any other relevant information, or trying out things...
@tochukwulbeEkeo: Instructions: To reproduce the issue, you need a Windows Credential Provider:
Select Guest and Press the Arrow => Opens up a command prompt in system context: Observation: This system user has less privileges than a system user opened with psexec inside an Administrator session.
Now we need an Application with WebView2, we can just use the one from the MicrosoftEdge/WebView2Samples,
Close afterwards the WebView2APISample.exe again, and delete folder
Observation: It created a folder WebView2APISample.exe.WebView2\EBWebView2, but which only has a Crashpad folder.
The result is unfortunately the same, and as you can clearly see the error is 0x80080005. I hope this helps in locating and solving the real issue.
Hello all. A quick progress update. First off, I made a mistake when explaining how to specify the flag that allows you to run WebView2 as system. The proper command line flag/switch usage is as follows: This should already work if all you need to do is run as system under the context of a logged-in user. However, for those building credential providers where there is no logged-in user, other issues still exist. We are currently working on resolving them.
Hello, quick questions for those of you who are building Credential Providers. How essential is being able to download content to the user's machine, and what kind of data are you planning to download?
It's very important to download content, with the page having access to websockets.
Hello,
I could be mistaken, but WebSocket usage shouldn't require access to store data as a file in a directory on the user's machine. If your use case does require this, could you elaborate on the type of data you will be storing, and why you need to persist it on the user's machine @AndrewMagpie.
I need to connect to a web service that has page content and status updates by WebSockets.
Could you let us know what the MSFT team is prepared to support? :) But perhaps there could be cases where some writing to a temp file (perhaps with explicit (non-DPAPI) crypto for extra protection)...
Hey, there will be no support for downloads to the user's machine.
@tochukwuIbeEkeocha Is there any updated documentation you can point to that will outline what is/isn't allowed with webview2 when used in a credential provider?
Hello everyone. After talking about all the risks and intended features, we have unfortunately decided not to support this use case at all. Third party credential providers are not supposed to be able to implement custom UI; rather, you are encouraged to use the built-in APIs that the Credential Provider feature exposes. See these for example: ICredentialProvider and ICredentialProviderCredential
@tochukwuIbeEkeocha Does the switch --allow-run-as-system remain or will it be removed?
@rruprai1 From what I understand the flag will remain; however, it isn't intended to and does not provide support for running WV2 as a credential provider.
@tochukwuIbeEkeocha Thanks for that info. What would be MS guidance for creating a credential provider that supports OIDC?
"Third party credential providers are not supposed to be able to implement custom UI" Yet Microsoft themselves do it with Web-based logon?
@Teitoku42 What's the level of support then for Edge to be run in the logon process, not to log into Windows, but to fetch tokens for a 3rd party app?
Not currently supported. We've reached out to the credential provider folks for more details on these scenarios, but have yet to hear back from them.
@tochukwuIbeEkeocha and @champnic
@manoharc1999 The documentation is correct. Due to security concerns, we are not planning to add official support for that flag, and recommend you don't use it.
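An added defender-side check, not code from this thread or from the WebView2 project: it scans constructed process-creation records for msedgewebview2.exe started with the unsupported run-as-SYSTEM switch (in either of the two forms mentioned above) while actually running as LocalSystem, and calls out a LogonUI.exe parent, which is what the credential-provider scenario discussed here implies. The record layout, paths and account names are assumptions made for the sample.

```python
import re

# Constructed sample process-creation records in a simplified Sysmon-style
# "Key: Value" layout (not real telemetry); records are separated by "---".
SAMPLE_EVENTS = r"""
Image: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\95.0.1020.40\msedgewebview2.exe
CommandLine: msedgewebview2.exe --allow-run-as-system --user-data-dir=C:\Windows\Temp\wv2
User: NT AUTHORITY\SYSTEM
ParentImage: C:\Windows\System32\LogonUI.exe
---
Image: C:\Program Files (x86)\Microsoft\EdgeWebView\Application\95.0.1020.40\msedgewebview2.exe
CommandLine: msedgewebview2.exe --user-data-dir=C:\Users\alice\AppData\Local\MyApp
User: DESKTOP-1\alice
ParentImage: C:\Users\alice\MyApp.exe
"""

# Both forms of the switch mentioned in the thread: the bare switch and the feature-flag form.
FLAG_RE = re.compile(r"(?:^|\s)--(?:allow-run-as-system|enable-features=\S*allow-run-as-system)\b")
SYSTEM_ACCOUNTS = {"nt authority\\system", "s-1-5-18"}  # LocalSystem by name or by SID

def parse_events(text):
    # One dict per record; the key is the text before the first ": " on each line
    events = []
    for chunk in text.strip().split("---"):
        ev = dict(line.partition(": ")[::2] for line in chunk.strip().splitlines())
        if ev:
            events.append(ev)
    return events

def has_run_as_system_flag(cmdline):
    return FLAG_RE.search(cmdline) is not None

def is_local_system(user):
    return user.strip().lower() in SYSTEM_ACCOUNTS

def evaluate(text):
    # Report WebView2 browser processes that actually run as SYSTEM with the switch set
    findings = []
    for ev in parse_events(text):
        image, cmd = ev.get("Image", "").lower(), ev.get("CommandLine", "")
        if not image.endswith("msedgewebview2.exe") or not has_run_as_system_flag(cmd):
            continue  # not WebView2, or a normal start without the switch
        if not is_local_system(ev.get("User", "")):
            continue  # switch present but ineffective: the process is not LocalSystem
        parent = ev.get("ParentImage", "")
        note = "web content rendered as SYSTEM via the unsupported switch"
        if parent.lower().endswith("logonui.exe"):
            note += " from the logon (credential provider) process"
        findings.append({"severity": "high", "parent": parent, "note": note})
    return findings
```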
@champnic For my application I'm trying to launch a WebView2 window in the background even before the user logs in. And this worked only when I passed the above flag. If there is any alternative approach for this I would be very happy to know.
@champnic & @tochukwuIbeEkeocha
@champnic & @tochukwuIbeEkeocha Hopefully this flag could be under official support but enabled only by the developer's choice.
I would be open to knowing if there are any workarounds for loading a web app before the user logs in. My web app does not have any UI and will run in the background.
I had a similar issue. I moved away from WebView2 to CEF.
Unfortunately migrating to CEF is not a solution for me.
Description
I was trying to launch the WebView2 from the credential provider (LogonUI) process (which is executed in the context of SYSTEM user) and noticed that it stopped working recently.
I am getting the following error in the callback while calling the method CreateCoreWebView2Controller: 0x800700aa - The requested resource is in use.
However, the same stuff works perfectly when executed in the context of the logged-in user.
There is no issue if I downgrade WebView2 Runtime to the older version 94.0.992.31.
Note: CreateCoreWebView2EnvironmentWithOptions is called with nullptr for browserExecutableFolder and nullptr for environmentOptions parameters. userDataFolder points to the directory in the Local App Data folder.
Passing nullptr for userDataFolder parameter does not help unfortunately - the same issue persists.
Could you please help me to understand what's wrong and how I can fix it on my side?
Version
SDK: 1.0.1020.30
Runtime: 95.0.1020.40
Framework: Win32
OS: Win10
AB#37319893