[Problem/Bug]: --disable features=RenderCodeIntegrity, starting from v118 version, no longer functional #4094

Closed
sln162 opened this issue Oct 24, 2023 · 10 comments
@sln162

sln162 commented Oct 24, 2023

What happened?

Starting from version 118, the --disable features=RenderCodeIntegrity parameter no longer works, but the RendererCodeIntegrityEnabled registry policy is still valid, so I think this is a regression.
Although I saw the release announcement for v118: The RendererCodeIntegrityEnabled policy is outdated and will be ignored from v119, why did the --disable features=RenderCodeIntegrity parameter cease to work from v118?
v119 removed the RendererCodeIntegrityEnabled policy. So how can users disable RendererCodeIntegrity when encountering this issue?
I have some users, and we have tracked down the event log and found that it was caused by the injection of tsafedoc64.dll. The event file has been uploaded.
evtx.zip

After investigating the cause, it was found that the company they worked for had installed the IP-guard SafeDoc software, which is a file encryption and protection program. Users of the company's computers were not allowed to uninstall it, and when I searched for tsafedoc64.dll on the search engine, I found that many users had encountered the same problem. Their Edge could not be opened, and many solutions were also the RendererCodeIntegrityEnabled policy. Now that v119 is going to be removed, where will they go?

Importance

Important. My app's user experience is significantly compromised.

Runtime Channel

Stable release (WebView2 Runtime)

Runtime Version

118.0.2088.61

SDK Version

1.0.2045.28

Framework

Winforms

Operating System

Windows 10

OS Version

No response

Repro steps

From http://www.hailong-info.com/server/test.html#downlaod, download the trial version using IP guard SafeDoc. After installation, there will be a Create Client Installation program on the Start menu. After creation, run the Install Client and restart the computer.
After WV2 initialization, the process immediately exited with ExitCode=-1073740760, and the integrity check did not pass.

Regression

Regression in newer Runtime

Last working version (if regression)

117.0.2045.60

@sln162 sln162 added the bug Something isn't working label Oct 24, 2023
@sln162
Author

sln162 commented Oct 24, 2023

Use WEBVIEW2_RELEASE_CHANNEL_PREFERENCE, tested many WV2 versions, the stable version v118, --disable features=RenderCodeIntegrity does not work, but the RendererCodeIntegrityEnabled strategy still works.
Beta and Dev will crash, --disable features=RenderCodeIntegrity, and the RendererCodeIntegrityEnabled strategy will not work.
Canary can be initialized normally without crashing, ver: 120.0.2173.0, why? Have you noticed this problem? @LiangTheDev

@victorhuangwq
Collaborator

victorhuangwq commented Oct 24, 2023

@vbryh-msft could you take a look at this?

@LiangTheDev
Member

Short answer: please see this page for how to update IP-Guard to resolve the issue: https://www.tecsols.com/231016-2/.

More details:
You would have a similar issue for Chrome browser (https://bugs.chromium.org/p/chromium/issues/detail?id=1491703&q=status_invalid_image_hash&can=2) and Edge browser.
Chromium removed support for RenderCodeIntegrity in 118 and always enforces it, and therefore --disable features=RenderCodeIntegrity doesn't work anymore. Chromium also always force-enables it and ignores the RendererCodeIntegrityEnabled policy in 118, but Edge delayed it to 119 due to app compat concerns.
Due to all these, we are working on a solution to alleviate the compat problem and try to get things to work automatically. However, the best solution would be for third-party software not to inject DLLs into browser renderer processes.
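
Added example, not part of the thread or the WebView2 project's code: the exit code reported in this issue, -1073740760, is the signed 32-bit form of NTSTATUS 0xC0000428 (STATUS_INVALID_IMAGE_HASH), the status named in the linked Chromium bug. The sketch below decodes exit codes into NTSTATUS fields and flags such exits in constructed log lines; the log format and function names are assumptions.

```python
import re

# NTSTATUS values of interest. 0xC0000428 is reported when the loader rejects
# an image whose signature does not satisfy the process's signing policy.
KNOWN_STATUS = {
    0xC0000428: "STATUS_INVALID_IMAGE_HASH",
    0xC0000005: "STATUS_ACCESS_VIOLATION",
}
SEVERITY = ("SUCCESS", "INFORMATIONAL", "WARNING", "ERROR")


def decode_exit_code(exit_code: int) -> dict:
    """Split a (possibly negative) 32-bit exit code into NTSTATUS fields."""
    status = exit_code & 0xFFFFFFFF  # signed int32 -> unsigned 32-bit
    return {
        "hex": f"0x{status:08X}",
        "severity": SEVERITY[status >> 30],       # bits 31-30
        "customer": bool(status & 0x20000000),    # bit 29
        "facility": (status >> 16) & 0x0FFF,      # bits 27-16
        "code": status & 0xFFFF,                  # bits 15-0
        "name": KNOWN_STATUS.get(status, "UNKNOWN"),
    }


# Constructed sample lines in a hypothetical format; the versions and the
# exit code are the ones quoted in the issue.
SAMPLE_LOG = """\
msedgewebview2.exe version=117.0.2045.60 exit=0
msedgewebview2.exe version=118.0.2088.61 exit=-1073740760
msedgewebview2.exe version=118.0.2088.61 exit=-1073740760
"""

LINE_RE = re.compile(r"^(\S+) version=(\S+) exit=(-?\d+)$")


def code_integrity_failures(log_text: str) -> dict:
    """Count exits per (process, version) that decode to STATUS_INVALID_IMAGE_HASH."""
    hits = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that are not in the assumed format
        key = (m.group(1), m.group(2))
        if decode_exit_code(int(m.group(3)))["name"] == "STATUS_INVALID_IMAGE_HASH":
            hits[key] = hits.get(key, 0) + 1
    return hits


if __name__ == "__main__":
    print(decode_exit_code(-1073740760))
    print(code_integrity_failures(SAMPLE_LOG))
```
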

@sln162
Author

sln162 commented Oct 25, 2023

@LiangTheDev At that time, I asked the client that their IP Guard is the latest version v4.8.1

Edge and WV2 have different performances. Whether it is the stable version or Dev, Beta, or Canary, Edge can run normally, with an incompatible page flashing by and then running normally. Edge excels in this aspect compared to Chrome, which always displays crash pages, and the Canary channel is the same.
WV2 only runs normally through the Canary channel, and other versions cannot. v118 has removed the support for disable features=RenderCodeIntegrity, but retains the RenderCodeIntegrityEnabled policy. Beta's v119 did indeed remove the RenderCodeIntegrityEnabled policy and can only be initialized successfully through --no-sandbox. Although it is not secure, there is another way to set the compatibility mode of msedgewebview2.exe to Win8RTM, but the settings will be deleted after each initialization.
I have been researching for two days and I understand everything you said, but I am not sure if you understand the test results I mentioned. I think WV2 should have the same performance as Edge, and I am worried about the upcoming v119 version of WV2. What should I do?

@LiangTheDev
Member

@sln162 for IP Guard, if we see WebView2 behave differently than Edge/Chrome browser, it would mean that they only did something for chrome.exe and msedge.exe and missed msedgewebview2.exe. You might want to send feedback to IP Guard. It would be an easy change for them if they already did it for the browser.

@sln162
Author

sln162 commented Oct 28, 2023

@LiangTheDev I will try to contact them, but I think if it is the targeted processing done by them, they should not only focus on Edge special processing and ignore Chrome, so I always thought it was an additional processing from Edge. Thank you for your patience in answering.

@LiangTheDev
Member

@sln162, it seems that the issue for WV2 with IP Guard should have been resolved in the latest version (4.82?). Could you please advise the customer to update to the latest and try again?

@sln162
Author

sln162 commented Oct 31, 2023

@LiangTheDev Thank you for your quick response. After testing the IP Guard upgrade to v4.82, the issue has been resolved. The v118 version of WV2 no longer encounters the crash condition of ExitCode == -1073740760.

In addition, Beta (119.0.2151.38) still encounters a crash issue, and RendererCodeIntegrityEnabled does not work. Dev (120.0.2172.1)/Canary (120.2194.0) can be initialized normally, and will not encounter the crash condition of ExitCode == -1073740760, which is the same as the stable version of v118.
This is Edge Beta
image

@LiangTheDev
Member

@sln162 did you test 119 and 120 on the same device, or was 119 tested on an enterprise device where group policy RendererCodeIntegrityEnabled was applied to the domain-joined machine while 120 was tested on a consumer device (where there is no domain)? We expect 119 to behave the same as 120.

@sln162
Author

sln162 commented Nov 1, 2023

@LiangTheDev I received an official response from IP guard, who stated that my IP guard version (4.82.610.0) is not the latest yet. I downloaded their latest version 4.82.624.0 again and upgraded the client to this version, which resolved the issue; Edge Beta version no longer crashes.

@sln162 sln162 closed this as completed Nov 2, 2023