Store WSL isn't accessible from Session 0

[OneBlue]

Version

Multiple versions are affected

WSL Version

• WSL 2
• WSL 1

Kernel Version

No response

Distro Version

No response

Other Software

No response

Repro Steps

Store WSL currently isn't accessible from session 0 contexts.
This means that it's not possible to interact with WSL from remote sessions such as ssh or psremote.

If wsl.exe is called from session 0, it will exit and display:

Access is denied.

on stdout.

[yanorei32]

I think this issue is already tracked internally.
However, this problem continues even now.

Release Notes for Windows Subsystem for Linux in the Microsoft Store

...

Known Issues:

• Launching Windows Subsystem for Linux from session zero does not currently work (for example from an ssh connection).

https://learn.microsoft.com/en-us/windows/wsl/store-release-notes#known-issues

[benhillis]

Known issue, we're working on a solution.

[bagong]

This is a deal breaker for some. Would be nice to get notice when it is solved. Thanks!

[vakata]

Please fix this - I cannot remotely login to WSL using the builtin OpenSSH server, my scheduled tasks also stopped working.

[brentmjohnson]

Impact of this issue is complicated by the fact the store packaged version appears to now be required on the latest windows 11 insiders build (10.0.25267). Still looking for workarounds...

#9355
#9373

[enachi]

Please fix this - I cannot remotely login to WSL using the builtin OpenSSH server, my scheduled tasks also stopped working.

I had to uninstall store version of WSL to be able to run ssh server at system startup again

[bagong]

If policies make it difficult to enable Windows openssh to run WSL, an alternative/workaround might be to run a second openssh server (using a different port) within WSL. At the moment this seems not to be possible. But maybe that possibility can be enabled?

[rfc2119]

I am surprised by this. By default, I can access wsl from the native OpenSSH server by setting HKEY_LOCAL_MACHINE\SOFTWARE\OpenSSH to C:\Windows\System32\wsl.exe. I am using the store version with Ubuntu LTS 22.04

My problem is actually this: every time I initiate a SSH connection, I get a new WSL shell. I am unable to return back to the same session in case of disconnection events; all my background processes are gone. Each connection is therefore a new WSL instance.

Should I open another ticket for this ?

[bagong]

I am surprised by this. By default, I can access wsl from the native OpenSSH server by setting HKEY_LOCAL_MACHINE\SOFTWARE\OpenSSH to C:\Windows\System32\wsl.exe. I am using the store version with Ubuntu LTS 22.04

I've tried it back and forth on different installs several times, and it never worked. It's a few months ago - should it be fixed and noone here knows? Many have the issue, and it's even acknnowledged by MS... Weird!

My problem is actually this: every time I initiate a SSH connection, I get a new WSL shell. I am unable to return back to the same session in case of disconnection events; all my background processes are gone. Each connection is therefore a new WSL instance.

Should I open another ticket for this ?

I don't think so: interrupted ssh sessions are like logoffs, like closing a terminal emulator (historically speaking closing a terminal emulator is like logging off ;-) ) - you wouldn't expect to get your jobs back there, right... You want to look into tmux or something alike. They keep processes running wile you're off, and you can attach back to them from another shell...

[rfc2119]

I've tried it back and forth on different installs several times, and it never worked. It's a few months ago - should it be fixed and noone here knows? Many have the issue, and it's even acknnowledged by MS... Weird!

This looks weird indeed. Let me know if any of you would like more details. I just installed the "Ubuntu" app in the store using a local account.

You want to look into tmux or something alike. They keep processes running wile you're off, and you can attach back to them from another shell

It's exactly that! I don't find my tmux sessions when I log back in. In fact, I don't find the tmux process at all!

[bagong]

It's exactly that! I don't find my tmux sessions when I log back in. In fact, I don't find the tmux process at all!

I have no experience with tmux in WSL, so I can't comment from experience. But I'd think about whether your WSL - instance keeps running all the time, or wheter it has had a "reboot" in your time off - even tmux doesn't survive that ;-) Though maybe it can be made to autostart and continue processes? Dunno. I know that WSL's wakeup behavior from suspend is broken (it was in my version) - maybe another reason why tmux might vanish?

Or maybe you need to start your tmux processes in a local shell and let that run? Maybe you can then attach to running tmux from ssh and not shut WSL down by logging off?

And just to let others know: I did install the MS Store update again, and was immediately cut out of ssh-ing in. Fortunately it is enough to uninstall via the App-Icon that appears after the update, and the previous state returns... (i.e. no total reinstall of WSL required)

And yes, if I started tmux in a local shell and kept it running, I can ssh in and out multiple times and see that tmux live on happily...

Final remark for others like me who didn't realize (what for again others is likely self-evident): if it's just about ssh-ing into a running WSL from the outside (i.e. not about actually "booting" wsl): that is possible with the store version of wsl too. You access the host into a shell that doesn't depend on wsl, and from there you ssh into the running wsl: ssh -p n localhost. I guess sshd inside wsl needs to listen on a different port (n) than "outer"-Window's sshd (edit /etc/ssh/sshd_config). For my requirements that's actually tolerable ;-) , and one might consider the inability to start/stop wsl in a ssh-schell a protection of running processes inside wsl.

[joes]

As @bagong mentioned it is possible to install and run a second OpenSSH server (using a different port) in your WSL instance as a workaround.

This can then be combined with using the ProxyJump directive to transparently connect to the second OpenSSH server by jumping through the win32 OpenSSH server. The directive can be added to the remote system's ~/.ssh/config:

Host openssh_win32
    Hostname your_computer.local
    User windows_username

Host openssh_wsl
   ProxyJump openssh_win32
   User wsl_username
   HostName localhost
   Port 2222

The above example assumes that the second OpenSSH server in wsl is running on port 2222.

Using this configuration it is then possible to connect to the wsl instance via the hostname openssh_wsl:

ssh openssh_wsl

[ParagDoke]

While it is possible to get inside the WSL instance based on the proxy jump idea from @joes, this issue still needs to be fixed for use cases such as attempts to install a new WSL distribution on a remote Windows system over SSH.

In other words anything involving the WSL executable besides getting into an instance.

[yo1dog]

My use case is accessing WSL remotely after a cold boot.

I can turn on the PC remotely via WOL and SSH into a win32 OpenSSH server, but cannot start WSL from said SSH connection (session 0). Nor is it possible to start WSL automatically on boot before a user logs in to Windows (also session 0?). For example, you cannot use Task Scheduler's "Run whether user is logged on or not" option to start wsl.exe.

My workaround has been to use RDP just to login remotely and start WSL (which is started automatically on user login by Task Scheduler). Then I can SSH directly into WSL.

---

Does anyone know of a solution for either remotely initiating a Windows user login or remotely obtaining session 1 without the GUI overhead of the RDP/Remote Desktop app? Ideally command-line only.

[ParagDoke]

@yo1dog In an entirely different context, I know of a solution (batch file) that runs from the command line with GUI overhead, but:

• No certificate prompt on RDP client (no blanket suppression, suppress only for the IP / FQDN of your server)
• No wait on prompt for things like privacy settings, etc ... some 6 radio buttons that appear on an OOB Windows deployment

This batch file uses openssl, sed to obtain, mangle and register the cert hash for a given server to avoid that cert warning.

On the server, I place a different batch file in the Startup folder (your idea uses Task Scheduler). This could use the timeout command to sleep for a bit, and then logoff from the server (to gracefully terminate the RDP client) after your WSL instance has started.

%1 is the IP / FQDN of your server.

openssl s_client -connect %1:3389 < NUL 2>NUL | openssl x509 -fingerprint -noout | sed -e 's/://g' > %TEMP%\%1-rdp-fingerprint.txt
for /f "tokens=2 delims==" %%a in ('type %TEMP%\%1-rdp-fingerprint.txt') do (
    reg add "HKCU\Software\Microsoft\Terminal Server Client\Servers\%1" /v CertHash /t REG_BINARY /d %%a /f
)
start mstsc /f /v %1

To avoid OOB prompts, this needs to run even before the logon:

reg add "HKLM\Software\Policies\Microsoft\Windows\OOBE" /v DisablePrivacyExperience /d 1

For the script to be run at logon, I believe you already have one.

cmdkey /generic:TERMSRV/<IP or FQDN> /user:<username> /pass:<passwd> will let you save the password for logging in using an RDP client automatically.

[gmax9803]

@benhillis Has the team made any progress on this issue? And if not is there any quick fix to make this work?

[arrmo]

Also curious here - this is a bit painful, can't execute a WSL (bash) script from a service (Session ID 0).

Thanks!

[arrmo]

For anyone who ends up finding this and is looking for a quick resolution:

There is a fix in the WSL September 2023 update.

Steps to solve the issue:

1. Upgrade WSL to the latest (pre-release) version with wsl --update --pre-release
2. Point the Task Scheduler executable directly at "C:\Program Files\WSL\wsl.exe". IMPORTANT: There are multiple locations for the WSL executable with this update - the one under Program Files is the only one that will work. ¯_(ツ)_/¯

Confirmed working for me on Win10 and WSL 2.0.1.

Trying this! 😆. This is the one that gives me the error,

Access is denied. 
Error code: Wsl/E_ACCESSDENIED

Not running it from Task Scheduler, rather telegraf (service) is calling it. Different for some reason?

FYI, just tried updating again, but see ...

>wsl --update --pre-release
Checking for updates.
Updating Windows Subsystem for Linux to version: 2.0.2.
Update failed (exit code: 1603).
Log file: C:\Users\micro\OneDrive\DOCUME~1\MobaXterm\slash\micro_russell\var\log\xwin\wsl-install-logs.txt
Error code: Wsl/UpdatePackage/E_ABORT

Thanks!

[OneBlue]

@arrmo: Could you share the log file please ? I'd be curious to see why the installation failed on your machine.

[arrmo]

Absolutely! Here you go,
wsl-install-logs.zip

Let me know if you want me to try anything ... and of course, how to get past the ACCESSDENIED error when running wsl from telegraf 😄

Thanks!

[OneBlue]

@arrmo: You're hitting the elevation issue:

Error 1925. You do not have sufficient privileges to complete this installation for all users of the machine. Log on as administrator and then retry this installation.

Running wsl --update as administrator should solve the issue.

[arrmo]

That was it - thanks! My bad ... I thought I was, wrong window 🤣.

Hmm - wondering if that's somehow related to my telegraf issue (and ACCESSDENIED)? The service runs as Local System Account ... thinking that should be fine?

[arrmo]

And that's it! Service was running as Local System Account ... manually changed it, to my account => works now. Nice!

Thanks for the pointers!

[eur2fe]

When I run WSL 2.0.2 from the local system account it shows

Running WSL as local system is not supported.
Error code: Wsl/WSL_E_LOCAL_SYSTEM_NOT_SUPPORTED

So, running WSL as a service (or task scheduler job) under the local system account is apparently out of the scope of this fix. The supported scenario is to run WSL under a regular user account in session 0.

I can confirm, with WSL 2.0.2, I am able to create a task scheduler job that runs WSL without a user being logged on to the desktop. In our scenario, we run WSL GitHub runners on Windows Server VMs, which can now successfully start up automatically using the user account of a technical user (i.e. using the option -AtStartup):

$trigger = New-ScheduledTaskTrigger -AtStartup
$trigger.Delay = "PT60S"

$action = New-ScheduledTaskAction -Execute "C:\Program Files\WSL\wsl.exe" -Argument "-- /bin/bash -i ~/runners/some-runner/actions-runner/run.sh"
Register-ScheduledTask -TaskName "Start WSL GitHub Runner" -User "some-user" -Password "some-password" -Action $action -Trigger $trigger

Thanks for making this work, @OneBlue!

[arrmo]

So, running WSL as a service (or task scheduler job) under the local system account is apparently out of the scope of this fix. The supported scenario is to run WSL under a regular user account in session 0.

Just to make sure I understand 🤣. So you see the same as I noted above - you can't run this as a Local System Account, rather it has to be a "defined" user ... correct?

Do we know if a fix is coming for this?

Thanks!

[aki-k]

I switched from C:\Windows\System32\wsl.exe to "C:\Program Files\WSL\wsl.exe" for the Task Scheduler task.

The Ubuntu-22.04 instance still starts up "At system startup", but when I use the psexec64.exe command "C:\PSTools\PsExec64.exe -i runas /profile /env /user:username c:\windows\system32\cmd.exe", and run "wsl -l -v", it reports that the instance is "Stopped".

When I use C:\Windows\System32\wsl.exe for the Task Scheduler task, and run the psexec64.exe command and "wsl -l -v", it reports that the instance is "Running".

I'm really confused what is happening with it.

[Ansuel]

I would like to report that updating from 2.0.0 to 2.0.3 resulted in WSL disappearing from File Explorer and all my pinned directory pointing to WSL 9p share wiped :(

[materigoprecitec]

For those who wan't to use WSL on a jenkins windows agent, here is my workaround.

Instead of connecting via a task scheduler to the jenkins controller, after the startup of the machine, I have a jenkins job running on a linux agent, which initiates a remote desktop connection to the windows agent.

In the windows task scheduler I have a task, which is started whenever a remote connection is made. This is then able to start the jenkins agent under a normal session, where wsl does in fact work.

The pipeline looks something like this:

pipeline {
    agent { label 'linux' }
    stages {
        stage('CheckAndStart') {
            steps {
                script {
                online_nodes = nodesByLabel 'windows'
                    if (online_nodes) {
                        echo "online, nothing to do"
                    } else {
                        echo "offline, therefore starting by connection with rdp"
                        sh "timeout 30 xvfb-run xfreerdp -v jenkins.agent.com -u user -p password -cert-ignore"
                    }
                }
            }
        }
    }
}

[LvffY]

From my side, seems like upgrading to wsl 2.0.6 (through wsl --update --pre-release) as made the issue disappear.

My setup :

• Remote connexion through SSH to my workstation
• run wsl -l -v
• Had the same result by the command run on my Windows workstation directly

(Will try other tests, but it's encouraging !)

[arrmo]

OK, this is really screwy. I previously ran wsl --update --pre-release, no issues. Tried it today, to get the latest, but now --update doesn't seem to be an available option for wsl?!?!

Thanks!

[ToeKneeFan]

OK, this is really screwy. I previously ran wsl --update --pre-release, no issues. Tried it today, to get the latest, but now --update doesn't seem to be an available option for wsl?!?!

Thanks!

@arrmo Are you running in an elevated terminal?

There is more than one wsl.exe binary. Perhaps try pointing directly to "C:\Program Files\WSL\wsl.exe" instead of just wsl.

[arrmo]

@arrmo Are you running in an elevated terminal?

Yep!

Very odd ... but I had to --install (again), then could update. Weird. Thanks!

[hezhaozhao-git]

Is there any progress on this issue? I still can't use wsl with ssh

[LvffY]

From my side, seems like upgrading to wsl 2.0.6 (through wsl --update --pre-release) as made the issue disappear.

My setup :

• Remote connexion through SSH to my workstation

• run wsl -l -v

• Had the same result by the command run on my Windows workstation directly

(Will try other tests, but it's encouraging !)

Just to precise my answer : I found that this seems to work on all W11 workstation but only on some W10 ones.

So the issue seems not resolve for every configurations 😒

[hezhaozhao-git]

从我的角度来看，似乎升级到 wsl 2.0.6 （通过wsl --update --pre-release）使问题消失。
我的设置：

• 通过 SSH 远程连接到我的工作站
• 跑步wsl -l -v
• 直接在我的 Windows 工作站上运行命令得到了相同的结果

（会尝试其他测试，但这是令人鼓舞的！）

只是为了准确回答我的问题：我发现这似乎适用于所有 W11 工作站，但仅适用于某些 W10 工作站。

所以这个问题似乎并不能解决所有配置的问题😒

I run wsl --version,get:

WSL 版本： 2.0.9.0
内核版本： 5.15.133.1-1
WSLg 版本： 1.0.59
MSRDC 版本： 1.2.4677
Direct3D 版本： 1.611.1-81528511
DXCore 版本： 10.0.25131.1002-220531-1700.rs-onecore-base2-hyp
Windows 版本： 10.0.22621.2715

but this problem still exists.

[litian1992]

This is my setup:
wsl --version
WSL version: 2.0.11.0
Kernel version: 5.15.133.1-1
WSLg version: 1.0.59
MSRDC version: 1.2.4677
Direct3D version: 1.611.1-81528511
DXCore version: 10.0.25131.1002-220531-1700.rs-onecore-base2-hyp
Windows version: 10.0.22621.2715

I tried:

1. Explicitly calling 'C:\Users\Administrator\AppData\Local\Microsoft\WindowsApps\wsl.exe' or 'C:\Windows\System32\wsl.exe'
2. DISM.exe /Online /Cleanup-image /Restorehealth
3. Hit 'reset' and 'repair' buttons in WSL2 app
   which did NOT work.

What actually WORK for me:

1. Explicitly call 'C:\Program Files\WSL\WSL.exe'
   OR 2. Upgrade from 2.0.9 to pre-release 2.0.11

[rgl]

@litian1992 upgrading to 2.0.11 and executing c:\windows\system32\wsl.exe from within an ssh interactive session did not work here. calling C:\Program Files\WSL\WSL.exe worked, for 2.0.9 and 2.0.11.

still, there's use-case that is not working here. using an ssh client from linux to remotely invoke wsl as ssh Administrator@192.168.1.23 '"c:/Program Files/WSL/wsl.exe"' does not work here, it never shows the bash shell prompt that should be running inside the wsl distro. thou, when running ssh Administrator@192.168.1.23 to open a cmd.exe shell and then calling "c:/Program Files/WSL/wsl.exe" works, so something funky is still going on.

[montvid]

@rgl New install after upgrade to 2.0.11 works fine with microsoft ssh server - 2.0.9 does not work. Connecting from Linux with ssh -t administrator@ip "wsl ~" or with ssh administrator@ip and executing wsl ~.

[rgl]

@montvid ah, without -t it seemed not to work because there is no shell prompt for some reason, but typing a command does in fact work (e.g. ssh Administrator@192.168.1.23 '"c:/Program Files/WSL/wsl.exe"' --version). thanks for pointing that out!

[bayeslearner]

Here is a summary of a method I've been experimenting with to access WSL remotely via SSH, particularly effective post-reboot. Hopefully, this might be helpful for others:

1. Update to the Latest WSL Version (Dev Channel): Ensure you're running the latest WSL version from the dev channel for better compatibility and features. Check this with wsl --version. Example output should include 'WSL version: 2.1.0.0' and relevant kernel and Windows versions.

2. Configure WSL with NSSM: I've configured WSL to start under a specific user account using NSSM (Non-Sucking Service Manager). The command I used is something like -d Ubuntu -u root service dbus start. This helps in keeping WSL operational and accessible after your machine restarts.

3. SSH into Windows and Access WSL: After remotely connecting to the Windows host via SSH, I execute the wsl command to switch to the WSL shell. This method assumes WSL is continuously running in the background.