Windows: improve wording when running as admin fails

[Treit]

Type: Bug

Recently when I attempted to launch vscode from a terminal window running as administrator on Windows, I received the following error:

Running as administrator is not supported
Please try again without administrator privileges.

It was completely unclear why I was suddenly no longer able to run a vscode instance as administrator. The error message here is unhelpful as it does not provide any hints as to why this restriction is happening.

After several days of trying to track this down, I was able to compare my installation with that of another user who was able to run as admin just fine, using the same vscode version. I noticed in the Help | About dialog that mine said "Sandboxed: yes" and theirs said "Sandboxed: no"

This lead me to the "window.experimental.useSandbox": true setting, which I set to false to fix the issue.

The error message should say something like "Running as administrator is not supported when useSandbox is set to true" or something like that to make it much more apparent that VSCode is running in a restricted sandbox.

I don't know how that setting got enabled, but I wasted quite a bit of time trying to understand what was going on.

VS Code version: Code 1.74.1 (1ad8d51, 2022-12-14T10:30:51.966Z)
OS version: Windows_NT x64 10.0.25272
Modes:
Sandboxed: Yes

System Info

Item	Value
CPUs	Intel(R) Xeon(R) W-2123 CPU @ 3.60GHz (8 x 3600)
GPU Status	2d_canvas: enabled canvas_oop_rasterization: disabled_off direct_rendering_display_compositor: disabled_off_ok gpu_compositing: enabled multiple_raster_threads: enabled_on opengl: enabled_on rasterization: enabled raw_draw: disabled_off_ok skia_renderer: enabled_on video_decode: enabled video_encode: enabled vulkan: disabled_off webgl: enabled webgl2: enabled webgpu: disabled_off
Load (avg)	undefined
Memory (System)	47.44GB (27.74GB free)
Process Argv	--crash-reporter-id c01529e5-6eec-49b3-8891-23ca5239ee2c
Screen Reader	no
VM	0%

Extensions (35)

Extension	Author (truncated)	Version
doxdocgen	csc	1.4.0
vbscript	Dar	1.0.4
gitlens	eam	13.1.1
vsc-material-theme	Equ	33.6.0
vsc-material-theme-icons	equ	2.5.0
Ionide-fsharp	Ion	7.4.0
cmake-language-support-vscode	jos	0.0.7
vscode-leetcode	Lee	0.18.1
vscode-azurefunctions	ms-	1.9.0
vscode-azureresourcegroups	ms-	0.5.6
vscode-docker	ms-	1.23.3
csharp	ms-	1.25.2
vscode-dotnet-pack	ms-	1.0.12
vscode-dotnet-runtime	ms-	1.6.0
isort	ms-	2022.8.0
python	ms-	2022.20.1
vscode-pylance	ms-	2022.12.20
jupyter	ms-	2022.11.1003412109
jupyter-keymap	ms-	1.0.0
jupyter-renderers	ms-	1.0.12
vscode-jupyter-cell-tags	ms-	0.1.6
vscode-jupyter-slideshow	ms-	0.1.5
remote-containers	ms-	0.266.1
remote-ssh	ms-	0.94.0
remote-wsl	ms-	0.72.0
azure-account	ms-	0.11.2
cmake-tools	ms-	1.12.27
cpptools	ms-	1.13.8
cpptools-extension-pack	ms-	1.3.0
powershell	ms-	2022.12.1
remote-explorer	ms-	0.0.3
azurerm-vscode-tools	msa	0.15.8
vscode-print	pdc	0.10.20
vscode-autohotkey	sle	0.2.2
cmake	twx	0.0.17

(5 theme extensions excluded)

A/B Experiments

vsliv368:30146709
vsreu685:30147344
python383cf:30185419
vspor879:30202332
vspor708:30202333
vspor363:30204092
vslsvsres303:30308271
pythonvspyl392:30443607
vserr242cf:30382550
pythontb:30283811
vsjup518:30340749
pythonptprofiler:30281270
vsdfh931cf:30280410
vshan820:30294714
vstes263:30335439
vscorecescf:30445987
pythondataviewer:30285071
vscod805cf:30301675
binariesv615:30325510
bridge0708:30335490
bridge0723:30353136
cmake_vspar411:30581797
vsaa593:30376534
pythonvs932:30410667
cppdebug:30492333
vsclangdf:30486550
c4g48928:30535728
dsvsc012:30540252
azure-dev_surveyonecf:30548226
pyindex848:30577860
nodejswelcome1:30587005
282f8724:30602487
gswce1:30612156
3d0df643:30613357
89544117:30613380
fim-prod:30623723
vscsb:30628654

[JunielKatarn]

Same here.

Disabling it also fixed the issue for me.

[bpasero]

@Treit @JunielKatarn do you work in an environment where Applocker is enabled on Windows? And where VS Code is blocked for your normal user, so you run as Admin?

Bottom line: the sandbox option will soon be default with no way to disable it and then this scenario is no longer supported. But the wording should probably contain a button to more information about the Bitlocker problem.

//cc @deepak1556

[Treit]

I do not work in an environment where Applocker is enabled. However, I sometimes need to work from a terminal window that is running as administrator as certain folders I work in require administrative privileges.

Not being able to launch vscode from such a terminal window means I have to resort to other editors instead, which have no problem running from such a window.

Why would there not be a way to disable this in the future? If I have to go out of my way to change the default behavior and run non-sandboxed, that should be my choice as the developer who knows my own risk tolerance.

[bpasero]

@deepak1556 I might need you here to better understand what environment the user is in. The above message will only appear based on this condition:

vscode/src/vs/platform/windows/electron-main/windowImpl.ts

Line 746 in e1b6f8f

if (isWindows && details?.reason === 'launch-failed' && details.exitCode === 18 && await this.nativeHostMainService.isAdmin(undefined)) {

Which I had thought to be AppLocker only.

[Treit]

I wasn't aware of any AppLocker policies, but I double-checked with Get-AppLockerPolicy -Effective -Xml and our corporate IT (this is at Microsoft) does appear to have some policies enabled.

I don't see anything that looks related to VSCode though. Do you know what that would look like?

[JunielKatarn]

@Treit @JunielKatarn do you work in an environment where Applocker is enabled on Windows? And where VS Code is blocked for your normal user, so you run as Admin?

@bpasero VSCode is not explicitly blocked to run either as normal user nor admin on my machine.
Removing the Sandbox flag worked.

Bottom line: the sandbox option will soon be default with no way to disable it and then this scenario is no longer supported. But the wording should probably contain a button to more information about the Bitlocker problem.

(Did you mean AppLocker instead of BitLocker?)
I think running VS Code from an admin terminal session is a very valid and likely expected use case for developers and power users.
Making this impossible can be concerning for many users.
Is there any sort of open discussion for this feature and the ability to override it?

[bpasero]

The sandbox option is nothing a user will be able to disable, see https://code.visualstudio.com/blogs/2022/11/28/vscode-sandbox for motivations. It is currently behind a setting only to test it. It will be the default soon.

Given you found AppLocker policies, this issue is a duplicate of #122951 and related to #112538. Please refer to these issues for more details.

I still think we can improve the wording of the message though, maybe even point to some docs on our end.

[bpasero]

Given we are now working on the docs, can people try to

• set window.experimental.useSandbox to true again
• quit VS Code
• run code --no-sandbox --disable-gpu-sandbox from the command line

Does it work then?