Can't activate sudo in settings #25

Closed
flobo09 opened this issue Feb 9, 2024 · 15 comments
Labels: Issue-Bug (Something isn't working), Resolution-Fix-Committed (Fix is checked in, but it might be 3-4 weeks until a release), Tracking-External (This bug isn't resolved, but it's following an external workitem).

flobo09 commented Feb 9, 2024

Clicking the button in Settings does nothing and it reverts a few seconds later.

See video of issue at https://t.co/wKHQ9o7Mm6

Also nothing seems to be in registry.

image

Thank you all !

Author

flobo09 commented Feb 9, 2024

Update : https://twitter.com/joadoumie/status/1755682864555823394

Jordi had me command line activate it with `sudo config --enable forceNewWindow`

and it is now working

image

There still seems to be an issue with the original toggle in Settings though. I have two more computers to upgrade to the same build; I will see if I hit the same issue.

image

Author

flobo09 commented Feb 9, 2024

Another update: I upgraded my two other machines (Samsung Galaxy Book3 Pro 360 on Dev & Dell Inspiron 14 2021 on Canary) to the build and I'm hitting the same issue.

The toggle in Settings is not working:

image

image

I'm pretty sure `sudo config --enable forceNewWindow` in an elevated terminal would fix those as well (@joadoumie gave me the command on Twitter), as it worked on machine 1 (custom-built desktop on Canary), but I'm not doing it for now in case you want me to do some troubleshooting / log gathering into why exactly the toggle is not working.

zadjii-msft added the Needs-Triage label Feb 9, 2024
Member

zadjii-msft commented Feb 9, 2024

Okay, I've got an idea. Can you go enable logging process creation events, as this page describes: https://logrhythm.com/blog/how-to-enable-process-creation-events-to-track-malware-and-threat-actor-activity/? And also make sure to log the command-line params. Then, when you turn on the setting in the settings app, you should get one that's like `consent.exe`, then `SystemSettingsAdminFlows.exe EnableSudo` or something like that. Can you share the "admin flows" one that you see?

If you don't see anything like that, well, that'd be important to know too.

(I'll reach out in the meantime, see if there's other settings app traces I can have you gather)

MSFT:48929169

zadjii-msft added the Issue-Bug, Tracking-External and Needs-Author-Feedback labels Feb 9, 2024
Author

flobo09 commented Feb 18, 2024

Apologies about the delay, I was on a work trip all week.

Just did it, I'm seeing consent.exe:

A new process has been created.

Creator Subject:
Security ID: SYSTEM
Account Name: BOOK360$
Account Domain: WORKGROUP
Logon ID: 0x3E7

Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0

Process Information:
New Process ID: 0x8624
New Process Name: C:\Windows\System32\consent.exe
Token Elevation Type: TokenElevationTypeDefault (1)
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0x3794
Creator Process Name: C:\Windows\System32\svchost.exe
Process Command Line: consent.exe 14228 570 000001D9E30522A0

Then the second one:

A new process has been created.

Creator Subject:
Security ID: SYSTEM
Account Name: BOOK360$
Account Domain: WORKGROUP
Logon ID: 0x3E7

Target Subject:
Security ID: BOOK360\flo
Account Name: flo
Account Domain: BOOK360
Logon ID: 0x3D0FE

Process Information:
New Process ID: 0x35c8
New Process Name: C:\Windows\System32\SystemSettingsAdminFlows.exe
Token Elevation Type: TokenElevationTypeFull (2)
Mandatory Label: Mandatory Label\High Mandatory Level
Creator Process ID: 0x4264
Creator Process Name: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
Process Command Line: "C:\WINDOWS\system32\SystemSettingsAdminFlows.exe" EnableSudo

Then a third one:

A new process has been created.

Creator Subject:
Security ID: SYSTEM
Account Name: BOOK360$
Account Domain: WORKGROUP
Logon ID: 0x3E7

Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0

Process Information:
New Process ID: 0xff0
New Process Name: C:\Windows\System32\svchost.exe
Token Elevation Type: TokenElevationTypeDefault (1)
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0x5cc
Creator Process Name: C:\Windows\System32\services.exe
Process Command Line: C:\WINDOWS\System32\svchost.exe -k WerSvcGroup

Then a 4th one:

A new process has been created.

Creator Subject:
Security ID: SYSTEM
Account Name: BOOK360$
Account Domain: WORKGROUP
Logon ID: 0x3E7

Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0

Process Information:
New Process ID: 0x7a58
New Process Name: C:\Windows\System32\WerFault.exe
Token Elevation Type: TokenElevationTypeDefault (1)
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xff0
Creator Process Name: C:\Windows\System32\svchost.exe
Process Command Line: C:\WINDOWS\system32\WerFault.exe -pss -s 460 -p 13768 -ip 13768

Then a 5th one:

A new process has been created.

Creator Subject:
Security ID: SYSTEM
Account Name: BOOK360$
Account Domain: WORKGROUP
Logon ID: 0x3E7

Target Subject:
Security ID: BOOK360\flo
Account Name: flo
Account Domain: BOOK360
Logon ID: 0x3D0FE

Process Information:
New Process ID: 0x6584
New Process Name: C:\Windows\System32\SystemSettingsAdminFlows.exe
Token Elevation Type: TokenElevationTypeFull (2)
Mandatory Label: Mandatory Label\High Mandatory Level
Creator Process ID: 0x35c8
Creator Process Name: C:\Windows\System32\SystemSettingsAdminFlows.exe
Process Command Line: "C:\WINDOWS\system32\SystemSettingsAdminFlows.exe" EnableSudo

Then a 7th one:

A new process has been created.

Creator Subject:
Security ID: SYSTEM
Account Name: BOOK360$
Account Domain: WORKGROUP
Logon ID: 0x3E7

Target Subject:
Security ID: BOOK360\flo
Account Name: flo
Account Domain: BOOK360
Logon ID: 0x3D0FE

Process Information:
New Process ID: 0x80cc
New Process Name: C:\Windows\System32\WerFault.exe
Token Elevation Type: TokenElevationTypeFull (2)
Mandatory Label: Mandatory Label\High Mandatory Level
Creator Process ID: 0x35c8
Creator Process Name: C:\Windows\System32\SystemSettingsAdminFlows.exe
Process Command Line: C:\WINDOWS\system32\WerFault.exe -u -p 13768 -s 2132

And finally an 8th one (I think that one is unrelated and just happened at the same time).

A new process has been created.

Creator Subject:
Security ID: SYSTEM
Account Name: BOOK360$
Account Domain: WORKGROUP
Logon ID: 0x3E7

Target Subject:
Security ID: BOOK360\flo
Account Name: flo
Account Domain: BOOK360
Logon ID: 0x3D342

Process Information:
New Process ID: 0x5dc4
New Process Name: C:\Windows\System32\drivers\Intel\ICPS\IDBWM.exe
Token Elevation Type: TokenElevationTypeLimited (3)
Mandatory Label: Mandatory Label\Medium Mandatory Level
Creator Process ID: 0x2ad8
Creator Process Name: C:\Windows\System32\drivers\Intel\ICPS\IDBWM.exe
Process Command Line: IDBWM.exe -m -n 1

In the end, sudo wasn't activated.

WerFault means an error was logged somewhere maybe ?
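
An added example (not code from this thread or from the sudo project) of the correlation that ties these records together: event 4688 prints PIDs in hex, while WerFault.exe is handed the PID it reports on as a decimal `-p` argument, so `-p 13768` is `0x35c8`, the first `SystemSettingsAdminFlows.exe`. The sample is constructed from the values above, cut down to three fields per record; `Proc`, `parse_events`, `crashed_images` and `kSample` are names chosen here, and PIDs are assumed not to be reused within the capture.

```cpp
#include <iostream>
#include <map>
#include <regex>
#include <string>
#include <vector>

// Constructed sample: 4688 records cut to three fields, values as posted above.
const char* kSample = R"(
New Process ID: 0x35c8
New Process Name: C:\Windows\System32\SystemSettingsAdminFlows.exe
Process Command Line: "C:\WINDOWS\system32\SystemSettingsAdminFlows.exe" EnableSudo
New Process ID: 0x7a58
New Process Name: C:\Windows\System32\WerFault.exe
Process Command Line: C:\WINDOWS\system32\WerFault.exe -pss -s 460 -p 13768 -ip 13768
New Process ID: 0x5dc4
New Process Name: C:\Windows\System32\drivers\Intel\ICPS\IDBWM.exe
Process Command Line: IDBWM.exe -m -n 1
)";

struct Proc { unsigned long pid; std::string image, cmd; };
// Extract PID, image and command line from each rendered 4688 record.
std::vector<Proc> parse_events(const std::string& text) {
    static const std::regex rec(
        R"(New Process ID:\s*0x([0-9A-Fa-f]+)\s+New Process Name:[ \t]*(.*))"
        R"([\s\S]*?Process Command Line:[ \t]*(.*))");
    std::vector<Proc> out;
    for (std::sregex_iterator it(text.begin(), text.end(), rec), end; it != end; ++it)
        out.push_back({std::stoul((*it)[1].str(), nullptr, 16), (*it)[2].str(), (*it)[3].str()});
    return out;
}

// For every WerFault.exe launch, resolve its decimal -p argument to a logged image.
std::vector<std::string> crashed_images(const std::vector<Proc>& events) {
    static const std::regex pid_arg(R"(\s-p\s+(\d+))");
    std::map<unsigned long, std::string> by_pid;
    for (const auto& e : events) by_pid[e.pid] = e.image;
    std::vector<std::string> crashed;
    std::smatch m;
    for (const auto& e : events) {
        if (e.image.find("WerFault.exe") == std::string::npos) continue;
        if (!std::regex_search(e.cmd, m, pid_arg)) continue;
        const auto it = by_pid.find(std::stoul(m[1].str()));
        if (it != by_pid.end()) crashed.push_back(it->second);
    }
    return crashed;
}

int main() {
    for (const auto& img : crashed_images(parse_events(kSample))) std::cout << img << "\n";
}
```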

Author

flobo09 commented Feb 18, 2024

Got it:

Faulting application name: SystemSettingsAdminFlows.exe, version: 10.0.26058.1000, time stamp: 0xe94af5ec
Faulting module name: SystemSettingsAdminFlows.exe, version: 10.0.26058.1000, time stamp: 0xe94af5ec
Exception code: 0xc0000005
Fault offset: 0x000000000000a7e8
Faulting process id: 0x35C8
Faulting application start time: 0x1DA628824396DA5
Faulting application path: C:\WINDOWS\system32\SystemSettingsAdminFlows.exe
Faulting module path: C:\WINDOWS\system32\SystemSettingsAdminFlows.exe
Report Id: 908b4953-2476-4a5b-be5a-d532f3e52749
Faulting package full name:
Faulting package-relative application ID:

so 0xc0000005

As it's happening on 3 devices, I guess we can rule out faulty hardware.

Could it be a permission issue?

@zadjii-msft
Member

OOoh oh okay. That does at least point in the right direction. The fact that SystemSettingsAdminFlows.exe spawned is good. At least that narrows down the problem space. And the fact that it's in Faulting module path: C:\WINDOWS\system32\SystemSettingsAdminFlows.exe, I'm guessing it's my code (and not like, a crash from XAML or something). This does narrow it down to like, 8 crash signatures in the backend.

Now, I'm gonna go check those each individually, but it'd be helpful to be able to exactly cross-reference your crash. I don't think I could just find it from Report Id: 908b4953-2476-4a5b-be5a-d532f3e52749. But, I bet if you used the Feedback Hub to record the problem, I could use that to find your crash.

Use this area:
image

Make sure to hit Start Recording, then try to enable sudo in the settings app:
image

Then make sure to share the aka.ms link generated by the "Share my feedback" button here. I can use that to definitely find your crash.

zadjii-msft removed the Needs-Author-Feedback and Needs-Triage labels Feb 20, 2024
@zadjii-msft
Member

omg I found it

MSFT:48806021

zadjii-msft added this to the 24H1 milestone Feb 20, 2024
zadjii-msft self-assigned this Feb 20, 2024
Author

flobo09 commented Feb 21, 2024

That was funny seeing an "omg I found it" notification in my mailbox :D

So I guess you don't need me to log anything more?

Just for curiosity, why does this only affect me and my machines? Do I have some rare software configuration somewhere on my machines affecting me?

@zadjii-msft
Member

> why does this only affect me and my machines

That is a great question. The faulting line looks like it's from some vestigial code that's now trying to construct a wstring from a wchar_t* that's nullptr. By all accounts, that should be fine, and just return an empty string.

On the bright side, since it's vestigial, I think I can just remove the entire thing 😄

@kennykerr
Contributor

The behavior is undefined if the input is a null pointer.

https://en.cppreference.com/w/cpp/string/basic_string/basic_string
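
An added example (not from this thread or from the Windows source) of the pattern under discussion: the unchecked `std::wstring(const wchar_t*)` construction next to two null-tolerant replacements. `find_setting` and its table are hypothetical stand-ins for an API that can return `nullptr`, and the helper names are chosen here.

```cpp
#include <iostream>
#include <optional>
#include <string>
#include <string_view>

// Hypothetical C-style lookup: returns nullptr when a value was never populated.
const wchar_t* find_setting(std::wstring_view name) {
    static const struct { const wchar_t* key; const wchar_t* value; } table[] = {
        {L"mode", L"forceNewWindow"},
        {L"legacy", nullptr},  // key exists, value absent
    };
    for (const auto& entry : table)
        if (name == entry.key) return entry.value;
    return nullptr;
}

// Before: this constructor calls traits::length(s), which reads through s.
// Undefined behaviour for nullptr; on Windows typically an access violation.
// C++23 deletes basic_string(nullptr_t), but that only rejects a literal
// nullptr at compile time, not a pointer that turns out to be null at run time.
std::wstring copy_unchecked(const wchar_t* s) { return std::wstring(s); }

// After, option 1: treat "no value" as the empty string.
std::wstring copy_or_empty(const wchar_t* s) {
    return s ? std::wstring(s) : std::wstring();
}

// After, option 2: keep "absent" distinct from "present but empty".
std::optional<std::wstring> copy_if_present(const wchar_t* s) {
    if (s == nullptr) return std::nullopt;
    return std::wstring(s);
}

int main() {
    for (const wchar_t* name : {L"mode", L"legacy", L"missing"}) {
        const auto value = copy_if_present(find_setting(name));
        std::wcout << name << L" -> " << value.value_or(L"<absent>") << L"\n";
    }
}
```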

Author

flobo09 commented Feb 21, 2024

I'm going on a slight tangent here, but the reason I asked for details is that I have been having a very similar issue on the same 3 machines for over a year with the toggle to activate defender button.

It does nothing and reverts. I had filed feedback on FB hub a long time ago but never heard anything back / found a solution and eventually just used a third party AV since Defender can't be activated on my machines.

I'm now wondering if it could be the same issue / related.

Back then, I tried to understand it via a lot of trial and error myself in virtual machines and it "looked to me" like it happened if you created a local account and then connected an MSA afterward, which I always do to have a better username folder in C:\users\, but well, without having access to your internal stuff, I could never really confirm the inch and the behaviour wasn't always consistent.

I could be totally off there but mentioning that just in case it's related.

@zadjii-msft
Member

> the toggle to activate defender button

I can try and take a spin through the OS code, see if I see something similar. Which button in particular is that?

Author

flobo09 commented Feb 22, 2024

It's this one:
image

joadoumie added the Resolution-Fix-Committed label Feb 28, 2024
@joadoumie
Contributor

Closing issue with 'Resolution-Fix-Committed'

Member

zadjii-msft commented Feb 28, 2024

For my own record, this was fixed in MSFT:48806021 (and fixed EVEN MORE fixed in MSFT:49122115)


I did not get a chance to loop around on that button in the security app yet, sorry
