Windows.Storage.StorageFile GetFileFromPathAsync E_ACCESSDENIED within AppContainer

[dkattan]

I'm not sure if this is really an issue with Privexec but I figured if anybody had any clue what was going on here it'd be @WildByDesign @fcharlie or @forderud

I'm trying to write a PowerShell script that can use the Windows.Networking.BackgroundTransfer.BackgroundDownloader class from WinRT.

However, this class appear to only be accessible from within an App Container

If you run the following code from a normal PowerShell window

[Windows.Networking.BackgroundTransfer, Windows.Networking.BackgroundTransfer.BackgroundDownloader, ContentType=WindowsRuntime] | Out-Null
[Windows.Networking.BackgroundTransfer.BackgroundDownloader]::new() 

you get

Exception calling ".ctor" with "0" argument(s): "This operation is only valid in the context of an app container. (Exception from 
HRESULT: 0x8007109A)"
At C:\Users\DKattan\Immense Networks\Immense Networks Intranet - Powershell Scripts\Test-DeliveryOptimizationMinimal.ps1:2 char:1   
+ [Windows.Networking.BackgroundTransfer.BackgroundDownloader]::new()
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : Exception

If I use Privexec to spawn Powershell it constructs the object

FailureToastNotification : 
SuccessTileNotification  : 
SuccessToastNotification : 
TransferGroup            : 
FailureTileNotification  : 
CompletionGroup          : 
CostPolicy               : Default
Group                    : 
Method                   : 
ProxyCredential          : 
ServerCredential         : 

Naturally the next thing I need to do is give the class I constructed a Windows.Storage.StorageFile object that points to the download destination.

I do this with the following code, which works as expected from within normal PowerShell

Add-Type -AssemblyName System.Runtime.WindowsRuntime
[Windows.Storage.StorageFile,Windows.Storage,ContentType=WindowsRuntime] | Out-Null
$asTaskGeneric = ([System.WindowsRuntimeSystemExtensions].GetMethods() | ? { $_.Name -eq 'AsTask' -and $_.GetParameters().Count -eq 1 -and $_.GetParameters()[0].ParameterType.Name -eq 'IAsyncOperation`1' })[0]
Function Await($WinRtTask, $ResultType) {
    $asTask = $asTaskGeneric.MakeGenericMethod($ResultType)
    $netTask = $asTask.Invoke($null, @($WinRtTask))
    try
    {
        $netTask.Wait(-1)
    }
    catch
    {
        Write-Error ($_.Exception.InnerException.InnerException)
    }
    $netTask.Result
}
Await ([Windows.Storage.StorageFile]::GetFileFromPathAsync("C:\temp\test.ps1")) ([Windows.Storage.StorageFile])

However, it seems like no matter what path I specify or what capabilities I give the App Container, I always get

Await : System.UnauthorizedAccessException: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
At line:17 char:1
+ Await ([Windows.Storage.StorageFile]::GetFileFromPathAsync("C:\temp\t ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorException
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Await

Things I've tried:

• Pre-Creating the file
• Giving the AppContainer broadFileSystemAccess
• Putting the destination inside of the AppContainer's AppData
• Putting the destination inside of the User's profile
• Running icacls "C:\temp\test.txt" /grant *S-1-15-2-1:(OI)(CI)(F) /T && icacls "C:\temp\test.txt" /grant *S-1-15-2-2:(OI)(CI)(F) /T

When I run Procmon, no activity is generated when it fails in the AppContainer.

I know Procmon is working because I see lots of activity when I run the same code in normal PowerShell.

My speculation is that this is one of the WinRT APIs that requires an Appx package manifest in addition to being run in an App Container. However I find it odd that the code works fine outside of an AppContainer.

I'm hoping there's something obvious I'm missing.

[fcharlie]

Reference: #31