WSL Plugin: Issue with WSLSessionInformation -> UserToken Not Being a Valid User Token

[ssijbabu]

Description
I'm working with the OnVmStarted function in the context of handling WSL sessions. I'm encountering an issue where the Session->UserToken is not a valid user token. As a result, attempts to retrieve user-related information such as the user profile directory, user SID, or the list of Active Directory (AD) groups the user is a member of are failing.

Code Snippet
Here's the relevant part of the code I'm using:

HRESULT OnVmStarted(const WSLSessionInformation* Session, const WSLVmCreationSettings* Settings)
{
    g_logfile << "VM created. SessionId=" << Session->SessionId
              << ", CustomConfigurationFlags=" << Settings->CustomConfigurationFlags << std::endl;

    // Get user profile directory
    WCHAR profileDir[MAX_PATH];
    DWORD size = MAX_PATH;
    if (GetUserProfileDirectoryW(Session->UserToken, profileDir, &size))
    {
        g_logfile << "User Profile Directory: " << std::wstring_convert<std::codecvt_utf8<wchar_t>>().to_bytes(profileDir) << std::endl;
    }
    else
    {
        g_logfile << "Failed to get user profile directory. Error: " << GetLastError() << std::endl;
    }

    // Get user SID string
    LPWSTR sidString = nullptr;
    if (ConvertSidToStringSidW(Session->UserSid, &sidString))
    {
        g_logfile << "User SID: " << std::wstring_convert<std::codecvt_utf8<wchar_t>>().to_bytes(sidString) << std::endl;
        LocalFree(sidString);
    }
    else
    {
        g_logfile << "Failed to convert SID to string. Error: " << GetLastError() << std::endl;
    }

    // Get user group information
    DWORD groupInfoSize = 0;
    GetTokenInformation(Session->UserToken, TokenGroups, nullptr, 0, &groupInfoSize);
    PTOKEN_GROUPS groupInfo = (PTOKEN_GROUPS)malloc(groupInfoSize);
    if (groupInfo && GetTokenInformation(Session->UserToken, TokenGroups, groupInfo, groupInfoSize, &groupInfoSize))
    {
        for (DWORD i = 0; i < groupInfo->GroupCount; ++i)
        {
            LPWSTR groupSidString = nullptr;
            if (ConvertSidToStringSidW(groupInfo->Groups[i].Sid, &groupSidString))
            {
                g_logfile << "Group SID: " << std::wstring_convert<std::codecvt_utf8<wchar_t>>().to_bytes(groupSidString) << std::endl;
                LocalFree(groupSidString);
            }
        }
    }
    else
    {
        g_logfile << "Failed to get user group information. Error: " << GetLastError() << std::endl;
    }
    free(groupInfo);

    return S_OK;
}

Issue Details
When calling functions like GetUserProfileDirectoryW or GetTokenInformation, they fail with an invalid token error (GetLastError() -> 6). For example:

• GetUserProfileDirectoryW fails with error code: ERROR_INVALID_HANDLE.
• GetTokenInformation fails with error code: ERROR_INVALID_HANDLE.

Questions

1. How can I ensure that Session->UserToken is a valid user token for retrieving user-related information?
2. Are there specific configurations or steps required in WSL or the host environment to ensure the UserToken is properly populated?
3. Once the UserToken issue is resolved, is this the correct approach for retrieving:
   • The user's profile directory?
   • The list of AD groups the user belongs to?

[github-actions]

Logs are required for review from WSL team

If this a feature request, please reply with '/feature'. If this is a question, reply with '/question'.
Otherwise please attach logs by following the instructions below, your issue will not be reviewed unless they are added. These logs will help us understand what is going on in your machine.

How to collect WSL logs

Download and execute collect-wsl-logs.ps1 in an administrative powershell prompt:

Invoke-WebRequest -UseBasicParsing "https://raw.githubusercontent.com/microsoft/WSL/master/diagnostics/collect-wsl-logs.ps1" -OutFile collect-wsl-logs.ps1
Set-ExecutionPolicy Bypass -Scope Process -Force
.\collect-wsl-logs.ps1

The script will output the path of the log file once done.

If this is a networking issue, please use collect-networking-logs.ps1, following the instructions here

Once completed please upload the output files to this Github issue.

Click here for more info on logging
If you choose to email these logs instead of attaching to the bug, please send them to [email protected] with the number of the github issue in the subject, and in the message a link to your comment in the github issue and reply with '/emailed-logs'.

[ssijbabu]

/question

[github-actions]

Diagnostic information

Found '/question', adding tag 'question'

[ssijbabu]

Tagging @OneBlue @benhillis

The following function call returns an "Invalid Token" error. I am trying to retrieve the Active Directory group of a user by using:

GetTokenInformation(Session->UserToken, TokenGroups, groupInfo, groupInfoSize, &groupInfoSize)

[OneBlue]

Thank you for reporting this @ssijbabu. This is indeed a bug in the plugin API. It will be fixed in the next release