Forum Discussion
Aug 17, 2024
Uap16/17 BaseNamedObjectsIsolation
Some early feedback.
The latest Windows SDK includes a few new schema extensions. Documentation on these new extensions is not yet posted, and I assume that the implementation is a work in progress and not released yet, but I am concerned that perhaps one of the items needs more thought before finalization.
Assuming that the new BaseNamedObjectsIsolation is an intended new feature to rename kernel named objects (like semaphores, mutexes, and other types) needed by software in the package, this would be a feature similar to that previously available via Microsoft App-V to help with running certain apps on multi-user operating systems, or even multiple versions of the same app in parallel on a single-user OS.
The schema for this element appears only to allow it to be enabled for the package, and I am concerned that this is an insufficient level of control.
The equivalent feature in App-V included a system-implemented (but registry-editable) list of names to be excluded from the name spoofing. Furthermore, on a per-package basis, the AppXManifest supported an override to include/exclude items.
The general system exclusion was a list of nearly 100 names. These exclusions were needed because the objects would also need to be recognized by name by an OS component that was not in the App-V container, so renaming one end would not work.
While Microsoft maintained this exclusion list (see HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AppV\Subsystem\ObjExclusions), there was at least one time that IT Pros had to locally add to the exclusion list, when Microsoft made a security change to RDS that broke almost half of App-V packages.
There was also a case where I helped a vendor with a package customization to the list because there were components in their package that ran outside of the App-V container (an out-of-process COM object) and needed to communicate, using a name, with a component running inside of the container.
Given that MSIX services might not be running inside the same container as the packaged app (I'm not sure about that), there might be more issues.
The bottom line is that there needs to be some exclusions applied somewhere, and overrides to the exclusion, at least on a system level, would be wise.
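The following is an added model of the mechanism the post describes, not code from the post, from App-V, or from the MSIX SDK. It simulates per-package renaming of kernel object names with a system-wide exclusion list and a per-package include/exclude override, and shows why an object shared with a component outside the container only works when its name is excluded. The object names, the package id, and the decoration scheme are constructed, and the precedence used here (package include beats package exclude beats the system list) is an assumption, not documented App-V or MSIX behaviour.

```python
"""Constructed model of named-object isolation with exclusions.

Not App-V or MSIX code: the names, the package id and the decoration
scheme are made up for illustration, and the precedence rules are an
assumption about how such a feature could reasonably be layered.
"""
from dataclasses import dataclass

# Constructed stand-in for a system-wide exclusion list (the real App-V list under
# HKLM\SOFTWARE\Microsoft\AppV\Subsystem\ObjExclusions is far longer). Names here are
# hypothetical objects that an OS component outside the container would open by name.
SYSTEM_EXCLUSIONS = frozenset({"ShellReadyEvent", "Global\\SpoolerWakeEvent"})

SESSION_PREFIXES = ("Global\\", "Local\\")


@dataclass(frozen=True)
class PackageOverride:
    """Per-package override, modelled on the AppXManifest include/exclude the post mentions."""
    exclude: frozenset = frozenset()  # extra names this package leaves un-renamed
    include: frozenset = frozenset()  # names this package isolates even if the system list excludes them


def split_namespace(name: str) -> tuple[str, str]:
    """Separate a "Global\\" or "Local\\" session prefix from the bare object name."""
    for prefix in SESSION_PREFIXES:
        if name.startswith(prefix):
            return prefix, name[len(prefix):]
    return "", name


def is_excluded(name: str, override: PackageOverride = PackageOverride(),
                system_exclusions: frozenset = SYSTEM_EXCLUSIONS) -> bool:
    """Decide whether `name` stays un-renamed. Precedence is an assumption of this model."""
    _, bare = split_namespace(name)
    if name in override.include or bare in override.include:
        return False                       # package forces isolation
    if name in override.exclude or bare in override.exclude:
        return True                        # package opts this name out of renaming
    return name in system_exclusions or bare in system_exclusions


def isolate_name(name: str, package_id: str, override: PackageOverride = PackageOverride(),
                 system_exclusions: frozenset = SYSTEM_EXCLUSIONS) -> str:
    """Return the name a component running inside `package_id`'s container would open."""
    if is_excluded(name, override, system_exclusions):
        return name
    prefix, bare = split_namespace(name)
    # Decoration scheme is constructed; the session prefix is preserved so Global/Local
    # semantics are unchanged by the renaming.
    return f"{prefix}{package_id}_{bare}"


def can_rendezvous(name: str, package_id: str, override: PackageOverride = PackageOverride(),
                   system_exclusions: frozenset = SYSTEM_EXCLUSIONS) -> bool:
    """True when an in-container component and a host (non-isolated) component open the same object.

    The host side always uses the raw name, which is exactly the situation the post
    describes: an OS service or out-of-process COM object that is not in the container.
    """
    inside = isolate_name(name, package_id, override, system_exclusions)
    outside = name
    return inside == outside


def with_admin_exclusion(system_exclusions: frozenset, name: str) -> frozenset:
    """Model an IT Pro locally adding a name to the system exclusion list after an OS change."""
    return system_exclusions | {name}


if __name__ == "__main__":
    pkg = "Contoso.App_1.0.0.0"                  # constructed package id
    print(isolate_name("AppMutex", pkg))         # renamed: private to the package
    print(isolate_name("ShellReadyEvent", pkg))  # excluded: shared with the host
    # A hypothetical new OS object after an update breaks until an admin excludes it.
    print(can_rendezvous("NewRdsSessionEvent", pkg))
    patched = with_admin_exclusion(SYSTEM_EXCLUSIONS, "NewRdsSessionEvent")
    print(can_rendezvous("NewRdsSessionEvent", pkg, system_exclusions=patched))
```

The `can_rendezvous` check is the point of the post: any object whose other end lives outside the container needs to resolve to the same name on both sides, so a package-enable-only switch with no exclusion list would rename one end and break the handshake.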