Add admin protection error message for shadow admin scenarios

Ben Hillis · Ben Hillis · commit 4824178ee2d2 · 2026-04-13T09:27:54.000-07:00
When Windows Admin Protection is enabled, the elevated process runs as a
shadow admin with a different SID, so distributions registered under the
real user are not visible. Surface an informational message in two cases:

1. Launching a distribution by name that is not found (WSL_E_DISTRO_NOT_FOUND)
2. Listing distributions when none are registered (WSL_E_DEFAULT_DISTRO_NOT_FOUND)
diff --git a/localization/strings/en-US/Resources.resw b/localization/strings/en-US/Resources.resw
@@ -744,6 +744,11 @@ For information please visit https://aka.ms/wslinstall</value>
   <data name="MessageAdministratorAccessRequiredForDebugShell" xml:space="preserve">
     <value>Running the debug shell requires running wsl.exe as Administrator.</value>
   </data>
+  <data name="MessageAdminProtectionEnabled" xml:space="preserve">
+    <value>Windows Admin Protection is enabled and your distributions may be registered under a different account.
+For more information on Admin Protection, please visit https://aka.ms/apdevguide</value>
+    <comment>{Locked="Admin Protection"}{Locked="https://aka.ms/apdevguide"}Command line arguments, file names and string inserts should not be translated</comment>
+  </data>
   <data name="MessageInstallProcessFailed" xml:space="preserve">
     <value>The installation process for distribution '{}' failed with exit code: {}.</value>
     <comment>{FixedPlaceholder="{}"}Command line arguments, file names and string inserts should not be translated</comment>
diff --git a/src/windows/common/WslSecurity.cpp b/src/windows/common/WslSecurity.cpp
@@ -135,6 +135,24 @@ bool wsl::windows::common::security::IsTokenElevated(_In_ HANDLE token)
     return (GetUserBasicIntegrityLevel(token) == SECURITY_MANDATORY_HIGH_RID);
 }
 
+bool wsl::windows::common::security::IsAdminProtectionEnabled()
+{
+    const auto token = wil::open_current_access_token();
+    if (!IsTokenElevated(token.get()))
+    {
+        return false;
+    }
+
+    using ShadowAdminEnabledFn = BOOL(WINAPI)();
+    LxssDynamicFunction<ShadowAdminEnabledFn> isShadowAdminEnabled{DynamicFunctionErrorLogs::None};
+    if (FAILED(isShadowAdminEnabled.load(L"SecurityHealthUdk.dll", "Shield_LUAIsShadowAdminEnabled")))
+    {
+        return false;
+    }
+
+    return isShadowAdminEnabled();
+}
+
 wil::unique_handle wsl::windows::common::security::GetUserToken(_In_ TOKEN_TYPE tokenType, _In_ RPC_BINDING_HANDLE handle)
 {
     wil::unique_handle contextToken;
diff --git a/src/windows/common/WslSecurity.h b/src/windows/common/WslSecurity.h
@@ -107,6 +107,11 @@ wil::unique_handle GetUserToken(_In_ TOKEN_TYPE tokenType, _In_ RPC_BINDING_HAND
 /// </summary>
 bool IsTokenElevated(_In_ HANDLE token);
 
+/// <summary>
+/// Returns true if the current token is elevated and Windows Admin Protection (shadow admin) is enabled.
+/// </summary>
+bool IsAdminProtectionEnabled();
+
 /// <summary>
 /// Returns true if the provided token is a member of the localsystem group
 /// </summary>
diff --git a/src/windows/common/wslutil.cpp b/src/windows/common/wslutil.cpp
@@ -545,7 +545,22 @@ std::wstring wsl::windows::common::wslutil::GetErrorString(HRESULT result)
         return Localization::MessageHigherIntegrity();
 
     case WSL_E_DEFAULT_DISTRO_NOT_FOUND:
-        return Localization::MessageNoDefaultDistro();
+    {
+        auto errorString = Localization::MessageNoDefaultDistro();
+        try
+        {
+            if (wsl::windows::common::security::IsAdminProtectionEnabled())
+            {
+                errorString = Localization::MessageAdminProtectionEnabled();
+                errorString += L"\n\n";
+                errorString += Localization::MessageNoDefaultDistro();
+                return errorString;
+            }
+        }
+        CATCH_LOG()
+
+        return errorString;
+    }
 
     case HRESULT_FROM_WIN32(WSAECONNABORTED):
     case HRESULT_FROM_WIN32(ERROR_SHUTDOWN_IN_PROGRESS):
diff --git a/src/windows/service/exe/LxssUserSession.cpp b/src/windows/service/exe/LxssUserSession.cpp
@@ -1246,7 +1246,23 @@ try
     }
 
     // Return an error if no distribution was found with a matching name.
-    RETURN_HR_IF(WSL_E_DISTRO_NOT_FOUND, !distroFound);
+    if (!distroFound)
+    {
+        try
+        {
+            auto runAsUser = wil::CoImpersonateClient();
+            if (wsl::windows::common::security::IsAdminProtectionEnabled())
+            {
+                auto message = wsl::shared::Localization::MessageAdminProtectionEnabled();
+                message += L"\n\n";
+                message += wsl::shared::Localization::MessageDistroNotFound();
+                THROW_HR_WITH_USER_ERROR(WSL_E_DISTRO_NOT_FOUND, std::move(message));
+            }
+        }
+        CATCH_LOG()
+
+        return WSL_E_DISTRO_NOT_FOUND;
+    }
 
     return S_OK;
 }
