Add admin protection error message for shadow admin scenarios

Ben Hillis · Ben Hillis · commit 424f4dcd3ca6 · 2026-04-13T10:05:07.000-07:00
When Windows Admin Protection is enabled, the elevated process runs as a
shadow admin with a different SID, so distributions registered under the
real user are not visible. Surface an informational message in two cases:

1. Launching a distribution by name that is not found (WSL_E_DISTRO_NOT_FOUND)
2. Listing distributions when none are registered (WSL_E_DEFAULT_DISTRO_NOT_FOUND)
diff --git a/localization/strings/en-US/Resources.resw b/localization/strings/en-US/Resources.resw
@@ -744,6 +744,11 @@ For information please visit https://aka.ms/wslinstall</value>
   <data name="MessageAdministratorAccessRequiredForDebugShell" xml:space="preserve">
     <value>Running the debug shell requires running wsl.exe as Administrator.</value>
   </data>
+  <data name="MessageAdminProtectionEnabled" xml:space="preserve">
+    <value>Windows Admin Protection is enabled and your distributions may be registered under a different account.
+For more information on Admin Protection, please visit https://aka.ms/apdevguide</value>
+    <comment>{Locked="Admin Protection"}{Locked="https://aka.ms/apdevguide"}Command line arguments, file names and string inserts should not be translated</comment>
+  </data>
   <data name="MessageInstallProcessFailed" xml:space="preserve">
     <value>The installation process for distribution '{}' failed with exit code: {}.</value>
     <comment>{FixedPlaceholder="{}"}Command line arguments, file names and string inserts should not be translated</comment>
diff --git a/src/windows/common/WslSecurity.cpp b/src/windows/common/WslSecurity.cpp
@@ -135,6 +135,24 @@ bool wsl::windows::common::security::IsTokenElevated(_In_ HANDLE token)
     return (GetUserBasicIntegrityLevel(token) == SECURITY_MANDATORY_HIGH_RID);
 }
 
+bool wsl::windows::common::security::IsAdminProtectionEnabled()
+{
+    const auto token = wil::open_current_access_token();
+    if (!IsTokenElevated(token.get()))
+    {
+        return false;
+    }
+
+    using ShadowAdminEnabledFn = BOOL(WINAPI)();
+    LxssDynamicFunction<ShadowAdminEnabledFn> isShadowAdminEnabled{DynamicFunctionErrorLogs::None};
+    if (FAILED(isShadowAdminEnabled.load(L"SecurityHealthUdk.dll", "Shield_LUAIsShadowAdminEnabled")))
+    {
+        return false;
+    }
+
+    return isShadowAdminEnabled();
+}
+
 wil::unique_handle wsl::windows::common::security::GetUserToken(_In_ TOKEN_TYPE tokenType, _In_ RPC_BINDING_HANDLE handle)
 {
     wil::unique_handle contextToken;
diff --git a/src/windows/common/WslSecurity.h b/src/windows/common/WslSecurity.h
@@ -107,6 +107,11 @@ wil::unique_handle GetUserToken(_In_ TOKEN_TYPE tokenType, _In_ RPC_BINDING_HAND
 /// </summary>
 bool IsTokenElevated(_In_ HANDLE token);
 
+/// <summary>
+/// Returns true if the current token is elevated and Windows Admin Protection (shadow admin) is enabled.
+/// </summary>
+bool IsAdminProtectionEnabled();
+
 /// <summary>
 /// Returns true if the provided token is a member of the localsystem group
 /// </summary>
diff --git a/src/windows/common/wslutil.cpp b/src/windows/common/wslutil.cpp
@@ -526,6 +526,7 @@ std::wstring wsl::windows::common::wslutil::GetErrorString(HRESULT result)
 {
     ULONG buildNumber = 0;
     std::wstring kbUrl;
+    std::wstring errorString;
 
     switch (result)
     {
@@ -545,14 +546,16 @@ std::wstring wsl::windows::common::wslutil::GetErrorString(HRESULT result)
         return Localization::MessageHigherIntegrity();
 
     case WSL_E_DEFAULT_DISTRO_NOT_FOUND:
-        return Localization::MessageNoDefaultDistro();
+        errorString = Localization::MessageNoDefaultDistro();
+        break;
 
     case HRESULT_FROM_WIN32(WSAECONNABORTED):
     case HRESULT_FROM_WIN32(ERROR_SHUTDOWN_IN_PROGRESS):
         return Localization::MessageInstanceTerminated();
 
     case WSL_E_DISTRO_NOT_FOUND:
-        return Localization::MessageDistroNotFound();
+        errorString = Localization::MessageDistroNotFound();
+        break;
 
     case HRESULT_FROM_WIN32(ERROR_ALREADY_EXISTS):
         return Localization::MessageDistroNameAlreadyExists();
@@ -695,7 +698,26 @@ std::wstring wsl::windows::common::wslutil::GetErrorString(HRESULT result)
     }
     }
 
-    return GetSystemErrorString(result);
+    if (errorString.empty())
+    {
+        return GetSystemErrorString(result);
+    }
+
+    // If Admin Protection is enabled, prepend an informational message for
+    // errors that may be caused by the shadow admin's separate registry hive.
+    try
+    {
+        if (wsl::windows::common::security::IsAdminProtectionEnabled())
+        {
+            auto message = Localization::MessageAdminProtectionEnabled();
+            message += L"\n\n";
+            message += errorString;
+            return message;
+        }
+    }
+    CATCH_LOG()
+
+    return errorString;
 }
 
 std::optional<std::pair<std::wstring, GitHubReleaseAsset>> wsl::windows::common::wslutil::GetGitHubAssetFromRelease(const GitHubRelease& Release)
