
Deploy and test WinUI3 app from an untrusted mount point


I have a MAUI app that I would like to test on Windows (which uses WinUI3 under the hood). However, it uses a library with a very long file path that I cannot deploy (reported GitHub issue). I cannot shorten the folder any further because it's inside a larger project structure.

I thought about using a junction to shorten it:

New-Item -ItemType Junction -Path "D:\MyLongProjectPath" -Target "D:\Temp\Proj"

The build was successful but when deploying, I encounter another problem:

DEP0700: Registration of the app failed. [0x80073CF0] error 0x800701C0: Opening file from location: AppxManifest.xml failed with error: The path cannot be traversed because it contains an untrusted mount point.

How do I make a junction "trusted", or allow registering it from an untrusted mount point?

Note: I only need to do this for testing, it's not for production.


Solution

  • The problem you are facing is related to https://unit42.paloaltonetworks.com/junctions-windows-redirection-trust-mitigation/.

    One solution is to have some system process create this junction point for you. Note that simply running an elevated application may not be enough; by a system process, I mean some kernel-mode code able to create a point under a system process. We have just recently added a similar workaround for this "problem" (a security measure in fact, but for our customers it is a problem) to the CBFS Connect product.

    What you may try to do for testing is redirect a request going to D:\Temp\Proj* to D:\MyLongProjectPath dynamically using CBFS Filter (a trial version will suffice). For this, you can add a reparse rule which will redirect requests. CBFS Filter doesn't use reparse points on the disk and just returns STATUS_REPARSE to a file open request. I presume that this should be enough to prevent the OS from blocking the request due to the above-referenced mitigation.

    IIRC, there are no samples for such reparsing, but the operation is trivial - a call to AddReparseRule and another call to start operations (you would need to install the driver that comes with CBFS Filter though, as it does all the heavy lifting).
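
To see which component of a path the 0x800701C0 error is reacting to, the following added example (not part of the question or the answer) walks from a file up to the drive root and lists every reparse point it passes. The function name is hypothetical and the path in the usage comment is a placeholder. The script only reports what is on disk; it does not decide whether Windows treats a junction as trusted.

```powershell
# Added diagnostic example. Get-ReparsePointsInPath is a hypothetical helper name.
function Get-ReparsePointsInPath {
    param(
        [Parameter(Mandatory)]
        [string]$Path
    )

    # -Force so hidden and system entries are returned as well.
    $item  = Get-Item -LiteralPath $Path -Force
    $found = @()

    while ($null -ne $item) {
        # Junctions, symbolic links and other reparse points all carry this attribute.
        if ($item.Attributes -band [IO.FileAttributes]::ReparsePoint) {
            $found += [pscustomobject]@{
                Path     = $item.FullName
                LinkType = $item.LinkType          # e.g. Junction or SymbolicLink
                Target   = ($item.Target -join '; ')
            }
        }

        # Move one level up lexically: FileInfo exposes .Directory,
        # DirectoryInfo exposes .Parent ($null at the drive root).
        if ($item -is [IO.FileInfo]) {
            $item = $item.Directory
        } else {
            $item = $item.Parent
        }
    }

    # Outermost component first, so the output reads in traversal order.
    [array]::Reverse($found)
    $found
}

# Usage (placeholder path, substitute the deployed manifest location):
# Get-ReparsePointsInPath -Path '<path to AppxManifest.xml>' | Format-Table -AutoSize
```

An empty result means no component of the path is a reparse point, so the deployment error would have to come from a different path than the one checked.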