Add learning-mode broker Windows service and host-prep plumbing#599

Open: richiemsft wants to merge 7 commits into main from user/saulg/learning-mode-broker-service

richiemsft commented Jul 1, 2026

Introduces the privileged learning-mode broker service (mxc-learning-mode-broker), which brokers ETW-based access-denial capture over a named pipe, plus the wxc-host-prep install/uninstall/dump plumbing to register it as a Windows service.

This is the producer half of the captureDenials feature and is inert until the consumer (CLI) side lands: it installs but nothing invokes it yet, so it merges first as a self-contained building block.

  • New crate learning_mode_broker_protocol: the named-pipe RPC wire protocol (pure serde), decoupled so the privileged service does not pull in the consumer-side ETW backend.
  • New crate mxc_learning_mode_broker: the service (main/service/pipe_server/etw_session/caller_context).
  • wxc-host-prep: install-/uninstall-/dump-learning-mode-broker subcommands and --broker-path; LSA privilege grant plumbing.
  • Workspace/build/CI wiring: members, windows-service + Win32_Security_Authentication_Identity, build.bat copy step, and signPattern entry.
  • Docs: deployment-and-lifecycle.md and host-prep.md updates.

Hardening:

  • Pipe DACL denies FILE_CREATE_PIPE_INSTANCE to Interactive Users and adds an explicit LocalService ACE, preventing pipe-squatting and fixing a latent "serves only one connection per start" bug. Clients must open the pipe with the explicit access mask 0x0012019b (not GENERIC_WRITE).
  • Free the SDDL-derived security descriptor (LocalFree) after CreateNamedPipeW.
  • Stop/Shutdown wakes the blocked ConnectNamedPipe via a self-connect so the service stops promptly instead of hanging until the next client.

GitHub Actions runs the PR validation build automatically. The ADO pipeline
(MXC-PR-Build) is the official build pipeline that signs the binaries; it
runs on merge to main and nightly, and Microsoft reviewers can trigger it
on a PR with /azp run. See docs/pull-requests.md.

Introduces the privileged learning-mode broker service (mxc-learning-mode-broker),
which brokers ETW-based access-denial capture over a named pipe, plus the
wxc-host-prep install/uninstall/dump plumbing to register it as a Windows service.

This is the producer half of the captureDenials feature and is inert until the
consumer (CLI) side lands: it installs but nothing invokes it yet, so it merges
first as a self-contained building block.

- New crate learning_mode_broker_protocol: the named-pipe RPC wire protocol
  (pure serde), decoupled so the privileged service does not pull in the
  consumer-side ETW backend.
- New crate mxc_learning_mode_broker: the service (main/service/pipe_server/
  etw_session/caller_context).
- wxc-host-prep: install-/uninstall-/dump-learning-mode-broker subcommands and
  --broker-path; LSA privilege grant plumbing.
- Workspace/build/CI wiring: members, windows-service + Win32_Security_Authentication_Identity,
  build.bat copy step, and signPattern entry.
- Docs: deployment-and-lifecycle.md and host-prep.md updates.

Hardening (post-review):
- Pipe DACL denies FILE_CREATE_PIPE_INSTANCE to Interactive Users and adds an
  explicit LocalService ACE, preventing pipe-squatting and fixing a latent
  "serves only one connection per start" bug. Clients must open the pipe with the
  explicit access mask 0x0012019b (not GENERIC_WRITE).
- Free the SDDL-derived security descriptor (LocalFree) after CreateNamedPipeW.
- Stop/Shutdown now wakes the blocked ConnectNamedPipe via a self-connect so the
  service stops promptly instead of hanging until the next client.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings July 1, 2026 21:42
@richiemsft richiemsft requested a review from a team as a code owner July 1, 2026 21:42
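
Why the description's client mask 0x0012019b works where GENERIC_WRITE does not, as an added example that is not code from this PR: on pipe objects FILE_CREATE_PIPE_INSTANCE shares bit 0x4 with FILE_APPEND_DATA, which GENERIC_WRITE maps to, so the deny ACE rejects the whole open. The allow mask and the two-ACE access check are simplifying assumptions.

```rust
// Standard Windows access-right values for file and pipe objects.
const FILE_READ_DATA: u32 = 0x0001;
const FILE_WRITE_DATA: u32 = 0x0002;
const FILE_CREATE_PIPE_INSTANCE: u32 = 0x0004; // same bit as FILE_APPEND_DATA
const FILE_READ_EA: u32 = 0x0008;
const FILE_WRITE_EA: u32 = 0x0010;
const FILE_READ_ATTRIBUTES: u32 = 0x0080;
const FILE_WRITE_ATTRIBUTES: u32 = 0x0100;
const READ_CONTROL: u32 = 0x0002_0000;
const SYNCHRONIZE: u32 = 0x0010_0000;
const GENERIC_WRITE: u32 = 0x4000_0000;
const GENERIC_READ: u32 = 0x8000_0000;
const FILE_GENERIC_READ: u32 =
    READ_CONTROL | FILE_READ_DATA | FILE_READ_ATTRIBUTES | FILE_READ_EA | SYNCHRONIZE;
const FILE_GENERIC_WRITE: u32 = READ_CONTROL | FILE_WRITE_DATA | FILE_WRITE_ATTRIBUTES
    | FILE_WRITE_EA | FILE_CREATE_PIPE_INSTANCE | SYNCHRONIZE;

/// Expand generic bits into specific rights, as the file-object generic mapping does.
fn map_generic(mut mask: u32) -> u32 {
    if mask & GENERIC_READ != 0 { mask = (mask & !GENERIC_READ) | FILE_GENERIC_READ; }
    if mask & GENERIC_WRITE != 0 { mask = (mask & !GENERIC_WRITE) | FILE_GENERIC_WRITE; }
    mask
}

/// Simplified DACL walk: one deny ACE ordered before one allow ACE for the same caller.
fn open_allowed(requested: u32, denied: u32, allowed: u32) -> bool {
    let want = map_generic(requested);
    (want & denied) == 0 && (want & !allowed) == 0
}

/// Names of the specific rights set in `mask`, for logging a client's request.
fn describe(mask: u32) -> Vec<&'static str> {
    const NAMES: [(u32, &str); 9] = [
        (FILE_READ_DATA, "FILE_READ_DATA"), (FILE_WRITE_DATA, "FILE_WRITE_DATA"),
        (FILE_CREATE_PIPE_INSTANCE, "FILE_CREATE_PIPE_INSTANCE"),
        (FILE_READ_EA, "FILE_READ_EA"), (FILE_WRITE_EA, "FILE_WRITE_EA"),
        (FILE_READ_ATTRIBUTES, "FILE_READ_ATTRIBUTES"),
        (FILE_WRITE_ATTRIBUTES, "FILE_WRITE_ATTRIBUTES"),
        (READ_CONTROL, "READ_CONTROL"), (SYNCHRONIZE, "SYNCHRONIZE"),
    ];
    NAMES.iter().filter(|&&(bit, _)| mask & bit != 0).map(|&(_, name)| name).collect()
}

fn main() {
    let allow = FILE_GENERIC_READ | FILE_GENERIC_WRITE; // assumed allow ACE, not from the PR
    for req in [0x0012_019b, GENERIC_READ | GENERIC_WRITE] {
        let ok = open_allowed(req, FILE_CREATE_PIPE_INSTANCE, allow);
        println!("{req:#010x} -> {:?} allowed={ok}", describe(map_generic(req)));
    }
}
```
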

Copilot AI left a comment

Pull request overview

This PR adds the Windows “learning-mode” broker producer components: a new privileged Windows service (mxc-learning-mode-broker) that brokers ETW session creation over a hardened named pipe, plus wxc-host-prep subcommands to install/uninstall/inspect the service and grant LocalService the needed LSA privilege.

Changes:

  • Introduces learning_mode_broker_protocol (serde-only) and mxc_learning_mode_broker (Windows service + named pipe server + ETW session management).
  • Extends wxc-host-prep with install-learning-mode-broker, uninstall-learning-mode-broker, and dump-learning-mode-broker and wires in windows-service.
  • Updates build/signing wiring and documentation, including a new lifecycle/deployment design doc.

Reviewed changes

Copilot reviewed 18 out of 19 changed files in this pull request and generated 6 comments.

| File | Description |
| --- | --- |
| src/host/wxc_host_prep/src/main.rs | Adds Windows-only module wiring for learning-mode broker commands. |
| src/host/wxc_host_prep/src/cli.rs | Adds CLI subcommands for install/uninstall/dump of the broker service. |
| src/host/wxc_host_prep/src/learning_mode_broker/mod.rs | Implements service registration and broker binary staging into %ProgramFiles%\Mxc. |
| src/host/wxc_host_prep/src/learning_mode_broker/privilege.rs | Grants SeSystemProfilePrivilege to LocalService via LSA APIs. |
| src/host/wxc_host_prep/Cargo.toml | Adds windows-service dependency on Windows. |
| src/host/mxc_learning_mode_broker/src/main.rs | Adds the Windows-only broker service entrypoint with --debug mode. |
| src/host/mxc_learning_mode_broker/src/service.rs | Adds SCM service dispatcher/control-handler wiring. |
| src/host/mxc_learning_mode_broker/src/pipe_server.rs | Implements hardened named-pipe accept loop and request handling. |
| src/host/mxc_learning_mode_broker/src/etw_session.rs | Implements privileged ETW session creation and PID-filter updates. |
| src/host/mxc_learning_mode_broker/src/caller_context.rs | Implements per-connection caller SID identification and PID access checks via impersonation. |
| src/host/mxc_learning_mode_broker/Cargo.toml | Declares the new Windows-only broker binary crate. |
| src/core/learning_mode_broker_protocol/src/lib.rs | Adds the shared request/response wire shapes, constants, and error codes. |
| src/core/learning_mode_broker_protocol/Cargo.toml | Adds the new protocol crate (serde-only). |
| src/Cargo.toml | Wires new crates into the workspace and adds required Windows feature/deps. |
| src/Cargo.lock | Records new crates and windows-service dependency. |
| docs/learning-mode/deployment-and-lifecycle.md | Adds a detailed draft design for deployment/lifecycle of the broker and capture flow. |
| docs/host-prep.md | Documents new host-prep subcommands for the broker service. |
| build.bat | Copies mxc-learning-mode-broker.exe into the SDK bin output. |
| .azure-pipelines/templates/Rust.Build.Job.yml | Adds the broker binary to the signing pattern. |

Comment thread docs/host-prep.md Outdated
Comment thread src/core/learning_mode_broker_protocol/src/lib.rs Outdated
Comment thread src/host/mxc_learning_mode_broker/src/pipe_server.rs Outdated
Comment thread src/host/mxc_learning_mode_broker/src/pipe_server.rs Outdated
Comment thread src/host/mxc_learning_mode_broker/Cargo.toml Outdated
Comment thread src/host/mxc_learning_mode_broker/src/service.rs Outdated
richiemsft and others added 4 commits July 1, 2026 14:52
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
The review bot's auto-fixes covered the doc/comment findings; these are
the three substantive ones it left open:

- pipe_server: reassemble message-mode requests that span multiple reads
  (ERROR_MORE_DATA), bounded by MAX_REQUEST_SIZE, replying with a
  structured BAD_REQUEST instead of dropping oversized connections
- service/main: single-source the SCM service name so the dispatcher and
  control-handler registrations cannot desync
- protocol: correct framing docs (message-mode pipe, not newline-delimited)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
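
The bounded message-mode reassembly described in the commit above, as an added example that is not the PR's pipe_server code: `MessageReader`, `FakePipe`, the `Request` enum and the 64-byte `MAX_REQUEST_SIZE` value are hypothetical stand-ins, and draining an oversized message before answering is an assumed design choice.

```rust
use std::collections::VecDeque;

/// Hypothetical cap; the PR names MAX_REQUEST_SIZE but its value is not on this page.
const MAX_REQUEST_SIZE: usize = 64;

/// One message-mode read: the bytes returned and whether the message continues
/// (the ERROR_MORE_DATA case on a real pipe).
struct Chunk { data: Vec<u8>, more_data: bool }

/// Stand-in for a ReadFile wrapper so the logic runs without a pipe (hypothetical).
trait MessageReader { fn read_chunk(&mut self, buf_len: usize) -> Option<Chunk>; }

#[derive(Debug, PartialEq)]
enum Request { Complete(Vec<u8>), BadRequest { seen: usize }, Disconnected }

fn read_request(r: &mut dyn MessageReader, buf_len: usize) -> Request {
    let (mut msg, mut seen) = (Vec::new(), 0usize);
    loop {
        let Some(chunk) = r.read_chunk(buf_len) else { return Request::Disconnected };
        seen += chunk.data.len();
        // Past the cap, stop buffering but keep draining (assumed design) so the
        // next read starts on a message boundary and a reply can still be sent.
        if seen <= MAX_REQUEST_SIZE { msg.extend_from_slice(&chunk.data); }
        if !chunk.more_data { break; }
    }
    if seen > MAX_REQUEST_SIZE { Request::BadRequest { seen } } else { Request::Complete(msg) }
}

/// Constructed test double: whole messages handed out in buf_len-sized slices.
struct FakePipe { messages: VecDeque<Vec<u8>> }

impl MessageReader for FakePipe {
    fn read_chunk(&mut self, buf_len: usize) -> Option<Chunk> {
        let front = self.messages.front_mut()?;
        let n = buf_len.min(front.len());
        let data: Vec<u8> = front.drain(..n).collect();
        let more_data = !front.is_empty();
        if !more_data { self.messages.pop_front(); }
        Some(Chunk { data, more_data })
    }
}

fn main() {
    let mut pipe = FakePipe { messages: VecDeque::from(vec![vec![b'A'; 100], b"ping".to_vec()]) };
    println!("{:?}", read_request(&mut pipe, 16)); // oversized: BadRequest
    println!("{:?}", read_request(&mut pipe, 16)); // next message still framed
}
```

On a real pipe the drain itself should also be bounded, or the connection closed after the reply, since the client controls how long a single message is.
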
@richiemsft

/azp run

@azure-pipelines

Azure Pipelines successfully started running 1 pipeline(s).

@richiemsft

/azp run

@azure-pipelines

Azure Pipelines successfully started running 1 pipeline(s).

The Service PR's build.bat copies mxc-learning-mode-broker.exe into
sdk/bin/<arch>/, but the SDK integration 'should not contain unexpected
binaries' test flagged it. Add it to EXPECTED_WINDOWS_BINARIES alongside
wxc-host-prep.exe (both host binaries copied with the same if-exist guard).

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@richiemsft

/azp run

@azure-pipelines

Azure Pipelines successfully started running 1 pipeline(s).

The broker is only copied into sdk/bin when it is built (full build.bat);
some CI SDK builds (GitHub Actions Windows) do not produce it. Marking it
required in EXPECTED_WINDOWS_BINARIES broke 'should have all Windows
binaries present' there. Move it to OPTIONAL_BINARIES: allowed if present
(so 'no unexpected binaries' passes on Azure) but not required (so
'all present' passes where it is absent).

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@richiemsft

/azp run

@azure-pipelines

Azure Pipelines successfully started running 1 pipeline(s).
