Add learning-mode broker Windows service and host-prep plumbing #599
Open
richiemsft wants to merge 7 commits into
Conversation
Introduces the privileged learning-mode broker service (mxc-learning-mode-broker), which brokers ETW-based access-denial capture over a named pipe, plus the wxc-host-prep install/uninstall/dump plumbing to register it as a Windows service. This is the producer half of the captureDenials feature and is inert until the consumer (CLI) side lands: it installs but nothing invokes it yet, so it merges first as a self-contained building block.

- New crate learning_mode_broker_protocol: the named-pipe RPC wire protocol (pure serde), decoupled so the privileged service does not pull in the consumer-side ETW backend.
- New crate mxc_learning_mode_broker: the service (main/service/pipe_server/etw_session/caller_context).
- wxc-host-prep: install-/uninstall-/dump-learning-mode-broker subcommands and --broker-path; LSA privilege grant plumbing.
- Workspace/build/CI wiring: members, windows-service + Win32_Security_Authentication_Identity, build.bat copy step, and signPattern entry.
- Docs: deployment-and-lifecycle.md and host-prep.md updates.

Hardening (post-review):

- Pipe DACL denies FILE_CREATE_PIPE_INSTANCE to Interactive Users and adds an explicit LocalService ACE, preventing pipe-squatting and fixing a latent "serves only one connection per start" bug. Clients must open the pipe with the explicit access mask 0x0012019b (not GENERIC_WRITE).
- Free the SDDL-derived security descriptor (LocalFree) after CreateNamedPipeW.
- Stop/Shutdown now wakes the blocked ConnectNamedPipe via a self-connect so the service stops promptly instead of hanging until the next client.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Contributor
Pull request overview
This PR adds the Windows “learning-mode” broker producer components: a new privileged Windows service (mxc-learning-mode-broker) that brokers ETW session creation over a hardened named pipe, plus wxc-host-prep subcommands to install/uninstall/inspect the service and grant LocalService the needed LSA privilege.
Changes:
- Introduces learning_mode_broker_protocol (serde-only) and mxc_learning_mode_broker (Windows service + named pipe server + ETW session management).
- Extends wxc-host-prep with install-learning-mode-broker, uninstall-learning-mode-broker, and dump-learning-mode-broker and wires in windows-service.
- Updates build/signing wiring and documentation, including a new lifecycle/deployment design doc.
Reviewed changes
Copilot reviewed 18 out of 19 changed files in this pull request and generated 6 comments.
| File | Description |
|---|---|
| src/host/wxc_host_prep/src/main.rs | Adds Windows-only module wiring for learning-mode broker commands. |
| src/host/wxc_host_prep/src/cli.rs | Adds CLI subcommands for install/uninstall/dump of the broker service. |
| src/host/wxc_host_prep/src/learning_mode_broker/mod.rs | Implements service registration and broker binary staging into %ProgramFiles%\Mxc. |
| src/host/wxc_host_prep/src/learning_mode_broker/privilege.rs | Grants SeSystemProfilePrivilege to LocalService via LSA APIs. |
| src/host/wxc_host_prep/Cargo.toml | Adds windows-service dependency on Windows. |
| src/host/mxc_learning_mode_broker/src/main.rs | Adds the Windows-only broker service entrypoint with --debug mode. |
| src/host/mxc_learning_mode_broker/src/service.rs | Adds SCM service dispatcher/control-handler wiring. |
| src/host/mxc_learning_mode_broker/src/pipe_server.rs | Implements hardened named-pipe accept loop and request handling. |
| src/host/mxc_learning_mode_broker/src/etw_session.rs | Implements privileged ETW session creation and PID-filter updates. |
| src/host/mxc_learning_mode_broker/src/caller_context.rs | Implements per-connection caller SID identification and PID access checks via impersonation. |
| src/host/mxc_learning_mode_broker/Cargo.toml | Declares the new Windows-only broker binary crate. |
| src/core/learning_mode_broker_protocol/src/lib.rs | Adds the shared request/response wire shapes, constants, and error codes. |
| src/core/learning_mode_broker_protocol/Cargo.toml | Adds the new protocol crate (serde-only). |
| src/Cargo.toml | Wires new crates into the workspace and adds required Windows feature/deps. |
| src/Cargo.lock | Records new crates and windows-service dependency. |
| docs/learning-mode/deployment-and-lifecycle.md | Adds a detailed draft design for deployment/lifecycle of the broker and capture flow. |
| docs/host-prep.md | Documents new host-prep subcommands for the broker service. |
| build.bat | Copies mxc-learning-mode-broker.exe into the SDK bin output. |
| .azure-pipelines/templates/Rust.Build.Job.yml | Adds the broker binary to the signing pattern. |
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
The review bot's auto-fixes covered the doc/comment findings; these are the three substantive ones it left open:

- pipe_server: reassemble message-mode requests that span multiple reads (ERROR_MORE_DATA), bounded by MAX_REQUEST_SIZE, replying with a structured BAD_REQUEST instead of dropping oversized connections
- service/main: single-source the SCM service name so the dispatcher and control-handler registrations cannot desync
- protocol: correct framing docs (message-mode pipe, not newline-delimited)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
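The first item above, bounded reassembly of a message-mode request with a structured rejection, is the one a reviewer most wants to see written out, because the naive version (one read, drop the connection on overflow) is both the latent bug and the easy denial-of-service lever against a privileged service. The following is an added example, not the PR's pipe_server.rs. On Windows, ReadFile on a PIPE_READMODE_MESSAGE pipe returns ERROR_MORE_DATA when the caller's buffer held only the first part of a message; here that outcome is modelled by a small PipeRead trait and a constructed ScriptedPipe so the logic runs and tests on any platform. MAX_REQUEST_SIZE, the OK/BAD_REQUEST codes and the Response shape are assumptions of this example, not the protocol crate's values.

```rust
// Added example, not the PR's pipe_server.rs: reassemble a message-mode
// named-pipe request that spans several reads, bound the total size, and
// answer an oversized request with a structured BAD_REQUEST instead of
// dropping the connection. ERROR_MORE_DATA is modelled by ReadOutcome so the
// code runs off-Windows. Limits and codes below are assumed, not the crate's.

pub const MAX_REQUEST_SIZE: usize = 64 * 1024; // assumed bound
const READ_BUF_SIZE: usize = 4096;

#[derive(Debug, PartialEq)]
pub enum ReadOutcome {
    Complete(usize),  // bytes delivered; message ended with this read
    MoreData(usize),  // bytes delivered; message continues (ERROR_MORE_DATA)
    Disconnected,     // peer closed (ERROR_BROKEN_PIPE) or nothing more will arrive
}

pub trait PipeRead {
    fn read(&mut self, buf: &mut [u8]) -> ReadOutcome;
}

#[derive(Debug, PartialEq)]
pub enum RequestError {
    TooLarge { limit: usize },
    Disconnected,
}

/// Accumulate exactly one message. Fails with TooLarge the moment the
/// accumulated length would exceed `limit`, so a hostile client cannot make
/// the privileged service buffer an unbounded message before being rejected.
pub fn read_request<R: PipeRead>(pipe: &mut R, limit: usize) -> Result<Vec<u8>, RequestError> {
    let mut msg = Vec::new();
    let mut buf = [0u8; READ_BUF_SIZE];
    loop {
        match pipe.read(&mut buf) {
            ReadOutcome::Disconnected => return Err(RequestError::Disconnected),
            ReadOutcome::Complete(n) | ReadOutcome::MoreData(n) if msg.len() + n > limit => {
                return Err(RequestError::TooLarge { limit });
            }
            ReadOutcome::Complete(n) => {
                msg.extend_from_slice(&buf[..n]);
                return Ok(msg);
            }
            ReadOutcome::MoreData(n) => msg.extend_from_slice(&buf[..n]),
        }
    }
}

pub const OK: u32 = 0; // assumed code
pub const BAD_REQUEST: u32 = 400; // assumed code

/// Structured reply written back on the same pipe. The real protocol crate
/// serialises its response type with serde; this stand-in is a plain struct.
#[derive(Debug, PartialEq)]
pub struct Response {
    pub code: u32,
    pub message: String,
}

/// One connection: read a request and answer it, or give up if the peer is
/// gone. An oversized request still gets a reply with a reason, not a reset.
pub fn handle_connection<R: PipeRead>(pipe: &mut R) -> Option<Response> {
    match read_request(pipe, MAX_REQUEST_SIZE) {
        Ok(bytes) => Some(Response { code: OK, message: format!("accepted {} bytes", bytes.len()) }),
        Err(RequestError::TooLarge { limit }) => Some(Response {
            code: BAD_REQUEST,
            message: format!("request exceeds {} bytes", limit),
        }),
        Err(RequestError::Disconnected) => None,
    }
}

/// Constructed stand-in for a message-mode pipe: serves one message in
/// buffer-sized pieces, then reports the peer as disconnected.
pub struct ScriptedPipe {
    data: Vec<u8>,
    pos: usize,
    closed: bool,
    pub reads: usize,
}

impl ScriptedPipe {
    pub fn new(message: Vec<u8>) -> Self {
        Self { data: message, pos: 0, closed: false, reads: 0 }
    }
}

impl PipeRead for ScriptedPipe {
    fn read(&mut self, buf: &mut [u8]) -> ReadOutcome {
        self.reads += 1;
        if self.closed {
            return ReadOutcome::Disconnected;
        }
        let n = (self.data.len() - self.pos).min(buf.len());
        buf[..n].copy_from_slice(&self.data[self.pos..self.pos + n]);
        self.pos += n;
        if self.pos < self.data.len() {
            ReadOutcome::MoreData(n)
        } else {
            self.closed = true;
            ReadOutcome::Complete(n)
        }
    }
}

fn main() {
    let mut small = ScriptedPipe::new(vec![b'{'; 10_000]); // constructed 10 KB request
    println!("{:?} after {} reads", handle_connection(&mut small), small.reads);
    let mut huge = ScriptedPipe::new(vec![b'{'; 100_000]); // constructed oversized request
    println!("{:?} after {} reads", handle_connection(&mut huge), huge.reads);
}
```

The check sits before the bytes are appended, so with a 4 KiB read buffer and a 64 KiB limit the 100 KB request is rejected on the 17th read with at most the limit buffered, and the remaining tail is never read. On the real pipe, after writing the BAD_REQUEST reply the server should disconnect the instance so the unread tail is discarded rather than parsed as a second request.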
Contributor
Author
/azp run
Azure Pipelines successfully started running 1 pipeline(s).
Contributor
Author
/azp run
Azure Pipelines successfully started running 1 pipeline(s).
The Service PR's build.bat copies mxc-learning-mode-broker.exe into sdk/bin/<arch>/, but the SDK integration 'should not contain unexpected binaries' test flagged it. Add it to EXPECTED_WINDOWS_BINARIES alongside wxc-host-prep.exe (both host binaries copied with the same if-exist guard). Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Contributor
Author
/azp run
Azure Pipelines successfully started running 1 pipeline(s).
The broker is only copied into sdk/bin when it is built (full build.bat); some CI SDK builds (GitHub Actions Windows) do not produce it. Marking it required in EXPECTED_WINDOWS_BINARIES broke 'should have all Windows binaries present' there. Move it to OPTIONAL_BINARIES: allowed if present (so 'no unexpected binaries' passes on Azure) but not required (so 'all present' passes where it is absent). Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Contributor
Author
/azp run
Azure Pipelines successfully started running 1 pipeline(s).
GitHub Actions runs the PR validation build automatically. The ADO pipeline (MXC-PR-Build) is the official build pipeline that signs the binaries; it runs on merge to main and nightly, and Microsoft reviewers can trigger it on a PR with /azp run. See docs/pull-requests.md.