Fix catalog connection failure due to AppCapability::CreateWithProcessIdForUser throwing E_INVALIDARG when called with a null user on Windows 10 v1903 (#5475)

Fulgen301 · web-flow · commit 68e3fc2979b1 · 2025-05-27T10:18:29.000-07:00
`AppCapability::CreateWithProcessIdForUser` does not accept a null user
on Windows 10 v1903. Treat this case as if the API didn't exist.
diff --git a/src/Microsoft.Management.Deployment/Helpers.cpp b/src/Microsoft.Management.Deployment/Helpers.cpp
@@ -78,26 +78,36 @@ namespace winrt::Microsoft::Management::Deployment::implementation
             // Get the caller process id and use it to check if the caller has permissions to access the feature.
             winrt::Windows::Security::Authorization::AppCapabilityAccess::AppCapabilityAccessStatus status = winrt::Windows::Security::Authorization::AppCapabilityAccess::AppCapabilityAccessStatus::DeniedBySystem;
 
-            auto capability = winrt::Windows::Security::Authorization::AppCapabilityAccess::AppCapability::CreateWithProcessIdForUser(nullptr, GetStringForCapability(requiredCapability), callerProcessId);
-            status = capability.CheckAccess();
+            winrt::Windows::Security::Authorization::AppCapabilityAccess::AppCapability capability{ nullptr };
 
-            allowed = (status == winrt::Windows::Security::Authorization::AppCapabilityAccess::AppCapabilityAccessStatus::Allowed);
-        }
-        else
-        {
-            // If AppCapability is not present, require at least medium IL callers
-            auto requiredIntegrityLevel = AppInstaller::Security::IntegrityLevel::Medium;
-
-            if (callerProcessId != GetCurrentProcessId())
+            try
+            {
+                capability = winrt::Windows::Security::Authorization::AppCapabilityAccess::AppCapability::CreateWithProcessIdForUser(nullptr, GetStringForCapability(requiredCapability), callerProcessId);
+            }
+            catch (const winrt::hresult_invalid_argument&)
             {
-                allowed = AppInstaller::Security::IsCOMCallerIntegrityLevelAtLeast(requiredIntegrityLevel);
             }
-            else
+
+            if (capability)
             {
-                allowed = AppInstaller::Security::IsCurrentIntegrityLevelAtLeast(requiredIntegrityLevel);
+                status = capability.CheckAccess();
+
+                return ((status == winrt::Windows::Security::Authorization::AppCapabilityAccess::AppCapabilityAccessStatus::Allowed) ? S_OK : E_ACCESSDENIED);
             }
         }
 
+        // If AppCapability is not present, require at least medium IL callers
+        auto requiredIntegrityLevel = AppInstaller::Security::IntegrityLevel::Medium;
+
+        if (callerProcessId != GetCurrentProcessId())
+        {
+            allowed = AppInstaller::Security::IsCOMCallerIntegrityLevelAtLeast(requiredIntegrityLevel);
+        }
+        else
+        {
+            allowed = AppInstaller::Security::IsCurrentIntegrityLevelAtLeast(requiredIntegrityLevel);
+        }
+
         return (allowed ? S_OK : E_ACCESSDENIED);
     }
 
