[Problem/Bug]: Load failure from UNC path

[bstordrup]

What happened?

After getting the KB5036893 patch installed on a Windows 11 23H2 64 bit computer, some customers experience load errors when trying to start a Native application (MFC C++) that uses WebView2 as internal browser. The error occur before the main entry point is hit in our code. The error is complaining about not being able to load the WebView2Loader.dll with the error code 0xc0000428 (STATUS_INVALID_IMAGE_HASH)

The error occur when the app is loaded from a UNC path.

It works from a local path.

It starts working from UNC path also after uninstalling the KB5036893 patch.

Importance

Blocking. My app's basic functions are not working due to this issue.

Runtime Channel

Stable release (WebView2 Runtime)

Runtime Version

124.0.2478.97

SDK Version

1.0.1072.54

Framework

Win32

Operating System

Windows 11

OS Version

22631.3447

Repro steps

Not sure as I'm not able to reproduce locally. According to partner:

• Have the mentioned KB5036893 patch installed on the client computer
• Launch the native app from a network share (UNC path)
• Result: A Message box with an error and the error code 0xc0000428

Repros in Edge Browser

No, issue does not reproduce in the corresponding Edge version

Regression

Don't know

Last working version (if regression)

Working if the KB5036893 is uninstalled

[LiangTheDev]

If the error happens before any code is run, no WebView2 code is run either and it is likely something went wrong with the OS and we might have to get help from Windows support.

Have you checked Code Integrity Event Log Messages, which is Microsoft-Windows-CodeIntegrity/Operational in eventvwr and events in file %SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-CodeIntegrity%4Operational.evtx. There might be some clues on why the Code Integrity check failed.

[bstordrup]

@LiangTheDev, thank you for the link.

I digged into the page and some of the other pages available, and that leads me to a new question:

Is WebView2Loader.dll compiled with Code Integrity Guard? I found a description that Code Integrity events could be triggered if code compiled with Code Integrity Guard tried to load code that is not compiled with Code Integrity Guard (1).

And that is implemented to prevent code exploits by returning the error code STATUS_INVALID_IMAGE_HASH (2), which is exactly the error the customer gets.

1. https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations#wdac-block-events-for-executables-dlls-and-drivers:~:text=This%20event%20also%20occurs%20if%20code%20compiled%20with%20Code%20Integrity%20Guard%20(CIG)%20tries%20to%20load%20other%20code%20that%20doesn%27t%20meet%20the%20CIG%20requirements.
2. https://learn.microsoft.com/en-us/defender-endpoint/exploit-protection-reference#code-integrity-guard

[LiangTheDev]

WebView2Loader.dll is digitally signed by Microsoft. If it is not, we should also have problem with local path.

However, I noticed that the SDK version used is very old, and I remember that the signing cert was not be that strong with the old SDK. Try to update to the latest WebView2 SDK and see whether it works better.

[bstordrup]

@LiangTheDev, updating the WebView2Loader.dll solved the problem. Closing this issue.