Windows Controlled Folder Access (and autoupdate)

[directionless]

We occasionally get reports of launcher encountering a permissions denied error. It sometimes looks like:

ts=2020-01-10T15:25:21.7871962Z caller=svc_windows.go:106 severity=info msg="runLauncher exited" err="open launcher db: open C:\\Program Files\\Kolide\\Launcher-kolide-k2\\data\\launcher.db: Access is denied." 
stack="open C:\\Program Files\\Kolide\\Launcher-kolide-k2\\data\\launcher.db: Access is denied.
open launcher db
main.runLauncher
  /Users/seph/go/src/github.com/kolide/launcher/cmd/launcher/launcher.go:89
main.*winSvc).Execute.func1
   /Users/seph/go/src/github.com/kolide/launcher/cmd/launcher/svc_windows.go:104
runtime.goexit
    /usr/local/Cellar/go/1.12.9/libexec/src/runtime/asm_amd64.s:1337"

This can be resolved by using the file explorer to grant the end user permissions to the kolide folders. It might also be fixed when people run launcher in the foreground.

We're theorizing that this is due to the windows 10 Controlled Folder setting. Possible because launcher stores it's data in Program Files, and not in ProgramData.

Still researching

[directionless]

On possible workaround, which I don't love, would be to have launcher add itself to the whitelist, or to exclude it's data directory. Might be able to poke around these possible powershell commands:

Disable-MpPreference -ControlledFolderAccessProtectedFolders "D:\folder\path\to\remove"
Add-MpPreference -ControlledFolderAccessAllowedApplications "D:\path\to\app\app.exe"

[directionless]

I haven't seen this in ages