Win32 apps are no longer required to be UWP apps to support LPAC (Less Privileged AppContainer). LPAC can be integrated into legacy applications, some of which, such as Chromium/Chrome, have already done so for a long time. During my tweaking I managed to somehow disable/break Chromium's/Chrome's "Network Service" Sandbox that uses LPAC and can be verified in "chrome://sandbox/". How am I to find out which of my tweaks does it exactly? I know that one of the requirements is to allow read permission to "ALL APPLICATION PACKAGES" and "ALL RESTRICTED APPLICATION PACKAGES" for Chromium's/Chrome's directory, but that is the default for software installed to "Program Files" and is assigned for Chromium's/Chrome's directory. When Chromium/Chrome uses "Network Service" sandbox, it creates a directory in "C:\Users\*Username*\AppData\Local\Packages", but some tweak I perform manages to stop the creation of that directory. It is probably what breaks the sandbox and I am just trying to figure out what it is without having to go through manual trial and error of every tweak I apply. I am concerned I may somehow be breaking "Network Service" Sandbox/AppContainer for other LPACs, but how can I check that?
I've got a few points that might help. Sometime within the last year, the Chromium team pushed a change that made the network service stop using LPAC and only use regular AppContainer. There were a few outstanding issues that caused them to make this change, unfortunately. So LPAC is not default anymore for the time being.

You can trigger LPAC though. I was able to confirm that it does launch the network service in LPAC on my system, but network functionality was non-functional. I'd have to test it more to see what's going on. Anyway, it can be triggered with the WinSboxNetworkServiceSandboxIsLPAC feature. For example:

Code:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default --enable-features=WinSboxNetworkServiceSandboxIsLPAC

That's for Edge, but you can modify for Chrome.

Also of importance, in your profile directory, there is a Network folder (likely Default\Network) although Default may be named differently. It should have the following capability ACL:

Code:
S-1-15-3-1024-1528657515-1944437972-2795272136-1227674495-293963776-353393192-4060142787-1908764039

What did you tweak exactly? That might help me figure out what could have gone wrong.
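
Added example, not part of either post: a PowerShell audit of the two ACL conditions named in this thread, so it can be re-run after each tweak instead of testing by trial and error. The default paths are assumptions (Edge install directory from the answer, a typical Edge profile location); the thread does not say which rights the capability SID needs on the Network folder, so for that SID the script only reports whether an allow ACE exists.

```powershell
param(
    # Assumed locations; pass your own browser directory and profile name.
    [string]$InstallDir = "${env:ProgramFiles(x86)}\Microsoft\Edge\Application",
    [string]$NetworkDir = "$env:LOCALAPPDATA\Microsoft\Edge\User Data\Default\Network"
)

# Capability SID quoted in the answer above.
$capSid = 'S-1-15-3-1024-1528657515-1944437972-2795272136-1227674495-293963776-353393192-4060142787-1908764039'
$read   = [int][System.Security.AccessControl.FileSystemRights]::Read

# Returns the rights granted by allow ACEs that apply to $Path itself for $Sid,
# $null if the path is missing. Deny ACEs are not evaluated here.
function Get-AllowedRights {
    param([string]$Path, [string]$Sid)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
    $sidType     = [System.Security.Principal.SecurityIdentifier]
    $mask = 0
    # Ask for SID identities so unresolvable capability SIDs still compare correctly.
    foreach ($ace in (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, $sidType)) {
        if ($ace.IdentityReference.Value -ne $Sid) { continue }
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.PropagationFlags.HasFlag($inheritOnly)) { continue }  # applies to children only
        $mask = $mask -bor [int]$ace.FileSystemRights
    }
    return [System.Security.AccessControl.FileSystemRights]$mask
}

$checks = @(
    @{ Path = $InstallDir; Sid = 'S-1-15-2-1'; Name = 'ALL APPLICATION PACKAGES';            NeedRead = $true  },
    @{ Path = $InstallDir; Sid = 'S-1-15-2-2'; Name = 'ALL RESTRICTED APPLICATION PACKAGES'; NeedRead = $true  },
    @{ Path = $NetworkDir; Sid = $capSid;      Name = 'capability SID from the answer';      NeedRead = $false }
)

foreach ($c in $checks) {
    $rights = Get-AllowedRights -Path $c.Path -Sid $c.Sid
    $status = if ($null -eq $rights) { 'path missing' }
              elseif ([int]$rights -eq 0) { 'NO ALLOW ACE' }
              elseif ($c.NeedRead -and (([int]$rights -band $read) -ne $read)) { 'ACE present, read incomplete' }
              else { 'ok' }
    [pscustomobject]@{ Path = $c.Path; Principal = $c.Name; Status = $status; Rights = $rights }
}
```

Run it once on a clean profile to record a baseline, then again after each tweak; the first run whose Status column changes identifies the tweak that altered these ACLs.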