Troubleshooting Windows Subsystem for Linux
We have covered some common troubleshooting scenarios associated with WSL below, but please consider searching the issues filed in the WSL product repo on GitHub as well.
The WSL product repo issues enables you to:
- Search existing issues to see if there are any associated with a problem that you are having. Note that in the search bar, you can remove "is:open" to include issues that have already been resolved in your search. Please consider commenting or giving a thumbs up to any open issues that you would like to express your interest in moving forward as a priority.
- File a new issue. If you have found a problem with WSL and there does not appear to be an existing issue, you can select the green New issue button and then choose WSL - Bug Report. You will need to include a title for the issue, your Windows build number (run
cmd.exe /c ver
to see your current build #), whether you're running WSL 1 or 2, your current Linux Kernel version # (runwsl.exe --status
orcat /proc/version
), the version # of your distribution (runlsb_release -r
), any other software versions involved, the repro steps, expected behavior, actual behavior, and diagnostic logs if available and appropriate. For more info, see contributing to WSL. - File a feature request by selecting the green New issue button and then select Feature request. You will need to address a few questions describing your request.
You can also:
- File a documentation issue using the WSL docs repo. To contribute to the WSL docs, see the Microsoft Docs contributor guide.
- File a Windows Terminal issue using the Windows Terminal product repo if your problem is related more to the Windows Terminal, Windows Console, or the command-line UI.
Installation failed with error 0x80070003
- The Windows Subsystem for Linux only runs on your system drive (usually this is your
C:
drive). Make sure that distributions are stored on your system drive: - On Windows 10 open Settings -> System -> Storage -> More Storage Settings: Change where new content is saved
- On Windows 11 open Settings -> System -> Storage -> Advanced storage settings -> Where new content is saved
- The Windows Subsystem for Linux only runs on your system drive (usually this is your
WslRegisterDistribution failed with error 0x8007019e
- The Windows Subsystem for Linux optional component is not enabled:
- Open Control Panel -> Programs and Features -> Turn Windows Feature on or off -> Check Windows Subsystem for Linux or using the PowerShell cmdlet mentioned at the beginning of this article.
Installation failed with error 0x80070003 or error 0x80370102
- Please make sure that virtualization is enabled inside of your computer's BIOS. The instructions on how to do this will vary from computer to computer, and will most likely be under CPU related options.
- WSL2 requires that your CPU supports the Second Level Address Translation (SLAT) feature, which was introduced in Intel Nehalem processors (Intel Core 1st Generation) and AMD Opteron. Older CPUs (such as the Intel Core 2 Duo) will not be able to run WSL2, even if the Virtual Machine Platform is successfully installed.
Error when trying to upgrade:
Invalid command line option: wsl --set-version Ubuntu 2
- Ensure that you have the Windows Subsystem for Linux enabled, and that you're using Windows Build version 18362 or later. To enable WSL run this command in a PowerShell prompt with admin privileges:
Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Windows-Subsystem-Linux
.
- Ensure that you have the Windows Subsystem for Linux enabled, and that you're using Windows Build version 18362 or later. To enable WSL run this command in a PowerShell prompt with admin privileges:
The requested operation could not be completed due to a virtual disk system limitation. Virtual hard disk files must be uncompressed and unencrypted and must not be sparse.
- Deselect "Compress contents" (as well as "Encrypt contents" if that’s checked) by opening the profile folder for your Linux distribution. It should be located in a folder on your Windows file system, something like:
%USERPROFILE%\AppData\Local\Packages\CanonicalGroupLimited...
- In this Linux distro profile, there should be a LocalState folder. Right-click this folder to display a menu of options. Select Properties > Advanced and then ensure that the "Compress contents to save disk space" and "Encrypt contents to secure data" checkboxes are unselected (not checked). If you are asked whether to apply this to just to the current folder or to all subfolders and files, select "just this folder" because you are only clearing the compress flag. After this, the
wsl --set-version
command should work.
- Deselect "Compress contents" (as well as "Encrypt contents" if that’s checked) by opening the profile folder for your Linux distribution. It should be located in a folder on your Windows file system, something like:
Note
In my case, the LocalState folder for my Ubuntu 18.04 distribution was located at C:\Users<my-user-name>\AppData\Local\Packages\CanonicalGroupLimited.Ubuntu18.04onWindows_79rhkp1fndgsc
Check WSL Docs GitHub thread #4103 where this issue is being tracked for updated information.
The term 'wsl' is not recognized as the name of a cmdlet, function, script file, or operable program.
- Ensure that the Windows Subsystem for Linux Optional Component is installed. Additionally, if you are using an ARM64 device and running this command from PowerShell, you will receive this error. Instead run
wsl.exe
from PowerShell Core, or Command Prompt.
- Ensure that the Windows Subsystem for Linux Optional Component is installed. Additionally, if you are using an ARM64 device and running this command from PowerShell, you will receive this error. Instead run
Error: Windows Subsystem for Linux has no installed distributions.
- If you receive this error after you have already installed WSL distributions:
- Run the distribution at least once before invoking it from the command line.
- Check whether you may be running separate user accounts. Running your primary user account with elevated permissions (in admin mode) should not result in this error, but you should ensure that you aren't accidentally running the built-in Administrator account that comes with Windows. This is a separate user account and will not show any installed WSL distributions by design. For more info, see Enable and Disable the Built-in Administrator Account.
- The WSL executable is only installed to the native system directory. When you’re running a 32-bit process on 64-bit Windows (or on ARM64, any non-native combination), the hosted non-native process actually sees a different System32 folder. (The one a 32-bit process sees on x64 Windows is stored on disk at \Windows\SysWOW64.) You can access the "native" system32 from a hosted process by looking in the virtual folder:
\Windows\sysnative
. It won’t actually be present on disk, mind you, but the filesystem path resolver will find it.
Error: This update only applies to machines with the Windows Subsystem for Linux.
- To install the Linux kernel update MSI package, WSL is required and should be enabled first. If it fails, it you will see the message:
This update only applies to machines with the Windows Subsystem for Linux
. - There are three possible reason you see this message:
You are still in old version of Windows which doesn't support WSL 2. See step #2 for version requirements and links to update.
WSL is not enabled. You will need to return to step #1 and ensure that the optional WSL feature is enabled on your machine.
After you enabled WSL, a reboot is required for it to take effect, reboot your machine and try again.
- To install the Linux kernel update MSI package, WSL is required and should be enabled first. If it fails, it you will see the message:
Error: WSL 2 requires an update to its kernel component. For information please visit https://aka.ms/wsl2kernel .
- If the Linux kernel package is missing in the %SystemRoot%\system32\lxss\tools folder, you will encounter this error. Resolve it by installing the Linux kernel update MSI package in step #4 of these installation instructions. You may need to uninstall the MSI from 'Add or Remove Programs', and install it again.
This is likely because your machine has not yet taken the backport for WSL 2. The simplest way to resolve this is by going to Windows Settings and clicking 'Check for Updates' to install the latest updates on your system. See the full instructions on taking the backport.
If you hit 'Check for Updates' and still do not receive the update you can install KB KB4566116 manually.
This may happen when 'Display Language' or 'System Locale' setting is not English.
wsl --set-default-version 2
Error: 0x1bc
For information on key differences with WSL 2 please visit https://aka.ms/wsl2
The actual error for 0x1bc
is:
WSL 2 requires an update to its kernel component. For information please visit https://aka.ms/wsl2kernel
For more information, please refer to issue 5749
A 9p protocol file server provides the service on the Linux side to allow Windows to access the Linux file system. If you cannot access WSL using \\wsl$
on Windows, it could be because 9P did not start correctly.
To check this, you can check the start up logs using: dmesg |grep 9p
, and this will show you any errors. A successful output looks like the following:
[ 0.363323] 9p: Installing v9fs 9p2000 file system support
[ 0.363336] FS-Cache: Netfs '9p' registered for caching
[ 0.398989] 9pnet: Installing 9P2000 support
Please see this GitHub thread for further discussion on this issue.
If your display language is not English, then it is possible you are seeing a truncated version of an error text.
C:\Users\me>wsl
WSL 2
To resolve this issue, please visit https://aka.ms/wsl2kernel
and install the kernel manually by following the directions on that doc page.
Users can run Windows executables like notepad.exe directly from Linux. Sometimes, you may hit "command not found" like below:
$ notepad.exe
-bash: notepad.exe: command not found
If there are no Win32 paths in your $PATH, interop isn't going to find the .exe.
You can verify it by running echo $PATH
in Linux. It's expected that you will see a Win32 path (for example, /mnt/c/Windows) in the output.
If you can't see any Windows paths then most likely your PATH is being overwritten by your Linux shell.
Here is an example that /etc/profile on Debian contributed to the problem:
if [ "`id -u`" -eq 0 ]; then
PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
else
PATH="/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games"
fi
The correct way on Debian is to remove above lines. You may also append $PATH during the assignment like below, but this lead to some other problems with WSL and VSCode..
if [ "`id -u`" -eq 0 ]; then
PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:$PATH"
else
PATH="/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games:$PATH"
fi
For more information, see issue 5296 and issue 5779.
"Error: 0x80370102 The virtual machine could not be started because a required feature is not installed."
Please enable the Virtual Machine Platform Windows feature and ensure virtualization is enabled in the BIOS.
Check the Hyper-V system requirements
If your machine is a VM, enable nested virtualization manually. Launch powershell with admin, and run the following command, replacing
<VMName>
with the name of the virtual machine on your host system (you can find the name in your Hyper-V Manager):Set-VMProcessor -VMName <VMName> -ExposeVirtualizationExtensions $true
Please follow guidelines from your PC's manufacturer on how to enable virtualization. In general, this can involve using the system BIOS to ensure that these features are enabled on your CPU. Instructions for this process can vary from machine to machine, please see this article from Bleeping Computer for an example.
Restart your machine after enabling the
Virtual Machine Platform
optional component.Make sure that the hypervisor launch is enabled in your boot configuration. You can validate this by running (elevated powershell):
bcdedit /enum | findstr -i hypervisorlaunchtype
If you see
hypervisorlaunchtype Off
, then the hypervisor is disabled. To enable it run in an elevated powershell:bcdedit /set hypervisorlaunchtype Auto
Additionally, if you have 3rd party hypervisors installed (Such as VMware or VirtualBox) then please ensure you have these on the latest versions which can support HyperV (VMware 15.5.5+ and VirtualBox 6+) or are turned off.
If you are receiving this error on an Azure Virtual Machine, check to ensure that Trusted Launch is disabled. Nested Virtualization is not supported on Azure virtual machines with Trusted Launch.
Learn more about how to Configure Nested Virtualization when running Hyper-V in a Virtual Machine.
Business or Enterprise environments may have Windows Defender Firewall settings configured to block unauthorized network traffic. If local rule merging is set to "No" then WSL networking will not work by default, and your administrator will need to add a firewall rule to allow it.
You can confirm local rule merging's setting by following these steps:
- Open "Windows Defender Firewall with advanced security" (this is different than "Windows Defender Firewall" in the Control Panel)
- Right-click on the "Windows Defender Firewall with advanced security on Local Computer" tab
- Select "Properties"
- Select the "Public Profile" tab on the new Window that opens
- Select "Customize" under the "Settings" section
- Check in the "Customize Settings for the Public Profile" window that opens to see if "Rule Merging" is set to "No". This will block access to WSL.
You can find instructions on how to change this Firewall setting in Configure Hyper-V firewall.
If after connecting to a VPN on Windows, bash loses network connectivity, try this workaround from within bash. This workaround will allow you to manually override the DNS resolution through /etc/resolv.conf
.
- Take a note of the DNS server of the VPN from doing
ipconfig.exe /all
- Make a copy of the existing resolv.conf
sudo cp /etc/resolv.conf /etc/resolv.conf.new
- Unlink the current resolv.conf
sudo unlink /etc/resolv.conf
sudo mv /etc/resolv.conf.new /etc/resolv.conf
- Edit
/etc/wsl.conf
and add this content to the file. (More info on this set up can be found in Advanced settings configuration)
[network]
generateResolvConf=false
- Open
/etc/resolv.conf
and
a. Delete the first line from the file which has a comment describing automatic generation
b. Add the DNS entry from (1) above as the very first entry in the list of DNS servers.
c. Close the file.
Once you have disconnected the VPN, you will have to revert the changes to /etc/resolv.conf
. To do this, do:
cd /etc
sudo mv resolv.conf resolv.conf.new
sudo ln -s ../run/resolvconf/resolv.conf resolv.conf
The Cisco AnyConnect VPN modifies routes in a way which prevents NAT from working. There is a workaround specific to WSL 2: See Cisco AnyConnect Secure Mobility Client Administrator Guide, Release 4.10 - Troubleshoot AnyConnect.
Mirrored networking mode is currently an experimental setting in the WSL Configuration. The traditional NAT networking architecture of WSL can be updated to an entirely new networking mode called “Mirrored networking mode”. When the experimental networkingMode
is set to mirrored
, the network interfaces that you have on Windows are mirrored into Linux to improve compatibility. Learn more in the Command Line blog: WSL September 2023 update.
Some VPNs have been tested and confirmed to be incompatible with WSL, including:
- "Bitdefender" version 26.0.2.1
- "OpenVPN" version 2.6.501
- "Mcafee Safe Connect" version 2.16.1.124
HTTP/S proxy mirroring can be configured using the autoProxy
setting in the experimental section of the WSL Configuration file. When applying this setting, note these considerations:
- PAC Proxy: WSL will configure the setting in Linux by Setting the "WSL_PAC_URL" environment variable. Linux does not support PAC proxies by default.
- Interactions with WSLENV: User defined environment variables take precedence over those specified by this feature.
When enabled, the following apply to proxy settings on your Linux distributions:
- The Linux environment variable,
HTTP_PROXY
, is set to the one or more HTTP proxies found installed in the Windows HTTP proxy configuration. - The Linux environment variable,
HTTPS_PROXY
, is set to the one or more HTTPS proxies found installed in the Windows HTTP proxy configuration. - The Linux environment variable,
NO_PROXY
, is set to bypass any HTTP/S proxies found in the Windows configuration targets. - Every environment variable, except
WSL_PAC_URL
, is set to both lower case and upper case. For example:HTTP_PROXY
andhttp_proxy
.
There is a known issue caused by ZScaler configurations, where ZScaler repeatedly enables and disables Windows proxy configurations, leading to WSL repeatedly showing the "An Http proxy change has been detected on the host" notification.
Learn more in the Command Line blog: WSL September 2023 update.
When WSL can’t connect to the internet, it might be because the DNS call to the Windows host is blocked. This is because the networking packet for DNS sent by the WSL VM to the Windows host is blocked by the existing networking configuration. DNS tunneling fixes this by using a virtualization feature to communicate with Windows directly, allowing the DNS name to be resolved without sending a networking packet. This feature should improve network compatibility and allow you to get better internet connectivity even if you have a VPN, specific firewall setup, or other networking configurations.
DNS Tunneling can be configured using the dnsTunneling
setting in the experimental section of the WSL Configuration file. When applying this setting, note these considerations:
- If you use a VPN with WSL, turn on DNS tunneling. Many VPNs use NRPT policies, which are only applied to WSL DNS queries when DNS tunneling is enabled.
- The
/etc/resolv.conf
file in your Linux distribution has a 3 DNS servers maximum limitation, while Windows may use more than 3 DNS servers. Using DNS tunneling removes this limitation – all Windows DNS servers can now be used by Linux. - WSL will use Windows DNS suffixes in the following order (similar to the order used by the Windows DNS client):
- Global DNS suffixes
- Supplemental DNS suffixes
- Per-interface DNS suffixes
- If DNS encryption (DoH, DoT) is enabled on Windows, encryption will be applied to DNS queries from WSL. If users want to enable DoH, DoT inside Linux, they need to disable DNS tunneling.
- DNS queries from Docker containers managed by Docker Desktop will bypass DNS tunneling. Docker Desktop has its own way (different from DNS tunneling) of applying host DNS settings and policies to DNS queries from Docker containers.
- In order for DNS tunneling to be succesfully enabled, the generateResolvConf option in the wsl.conf file should not be disabled.
- When DNS tunneling is enabled, the generateHosts option in the wsl.conf file is ignored (the Windows DNS hosts file is not copied in the Linux /etc/hosts file). The policies in the Windows hosts file will be applied to DNS queries from Linux, without the need for the file to be copied in Linux.
Learn more in the Command Line blog: WSL September 2023 update.
When using Mirrored networking mode (the experimental networkingMode
set to mirrored
), some inbound traffic received by the Windows host will never be steered to the Linux VM. This traffic is as follows:
- UDP port 68 (DHCP)
- TCP port 135 (DCE endpoint resolution)
- TCP port 1900 (UPnP)
- TCP port 2869 (SSDP)
- TCP port 5004 (RTP)
- TCP port 3702 (WSD)
- TCP port 5357 (WSD)
- TCP port 5358 (WSD)
WSL will automatically configure certain Linux networking settings when using mirrored networking mode. Any user configurations of these settings while using mirrored networking mode is not supported. Here is the list of settings WSL will configure:
Setting Name | Value |
---|---|
https://sysctl-explorer.net/net/ipv4/accept_local/ | Enabled (1) |
https://sysctl-explorer.net/net/ipv4/route_localnet/ | Enabled (1) |
https://sysctl-explorer.net/net/ipv4/rp_filter/ | Disabled (0) |
https://sysctl-explorer.net/net/ipv6/accept_ra/ | Disabled (0) |
https://sysctl-explorer.net/net/ipv6/autoconf/ | Disabled (0) |
https://sysctl-explorer.net/net/ipv6/use_tempaddr/ | Disabled (0) |
addr_gen_mode | Disabled (0) |
disable_ipv6 | Disabled (0) |
https://sysctl-explorer.net/net/ipv4/arp_filter/ | Enabled (1) |
Docker container issues in WSL2 with Mirrored networking mode enabled when running under the default networking namespace
There is a known issue in which Docker Desktop containers with published ports (docker run –publish/-p) will fail to be created. The WSL team is working with the Docker Desktop team to address this issue. To work around the issue, use the host’s networking namespace in the Docker container. Set the network type via the "--network host" option used in the "docker run" command. An alternative workaround is to list the published port number in the ignoredPorts
setting of the experimental section in the WSL Configuration file.
There is a known issue with Docker containers which have the Network Manager service running. Symptoms include failures when trying to make loopback connections to the host. It is recommended to stop the Network Manager service for WSL networking to be configured properly.
sudo systemctl disable network-manager.service
To resolve hostnames to IP addresses within a local network without the need for a conventional DNS server, .local names are often used. This is achieved through the mDNS (Multicast DNS) protocol, which relies on multicast traffic to function.
networkingMode set to NAT:
Currently, this feature is not supported when DNS tunneling is enabled. To enable the resolution of .local names, we recommend the following solutions:
- Disable DNS tunneling.
- Use mirrored networking mode.
networkingMode set to Mirrored:
Note: You need to be on WSL build 2.3.17 or higher in order to have the functionality below.
Since Mirrored mode supports multicast traffic, the mDNS (Multicast DNS) protocol can be used to resolve .local names. Linux must be configured to support mDNS, as it does not do so by default. One way to configure it is using the following these two steps:
- Install the "libnss-mdns" package
sudo apt-get install libnss-mdns
*The "libnss-mdns" package is a plugin for the GNU Name Service Switch (NSS) functionality of the GNU C Library (glibc) that provides hostname resolution via Multicast DNS (mDNS). This package effectively allows common Unix/Linux programs to resolve names in the ad-hoc mDNS domain .local.
- Configure the
/etc/nsswitch.conf
file to enable the "mdns_minimal" setting in the "hosts" section. Example content of the file:
cat /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: compat systemd
group: compat systemd
shadow: compat
gshadow: files
hosts: files mdns_minimal [NOTFOUND=return] dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
Depending on the configurations in the .wslconfig file, WSL will have the following behavior wrt DNS suffixes:
When networkingMode is set to NAT:
Case 1) By default no DNS suffix is configured in Linux
Case 2) If DNS tunneling is enabled (dnsTunneling is set to true in .wslconfig) All Windows DNS suffixes are configured in Linux, in the "search" setting of /etc/resolv.conf
The suffixes are configured in /etc/resolv.conf in the following order, similar to the order in which Windows DNS client tries suffixes when resolving a name: global DNS suffixes first, then supplemental DNS suffixes, then per-interface DNS suffixes.
When there is a change in the Windows DNS suffixes, that change will be automatically reflected in Linux
Case 3) If DNS tunneling is disabled and SharedAccess DNS proxy is disabled (dnsTunneling is set to false and dnsProxy is set to false in .wslconfig) A single DNS suffix is configured in Linux, in the "domain" setting of /etc/resolv.conf
When there is a change in the Windows DNS suffixes, that change is not reflected in Linux
The single DNS suffix configured in Linux is chosen from the per-interface DNS suffixes (global and supplemental suffixes are ignored)
if Windows has multiple interfaces, a heuristic is used to choose the single DNS suffix that will be configured in Linux. For example if there is a VPN interface on Windows, the suffix is chosen from that interface. If no VPN interface is present, the suffix is chosen from the interface that is most likely to give Internet connectivity.
When networkingMode is set to Mirrored:
All Windows DNS suffixes are configured in Linux, in the "search" setting of /etc/resolv.conf
The suffixes are configured in /etc/resolv.conf in the same order as in case 2) from NAT mode
When there is a change in the Windows DNS suffixes, that change will be automatically reflected in Linux
Note: supplemental DNS suffixes can be configured in Windows using SetInterfaceDnsSettings - Win32 apps | Microsoft Learn, with the flag DNS_SETTING_SUPPLEMENTAL_SEARCH_LIST set in the Settings parameter
The default DNS configuration when WSL starts a container in NAT mode is to have the NAT device on the Windows Host serve as the DNS ‘server’ for the WSL container. When DNS queries are sent from the WSL container to that NAT device on the Windows Host, the DNS packet is forwarded from the NAT device to the shared access service on the Host; the response is sent in the reverse direction back to the WSL container. This packet forwarding process to shared access requires a Firewall rule to allow that inbound DNS packet, which is created by the HNS service when WSL initially asks HNS to create the NAT virtual network for its WSL container.
Due to this NAT - shared access design, there are a few known configurations which can break name resolution from WSL.
1. An Enterprise can push policy that does not allow locally defined Firewall rules, only allowing Enterprise-policy defined rules.
When this is set by an Enterprise, the HNS-created Firewall rule is ignored, as it’s a locally defined rule. For this configuration to work the Enterprise must create a Firewall rule to allow UDP port 53 to the shared access service, or WSL can be set to use DNS Tunneling. One can see if this is configured to not allow locally defined Firewall rules by running the following. Note that this will show settings for all 3 profiles: Domain, Private, and Public. If it’s set on any profile, then packets will be blocked if the WSL vNIC is assigned that profile (default is Public). This is only a snippet of the first Firewall profile that is returned in Powershell:
PS C:\> Get-NetFirewallProfile -PolicyStore ActiveStore
Name : Domain
Enabled : True
DefaultInboundAction : Block
DefaultOutboundAction : Allow
AllowInboundRules : True
AllowLocalFirewallRules : False
AllowLocalFirewallRules:False means the locally defined firewall rules, like that by HNS, will not be applied or used.
2. And Enterprise can push down Group Policy and MDM policy settings that block all inbound rules.
These settings override any Allow-Inbound Firewall rule. This setting will thus block the HNS-created UDP Firewall rule, and thus will prevent WSL from resolving names. For this configuration to work, WSL must be set to use DNS Tunneling. This setting will always block the NAT DNS proxy.
From Group Policy:
Computer Configuration \ Administrative Templates \ Network \ Network Connections \ Windows Defender Firewall \ Domain Profile | Standard Profile
"Windows Defender Firewall: Do not allow exceptions" - Enabled
From MDM Policy:
./Vendor/MSFT/Firewall/MdmStore/PrivateProfile/Shielded
./Vendor/MSFT/Firewall/MdmStore/DomainProfile/Shielded
./Vendor/MSFT/Firewall/MdmStore/PublicProfile/Shielded
One can see if this is configured to not allow any inbound Firewall rules by running the following (see above caveats on Firewall Profiles). This is only a snippet of the first Firewall profile that is returned in Powershell:
PS C:\> Get-NetFirewallProfile -PolicyStore ActiveStore
Name : Domain
Enabled : True
DefaultInboundAction : Block
DefaultOutboundAction : Allow
AllowInboundRules : False
AllowInboundRules: False means that no inbound Firewall rules will be applied.
3. A user goes through the Windows Security setting apps and checks the control for "Blocks all incoming connections, including those in the list of allowed apps."
Windows supports a user-opt-in for the same setting that can be applied by an Enterprise referenced in #2 above. Users can open the “Windows Security” settings page, selects the “Firewall & network protection” option, selects the Firewall Profile they want to configure (Domain, Private, or Public), and under “Incoming connections” check the control labeled "Blocks all incoming connections, including those in the list of allowed apps."
If this is set for the Public profile (this is the default profile for the WSL vNIC), the Firewall rule created by HNS to allow the UDP packets to shared access will be blocked.
This must be unchecked for the NAT DNS proxy configuration to work from WSL, or WSL can be set to use DNS Tunneling.
4. The HNS Firewall rule to allow the DNS packets to shared access can become invalid, referencing a previous WSL interface identifier. This is a flaw within HNS which has been fixed with the latest Windows 11 release. On earlier releases, if this occurs, it’s not easily discoverable, but it has a simple work around:
Stop WSL
wsl.exe –shutdown
Delete the old HNS Firewall rule. This Powershell command should work in most cases:
Get-NetFirewallRule -Name "HNS*" | Get-NetFirewallPortFilter | where Protocol -eq UDP | where LocalPort -eq 53 | Remove-NetFirewallRule
Remove all HNS endpoints. Note: if HNS is used to manage other containers, such as MDAG or Windows Sandbox, those should also be stopped.
hnsdiag.exe delete all
Reboot or restart the HNS service
Restart-Service hns
When WSL is restarted, HNS will create new Firewall rules, correctly targeting the WSL interface.
If you have no network access, it might be due to a misconfiguration. Please see if the FSE driver is running: ‘sc queryex FSE’. If that does not show FSE running, please check if the PortTrackerEnabledMode registry value exits under this registry key: reg query HKLM\System\CurrentControlSet\Services\Tcpip\Parameters. If FSE is not running or installed, and PortTrackerEnabledMode exists, please delete that registry value and reboot
Ghost adapters, or phantom Plug and Play (PnP) devices, refer to hardware components that appear in your system but are not physically connected. These “ghost” devices can cause confusion and clutter in your system settings. If you see ghost adapters when running WSL in a Virtual Machine (VM), follow these manual steps to find and delete these Phantom PnP devices. Microsoft is working on an automated solution that will not require manual intervention. More information will be coming soon.
- Open Device Manager
- View > Show hidden devices
- Open Network adapters
- Right-click over the Ghosted network adapter and select Uninstall Device
Follow the instructions to Collect WSL logs in the WSL repo on GitHub to collect detailed logs and file an issue on our GitHub.
There are two components of Windows Subsystem for Linux that can require updating.
To update the Windows Subsystem for Linux itself, use the command
wsl --update
in PowerShell or CMD.To update the specific Linux distribution user binaries, use the command:
apt-get update | apt-get upgrade
in the Linux distribution that you are seeking to update.
Some packages use features that we haven't implemented yet. udev
, for example, isn't supported yet and causes several apt-get upgrade
errors.
To fix issues related to udev
, follow the following steps:
Write the following to
/usr/sbin/policy-rc.d
and save your changes.#!/bin/sh exit 101
Add execute permissions to
/usr/sbin/policy-rc.d
:chmod +x /usr/sbin/policy-rc.d
Run the following commands:
dpkg-divert --local --rename --add /sbin/initctl ln -s /bin/true /sbin/initctl
This has to do with the fact that we do not support legacy console. To turn off legacy console:
- Open cmd.exe
- Right click title bar -> Properties -> Uncheck Use legacy console
- Click OK
The Windows Subsystem for Linux feature may be disabled during a Windows update. If this happens the Windows feature must be re-enabled. Instructions for enabling the Windows Subsystem for Linux can be found in the Manual Installation Guide.
WSL install will try to automatically change the Ubuntu locale to match the locale of your Windows install. If you do not want this behavior you can run this command to change the Ubuntu locale after install completes. You will have to relaunch bash.exe for this change to take effect.
The below example changes to locale to en-US
:
sudo update-locale LANG=en_US.UTF8
- Delete the
%windir%\System32\Tasks\Microsoft\Windows\Windows Subsystem for Linux
folder.
Note: Do not do this if your optional feature is fully installed and working. - Enable the WSL optional feature (if not already)
- Reboot
- lxrun /uninstall /full
- Install bash
Some users have reported issues with specific firewall applications blocking internet access in WSL. The firewalls reported are:
- Kaspersky
- AVG
- Avast
- Symantec Endpoint Protection
In some cases turning off the firewall allows for access. In some cases simply having the firewall installed looks to block access.
If you are using Microsoft Defender Firewall, unchecking "Blocks all incoming connections, including those in the list of allowed apps." allows for access.
For Windows Anniversary Update, version 1607, administrator privileges in Windows are required to run ping in WSL. To run ping, run Bash on Ubuntu on Windows as an administrator, or run bash.exe from a CMD/PowerShell prompt with administrator privileges.
For later versions of Windows, Build 14926+, administrator privileges are no longer required.
If while working with bash, you find that bash is hung (or deadlocked) and not responding to inputs, help us diagnose the issue by collecting and reporting a memory dump. Note that these steps will crash your system. Do not do this if you are not comfortable with that or save your work prior to doing this.
To collect a memory dump
Change the memory dump type to "complete memory dump". While changing the dump type, take a note of your current type.
Use the steps to configure crash using keyboard control.
Repro the hang or deadlock.
Crash the system using the key sequence from (2).
The system will crash and collect the memory dump.
Once the system reboots, report the memory.dmp to secure@microsoft.com. The default location of the dump file is %SystemRoot%\memory.dmp or C:\Windows\memory.dmp if C: is the system drive. In the email, note that the dump is for the WSL or Bash on Windows team.
Restore the memory dump type to the original setting.
To find your PC's architecture and Windows build number, open
Settings > System > About
Look for the OS Build and System Type fields.
To find your Windows Server build number, run the following in PowerShell:
systeminfo | Select-String "^OS Name","^OS Version"
You can confirm that the Windows Subsystem for Linux is enabled by running the following in an elevated PowerShell window:
Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Windows-Subsystem-Linux
Trying to connect your SSH server is failed with the following error: "Connection closed by 127.0.0.1 port 22".
Make sure your OpenSSH Server is running:
sudo service ssh status
and you've followed this tutorial: https://ubuntu.com/server/docs/service-openssh
Stop the sshd service and start sshd in debug mode:
sudo service ssh stop sudo /usr/sbin/sshd -d
Check the startup logs and make sure HostKeys are available and you don't see log messages such as:
debug1: sshd version OpenSSH_7.2, OpenSSL 1.0.2g 1 Mar 2016 debug1: key_load_private: incorrect passphrase supplied to decrypt private key debug1: key_load_public: No such file or directory Could not load host key: /etc/ssh/ssh_host_rsa_key debug1: key_load_private: No such file or directory debug1: key_load_public: No such file or directory Could not load host key: /etc/ssh/ssh_host_dsa_key debug1: key_load_private: No such file or directory debug1: key_load_public: No such file or directory Could not load host key: /etc/ssh/ssh_host_ecdsa_key debug1: key_load_private: No such file or directory debug1: key_load_public: No such file or directory Could not load host key: /etc/ssh/ssh_host_ed25519_key
If you do see such messages and the keys are missing under /etc/ssh/
, you will have to regenerate the keys or just purge&install openssh-server:
sudo apt-get purge openssh-server
sudo apt-get install openssh-server
This error is related to being in a bad install state. Please complete the following steps to try and fix this issue:
If you are running the enable WSL feature command from PowerShell, try using the GUI instead by opening the start menu, searching for 'Turn Windows features on or off' and then in the list select 'Windows Subsystem for Linux' which will install the optional component.
Update your version of Windows by going to Settings, Updates, and clicking 'Check for Updates'
If both of those fail and you need to access WSL please consider upgrading in place by reinstalling Windows using installation media and selecting 'Keep Everything' to ensure your apps and files are preserved. You can find instructions on how to do so at the Reinstall Windows 10 page.
If you're seeing this error:
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNPROTECTED PRIVATE KEY FILE! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0777 for '/home/user/.ssh/private-key.pem' are too open.
To fix this, append the following to the /etc/wsl.conf
file:
[automount]
enabled = true
options = metadata,uid=1000,gid=1000,umask=0022
Please note that adding this command will include metadata and modify the file permissions on the Windows files seen from WSL. Please see the File System Permissions for more information.
If you are using openssh-server on Windows and trying to access WSL remotely, you many see this error:
The file cannot be accessed by the system.
It's a known issue, when using the Store version of WSL. You can work around this today by using WSL 1, or by using the in-Windows version of WSL. See https://aka.ms/wslstoreinfo for more info.
Some distributions available in Microsoft Store are yet not fully compatible to run Windows commands out of the box. If you get an error -bash: powershell.exe: command not found
running powershell.exe /c start .
or any other Windows command, you can resolve it following these steps:
- In your WSL distribution run
echo $PATH
.
If it does not include:/mnt/c/Windows/system32
something is redefining the standard PATH variable. - Check profile settings with
cat /etc/profile
.
If it contains assignment of the PATH variable, edit the file to comment out PATH assignment block with a # character. - Check if wsl.conf is present
cat /etc/wsl.conf
and make sure it does not containappendWindowsPath=false
, otherwise comment it out. - Restart distribution by typing
wsl -t
followed by distribution name or runwsl --shutdown
either in cmd or PowerShell.
We are aware of an issue affecting users where they are unable to boot after installing WSL 2. While we fully diagnose those issue, users have reported that changing the buffer size or installing the right drivers can help address this. Please view this GitHub issue to see the latest updates on this issue.
Internet Connection Sharing (ICS) is a required component of WSL 2. The ICS service is used by the Host Network Service (HNS) to create the underlying virtual network which WSL 2 relies on for NAT, DNS, DHCP, and host connection sharing.
Disabling the ICS service (SharedAccess) or disabling ICS through group policy will prevent the WSL HNS network from being created. This will result in failures when creating a new WSL version 2 image, and the following error when trying to convert a version 1 image to version 2.
There are no more endpoints available from the endpoint mapper.
Systems that require WSL 2 should leave the ICS service (SharedAccess) in it's default start state, Manual (Trigger Start), and any policy that disables ICS should be overwritten or removed. While disabling the ICS service will break WSL 2, and we do not recommend disabling ICS, portions of ICS can be disabled using these instructions
There are several differences to note if you're running an older version of Windows and WSL, like the Windows 10 Creators Update (Oct 2017, Build 16299) or Anniversary Update (Aug 2016, Build 14393). We recommend that you update to the latest Windows version, but if that's not possible, we have outlined some of the differences below.
Interoperability command differences:
bash.exe
has been replaced withwsl.exe
. Linux commands can be run from the Windows Command Prompt or from PowerShell, but for early Windows versions, you may need to use thebash
command. For example:C:\temp> bash -c "ls -la"
. The WSL commands passed intobash -c
are forwarded to the WSL process without modification. File paths must be specified in the WSL format and care must be taken to escape relevant characters. For example:C:\temp> bash -c "ls -la /proc/cpuinfo"
orC:\temp> bash -c "ls -la \"/mnt/c/Program Files\""
.- To see what commands are available for a particular distribution, run
[distro.exe] /?
. For example, with Ubuntu:C:\> ubuntu.exe /?
. - Windows path is included in the WSL
$PATH
. - When calling a Windows tool from a WSL distribution in an earlier version of Windows 10, you will need to specify the directory path. For example, to call the Windows Notepad app from your WSL command line, enter:
/mnt/c/Windows/System32/notepad.exe
- To change the default user to
root
use this command in PowerShell:C:\> lxrun /setdefaultuser root
and then run Bash.exe to log in:C:\> bash.exe
. Reset your password using the distributions password command:$ passwd username
and then close the Linux command line:$ exit
. From Windows command prompt or Powershell, reset your default user back to your normal Linux user account:C:\> lxrun.exe /setdefaultuser username
.
If you originally installed WSL on a version of Windows 10 prior to Creators update (Oct 2017, Build 16299), we recommend that you migrate any necessary files, data, etc. from the older Linux distribution you installed, to a newer distribution installed via the Microsoft Store. To remove the legacy distribution from your machine, run the following from a Command Line or PowerShell instance: wsl --unregister Legacy
. You also have the option to manually remove the older legacy distribution by deleting the %localappdata%\lxss\
folder (and all it's sub-contents) using Windows File Explorer or with PowerShell: rm -Recurse $env:localappdata/lxss/
.
Windows Subsystem for Linux feedback
Windows Subsystem for Linux is an open source project. Select a link to provide feedback: