Namespace Separation registry inquiry

asked 2021-04-11T20:31:10.377+00:00
HE Fong 21 Reputation points

Hi, I hope this is the right place to ask...

Is there any documentation, known reasons, or use cases as to why these particular registry entries exist:
\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\NamespaceSeparation

DWORD AppcontainerUserSeparation
DWORD InteractiveUserSeparation

By default, they are both set to zero.

The names themselves imply some sort of barrier or security setting but I do not want to make any assumptions between (some namespaces? but where or is this farfetched).

Testing them seems to indicate that if I enable (i.e. set to 1) InteractiveUserSeparation my graphics and general user experience completely breaks (errors on disk access and black background screen etc...). I wish I had a screenshot. (on restart)

However, enabling AppContainerUserSeparation does not (so far) seem to cause any errors or any applications to break so far.
Running Process Explorer doesn't yield much information as most of the Windows store apps I have seem to be in working shape still even after the restart.
I do not know where to start looking either as a preliminary search on the web fares me nothing.

If there is no value in having it (from any standpoint) enabled, I see fair point to leave it untouched.

Forgive my curiosity in advance.
Thanks for all your help.

Windows 10
Windows Sysinternals

Accepted answer
  1. answered 2021-04-12T09:07:27.277+00:00
    JiayaoZhu 3,881 Reputation points

    Hi,

    Thank you for your posting!

    Based on your description, I suppose you would like to know why the namespace separation service is installed on your computer and what namespace separation's functions are.

    There are many reasons why you have namespace separation (p.s. like @S.Sengupta said, isolation and separation are identical), such as the Docker configuration, the use of AppContainer, etc. However, you will not panic after you get a brief insight into namespace isolation.

    -What is namespace isolation/separation and how does it work?
    The user namespace allows a process to have root privileges within the namespace, without giving it that access to processes outside of the namespace. Isolating a process by the IPC namespace gives it its own interprocess communication resources, for example, System V IPC and POSIX messages.

    More information can be found in this article:
    https://www.toptal.com/linux/separation-anxiety-isolating-your-system-with-linux-namespaces

    Please note: Information posted in the given link is hosted by a third party. Microsoft does not guarantee the accuracy and effectiveness of information.

    And this video:
    https://www.youtube.com/watch?v=mlm4OBNwJPQ


    -What are these two items:
    DWORD AppcontainerUserSeparation
    DWORD InteractiveUserSeparation

    As I have explained before, namespace isolation is used to separate different processes, otherwise system corruption may occur on your computer. However, as you can see in the introduction, the namespace isolation service belongs to Linux and was first introduced in Windows Server 2016. So, your Windows 10 system may not allow this service to be applicable to the whole system, to some extent. In Windows, Windows containers and Hyper-V containers are enabled, so you can see that no error message occurs when you enable AppcontainerUserSeparation. The article is just the one that @S.Sengupta has introduced:

    https://learn.microsoft.com/en-us/windows/win32/secauthz/appcontainer-isolation#:~:text=The%20AppContainer%20environment%20creates%20an,application%20cannot%20impersonate%20the%20user.

    Thank you for your support!

    Best regards
    Joan


1 additional answer

  1. answered 2021-04-12T01:44:05.647+00:00
    S.Sengupta 5,461 Reputation points Microsoft MVP

    You are right, I have checked my system's registry.

    I have got a reference on AppContainer Isolation

    Seems isolation and separation are identical.
