Fix this test

Co-authored-by: Carlos Zamora <carlos.zamora@microsoft.com>

.github/actions/spelling/allow/allow.txt

@@ -1,3 +1,4 @@
+admins
 apc
 calt
 ccmp

.github/actions/spelling/allow/apis.txt

@@ -1,5 +1,7 @@
 ACCEPTFILES
 ACCESSDENIED
+acl
+aclapi
 alignas
 alignof
 APPLYTOSUBMENUS
@@ -21,6 +23,7 @@ commandlinetoargv
 cstdint
 CXICON
 CYICON
+Dacl
 dataobject
 dcomp
 DERR
@@ -117,15 +120,19 @@ OSVERSIONINFOEXW
 otms
 OUTLINETEXTMETRICW
 overridable
+PACL
 PAGESCROLL
+PEXPLICIT
 PICKFOLDERS
 pmr
+ptstr
 rcx
 REGCLS
 RETURNCMD
 rfind
 roundf
 RSHIFT
+SACL
 schandle
 semver
 serializer

.github/actions/spelling/allow/names.txt

@@ -9,6 +9,7 @@ Diviness
 dsafa
 duhowett
 ekg
+eryksun
 ethanschoonover
 Firefox
 Gatta

OpenConsole.sln

@@ -336,6 +336,8 @@ Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "WpfTerminalTestNetCore", "s
 EndProject
 Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "wt", "src\cascadia\wt\wt.vcxproj", "{506FD703-BAA7-4F6E-9361-64F550EC8FCA}"
 EndProject
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "elevate-shim", "src\cascadia\ElevateShim\elevate-shim.vcxproj", "{416FD703-BAA7-4F6E-9361-64F550EC8FCA}"
+EndProject
 Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Microsoft.Terminal.Settings.Editor", "src\cascadia\TerminalSettingsEditor\Microsoft.Terminal.Settings.Editor.vcxproj", "{CA5CAD1A-0B5E-45C3-96A8-BB496BFE4E32}"
 	ProjectSection(ProjectDependencies) = postProject
 		{CA5CAD1A-082C-4476-9F33-94B339494076} = {CA5CAD1A-082C-4476-9F33-94B339494076}
@@ -400,6 +402,8 @@ Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "WindowsTerminal.UIA.Tests",
 EndProject
 Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "api-ms-win-core-synch-l1-2-0", "src\api-ms-win-core-synch-l1-2-0\api-ms-win-core-synch-l1-2-0.vcxproj", "{9CF74355-F018-4C19-81AD-9DC6B7F2C6F5}"
 EndProject
+Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Utils", "Utils", "{61901E80-E97D-4D61-A9BB-E8F2FDA8B40C}"
+EndProject
 Global
 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
 		AuditMode|Any CPU = AuditMode|Any CPU
@@ -2803,6 +2807,43 @@ Global
 		{506FD703-BAA7-4F6E-9361-64F550EC8FCA}.Release|x64.Build.0 = Release|x64
 		{506FD703-BAA7-4F6E-9361-64F550EC8FCA}.Release|x86.ActiveCfg = Release|Win32
 		{506FD703-BAA7-4F6E-9361-64F550EC8FCA}.Release|x86.Build.0 = Release|Win32
+		{416FD703-BAA7-4F6E-9361-64F550EC8FCA}.AuditMode|Any CPU.ActiveCfg = AuditMode|Win32
+		{416FD703-BAA7-4F6E-9361-64F550EC8FCA}.AuditMode|ARM.ActiveCfg = AuditMode|Win32
+		{416FD703-BAA7-4F6E-9361-64F550EC8FCA}.AuditMode|ARM64.ActiveCfg = AuditMode|ARM64
+		{416FD703-BAA7-4F6E-9361-64F550EC8FCA}.AuditMode|ARM64.Build.0 = AuditMode|ARM64
+		{416FD703-BAA7-4F6E-9361-64F550EC8FCA}.AuditMode|DotNet_x64Test.ActiveCfg = AuditMode|Win32
+		{416FD703-BAA7-4F6E-9361-64F550EC8FCA}.AuditMode|DotNet_x86Test.ActiveCfg = AuditMode|Win32
+		{416FD703-BAA7-4F6E-9361-64F550EC8FCA}.AuditMode|x64.ActiveCfg = AuditMode|x64
+		{416FD703-BAA7-4F6E-9361-64F550EC8FCA}.AuditMode|x64.Build.0 = AuditMode|x64
+		{416FD703-BAA7-4F6E-9361-64F550EC8FCA}.AuditMode|x86.ActiveCfg = AuditMode|Win32
+		{416FD703-BAA7-4F6E-9361-64F550EC8FCA}.AuditMode|x86.Build.0 = AuditMode|Win32
+		{416FD703-BAA7-4F6E-9361-64F550EC8FCA}.Debug|Any CPU.ActiveCfg = Debug|Win32
+		{416FD703-BAA7-4F6E-9361-64F550EC8FCA}.Debug|ARM.ActiveCfg = Debug|Win32
+		{416FD703-BAA7-4F6E-9361-64F550EC8FCA}.Debug|ARM64.ActiveCfg = Debug|ARM64
+		{416FD703-BAA7-4F6E-9361-64F550EC8FCA}.Debug|ARM64.Build.0 = Debug|ARM64
+		{416FD703-BAA7-4F6E-9361-64F550EC8FCA}.Debug|DotNet_x64Test.ActiveCfg = Debug|Win32
+		{416FD703-BAA7-4F6E-9361-64F550EC8FCA}.Debug|DotNet_x86Test.ActiveCfg = Debug|Win32
+		{416FD703-BAA7-4F6E-9361-64F550EC8FCA}.Debug|x64.ActiveCfg = Debug|x64
+		{416FD703-BAA7-4F6E-9361-64F550EC8FCA}.Debug|x64.Build.0 = Debug|x64
+		{416FD703-BAA7-4F6E-9361-64F550EC8FCA}.Debug|x86.ActiveCfg = Debug|Win32
+		{416FD703-BAA7-4F6E-9361-64F550EC8FCA}.Debug|x86.Build.0 = Debug|Win32
+		{416FD703-BAA7-4F6E-9361-64F550EC8FCA}.Fuzzing|Any CPU.ActiveCfg = Fuzzing|Win32
+		{416FD703-BAA7-4F6E-9361-64F550EC8FCA}.Fuzzing|ARM.ActiveCfg = Fuzzing|Win32
+		{416FD703-BAA7-4F6E-9361-64F550EC8FCA}.Fuzzing|ARM64.ActiveCfg = Fuzzing|ARM64
+		{416FD703-BAA7-4F6E-9361-64F550EC8FCA}.Fuzzing|DotNet_x64Test.ActiveCfg = Fuzzing|Win32
+		{416FD703-BAA7-4F6E-9361-64F550EC8FCA}.Fuzzing|DotNet_x86Test.ActiveCfg = Fuzzing|Win32
+		{416FD703-BAA7-4F6E-9361-64F550EC8FCA}.Fuzzing|x64.ActiveCfg = Fuzzing|x64
+		{416FD703-BAA7-4F6E-9361-64F550EC8FCA}.Fuzzing|x86.ActiveCfg = Fuzzing|Win32
+		{416FD703-BAA7-4F6E-9361-64F550EC8FCA}.Release|Any CPU.ActiveCfg = Release|Win32
+		{416FD703-BAA7-4F6E-9361-64F550EC8FCA}.Release|ARM.ActiveCfg = Release|Win32
+		{416FD703-BAA7-4F6E-9361-64F550EC8FCA}.Release|ARM64.ActiveCfg = Release|ARM64
+		{416FD703-BAA7-4F6E-9361-64F550EC8FCA}.Release|ARM64.Build.0 = Release|ARM64
+		{416FD703-BAA7-4F6E-9361-64F550EC8FCA}.Release|DotNet_x64Test.ActiveCfg = Release|Win32
+		{416FD703-BAA7-4F6E-9361-64F550EC8FCA}.Release|DotNet_x86Test.ActiveCfg = Release|Win32
+		{416FD703-BAA7-4F6E-9361-64F550EC8FCA}.Release|x64.ActiveCfg = Release|x64
+		{416FD703-BAA7-4F6E-9361-64F550EC8FCA}.Release|x64.Build.0 = Release|x64
+		{416FD703-BAA7-4F6E-9361-64F550EC8FCA}.Release|x86.ActiveCfg = Release|Win32
+		{416FD703-BAA7-4F6E-9361-64F550EC8FCA}.Release|x86.Build.0 = Release|Win32
 		{CA5CAD1A-0B5E-45C3-96A8-BB496BFE4E32}.AuditMode|Any CPU.ActiveCfg = Release|x64
 		{CA5CAD1A-0B5E-45C3-96A8-BB496BFE4E32}.AuditMode|Any CPU.Build.0 = Release|x64
 		{CA5CAD1A-0B5E-45C3-96A8-BB496BFE4E32}.AuditMode|Any CPU.Deploy.0 = Release|x64
@@ -3403,7 +3444,7 @@ Global
 		{CA5CAD1A-9A12-429C-B551-8562EC954746} = {59840756-302F-44DF-AA47-441A9D673202}
 		{CA5CAD1A-B11C-4DDB-A4FE-C3AFAE9B5506} = {BDB237B6-1D1D-400F-84CC-40A58FA59C8E}
 		{48D21369-3D7B-4431-9967-24E81292CF63} = {05500DEF-2294-41E3-AF9A-24E580B82836}
-		{CA5CAD1A-039A-4929-BA2A-8BEB2E4106FE} = {59840756-302F-44DF-AA47-441A9D673202}
+		{CA5CAD1A-039A-4929-BA2A-8BEB2E4106FE} = {61901E80-E97D-4D61-A9BB-E8F2FDA8B40C}
 		{B0AC39D6-7B40-49A9-8202-58549BAE1FB1} = {59840756-302F-44DF-AA47-441A9D673202}
 		{58A03BB2-DF5A-4B66-91A0-7EF3BA01269A} = {E8F24881-5E37-4362-B191-A3BA0ED7F4EB}
 		{A22EC5F6-7851-4B88-AC52-47249D437A52} = {E8F24881-5E37-4362-B191-A3BA0ED7F4EB}
@@ -3416,10 +3457,11 @@ Global
 		{D3EF7B96-CD5E-47C9-B9A9-136259563033} = {04170EEF-983A-4195-BFEF-2321E5E38A1E}
 		{95B136F9-B238-490C-A7C5-5843C1FECAC4} = {05500DEF-2294-41E3-AF9A-24E580B82836}
 		{024052DE-83FB-4653-AEA4-90790D29D5BD} = {E8F24881-5E37-4362-B191-A3BA0ED7F4EB}
-		{067F0A06-FCB7-472C-96E9-B03B54E8E18D} = {59840756-302F-44DF-AA47-441A9D673202}
+		{067F0A06-FCB7-472C-96E9-B03B54E8E18D} = {61901E80-E97D-4D61-A9BB-E8F2FDA8B40C}
 		{6BAE5851-50D5-4934-8D5E-30361A8A40F3} = {81C352DB-1818-45B7-A284-18E259F1CC87}
 		{1588FD7C-241E-4E7D-9113-43735F3E6BAD} = {4DAF0299-495E-4CD1-A982-9BAC16A45932}
-		{506FD703-BAA7-4F6E-9361-64F550EC8FCA} = {59840756-302F-44DF-AA47-441A9D673202}
+		{506FD703-BAA7-4F6E-9361-64F550EC8FCA} = {61901E80-E97D-4D61-A9BB-E8F2FDA8B40C}
+		{416FD703-BAA7-4F6E-9361-64F550EC8FCA} = {61901E80-E97D-4D61-A9BB-E8F2FDA8B40C}
 		{CA5CAD1A-0B5E-45C3-96A8-BB496BFE4E32} = {77875138-BB08-49F9-8BB1-409C2150E0E1}
 		{CA5CAD1A-D7EC-4107-B7C6-79CB77AE2907} = {77875138-BB08-49F9-8BB1-409C2150E0E1}
 		{CA5CAD1A-082C-4476-9F33-94B339494076} = {77875138-BB08-49F9-8BB1-409C2150E0E1}
@@ -3438,6 +3480,7 @@ Global
 		{C323DAEE-B307-4C7B-ACE5-7293CBEFCB5B} = {BDB237B6-1D1D-400F-84CC-40A58FA59C8E}
 		{F19DACD5-0C6E-40DC-B6E4-767A3200542C} = {BDB237B6-1D1D-400F-84CC-40A58FA59C8E}
 		{9CF74355-F018-4C19-81AD-9DC6B7F2C6F5} = {89CDCC5C-9F53-4054-97A4-639D99F169CD}
+		{61901E80-E97D-4D61-A9BB-E8F2FDA8B40C} = {59840756-302F-44DF-AA47-441A9D673202}
 	EndGlobalSection
 	GlobalSection(ExtensibilityGlobals) = postSolution
 		SolutionGuid = {3140B1B7-C8EE-43D1-A772-D82A7061A271}

src/cascadia/CascadiaPackage/CascadiaPackage.wapproj

@@ -68,6 +68,7 @@
     <ProjectReference Include="..\TerminalAzBridge\TerminalAzBridge.vcxproj" />
     <ProjectReference Include="..\ShellExtension\WindowsTerminalShellExt.vcxproj" />
     <ProjectReference Include="..\wt\wt.vcxproj" />
+    <ProjectReference Include="..\ElevateShim\elevate-shim.vcxproj" />
   </ItemGroup>
 
   <Target Name="OpenConsoleStompSourceProjectForWapProject" BeforeTargets="_ConvertItems">

src/cascadia/ElevateShim/elevate-shim.cpp

@@ -0,0 +1,47 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
+
+#include <string>
+#include <filesystem>
+
+#define WIN32_LEAN_AND_MEAN
+#include <windows.h>
+#include <wil/stl.h>
+#include <wil/resource.h>
+#include <wil/win32_helpers.h>
+#include <shellapi.h>
+
+// BODGY
+//
+// If we try to do this in the Terminal itself, then there's a bunch of weird
+// things that can go wrong and prevent the elevated Terminal window from
+// getting created. Specifically, if the origin Terminal exits right away after
+// spawning the elevated WT, then ShellExecute might not successfully complete
+// the elevation. What's even more, the Terminal will mysteriously crash
+// somewhere in XAML land.
+//
+// To mitigate this, the Terminal will call into us with the commandline it
+// wants elevated. We'll hang around until ShellExecute is finished, so that the
+// process can successfully elevate.
+
+#pragma warning(suppress : 26461) // we can't change the signature of wWinMain
+int __stdcall wWinMain(HINSTANCE, HINSTANCE, LPWSTR pCmdLine, int)
+{
+    // All of the args passed to us (something like `new-tab -p {guid}`) are in
+    // pCmdLine
+
+    // Get the path to WindowsTerminal.exe, which should live next to us.
+    std::filesystem::path module{ wil::GetModuleFileNameW<std::wstring>(nullptr) };
+    // Swap elevate-shim.exe for WindowsTerminal.exe
+    module.replace_filename(L"WindowsTerminal.exe");
+
+    // Go!
+    SHELLEXECUTEINFOW seInfo{ 0 };
+    seInfo.cbSize = sizeof(seInfo);
+    seInfo.fMask = SEE_MASK_DEFAULT;
+    seInfo.lpVerb = L"runas"; // This asks the shell to elevate the process
+    seInfo.lpFile = module.c_str(); // This is `...\WindowsTerminal.exe`
+    seInfo.lpParameters = pCmdLine; // This is `new-tab -p {guid}`
+    seInfo.nShow = SW_SHOWNORMAL;
+    LOG_IF_WIN32_BOOL_FALSE(ShellExecuteExW(&seInfo));
+}

src/cascadia/ElevateShim/elevate-shim.rc

@@ -0,0 +1,69 @@
+// Microsoft Visual C++ generated resource script.
+//
+#include "resource.h"
+
+#define APSTUDIO_READONLY_SYMBOLS
+/////////////////////////////////////////////////////////////////////////////
+//
+// Generated from the TEXTINCLUDE 2 resource.
+//
+#include "winres.h"
+/////////////////////////////////////////////////////////////////////////////
+#undef APSTUDIO_READONLY_SYMBOLS
+
+/////////////////////////////////////////////////////////////////////////////
+// English (United States) resources
+
+#if !defined(AFX_RESOURCE_DLL) || defined(AFX_TARG_ENU)
+LANGUAGE LANG_ENGLISH, SUBLANG_ENGLISH_US
+#pragma code_page(1252)
+
+#ifdef APSTUDIO_INVOKED
+/////////////////////////////////////////////////////////////////////////////
+//
+// TEXTINCLUDE
+//
+
+1 TEXTINCLUDE 
+BEGIN
+    "resource.h\0"
+END
+
+2 TEXTINCLUDE 
+BEGIN
+    "#include ""winres.h""\0"
+END
+
+3 TEXTINCLUDE 
+BEGIN
+    "\r\n"
+    "\0"
+END
+
+#endif    // APSTUDIO_INVOKED
+
+
+/////////////////////////////////////////////////////////////////////////////
+//
+// Icon
+//
+
+// Icon with lowest ID value placed first to ensure application icon
+// remains consistent on all systems.
+IDI_APPICON             ICON                    "..\\..\\..\\res\\terminal.ico"
+
+#endif    // English (United States) resources
+/////////////////////////////////////////////////////////////////////////////
+
+
+
+#ifndef APSTUDIO_INVOKED
+/////////////////////////////////////////////////////////////////////////////
+//
+// Generated from the TEXTINCLUDE 3 resource.
+//
+
+
+/////////////////////////////////////////////////////////////////////////////
+#endif    // not APSTUDIO_INVOKED
+

src/cascadia/ElevateShim/elevate-shim.vcxproj

@@ -0,0 +1,34 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{416fd703-baa7-4f6e-9361-64f550ec8fca}</ProjectGuid>
+    <Keyword>Win32Proj</Keyword>
+    <RootNamespace>elevate-shim</RootNamespace>
+    <ProjectName>elevate-shim</ProjectName>
+    <TargetName>elevate-shim</TargetName>
+    <ConfigurationType>Application</ConfigurationType>
+  </PropertyGroup>
+
+  <Import Project="..\..\..\common.openconsole.props" Condition="'$(OpenConsoleDir)'==''" />
+  <Import Project="$(OpenConsoleDir)src\common.build.pre.props" />
+
+  <!-- Source Files -->
+  <ItemGroup>
+    <ClCompile Include="elevate-shim.cpp">
+      <PrecompiledHeader>NotUsing</PrecompiledHeader>
+    </ClCompile>
+  </ItemGroup>
+
+  <ItemGroup>
+    <ResourceCompile Include="elevate-shim.rc" />
+  </ItemGroup>
+
+  <Import Project="$(OpenConsoleDir)src\common.build.post.props" />
+
+  <ItemDefinitionGroup>
+    <Link>
+      <!-- Remove all non-onecore dependencies -->
+      <AdditionalDependencies>onecore.lib</AdditionalDependencies>
+    </Link>
+  </ItemDefinitionGroup>
+</Project>

src/cascadia/ElevateShim/resource.h

@@ -0,0 +1,16 @@
+//{{NO_DEPENDENCIES}}
+// Microsoft Visual C++ generated include file.
+// Used by wt.rc
+//
+#define IDI_APPICON 101
+
+// Next default values for new objects
+//
+#ifdef APSTUDIO_INVOKED
+#ifndef APSTUDIO_READONLY_SYMBOLS
+#define _APS_NEXT_RESOURCE_VALUE 102
+#define _APS_NEXT_COMMAND_VALUE 40001
+#define _APS_NEXT_CONTROL_VALUE 1001
+#define _APS_NEXT_SYMED_VALUE 101
+#endif
+#endif

src/cascadia/LocalTests_SettingsModel/pch.h

@@ -61,6 +61,9 @@ Author(s):
 // Manually include til after we include Windows.Foundation to give it winrt superpowers
 #include "til.h"
 
+#include <til/mutex.h>
+#include <til/throttled_func.h>
+
 // Common includes for most tests:
 #include "../../inc/argb.h"
 #include "../../inc/conattrs.hpp"

src/cascadia/LocalTests_TerminalApp/SettingsTests.cpp

@@ -69,6 +69,8 @@ namespace TerminalAppLocalTests
 
         TEST_METHOD(TestIterableColorSchemeCommands);
 
+        TEST_METHOD(TestElevateArg);
+
         TEST_CLASS_SETUP(ClassSetup)
         {
             return true;
@@ -1267,4 +1269,264 @@ namespace TerminalAppLocalTests
         }
     }
 
+    void SettingsTests::TestElevateArg()
+    {
+        static constexpr std::wstring_view settingsJson{ LR"(
+        {
+            "defaultProfile": "{6239a42c-0000-49a3-80bd-e8fdd045185c}",
+            "profiles": [
+                {
+                    "name": "profile0",
+                    "guid": "{6239a42c-0000-49a3-80bd-e8fdd045185c}",
+                    "commandline": "cmd.exe"
+                },
+                {
+                    "name": "profile1",
+                    "guid": "{6239a42c-1111-49a3-80bd-e8fdd045185c}",
+                    "elevate": true,
+                    "commandline": "pwsh.exe"
+                },
+                {
+                    "name": "profile2",
+                    "guid": "{6239a42c-2222-49a3-80bd-e8fdd045185c}",
+                    "elevate": false,
+                    "commandline": "wsl.exe"
+                }
+            ],
+            "keybindings": [
+                { "keys": ["ctrl+a"], "command": { "action": "newTab", "profile": "profile0" } },
+                { "keys": ["ctrl+b"], "command": { "action": "newTab", "profile": "profile1" } },
+                { "keys": ["ctrl+c"], "command": { "action": "newTab", "profile": "profile2" } },
+
+                { "keys": ["ctrl+d"], "command": { "action": "newTab", "profile": "profile0", "elevate": false } },
+                { "keys": ["ctrl+e"], "command": { "action": "newTab", "profile": "profile1", "elevate": false } },
+                { "keys": ["ctrl+f"], "command": { "action": "newTab", "profile": "profile2", "elevate": false } },
+
+                { "keys": ["ctrl+g"], "command": { "action": "newTab", "profile": "profile0", "elevate": true } },
+                { "keys": ["ctrl+h"], "command": { "action": "newTab", "profile": "profile1", "elevate": true } },
+                { "keys": ["ctrl+i"], "command": { "action": "newTab", "profile": "profile2", "elevate": true } },
+            ]
+        })" };
+
+        const winrt::guid guid0{ ::Microsoft::Console::Utils::GuidFromString(L"{6239a42c-0000-49a3-80bd-e8fdd045185c}") };
+        const winrt::guid guid1{ ::Microsoft::Console::Utils::GuidFromString(L"{6239a42c-1111-49a3-80bd-e8fdd045185c}") };
+        const winrt::guid guid2{ ::Microsoft::Console::Utils::GuidFromString(L"{6239a42c-2222-49a3-80bd-e8fdd045185c}") };
+
+        CascadiaSettings settings{ settingsJson, {} };
+
+        auto keymap = settings.GlobalSettings().ActionMap();
+        VERIFY_ARE_EQUAL(3u, settings.ActiveProfiles().Size());
+
+        const auto profile2Guid = settings.ActiveProfiles().GetAt(2).Guid();
+        VERIFY_ARE_NOT_EQUAL(winrt::guid{}, profile2Guid);
+
+        VERIFY_ARE_EQUAL(9u, keymap.KeyBindings().Size());
+
+        {
+            Log::Comment(L"profile.elevate=omitted, action.elevate=nullopt: don't auto elevate");
+
+            KeyChord kc{ true, false, false, false, static_cast<int32_t>('A'), 0 };
+            auto actionAndArgs = TestUtils::GetActionAndArgs(keymap, kc);
+            VERIFY_ARE_EQUAL(ShortcutAction::NewTab, actionAndArgs.Action());
+            const auto& realArgs = actionAndArgs.Args().try_as<NewTabArgs>();
+            VERIFY_IS_NOT_NULL(realArgs);
+            // Verify the args have the expected value
+            VERIFY_IS_NOT_NULL(realArgs.TerminalArgs());
+            VERIFY_IS_TRUE(realArgs.TerminalArgs().Commandline().empty());
+            VERIFY_IS_TRUE(realArgs.TerminalArgs().StartingDirectory().empty());
+            VERIFY_IS_TRUE(realArgs.TerminalArgs().TabTitle().empty());
+            VERIFY_IS_FALSE(realArgs.TerminalArgs().Profile().empty());
+            VERIFY_ARE_EQUAL(L"profile0", realArgs.TerminalArgs().Profile());
+            VERIFY_IS_NULL(realArgs.TerminalArgs().Elevate());
+
+            const auto termSettingsResult = TerminalSettings::CreateWithNewTerminalArgs(settings, realArgs.TerminalArgs(), nullptr);
+            const auto termSettings = termSettingsResult.DefaultSettings();
+            VERIFY_ARE_EQUAL(L"cmd.exe", termSettings.Commandline());
+            VERIFY_ARE_EQUAL(false, termSettings.Elevate());
+        }
+        {
+            Log::Comment(L"profile.elevate=true, action.elevate=nullopt: DO auto elevate");
+
+            KeyChord kc{ true, false, false, false, static_cast<int32_t>('B'), 0 };
+            auto actionAndArgs = TestUtils::GetActionAndArgs(keymap, kc);
+            VERIFY_ARE_EQUAL(ShortcutAction::NewTab, actionAndArgs.Action());
+            const auto& realArgs = actionAndArgs.Args().try_as<NewTabArgs>();
+            VERIFY_IS_NOT_NULL(realArgs);
+            // Verify the args have the expected value
+            VERIFY_IS_NOT_NULL(realArgs.TerminalArgs());
+            VERIFY_IS_TRUE(realArgs.TerminalArgs().Commandline().empty());
+            VERIFY_IS_TRUE(realArgs.TerminalArgs().StartingDirectory().empty());
+            VERIFY_IS_TRUE(realArgs.TerminalArgs().TabTitle().empty());
+            VERIFY_IS_FALSE(realArgs.TerminalArgs().Profile().empty());
+            VERIFY_ARE_EQUAL(L"profile1", realArgs.TerminalArgs().Profile());
+            VERIFY_IS_NULL(realArgs.TerminalArgs().Elevate());
+
+            const auto termSettingsResult = TerminalSettings::CreateWithNewTerminalArgs(settings, realArgs.TerminalArgs(), nullptr);
+            const auto termSettings = termSettingsResult.DefaultSettings();
+            VERIFY_ARE_EQUAL(L"pwsh.exe", termSettings.Commandline());
+            VERIFY_ARE_EQUAL(true, termSettings.Elevate());
+        }
+        {
+            Log::Comment(L"profile.elevate=false, action.elevate=nullopt: don't auto elevate");
+
+            KeyChord kc{ true, false, false, false, static_cast<int32_t>('C'), 0 };
+            auto actionAndArgs = TestUtils::GetActionAndArgs(keymap, kc);
+            VERIFY_ARE_EQUAL(ShortcutAction::NewTab, actionAndArgs.Action());
+            const auto& realArgs = actionAndArgs.Args().try_as<NewTabArgs>();
+            VERIFY_IS_NOT_NULL(realArgs);
+            // Verify the args have the expected value
+            VERIFY_IS_NOT_NULL(realArgs.TerminalArgs());
+            VERIFY_IS_TRUE(realArgs.TerminalArgs().Commandline().empty());
+            VERIFY_IS_TRUE(realArgs.TerminalArgs().StartingDirectory().empty());
+            VERIFY_IS_TRUE(realArgs.TerminalArgs().TabTitle().empty());
+            VERIFY_IS_FALSE(realArgs.TerminalArgs().Profile().empty());
+            VERIFY_ARE_EQUAL(L"profile2", realArgs.TerminalArgs().Profile());
+            VERIFY_IS_NULL(realArgs.TerminalArgs().Elevate());
+
+            const auto termSettingsResult = TerminalSettings::CreateWithNewTerminalArgs(settings, realArgs.TerminalArgs(), nullptr);
+            const auto termSettings = termSettingsResult.DefaultSettings();
+            VERIFY_ARE_EQUAL(L"wsl.exe", termSettings.Commandline());
+            VERIFY_ARE_EQUAL(false, termSettings.Elevate());
+        }
+
+        {
+            Log::Comment(L"profile.elevate=omitted, action.elevate=false: don't auto elevate");
+
+            KeyChord kc{ true, false, false, false, static_cast<int32_t>('D'), 0 };
+            auto actionAndArgs = TestUtils::GetActionAndArgs(keymap, kc);
+            VERIFY_ARE_EQUAL(ShortcutAction::NewTab, actionAndArgs.Action());
+            const auto& realArgs = actionAndArgs.Args().try_as<NewTabArgs>();
+            VERIFY_IS_NOT_NULL(realArgs);
+            // Verify the args have the expected value
+            VERIFY_IS_NOT_NULL(realArgs.TerminalArgs());
+            VERIFY_IS_TRUE(realArgs.TerminalArgs().Commandline().empty());
+            VERIFY_IS_TRUE(realArgs.TerminalArgs().StartingDirectory().empty());
+            VERIFY_IS_TRUE(realArgs.TerminalArgs().TabTitle().empty());
+            VERIFY_IS_FALSE(realArgs.TerminalArgs().Profile().empty());
+            VERIFY_ARE_EQUAL(L"profile0", realArgs.TerminalArgs().Profile());
+            VERIFY_IS_NOT_NULL(realArgs.TerminalArgs().Elevate());
+            VERIFY_IS_FALSE(realArgs.TerminalArgs().Elevate().Value());
+
+            const auto termSettingsResult = TerminalSettings::CreateWithNewTerminalArgs(settings, realArgs.TerminalArgs(), nullptr);
+            const auto termSettings = termSettingsResult.DefaultSettings();
+            VERIFY_ARE_EQUAL(L"cmd.exe", termSettings.Commandline());
+            VERIFY_ARE_EQUAL(false, termSettings.Elevate());
+        }
+        {
+            Log::Comment(L"profile.elevate=true, action.elevate=false: don't auto elevate");
+
+            KeyChord kc{ true, false, false, false, static_cast<int32_t>('E'), 0 };
+            auto actionAndArgs = TestUtils::GetActionAndArgs(keymap, kc);
+            VERIFY_ARE_EQUAL(ShortcutAction::NewTab, actionAndArgs.Action());
+            const auto& realArgs = actionAndArgs.Args().try_as<NewTabArgs>();
+            VERIFY_IS_NOT_NULL(realArgs);
+            // Verify the args have the expected value
+            VERIFY_IS_NOT_NULL(realArgs.TerminalArgs());
+            VERIFY_IS_TRUE(realArgs.TerminalArgs().Commandline().empty());
+            VERIFY_IS_TRUE(realArgs.TerminalArgs().StartingDirectory().empty());
+            VERIFY_IS_TRUE(realArgs.TerminalArgs().TabTitle().empty());
+            VERIFY_IS_FALSE(realArgs.TerminalArgs().Profile().empty());
+            VERIFY_ARE_EQUAL(L"profile1", realArgs.TerminalArgs().Profile());
+            VERIFY_IS_NOT_NULL(realArgs.TerminalArgs().Elevate());
+            VERIFY_IS_FALSE(realArgs.TerminalArgs().Elevate().Value());
+
+            const auto termSettingsResult = TerminalSettings::CreateWithNewTerminalArgs(settings, realArgs.TerminalArgs(), nullptr);
+            const auto termSettings = termSettingsResult.DefaultSettings();
+            VERIFY_ARE_EQUAL(L"pwsh.exe", termSettings.Commandline());
+            VERIFY_ARE_EQUAL(false, termSettings.Elevate());
+        }
+        {
+            Log::Comment(L"profile.elevate=false, action.elevate=false: don't auto elevate");
+
+            KeyChord kc{ true, false, false, false, static_cast<int32_t>('F'), 0 };
+            auto actionAndArgs = TestUtils::GetActionAndArgs(keymap, kc);
+            VERIFY_ARE_EQUAL(ShortcutAction::NewTab, actionAndArgs.Action());
+            const auto& realArgs = actionAndArgs.Args().try_as<NewTabArgs>();
+            VERIFY_IS_NOT_NULL(realArgs);
+            // Verify the args have the expected value
+            VERIFY_IS_NOT_NULL(realArgs.TerminalArgs());
+            VERIFY_IS_TRUE(realArgs.TerminalArgs().Commandline().empty());
+            VERIFY_IS_TRUE(realArgs.TerminalArgs().StartingDirectory().empty());
+            VERIFY_IS_TRUE(realArgs.TerminalArgs().TabTitle().empty());
+            VERIFY_IS_FALSE(realArgs.TerminalArgs().Profile().empty());
+            VERIFY_ARE_EQUAL(L"profile2", realArgs.TerminalArgs().Profile());
+            VERIFY_IS_NOT_NULL(realArgs.TerminalArgs().Elevate());
+            VERIFY_IS_FALSE(realArgs.TerminalArgs().Elevate().Value());
+
+            const auto termSettingsResult = TerminalSettings::CreateWithNewTerminalArgs(settings, realArgs.TerminalArgs(), nullptr);
+            const auto termSettings = termSettingsResult.DefaultSettings();
+            VERIFY_ARE_EQUAL(L"wsl.exe", termSettings.Commandline());
+            VERIFY_ARE_EQUAL(false, termSettings.Elevate());
+        }
+
+        {
+            Log::Comment(L"profile.elevate=omitted, action.elevate=true: DO auto elevate");
+
+            KeyChord kc{ true, false, false, false, static_cast<int32_t>('G'), 0 };
+            auto actionAndArgs = TestUtils::GetActionAndArgs(keymap, kc);
+            VERIFY_ARE_EQUAL(ShortcutAction::NewTab, actionAndArgs.Action());
+            const auto& realArgs = actionAndArgs.Args().try_as<NewTabArgs>();
+            VERIFY_IS_NOT_NULL(realArgs);
+            // Verify the args have the expected value
+            VERIFY_IS_NOT_NULL(realArgs.TerminalArgs());
+            VERIFY_IS_TRUE(realArgs.TerminalArgs().Commandline().empty());
+            VERIFY_IS_TRUE(realArgs.TerminalArgs().StartingDirectory().empty());
+            VERIFY_IS_TRUE(realArgs.TerminalArgs().TabTitle().empty());
+            VERIFY_IS_FALSE(realArgs.TerminalArgs().Profile().empty());
+            VERIFY_ARE_EQUAL(L"profile0", realArgs.TerminalArgs().Profile());
+            VERIFY_IS_NOT_NULL(realArgs.TerminalArgs().Elevate());
+            VERIFY_IS_TRUE(realArgs.TerminalArgs().Elevate().Value());
+
+            const auto termSettingsResult = TerminalSettings::CreateWithNewTerminalArgs(settings, realArgs.TerminalArgs(), nullptr);
+            const auto termSettings = termSettingsResult.DefaultSettings();
+            VERIFY_ARE_EQUAL(L"cmd.exe", termSettings.Commandline());
+            VERIFY_ARE_EQUAL(true, termSettings.Elevate());
+        }
+        {
+            Log::Comment(L"profile.elevate=true, action.elevate=true: DO auto elevate");
+            KeyChord kc{ true, false, false, false, static_cast<int32_t>('H'), 0 };
+            auto actionAndArgs = TestUtils::GetActionAndArgs(keymap, kc);
+            VERIFY_ARE_EQUAL(ShortcutAction::NewTab, actionAndArgs.Action());
+            const auto& realArgs = actionAndArgs.Args().try_as<NewTabArgs>();
+            VERIFY_IS_NOT_NULL(realArgs);
+            // Verify the args have the expected value
+            VERIFY_IS_NOT_NULL(realArgs.TerminalArgs());
+            VERIFY_IS_TRUE(realArgs.TerminalArgs().Commandline().empty());
+            VERIFY_IS_TRUE(realArgs.TerminalArgs().StartingDirectory().empty());
+            VERIFY_IS_TRUE(realArgs.TerminalArgs().TabTitle().empty());
+            VERIFY_IS_FALSE(realArgs.TerminalArgs().Profile().empty());
+            VERIFY_ARE_EQUAL(L"profile1", realArgs.TerminalArgs().Profile());
+            VERIFY_IS_NOT_NULL(realArgs.TerminalArgs().Elevate());
+            VERIFY_IS_TRUE(realArgs.TerminalArgs().Elevate().Value());
+
+            const auto termSettingsResult = TerminalSettings::CreateWithNewTerminalArgs(settings, realArgs.TerminalArgs(), nullptr);
+            const auto termSettings = termSettingsResult.DefaultSettings();
+            VERIFY_ARE_EQUAL(L"pwsh.exe", termSettings.Commandline());
+            VERIFY_ARE_EQUAL(true, termSettings.Elevate());
+        }
+        {
+            Log::Comment(L"profile.elevate=false, action.elevate=true: DO auto elevate");
+
+            KeyChord kc{ true, false, false, false, static_cast<int32_t>('I'), 0 };
+            auto actionAndArgs = TestUtils::GetActionAndArgs(keymap, kc);
+            VERIFY_ARE_EQUAL(ShortcutAction::NewTab, actionAndArgs.Action());
+            const auto& realArgs = actionAndArgs.Args().try_as<NewTabArgs>();
+            VERIFY_IS_NOT_NULL(realArgs);
+            // Verify the args have the expected value
+            VERIFY_IS_NOT_NULL(realArgs.TerminalArgs());
+            VERIFY_IS_TRUE(realArgs.TerminalArgs().Commandline().empty());
+            VERIFY_IS_TRUE(realArgs.TerminalArgs().StartingDirectory().empty());
+            VERIFY_IS_TRUE(realArgs.TerminalArgs().TabTitle().empty());
+            VERIFY_IS_FALSE(realArgs.TerminalArgs().Profile().empty());
+            VERIFY_ARE_EQUAL(L"profile2", realArgs.TerminalArgs().Profile());
+            VERIFY_IS_NOT_NULL(realArgs.TerminalArgs().Elevate());
+            VERIFY_IS_TRUE(realArgs.TerminalArgs().Elevate().Value());
+
+            const auto termSettingsResult = TerminalSettings::CreateWithNewTerminalArgs(settings, realArgs.TerminalArgs(), nullptr);
+            const auto termSettings = termSettingsResult.DefaultSettings();
+            VERIFY_ARE_EQUAL(L"wsl.exe", termSettings.Commandline());
+            VERIFY_ARE_EQUAL(true, termSettings.Elevate());
+        }
+    }
+
 }

src/cascadia/TerminalApp/AdminWarningPlaceholder.cpp

@@ -0,0 +1,74 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
+
+#pragma once
+
+#include "pch.h"
+#include "AdminWarningPlaceholder.h"
+#include "AdminWarningPlaceholder.g.cpp"
+#include <LibraryResources.h>
+using namespace winrt::Windows::UI::Xaml;
+
+namespace winrt::TerminalApp::implementation
+{
+    AdminWarningPlaceholder::AdminWarningPlaceholder(const winrt::Microsoft::Terminal::Control::TermControl& control, const winrt::hstring& cmdline) :
+        _control{ control },
+        _Commandline{ cmdline }
+    {
+        InitializeComponent();
+        // If the content we're hosting is a TermControl, then use the control's
+        // BG as our BG, to give the impression that it's there, under the
+        // dialog.
+        if (const auto termControl{ control.try_as<winrt::Microsoft::Terminal::Control::TermControl>() })
+        {
+            RootGrid().Background(termControl.BackgroundBrush());
+        }
+    }
+    void AdminWarningPlaceholder::_primaryButtonClick(winrt::Windows::Foundation::IInspectable const& /*sender*/,
+                                                      RoutedEventArgs const& e)
+    {
+        _PrimaryButtonClickedHandlers(*this, e);
+    }
+    void AdminWarningPlaceholder::_cancelButtonClick(winrt::Windows::Foundation::IInspectable const& /*sender*/,
+                                                     RoutedEventArgs const& e)
+    {
+        _CancelButtonClickedHandlers(*this, e);
+    }
+    winrt::Windows::UI::Xaml::Controls::UserControl AdminWarningPlaceholder::Control()
+    {
+        return _control;
+    }
+
+    // Method Description:
+    // - Move the focus to the cancel button by default. This has the LOAD
+    //   BEARING side effect of also triggering Narrator to read out the
+    //   contents of the dialog. It's unclear why doing this works, but it does.
+    // - Using a LayoutUpdated event to trigger the focus change when we're
+    //   added to the UI tree did not seem to work.
+    // - Whoever is adding us to the UI tree is responsible for calling this!
+    // Arguments:
+    // - <none>
+    // Return Value:
+    // - <none>
+    void AdminWarningPlaceholder::FocusOnLaunch()
+    {
+        CancelButton().Focus(FocusState::Programmatic);
+    }
+
+    winrt::hstring AdminWarningPlaceholder::ControlName()
+    {
+        return RS_(L"AdminWarningPlaceholderName");
+    }
+
+    void AdminWarningPlaceholder::_keyUpHandler(IInspectable const& /*sender*/,
+                                                Windows::UI::Xaml::Input::KeyRoutedEventArgs const& e)
+    {
+        // If the user presses escape, close the dialog (without confirming)
+        const auto key = e.OriginalKey();
+        if (key == winrt::Windows::System::VirtualKey::Escape)
+        {
+            _CancelButtonClickedHandlers(*this, e);
+            e.Handled(true);
+        }
+    }
+}

src/cascadia/TerminalApp/AdminWarningPlaceholder.h

@@ -0,0 +1,51 @@
+/*++
+Copyright (c) Microsoft Corporation
+Licensed under the MIT license.
+
+Module Name:
+- AdminWarningPlaceholder
+
+Abstract:
+- The AdminWarningPlaceholder is a control used to fill space in a pane and
+  present a warning to the user. It holds on to a real control that it should be
+  replaced with. It looks just like a ContentDialog, except it exists per-pane,
+  whereas a ContentDialog can only be added to take up the whole window.
+- The caller should make sure to bind our PrimaryButtonClicked and
+  CancelButtonClicked events, to be informed as to which was pressed.
+
+Author(s):
+- Mike Griese - September 2021
+
+--*/
+
+#pragma once
+
+#include "AdminWarningPlaceholder.g.h"
+#include "../../cascadia/inc/cppwinrt_utils.h"
+
+namespace winrt::TerminalApp::implementation
+{
+    struct AdminWarningPlaceholder : AdminWarningPlaceholderT<AdminWarningPlaceholder>
+    {
+        AdminWarningPlaceholder(const winrt::Microsoft::Terminal::Control::TermControl& control, const winrt::hstring& cmdline);
+        void FocusOnLaunch();
+        winrt::Windows::UI::Xaml::Controls::UserControl Control();
+        winrt::hstring ControlName();
+        WINRT_CALLBACK(PropertyChanged, Windows::UI::Xaml::Data::PropertyChangedEventHandler);
+        WINRT_OBSERVABLE_PROPERTY(winrt::hstring, Commandline, _PropertyChangedHandlers);
+        TYPED_EVENT(PrimaryButtonClicked, TerminalApp::AdminWarningPlaceholder, winrt::Windows::UI::Xaml::RoutedEventArgs);
+        TYPED_EVENT(CancelButtonClicked, TerminalApp::AdminWarningPlaceholder, winrt::Windows::UI::Xaml::RoutedEventArgs);
+
+    private:
+        friend struct AdminWarningPlaceholderT<AdminWarningPlaceholder>; // friend our parent so it can bind private event handlers
+
+        winrt::Microsoft::Terminal::Control::TermControl _control{ nullptr };
+
+        void _primaryButtonClick(winrt::Windows::Foundation::IInspectable const& sender,
+                                 winrt::Windows::UI::Xaml::RoutedEventArgs const& e);
+        void _cancelButtonClick(winrt::Windows::Foundation::IInspectable const& sender,
+                                winrt::Windows::UI::Xaml::RoutedEventArgs const& e);
+        void _keyUpHandler(Windows::Foundation::IInspectable const& sender,
+                           Windows::UI::Xaml::Input::KeyRoutedEventArgs const& e);
+    };
+}

src/cascadia/TerminalApp/AdminWarningPlaceholder.idl

@@ -0,0 +1,12 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
+
+namespace TerminalApp
+{
+    [default_interface] runtimeclass AdminWarningPlaceholder : Windows.UI.Xaml.Controls.UserControl,
+                                                               Windows.UI.Xaml.Data.INotifyPropertyChanged
+    {
+        String Commandline { get; };
+        String ControlName { get; };
+    }
+}

src/cascadia/TerminalApp/AdminWarningPlaceholder.xaml

@@ -0,0 +1,97 @@
+<!--
+    Copyright (c) Microsoft Corporation. All rights reserved. Licensed under
+    the MIT License. See LICENSE in the project root for license information.
+-->
+<UserControl x:Class="TerminalApp.AdminWarningPlaceholder"
+             xmlns="http://schemas.microsoft.com/winfx/2006/xaml/presentation"
+             xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml"
+             xmlns:d="http://schemas.microsoft.com/expression/blend/2008"
+             xmlns:local="using:TerminalApp"
+             xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006"
+             xmlns:mux="using:Microsoft.UI.Xaml.Controls"
+             AutomationProperties.AccessibilityView="Content"
+             AutomationProperties.IsDialog="True"
+             AutomationProperties.Name="{x:Bind ControlName, Mode=OneWay}"
+             PreviewKeyUp="_keyUpHandler"
+             mc:Ignorable="d">
+
+    <!--
+        We have to use two grids to be tricky here:
+        - The outer grid will get its background from the control it hosts, and
+        expands to fit its container. This will make it look like the background
+        fills the space available.
+        - The inner grid is set to Center,Center, so that the "dialog" appears
+        centered
+    -->
+
+    <Grid x:Name="RootGrid"
+          HorizontalAlignment="Stretch"
+          VerticalAlignment="Stretch">
+        <Grid HorizontalAlignment="Center"
+              VerticalAlignment="Center">
+            <Border Margin="8,8,8,8"
+                    Padding="16,8,16,8"
+                    AllowFocusOnInteraction="True"
+                    AutomationProperties.AccessibilityView="Raw"
+                    AutomationProperties.IsDialog="True"
+                    Background="{ThemeResource SystemControlBackgroundAltHighBrush}"
+                    BorderBrush="{ThemeResource SystemAccentColor}"
+                    BorderThickness="2,2,2,2"
+                    CornerRadius="{ThemeResource OverlayCornerRadius}">
+                <StackPanel Orientation="Vertical">
+                    <TextBlock x:Name="ApproveCommandlineWarningTitle"
+                               x:Uid="ApproveCommandlineWarningTitle"
+                               Padding="0,0,0,16"
+                               HorizontalAlignment="Left"
+                               FontSize="20"
+                               FontWeight="Normal"
+                               IsTextSelectionEnabled="True"
+                               TextWrapping="WrapWholeWords" />
+
+                    <TextBlock x:Name="PrefixTextBlock"
+                               x:Uid="ApproveCommandlineWarningPrefixTextBlock"
+                               HorizontalAlignment="Left"
+                               IsTextSelectionEnabled="True"
+                               TextWrapping="WrapWholeWords" />
+
+                    <TextBlock x:Name="CommandlineText"
+                               Margin="0,16,0,16"
+                               HorizontalAlignment="Left"
+                               FontFamily="Cascadia Mono"
+                               IsTextSelectionEnabled="True"
+                               Text="{x:Bind Commandline, Mode=OneWay}"
+                               TextWrapping="WrapWholeWords" />
+
+                    <TextBlock x:Name="SuffixTextBlock"
+                               x:Uid="ApproveCommandlineWarningSuffixTextBlock"
+                               HorizontalAlignment="Left"
+                               IsTextSelectionEnabled="True"
+                               TextWrapping="WrapWholeWords" />
+                    <Grid Margin="0,8,0,8"
+                          HorizontalAlignment="Stretch"
+                          XYFocusKeyboardNavigation="Enabled">
+                        <Grid.ColumnDefinitions>
+                            <ColumnDefinition Width="*" />
+                            <ColumnDefinition Width="*" />
+                        </Grid.ColumnDefinitions>
+                        <Button x:Name="PrimaryButton"
+                                x:Uid="ApproveCommandlineWarning_PrimaryButton"
+                                Grid.Column="0"
+                                Margin="0,0,8,0"
+                                HorizontalAlignment="Stretch"
+                                Click="_primaryButtonClick"
+                                IsTabStop="True"
+                                Style="{StaticResource AccentButtonStyle}" />
+                        <Button x:Name="CancelButton"
+                                x:Uid="ApproveCommandlineWarning_CancelButton"
+                                Grid.Column="1"
+                                HorizontalAlignment="Stretch"
+                                Click="_cancelButtonClick"
+                                IsTabStop="True" />
+                    </Grid>
+                </StackPanel>
+            </Border>
+        </Grid>
+    </Grid>
+
+</UserControl>

src/cascadia/TerminalApp/AppLogic.cpp

@@ -12,6 +12,8 @@
 #include <WtExeUtils.h>
 #include <wil/token_helpers.h >
 
+#include "../../types/inc/utils.hpp"
+
 using namespace winrt::Windows::ApplicationModel;
 using namespace winrt::Windows::ApplicationModel::DataTransfer;
 using namespace winrt::Windows::UI::Xaml;
@@ -131,38 +133,6 @@ static Documents::Run _BuildErrorRun(const winrt::hstring& text, const ResourceD
     return textRun;
 }
 
-// Method Description:
-// - Returns whether the user is either a member of the Administrators group or
-//   is currently elevated.
-// - This will return **FALSE** if the user has UAC disabled entirely, because
-//   there's no separation of power between the user and an admin in that case.
-// Return Value:
-// - true if the user is an administrator
-static bool _isUserAdmin() noexcept
-try
-{
-    wil::unique_handle processToken{ GetCurrentProcessToken() };
-    const auto elevationType = wil::get_token_information<TOKEN_ELEVATION_TYPE>(processToken.get());
-    const auto elevationState = wil::get_token_information<TOKEN_ELEVATION>(processToken.get());
-    if (elevationType == TokenElevationTypeDefault && elevationState.TokenIsElevated)
-    {
-        // In this case, the user has UAC entirely disabled. This is sort of
-        // weird, we treat this like the user isn't an admin at all. There's no
-        // separation of powers, so the things we normally want to gate on
-        // "having special powers" doesn't apply.
-        //
-        // See GH#7754, GH#11096
-        return false;
-    }
-
-    return wil::test_token_membership(nullptr, SECURITY_NT_AUTHORITY, SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_ADMINS);
-}
-catch (...)
-{
-    LOG_CAUGHT_EXCEPTION();
-    return false;
-}
-
 namespace winrt::TerminalApp::implementation
 {
     // Function Description:
@@ -214,7 +184,7 @@ namespace winrt::TerminalApp::implementation
         // The TerminalPage has to be constructed during our construction, to
         // make sure that there's a terminal page for callers of
         // SetTitleBarContent
-        _isElevated = _isUserAdmin();
+        _isElevated = ::Microsoft::Console::Utils::IsElevated();
         _root = winrt::make_self<TerminalPage>();
 
         _reloadSettings = std::make_shared<ThrottledFuncTrailing<>>(winrt::Windows::System::DispatcherQueue::GetForCurrentThread(), std::chrono::milliseconds(100), [weakSelf = get_weak()]() {
@@ -910,8 +880,6 @@ namespace winrt::TerminalApp::implementation
     void AppLogic::_RegisterSettingsChange()
     {
         const std::filesystem::path settingsPath{ std::wstring_view{ CascadiaSettings::SettingsPath() } };
-        const std::filesystem::path statePath{ std::wstring_view{ ApplicationState::SharedInstance().FilePath() } };
-
         _reader.create(
             settingsPath.parent_path().c_str(),
             false,
@@ -920,14 +888,29 @@ namespace winrt::TerminalApp::implementation
             // editors, who will write a temp file, then rename it to be the
             // actual file you wrote. So listen for that too.
             wil::FolderChangeEvents::FileName | wil::FolderChangeEvents::LastWriteTime,
-            [this, settingsBasename = settingsPath.filename(), stateBasename = statePath.filename()](wil::FolderChangeEvent, PCWSTR fileModified) {
-                const auto modifiedBasename = std::filesystem::path{ fileModified }.filename();
+            [this, settingsBasename = settingsPath.filename()](wil::FolderChangeEvent, PCWSTR fileModified) {
+                // DO NOT create a static reference to ApplicationState::SharedInstance here.
+                //
+                // ApplicationState::SharedInstance already caches its own
+                // static ref. If _we_ keep a static ref to the member in
+                // AppState, then our reference will keep ApplicationState alive
+                // after the `ActionToStringMap` gets cleaned up. Then, when we
+                // try to persist the actions in the window state, we won't be
+                // able to. We'll try to look up the action and the map just
+                // won't exist. We'll explode, even though the Terminal is
+                // tearing down anyways. So we'll just die, but still invoke
+                // WinDBG's post-mortem debugger, who won't be able to attach to
+                // the process that's already exiting.
+                //
+                // So DON'T ~give a mouse a cookie~ take a static ref here.
+
+                const winrt::hstring modifiedBasename{ std::filesystem::path{ fileModified }.filename().c_str() };
 
                 if (modifiedBasename == settingsBasename)
                 {
                     _reloadSettings->Run();
                 }
-                else if (modifiedBasename == stateBasename)
+                else if (ApplicationState::SharedInstance().IsStatePath(modifiedBasename))
                 {
                     _reloadState();
                 }

src/cascadia/TerminalApp/Pane.cpp

@@ -34,7 +34,7 @@ static const Duration AnimationDuration = DurationHelper::FromTimeSpan(winrt::Wi
 winrt::Windows::UI::Xaml::Media::SolidColorBrush Pane::s_focusedBorderBrush = { nullptr };
 winrt::Windows::UI::Xaml::Media::SolidColorBrush Pane::s_unfocusedBorderBrush = { nullptr };
 
-Pane::Pane(const Profile& profile, const TermControl& control, const bool lastFocused) :
+Pane::Pane(const Profile& profile, const Controls::UserControl& control, const bool lastFocused) :
     _control{ control },
     _lastActive{ lastFocused },
     _profile{ profile }
@@ -42,8 +42,11 @@ Pane::Pane(const Profile& profile, const TermControl& control, const bool lastFo
     _root.Children().Append(_borderFirst);
     _borderFirst.Child(_control);
 
-    _connectionStateChangedToken = _control.ConnectionStateChanged({ this, &Pane::_ControlConnectionStateChangedHandler });
-    _warningBellToken = _control.WarningBell({ this, &Pane::_ControlWarningBellHandler });
+    if (const auto& termControl{ _control.try_as<TermControl>() })
+    {
+        _connectionStateChangedToken = termControl.ConnectionStateChanged({ this, &Pane::_ControlConnectionStateChangedHandler });
+        _warningBellToken = termControl.WarningBell({ this, &Pane::_ControlWarningBellHandler });
+    }
 
     // On the first Pane's creation, lookup resources we'll use to theme the
     // Pane, including the brushed to use for the focused/unfocused border
@@ -125,11 +128,23 @@ NewTerminalArgs Pane::GetTerminalArgsForPane() const
     assert(_IsLeaf());
 
     NewTerminalArgs args{};
-    auto controlSettings = _control.Settings().as<TerminalSettings>();
+    auto termControl{ _control.try_as<TermControl>() };
+    if (!termControl)
+    {
+        if (auto adminWarning{ _control.try_as<AdminWarningPlaceholder>() })
+        {
+            termControl = adminWarning.Content().try_as<TermControl>();
+        }
+    }
+    if (!termControl)
+    {
+        return nullptr;
+    }
+    auto controlSettings = termControl.Settings().as<TerminalSettings>();
 
     args.Profile(controlSettings.ProfileName());
     // If we know the user's working directory use it instead of the profile.
-    if (const auto dir = _control.WorkingDirectory(); !dir.empty())
+    if (const auto dir = termControl.WorkingDirectory(); !dir.empty())
     {
         args.StartingDirectory(dir);
     }
@@ -832,6 +847,40 @@ bool Pane::SwapPanes(std::shared_ptr<Pane> first, std::shared_ptr<Pane> second)
     return false;
 }
 
+Controls::UserControl Pane::ReplaceControl(const Controls::UserControl& control)
+{
+    if (!_IsLeaf())
+    {
+        return nullptr;
+    }
+
+    // Remove old control's event handlers
+    const auto& oldControl = _control;
+    _gotFocusRevoker.revoke();
+    _lostFocusRevoker.revoke();
+    if (const auto& oldTermControl{ _control.try_as<TermControl>() })
+    {
+        oldTermControl.ConnectionStateChanged(_connectionStateChangedToken);
+        oldTermControl.WarningBell(_warningBellToken);
+    }
+
+    _control = control;
+
+    _borderFirst.Child(_control);
+
+    // Register an event with the control to have it inform us when it gains focus.
+    _gotFocusRevoker = _control.GotFocus(winrt::auto_revoke, { this, &Pane::_ControlGotFocusHandler });
+    _lostFocusRevoker = _control.LostFocus(winrt::auto_revoke, { this, &Pane::_ControlLostFocusHandler });
+
+    if (const auto& termControl{ _control.try_as<TermControl>() })
+    {
+        _connectionStateChangedToken = termControl.ConnectionStateChanged({ this, &Pane::_ControlConnectionStateChangedHandler });
+        _warningBellToken = termControl.WarningBell({ this, &Pane::_ControlWarningBellHandler });
+    }
+
+    return oldControl;
+}
+
 // Method Description:
 // - Given two panes' offsets, test whether the `direction` side of first is adjacent to second.
 // Arguments:
@@ -1079,8 +1128,12 @@ void Pane::_ControlConnectionStateChangedHandler(const winrt::Windows::Foundatio
     {
         return;
     }
-
-    const auto newConnectionState = _control.ConnectionState();
+    const auto& termControl{ _control.try_as<TermControl>() };
+    if (!termControl)
+    {
+        return;
+    }
+    const auto newConnectionState = termControl.ConnectionState();
     const auto previousConnectionState = std::exchange(_connectionState, newConnectionState);
 
     if (newConnectionState < ConnectionState::Closed)
@@ -1123,7 +1176,9 @@ void Pane::_ControlWarningBellHandler(const winrt::Windows::Foundation::IInspect
     {
         return;
     }
-    if (_profile)
+
+    const auto& termControl{ _control.try_as<TermControl>() };
+    if (_profile && termControl)
     {
         // We don't want to do anything if nothing is set, so check for that first
         if (static_cast<int>(_profile.BellStyle()) != 0)
@@ -1137,7 +1192,7 @@ void Pane::_ControlWarningBellHandler(const winrt::Windows::Foundation::IInspect
 
             if (WI_IsFlagSet(_profile.BellStyle(), winrt::Microsoft::Terminal::Settings::Model::BellStyle::Window))
             {
-                _control.BellLightOn();
+                termControl.BellLightOn();
             }
 
             // raise the event with the bool value corresponding to the taskbar flag
@@ -1197,7 +1252,11 @@ void Pane::Shutdown()
     std::unique_lock lock{ _createCloseLock };
     if (_IsLeaf())
     {
-        _control.Close();
+        const auto& termControl{ _control.try_as<TermControl>() };
+        if (termControl)
+        {
+            termControl.Close();
+        }
     }
     else
     {
@@ -1207,7 +1266,7 @@ void Pane::Shutdown()
 }
 
 // Method Description:
-// - Get the root UIElement of this pane. There may be a single TermControl as a
+// - Get the root UIElement of this pane. There may be a single UserControl as a
 //   child, or an entire tree of grids and panes as children of this element.
 // Arguments:
 // - <none>
@@ -1266,7 +1325,7 @@ TermControl Pane::GetLastFocusedTerminalControl()
             {
                 if (p->_IsLeaf())
                 {
-                    return p->_control;
+                    return p->GetTerminalControl();
                 }
                 pane = p;
             }
@@ -1274,7 +1333,7 @@ TermControl Pane::GetLastFocusedTerminalControl()
         }
         return _firstChild->GetLastFocusedTerminalControl();
     }
-    return _control;
+    return GetTerminalControl();
 }
 
 // Method Description:
@@ -1283,8 +1342,15 @@ TermControl Pane::GetLastFocusedTerminalControl()
 // Arguments:
 // - <none>
 // Return Value:
-// - nullptr if this Pane is a parent, otherwise the TermControl of this Pane.
-TermControl Pane::GetTerminalControl()
+// - nullptr if this Pane is a parent or isn't hosting a Terminal, otherwise the
+//   TermControl of this Pane.
+TermControl Pane::GetTerminalControl() const
+{
+    auto control{ GetUserControl() };
+    return control ? control.try_as<TermControl>() : nullptr;
+}
+
+Controls::UserControl Pane::GetUserControl() const
 {
     return _IsLeaf() ? _control : nullptr;
 }
@@ -1457,9 +1523,13 @@ void Pane::_FocusFirstChild()
 void Pane::UpdateSettings(const TerminalSettingsCreateResult& settings, const Profile& profile)
 {
     assert(_IsLeaf());
-
+    const auto& termControl{ _control.try_as<TermControl>() };
+    if (!termControl)
+    {
+        return;
+    }
     _profile = profile;
-    auto controlSettings = _control.Settings().as<TerminalSettings>();
+    auto controlSettings = termControl.Settings().as<TerminalSettings>();
     // Update the parent of the control's settings object (and not the object itself) so
     // that any overrides made by the control don't get affected by the reload
     controlSettings.SetParent(settings.DefaultSettings());
@@ -1472,8 +1542,8 @@ void Pane::UpdateSettings(const TerminalSettingsCreateResult& settings, const Pr
         // sure the unfocused settings inherit from that.
         unfocusedSettings.SetParent(controlSettings);
     }
-    _control.UnfocusedAppearance(unfocusedSettings);
-    _control.UpdateSettings();
+    termControl.UnfocusedAppearance(unfocusedSettings);
+    termControl.UpdateSettings();
 }
 
 // Method Description:
@@ -1614,8 +1684,12 @@ void Pane::_CloseChild(const bool closeFirst, const bool isDetaching)
         _id = remainingChild->Id();
 
         // Add our new event handler before revoking the old one.
-        _connectionStateChangedToken = _control.ConnectionStateChanged({ this, &Pane::_ControlConnectionStateChangedHandler });
-        _warningBellToken = _control.WarningBell({ this, &Pane::_ControlWarningBellHandler });
+        const auto& termControl{ _control.try_as<TermControl>() };
+        if (termControl)
+        {
+            _connectionStateChangedToken = termControl.ConnectionStateChanged({ this, &Pane::_ControlConnectionStateChangedHandler });
+            _warningBellToken = termControl.WarningBell({ this, &Pane::_ControlWarningBellHandler });
+        }
 
         // Revoke the old event handlers. Remove both the handlers for the panes
         // themselves closing, and remove their handlers for their controls
@@ -1629,8 +1703,11 @@ void Pane::_CloseChild(const bool closeFirst, const bool isDetaching)
             closedChild->WalkTree([](auto p) {
                 if (p->_IsLeaf())
                 {
-                    p->_control.ConnectionStateChanged(p->_connectionStateChangedToken);
-                    p->_control.WarningBell(p->_warningBellToken);
+                    if (const auto& closedControl{ p->_control.try_as<TermControl>() })
+                    {
+                        closedControl.ConnectionStateChanged(p->_connectionStateChangedToken);
+                        closedControl.WarningBell(p->_warningBellToken);
+                    }
                 }
                 return false;
             });
@@ -1638,15 +1715,19 @@ void Pane::_CloseChild(const bool closeFirst, const bool isDetaching)
 
         closedChild->Closed(closedChildClosedToken);
         remainingChild->Closed(remainingChildClosedToken);
-        remainingChild->_control.ConnectionStateChanged(remainingChild->_connectionStateChangedToken);
-        remainingChild->_control.WarningBell(remainingChild->_warningBellToken);
+
+        if (const auto& remainingControl{ remainingChild->_control.try_as<TermControl>() })
+        {
+            remainingControl.ConnectionStateChanged(remainingChild->_connectionStateChangedToken);
+            remainingControl.WarningBell(remainingChild->_warningBellToken);
+        }
 
         // If we or either of our children was focused, we want to take that
         // focus from them.
         _lastActive = _lastActive || _firstChild->_lastActive || _secondChild->_lastActive;
 
         // Remove all the ui elements of the remaining child. This'll make sure
-        // we can re-attach the TermControl to our Grid.
+        // we can re-attach the UserControl to our Grid.
         remainingChild->_root.Children().Clear();
         remainingChild->_borderFirst.Child(nullptr);
 
@@ -1657,7 +1738,7 @@ void Pane::_CloseChild(const bool closeFirst, const bool isDetaching)
         _root.ColumnDefinitions().Clear();
         _root.RowDefinitions().Clear();
 
-        // Reattach the TermControl to our grid.
+        // Reattach the UserControl to our grid.
         _root.Children().Append(_borderFirst);
         _borderFirst.Child(_control);
 
@@ -1719,8 +1800,11 @@ void Pane::_CloseChild(const bool closeFirst, const bool isDetaching)
             closedChild->WalkTree([](auto p) {
                 if (p->_IsLeaf())
                 {
-                    p->_control.ConnectionStateChanged(p->_connectionStateChangedToken);
-                    p->_control.WarningBell(p->_warningBellToken);
+                    if (const auto& closedControl{ p->_control.try_as<TermControl>() })
+                    {
+                        closedControl.ConnectionStateChanged(p->_connectionStateChangedToken);
+                        closedControl.WarningBell(p->_warningBellToken);
+                    }
                 }
                 return false;
             });
@@ -2468,11 +2552,14 @@ std::pair<std::shared_ptr<Pane>, std::shared_ptr<Pane>> Pane::_Split(SplitDirect
 
     if (_IsLeaf())
     {
-        // revoke our handler - the child will take care of the control now.
-        _control.ConnectionStateChanged(_connectionStateChangedToken);
-        _connectionStateChangedToken.value = 0;
-        _control.WarningBell(_warningBellToken);
-        _warningBellToken.value = 0;
+        if (const auto& termControl{ _control.try_as<TermControl>() })
+        {
+            // revoke our handler - the child will take care of the control now.
+            termControl.ConnectionStateChanged(_connectionStateChangedToken);
+            termControl.WarningBell(_warningBellToken);
+            _connectionStateChangedToken.value = 0;
+            _warningBellToken.value = 0;
+        }
 
         // Remove our old GotFocus handler from the control. We don't want the
         // control telling us that it's now focused, we want it telling its new
@@ -2482,7 +2569,7 @@ std::pair<std::shared_ptr<Pane>, std::shared_ptr<Pane>> Pane::_Split(SplitDirect
     }
 
     // Remove any children we currently have. We can't add the existing
-    // TermControl to a new grid until we do this.
+    // UserControl to a new grid until we do this.
     _root.Children().Clear();
     _borderFirst.Child(nullptr);
     _borderSecond.Child(nullptr);
@@ -2860,8 +2947,13 @@ float Pane::CalcSnappedDimension(const bool widthOrHeight, const float dimension
 //   If requested size is already snapped, then both returned values equal this value.
 Pane::SnapSizeResult Pane::_CalcSnappedDimension(const bool widthOrHeight, const float dimension) const
 {
+    const auto& termControl{ _control.try_as<TermControl>() };
     if (_IsLeaf())
     {
+        if (!termControl)
+        {
+            return { dimension, dimension };
+        }
         // If we're a leaf pane, align to the grid of controlling terminal
 
         const auto minSize = _GetMinSize();
@@ -2872,7 +2964,7 @@ Pane::SnapSizeResult Pane::_CalcSnappedDimension(const bool widthOrHeight, const
             return { minDimension, minDimension };
         }
 
-        float lower = _control.SnapDimensionToGrid(widthOrHeight, dimension);
+        float lower = termControl.SnapDimensionToGrid(widthOrHeight, dimension);
         if (widthOrHeight)
         {
             lower += WI_IsFlagSet(_borders, Borders::Left) ? PaneBorderSize : 0;
@@ -2892,7 +2984,7 @@ Pane::SnapSizeResult Pane::_CalcSnappedDimension(const bool widthOrHeight, const
         }
         else
         {
-            const auto cellSize = _control.CharacterDimensions();
+            const auto cellSize = termControl.CharacterDimensions();
             const auto higher = lower + (widthOrHeight ? cellSize.Width : cellSize.Height);
             return { lower, higher };
         }
@@ -2937,26 +3029,39 @@ Pane::SnapSizeResult Pane::_CalcSnappedDimension(const bool widthOrHeight, const
 // - <none>
 void Pane::_AdvanceSnappedDimension(const bool widthOrHeight, LayoutSizeNode& sizeNode) const
 {
+    const auto& termControl{ _control.try_as<TermControl>() };
     if (_IsLeaf())
     {
-        // We're a leaf pane, so just add one more row or column (unless isMinimumSize
-        // is true, see below).
-
-        if (sizeNode.isMinimumSize)
+        if (termControl)
         {
-            // If the node is of its minimum size, this size might not be snapped (it might
-            // be, say, half a character, or fixed 10 pixels), so snap it upward. It might
-            // however be already snapped, so add 1 to make sure it really increases
-            // (not strictly necessary but to avoid surprises).
-            sizeNode.size = _CalcSnappedDimension(widthOrHeight, sizeNode.size + 1).higher;
+            // We're a leaf pane, so just add one more row or column (unless isMinimumSize
+            // is true, see below).
+
+            if (sizeNode.isMinimumSize)
+            {
+                // If the node is of its minimum size, this size might not be snapped (it might
+                // be, say, half a character, or fixed 10 pixels), so snap it upward. It might
+                // however be already snapped, so add 1 to make sure it really increases
+                // (not strictly necessary but to avoid surprises).
+                sizeNode.size = _CalcSnappedDimension(widthOrHeight, sizeNode.size + 1).higher;
+            }
+            else
+            {
+                const auto cellSize = termControl.CharacterDimensions();
+                sizeNode.size += widthOrHeight ? cellSize.Width : cellSize.Height;
+            }
         }
         else
         {
-            const auto cellSize = _control.CharacterDimensions();
-            sizeNode.size += widthOrHeight ? cellSize.Width : cellSize.Height;
+            // If we're a leaf that didn't have a TermControl, then just increment
+            // by one. We have to increment by _some_ value, because this is used in
+            // a while() loop to find the next bigger size we can snap to. But since
+            // a non-terminal control doesn't really care what size it's snapped to,
+            // we can just say "one pixel larger is the next snap point"
+            sizeNode.size += 1;
         }
     }
-    else
+    else // !_IsLeaf()
     {
         // We're a parent pane, so we have to advance dimension of our children panes. In
         // fact, we advance only one child (chosen later) to keep the growth fine-grained.
@@ -3058,7 +3163,8 @@ Size Pane::_GetMinSize() const
 {
     if (_IsLeaf())
     {
-        auto controlSize = _control.MinimumSize();
+        const auto& termControl{ _control.try_as<TermControl>() };
+        auto controlSize = termControl ? termControl.MinimumSize() : Size{ 1, 1 };
         auto newWidth = controlSize.Width;
         auto newHeight = controlSize.Height;
 
@@ -3244,7 +3350,10 @@ std::optional<SplitDirection> Pane::PreCalculateAutoSplit(const std::shared_ptr<
 // - Returns true if the pane or one of its descendants is read-only
 bool Pane::ContainsReadOnly() const
 {
-    return _IsLeaf() ? _control.ReadOnly() : (_firstChild->ContainsReadOnly() || _secondChild->ContainsReadOnly());
+    const auto& termControl{ GetTerminalControl() };
+    return termControl ?
+               termControl.ReadOnly() :
+               (_IsLeaf() ? false : (_firstChild->ContainsReadOnly() || _secondChild->ContainsReadOnly()));
 }
 
 // Method Description:
@@ -3257,13 +3366,14 @@ bool Pane::ContainsReadOnly() const
 // - <none>
 void Pane::CollectTaskbarStates(std::vector<winrt::TerminalApp::TaskbarState>& states)
 {
-    if (_IsLeaf())
+    const auto& termControl{ GetTerminalControl() };
+    if (termControl)
     {
-        auto tbState{ winrt::make<winrt::TerminalApp::implementation::TaskbarState>(_control.TaskbarState(),
-                                                                                    _control.TaskbarProgress()) };
+        auto tbState{ winrt::make<winrt::TerminalApp::implementation::TaskbarState>(termControl.TaskbarState(),
+                                                                                    termControl.TaskbarProgress()) };
         states.push_back(tbState);
     }
-    else
+    else if (!_IsLeaf())
     {
         _firstChild->CollectTaskbarStates(states);
         _secondChild->CollectTaskbarStates(states);

src/cascadia/TerminalApp/Pane.h

@@ -56,7 +56,7 @@ class Pane : public std::enable_shared_from_this<Pane>
 {
 public:
     Pane(const winrt::Microsoft::Terminal::Settings::Model::Profile& profile,
-         const winrt::Microsoft::Terminal::Control::TermControl& control,
+         const winrt::Windows::UI::Xaml::Controls::UserControl& control,
          const bool lastFocused = false);
 
     Pane(std::shared_ptr<Pane> first,
@@ -66,8 +66,9 @@ public:
          const bool lastFocused = false);
 
     std::shared_ptr<Pane> GetActivePane();
+    winrt::Windows::UI::Xaml::Controls::UserControl GetUserControl() const;
     winrt::Microsoft::Terminal::Control::TermControl GetLastFocusedTerminalControl();
-    winrt::Microsoft::Terminal::Control::TermControl GetTerminalControl();
+    winrt::Microsoft::Terminal::Control::TermControl GetTerminalControl() const;
     winrt::Microsoft::Terminal::Settings::Model::Profile GetFocusedProfile();
 
     // Method Description:
@@ -126,6 +127,8 @@ public:
                                      winrt::Microsoft::Terminal::Settings::Model::SplitDirection splitType);
     std::shared_ptr<Pane> DetachPane(std::shared_ptr<Pane> pane);
 
+    winrt::Windows::UI::Xaml::Controls::UserControl ReplaceControl(const winrt::Windows::UI::Xaml::Controls::UserControl& control);
+
     int GetLeafPaneCount() const noexcept;
 
     void Maximize(std::shared_ptr<Pane> zoomedPane);
@@ -200,7 +203,8 @@ private:
     winrt::Windows::UI::Xaml::Controls::Grid _root{};
     winrt::Windows::UI::Xaml::Controls::Border _borderFirst{};
     winrt::Windows::UI::Xaml::Controls::Border _borderSecond{};
-    winrt::Microsoft::Terminal::Control::TermControl _control{ nullptr };
+    winrt::Windows::UI::Xaml::Controls::UserControl _control{ nullptr };
+
     winrt::Microsoft::Terminal::TerminalConnection::ConnectionState _connectionState{ winrt::Microsoft::Terminal::TerminalConnection::ConnectionState::NotConnected };
     static winrt::Windows::UI::Xaml::Media::SolidColorBrush s_focusedBorderBrush;
     static winrt::Windows::UI::Xaml::Media::SolidColorBrush s_unfocusedBorderBrush;

src/cascadia/TerminalApp/Resources/en-US/Resources.resw

@@ -504,6 +504,24 @@
   <data name="MultiLinePasteDialog.Title" xml:space="preserve">
     <value>Warning</value>
   </data>
+  <data name="ApproveCommandlineWarningPrefixTextBlock.Text" xml:space="preserve">
+    <value>You are about to execute the following command-line:</value>
+  </data>
+  <data name="ApproveCommandlineWarningSuffixTextBlock.Text" xml:space="preserve">
+    <value>Do you wish to continue?</value>
+  </data>
+  <data name="ApproveCommandlineWarning_PrimaryButton.Content" xml:space="preserve">
+    <value>Allow command-line</value>
+  </data>
+  <data name="ApproveCommandlineWarning_CancelButton.Content" xml:space="preserve">
+    <value>Cancel</value>
+  </data>
+  <data name="ApproveCommandlineWarningTitle.Text" xml:space="preserve">
+    <value>Warning</value>
+  </data>
+  <data name="AdminWarningPlaceholderName" xml:space="preserve">
+    <value>Elevated command-line warning</value>
+  </data>
   <data name="CommandPalette_SearchBox.PlaceholderText" xml:space="preserve">
     <value>Type a command name...</value>
   </data>

src/cascadia/TerminalApp/TabManagement.cpp

@@ -16,6 +16,7 @@
 #include <LibraryResources.h>
 
 #include "TabRowControl.h"
+#include "AdminWarningPlaceholder.h"
 #include "ColorHelper.h"
 #include "DebugTapConnection.h"
 #include "SettingsTab.h"
@@ -68,6 +69,17 @@ namespace winrt::TerminalApp::implementation
         const auto profile{ _settings.GetProfileForArgs(newTerminalArgs) };
         const auto settings{ TerminalSettings::CreateWithNewTerminalArgs(_settings, newTerminalArgs, *_bindings) };
 
+        // Try to handle auto-elevation
+        if (_maybeElevate(newTerminalArgs, settings, profile))
+        {
+            return S_OK;
+        }
+        // We can't go in the other direction (elevated->unelevated)
+        // unfortunately. This seems to be due to Centennial quirks. It works
+        // unpackaged, but not packaged.
+        //
+        // This call to _MakePane won't return nullptr, we already checked that
+        // case above with the _maybeElevate call.
         _CreateNewTabFromPane(_MakePane(newTerminalArgs, false, existingConnection));
 
         const uint32_t tabCount = _tabs.Size();
@@ -240,8 +252,11 @@ namespace winrt::TerminalApp::implementation
     // - pane: The pane to use as the root.
     void TerminalPage::_CreateNewTabFromPane(std::shared_ptr<Pane> pane)
     {
-        auto newTabImpl = winrt::make_self<TerminalTab>(pane);
-        _InitializeTab(newTabImpl);
+        if (pane)
+        {
+            auto newTabImpl = winrt::make_self<TerminalTab>(pane);
+            _InitializeTab(newTabImpl);
+        }
     }
 
     // Method Description:

src/cascadia/TerminalApp/TerminalAppLib.vcxproj

@@ -63,6 +63,9 @@
     <Page Include="CommandPalette.xaml">
       <SubType>Designer</SubType>
     </Page>
+    <Page Include="AdminWarningPlaceholder.xaml">
+      <SubType>Designer</SubType>
+    </Page>
   </ItemGroup>
   <!-- ========================= Headers ======================== -->
   <ItemGroup>
@@ -141,6 +144,9 @@
     <ClInclude Include="AppLogic.h">
       <DependentUpon>AppLogic.idl</DependentUpon>
     </ClInclude>
+    <ClInclude Include="AdminWarningPlaceholder.h">
+      <DependentUpon>AdminWarningPlaceholder.xaml</DependentUpon>
+    </ClInclude>
     <ClInclude Include="Toast.h" />
   </ItemGroup>
   <!-- ========================= Cpp Files ======================== -->
@@ -234,6 +240,9 @@
     <ClCompile Include="AppLogic.cpp">
       <DependentUpon>AppLogic.idl</DependentUpon>
     </ClCompile>
+    <ClCompile Include="AdminWarningPlaceholder.cpp">
+      <DependentUpon>AdminWarningPlaceholder.xaml</DependentUpon>
+    </ClCompile>
     <ClCompile Include="$(GeneratedFilesDir)module.g.cpp" />
     <ClCompile Include="Toast.cpp" />
   </ItemGroup>
@@ -295,6 +304,10 @@
       <DependentUpon>CommandPalette.xaml</DependentUpon>
       <SubType>Code</SubType>
     </Midl>
+    <Midl Include="AdminWarningPlaceholder.idl">
+      <DependentUpon>AdminWarningPlaceholder.xaml</DependentUpon>
+      <SubType>Code</SubType>
+    </Midl>
     <Midl Include="FilteredCommand.idl" />
     <Midl Include="EmptyStringVisibilityConverter.idl" />
   </ItemGroup>

src/cascadia/TerminalApp/TerminalPage.cpp

@@ -12,11 +12,14 @@
 #include "TerminalPage.g.cpp"
 #include <winrt/Windows.Storage.h>
 
+#include "../WinRTUtils/inc/WtExeUtils.h"
+
 #include "TabRowControl.h"
 #include "ColorHelper.h"
 #include "DebugTapConnection.h"
 #include "SettingsTab.h"
 #include "RenameWindowRequestedArgs.g.cpp"
+#include "AdminWarningPlaceholder.h"
 #include "../inc/WindowingBehavior.h"
 
 #include <til/latch.h>
@@ -300,10 +303,7 @@ namespace winrt::TerminalApp::implementation
     // - true if the ApplicationState should be used.
     bool TerminalPage::ShouldUsePersistedLayout(CascadiaSettings& settings) const
     {
-        // GH#5000 Until there is a separate state file for elevated sessions we should just not
-        // save at all while in an elevated window.
         return Feature_PersistedWindowLayout::IsEnabled() &&
-               !IsElevated() &&
                settings.GlobalSettings().FirstWindowPreference() == FirstWindowPreference::PersistedWindowLayout;
     }
 
@@ -551,7 +551,24 @@ namespace winrt::TerminalApp::implementation
     void TerminalPage::_CompleteInitialization()
     {
         _startupState = StartupState::Initialized;
-        _InitializedHandlers(*this, nullptr);
+
+        // GH#632 - It's possible that the user tried to create the terminal
+        // with only one tab, with only an elevated profile. If that happens,
+        // we'll create _another_ process to host the elevated version of that
+        // profile. This can happen from the jumplist, or if the default profile
+        // is `elevate:true`, or from the commandline.
+        //
+        // However, we need to make sure to close this window in that scenario.
+        // Since there aren't any _tabs_ in this window, we won't ever get a
+        // closed event. So do it manually.
+        if (_tabs.Size() == 0)
+        {
+            _LastTabClosedHandlers(*this, nullptr);
+        }
+        else
+        {
+            _InitializedHandlers(*this, nullptr);
+        }
     }
 
     // Method Description:
@@ -867,6 +884,13 @@ namespace winrt::TerminalApp::implementation
         else
         {
             const auto newPane = _MakePane(newTerminalArgs);
+            // If the newTerminalArgs caused us to open an elevated window
+            // instead of creating a pane, it may have returned nullptr. Just do
+            // nothing then.
+            if (!newPane)
+            {
+                return;
+            }
             if (altPressed && !debugTap)
             {
                 this->_SplitPane(SplitDirection::Automatic,
@@ -1486,6 +1510,311 @@ namespace winrt::TerminalApp::implementation
         return true;
     }
 
+    // Function Description:
+    // - Returns true if this commandline is a commandline that we know is safe.
+    //   Generally, this is true for any executables in system32. We can use
+    //   this to bypass the elevated state check, because we're confident that
+    //   executables in that path won't have been hijacked.
+    //   - TECHNICALLY a user can take ownership of a file in system32 and
+    //     replace it as the system administrator. You could say it's OK though
+    //     because you'd already have to have had admin rights to mess that
+    //     folder up or something.
+    // - Will attempt to resolve environment strings.
+    // - Will also manually allow commandlines as generated for the default WSL
+    //   distros.
+    // - Will also trust %ProgramFiles%\Powershell\...\pwsh.exe paths, for
+    //   PowerShell Core.
+    // Arguments:
+    // - commandLine: the command to check.
+    // Return Value (example):
+    // - C:\windows\system32\cmd.exe -> returns true
+    // - cmd.exe -> returns false
+    // - C:\windows\system32\cmd.exe /k echo sneaky sneak -> returns false
+    // - %SystemRoot%\System32\cmd.exe -> returns true
+    // - %SystemRoot%\System32\wsl.exe -d <distro name> -> returns true
+    static bool _isTrustedCommandline(std::wstring_view commandLine)
+    {
+        // use C++11 magic statics to make sure we only do this once.
+        static std::wstring systemDirectory = []() -> std::wstring {
+            // *** THIS IS A SINGLETON ***
+            static std::wstring sys32{};
+            if (FAILED(wil::GetSystemDirectoryW(sys32)))
+            {
+                // we couldn't look up where system32 is?? Then it's definitely not
+                // in System32
+                return {};
+            }
+            return sys32;
+        }();
+
+        if (systemDirectory.empty())
+        {
+            return false;
+        }
+
+        const std::filesystem::path fullCommandlinePath{
+            wil::ExpandEnvironmentStringsW<std::wstring>(commandLine.data())
+        };
+
+        if (fullCommandlinePath.wstring().size() > systemDirectory.size())
+        {
+            // Get the first part of the executable path
+            const auto start = fullCommandlinePath.wstring().substr(0, systemDirectory.size());
+            // Doing this as an ASCII only check might be wrong, but I'm
+            // guessing if system32 isn't at X:\windows\system32... this isn't
+            // the only thing that is going to be sad in Windows.
+            const auto pathEquals = til::equals_insensitive_ascii(start, systemDirectory);
+            if (pathEquals && std::filesystem::exists(fullCommandlinePath))
+            {
+                return true;
+            }
+        }
+
+        // Also, if the path is literally
+        //   %SystemRoot%\System32\wsl.exe -d <distro name>
+        // then allow it.
+
+        // Largely stolen from _tryMangleStartingDirectoryForWSL in ConptyConnection.
+        // Find the first space, quote or the end of the string -- we'll look
+        // for wsl before that.
+        const auto terminator{ commandLine.find_first_of(LR"(" )", 1) }; // look past the first character in case it starts with "
+        const auto start{ til::at(commandLine, 0) == L'"' ? 1 : 0 };
+        const std::filesystem::path executablePath{ commandLine.substr(start, terminator - start) };
+        const auto executableFilename{ executablePath.filename().wstring() };
+
+        if (executableFilename == L"wsl" || executableFilename == L"wsl.exe")
+        {
+            // We've got a WSL -- let's just make sure it's the right one.
+            if (executablePath.has_parent_path())
+            {
+                if (executablePath.parent_path().wstring() != systemDirectory)
+                {
+                    return false; // it wasn't in system32!
+                }
+            }
+            else
+            {
+                // Unqualified WSL, this is dangerous, so return false.
+                return false;
+            }
+
+            // Get everything after the wsl.exe
+            const auto arguments{ terminator == std::wstring_view::npos ?
+                                      std::wstring_view{} :
+                                      commandLine.substr(terminator + 1) };
+            const auto dashD{ arguments.find(L"-d ") };
+
+            // If we found a "-d " IMMEDIATELY AFTER wsl.exe. If it wasn't
+            // immediately after, it could have been `wsl.exe --doSomethingEvil`
+            if (dashD == 0)
+            {
+                // Using the string following "-d "...
+                const auto afterDashD{ arguments.substr(dashD + 3) };
+                // Find the next space
+                const auto afterFirstWord = afterDashD.find(L" ");
+                // if that space _wasn't_ at the end of the commandline, then
+                // there were some other args. That means it was `wsl -d distro
+                // anything`, and we should ask the user.
+                //
+                // So if it was at the end of the commandline, then there were
+                // no other args besides the distro name.
+                if (afterFirstWord == std::wstring::npos)
+                {
+                    return true;
+                }
+            }
+        }
+        else if (executableFilename == L"pwsh" || executableFilename == L"pwsh.exe")
+        {
+            // is does executablePath start with %ProgramFiles%\\PowerShell?
+            const std::filesystem::path powershellCoreRoot
+            {
+                wil::ExpandEnvironmentStringsW<std::wstring>(
+#if defined(_M_AMD64) || defined(_M_ARM64) // No point in looking for WOW if we're not somewhere it exists
+                    L"%ProgramFiles(x86)%\\PowerShell"
+#elif defined(_M_ARM64) // same with ARM
+                    L"%ProgramFiles(Arm)%\\PowerShell"
+#else
+                    L"%ProgramFiles%\\PowerShell"
+#endif
+                )
+            };
+
+            // Is the path to the commandline actually exactly one of the
+            // versions that exists in this directory?
+            for (const auto& versionedDir : std::filesystem::directory_iterator(powershellCoreRoot))
+            {
+                const auto versionedPath = versionedDir.path();
+                if (executablePath.parent_path() == versionedPath)
+                {
+                    return true;
+                }
+            }
+        }
+
+        return false;
+    }
+
+    // Method Description:
+    // - For a given commandline, determines if we should prompt the user for
+    //   approval. We only do this check when elevated. This will check the
+    //   AllowedCommandlines in `elevated-state.json`, to see if the commandline
+    //   already exists in that list.
+    // Arguments:
+    // - cmdline: The commandline to check
+    // Return Value:
+    // - true if we should prompt the user for approval.
+    bool TerminalPage::_shouldPromptForCommandline(const winrt::hstring& cmdline) const
+    {
+        // NOTE: For debugging purposes, changing this to `true || IsElevated()`
+        // is a handy way of forcing the elevation logic, even when unelevated.
+        if (IsElevated())
+        {
+            // If the cmdline is EXACTLY an executable in
+            // `C:\WINDOWS\System32`, then ignore this check.
+            if (_isTrustedCommandline(cmdline))
+            {
+                return false;
+            }
+
+            if (const auto& allowedCommandlines{ ApplicationState::SharedInstance().AllowedCommandlines() })
+            {
+                for (const auto& approved : allowedCommandlines)
+                {
+                    if (approved == cmdline)
+                    {
+                        return false;
+                    }
+                }
+            }
+            return true;
+        }
+
+        return false;
+    }
+
+    void TerminalPage::_adminWarningPrimaryClicked(const TerminalApp::AdminWarningPlaceholder& sender,
+                                                   const winrt::Windows::UI::Xaml::RoutedEventArgs& /*args*/)
+    {
+        auto warningControl{ winrt::get_self<AdminWarningPlaceholder>(sender) };
+        const auto& cmdline{ warningControl->Commandline() };
+        // Look through the tabs and panes to look for us. Whichever pane had us
+        // as content - replace their content with the TermControl we were
+        // holding on to.
+        for (const auto& tab : _tabs)
+        {
+            if (const auto& tabImpl{ _GetTerminalTabImpl(tab) })
+            {
+                tabImpl->GetRootPane()->WalkTree([warningControl, cmdline, tabImpl](std::shared_ptr<Pane> pane) -> bool {
+                    const auto& projectedWarningControl{ pane->GetUserControl().try_as<TerminalApp::AdminWarningPlaceholder>() };
+                    // If it was a warning control, then get our implementation
+                    // type out of it.
+                    if (const auto& otherWarning{ winrt::get_self<AdminWarningPlaceholder>(projectedWarningControl) })
+                    {
+                        // This pane had a warning in it.
+                        // Was it a warning for the same commandline that we
+                        // just approved?
+                        if (otherWarning->Commandline() == cmdline)
+                        {
+                            // Go ahead and allow them. Swap the control into
+                            // the pane, which will initialize and start it.
+                            tabImpl->ReplaceControl(pane, otherWarning->Control());
+                        }
+                        // Don't return true here. We want to make sure to check
+                        // all the panes for the same commandline we just
+                        // approved.
+                    }
+                    // return false so we make sure to iterate on every leaf.
+                    return false;
+                });
+            }
+        }
+
+        // Update the list of approved commandlines.
+        auto allowedCommandlines{ ApplicationState::SharedInstance().AllowedCommandlines() };
+        if (!allowedCommandlines)
+        {
+            allowedCommandlines = winrt::single_threaded_vector<winrt::hstring>();
+        }
+
+        // But of course, we don't need to add this commandline if it's already
+        // in the list of approved commandlines.
+        bool foundCopy = false;
+        for (const auto& approved : allowedCommandlines)
+        {
+            if (approved == cmdline)
+            {
+                foundCopy = true;
+                break;
+            }
+        }
+        if (!foundCopy)
+        {
+            allowedCommandlines.Append(cmdline);
+        }
+        ApplicationState::SharedInstance().AllowedCommandlines(allowedCommandlines);
+    }
+
+    void TerminalPage::_adminWarningCancelClicked(const TerminalApp::AdminWarningPlaceholder& sender,
+                                                  const winrt::Windows::UI::Xaml::RoutedEventArgs& /*args*/)
+    {
+        auto warningControl{ winrt::get_self<AdminWarningPlaceholder>(sender) };
+
+        for (const auto& tab : _tabs)
+        {
+            if (const auto& tabImpl{ _GetTerminalTabImpl(tab) })
+            {
+                tabImpl->GetRootPane()->WalkTree([warningControl](std::shared_ptr<Pane> pane) -> bool {
+                    if (pane->GetUserControl() == *warningControl)
+                    {
+                        pane->Close();
+                        return true;
+                    }
+                    // We're not going to auto-close all the other panes with
+                    // the same commandline warning, akin to what we're doing in
+                    // the approve handler. If they want to reject one pane, but
+                    // accept the next one, that's okay.
+                    return false;
+                });
+            }
+        }
+    }
+
+    // Method Description:
+    // - If the requested settings want us to elevate this new terminal
+    //   instance, and we're not currently elevated, then open the new terminal
+    //   as an elevated instance (using _OpenElevatedWT). Does nothing if we're
+    //   already elevated, or if the control settings don't want to be elevated.
+    // Arguments:
+    // - newTerminalArgs: The NewTerminalArgs for this terminal instance
+    // - controlSettings: The constructed TerminalSettingsCreateResult for this Terminal instance
+    // - profile: The Profile we're using to launch this Terminal instance
+    // Return Value:
+    // - true iff we tossed this request to an elevated window. Callers can use
+    //   this result to early-return if needed.
+    bool TerminalPage::_maybeElevate(const NewTerminalArgs& newTerminalArgs,
+                                     const TerminalSettingsCreateResult& controlSettings,
+                                     const Profile& profile)
+    {
+        // Try to handle auto-elevation
+        const bool requestedElevation = controlSettings.DefaultSettings().Elevate();
+        const bool currentlyElevated = IsElevated();
+
+        // We aren't elevated, but we want to be.
+        if (requestedElevation && !currentlyElevated)
+        {
+            // Manually set the Profile of the NewTerminalArgs to the guid we've
+            // resolved to. If there was a profile in the NewTerminalArgs, this
+            // will be that profile's GUID. If there wasn't, then we'll use
+            // whatever the default profile's GUID is.
+
+            newTerminalArgs.Profile(::Microsoft::Console::Utils::GuidToString(profile.Guid()));
+            _OpenElevatedWT(newTerminalArgs);
+            return true;
+        }
+        return false;
+    }
+
     // Method Description:
     // - Split the focused pane either horizontally or vertically, and place the
     //   given pane accordingly in the tree
@@ -1499,13 +1828,6 @@ namespace winrt::TerminalApp::implementation
                                   std::shared_ptr<Pane> newPane)
     {
         const auto focusedTab{ _GetFocusedTabImpl() };
-
-        // Do nothing if no TerminalTab is focused
-        if (!focusedTab)
-        {
-            return;
-        }
-
         _SplitPane(*focusedTab, splitDirection, splitSize, newPane);
     }
 
@@ -1523,6 +1845,14 @@ namespace winrt::TerminalApp::implementation
                                   const float splitSize,
                                   std::shared_ptr<Pane> newPane)
     {
+        // If the caller is calling us with the return value of _MakePane
+        // directly, it's possible that nullptr was returned, if the connections
+        // was supposed to be launched in an elevated window. In that case, do
+        // nothing here. We don't have a pane with which to create the split.
+        if (!newPane)
+        {
+            return;
+        }
         const float contentWidth = ::base::saturated_cast<float>(_tabContent.ActualWidth());
         const float contentHeight = ::base::saturated_cast<float>(_tabContent.ActualHeight());
         const winrt::Windows::Foundation::Size availableSpace{ contentWidth, contentHeight };
@@ -2148,7 +2478,13 @@ namespace winrt::TerminalApp::implementation
     //   a duplicate of the currently focused pane
     // - existingConnection: optionally receives a connection from the outside
     //   world instead of attempting to create one
-    std::shared_ptr<Pane> TerminalPage::_MakePane(const NewTerminalArgs& newTerminalArgs, const bool duplicate, TerminalConnection::ITerminalConnection existingConnection)
+    // Return Value:
+    // - If the newTerminalArgs required us to open the pane as a new elevated
+    //   connection, then we'll return nullptr. Otherwise, we'll return a new
+    //   Pane for this connection.
+    std::shared_ptr<Pane> TerminalPage::_MakePane(const NewTerminalArgs& newTerminalArgs,
+                                                  const bool duplicate,
+                                                  TerminalConnection::ITerminalConnection existingConnection)
     {
         TerminalSettingsCreateResult controlSettings{ nullptr };
         Profile profile{ nullptr };
@@ -2179,6 +2515,12 @@ namespace winrt::TerminalApp::implementation
             controlSettings = TerminalSettings::CreateWithNewTerminalArgs(_settings, newTerminalArgs, *_bindings);
         }
 
+        // Try to handle auto-elevation
+        if (_maybeElevate(newTerminalArgs, controlSettings, profile))
+        {
+            return nullptr;
+        }
+
         auto connection = existingConnection ? existingConnection : _CreateConnectionFromSettings(profile, controlSettings.DefaultSettings());
         if (existingConnection)
         {
@@ -2202,7 +2544,21 @@ namespace winrt::TerminalApp::implementation
         const auto control = _InitControl(controlSettings, connection);
         _RegisterTerminalEvents(control);
 
-        auto resultPane = std::make_shared<Pane>(profile, control);
+        WUX::Controls::UserControl controlToAdd{ control };
+
+        // Check if we should warn the user about running a new unelevated
+        // commandline.
+        const auto& cmdline{ controlSettings.DefaultSettings().Commandline() };
+        const auto doAdminWarning{ _shouldPromptForCommandline(cmdline) };
+        if (doAdminWarning)
+        {
+            auto warningControl{ winrt::make_self<implementation::AdminWarningPlaceholder>(control, cmdline) };
+            warningControl->PrimaryButtonClicked({ get_weak(), &TerminalPage::_adminWarningPrimaryClicked });
+            warningControl->CancelButtonClicked({ get_weak(), &TerminalPage::_adminWarningCancelClicked });
+            controlToAdd = *warningControl;
+        }
+
+        auto resultPane = std::make_shared<Pane>(profile, controlToAdd);
 
         if (debugConnection) // this will only be set if global debugging is on and tap is active
         {
@@ -2223,6 +2579,17 @@ namespace winrt::TerminalApp::implementation
             original->SetActive();
         }
 
+        if (doAdminWarning)
+        {
+            // We know this is safe - we literally just added the
+            // AdminWarningPlaceholder as the controlToAdd like 20 lines up.
+            //
+            // Focus the warning here. The LayoutUpdated within the dialog
+            // itself isn't good enough. That, for some reason, fires _before_
+            // the dialog is in the UI tree, which is useless for us.
+            controlToAdd.try_as<implementation::AdminWarningPlaceholder>()->FocusOnLaunch();
+        }
+
         return resultPane;
     }
 
@@ -3337,6 +3704,63 @@ namespace winrt::TerminalApp::implementation
         return profile;
     }
 
+    // Function Description:
+    // - Helper to launch a new WT instance elevated. It'll do this by spawning
+    //   a helper process, who will asking the shell to elevate the process for
+    //   us. This might cause a UAC prompt. The elevation is performed on a
+    //   background thread, as to not block the UI thread.
+    // Arguments:
+    // - newTerminalArgs: A NewTerminalArgs describing the terminal instance
+    //   that should be spawned. The Profile should be filled in with the GUID
+    //   of the profile we want to launch.
+    // Return Value:
+    // - <none>
+    // Important: Don't take the param by reference, since we'll be doing work
+    // on another thread.
+    void TerminalPage::_OpenElevatedWT(NewTerminalArgs newTerminalArgs)
+    {
+        // BODGY
+        //
+        // We're going to construct the commandline we want, then toss it to a
+        // helper process called `elevate-shim.exe` that happens to live next to
+        // us. elevate-shim.exe will be the one to call ShellExecute with the
+        // args that we want (to elevate the given profile).
+        //
+        // We can't be the one to call ShellExecute ourselves. ShellExecute
+        // requires that the calling process stays alive until the child is
+        // spawned. However, in the case of something like `wt -p
+        // AlwaysElevateMe`, then the original WT will try to ShellExecute a new
+        // wt.exe (elevated) and immediately exit, preventing ShellExecute from
+        // successfully spawning the elevated WT.
+
+        std::filesystem::path exePath = wil::GetModuleFileNameW<std::wstring>(nullptr);
+        exePath.replace_filename(L"elevate-shim.exe");
+
+        // Build the commandline to pass to wt for this set of NewTerminalArgs
+        std::wstring cmdline{
+            fmt::format(L"new-tab {}", newTerminalArgs.ToCommandline().c_str())
+        };
+
+        wil::unique_process_information pi;
+        STARTUPINFOW si{};
+        si.cb = sizeof(si);
+
+        LOG_IF_WIN32_BOOL_FALSE(CreateProcessW(exePath.c_str(),
+                                               cmdline.data(),
+                                               nullptr,
+                                               nullptr,
+                                               FALSE,
+                                               0,
+                                               nullptr,
+                                               nullptr,
+                                               &si,
+                                               &pi));
+
+        // TODO: GH#8592 - It may be useful to pop a Toast here in the original
+        // Terminal window informing the user that the tab was opened in a new
+        // window.
+    }
+
     // Method Description:
     // - Handles the change of connection state.
     // If the connection state is failure show information bar suggesting to configure termination behavior
@@ -3472,4 +3896,5 @@ namespace winrt::TerminalApp::implementation
 
         applicationState.DismissedMessages(std::move(messages));
     }
+
 }

src/cascadia/TerminalApp/TerminalPage.h

@@ -207,6 +207,7 @@ namespace winrt::TerminalApp::implementation
         winrt::Windows::Foundation::IAsyncOperation<winrt::Windows::UI::Xaml::Controls::ContentDialogResult> _ShowCloseReadOnlyDialog();
         winrt::Windows::Foundation::IAsyncOperation<winrt::Windows::UI::Xaml::Controls::ContentDialogResult> _ShowMultiLinePasteWarningDialog();
         winrt::Windows::Foundation::IAsyncOperation<winrt::Windows::UI::Xaml::Controls::ContentDialogResult> _ShowLargePasteWarningDialog();
+        winrt::Windows::Foundation::IAsyncOperation<winrt::Windows::UI::Xaml::Controls::ContentDialogResult> _ShowCommandlineApproveWarning();
 
         void _CreateNewTabFlyout();
         void _OpenNewTabDropdown();
@@ -403,6 +404,17 @@ namespace winrt::TerminalApp::implementation
 
         winrt::Microsoft::Terminal::Settings::Model::Profile GetClosestProfileForDuplicationOfProfile(const winrt::Microsoft::Terminal::Settings::Model::Profile& profile) const noexcept;
 
+        bool _maybeElevate(const winrt::Microsoft::Terminal::Settings::Model::NewTerminalArgs& newTerminalArgs,
+                           const winrt::Microsoft::Terminal::Settings::Model::TerminalSettingsCreateResult& controlSettings,
+                           const winrt::Microsoft::Terminal::Settings::Model::Profile& profile);
+        void _OpenElevatedWT(winrt::Microsoft::Terminal::Settings::Model::NewTerminalArgs newTerminalArgs);
+
+        bool _shouldPromptForCommandline(const winrt::hstring& cmdline) const;
+        void _adminWarningPrimaryClicked(const winrt::TerminalApp::AdminWarningPlaceholder& sender,
+                                         const winrt::Windows::UI::Xaml::RoutedEventArgs& args);
+        void _adminWarningCancelClicked(const winrt::TerminalApp::AdminWarningPlaceholder& sender,
+                                        const winrt::Windows::UI::Xaml::RoutedEventArgs& args);
+
         winrt::fire_and_forget _ConnectionStateChangedHandler(const winrt::Windows::Foundation::IInspectable& sender, const winrt::Windows::Foundation::IInspectable& args) const;
         void _CloseOnExitInfoDismissHandler(const winrt::Windows::Foundation::IInspectable& sender, const winrt::Windows::Foundation::IInspectable& args) const;
         void _KeyboardServiceWarningInfoDismissHandler(const winrt::Windows::Foundation::IInspectable& sender, const winrt::Windows::Foundation::IInspectable& args) const;

src/cascadia/TerminalApp/TerminalTab.cpp

@@ -426,7 +426,10 @@ namespace winrt::TerminalApp::implementation
     winrt::fire_and_forget TerminalTab::Scroll(const int delta)
     {
         auto control = GetActiveTerminalControl();
-
+        if (!control)
+        {
+            co_return;
+        }
         co_await winrt::resume_foreground(control.Dispatcher());
 
         const auto currentOffset = control.ScrollOffset();
@@ -511,7 +514,11 @@ namespace winrt::TerminalApp::implementation
             if (p->_IsLeaf())
             {
                 p->Id(_nextPaneId);
-                _AttachEventHandlersToControl(p->Id().value(), p->_control);
+                if (auto termControl{ p->_control.try_as<TermControl>() })
+                {
+                    _AttachEventHandlersToControl(p->Id().value(), termControl);
+                }
+
                 _nextPaneId++;
             }
             return false;
@@ -856,6 +863,10 @@ namespace winrt::TerminalApp::implementation
     // - <none>
     void TerminalTab::_AttachEventHandlersToControl(const uint32_t paneId, const TermControl& control)
     {
+        if (!control)
+        {
+            return;
+        }
         auto weakThis{ get_weak() };
         auto dispatcher = TabViewItem().Dispatcher();
         ControlEventTokens events{};
@@ -1744,6 +1755,19 @@ namespace winrt::TerminalApp::implementation
         return Title();
     }
 
+    void TerminalTab::ReplaceControl(std::shared_ptr<Pane> pane, const Controls::UserControl& control)
+    {
+        pane->ReplaceControl(control);
+
+        if (auto termControl{ pane->_control.try_as<TermControl>() })
+        {
+            _AttachEventHandlersToControl(pane->Id().value(), termControl);
+        }
+
+        // Update the title manually.
+        UpdateTitle();
+    }
+
     DEFINE_EVENT(TerminalTab, ActivePaneChanged, _ActivePaneChangedHandlers, winrt::delegate<>);
     DEFINE_EVENT(TerminalTab, ColorSelected, _colorSelected, winrt::delegate<winrt::Windows::UI::Color>);
     DEFINE_EVENT(TerminalTab, ColorCleared, _colorCleared, winrt::delegate<>);

src/cascadia/TerminalApp/TerminalTab.h

@@ -93,6 +93,9 @@ namespace winrt::TerminalApp::implementation
 
         std::shared_ptr<Pane> GetRootPane() const { return _rootPane; }
 
+        void ReplaceControl(std::shared_ptr<Pane> pane,
+                            const winrt::Windows::UI::Xaml::Controls::UserControl& control);
+
         winrt::TerminalApp::TerminalTabStatus TabStatus()
         {
             return _tabStatus;

src/cascadia/TerminalControl/TermControl.cpp

@@ -2648,4 +2648,9 @@ namespace winrt::Microsoft::Terminal::Control::implementation
     {
         return _core.ReadEntireBuffer();
     }
+
+    Media::Brush TermControl::BackgroundBrush()
+    {
+        return RootGrid().Background();
+    }
 }

src/cascadia/TerminalControl/TermControl.h

@@ -111,6 +111,8 @@ namespace winrt::Microsoft::Terminal::Control::implementation
 
         hstring ReadEntireBuffer() const;
 
+        Windows::UI::Xaml::Media::Brush BackgroundBrush();
+
         // -------------------------------- WinRT Events ---------------------------------
         // clang-format off
         WINRT_CALLBACK(FontSizeChanged, Control::FontSizeChangedEventArgs);

src/cascadia/TerminalControl/TermControl.idl

@@ -71,5 +71,7 @@ namespace Microsoft.Terminal.Control
         void ToggleReadOnly();
 
         String ReadEntireBuffer();
+
+        Windows.UI.Xaml.Media.Brush BackgroundBrush { get; };
     }
 }

src/cascadia/TerminalSettingsModel/ActionArgs.h

@@ -110,6 +110,7 @@ namespace winrt::Microsoft::Terminal::Settings::Model::implementation
         ACTION_ARG(winrt::hstring, Profile, L"");
         ACTION_ARG(Windows::Foundation::IReference<bool>, SuppressApplicationTitle, nullptr);
         ACTION_ARG(winrt::hstring, ColorScheme);
+        ACTION_ARG(Windows::Foundation::IReference<bool>, Elevate, nullptr);
 
         static constexpr std::string_view CommandlineKey{ "commandline" };
         static constexpr std::string_view StartingDirectoryKey{ "startingDirectory" };
@@ -119,6 +120,7 @@ namespace winrt::Microsoft::Terminal::Settings::Model::implementation
         static constexpr std::string_view ProfileKey{ "profile" };
         static constexpr std::string_view SuppressApplicationTitleKey{ "suppressApplicationTitle" };
         static constexpr std::string_view ColorSchemeKey{ "colorScheme" };
+        static constexpr std::string_view ElevateKey{ "elevate" };
 
     public:
         hstring GenerateName() const;
@@ -136,6 +138,7 @@ namespace winrt::Microsoft::Terminal::Settings::Model::implementation
                        otherAsUs->_ProfileIndex == _ProfileIndex &&
                        otherAsUs->_Profile == _Profile &&
                        otherAsUs->_SuppressApplicationTitle == _SuppressApplicationTitle &&
+                       otherAsUs->_Elevate == _Elevate &&
                        otherAsUs->_ColorScheme == _ColorScheme;
             }
             return false;
@@ -152,6 +155,7 @@ namespace winrt::Microsoft::Terminal::Settings::Model::implementation
             JsonUtils::GetValueForKey(json, TabColorKey, args->_TabColor);
             JsonUtils::GetValueForKey(json, SuppressApplicationTitleKey, args->_SuppressApplicationTitle);
             JsonUtils::GetValueForKey(json, ColorSchemeKey, args->_ColorScheme);
+            JsonUtils::GetValueForKey(json, ElevateKey, args->_Elevate);
             return *args;
         }
         static Json::Value ToJson(const Model::NewTerminalArgs& val)
@@ -170,6 +174,7 @@ namespace winrt::Microsoft::Terminal::Settings::Model::implementation
             JsonUtils::SetValueForKey(json, TabColorKey, args->_TabColor);
             JsonUtils::SetValueForKey(json, SuppressApplicationTitleKey, args->_SuppressApplicationTitle);
             JsonUtils::SetValueForKey(json, ColorSchemeKey, args->_ColorScheme);
+            JsonUtils::SetValueForKey(json, ElevateKey, args->_Elevate);
             return json;
         }
         Model::NewTerminalArgs Copy() const
@@ -183,11 +188,20 @@ namespace winrt::Microsoft::Terminal::Settings::Model::implementation
             copy->_Profile = _Profile;
             copy->_SuppressApplicationTitle = _SuppressApplicationTitle;
             copy->_ColorScheme = _ColorScheme;
+            copy->_Elevate = _Elevate;
             return *copy;
         }
         size_t Hash() const
         {
-            return ::Microsoft::Terminal::Settings::Model::HashUtils::HashProperty(Commandline(), StartingDirectory(), TabTitle(), TabColor(), ProfileIndex(), Profile(), SuppressApplicationTitle(), ColorScheme());
+            return ::Microsoft::Terminal::Settings::Model::HashUtils::HashProperty(Commandline(),
+                                                                                   StartingDirectory(),
+                                                                                   TabTitle(),
+                                                                                   TabColor(),
+                                                                                   ProfileIndex(),
+                                                                                   Profile(),
+                                                                                   SuppressApplicationTitle(),
+                                                                                   ColorScheme(),
+                                                                                   Elevate());
         }
     };
 

src/cascadia/TerminalSettingsModel/ActionArgs.idl

@@ -117,13 +117,20 @@ namespace Microsoft.Terminal.Settings.Model
         String TabTitle;
         Windows.Foundation.IReference<Windows.UI.Color> TabColor;
         String Profile; // Either a GUID or a profile's name if the GUID isn't a match
+
+        // We use IReference<> to treat some args as nullable where null means
+        // "use the inherited value". See ProfileIndex,
+        // SuppressApplicationTitle, Elevate. Strings that behave this way just
+        // use `null` as "use the inherited value".
+
         // ProfileIndex can be null (for "use the default"), so this needs to be
         // a IReference, so it's nullable
         Windows.Foundation.IReference<Int32> ProfileIndex { get; };
-
         Windows.Foundation.IReference<Boolean> SuppressApplicationTitle;
-
         String ColorScheme;
+        // This needs to be an optional so that the default value (null) does
+        // not modify whatever the profile's value is (either true or false)
+        Windows.Foundation.IReference<Boolean> Elevate { get; };
 
         Boolean Equals(NewTerminalArgs other);
         String GenerateName();

src/cascadia/TerminalSettingsModel/ApplicationState.cpp

@@ -9,8 +9,11 @@
 #include "ActionAndArgs.h"
 #include "JsonUtils.h"
 #include "FileUtils.h"
+#include "../../types/inc/utils.hpp"
 
 static constexpr std::wstring_view stateFileName{ L"state.json" };
+static constexpr std::wstring_view elevatedStateFileName{ L"elevated-state.json" };
+
 static constexpr std::string_view TabLayoutKey{ "tabLayout" };
 static constexpr std::string_view InitialPositionKey{ "initialPosition" };
 static constexpr std::string_view InitialSizeKey{ "initialSize" };
@@ -85,15 +88,9 @@ namespace winrt::Microsoft::Terminal::Settings::Model::implementation
         return trait.FromJson(root);
     }
 
-    // Returns the application-global ApplicationState object.
-    Microsoft::Terminal::Settings::Model::ApplicationState ApplicationState::SharedInstance()
-    {
-        static auto state = winrt::make_self<ApplicationState>(GetBaseSettingsPath() / stateFileName);
-        return *state;
-    }
-
-    ApplicationState::ApplicationState(std::filesystem::path path) noexcept :
-        _path{ std::move(path) },
+    ApplicationState::ApplicationState(const std::filesystem::path& stateRoot) noexcept :
+        _sharedPath{ stateRoot / stateFileName },
+        _elevatedPath{ stateRoot / elevatedStateFileName },
         _throttler{ std::chrono::seconds(1), [this]() { _write(); } }
     {
         _read();
@@ -102,9 +99,21 @@ namespace winrt::Microsoft::Terminal::Settings::Model::implementation
     // The destructor ensures that the last write is flushed to disk before returning.
     ApplicationState::~ApplicationState()
     {
+        TraceLoggingWrite(g_hSettingsModelProvider,
+                          "ApplicationState_Dtor_Start",
+                          TraceLoggingDescription("Event at the start of the ApplicationState destructor"),
+                          TraceLoggingLevel(WINEVENT_LEVEL_VERBOSE),
+                          TraceLoggingKeyword(TIL_KEYWORD_TRACE));
+
         // This will ensure that we not just cancel the last outstanding timer,
         // but instead force it to run as soon as possible and wait for it to complete.
         _throttler.flush();
+
+        TraceLoggingWrite(g_hSettingsModelProvider,
+                          "ApplicationState_Dtor_End",
+                          TraceLoggingDescription("Event at the end of the ApplicationState destructor"),
+                          TraceLoggingLevel(WINEVENT_LEVEL_VERBOSE),
+                          TraceLoggingKeyword(TIL_KEYWORD_TRACE));
     }
 
     // Re-read the state.json from disk.
@@ -113,34 +122,13 @@ namespace winrt::Microsoft::Terminal::Settings::Model::implementation
         _read();
     }
 
-    // Returns the state.json path on the disk.
-    winrt::hstring ApplicationState::FilePath() const noexcept
+    bool ApplicationState::IsStatePath(const winrt::hstring& filename)
     {
-        return winrt::hstring{ _path.wstring() };
+        static const auto sharedPath{ _sharedPath.filename() };
+        static const auto elevatedPath{ _elevatedPath.filename() };
+        return filename == sharedPath || filename == elevatedPath;
     }
 
-    // Generate all getter/setters
-#define MTSM_APPLICATION_STATE_GEN(type, name, key, ...)    \
-    type ApplicationState::name() const noexcept            \
-    {                                                       \
-        const auto state = _state.lock_shared();            \
-        const auto& value = state->name;                    \
-        return value ? *value : type{ __VA_ARGS__ };        \
-    }                                                       \
-                                                            \
-    void ApplicationState::name(const type& value) noexcept \
-    {                                                       \
-        {                                                   \
-            auto state = _state.lock();                     \
-            state->name.emplace(value);                     \
-            state->name##Changed = true;                    \
-        }                                                   \
-                                                            \
-        _throttler();                                       \
-    }
-    MTSM_APPLICATION_STATE_FIELDS(MTSM_APPLICATION_STATE_GEN)
-#undef MTSM_APPLICATION_STATE_GEN
-
     // Method Description:
     // - See GH#11119. Removes all of the data in this ApplicationState object
     //   and resets it to the defaults. This will delete the state file! That's
@@ -156,57 +144,58 @@ namespace winrt::Microsoft::Terminal::Settings::Model::implementation
     void ApplicationState::Reset() noexcept
     try
     {
-        LOG_LAST_ERROR_IF(!DeleteFile(_path.c_str()));
+        LOG_LAST_ERROR_IF(!DeleteFile(_sharedPath.c_str()));
+        LOG_LAST_ERROR_IF(!DeleteFile(_elevatedPath.c_str()));
         *_state.lock() = {};
     }
     CATCH_LOG()
 
-    Json::Value ApplicationState::_getRoot(const locked_hfile& file) const noexcept
-    {
-        Json::Value root;
-        try
-        {
-            const auto data = ReadUTF8FileLocked(file);
-            if (data.empty())
-            {
-                return root;
-            }
-
-            std::string errs;
-            std::unique_ptr<Json::CharReader> reader{ Json::CharReaderBuilder::CharReaderBuilder().newCharReader() };
-
-            if (!reader->parse(data.data(), data.data() + data.size(), &root, &errs))
-            {
-                throw winrt::hresult_error(WEB_E_INVALID_JSON_STRING, winrt::to_hstring(errs));
-            }
-        }
-        CATCH_LOG()
-
-        return root;
-    }
-
-    // Deserializes the state.json at _path into this ApplicationState.
+    // Deserializes the state.json and user-state (or elevated-state if
+    // elevated) into this ApplicationState.
     // * ANY errors during app state will result in the creation of a new empty state.
     // * ANY errors during runtime will result in changes being partially ignored.
     void ApplicationState::_read() const noexcept
     try
     {
-        auto state = _state.lock();
-        const auto file = OpenFileReadSharedLocked(_path);
+        std::string errs;
+        std::unique_ptr<Json::CharReader> reader{ Json::CharReaderBuilder::CharReaderBuilder().newCharReader() };
 
-        auto root = _getRoot(file);
-        // GetValueForKey() comes in two variants:
-        // * take a std::optional<T> reference
-        // * return std::optional<T> by value
-        // At the time of writing the former version skips missing fields in the json,
-        // but we want to explicitly clear state fields that were removed from state.json.
-#define MTSM_APPLICATION_STATE_GEN(type, name, key, ...)                         \
-    if (!state->name##Changed)                                                   \
-    {                                                                            \
-        state->name = JsonUtils::GetValueForKey<std::optional<type>>(root, key); \
-    }
-        MTSM_APPLICATION_STATE_FIELDS(MTSM_APPLICATION_STATE_GEN)
-#undef MTSM_APPLICATION_STATE_GEN
+        // First get shared state out of `state.json`.
+        const auto sharedData = _readSharedContents().value_or(std::string{});
+        if (!sharedData.empty())
+        {
+            Json::Value root;
+            if (!reader->parse(sharedData.data(), sharedData.data() + sharedData.size(), &root, &errs))
+            {
+                throw winrt::hresult_error(WEB_E_INVALID_JSON_STRING, winrt::to_hstring(errs));
+            }
+
+            // - If we're elevated, we want to only load the Shared properties
+            //   from state.json. We'll then load the Local props from
+            //   `elevated-state.json`
+            // - If we're unelevated, then load _everything_ from state.json.
+            if (::Microsoft::Console::Utils::IsElevated())
+            {
+                // Only load shared properties if we're elevated
+                FromJson(root, FileSource::Shared);
+
+                // Then, try and get anything in elevated-state
+                if (const auto localData{ _readLocalContents().value_or(std::string{}) }; !localData.empty())
+                {
+                    Json::Value root;
+                    if (!reader->parse(localData.data(), localData.data() + localData.size(), &root, &errs))
+                    {
+                        throw winrt::hresult_error(WEB_E_INVALID_JSON_STRING, winrt::to_hstring(errs));
+                    }
+                    FromJson(root, FileSource::Local);
+                }
+            }
+            else
+            {
+                // If we're unelevated, then load everything.
+                FromJson(root, FileSource::Shared | FileSource::Local);
+            }
+        }
     }
     CATCH_LOG()
 
@@ -214,29 +203,191 @@ namespace winrt::Microsoft::Terminal::Settings::Model::implementation
     // * Errors are only logged.
     // * _state->_writeScheduled is set to false, signaling our
     //   setters that _synchronize() needs to be called again.
-    void ApplicationState::_write() noexcept
+    void ApplicationState::_write() const noexcept
     try
     {
-        // re-read the state so that we can only update the properties that were changed.
-        Json::Value root{};
+        Json::StreamWriterBuilder wbuilder;
+
+        // When we're elevated, we've got to be tricky. We don't want to write
+        // our window state, allowed commandlines, and other Local properties
+        // into the shared `state.json`. But, if we only serialize the Shared
+        // properties to a json blob, then we'll omit windowState entirely,
+        // _removing_ the window state of the unelevated instance. Oh no!
+        //
+        // So, to be tricky, we'll first _load_ the shared state to a json blob.
+        // We'll then serialize our view of the shared properties on top of that
+        // blob. Then we'll write that blob back to the file. This will
+        // round-trip the Local properties for the unelevated instances
+        // untouched in state.json
+        //
+        // After that's done, we'll write our Local properties into
+        // elevated-state.json.
+        if (::Microsoft::Console::Utils::IsElevated())
         {
-            auto state = _state.lock();
-            const auto file = OpenFileRWExclusiveLocked(_path);
-            root = _getRoot(file);
+            std::string errs;
+            std::unique_ptr<Json::CharReader> reader{ Json::CharReaderBuilder::CharReaderBuilder().newCharReader() };
+            Json::Value root;
 
-#define MTSM_APPLICATION_STATE_GEN(type, name, key, ...)   \
-    if (state->name##Changed)                              \
-    {                                                      \
-        JsonUtils::SetValueForKey(root, key, state->name); \
-        state->name##Changed = false;                      \
-    }
-            MTSM_APPLICATION_STATE_FIELDS(MTSM_APPLICATION_STATE_GEN)
-#undef MTSM_APPLICATION_STATE_GEN
+            // First load the contents of state.json into a json blob. This will
+            // contain the Shared properties and the unelevated instance's Local
+            // properties.
+            const auto sharedData = _readSharedContents().value_or(std::string{});
+            if (!sharedData.empty())
+            {
+                if (!reader->parse(sharedData.data(), sharedData.data() + sharedData.size(), &root, &errs))
+                {
+                    throw winrt::hresult_error(WEB_E_INVALID_JSON_STRING, winrt::to_hstring(errs));
+                }
+            }
+            // Layer our shared properties on top of the blob from state.json,
+            // and write it back out.
+            _writeSharedContents(Json::writeString(wbuilder, _toJsonWithBlob(root, FileSource::Shared)));
 
-            Json::StreamWriterBuilder wbuilder;
-            const auto content = Json::writeString(wbuilder, root);
-            WriteUTF8FileLocked(file, content);
+            // Finally, write our Local properties back to elevated-state.json
+            _writeLocalContents(Json::writeString(wbuilder, ToJson(FileSource::Local)));
+        }
+        else
+        {
+            // We're unelevated, this is easy. Just write everything back out.
+            _writeLocalContents(Json::writeString(wbuilder, ToJson(FileSource::Local | FileSource::Shared)));
         }
     }
     CATCH_LOG()
+
+    // Returns the application-global ApplicationState object.
+    Microsoft::Terminal::Settings::Model::ApplicationState ApplicationState::SharedInstance()
+    {
+        std::filesystem::path root{ GetBaseSettingsPath() };
+        static auto state = winrt::make_self<ApplicationState>(root);
+        return *state;
+    }
+
+    // Method Description:
+    // - Loads data from the given json blob. Will only read the data that's in
+    //   the specified parseSource - so if we're reading the Local state file,
+    //   we won't destroy previously parsed Shared data.
+    // - READ: there's no layering for app state.
+    void ApplicationState::FromJson(const Json::Value& root, FileSource parseSource) const noexcept
+    {
+        auto state = _state.lock();
+        // GetValueForKey() comes in two variants:
+        // * take a std::optional<T> reference
+        // * return std::optional<T> by value
+        // At the time of writing the former version skips missing fields in the json,
+        // but we want to explicitly clear state fields that were removed from state.json.
+        //
+        // GH#11222: We only load properties that are of the same type (Local or
+        // Shared) which we requested. If we didn't want to load this type of
+        // property, just skip it.
+#define MTSM_APPLICATION_STATE_GEN(source, type, name, key, ...) \
+    if (WI_IsFlagSet(parseSource, source))                       \
+        state->name = JsonUtils::GetValueForKey<std::optional<type>>(root, key);
+
+        MTSM_APPLICATION_STATE_FIELDS(MTSM_APPLICATION_STATE_GEN)
+#undef MTSM_APPLICATION_STATE_GEN
+    }
+
+    Json::Value ApplicationState::ToJson(FileSource parseSource) const noexcept
+    {
+        Json::Value root{ Json::objectValue };
+        return _toJsonWithBlob(root, parseSource);
+    }
+
+    Json::Value ApplicationState::_toJsonWithBlob(Json::Value& root, FileSource parseSource) const noexcept
+    {
+        {
+            auto state = _state.lock_shared();
+
+            // GH#11222: We only write properties that are of the same type (Local
+            // or Shared) which we requested. If we didn't want to serialize this
+            // type of property, just skip it.
+#define MTSM_APPLICATION_STATE_GEN(source, type, name, key, ...) \
+    if (WI_IsFlagSet(parseSource, source))                       \
+        JsonUtils::SetValueForKey(root, key, state->name);
+
+            MTSM_APPLICATION_STATE_FIELDS(MTSM_APPLICATION_STATE_GEN)
+#undef MTSM_APPLICATION_STATE_GEN
+        }
+        return root;
+    }
+
+    // Generate all getter/setters
+#define MTSM_APPLICATION_STATE_GEN(source, type, name, key, ...) \
+    type ApplicationState::name() const noexcept                 \
+    {                                                            \
+        const auto state = _state.lock_shared();                 \
+        const auto& value = state->name;                         \
+        return value ? *value : type{ __VA_ARGS__ };             \
+    }                                                            \
+                                                                 \
+    void ApplicationState::name(const type& value) noexcept      \
+    {                                                            \
+        {                                                        \
+            auto state = _state.lock();                          \
+            state->name.emplace(value);                          \
+        }                                                        \
+                                                                 \
+        _throttler();                                            \
+    }
+    MTSM_APPLICATION_STATE_FIELDS(MTSM_APPLICATION_STATE_GEN)
+#undef MTSM_APPLICATION_STATE_GEN
+
+    // Method Description:
+    // - Read the contents of our "shared" state - state that should be shared
+    //   for elevated and unelevated instances. This is things like the list of
+    //   generated profiles, the command palette commandlines.
+    std::optional<std::string> ApplicationState::_readSharedContents() const
+    {
+        return ReadUTF8FileIfExists(_sharedPath);
+    }
+
+    // Method Description:
+    // - Read the contents of our "local" state - state that should be kept in
+    //   separate files for elevated and unelevated instances. This is things
+    //   like the persisted window state, and the approved commandlines (though,
+    //   those don't matter when unelevated).
+    // - When elevated, this will DELETE `elevated-state.json` if it has bad
+    //   permissions, so we don't potentially read malicious data.
+    std::optional<std::string> ApplicationState::_readLocalContents() const
+    {
+        return ::Microsoft::Console::Utils::IsElevated() ?
+                   ReadUTF8FileIfExists(_elevatedPath, true) :
+                   ReadUTF8FileIfExists(_sharedPath, false);
+    }
+
+    // Method Description:
+    // - Write the contents of our "shared" state - state that should be shared
+    //   for elevated and unelevated instances. This will atomically write to
+    //   `state.json`
+    void ApplicationState::_writeSharedContents(const std::string_view content) const
+    {
+        WriteUTF8FileAtomic(_sharedPath, content);
+    }
+
+    // Method Description:
+    // - Write the contents of our "local" state - state that should be kept in
+    //   separate files for elevated and unelevated instances. When elevated,
+    //   this will write to `elevated-state.json`, and when unelevated, this
+    //   will atomically write to `user-state.json`
+    void ApplicationState::_writeLocalContents(const std::string_view content) const
+    {
+        if (::Microsoft::Console::Utils::IsElevated())
+        {
+            // DON'T use WriteUTF8FileAtomic, which will write to a temporary file
+            // then rename that file to the final filename. That actually lets us
+            // overwrite the elevate file's contents even when unelevated, because
+            // we're effectively deleting the original file, then renaming a
+            // different file in it's place.
+            //
+            // We're not worried about someone else doing that though, if they do
+            // that with the wrong permissions, then we'll just ignore the file and
+            // start over.
+            WriteUTF8File(_elevatedPath, content, true);
+        }
+        else
+        {
+            WriteUTF8FileAtomic(_sharedPath, content);
+        }
+    }
+
 }

src/cascadia/TerminalSettingsModel/ApplicationState.h

@@ -16,21 +16,30 @@ Abstract:
 #include "WindowLayout.g.h"
 
 #include <inc/cppwinrt_utils.h>
-#include <til/mutex.h>
-#include <til/throttled_func.h>
-#include "FileUtils.h"
 #include <JsonUtils.h>
 
+namespace winrt::Microsoft::Terminal::Settings::Model::implementation
+{
+    // If a property is Shared, then it'll be stored in `state.json`, and used
+    // in both elevated and unelevated instances of the Terminal. If a property
+    // is marked Local, then it will have separate values for elevated and
+    // unelevated instances.
+    enum FileSource : int
+    {
+        Shared = 0x1,
+        Local = 0x2
+    };
+    DEFINE_ENUM_FLAG_OPERATORS(FileSource);
+
 // This macro generates all getters and setters for ApplicationState.
 // It provides X with the following arguments:
-//   (type, function name, JSON key, ...variadic construction arguments)
-namespace winrt::Microsoft::Terminal::Settings::Model::implementation
-{
-#define MTSM_APPLICATION_STATE_FIELDS(X)                                                                                \
-    X(std::unordered_set<winrt::guid>, GeneratedProfiles, "generatedProfiles")                                          \
-    X(Windows::Foundation::Collections::IVector<Model::WindowLayout>, PersistedWindowLayouts, "persistedWindowLayouts") \
-    X(Windows::Foundation::Collections::IVector<hstring>, RecentCommands, "recentCommands")                             \
-    X(Windows::Foundation::Collections::IVector<winrt::Microsoft::Terminal::Settings::Model::InfoBarMessage>, DismissedMessages, "dismissedMessages")
+//   (source, type, function name, JSON key, ...variadic construction arguments)
+#define MTSM_APPLICATION_STATE_FIELDS(X)                                                                                                                                  \
+    X(FileSource::Shared, std::unordered_set<winrt::guid>, GeneratedProfiles, "generatedProfiles")                                                                        \
+    X(FileSource::Local, Windows::Foundation::Collections::IVector<Model::WindowLayout>, PersistedWindowLayouts, "persistedWindowLayouts")                                \
+    X(FileSource::Shared, Windows::Foundation::Collections::IVector<hstring>, RecentCommands, "recentCommands")                                                           \
+    X(FileSource::Shared, Windows::Foundation::Collections::IVector<winrt::Microsoft::Terminal::Settings::Model::InfoBarMessage>, DismissedMessages, "dismissedMessages") \
+    X(FileSource::Local, Windows::Foundation::Collections::IVector<hstring>, AllowedCommandlines, "allowedCommandlines")
 
     struct WindowLayout : WindowLayoutT<WindowLayout>
     {
@@ -44,23 +53,26 @@ namespace winrt::Microsoft::Terminal::Settings::Model::implementation
         friend ::Microsoft::Terminal::Settings::Model::JsonUtils::ConversionTrait<Model::WindowLayout>;
     };
 
-    struct ApplicationState : ApplicationStateT<ApplicationState>
+    struct ApplicationState : public ApplicationStateT<ApplicationState>
     {
         static Microsoft::Terminal::Settings::Model::ApplicationState SharedInstance();
 
-        ApplicationState(std::filesystem::path path) noexcept;
+        ApplicationState(const std::filesystem::path& stateRoot) noexcept;
         ~ApplicationState();
 
         // Methods
         void Reload() const noexcept;
         void Reset() noexcept;
 
+        void FromJson(const Json::Value& root, FileSource parseSource) const noexcept;
+        Json::Value ToJson(FileSource parseSource) const noexcept;
+
         // General getters/setters
-        winrt::hstring FilePath() const noexcept;
+        bool IsStatePath(const winrt::hstring& filename);
 
         // State getters/setters
-#define MTSM_APPLICATION_STATE_GEN(type, name, key, ...) \
-    type name() const noexcept;                          \
+#define MTSM_APPLICATION_STATE_GEN(source, type, name, key, ...) \
+    type name() const noexcept;                                  \
     void name(const type& value) noexcept;
         MTSM_APPLICATION_STATE_FIELDS(MTSM_APPLICATION_STATE_GEN)
 #undef MTSM_APPLICATION_STATE_GEN
@@ -68,21 +80,24 @@ namespace winrt::Microsoft::Terminal::Settings::Model::implementation
     private:
         struct state_t
         {
-#define MTSM_APPLICATION_STATE_GEN(type, name, key, ...) \
-    std::optional<type> name{ __VA_ARGS__ };             \
-    bool name##Changed = false;
-
+#define MTSM_APPLICATION_STATE_GEN(source, type, name, key, ...) std::optional<type> name{ __VA_ARGS__ };
             MTSM_APPLICATION_STATE_FIELDS(MTSM_APPLICATION_STATE_GEN)
 #undef MTSM_APPLICATION_STATE_GEN
         };
+        til::shared_mutex<state_t> _state;
+        std::filesystem::path _sharedPath;
+        std::filesystem::path _elevatedPath;
+        til::throttled_func_trailing<> _throttler;
 
-        Json::Value _getRoot(const winrt::Microsoft::Terminal::Settings::Model::locked_hfile& file) const noexcept;
-        void _write() noexcept;
+        void _write() const noexcept;
         void _read() const noexcept;
 
-        std::filesystem::path _path;
-        til::shared_mutex<state_t> _state;
-        til::throttled_func_trailing<> _throttler;
+        Json::Value _toJsonWithBlob(Json::Value& root, FileSource parseSource) const noexcept;
+
+        std::optional<std::string> _readSharedContents() const;
+        void _writeSharedContents(const std::string_view content) const;
+        std::optional<std::string> _readLocalContents() const;
+        void _writeLocalContents(const std::string_view content) const;
     };
 }
 

src/cascadia/TerminalSettingsModel/ApplicationState.idl

@@ -30,12 +30,15 @@ namespace Microsoft.Terminal.Settings.Model
         void Reload();
         void Reset();
 
-        String FilePath { get; };
+        Boolean IsStatePath(String filename);
 
         Windows.Foundation.Collections.IVector<WindowLayout> PersistedWindowLayouts { get; set; };
 
         Windows.Foundation.Collections.IVector<String> RecentCommands { get; set; };
 
         Windows.Foundation.Collections.IVector<InfoBarMessage> DismissedMessages { get; set; };
+
+        Windows.Foundation.Collections.IVector<String> AllowedCommandlines { get; set; };
+
     }
 }

src/cascadia/TerminalSettingsModel/FileUtils.cpp

@@ -8,6 +8,10 @@
 #include <shlobj.h>
 #include <WtExeUtils.h>
 
+#include <aclapi.h>
+#include <sddl.h>
+#include <wil/token_helpers.h>
+
 static constexpr std::string_view Utf8Bom{ u8"\uFEFF" };
 static constexpr std::wstring_view UnpackagedSettingsFolderName{ L"Microsoft\\Windows Terminal\\" };
 
@@ -39,86 +43,44 @@ namespace winrt::Microsoft::Terminal::Settings::Model
         return baseSettingsPath;
     }
 
-    locked_hfile OpenFileReadSharedLocked(const std::filesystem::path& path)
+    // Function Description:
+    // - Checks the permissions on this file, to make sure it can only be opened
+    //   for writing by admins. We will be checking to see if the file is owned
+    //   by the Builtin\Administrators group. If it's not, then it was likely
+    //   tampered with.
+    // Arguments:
+    // - handle: a HANDLE to the file to check
+    // Return Value:
+    // - true if it had the expected permissions. False otherwise.
+    static bool _isOwnedByAdministrators(const HANDLE& handle)
     {
-        wil::unique_hfile file{ CreateFileW(path.c_str(), GENERIC_READ, FILE_SHARE_READ | FILE_SHARE_WRITE, nullptr, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, nullptr) };
-        THROW_LAST_ERROR_IF(!file);
-        // just lock the entire file
-        OVERLAPPED sOverlapped;
-        sOverlapped.Offset = 0;
-        sOverlapped.OffsetHigh = 0;
-        // Shared lock
-        THROW_LAST_ERROR_IF(!LockFileEx(file.get(),
-                                        0, // lock shared, wait to return until lock is obtained
-                                        0, // reserved, does nothing
-                                        INT_MAX, // lock INT_MAX bytes
-                                        0, // higher-order bytes, if our state file is greater than 2GB I guess this will be a problem
-                                        &sOverlapped));
-        return { std::move(file), sOverlapped };
+        // If the file is owned by the administrators group, trust the
+        // administrators instead of checking the DACL permissions. It's simpler
+        // and more flexible.
+
+        wil::unique_hlocal_security_descriptor sd;
+        PSID psidOwner{ nullptr };
+        // The psidOwner pointer references the security descriptor, so it
+        // doesn't have to be freed separate from sd.
+        const auto status = GetSecurityInfo(handle,
+                                            SE_FILE_OBJECT,
+                                            OWNER_SECURITY_INFORMATION,
+                                            &psidOwner,
+                                            nullptr,
+                                            nullptr,
+                                            nullptr,
+                                            wil::out_param_ptr<PSECURITY_DESCRIPTOR*>(sd));
+        THROW_IF_WIN32_ERROR(status);
+
+        wil::unique_any_psid psidAdmins{ nullptr };
+        THROW_IF_WIN32_BOOL_FALSE(
+            ConvertStringSidToSidW(L"BA", wil::out_param_ptr<PSID*>(psidAdmins)));
+
+        return EqualSid(psidOwner, psidAdmins.get());
     }
-
-    locked_hfile OpenFileRWExclusiveLocked(const std::filesystem::path& path)
-    {
-        wil::unique_hfile file{ CreateFileW(path.c_str(), GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, nullptr, OPEN_ALWAYS, FILE_ATTRIBUTE_NORMAL, nullptr) };
-        THROW_LAST_ERROR_IF(!file);
-        // just lock the entire file
-        OVERLAPPED sOverlapped;
-        sOverlapped.Offset = 0;
-        sOverlapped.OffsetHigh = 0;
-        // Shared lock
-        THROW_LAST_ERROR_IF(!LockFileEx(file.get(),
-                                        LOCKFILE_EXCLUSIVE_LOCK, // lock exclusive, wait to return until lock is obtained
-                                        0, // reserved, does nothing
-                                        INT_MAX, // lock INT_MAX bytes
-                                        0, // higher-order bytes, if our state file is greater than 2GB I guess this will be a problem
-                                        &sOverlapped));
-        return { std::move(file), sOverlapped };
-    }
-
-    std::string ReadUTF8FileLocked(const locked_hfile& file)
-    {
-        const auto fileSize = GetFileSize(file.get(), nullptr);
-        THROW_LAST_ERROR_IF(fileSize == INVALID_FILE_SIZE);
-
-        // By making our buffer just slightly larger we can detect if
-        // the file size changed and we've failed to read the full file.
-        std::string buffer(static_cast<size_t>(fileSize) + 1, '\0');
-        DWORD bytesRead = 0;
-        THROW_IF_WIN32_BOOL_FALSE(ReadFile(file.get(), buffer.data(), gsl::narrow<DWORD>(buffer.size()), &bytesRead, nullptr));
-
-        // As mentioned before our buffer was allocated oversized.
-        buffer.resize(bytesRead);
-
-        if (til::starts_with(buffer, Utf8Bom))
-        {
-            // Yeah this memmove()s the entire content.
-            // But I don't really want to deal with UTF8 BOMs any more than necessary,
-            // as basically not a single editor writes a BOM for UTF8.
-            buffer.erase(0, Utf8Bom.size());
-        }
-
-        return buffer;
-    }
-
-    void WriteUTF8FileLocked(const locked_hfile& file, const std::string_view& content)
-    {
-        // truncate the file because we want to overwrite it
-        SetFilePointer(file.get(), 0, nullptr, FILE_BEGIN);
-        THROW_IF_WIN32_BOOL_FALSE(SetEndOfFile(file.get()));
-
-        const auto fileSize = gsl::narrow<DWORD>(content.size());
-        DWORD bytesWritten = 0;
-        THROW_IF_WIN32_BOOL_FALSE(WriteFile(file.get(), content.data(), fileSize, &bytesWritten, nullptr));
-
-        if (bytesWritten != fileSize)
-        {
-            THROW_WIN32_MSG(ERROR_WRITE_FAULT, "failed to write whole file");
-        }
-    }
-
     // Tries to read a file somewhat atomically without locking it.
     // Strips the UTF8 BOM if it exists.
-    std::string ReadUTF8File(const std::filesystem::path& path)
+    std::string ReadUTF8File(const std::filesystem::path& path, const bool elevatedOnly)
     {
         // From some casual observations we can determine that:
         // * ReadFile() always returns the requested amount of data (unless the file is smaller)
@@ -126,9 +88,40 @@ namespace winrt::Microsoft::Terminal::Settings::Model
         // -> Lets add a retry-loop just in case, to not fail if the file size changed while reading.
         for (int i = 0; i < 3; ++i)
         {
-            wil::unique_hfile file{ CreateFileW(path.c_str(), GENERIC_READ, FILE_SHARE_READ | FILE_SHARE_WRITE, nullptr, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, nullptr) };
+            wil::unique_hfile file{ CreateFileW(path.c_str(),
+                                                GENERIC_READ,
+                                                FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,
+                                                nullptr,
+                                                OPEN_EXISTING,
+                                                FILE_ATTRIBUTE_NORMAL,
+                                                nullptr) };
             THROW_LAST_ERROR_IF(!file);
 
+            // Open the file _first_, then check if it has the right
+            // permissions. This prevents a "Time-of-check to time-of-use"
+            // vulnerability where a malicious exe could delete the file and
+            // replace it between us checking the permissions, and reading the
+            // contents. We've got a handle to the file now, which means we're
+            // going to read the contents of that instance of the file
+            // regardless. If someone replaces the file on us before we get to
+            // the GetSecurityInfo call below, then only the subsequent call to
+            // ReadUTF8File will notice it.
+            if (elevatedOnly)
+            {
+                const bool hadExpectedPermissions{ _isOwnedByAdministrators(file.get()) };
+                if (!hadExpectedPermissions)
+                {
+                    // Close the handle
+                    file.reset();
+
+                    // delete the file. It's been compromised.
+                    LOG_LAST_ERROR_IF(!DeleteFile(path.c_str()));
+
+                    // Exit early, because obviously there's nothing to read from the deleted file.
+                    return "";
+                }
+            }
+
             const auto fileSize = GetFileSize(file.get(), nullptr);
             THROW_LAST_ERROR_IF(fileSize == INVALID_FILE_SIZE);
 
@@ -166,11 +159,11 @@ namespace winrt::Microsoft::Terminal::Settings::Model
     }
 
     // Same as ReadUTF8File, but returns an empty optional, if the file couldn't be opened.
-    std::optional<std::string> ReadUTF8FileIfExists(const std::filesystem::path& path)
+    std::optional<std::string> ReadUTF8FileIfExists(const std::filesystem::path& path, const bool elevatedOnly)
     {
         try
         {
-            return { ReadUTF8File(path) };
+            return { ReadUTF8File(path, elevatedOnly) };
         }
         catch (const wil::ResultException& exception)
         {
@@ -183,9 +176,70 @@ namespace winrt::Microsoft::Terminal::Settings::Model
         }
     }
 
-    void WriteUTF8File(const std::filesystem::path& path, const std::string_view& content)
+    void WriteUTF8File(const std::filesystem::path& path,
+                       const std::string_view& content,
+                       const bool elevatedOnly)
     {
-        wil::unique_hfile file{ CreateFileW(path.c_str(), GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, nullptr, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, nullptr) };
+        SECURITY_ATTRIBUTES sa;
+        // stash the security descriptor here, so it will stay in context until
+        // after the call to CreateFile. If it gets cleaned up before that, then
+        // CreateFile will fail
+        wil::unique_hlocal_security_descriptor sd;
+        if (elevatedOnly)
+        {
+            // Initialize the security descriptor so only admins can write the
+            // file. We'll initialize the SECURITY_DESCRIPTOR with a
+            // single entry (ACE) -- a mandatory label (i.e. a
+            // LABEL_SECURITY_INFORMATION) that sets the file integrity level to
+            // "high",  with a no-write-up policy.
+            //
+            // When accessed from a security context at a lower integrity level,
+            // the no-write-up policy filters out rights that aren't in the
+            // object type's generic read and execute set (for the file type,
+            // that's FILE_GENERIC_READ | FILE_GENERIC_EXECUTE).
+            //
+            // Another option we considered here was manually setting the ACLs
+            // on this file such that Builtin\Admins could read&write the file,
+            // and all users could only read.
+            //
+            // Big thanks to @eryksun in GH#11222 for helping with this. This
+            // alternative method was chosen because it's considerably simpler.
+
+            // The required security descriptor can be created easily from the
+            // SDDL string: "S:(ML;;NW;;;HI)"
+            // (i.e. SACL:mandatory label;;no write up;;;high integrity level)
+            unsigned long cb;
+            THROW_IF_WIN32_BOOL_FALSE(
+                ConvertStringSecurityDescriptorToSecurityDescriptor(L"S:(ML;;NW;;;HI)",
+                                                                    SDDL_REVISION_1,
+                                                                    wil::out_param_ptr<PSECURITY_DESCRIPTOR*>(sd),
+                                                                    &cb));
+
+            // Initialize a security attributes structure.
+            sa.nLength = sizeof(SECURITY_ATTRIBUTES);
+            sa.lpSecurityDescriptor = sd.get();
+            sa.bInheritHandle = false;
+
+            // If we're running in an elevated context, when this file is
+            // created, it will automatically be owned by
+            // Builtin\Administrators, which will pass the above
+            // _isOwnedByAdministrators check.
+            //
+            // Programs running in an elevated context will be free to write the
+            // file, and unelevated processes will be able to read the file. An
+            // unelevated process could always delete the file and rename a new
+            // file in it's place (a la the way `vim.exe` saves files), but if
+            // they do that, the new file _won't_ be owned by Administrators,
+            // failing the above check.
+        }
+
+        wil::unique_hfile file{ CreateFileW(path.c_str(),
+                                            GENERIC_WRITE,
+                                            FILE_SHARE_READ | FILE_SHARE_DELETE,
+                                            elevatedOnly ? &sa : nullptr,
+                                            CREATE_ALWAYS,
+                                            FILE_ATTRIBUTE_NORMAL,
+                                            nullptr) };
         THROW_LAST_ERROR_IF(!file);
 
         const auto fileSize = gsl::narrow<DWORD>(content.size());
@@ -198,7 +252,8 @@ namespace winrt::Microsoft::Terminal::Settings::Model
         }
     }
 
-    void WriteUTF8FileAtomic(const std::filesystem::path& path, const std::string_view& content)
+    void WriteUTF8FileAtomic(const std::filesystem::path& path,
+                             const std::string_view& content)
     {
         // GH#10787: rename() will replace symbolic links themselves and not the path they point at.
         // It's thus important that we first resolve them before generating temporary path.

src/cascadia/TerminalSettingsModel/FileUtils.h

@@ -1,41 +1,11 @@
 // Copyright (c) Microsoft Corporation.
 // Licensed under the MIT license.
 
-#pragma once
-
 namespace winrt::Microsoft::Terminal::Settings::Model
 {
-    // I couldn't find a wil helper for this so I made it myself
-    class locked_hfile
-    {
-    public:
-        wil::unique_hfile file;
-        OVERLAPPED lockedRegion;
-
-        ~locked_hfile()
-        {
-            if (file)
-            {
-                // Need to unlock the file before it is closed
-                UnlockFileEx(file.get(), 0, INT_MAX, 0, &lockedRegion);
-            }
-        }
-
-        HANDLE get() const noexcept
-        {
-            return file.get();
-        }
-    };
-
     std::filesystem::path GetBaseSettingsPath();
-
-    locked_hfile OpenFileReadSharedLocked(const std::filesystem::path& path);
-    locked_hfile OpenFileRWExclusiveLocked(const std::filesystem::path& path);
-    std::string ReadUTF8FileLocked(const locked_hfile& file);
-    void WriteUTF8FileLocked(const locked_hfile& file, const std::string_view& content);
-
-    std::string ReadUTF8File(const std::filesystem::path& path);
-    std::optional<std::string> ReadUTF8FileIfExists(const std::filesystem::path& path);
-    void WriteUTF8File(const std::filesystem::path& path, const std::string_view& content);
+    std::string ReadUTF8File(const std::filesystem::path& path, const bool elevatedOnly = false);
+    std::optional<std::string> ReadUTF8FileIfExists(const std::filesystem::path& path, const bool elevatedOnly = false);
+    void WriteUTF8File(const std::filesystem::path& path, const std::string_view& content, const bool elevatedOnly = false);
     void WriteUTF8FileAtomic(const std::filesystem::path& path, const std::string_view& content);
 }

src/cascadia/TerminalSettingsModel/JsonUtils.h

@@ -382,7 +382,6 @@ namespace Microsoft::Terminal::Settings::Model::JsonUtils
     };
 
     template<typename T>
-
     struct ConversionTrait<std::unordered_map<std::string, T>>
     {
         std::unordered_map<std::string, T> FromJson(const Json::Value& json) const

src/cascadia/TerminalSettingsModel/MTSMSettings.h

@@ -73,7 +73,8 @@ Author(s):
     X(hstring, Icon, "icon", L"\uE756")                                                                                                                        \
     X(CloseOnExitMode, CloseOnExit, "closeOnExit", CloseOnExitMode::Graceful)                                                                                  \
     X(hstring, TabTitle, "tabTitle")                                                                                                                           \
-    X(Model::BellStyle, BellStyle, "bellStyle", BellStyle::Audible)
+    X(Model::BellStyle, BellStyle, "bellStyle", BellStyle::Audible)                                                                                            \
+    X(bool, Elevate, "elevate", false)
 
 #define MTSM_FONT_SETTINGS(X)                                                          \
     X(hstring, FontFace, "face", DEFAULT_FONT_FACE)                                    \

src/cascadia/TerminalSettingsModel/Profile.cpp

@@ -30,6 +30,7 @@ static constexpr std::string_view FontInfoKey{ "font" };
 static constexpr std::string_view PaddingKey{ "padding" };
 static constexpr std::string_view TabColorKey{ "tabColor" };
 static constexpr std::string_view UnfocusedAppearanceKey{ "unfocusedAppearance" };
+static constexpr std::string_view ElevateKey{ "elevate" };
 
 Profile::Profile(guid guid) noexcept :
     _Guid(guid)
@@ -333,5 +334,7 @@ Json::Value Profile::ToJson() const
         json[JsonKey(UnfocusedAppearanceKey)] = winrt::get_self<AppearanceConfig>(_UnfocusedAppearance.value())->ToJson();
     }
 
+    JsonUtils::SetValueForKey(json, ElevateKey, _Elevate);
+
     return json;
 }

src/cascadia/TerminalSettingsModel/Profile.idl

@@ -79,5 +79,6 @@ namespace Microsoft.Terminal.Settings.Model
         INHERITABLE_PROFILE_SETTING(Boolean, SnapOnInput);
         INHERITABLE_PROFILE_SETTING(Boolean, AltGrAliasing);
         INHERITABLE_PROFILE_SETTING(BellStyle, BellStyle);
+        INHERITABLE_PROFILE_SETTING(Boolean, Elevate);
     }
 }

src/cascadia/TerminalSettingsModel/TerminalSettings.cpp

@@ -155,6 +155,14 @@ namespace winrt::Microsoft::Terminal::Settings::Model::implementation
                     defaultSettings.ApplyColorScheme(scheme);
                 }
             }
+            // Elevate on NewTerminalArgs is an optional value, so the default
+            // value (null) doesn't override a profile's value. Note that
+            // elevate:false in an already elevated terminal does nothing - the
+            // profile will still be launched elevated.
+            if (newTerminalArgs.Elevate())
+            {
+                defaultSettings.Elevate(newTerminalArgs.Elevate().Value());
+            }
         }
 
         return settingsPair;
@@ -307,6 +315,8 @@ namespace winrt::Microsoft::Terminal::Settings::Model::implementation
             const til::color colorRef{ profile.TabColor().Value() };
             _TabColor = static_cast<winrt::Microsoft::Terminal::Core::Color>(colorRef);
         }
+
+        _Elevate = profile.Elevate();
     }
 
     // Method Description:

src/cascadia/TerminalSettingsModel/TerminalSettings.h

@@ -159,6 +159,8 @@ namespace winrt::Microsoft::Terminal::Settings::Model::implementation
         INHERITABLE_SETTING(Model::TerminalSettings, hstring, PixelShaderPath);
         INHERITABLE_SETTING(Model::TerminalSettings, bool, IntenseIsBold);
 
+        INHERITABLE_SETTING(Model::TerminalSettings, bool, Elevate, false);
+
     private:
         std::optional<std::array<Microsoft::Terminal::Core::Color, COLOR_TABLE_SIZE>> _ColorTable;
         gsl::span<Microsoft::Terminal::Core::Color> _getColorTableImpl();

src/cascadia/TerminalSettingsModel/TerminalSettings.idl

@@ -35,5 +35,7 @@ namespace Microsoft.Terminal.Settings.Model
         void ApplyColorScheme(ColorScheme scheme);
 
         ColorScheme AppliedColorScheme;
+
+        Boolean Elevate;
     };
 }

src/cascadia/TerminalSettingsModel/pch.h

@@ -53,3 +53,6 @@ TRACELOGGING_DECLARE_PROVIDER(g_hSettingsModelProvider);
 
 // Manually include til after we include Windows.Foundation to give it winrt superpowers
 #include "til.h"
+
+#include <til/mutex.h>
+#include <til/throttled_func.h>

src/cascadia/WindowsTerminal/AppHost.cpp

@@ -845,8 +845,30 @@ winrt::Windows::Foundation::IAsyncAction AppHost::_SaveWindowLayouts()
 
     if (_logic.ShouldUsePersistedLayout())
     {
-        const auto layoutJsons = _windowManager.GetAllWindowLayouts();
-        _logic.SaveWindowLayoutJsons(layoutJsons);
+        try
+        {
+            TraceLoggingWrite(g_hWindowsTerminalProvider,
+                              "AppHost_SaveWindowLayouts_Collect",
+                              TraceLoggingDescription("Logged when collecting window state"),
+                              TraceLoggingLevel(WINEVENT_LEVEL_VERBOSE),
+                              TraceLoggingKeyword(TIL_KEYWORD_TRACE));
+            const auto layoutJsons = _windowManager.GetAllWindowLayouts();
+            TraceLoggingWrite(g_hWindowsTerminalProvider,
+                              "AppHost_SaveWindowLayouts_Save",
+                              TraceLoggingDescription("Logged when writing window state"),
+                              TraceLoggingLevel(WINEVENT_LEVEL_VERBOSE),
+                              TraceLoggingKeyword(TIL_KEYWORD_TRACE));
+            _logic.SaveWindowLayoutJsons(layoutJsons);
+        }
+        catch (...)
+        {
+            LOG_CAUGHT_EXCEPTION();
+            TraceLoggingWrite(g_hWindowsTerminalProvider,
+                              "AppHost_SaveWindowLayouts_Failed",
+                              TraceLoggingDescription("An error occurred when collecting or writing window state"),
+                              TraceLoggingLevel(WINEVENT_LEVEL_VERBOSE),
+                              TraceLoggingKeyword(TIL_KEYWORD_TRACE));
+        }
     }
 
     co_return;
@@ -867,6 +889,12 @@ winrt::fire_and_forget AppHost::_SaveWindowLayoutsRepeat()
     // per 10 seconds, if a save is requested by another source simultaneously.
     if (_getWindowLayoutThrottler.has_value())
     {
+        TraceLoggingWrite(g_hWindowsTerminalProvider,
+                          "AppHost_requestGetLayout",
+                          TraceLoggingDescription("Logged when triggering a throttled write of the window state"),
+                          TraceLoggingLevel(WINEVENT_LEVEL_VERBOSE),
+                          TraceLoggingKeyword(TIL_KEYWORD_TRACE));
+
         _getWindowLayoutThrottler.value()();
     }
 }

src/types/inc/utils.hpp

@@ -94,4 +94,5 @@ namespace Microsoft::Console::Utils
 
     GUID CreateV5Uuid(const GUID& namespaceGuid, const gsl::span<const gsl::byte> name);
 
+    bool IsElevated();
 }

src/types/utils.cpp

@@ -5,6 +5,8 @@
 #include "inc/utils.hpp"
 #include "inc/colorTable.hpp"
 
+#include <wil/token_helpers.h>
+
 using namespace Microsoft::Console;
 
 // Routine Description:
@@ -559,3 +561,33 @@ GUID Utils::CreateV5Uuid(const GUID& namespaceGuid, const gsl::span<const gsl::b
     ::memcpy_s(&newGuid, sizeof(GUID), buffer.data(), sizeof(GUID));
     return EndianSwap(newGuid);
 }
+
+bool Utils::IsElevated()
+{
+    static bool isElevated = []() {
+        try
+        {
+            wil::unique_handle processToken{ GetCurrentProcessToken() };
+            const auto elevationType = wil::get_token_information<TOKEN_ELEVATION_TYPE>(processToken.get());
+            const auto elevationState = wil::get_token_information<TOKEN_ELEVATION>(processToken.get());
+            if (elevationType == TokenElevationTypeDefault && elevationState.TokenIsElevated)
+            {
+                // In this case, the user has UAC entirely disabled. This is sort of
+                // weird, we treat this like the user isn't an admin at all. There's no
+                // separation of powers, so the things we normally want to gate on
+                // "having special powers" doesn't apply.
+                //
+                // See GH#7754, GH#11096
+                return false;
+            }
+
+            return wil::test_token_membership(nullptr, SECURITY_NT_AUTHORITY, SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_ADMINS);
+        }
+        catch (...)
+        {
+            LOG_CAUGHT_EXCEPTION();
+            return false;
+        }
+    }();
+    return isElevated;
+}