How to make container installation behave like host machine installation

Question

I'm working with the following:

• Docker for Windows v20.10.11
• Docker running in Windows container mode
• mcr.microsoft.com/windows:1903 base image
• Proprietary application installed on top of this base image

Each year we create a Docker image with the latest version of our company's software. However this year's version behaves differently. Host machine installation runs fine. Containerized installation fails to run in certain situations. I can start the application as a simple EXE, for example using the Docker run command. The app will start and show up in "tasklist". However I can't start the app via the COM API, which is a critical requirement. The problem appears to be COM related. Normally we can create COM objects for our software just like for any other application. For example, IE returns a COM object just fine:

Creating these objects for our application works outside containers. However inside the container, our latest installation gives this error:

Access permissions appear to be ok. I tried a couple tests to prove this. First I can install other software like MS Word into a container and create COM objects for that:

Second I tried retrieving + modifying the application's DACL in PowerShell.

Changing access masks or trustees can cause an Access Denied error:

This also appears to confirm the access permissions were Ok by default.

Next I made sure COM is aware of the application. This appears to be fine. I get the same result on host machine and container when running this PS script:

gci HKLM:\Software\Classes -ea 0| ? {$.PSChildName -match '^\w+.\w+$' -and (gp "$($.PSPath)\CLSID" -ea 0)} | ft PSChildName

The application shows up just like any other. The details show up fine when querying by AppID. LocalServer32 points to the correct EXE:

Some other things I tried:

• Querying registry keys. There are 7 keys created when installing our software. These appear identical on host machine install and container install.
• Even though permissions appear fine, I still tried logging into the container as alternate users. For example "nt authority\system" is another virtual admin user. I also changed the password of the "builtin\administrator" user to enable logging in with that one. Lastly tried creating new users entirely and adding them to the Administrators user group. All these attempts had the same errors as "builtin\containeradministrator" (default user).
• A minor check was ensuring CMD.exe / Powershell is running as x64:
• Re-registering the DLLs associated with the installation using regsvr32.
• Starting from different base images. https://learn.microsoft.com/en-us/virtualization/windowscontainers/manage-containers/container-base-images. The full Win Server base image behaves exactly the same way regarding errors. The smaller Win Server Core base image is even more problematic, as I can't even start the app's EXE manually using that base. Lastly I tried other tags of the full Windows base image such as 20H2 and 2004. Same result from those. Multiarch or x64 makes no difference.
• Included the "Ogawa hack" which was historically needed to make MS Office apps function correctly with COM: https://stackoverflow.com/a/1680214/7991646. It could be necessary for other COM apps too, but didn't help with my specific installation.

Is there anything else I can do to diagnose or solve this COM issue?

Answer 1

There are several things to consider:

1. The Considerations for server-side Automation of Office article states the following:

   Microsoft does not currently recommend, and does not support, Automation of Microsoft Office applications from any unattended, non-interactive client application or component (including ASP, ASP.NET, DCOM, and NT Services), because Office may exhibit unstable behavior and/or deadlock when Office is run in this environment.

   If you are building a solution that runs in a server-side context, you should try to use components that have been made safe for unattended execution. Or, you should try to find alternatives that allow at least part of the code to run client-side. If you use an Office application from a server-side solution, the application will lack many of the necessary capabilities to run successfully. Additionally, you will be taking risks with the stability of your overall solution.

2. The When CoCreateInstance returns 0x80080005 (CO_E_SERVER_EXEC_FAILURE) page describes possible reasons.

3. If many COM+ applications run under different user accounts that are specified in the This User property, the computer cannot allocate memory to create a new desktop heap for the new user. Therefore, the process cannot start. See Error when you start many COM+ applications: Error code 80080005 -- server execution failed for more information.

4. Finally, you may find a similar thread here helpful, see Server execution failed (Exception from HRESULT: 0x80080005 (CO_E_SERVER_EXEC_FAILURE)).