model.LoadAsync() fails with "Access is denied" inside a Windows AppContainer (1.1.0)
Summary
Calling model.LoadAsync() from a process running inside a Windows AppContainer fails with an access-denied error originating from ONNX Runtime's WeaklyCanonicalPath external-data validation. The same code, same model, and same on-disk paths work when the process runs outside an AppContainer. This worked in 0.8.2.1.
Environment
- Microsoft.AI.Foundry.Local 1.1.0
- Microsoft.AI.Foundry.Local.Core 1.1.0
- .NET 8.0, Windows 11
- Model: qwen2.5-1.5b-instruct-generic-cpu:4
- Last known working version: 0.8.2.1
Repro
- Host the Foundry Local managed SDK in a process launched as a Windows AppContainer.
- await FoundryLocalManager.CreateAsync(config, logger);
- await model.DownloadAsync(); — succeeds (~1.83 GB written to cache).
- await model.LoadAsync(); — fails.
Error
Microsoft.ML.OnnxRuntimeGenAI.OnnxRuntimeGenAIException: External data path validation failed
for initializer: model.embed_tokens.weight. Error: tensorprotoutils.cc:377
onnxruntime::utils::WeaklyCanonicalPath Failed to get the weakly canonical path:
"C:\ModelRelayFoundryLocal\cache\models\Microsoft\qwen2.5-1.5b-instruct-generic-cpu-4\v4" - Access is denied.
at Microsoft.ML.OnnxRuntimeGenAI.Result.VerifySuccess(IntPtr)
at Microsoft.ML.OnnxRuntimeGenAI.Model..ctor(Config)
at Microsoft.Neutron.OpenAI.Provider.OnnxLoadedModel..ctor(String, Config, GenAIConfig, InferenceModel, OnnxEP)
at Microsoft.AI.Foundry.Local.ModelManager.LoadModelAsync(...)
at Microsoft.AI.Foundry.Local.NativeInterop.ExecuteCommandManaged(...)
at Microsoft.AI.Foundry.Local.Detail.ModelLoadManager.LoadAsync(String modelId, ...)
at Microsoft.AI.Foundry.Local.ModelVariant.LoadAsync(...)
at Microsoft.AI.Foundry.Local.Model.LoadAsync(...)
The path being validated is the cached model file under AppDataDir/cache/models/.... The file exists and is readable.
What we tried
All produce the same error:
| AppDataDir value | Result |
|---|---|
| (default) | fail |
| %LOCALAPPDATA%\ModelRelayFoundryLocal | fail |
| C:\.ModelRelayFoundryLocal | fail |
| C:\ModelRelayFoundryLocal (no leading dot) | fail |
| The AppContainer's own per-package storage under Packages\<id>\AC\ | fail |
We also granted the AppContainer SID readWrite on C:\ (entire drive). Same error. So this is not a filesystem ACL or path-string issue from our side.
Switching the host process to run without an AppContainer (no other code changes) — LoadAsync() succeeds and the endpoint serves requests normally.
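Added example, not part of the original report and not ONNX Runtime or Foundry Local code: a standalone probe that can be built and launched in the same AppContainer to see which component of the cache path fails canonicalization, independent of the SDK. It assumes the WeaklyCanonicalPath helper named in the error wraps std::filesystem::weakly_canonical; probe_prefixes and first_failure are hypothetical names.

```cpp
// Added diagnostic sketch; probe_prefixes and first_failure are hypothetical names.
#include <filesystem>
#include <iostream>
#include <string>
#include <system_error>
#include <vector>

namespace fs = std::filesystem;

struct ProbeResult {
    fs::path prefix;      // ancestor (or full path) that was probed
    std::error_code ec;   // empty on success, OS error otherwise
};

// Call weakly_canonical on every prefix of `target`, shortest first, so the
// first failing entry names the component the sandbox refuses to resolve.
std::vector<ProbeResult> probe_prefixes(const fs::path& target) {
    std::vector<ProbeResult> results;
    fs::path prefix;
    for (const auto& part : target) {
        prefix /= part;
        std::error_code ec;
        (void)fs::weakly_canonical(prefix, ec);  // non-throwing overload
        results.push_back({prefix, ec});
    }
    return results;
}

// Index of the first prefix that failed, or -1 if every prefix resolved.
int first_failure(const std::vector<ProbeResult>& results) {
    for (std::size_t i = 0; i < results.size(); ++i)
        if (results[i].ec) return static_cast<int>(i);
    return -1;
}

int main(int argc, char** argv) {
    // Pass the directory from the error message as argv[1]; the default is a
    // constructed path whose tail does not exist (which weakly_canonical allows).
    fs::path target = argc > 1 ? fs::path(argv[1])
                               : fs::temp_directory_path() / "constructed-model-dir" / "v4";
    auto results = probe_prefixes(target);
    for (const auto& r : results)
        std::cout << (r.ec ? "FAIL " : "ok   ") << r.prefix.string()
                  << (r.ec ? "  -> " + r.ec.message() : std::string()) << '\n';
    return first_failure(results) == -1 ? 0 : 1;
}
```

Running the same binary once outside and once inside the AppContainer gives a per-component comparison that can be attached to the report.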