Update winget server com security

[yao-msft]

Change:

• Explicitly set COM access permissions for packaged com invocations. Leave access permissions as default and do not register COM objects for manual invocation so that only RPC channel can be used for manual activation.
• Update LaunchAndActivationString to allow Self, System, Built-in Admin and AppContainer only, require at least MediumIL for non-AC.
• Move Configuration to a separate COM server, use default permission.

A separate pr will be sent to update AppInstaller manifest.

Validation: Validated manually with Microsoft Store invocation, Powershell invocation (elevated and non elevated), test sample code and Devhome invocation (on package management and configuration).

Also specifically validated Store invocation with Built-in Administrator sign-in (previously not working).

Microsoft Reviewers: Open in CodeFlow

[github-actions[bot]]

@check-spelling-bot Report

:red_circle: Please review

See the :open_file_folder: files view or the :scroll:action log for details.

Unrecognized words (4)

dacl Initilize NRNWNX sacl

Previously acknowledged words that are now absent

ata bitspace DACL EPester epth hrow issuetitle mapview Mta oop PFM rzkzqaqjwj sfs STARTUPINFOW testdata visualstudiocode :arrow_right:

Some files were automatically ignored

These sample patterns would exclude them: ``` ^\Qsrc/AppInstallerCLIE2ETests/TestData/AppInstallerTestMsiInstallerV2.msi\E$ ``` You should consider adding them to: ``` .github/actions/spelling/excludes.txt ``` File matching is via Perl regular expressions. To check these files, more of their words need to be in the dictionary than not. You can use `patterns.txt` to exclude portions, add items to the dictionary (e.g. by adding them to `allow.txt`), or fix typos.

To accept :heavy_check_mark: these unrecognized words as correct and remove the previously acknowledged and now absent words, run the following commands

... in a clone of the [git@github.com:yao-msft/winget-cli.git](https://github.com/yao-msft/winget-cli.git) repository on the `comsec` branch ([:information_source: how do I use this?]( https://github.com/check-spelling/check-spelling/wiki/Accepting-Suggestions)): ``` sh curl -s -S -L 'https://raw.githubusercontent.com/check-spelling/check-spelling/v0.0.21/apply.pl' | perl - 'https://github.com/microsoft/winget-cli/actions/runs/9627840589/attempts/1' ```

Available :books: dictionaries could cover words not in the :blue_book: dictionary

This includes both **expected items** (551) from .github/actions/spelling/expect.txt and **unrecognized words** (4) Dictionary | Entries | Covers -|-|- [cspell:win32/src/win32.txt](https://raw.githubusercontent.com/check-spelling/cspell-dicts/v20220816/dictionaries/win32/src/win32.txt)|53509|20| [cspell:python/src/python/python-lib.txt](https://raw.githubusercontent.com/check-spelling/cspell-dicts/v20220816/dictionaries/python/src/python/python-lib.txt)|3873|3| [cspell:python/src/python/python.txt](https://raw.githubusercontent.com/check-spelling/cspell-dicts/v20220816/dictionaries/python/src/python/python.txt)|453|2| [cspell:python/src/common/extra.txt](https://raw.githubusercontent.com/check-spelling/cspell-dicts/v20220816/dictionaries/python/src/common/extra.txt)|741|2| [cspell:php/php.txt](https://raw.githubusercontent.com/check-spelling/cspell-dicts/v20220816/dictionaries/php/php.txt)|2597|2| [cspell:npm/npm.txt](https://raw.githubusercontent.com/check-spelling/cspell-dicts/v20220816/dictionaries/npm/npm.txt)|288|2| [cspell:django/django.txt](https://raw.githubusercontent.com/check-spelling/cspell-dicts/v20220816/dictionaries/django/django.txt)|859|2| [cspell:csharp/csharp.txt](https://raw.githubusercontent.com/check-spelling/cspell-dicts/v20220816/dictionaries/csharp/csharp.txt)|19|2| [cspell:sql/src/tsql.txt](https://raw.githubusercontent.com/check-spelling/cspell-dicts/v20220816/dictionaries/sql/src/tsql.txt)|455|1| [cspell:scala/scala.txt](https://raw.githubusercontent.com/check-spelling/cspell-dicts/v20220816/dictionaries/scala/scala.txt)|833|1| Consider adding them using (in `.github/workflows/spelling3.yml`): ``` yml with: extra_dictionaries: cspell:win32/src/win32.txt cspell:python/src/python/python-lib.txt cspell:python/src/python/python.txt cspell:python/src/common/extra.txt cspell:php/php.txt cspell:npm/npm.txt cspell:django/django.txt cspell:csharp/csharp.txt cspell:sql/src/tsql.txt cspell:scala/scala.txt ``` To stop checking additional dictionaries, add: ``` yml with: check_extra_dictionaries: '' ```

Warnings (2)

See the [:open_file_folder: files](4577/files/) view or the [:scroll:action log](https://github.com/microsoft/winget-cli/actions/runs/9627840589/job/26555394158#step:4:1) for details. [:information_source: Warnings](https://github.com/check-spelling/check-spelling/wiki/Event-descriptions) | Count -|- [:information_source: binary-file](https://github.com/check-spelling/check-spelling/wiki/Event-descriptions#binary-file) | 1 [:information_source: unexpected-line-ending](https://github.com/check-spelling/check-spelling/wiki/Event-descriptions#unexpected-line-ending) | 2 See [:information_source: Event descriptions](https://github.com/check-spelling/check-spelling/wiki/Event-descriptions) for more information.

If the flagged items are :exploding_head: false positives

If items relate to a ... * binary file (or some other file you wouldn't want to check at all). Please add a file path to the `excludes.txt` file matching the containing file. File paths are Perl 5 Regular Expressions - you can [test]( https://www.regexplanet.com/advanced/perl/) yours before committing to verify it will match your files. `^` refers to the file's path from the root of the repository, so `^README\.md$` would exclude [README.md]( ../tree/HEAD/README.md) (on whichever branch you're using). * well-formed pattern. If you can write a [pattern](https://github.com/check-spelling/check-spelling/wiki/Configuration-Examples:-patterns) that would match it, try adding it to the `patterns.txt` file. Patterns are Perl 5 Regular Expressions - you can [test]( https://www.regexplanet.com/advanced/perl/) yours before committing to verify it will match your lines. Note that patterns can't match multiline strings.

[yao-msft]

To unblock 1.8 servicing release process, I'll merge and not wait for build since it's only updating a comment from last success build and spelling task passed.