Migrate spelling-0.0.21 changes from main

Co-authored-by: Carlos Zamora <carlos.zamora@microsoft.com>

.github/actions/spelling/README.md

@@ -0,0 +1,15 @@
+# check-spelling/check-spelling configuration
+
+File | Purpose | Format | Info
+-|-|-|-
+[allow/*.txt](allow/) | Add words to the dictionary | one word per line (only letters and `'`s allowed) | [allow](https://github.com/check-spelling/check-spelling/wiki/Configuration#allow)
+[reject.txt](reject.txt) | Remove words from the dictionary (after allow) | grep pattern matching whole dictionary words | [reject](https://github.com/check-spelling/check-spelling/wiki/Configuration-Examples%3A-reject)
+[excludes.txt](excludes.txt) | Files to ignore entirely | perl regular expression | [excludes](https://github.com/check-spelling/check-spelling/wiki/Configuration-Examples%3A-excludes)
+[patterns/*.txt](patterns/) | Patterns to ignore from checked lines | perl regular expression (order matters, first match wins) | [patterns](https://github.com/check-spelling/check-spelling/wiki/Configuration-Examples%3A-patterns)
+[candidate.patterns](candidate.patterns) | Patterns that might be worth adding to [patterns.txt](patterns.txt) | perl regular expression with optional comment block introductions (all matches will be suggested) | [candidates](https://github.com/check-spelling/check-spelling/wiki/Feature:-Suggest-patterns)
+[line_forbidden.patterns](line_forbidden.patterns) | Patterns to flag in checked lines | perl regular expression (order matters, first match wins) | [patterns](https://github.com/check-spelling/check-spelling/wiki/Configuration-Examples%3A-patterns)
+[expect/*.txt](expect.txt) | Expected words that aren't in the dictionary | one word per line (sorted, alphabetically) | [expect](https://github.com/check-spelling/check-spelling/wiki/Configuration#expect)
+[advice.md](advice.md) | Supplement for GitHub comment when unrecognized words are found | GitHub Markdown | [advice](https://github.com/check-spelling/check-spelling/wiki/Configuration-Examples%3A-advice)
+
+Note: you can replace any of these files with a directory by the same name (minus the suffix)
+and then include multiple files inside that directory (with that suffix) to merge multiple files together.

.github/actions/spelling/advice.md

@@ -1,4 +1,4 @@
-<!-- markdownlint-disable MD033 MD041 -->
+<!-- See https://github.com/check-spelling/check-spelling/wiki/Configuration-Examples%3A-advice --> <!-- markdownlint-disable MD033 MD041 -->
 <details>
 <summary>
 :pencil2: Contributor please read this
@@ -6,7 +6,7 @@
 
 By default the command suggestion will generate a file named based on your commit. That's generally ok as long as you add the file to your commit. Someone can reorganize it later.
 
-:warning: The command is written for posix shells. You can copy the contents of each `perl` command excluding the outer `'` marks and dropping any `'"`/`"'` quotation mark pairs into a file and then run `perl file.pl` from the root of the repository to run the code. Alternatively, you can manually insert the items...
+:warning: The command is written for posix shells. If it doesn't work for you, you can manually _add_ (one word per line) / _remove_ items to `expect.txt` and the `excludes.txt` files.
 
 If the listed items are:
 
@@ -20,31 +20,29 @@ See the `README.md` in each directory for more information.
 
 :microscope: You can test your commits **without** *appending* to a PR by creating a new branch with that extra change and pushing it to your fork. The [check-spelling](https://github.com/marketplace/actions/check-spelling) action will run in response to your **push** -- it doesn't require an open pull request. By using such a branch, you can limit the number of typos your peers see you make. :wink:
 
-<details><summary>:clamp: If you see a bunch of garbage</summary>
 
-If it relates to a ...
-<details><summary>well-formed pattern</summary>
+<details><summary>If the flagged items are :exploding_head: false positives</summary>
 
-See if there's a [pattern](https://github.com/check-spelling/check-spelling/wiki/Configuration-Examples:-patterns) that would match it.
+If items relate to a ...
+* binary file (or some other file you wouldn't want to check at all).
 
-If not, try writing one and adding it to a `patterns/{file}.txt`.
+  Please add a file path to the `excludes.txt` file matching the containing file.
 
-Patterns are Perl 5 Regular Expressions - you can [test](
-https://www.regexplanet.com/advanced/perl/) yours before committing to verify it will match your lines.
-
-Note that patterns can't match multiline strings.
-</details>
-<details><summary>binary-ish string</summary>
-
-Please add a file path to the `excludes.txt` file instead of just accepting the garbage.
-
-File paths are Perl 5 Regular Expressions - you can [test](
+  File paths are Perl 5 Regular Expressions - you can [test](
 https://www.regexplanet.com/advanced/perl/) yours before committing to verify it will match your files.
 
-`^` refers to the file's path from the root of the repository, so `^README\.md$` would exclude [README.md](
+  `^` refers to the file's path from the root of the repository, so `^README\.md$` would exclude [README.md](
 ../tree/HEAD/README.md) (on whichever branch you're using).
-</details>
-
+
+* well-formed pattern.
+
+  If you can write a [pattern](https://github.com/check-spelling/check-spelling/wiki/Configuration-Examples:-patterns) that would match it,
+  try adding it to the `patterns.txt` file.
+
+  Patterns are Perl 5 Regular Expressions - you can [test](
+https://www.regexplanet.com/advanced/perl/) yours before committing to verify it will match your lines.
+
+  Note that patterns can't match multiline strings.
 </details>
 
 </details>

.github/actions/spelling/allow/allow.txt

@@ -1,53 +1,75 @@
+admins
+allcolors
+Apc
 apc
+breadcrumb
+breadcrumbs
+bsd
 calt
 ccmp
 changelog
-cybersecurity
-Apc
 clickable
 clig
+CMMI
 copyable
+cybersecurity
 dalet
-dcs
 Dcs
+dcs
 dialytika
 dje
 downside
 downsides
 dze
 dzhe
+EDDB
+EDDC
 Enum'd
 Fitt
 formattings
+FTCS
 ftp
 fvar
+gantt
+gcc
 geeksforgeeks
 ghe
+github
 gje
+godbolt
 hostname
 hostnames
+https
 hyperlink
 hyperlinking
 hyperlinks
+iconify
 img
+inlined
 It'd
 kje
+libfuzzer
+libuv
 liga
 lje
-locl
-lorem
 Llast
+llvm
 Lmid
+locl
+lol
+lorem
 Lorigin
 maxed
+minimalistic
 mkmk
 mnt
 mru
-noreply
 nje
+noreply
 ogonek
 ok'd
 overlined
+pipeline
 postmodern
 ptys
 qof
@@ -62,17 +84,25 @@ runtimes
 shcha
 slnt
 Sos
+ssh
+timeline
+timelines
 timestamped
 TLDR
 tokenizes
 tonos
+toolset
 tshe
+ubuntu
 uiatextrange
 UIs
 und
 unregister
 versioned
+vsdevcmd
 We'd
 wildcards
+XBox
+YBox
 yeru
 zhe

.github/actions/spelling/allow/apis.txt

@@ -1,32 +1,43 @@
 ACCEPTFILES
 ACCESSDENIED
+acl
+aclapi
 alignas
 alignof
 APPLYTOSUBMENUS
+appxrecipe
 bitfield
 bitfields
 BUILDBRANCH
 BUILDMSG
 BUILDNUMBER
-BYPOSITION
 BYCOMMAND
+BYPOSITION
 charconv
 CLASSNOTAVAILABLE
+CLOSEAPP
 cmdletbinding
 COLORPROPERTY
 colspan
 COMDLG
-comparand
 commandlinetoargv
+comparand
 cstdint
 CXICON
 CYICON
+Dacl
 dataobject
 dcomp
 DERR
 dlldata
+DNE
 DONTADDTORECENT
+DWMSBT
+DWMWA
+DWMWA
 DWORDLONG
+endfor
+ENDSESSION
 enumset
 environstrings
 EXPCMDFLAGS
@@ -40,12 +51,16 @@ fullkbd
 futex
 GETDESKWALLPAPER
 GETHIGHCONTRAST
+GETMOUSEHOVERTIME
 Hashtable
 HIGHCONTRASTON
 HIGHCONTRASTW
 hotkeys
 href
 hrgn
+HTCLOSE
+hwinsta
+HWINSTA
 IActivation
 IApp
 IAppearance
@@ -62,19 +77,22 @@ IDirect
 IExplorer
 IFACEMETHOD
 IFile
+IGraphics
 IInheritable
 IMap
+IMonarch
 IObject
 iosfwd
 IPackage
 IPeasant
-isspace
 ISetup
+isspace
 IStorage
 istream
 IStringable
 ITab
 ITaskbar
+itow
 IUri
 IVirtual
 KEYSELECT
@@ -83,18 +101,27 @@ llabs
 llu
 localtime
 lround
+Lsa
+lsass
 LSHIFT
+LTGRAY
+MAINWINDOW
+memchr
+memicmp
 MENUCOMMAND
 MENUDATA
 MENUINFO
 MENUITEMINFOW
-memicmp
-mptt
+mmeapi
+MOUSELEAVE
 mov
+mptt
 msappx
 MULTIPLEUSE
 NCHITTEST
 NCLBUTTONDBLCLK
+NCMOUSELEAVE
+NCMOUSEMOVE
 NCRBUTTONDBLCLK
 NIF
 NIN
@@ -112,26 +139,36 @@ oaidl
 ocidl
 ODR
 offsetof
+ofstream
+onefuzz
 osver
 OSVERSIONINFOEXW
 otms
 OUTLINETEXTMETRICW
 overridable
+PACL
 PAGESCROLL
+PATINVERT
+PEXPLICIT
 PICKFOLDERS
 pmr
+ptstr
+QUERYENDSESSION
 rcx
 REGCLS
 RETURNCMD
 rfind
+ROOTOWNER
 roundf
 RSHIFT
+SACL
 schandle
 semver
 serializer
 SETVERSION
 SHELLEXECUTEINFOW
 shobjidl
+SHOWHIDE
 SHOWMINIMIZED
 SHOWTIP
 SINGLEUSE
@@ -152,24 +189,37 @@ Stubless
 Subheader
 Subpage
 syscall
+SYSTEMBACKDROP
+TABROW
 TASKBARCREATED
 TBPF
 THEMECHANGED
 tlg
+TME
 tmp
+tmpdir
 tolower
 toupper
+TRACKMOUSEEVENT
 TTask
 TVal
 UChar
+UFIELD
 ULARGE
+UOI
 UPDATEINIFILE
 userenv
+USEROBJECTFLAGS
+Viewbox
+virtualalloc
 wcsstr
 wcstoui
 winmain
+winsta
+winstamin
 wmemcmp
 wpc
+WSF
 wsregex
 wwinmain
 xchg

.github/actions/spelling/allow/microsoft.txt

@@ -19,6 +19,7 @@ CPRs
 cryptbase
 DACL
 DACLs
+defaultlib
 diffs
 disposables
 dotnetfeed
@@ -27,6 +28,8 @@ DWINRT
 enablewttlogging
 Intelli
 IVisual
+libucrt
+libucrtd
 LKG
 LOCKFILE
 Lxss
@@ -36,8 +39,10 @@ microsoftonline
 MSAA
 msixbundle
 MSVC
+MSVCP
 muxc
 netcore
+Onefuzz
 osgvsowi
 PFILETIME
 pgc
@@ -62,6 +67,8 @@ systemroot
 taskkill
 tasklist
 tdbuildteamid
+ucrt
+ucrtd
 unvirtualized
 VCRT
 vcruntime

.github/actions/spelling/allow/names.txt

@@ -1,14 +1,18 @@
 Anup
 austdi
+arkthur
 Ballmer
 bhoj
 Bhojwani
+Bluloco
 carlos
 dhowett
 Diviness
 dsafa
 duhowett
+DXP
 ekg
+eryksun
 ethanschoonover
 Firefox
 Gatta
@@ -20,6 +24,7 @@ Hernan
 Howett
 Illhardt
 iquilezles
+italo
 jantari
 jerrysh
 Kaiyu
@@ -33,7 +38,9 @@ leonmsft
 Lepilleur
 lhecker
 lukesampson
+Macbook
 Manandhar
+masserano
 mbadolato
 Mehrain
 menger
@@ -62,12 +69,16 @@ Rincewind
 rprichard
 Schoonover
 shadertoy
+Shomnipotence
+simioni
 Somuah
 sonph
 sonpham
 stakx
+talo
 thereses
 Walisch
+WDX
 Wellons
 Wirt
 Wojciech

.github/actions/spelling/candidate.patterns

@@ -0,0 +1,523 @@
+# marker to ignore all code on line
+^.*/\* #no-spell-check-line \*/.*$
+# marker for ignoring a comment to the end of the line
+// #no-spell-check.*$
+
+# patch hunk comments
+^\@\@ -\d+(?:,\d+|) \+\d+(?:,\d+|) \@\@ .*
+# git index header
+index [0-9a-z]{7,40}\.\.[0-9a-z]{7,40}
+
+# cid urls
+(['"])cid:.*?\g{-1}
+
+# data url in parens
+\(data:[^)]*?(?:[A-Z]{3,}|[A-Z][a-z]{2,}|[a-z]{3,})[^)]*\)
+# data url in quotes
+([`'"])data:.*?(?:[A-Z]{3,}|[A-Z][a-z]{2,}|[a-z]{3,}).*\g{-1}
+# data url
+data:[-a-zA-Z=;:/0-9+]*,\S*
+
+# mailto urls
+mailto:[-a-zA-Z=;:/?%&0-9+@.]{3,}
+
+# magnet urls
+magnet:[?=:\w]+
+
+# magnet urls
+"magnet:[^"]+"
+
+# obs:
+"obs:[^"]*"
+
+# The `\b` here means a break, it's the fancy way to handle urls, but it makes things harder to read
+# In this examples content, I'm using a number of different ways to match things to show various approaches
+# asciinema
+\basciinema\.org/a/[0-9a-zA-Z]+
+
+# apple
+\bdeveloper\.apple\.com/[-\w?=/]+
+# Apple music
+\bembed\.music\.apple\.com/fr/playlist/usr-share/[-\w.]+
+
+# appveyor api
+\bci\.appveyor\.com/api/projects/status/[0-9a-z]+
+# appveyor project
+\bci\.appveyor\.com/project/(?:[^/\s"]*/){2}builds?/\d+/job/[0-9a-z]+
+
+# Amazon
+
+# Amazon
+\bamazon\.com/[-\w]+/(?:dp/[0-9A-Z]+|)
+# AWS S3
+\b\w*\.s3[^.]*\.amazonaws\.com/[-\w/&#%_?:=]*
+# AWS execute-api
+\b[0-9a-z]{10}\.execute-api\.[-0-9a-z]+\.amazonaws\.com\b
+# AWS ELB
+\b\w+\.[-0-9a-z]+\.elb\.amazonaws\.com\b
+# AWS SNS
+\bsns\.[-0-9a-z]+.amazonaws\.com/[-\w/&#%_?:=]*
+# AWS VPC
+vpc-\w+
+
+# While you could try to match `http://` and `https://` by using `s?` in `https?://`, sometimes there
+# YouTube url
+\b(?:(?:www\.|)youtube\.com|youtu.be)/(?:channel/|embed/|user/|playlist\?list=|watch\?v=|v/|)[-a-zA-Z0-9?&=_%]*
+# YouTube music
+\bmusic\.youtube\.com/youtubei/v1/browse(?:[?&]\w+=[-a-zA-Z0-9?&=_]*)
+# YouTube tag
+<\s*youtube\s+id=['"][-a-zA-Z0-9?_]*['"]
+# YouTube image
+\bimg\.youtube\.com/vi/[-a-zA-Z0-9?&=_]*
+# Google Accounts
+\baccounts.google.com/[-_/?=.:;+%&0-9a-zA-Z]*
+# Google Analytics
+\bgoogle-analytics\.com/collect.[-0-9a-zA-Z?%=&_.~]*
+# Google APIs
+\bgoogleapis\.(?:com|dev)/[a-z]+/(?:v\d+/|)[a-z]+/[-@:./?=\w+|&]+
+# Google Storage
+\b[-a-zA-Z0-9.]*\bstorage\d*\.googleapis\.com(?:/\S*|)
+# Google Calendar
+\bcalendar\.google\.com/calendar(?:/u/\d+|)/embed\?src=[@./?=\w&%]+
+\w+\@group\.calendar\.google\.com\b
+# Google DataStudio
+\bdatastudio\.google\.com/(?:(?:c/|)u/\d+/|)(?:embed/|)(?:open|reporting|datasources|s)/[-0-9a-zA-Z]+(?:/page/[-0-9a-zA-Z]+|)
+# The leading `/` here is as opposed to the `\b` above
+# ... a short way to match `https://` or `http://` since most urls have one of those prefixes
+# Google Docs
+/docs\.google\.com/[a-z]+/(?:ccc\?key=\w+|(?:u/\d+|d/(?:e/|)[0-9a-zA-Z_-]+/)?(?:edit\?[-\w=#.]*|/\?[\w=&]*|))
+# Google Drive
+\bdrive\.google\.com/(?:file/d/|open)[-0-9a-zA-Z_?=]*
+# Google Groups
+\bgroups\.google\.com/(?:(?:forum/#!|d/)(?:msg|topics?|searchin)|a)/[^/\s"]+/[-a-zA-Z0-9$]+(?:/[-a-zA-Z0-9]+)*
+# Google Maps
+\bmaps\.google\.com/maps\?[\w&;=]*
+# Google themes
+themes\.googleusercontent\.com/static/fonts/[^/\s"]+/v\d+/[^.]+.
+# Google CDN
+\bclients2\.google(?:usercontent|)\.com[-0-9a-zA-Z/.]*
+# Goo.gl
+/goo\.gl/[a-zA-Z0-9]+
+# Google Chrome Store
+\bchrome\.google\.com/webstore/detail/[-\w]*(?:/\w*|)
+# Google Books
+\bgoogle\.(?:\w{2,4})/books(?:/\w+)*\?[-\w\d=&#.]*
+# Google Fonts
+\bfonts\.(?:googleapis|gstatic)\.com/[-/?=:;+&0-9a-zA-Z]*
+# Google Forms
+\bforms\.gle/\w+
+# Google Scholar
+\bscholar\.google\.com/citations\?user=[A-Za-z0-9_]+
+# Google Colab Research Drive
+\bcolab\.research\.google\.com/drive/[-0-9a-zA-Z_?=]*
+
+# GitHub SHAs (api)
+\bapi.github\.com/repos(?:/[^/\s"]+){3}/[0-9a-f]+\b
+# GitHub SHAs (markdown)
+(?:\[`?[0-9a-f]+`?\]\(https:/|)/(?:www\.|)github\.com(?:/[^/\s"]+){2,}(?:/[^/\s")]+)(?:[0-9a-f]+(?:[-0-9a-zA-Z/#.]*|)\b|)
+# GitHub SHAs
+\bgithub\.com(?:/[^/\s"]+){2}[@#][0-9a-f]+\b
+# GitHub wiki
+\bgithub\.com/(?:[^/]+/){2}wiki/(?:(?:[^/]+/|)_history|[^/]+(?:/_compare|)/[0-9a-f.]{40,})\b
+# githubusercontent
+/[-a-z0-9]+\.githubusercontent\.com/[-a-zA-Z0-9?&=_\/.]*
+# githubassets
+\bgithubassets.com/[0-9a-f]+(?:[-/\w.]+)
+# gist github
+\bgist\.github\.com/[^/\s"]+/[0-9a-f]+
+# git.io
+\bgit\.io/[0-9a-zA-Z]+
+# GitHub JSON
+"node_id": "[-a-zA-Z=;:/0-9+]*"
+# Contributor
+\[[^\]]+\]\(https://github\.com/[^/\s"]+\)
+# GHSA
+GHSA(?:-[0-9a-z]{4}){3}
+
+# GitLab commit
+\bgitlab\.[^/\s"]*/\S+/\S+/commit/[0-9a-f]{7,16}#[0-9a-f]{40}\b
+# GitLab merge requests
+\bgitlab\.[^/\s"]*/\S+/\S+/-/merge_requests/\d+/diffs#[0-9a-f]{40}\b
+# GitLab uploads
+\bgitlab\.[^/\s"]*/uploads/[-a-zA-Z=;:/0-9+]*
+# GitLab commits
+\bgitlab\.[^/\s"]*/(?:[^/\s"]+/){2}commits?/[0-9a-f]+\b
+
+# binanace
+accounts.binance.com/[a-z/]*oauth/authorize\?[-0-9a-zA-Z&%]*
+
+# bitbucket diff
+\bapi\.bitbucket\.org/\d+\.\d+/repositories/(?:[^/\s"]+/){2}diff(?:stat|)(?:/[^/\s"]+){2}:[0-9a-f]+
+# bitbucket repositories commits
+\bapi\.bitbucket\.org/\d+\.\d+/repositories/(?:[^/\s"]+/){2}commits?/[0-9a-f]+
+# bitbucket commits
+\bbitbucket\.org/(?:[^/\s"]+/){2}commits?/[0-9a-f]+
+
+# bit.ly
+\bbit\.ly/\w+
+
+# bitrise
+\bapp\.bitrise\.io/app/[0-9a-f]*/[\w.?=&]*
+
+# bootstrapcdn.com
+\bbootstrapcdn\.com/[-./\w]+
+
+# cdn.cloudflare.com
+\bcdnjs\.cloudflare\.com/[./\w]+
+
+# circleci
+\bcircleci\.com/gh(?:/[^/\s"]+){1,5}.[a-z]+\?[-0-9a-zA-Z=&]+
+
+# gitter
+\bgitter\.im(?:/[^/\s"]+){2}\?at=[0-9a-f]+
+
+# gravatar
+\bgravatar\.com/avatar/[0-9a-f]+
+
+# ibm
+[a-z.]*ibm\.com/[-_#=:%!?~.\\/\d\w]*
+
+# imgur
+\bimgur\.com/[^.]+
+
+# Internet Archive
+\barchive\.org/web/\d+/(?:[-\w.?,'/\\+&%$#_:]*)
+
+# discord
+/discord(?:app\.com|\.gg)/(?:invite/)?[a-zA-Z0-9]{7,}
+
+# Disqus
+\bdisqus\.com/[-\w/%.()!?&=_]*
+
+# medium link
+\blink\.medium\.com/[a-zA-Z0-9]+
+# medium
+\bmedium\.com/\@?[^/\s"]+/[-\w]+
+
+# microsoft
+\b(?:https?://|)(?:(?:download\.visualstudio|docs|msdn2?|research)\.microsoft|blogs\.msdn)\.com/[-_a-zA-Z0-9()=./%]*
+# powerbi
+\bapp\.powerbi\.com/reportEmbed/[^"' ]*
+# vs devops
+\bvisualstudio.com(?::443|)/[-\w/?=%&.]*
+# microsoft store
+\bmicrosoft\.com/store/apps/\w+
+
+# mvnrepository.com
+\bmvnrepository\.com/[-0-9a-z./]+
+
+# now.sh
+/[0-9a-z-.]+\.now\.sh\b
+
+# oracle
+\bdocs\.oracle\.com/[-0-9a-zA-Z./_?#&=]*
+
+# chromatic.com
+/\S+.chromatic.com\S*[")]
+
+# codacy
+\bapi\.codacy\.com/project/badge/Grade/[0-9a-f]+
+
+# compai
+\bcompai\.pub/v1/png/[0-9a-f]+
+
+# mailgun api
+\.api\.mailgun\.net/v3/domains/[0-9a-z]+\.mailgun.org/messages/[0-9a-zA-Z=@]*
+# mailgun
+\b[0-9a-z]+.mailgun.org
+
+# /message-id/
+/message-id/[-\w@./%]+
+
+# Reddit
+\breddit\.com/r/[/\w_]*
+
+# requestb.in
+\brequestb\.in/[0-9a-z]+
+
+# sched
+\b[a-z0-9]+\.sched\.com\b
+
+# Slack url
+slack://[a-zA-Z0-9?&=]+
+# Slack
+\bslack\.com/[-0-9a-zA-Z/_~?&=.]*
+# Slack edge
+\bslack-edge\.com/[-a-zA-Z0-9?&=%./]+
+# Slack images
+\bslack-imgs\.com/[-a-zA-Z0-9?&=%.]+
+
+# shields.io
+\bshields\.io/[-\w/%?=&.:+;,]*
+
+# stackexchange -- https://stackexchange.com/feeds/sites
+\b(?:askubuntu|serverfault|stack(?:exchange|overflow)|superuser).com/(?:questions/\w+/[-\w]+|a/)
+
+# Sentry
+[0-9a-f]{32}\@o\d+\.ingest\.sentry\.io\b
+
+# Twitter markdown
+\[\@[^[/\]:]*?\]\(https://twitter.com/[^/\s"')]*(?:/status/\d+(?:\?[-_0-9a-zA-Z&=]*|)|)\)
+# Twitter hashtag
+\btwitter\.com/hashtag/[\w?_=&]*
+# Twitter status
+\btwitter\.com/[^/\s"')]*(?:/status/\d+(?:\?[-_0-9a-zA-Z&=]*|)|)
+# Twitter profile images
+\btwimg\.com/profile_images/[_\w./]*
+# Twitter media
+\btwimg\.com/media/[-_\w./?=]*
+# Twitter link shortened
+\bt\.co/\w+
+
+# facebook
+\bfburl\.com/[0-9a-z_]+
+# facebook CDN
+\bfbcdn\.net/[\w/.,]*
+# facebook watch
+\bfb\.watch/[0-9A-Za-z]+
+
+# dropbox
+\bdropbox\.com/sh?/[^/\s"]+/[-0-9A-Za-z_.%?=&;]+
+
+# ipfs protocol
+ipfs://[0-9a-z]*
+# ipfs url
+/ipfs/[0-9a-z]*
+
+# w3
+\bw3\.org/[-0-9a-zA-Z/#.]+
+
+# loom
+\bloom\.com/embed/[0-9a-f]+
+
+# regex101
+\bregex101\.com/r/[^/\s"]+/\d+
+
+# figma
+\bfigma\.com/file(?:/[0-9a-zA-Z]+/)+
+
+# freecodecamp.org
+\bfreecodecamp\.org/[-\w/.]+
+
+# image.tmdb.org
+\bimage\.tmdb\.org/[/\w.]+
+
+# mermaid
+\bmermaid\.ink/img/[-\w]+|\bmermaid-js\.github\.io/mermaid-live-editor/#/edit/[-\w]+
+
+# Wikipedia
+\ben\.wikipedia\.org/wiki/[-\w%.#]+
+
+# gitweb
+[^"\s]+/gitweb/\S+;h=[0-9a-f]+
+
+# HyperKitty lists
+/archives/list/[^@/]+\@[^/\s"]*/message/[^/\s"]*/
+
+# lists
+/thread\.html/[^"\s]+
+
+# list-management
+\blist-manage\.com/subscribe(?:[?&](?:u|id)=[0-9a-f]+)+
+
+# kubectl.kubernetes.io/last-applied-configuration
+"kubectl.kubernetes.io/last-applied-configuration": ".*"
+
+# pgp
+\bgnupg\.net/pks/lookup[?&=0-9a-zA-Z]*
+
+# Spotify
+\bopen\.spotify\.com/embed/playlist/\w+
+
+# Mastodon
+\bmastodon\.[-a-z.]*/(?:media/|\@)[?&=0-9a-zA-Z_]*
+
+# scastie
+\bscastie\.scala-lang\.org/[^/]+/\w+
+
+# images.unsplash.com
+\bimages\.unsplash\.com/(?:(?:flagged|reserve)/|)[-\w./%?=%&.;]+
+
+# pastebin
+\bpastebin\.com/[\w/]+
+
+# heroku
+\b\w+\.heroku\.com/source/archive/\w+
+
+# quip
+\b\w+\.quip\.com/\w+(?:(?:#|/issues/)\w+)?
+
+# badgen.net
+\bbadgen\.net/badge/[^")\]'\s]+
+
+# statuspage.io
+\w+\.statuspage\.io\b
+
+# media.giphy.com
+\bmedia\.giphy\.com/media/[^/]+/[\w.?&=]+
+
+# tinyurl
+\btinyurl\.com/\w+
+
+# getopts
+\bgetopts\s+(?:"[^"]+"|'[^']+')
+
+# ANSI color codes
+(?:\\(?:u00|x)1b|\x1b)\[\d+(?:;\d+|)m
+
+# URL escaped characters
+\%[0-9A-F][A-F]
+# IPv6
+\b(?:[0-9a-fA-F]{0,4}:){3,7}[0-9a-fA-F]{0,4}\b
+# c99 hex digits (not the full format, just one I've seen)
+0x[0-9a-fA-F](?:\.[0-9a-fA-F]*|)[pP]
+# Punycode
+\bxn--[-0-9a-z]+
+# sha
+sha\d+:[0-9]*[a-f]{3,}[0-9a-f]*
+# sha-... -- uses a fancy capture
+(['"]|&quot;)[0-9a-f]{40,}\g{-1}
+# hex runs
+\b[0-9a-fA-F]{16,}\b
+# hex in url queries
+=[0-9a-fA-F]*?(?:[A-F]{3,}|[a-f]{3,})[0-9a-fA-F]*?&
+# ssh
+(?:ssh-\S+|-nistp256) [-a-zA-Z=;:/0-9+]{12,}
+
+# PGP
+\b(?:[0-9A-F]{4} ){9}[0-9A-F]{4}\b
+# GPG keys
+\b(?:[0-9A-F]{4} ){5}(?: [0-9A-F]{4}){5}\b
+# Well known gpg keys
+.well-known/openpgpkey/[\w./]+
+
+# uuid:
+\b[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}\b
+# hex digits including css/html color classes:
+(?:[\\0][xX]|\\u|[uU]\+|#x?|\%23)[0-9_a-fA-FgGrR]*?[a-fA-FgGrR]{2,}[0-9_a-fA-FgGrR]*(?:[uUlL]{0,3}|u\d+)\b
+# integrity
+integrity="sha\d+-[-a-zA-Z=;:/0-9+]{40,}"
+
+# https://www.gnu.org/software/groff/manual/groff.html
+# man troff content
+\\f[BCIPR]
+# '
+\\\(aq
+
+# .desktop mime types
+^MimeTypes?=.*$
+# .desktop localized entries
+^[A-Z][a-z]+\[[a-z]+\]=.*$
+# Localized .desktop content
+Name\[[^\]]+\]=.*
+
+# IServiceProvider
+\bI(?=(?:[A-Z][a-z]{2,})+\b)
+
+# crypt
+"\$2[ayb]\$.{56}"
+
+# scrypt / argon
+\$(?:scrypt|argon\d+[di]*)\$\S+
+
+# Input to GitHub JSON
+content: "[-a-zA-Z=;:/0-9+]*="
+
+# Python stringprefix / binaryprefix
+# Note that there's a high false positive rate, remove the `?=` and search for the regex to see if the matches seem like reasonable strings
+(?<!')\b(?:B|BR|Br|F|FR|Fr|R|RB|RF|Rb|Rf|U|UR|Ur|b|bR|br|f|fR|fr|r|rB|rF|rb|rf|u|uR|ur)'(?:[A-Z]{3,}|[A-Z][a-z]{2,}|[a-z]{3,})
+
+# Regular expressions for (P|p)assword
+\([A-Z]\|[a-z]\)[a-z]+
+
+# JavaScript regular expressions
+# javascript test regex
+/.*/[gim]*\.test\(
+# javascript match regex
+\.match\(/[^/\s"]*/[gim]*\s*
+# javascript match regex
+\.match\(/\\[b].*?/[gim]*\s*\)(?:;|$)
+# javascript regex
+^\s*/\\[b].*/[gim]*\s*(?:\)(?:;|$)|,$)
+# javascript replace regex
+\.replace\(/[^/\s"]*/[gim]*\s*,
+
+# Go regular expressions
+regexp?\.MustCompile\(`[^`]*`\)
+
+# sed regular expressions
+sed 's/(?:[^/]*?[a-zA-Z]{3,}[^/]*?/){2}
+
+# go install
+go install(?:\s+[a-z]+\.[-@\w/.]+)+
+
+# kubernetes pod status lists
+# https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#pod-phase
+\w+(?:-\w+)+\s+\d+/\d+\s+(?:Running|Pending|Succeeded|Failed|Unknown)\s+
+
+# kubectl - pods in CrashLoopBackOff
+\w+-[0-9a-f]+-\w+\s+\d+/\d+\s+CrashLoopBackOff\s+
+
+# kubernetes object suffix
+-[0-9a-f]{10}-\w{5}\s
+
+# posthog secrets
+posthog\.init\((['"])phc_[^"',]+\g{-1},
+
+# xcode
+
+# xcodeproject scenes
+(?:Controller|ID|id)="\w{3}-\w{2}-\w{3}"
+
+# xcode api botches
+customObjectInstantitationMethod
+
+# font awesome classes
+\.fa-[-a-z0-9]+
+
+# Update Lorem based on your content (requires `ge` and `w` from https://github.com/jsoref/spelling; and `review` from https://github.com/check-spelling/check-spelling/wiki/Looking-for-items-locally )
+# grep '^[^#].*lorem' .github/actions/spelling/patterns.txt|perl -pne 's/.*i..\?://;s/\).*//' |tr '|' "\n"|sort -f |xargs -n1 ge|perl -pne 's/^[^:]*://'|sort -u|w|sed -e 's/ .*//'|w|review -
+# Warning, while `(?i)` is very neat and fancy, if you have some binary files that aren't proper unicode, you might run into:
+## Operation "substitution (s///)" returns its argument for non-Unicode code point 0x1C19AE (the code point will vary).
+## You could manually change `(?i)X...` to use `[Xx]...`
+## or you could add the files to your `excludes` file (a version after 0.0.19 should identify the file path)
+# Lorem
+(?:\w|\s|[,.])*\b(?i)(?:amet|consectetur|cursus|dolor|eros|ipsum|lacus|libero|ligula|lorem|magna|neque|nulla|suscipit|tempus)\b(?:\w|\s|[,.])*
+
+# Non-English
+[a-zA-Z]*[ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖØÙÚÛÜÝßàáâãäåæçèéêëìíîïðñòóôõöøùúûüýÿĀāŁłŃńŅņŒœŚśŠšŜŝŸŽžź][a-zA-Z]{3}[a-zA-ZÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖØÙÚÛÜÝßàáâãäåæçèéêëìíîïðñòóôõöøùúûüýÿĀāŁłŃńŅņŒœŚśŠšŜŝŸŽžź]*
+
+# French
+# This corpus only had capital letters, but you probably want lowercase ones as well.
+\b[LN]'+[a-z]{2,}\b
+
+# latex
+\\(?:n(?:ew|ormal|osub)|r(?:enew)|t(?:able(?:of|)|he|itle))(?=[a-z]+)
+
+# the negative lookahead here is to allow catching 'templatesz' as a misspelling
+# but to otherwise recognize a Windows path with \templates\foo.template or similar:
+\\(?:necessary|r(?:eport|esolve[dr]?|esult)|t(?:arget|emplates?))(?![a-z])
+# ignore long runs of a single character:
+\b([A-Za-z])\g{-1}{3,}\b
+# Note that the next example is no longer necessary if you are using
+# to match a string starting with a `#`, use a character-class:
+[#]backwards
+# version suffix <word>v#
+(?:(?<=[A-Z]{2})V|(?<=[a-z]{2}|[A-Z]{2})v)\d+(?:\b|(?=[a-zA-Z_]))
+# Compiler flags (Scala)
+(?:^|[\t ,>"'`=(])-J-[DPWXY](?=[A-Z]{2,}|[A-Z][a-z]|[a-z]{2,})
+# Compiler flags
+#(?:^|[\t ,"'`=(])-[DPWXYLlf](?=[A-Z]{2,}|[A-Z][a-z]|[a-z]{2,})
+
+# Compiler flags (linker)
+,-B
+# curl arguments
+\b(?:\\n|)curl(?:\s+-[a-zA-Z]{1,2}\b)*(?:\s+-[a-zA-Z]{3,})(?:\s+-[a-zA-Z]+)*
+# set arguments
+\bset(?:\s+-[abefimouxE]{1,2})*\s+-[abefimouxE]{3,}(?:\s+-[abefimouxE]+)*
+# tar arguments
+\b(?:\\n|)g?tar(?:\.exe|)(?:(?:\s+--[-a-zA-Z]+|\s+-[a-zA-Z]+|\s[ABGJMOPRSUWZacdfh-pr-xz]+\b)(?:=[^ ]*|))+
+# tput arguments -- https://man7.org/linux/man-pages/man5/terminfo.5.html -- technically they can be more than 5 chars long...
+\btput\s+(?:(?:-[SV]|-T\s*\w+)\s+)*\w{3,5}\b
+# macOS temp folders
+/var/folders/\w\w/[+\w]+/(?:T|-Caches-)/

.github/actions/spelling/excludes.txt

@@ -1,28 +1,39 @@
+# See https://github.com/check-spelling/check-spelling/wiki/Configuration-Examples:-excludes
 (?:(?i)\.png$)
+(?:^|/)(?i)COPYRIGHT
+(?:^|/)(?i)LICEN[CS]E
+(?:^|/)3rdparty/
 (?:^|/)dirs$
 (?:^|/)go\.mod$
 (?:^|/)go\.sum$
-(?:^|/)package-lock\.json$
+(?:^|/)package(?:-lock|)\.json$
 (?:^|/)sources(?:|\.dep)$
-SUMS$
+(?:^|/)vendor/
+\.a$
 \.ai$
+\.avi$
 \.bmp$
+\.bz2$
 \.cer$
 \.class$
 \.crl$
 \.crt$
 \.csr$
 \.dll$
+\.docx?$
+\.drawio$
 \.DS_Store$
 \.eot$
 \.eps$
 \.exe$
 \.gif$
+\.gitattributes$
 \.graffle$
 \.gz$
 \.icns$
 \.ico$
 \.jar$
+\.jks$
 \.jpeg$
 \.jpg$
 \.key$
@@ -30,28 +41,53 @@ SUMS$
 \.lock$
 \.map$
 \.min\..
+\.mod$
 \.mp3$
 \.mp4$
+\.o$
+\.ocf$
 \.otf$
 \.pbxproj$
 \.pdf$
 \.pem$
+\.png$
 \.psd$
+\.pyc$
 \.runsettings$
+\.s$
 \.sig$
 \.so$
 \.svg$
 \.svgz$
+\.svgz?$
 \.tar$
 \.tgz$
+\.tiff?$
 \.ttf$
 \.vsdx$
+\.wav$
+\.webm$
+\.webp$
 \.woff
+\.woff2?$
 \.xcf$
 \.xls
+\.xlsx?$
 \.xpm$
 \.yml$
 \.zip$
+^\.github/actions/spelling/
+^\.github/fabricbot.json$
+^\.gitignore$
+^\Q.git-blame-ignore-revs\E$
+^\Q.github/workflows/spelling.yml\E$
+^\Qdoc/reference/windows-terminal-logo.ans\E$
+^\Qsamples/ConPTY/EchoCon/EchoCon/EchoCon.vcxproj.filters\E$
+^\Qsrc/host/exe/Host.EXE.vcxproj.filters\E$
+^\Qsrc/host/ft_host/chafa.txt\E$
+^\Qsrc/tools/closetest/CloseTest.vcxproj.filters\E$
+^\XamlStyler.json$
+^build/config/
 ^consolegit2gitfilters\.json$
 ^dep/
 ^doc/reference/master-sequence-list.csv$
@@ -61,6 +97,7 @@ SUMS$
 ^src/host/runft\.bat$
 ^src/host/runut\.bat$
 ^src/interactivity/onecore/BgfxEngine\.
+^src/renderer/atlas/
 ^src/renderer/wddmcon/WddmConRenderer\.
 ^src/terminal/adapter/ut_adapter/run\.bat$
 ^src/terminal/parser/delfuzzpayload\.bat$
@@ -75,6 +112,6 @@ SUMS$
 ^src/tools/texttests/fira\.txt$
 ^src/tools/U8U16Test/(?:fr|ru|zh)\.txt$
 ^src/types/ut_types/UtilsTests.cpp$
-^\.github/actions/spelling/
-^\.gitignore$
-^\XamlStyler.json$
+^tools/ReleaseEngineering/ServicingPipeline.ps1$
+ignore$
+SUMS$

.github/actions/spelling/expect/alphabet.txt

@@ -5,26 +5,19 @@ AAAAAABBBBBBCCC
 AAAAABBBBBBCCC
 abcd
 abcd
-abcde
-abcdef
-ABCDEFG
-ABCDEFGH
 ABCDEFGHIJ
 abcdefghijk
 ABCDEFGHIJKLMNO
 abcdefghijklmnop
 ABCDEFGHIJKLMNOPQRST
-abcdefghijklmnopqrstuvwxyz
 ABCG
 ABE
 abf
 BBBBB
 BBBBBBBB
-BBBBBBBBBBBBBBDDDD
 BBBBBCCC
 BBBBCCCCC
 BBGGRR
-CCE
 EFG
 EFGh
 QQQQQQQQQQABCDEFGHIJ
@@ -33,7 +26,6 @@ QQQQQQQQQQABCDEFGHIJKLMNOPQRSTQQQQQQQQQQ
 QQQQQQQQQQABCDEFGHIJPQRSTQQQQQQQQQQ
 qrstuvwxyz
 qwerty
-QWERTYUIOP
 qwertyuiopasdfg
 YYYYYYYDDDDDDDDDDD
 ZAAZZ

.github/actions/spelling/expect/web.txt

@@ -1,19 +1,6 @@
-http
-www
-easyrgb
-php
-ecma
-rapidtables
 WCAG
-freedesktop
-ycombinator
-robertelder
-kovidgoyal
-leonerd
-fixterms
 winui
 appshellintegration
 mdtauk
-cppreference
 gfycat
 Guake

.github/actions/spelling/line_forbidden.patterns

@@ -0,0 +1,62 @@
+# reject `m_data` as there's a certain OS which has evil defines that break things if it's used elsewhere
+# \bm_data\b
+
+# If you have a framework that uses `it()` for testing and `fit()` for debugging a specific test,
+# you might not want to check in code where you were debugging w/ `fit()`, in which case, you might want
+# to use this:
+#\bfit\(
+
+# s.b. GitHub
+\bGithub\b
+
+# s.b. GitLab
+\bGitlab\b
+
+# s.b. JavaScript
+\bJavascript\b
+
+# s.b. Microsoft
+\bMicroSoft\b
+
+# s.b. another
+\ban[- ]other\b
+
+# s.b. greater than
+\bgreater then\b
+
+# s.b. into
+#\sin to\s
+
+# s.b. opt-in
+\sopt in\s
+
+# s.b. less than
+\bless then\b
+
+# s.b. otherwise
+\bother[- ]wise\b
+
+# s.b. nonexistent
+\bnon existing\b
+\b[Nn]o[nt][- ]existent\b
+
+# s.b. preexisting
+[Pp]re[- ]existing
+
+# s.b. preempt
+[Pp]re[- ]empt\b
+
+# s.b. preemptively
+[Pp]re[- ]emptively
+
+# s.b. reentrancy
+[Rr]e[- ]entrancy
+
+# s.b. reentrant
+[Rr]e[- ]entrant
+
+# s.b. workaround(s)
+#\bwork[- ]arounds?\b
+
+# Reject duplicate words
+\s([A-Z]{3,}|[A-Z][a-z]{2,}|[a-z]{3,})\s\g{-1}\s

.github/actions/spelling/patterns/patterns.txt

@@ -1,11 +1,6 @@
-https://(?:(?:[-a-zA-Z0-9?&=]*\.|)microsoft\.com)/[-a-zA-Z0-9?&=_#\/.]*
-https://aka\.ms/[-a-zA-Z0-9?&=\/_]*
-https://www\.itscj\.ipsj\.or\.jp/iso-ir/[-0-9]+\.pdf
-https://www\.vt100\.net/docs/[-a-zA-Z0-9#_\/.]*
-https://www.w3.org/[-a-zA-Z0-9?&=\/_#]*
-https://(?:(?:www\.|)youtube\.com|youtu.be)/[-a-zA-Z0-9?&=]*
-https://(?:[a-z-]+\.|)github(?:usercontent|)\.com/[-a-zA-Z0-9?%&=_\/.]*
-https://www.xfree86.org/[-a-zA-Z0-9?&=\/_#]*
+# See https://github.com/check-spelling/check-spelling/wiki/Configuration-Examples:-patterns
+
+https?://\S+
 [Pp]ublicKeyToken="?[0-9a-fA-F]{16}"?
 (?:[{"]|UniqueIdentifier>)[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}(?:[}"]|</UniqueIdentifier)
 (?:0[Xx]|\\x|U\+|#)[a-f0-9A-FGgRr]{2,}[Uu]?[Ll]{0,2}\b
@@ -25,3 +20,77 @@ std::memory_order_[\w]+
 D2DERR_SHADER_COMPILE_FAILED
 TIL_FEATURE_[0-9A-Z_]+
 vcvars\w*
+ROY\sG\.\sBIV
+!(?:(?i)ESC)!\[
+!(?:(?i)CSI)!(?:\d+(?:;\d+|)m|[ABCDF])
+
+# Python stringprefix / binaryprefix
+\b(?:B|BR|Br|F|FR|Fr|R|RB|RF|Rb|Rf|U|UR|Ur|b|bR|br|f|fR|fr|r|rB|rF|rb|rf|u|uR|ur)'
+
+# Automatically suggested patterns
+# hit-count: 3831 file-count: 582
+# IServiceProvider
+\bI(?=(?:[A-Z][a-z]{2,})+\b)
+
+# hit-count: 71 file-count: 35
+# Compiler flags
+(?:^|[\t ,"'`=(])-[D](?=[A-Z]{2,}|[A-Z][a-z])
+(?:^|[\t ,"'`=(])-[X](?=[A-Z]{2,}|[A-Z][a-z]|[a-z]{2,})
+
+# hit-count: 41 file-count: 28
+# version suffix <word>v#
+(?:(?<=[A-Z]{2})V|(?<=[a-z]{2}|[A-Z]{2})v)\d+(?:\b|(?=[a-zA-Z_]))
+
+# hit-count: 20 file-count: 9
+# hex runs
+\b[0-9a-fA-F]{16,}\b
+
+# hit-count: 10 file-count: 7
+# uuid:
+\b[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}\b
+
+# hit-count: 4 file-count: 4
+# mailto urls
+mailto:[-a-zA-Z=;:/?%&0-9+@.]{3,}
+
+# hit-count: 4 file-count: 1
+# ANSI color codes
+(?:\\(?:u00|x)1b|\x1b)\[\d+(?:;\d+|)m
+
+# hit-count: 2 file-count: 1
+# latex
+\\(?:n(?:ew|ormal|osub)|r(?:enew)|t(?:able(?:of|)|he|itle))(?=[a-z]+)
+
+# hit-count: 1 file-count: 1
+# hex digits including css/html color classes:
+(?:[\\0][xX]|\\u|[uU]\+|#x?|\%23)[0-9_a-fA-FgGrR]*?[a-fA-FgGrR]{2,}[0-9_a-fA-FgGrR]*(?:[uUlL]{0,3}|u\d+)\b
+
+# hit-count: 1 file-count: 1
+# Non-English
+[a-zA-Z]*[ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖØÙÚÛÜÝßàáâãäåæçèéêëìíîïðñòóôõöøùúûüýÿĀāŁłŃńŅņŒœŚśŠšŜŝŸŽžź][a-zA-Z]{3}[a-zA-ZÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖØÙÚÛÜÝßàáâãäåæçèéêëìíîïðñòóôõöøùúûüýÿĀāŁłŃńŅņŒœŚśŠšŜŝŸŽžź]*
+
+# hit-count: 1 file-count: 1
+# French
+# This corpus only had capital letters, but you probably want lowercase ones as well.
+\b[LN]'+[a-z]{2,}\b
+
+# acceptable duplicates
+# ls directory listings
+[-bcdlpsw](?:[-r][-w][-sx]){3}\s+\d+\s+(\S+)\s+\g{-1}\s+\d+\s+
+# C/idl types + English ...
+\s(Guid|long|LONG|that) \g{-1}\s
+
+# javadoc / .net
+(?:[\\@](?:groupname|param)|(?:public|private)(?:\s+static|\s+readonly)*)\s+(\w+)\s+\g{-1}\s
+
+# Commit message -- Signed-off-by and friends
+^\s*(?:(?:Based-on-patch|Co-authored|Helped|Mentored|Reported|Reviewed|Signed-off)-by|Thanks-to): (?:[^<]*<[^>]*>|[^<]*)\s*$
+
+# Autogenerated revert commit message
+^This reverts commit [0-9a-f]{40}\.$
+
+# vtmode
+--vtmode\s+(\w+)\s+\g{-1}\s
+
+# ignore long runs of a single character:
+\b([A-Za-z])\g{-1}{3,}\b

.github/actions/spelling/reject.txt

@@ -1,22 +1,12 @@
 ^attache$
 ^attacher$
 ^attachers$
-^spae$
-^spaebook$
-^spaecraft$
-^spaed$
-^spaedom$
-^spaeing$
-^spaeings$
-^spae-man$
-^spaeman$
-^spaer$
-^Spaerobee$
-^spaes$
-^spaewife$
-^spaewoman$
-^spaework$
-^spaewright$
-^wether$
-^wethers$
-^wetherteg$
+benefitting
+occurences?
+^dependan.*
+^oer$
+Sorce
+^[Ss]pae.*
+^untill$
+^untilling$
+^wether.*

.github/workflows/spelling2.yml

@@ -1,20 +1,134 @@
 # spelling.yml is blocked per https://github.com/check-spelling/check-spelling/security/advisories/GHSA-g86g-chm8-7r2p
 name: Spell checking
+
+# Comment management is handled through a secondary job, for details see:
+# https://github.com/check-spelling/check-spelling/wiki/Feature%3A-Restricted-Permissions
+#
+# `jobs.comment-push` runs when a push is made to a repository and the `jobs.spelling` job needs to make a comment
+#   (in odd cases, it might actually run just to collapse a commment, but that's fairly rare)
+#   it needs `contents: write` in order to add a comment.
+#
+# `jobs.comment-pr` runs when a pull_request is made to a repository and the `jobs.spelling` job needs to make a comment
+#   or collapse a comment (in the case where it had previously made a comment and now no longer needs to show a comment)
+#   it needs `pull-requests: write` in order to manipulate those comments.
+
+# Updating pull request branches is managed via comment handling.
+# For details, see: https://github.com/check-spelling/check-spelling/wiki/Feature:-Update-expect-list
+#
+# These elements work together to make it happen:
+#
+# `on.issue_comment`
+#   This event listens to comments by users asking to update the metadata.
+#
+# `jobs.update`
+#   This job runs in response to an issue_comment and will push a new commit
+#   to update the spelling metadata.
+#
+# `with.experimental_apply_changes_via_bot`
+#   Tells the action to support and generate messages that enable it
+#   to make a commit to update the spelling metadata.
+#
+# `with.ssh_key`
+#   In order to trigger workflows when the commit is made, you can provide a
+#   secret (typically, a write-enabled github deploy key).
+#
+#   For background, see: https://github.com/check-spelling/check-spelling/wiki/Feature:-Update-with-deploy-key
+
 on:
-  pull_request_target:
   push:
+    branches:
+    - "**"
+    tags-ignore:
+    - "**"
+  pull_request_target:
+    branches:
+    - "**"
+    tags-ignore:
+    - "**"
+    types:
+    - 'opened'
+    - 'reopened'
+    - 'synchronize'
+  issue_comment:
+    types:
+    - 'created'
 
 jobs:
   spelling:
     name: Spell checking
+    permissions:
+      contents: read
+      pull-requests: read
+      actions: read
+    outputs:
+      followup: ${{ steps.spelling.outputs.followup }}
     runs-on: ubuntu-latest
+    if: "contains(github.event_name, 'pull_request') || github.event_name == 'push'"
+    concurrency:
+      group: spelling-${{ github.event.pull_request.number || github.ref }}
+      # note: If you use only_check_changed_files, you do not want cancel-in-progress
+      cancel-in-progress: true
     steps:
-    - name: checkout-merge
-      if: "contains(github.event_name, 'pull_request')"
-      uses: actions/checkout@v2
+    - name: check-spelling
+      id: spelling
+      uses: check-spelling/check-spelling@v0.0.21
       with:
-        ref: refs/pull/${{github.event.pull_request.number}}/merge
-    - name: checkout
-      if: "!contains(github.event_name, 'pull_request')"
-      uses: actions/checkout@v2
-    - uses: check-spelling/check-spelling@v0.0.19
+        suppress_push_for_open_pull_request: 1
+        checkout: true
+        check_file_names: 1
+        spell_check_this: check-spelling/spell-check-this@prerelease
+        post_comment: 0
+        use_magic_file: 1
+        extra_dictionary_limit: 10
+        extra_dictionaries:
+          cspell:software-terms/src/software-terms.txt
+          cspell:python/src/python/python-lib.txt
+          cspell:node/node.txt
+          cspell:cpp/src/stdlib-c.txt
+          cspell:cpp/src/stdlib-cpp.txt
+          cspell:fullstack/fullstack.txt
+          cspell:filetypes/filetypes.txt
+          cspell:html/html.txt
+          cspell:cpp/src/compiler-msvc.txt
+          cspell:python/src/common/extra.txt
+          cspell:powershell/powershell.txt
+          cspell:aws/aws.txt
+          cspell:cpp/src/lang-keywords.txt
+          cspell:npm/npm.txt
+          cspell:dotnet/dotnet.txt
+          cspell:python/src/python/python.txt
+          cspell:css/css.txt
+          cspell:cpp/src/stdlib-cmath.txt
+        check_extra_dictionaries: ''
+
+  comment-push:
+    name: Report (Push)
+    # If your workflow isn't running on push, you can remove this job
+    runs-on: ubuntu-latest
+    needs: spelling
+    permissions:
+      contents: write
+    if: (success() || failure()) && needs.spelling.outputs.followup && github.event_name == 'push'
+    steps:
+    - name: comment
+      uses: check-spelling/check-spelling@v0.0.21
+      with:
+        checkout: true
+        spell_check_this: check-spelling/spell-check-this@prerelease
+        task: ${{ needs.spelling.outputs.followup }}
+
+  comment-pr:
+    name: Report (PR)
+    # If you workflow isn't running on pull_request*, you can remove this job
+    runs-on: ubuntu-latest
+    needs: spelling
+    permissions:
+      pull-requests: write
+    if: (success() || failure()) && needs.spelling.outputs.followup && contains(github.event_name, 'pull_request')
+    steps:
+    - name: comment
+      uses: check-spelling/check-spelling@v0.0.21
+      with:
+        checkout: true
+        spell_check_this: check-spelling/spell-check-this@prerelease
+        task: ${{ needs.spelling.outputs.followup }}

OpenConsole.sln

@@ -336,6 +336,8 @@ Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "WpfTerminalTestNetCore", "s
 EndProject
 Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "wt", "src\cascadia\wt\wt.vcxproj", "{506FD703-BAA7-4F6E-9361-64F550EC8FCA}"
 EndProject
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "elevate-shim", "src\cascadia\ElevateShim\elevate-shim.vcxproj", "{416FD703-BAA7-4F6E-9361-64F550EC8FCA}"
+EndProject
 Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Microsoft.Terminal.Settings.Editor", "src\cascadia\TerminalSettingsEditor\Microsoft.Terminal.Settings.Editor.vcxproj", "{CA5CAD1A-0B5E-45C3-96A8-BB496BFE4E32}"
 	ProjectSection(ProjectDependencies) = postProject
 		{CA5CAD1A-082C-4476-9F33-94B339494076} = {CA5CAD1A-082C-4476-9F33-94B339494076}
@@ -400,6 +402,8 @@ Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "WindowsTerminal.UIA.Tests",
 EndProject
 Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "api-ms-win-core-synch-l1-2-0", "src\api-ms-win-core-synch-l1-2-0\api-ms-win-core-synch-l1-2-0.vcxproj", "{9CF74355-F018-4C19-81AD-9DC6B7F2C6F5}"
 EndProject
+Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Utils", "Utils", "{61901E80-E97D-4D61-A9BB-E8F2FDA8B40C}"
+EndProject
 Global
 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
 		AuditMode|Any CPU = AuditMode|Any CPU
@@ -2803,6 +2807,43 @@ Global
 		{506FD703-BAA7-4F6E-9361-64F550EC8FCA}.Release|x64.Build.0 = Release|x64
 		{506FD703-BAA7-4F6E-9361-64F550EC8FCA}.Release|x86.ActiveCfg = Release|Win32
 		{506FD703-BAA7-4F6E-9361-64F550EC8FCA}.Release|x86.Build.0 = Release|Win32
+		{416FD703-BAA7-4F6E-9361-64F550EC8FCA}.AuditMode|Any CPU.ActiveCfg = AuditMode|Win32
+		{416FD703-BAA7-4F6E-9361-64F550EC8FCA}.AuditMode|ARM.ActiveCfg = AuditMode|Win32
+		{416FD703-BAA7-4F6E-9361-64F550EC8FCA}.AuditMode|ARM64.ActiveCfg = AuditMode|ARM64
+		{416FD703-BAA7-4F6E-9361-64F550EC8FCA}.AuditMode|ARM64.Build.0 = AuditMode|ARM64
+		{416FD703-BAA7-4F6E-9361-64F550EC8FCA}.AuditMode|DotNet_x64Test.ActiveCfg = AuditMode|Win32
+		{416FD703-BAA7-4F6E-9361-64F550EC8FCA}.AuditMode|DotNet_x86Test.ActiveCfg = AuditMode|Win32
+		{416FD703-BAA7-4F6E-9361-64F550EC8FCA}.AuditMode|x64.ActiveCfg = AuditMode|x64
+		{416FD703-BAA7-4F6E-9361-64F550EC8FCA}.AuditMode|x64.Build.0 = AuditMode|x64
+		{416FD703-BAA7-4F6E-9361-64F550EC8FCA}.AuditMode|x86.ActiveCfg = AuditMode|Win32
+		{416FD703-BAA7-4F6E-9361-64F550EC8FCA}.AuditMode|x86.Build.0 = AuditMode|Win32
+		{416FD703-BAA7-4F6E-9361-64F550EC8FCA}.Debug|Any CPU.ActiveCfg = Debug|Win32
+		{416FD703-BAA7-4F6E-9361-64F550EC8FCA}.Debug|ARM.ActiveCfg = Debug|Win32
+		{416FD703-BAA7-4F6E-9361-64F550EC8FCA}.Debug|ARM64.ActiveCfg = Debug|ARM64
+		{416FD703-BAA7-4F6E-9361-64F550EC8FCA}.Debug|ARM64.Build.0 = Debug|ARM64
+		{416FD703-BAA7-4F6E-9361-64F550EC8FCA}.Debug|DotNet_x64Test.ActiveCfg = Debug|Win32
+		{416FD703-BAA7-4F6E-9361-64F550EC8FCA}.Debug|DotNet_x86Test.ActiveCfg = Debug|Win32
+		{416FD703-BAA7-4F6E-9361-64F550EC8FCA}.Debug|x64.ActiveCfg = Debug|x64
+		{416FD703-BAA7-4F6E-9361-64F550EC8FCA}.Debug|x64.Build.0 = Debug|x64
+		{416FD703-BAA7-4F6E-9361-64F550EC8FCA}.Debug|x86.ActiveCfg = Debug|Win32
+		{416FD703-BAA7-4F6E-9361-64F550EC8FCA}.Debug|x86.Build.0 = Debug|Win32
+		{416FD703-BAA7-4F6E-9361-64F550EC8FCA}.Fuzzing|Any CPU.ActiveCfg = Fuzzing|Win32
+		{416FD703-BAA7-4F6E-9361-64F550EC8FCA}.Fuzzing|ARM.ActiveCfg = Fuzzing|Win32
+		{416FD703-BAA7-4F6E-9361-64F550EC8FCA}.Fuzzing|ARM64.ActiveCfg = Fuzzing|ARM64
+		{416FD703-BAA7-4F6E-9361-64F550EC8FCA}.Fuzzing|DotNet_x64Test.ActiveCfg = Fuzzing|Win32
+		{416FD703-BAA7-4F6E-9361-64F550EC8FCA}.Fuzzing|DotNet_x86Test.ActiveCfg = Fuzzing|Win32
+		{416FD703-BAA7-4F6E-9361-64F550EC8FCA}.Fuzzing|x64.ActiveCfg = Fuzzing|x64
+		{416FD703-BAA7-4F6E-9361-64F550EC8FCA}.Fuzzing|x86.ActiveCfg = Fuzzing|Win32
+		{416FD703-BAA7-4F6E-9361-64F550EC8FCA}.Release|Any CPU.ActiveCfg = Release|Win32
+		{416FD703-BAA7-4F6E-9361-64F550EC8FCA}.Release|ARM.ActiveCfg = Release|Win32
+		{416FD703-BAA7-4F6E-9361-64F550EC8FCA}.Release|ARM64.ActiveCfg = Release|ARM64
+		{416FD703-BAA7-4F6E-9361-64F550EC8FCA}.Release|ARM64.Build.0 = Release|ARM64
+		{416FD703-BAA7-4F6E-9361-64F550EC8FCA}.Release|DotNet_x64Test.ActiveCfg = Release|Win32
+		{416FD703-BAA7-4F6E-9361-64F550EC8FCA}.Release|DotNet_x86Test.ActiveCfg = Release|Win32
+		{416FD703-BAA7-4F6E-9361-64F550EC8FCA}.Release|x64.ActiveCfg = Release|x64
+		{416FD703-BAA7-4F6E-9361-64F550EC8FCA}.Release|x64.Build.0 = Release|x64
+		{416FD703-BAA7-4F6E-9361-64F550EC8FCA}.Release|x86.ActiveCfg = Release|Win32
+		{416FD703-BAA7-4F6E-9361-64F550EC8FCA}.Release|x86.Build.0 = Release|Win32
 		{CA5CAD1A-0B5E-45C3-96A8-BB496BFE4E32}.AuditMode|Any CPU.ActiveCfg = Release|x64
 		{CA5CAD1A-0B5E-45C3-96A8-BB496BFE4E32}.AuditMode|Any CPU.Build.0 = Release|x64
 		{CA5CAD1A-0B5E-45C3-96A8-BB496BFE4E32}.AuditMode|Any CPU.Deploy.0 = Release|x64
@@ -3403,7 +3444,7 @@ Global
 		{CA5CAD1A-9A12-429C-B551-8562EC954746} = {59840756-302F-44DF-AA47-441A9D673202}
 		{CA5CAD1A-B11C-4DDB-A4FE-C3AFAE9B5506} = {BDB237B6-1D1D-400F-84CC-40A58FA59C8E}
 		{48D21369-3D7B-4431-9967-24E81292CF63} = {05500DEF-2294-41E3-AF9A-24E580B82836}
-		{CA5CAD1A-039A-4929-BA2A-8BEB2E4106FE} = {59840756-302F-44DF-AA47-441A9D673202}
+		{CA5CAD1A-039A-4929-BA2A-8BEB2E4106FE} = {61901E80-E97D-4D61-A9BB-E8F2FDA8B40C}
 		{B0AC39D6-7B40-49A9-8202-58549BAE1FB1} = {59840756-302F-44DF-AA47-441A9D673202}
 		{58A03BB2-DF5A-4B66-91A0-7EF3BA01269A} = {E8F24881-5E37-4362-B191-A3BA0ED7F4EB}
 		{A22EC5F6-7851-4B88-AC52-47249D437A52} = {E8F24881-5E37-4362-B191-A3BA0ED7F4EB}
@@ -3416,10 +3457,11 @@ Global
 		{D3EF7B96-CD5E-47C9-B9A9-136259563033} = {04170EEF-983A-4195-BFEF-2321E5E38A1E}
 		{95B136F9-B238-490C-A7C5-5843C1FECAC4} = {05500DEF-2294-41E3-AF9A-24E580B82836}
 		{024052DE-83FB-4653-AEA4-90790D29D5BD} = {E8F24881-5E37-4362-B191-A3BA0ED7F4EB}
-		{067F0A06-FCB7-472C-96E9-B03B54E8E18D} = {59840756-302F-44DF-AA47-441A9D673202}
+		{067F0A06-FCB7-472C-96E9-B03B54E8E18D} = {61901E80-E97D-4D61-A9BB-E8F2FDA8B40C}
 		{6BAE5851-50D5-4934-8D5E-30361A8A40F3} = {81C352DB-1818-45B7-A284-18E259F1CC87}
 		{1588FD7C-241E-4E7D-9113-43735F3E6BAD} = {4DAF0299-495E-4CD1-A982-9BAC16A45932}
-		{506FD703-BAA7-4F6E-9361-64F550EC8FCA} = {59840756-302F-44DF-AA47-441A9D673202}
+		{506FD703-BAA7-4F6E-9361-64F550EC8FCA} = {61901E80-E97D-4D61-A9BB-E8F2FDA8B40C}
+		{416FD703-BAA7-4F6E-9361-64F550EC8FCA} = {61901E80-E97D-4D61-A9BB-E8F2FDA8B40C}
 		{CA5CAD1A-0B5E-45C3-96A8-BB496BFE4E32} = {77875138-BB08-49F9-8BB1-409C2150E0E1}
 		{CA5CAD1A-D7EC-4107-B7C6-79CB77AE2907} = {77875138-BB08-49F9-8BB1-409C2150E0E1}
 		{CA5CAD1A-082C-4476-9F33-94B339494076} = {77875138-BB08-49F9-8BB1-409C2150E0E1}
@@ -3438,6 +3480,7 @@ Global
 		{C323DAEE-B307-4C7B-ACE5-7293CBEFCB5B} = {BDB237B6-1D1D-400F-84CC-40A58FA59C8E}
 		{F19DACD5-0C6E-40DC-B6E4-767A3200542C} = {BDB237B6-1D1D-400F-84CC-40A58FA59C8E}
 		{9CF74355-F018-4C19-81AD-9DC6B7F2C6F5} = {89CDCC5C-9F53-4054-97A4-639D99F169CD}
+		{61901E80-E97D-4D61-A9BB-E8F2FDA8B40C} = {59840756-302F-44DF-AA47-441A9D673202}
 	EndGlobalSection
 	GlobalSection(ExtensibilityGlobals) = postSolution
 		SolutionGuid = {3140B1B7-C8EE-43D1-A772-D82A7061A271}

src/cascadia/CascadiaPackage/CascadiaPackage.wapproj

@@ -68,6 +68,7 @@
     <ProjectReference Include="..\TerminalAzBridge\TerminalAzBridge.vcxproj" />
     <ProjectReference Include="..\ShellExtension\WindowsTerminalShellExt.vcxproj" />
     <ProjectReference Include="..\wt\wt.vcxproj" />
+    <ProjectReference Include="..\ElevateShim\elevate-shim.vcxproj" />
   </ItemGroup>
 
   <Target Name="OpenConsoleStompSourceProjectForWapProject" BeforeTargets="_ConvertItems">

src/cascadia/ElevateShim/elevate-shim.cpp

@@ -0,0 +1,47 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
+
+#include <string>
+#include <filesystem>
+
+#define WIN32_LEAN_AND_MEAN
+#include <windows.h>
+#include <wil/stl.h>
+#include <wil/resource.h>
+#include <wil/win32_helpers.h>
+#include <shellapi.h>
+
+// BODGY
+//
+// If we try to do this in the Terminal itself, then there's a bunch of weird
+// things that can go wrong and prevent the elevated Terminal window from
+// getting created. Specifically, if the origin Terminal exits right away after
+// spawning the elevated WT, then ShellExecute might not successfully complete
+// the elevation. What's even more, the Terminal will mysteriously crash
+// somewhere in XAML land.
+//
+// To mitigate this, the Terminal will call into us with the commandline it
+// wants elevated. We'll hang around until ShellExecute is finished, so that the
+// process can successfully elevate.
+
+#pragma warning(suppress : 26461) // we can't change the signature of wWinMain
+int __stdcall wWinMain(HINSTANCE, HINSTANCE, LPWSTR pCmdLine, int)
+{
+    // All of the args passed to us (something like `new-tab -p {guid}`) are in
+    // pCmdLine
+
+    // Get the path to WindowsTerminal.exe, which should live next to us.
+    std::filesystem::path module{ wil::GetModuleFileNameW<std::wstring>(nullptr) };
+    // Swap elevate-shim.exe for WindowsTerminal.exe
+    module.replace_filename(L"WindowsTerminal.exe");
+
+    // Go!
+    SHELLEXECUTEINFOW seInfo{ 0 };
+    seInfo.cbSize = sizeof(seInfo);
+    seInfo.fMask = SEE_MASK_DEFAULT;
+    seInfo.lpVerb = L"runas"; // This asks the shell to elevate the process
+    seInfo.lpFile = module.c_str(); // This is `...\WindowsTerminal.exe`
+    seInfo.lpParameters = pCmdLine; // This is `new-tab -p {guid}`
+    seInfo.nShow = SW_SHOWNORMAL;
+    LOG_IF_WIN32_BOOL_FALSE(ShellExecuteExW(&seInfo));
+}

src/cascadia/ElevateShim/elevate-shim.rc

@@ -0,0 +1,69 @@
+// Microsoft Visual C++ generated resource script.
+//
+#include "resource.h"
+
+#define APSTUDIO_READONLY_SYMBOLS
+/////////////////////////////////////////////////////////////////////////////
+//
+// Generated from the TEXTINCLUDE 2 resource.
+//
+#include "winres.h"
+/////////////////////////////////////////////////////////////////////////////
+#undef APSTUDIO_READONLY_SYMBOLS
+
+/////////////////////////////////////////////////////////////////////////////
+// English (United States) resources
+
+#if !defined(AFX_RESOURCE_DLL) || defined(AFX_TARG_ENU)
+LANGUAGE LANG_ENGLISH, SUBLANG_ENGLISH_US
+#pragma code_page(1252)
+
+#ifdef APSTUDIO_INVOKED
+/////////////////////////////////////////////////////////////////////////////
+//
+// TEXTINCLUDE
+//
+
+1 TEXTINCLUDE 
+BEGIN
+    "resource.h\0"
+END
+
+2 TEXTINCLUDE 
+BEGIN
+    "#include ""winres.h""\0"
+END
+
+3 TEXTINCLUDE 
+BEGIN
+    "\r\n"
+    "\0"
+END
+
+#endif    // APSTUDIO_INVOKED
+
+
+/////////////////////////////////////////////////////////////////////////////
+//
+// Icon
+//
+
+// Icon with lowest ID value placed first to ensure application icon
+// remains consistent on all systems.
+IDI_APPICON             ICON                    "..\\..\\..\\res\\terminal.ico"
+
+#endif    // English (United States) resources
+/////////////////////////////////////////////////////////////////////////////
+
+
+
+#ifndef APSTUDIO_INVOKED
+/////////////////////////////////////////////////////////////////////////////
+//
+// Generated from the TEXTINCLUDE 3 resource.
+//
+
+
+/////////////////////////////////////////////////////////////////////////////
+#endif    // not APSTUDIO_INVOKED
+

src/cascadia/ElevateShim/elevate-shim.vcxproj

@@ -0,0 +1,34 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{416fd703-baa7-4f6e-9361-64f550ec8fca}</ProjectGuid>
+    <Keyword>Win32Proj</Keyword>
+    <RootNamespace>elevate-shim</RootNamespace>
+    <ProjectName>elevate-shim</ProjectName>
+    <TargetName>elevate-shim</TargetName>
+    <ConfigurationType>Application</ConfigurationType>
+  </PropertyGroup>
+
+  <Import Project="..\..\..\common.openconsole.props" Condition="'$(OpenConsoleDir)'==''" />
+  <Import Project="$(OpenConsoleDir)src\common.build.pre.props" />
+
+  <!-- Source Files -->
+  <ItemGroup>
+    <ClCompile Include="elevate-shim.cpp">
+      <PrecompiledHeader>NotUsing</PrecompiledHeader>
+    </ClCompile>
+  </ItemGroup>
+
+  <ItemGroup>
+    <ResourceCompile Include="elevate-shim.rc" />
+  </ItemGroup>
+
+  <Import Project="$(OpenConsoleDir)src\common.build.post.props" />
+
+  <ItemDefinitionGroup>
+    <Link>
+      <!-- Remove all non-onecore dependencies -->
+      <AdditionalDependencies>onecore.lib</AdditionalDependencies>
+    </Link>
+  </ItemDefinitionGroup>
+</Project>

src/cascadia/ElevateShim/resource.h

@@ -0,0 +1,16 @@
+//{{NO_DEPENDENCIES}}
+// Microsoft Visual C++ generated include file.
+// Used by wt.rc
+//
+#define IDI_APPICON 101
+
+// Next default values for new objects
+//
+#ifdef APSTUDIO_INVOKED
+#ifndef APSTUDIO_READONLY_SYMBOLS
+#define _APS_NEXT_RESOURCE_VALUE 102
+#define _APS_NEXT_COMMAND_VALUE 40001
+#define _APS_NEXT_CONTROL_VALUE 1001
+#define _APS_NEXT_SYMED_VALUE 101
+#endif
+#endif

src/cascadia/LocalTests_SettingsModel/pch.h

@@ -61,6 +61,9 @@ Author(s):
 // Manually include til after we include Windows.Foundation to give it winrt superpowers
 #include "til.h"
 
+#include <til/mutex.h>
+#include <til/throttled_func.h>
+
 // Common includes for most tests:
 #include "../../inc/argb.h"
 #include "../../inc/conattrs.hpp"

src/cascadia/LocalTests_TerminalApp/SettingsTests.cpp

@@ -69,6 +69,8 @@ namespace TerminalAppLocalTests
 
         TEST_METHOD(TestIterableColorSchemeCommands);
 
+        TEST_METHOD(TestElevateArg);
+
         TEST_CLASS_SETUP(ClassSetup)
         {
             return true;
@@ -1267,4 +1269,264 @@ namespace TerminalAppLocalTests
         }
     }
 
+    void SettingsTests::TestElevateArg()
+    {
+        static constexpr std::wstring_view settingsJson{ LR"(
+        {
+            "defaultProfile": "{6239a42c-0000-49a3-80bd-e8fdd045185c}",
+            "profiles": [
+                {
+                    "name": "profile0",
+                    "guid": "{6239a42c-0000-49a3-80bd-e8fdd045185c}",
+                    "commandline": "cmd.exe"
+                },
+                {
+                    "name": "profile1",
+                    "guid": "{6239a42c-1111-49a3-80bd-e8fdd045185c}",
+                    "elevate": true,
+                    "commandline": "pwsh.exe"
+                },
+                {
+                    "name": "profile2",
+                    "guid": "{6239a42c-2222-49a3-80bd-e8fdd045185c}",
+                    "elevate": false,
+                    "commandline": "wsl.exe"
+                }
+            ],
+            "keybindings": [
+                { "keys": ["ctrl+a"], "command": { "action": "newTab", "profile": "profile0" } },
+                { "keys": ["ctrl+b"], "command": { "action": "newTab", "profile": "profile1" } },
+                { "keys": ["ctrl+c"], "command": { "action": "newTab", "profile": "profile2" } },
+
+                { "keys": ["ctrl+d"], "command": { "action": "newTab", "profile": "profile0", "elevate": false } },
+                { "keys": ["ctrl+e"], "command": { "action": "newTab", "profile": "profile1", "elevate": false } },
+                { "keys": ["ctrl+f"], "command": { "action": "newTab", "profile": "profile2", "elevate": false } },
+
+                { "keys": ["ctrl+g"], "command": { "action": "newTab", "profile": "profile0", "elevate": true } },
+                { "keys": ["ctrl+h"], "command": { "action": "newTab", "profile": "profile1", "elevate": true } },
+                { "keys": ["ctrl+i"], "command": { "action": "newTab", "profile": "profile2", "elevate": true } },
+            ]
+        })" };
+
+        const winrt::guid guid0{ ::Microsoft::Console::Utils::GuidFromString(L"{6239a42c-0000-49a3-80bd-e8fdd045185c}") };
+        const winrt::guid guid1{ ::Microsoft::Console::Utils::GuidFromString(L"{6239a42c-1111-49a3-80bd-e8fdd045185c}") };
+        const winrt::guid guid2{ ::Microsoft::Console::Utils::GuidFromString(L"{6239a42c-2222-49a3-80bd-e8fdd045185c}") };
+
+        CascadiaSettings settings{ settingsJson, {} };
+
+        auto keymap = settings.GlobalSettings().ActionMap();
+        VERIFY_ARE_EQUAL(3u, settings.ActiveProfiles().Size());
+
+        const auto profile2Guid = settings.ActiveProfiles().GetAt(2).Guid();
+        VERIFY_ARE_NOT_EQUAL(winrt::guid{}, profile2Guid);
+
+        VERIFY_ARE_EQUAL(9u, keymap.KeyBindings().Size());
+
+        {
+            Log::Comment(L"profile.elevate=omitted, action.elevate=nullopt: don't auto elevate");
+
+            KeyChord kc{ true, false, false, false, static_cast<int32_t>('A'), 0 };
+            auto actionAndArgs = TestUtils::GetActionAndArgs(keymap, kc);
+            VERIFY_ARE_EQUAL(ShortcutAction::NewTab, actionAndArgs.Action());
+            const auto& realArgs = actionAndArgs.Args().try_as<NewTabArgs>();
+            VERIFY_IS_NOT_NULL(realArgs);
+            // Verify the args have the expected value
+            VERIFY_IS_NOT_NULL(realArgs.TerminalArgs());
+            VERIFY_IS_TRUE(realArgs.TerminalArgs().Commandline().empty());
+            VERIFY_IS_TRUE(realArgs.TerminalArgs().StartingDirectory().empty());
+            VERIFY_IS_TRUE(realArgs.TerminalArgs().TabTitle().empty());
+            VERIFY_IS_FALSE(realArgs.TerminalArgs().Profile().empty());
+            VERIFY_ARE_EQUAL(L"profile0", realArgs.TerminalArgs().Profile());
+            VERIFY_IS_NULL(realArgs.TerminalArgs().Elevate());
+
+            const auto termSettingsResult = TerminalSettings::CreateWithNewTerminalArgs(settings, realArgs.TerminalArgs(), nullptr);
+            const auto termSettings = termSettingsResult.DefaultSettings();
+            VERIFY_ARE_EQUAL(L"cmd.exe", termSettings.Commandline());
+            VERIFY_ARE_EQUAL(false, termSettings.Elevate());
+        }
+        {
+            Log::Comment(L"profile.elevate=true, action.elevate=nullopt: DO auto elevate");
+
+            KeyChord kc{ true, false, false, false, static_cast<int32_t>('B'), 0 };
+            auto actionAndArgs = TestUtils::GetActionAndArgs(keymap, kc);
+            VERIFY_ARE_EQUAL(ShortcutAction::NewTab, actionAndArgs.Action());
+            const auto& realArgs = actionAndArgs.Args().try_as<NewTabArgs>();
+            VERIFY_IS_NOT_NULL(realArgs);
+            // Verify the args have the expected value
+            VERIFY_IS_NOT_NULL(realArgs.TerminalArgs());
+            VERIFY_IS_TRUE(realArgs.TerminalArgs().Commandline().empty());
+            VERIFY_IS_TRUE(realArgs.TerminalArgs().StartingDirectory().empty());
+            VERIFY_IS_TRUE(realArgs.TerminalArgs().TabTitle().empty());
+            VERIFY_IS_FALSE(realArgs.TerminalArgs().Profile().empty());
+            VERIFY_ARE_EQUAL(L"profile1", realArgs.TerminalArgs().Profile());
+            VERIFY_IS_NULL(realArgs.TerminalArgs().Elevate());
+
+            const auto termSettingsResult = TerminalSettings::CreateWithNewTerminalArgs(settings, realArgs.TerminalArgs(), nullptr);
+            const auto termSettings = termSettingsResult.DefaultSettings();
+            VERIFY_ARE_EQUAL(L"pwsh.exe", termSettings.Commandline());
+            VERIFY_ARE_EQUAL(true, termSettings.Elevate());
+        }
+        {
+            Log::Comment(L"profile.elevate=false, action.elevate=nullopt: don't auto elevate");
+
+            KeyChord kc{ true, false, false, false, static_cast<int32_t>('C'), 0 };
+            auto actionAndArgs = TestUtils::GetActionAndArgs(keymap, kc);
+            VERIFY_ARE_EQUAL(ShortcutAction::NewTab, actionAndArgs.Action());
+            const auto& realArgs = actionAndArgs.Args().try_as<NewTabArgs>();
+            VERIFY_IS_NOT_NULL(realArgs);
+            // Verify the args have the expected value
+            VERIFY_IS_NOT_NULL(realArgs.TerminalArgs());
+            VERIFY_IS_TRUE(realArgs.TerminalArgs().Commandline().empty());
+            VERIFY_IS_TRUE(realArgs.TerminalArgs().StartingDirectory().empty());
+            VERIFY_IS_TRUE(realArgs.TerminalArgs().TabTitle().empty());
+            VERIFY_IS_FALSE(realArgs.TerminalArgs().Profile().empty());
+            VERIFY_ARE_EQUAL(L"profile2", realArgs.TerminalArgs().Profile());
+            VERIFY_IS_NULL(realArgs.TerminalArgs().Elevate());
+
+            const auto termSettingsResult = TerminalSettings::CreateWithNewTerminalArgs(settings, realArgs.TerminalArgs(), nullptr);
+            const auto termSettings = termSettingsResult.DefaultSettings();
+            VERIFY_ARE_EQUAL(L"wsl.exe", termSettings.Commandline());
+            VERIFY_ARE_EQUAL(false, termSettings.Elevate());
+        }
+
+        {
+            Log::Comment(L"profile.elevate=omitted, action.elevate=false: don't auto elevate");
+
+            KeyChord kc{ true, false, false, false, static_cast<int32_t>('D'), 0 };
+            auto actionAndArgs = TestUtils::GetActionAndArgs(keymap, kc);
+            VERIFY_ARE_EQUAL(ShortcutAction::NewTab, actionAndArgs.Action());
+            const auto& realArgs = actionAndArgs.Args().try_as<NewTabArgs>();
+            VERIFY_IS_NOT_NULL(realArgs);
+            // Verify the args have the expected value
+            VERIFY_IS_NOT_NULL(realArgs.TerminalArgs());
+            VERIFY_IS_TRUE(realArgs.TerminalArgs().Commandline().empty());
+            VERIFY_IS_TRUE(realArgs.TerminalArgs().StartingDirectory().empty());
+            VERIFY_IS_TRUE(realArgs.TerminalArgs().TabTitle().empty());
+            VERIFY_IS_FALSE(realArgs.TerminalArgs().Profile().empty());
+            VERIFY_ARE_EQUAL(L"profile0", realArgs.TerminalArgs().Profile());
+            VERIFY_IS_NOT_NULL(realArgs.TerminalArgs().Elevate());
+            VERIFY_IS_FALSE(realArgs.TerminalArgs().Elevate().Value());
+
+            const auto termSettingsResult = TerminalSettings::CreateWithNewTerminalArgs(settings, realArgs.TerminalArgs(), nullptr);
+            const auto termSettings = termSettingsResult.DefaultSettings();
+            VERIFY_ARE_EQUAL(L"cmd.exe", termSettings.Commandline());
+            VERIFY_ARE_EQUAL(false, termSettings.Elevate());
+        }
+        {
+            Log::Comment(L"profile.elevate=true, action.elevate=false: don't auto elevate");
+
+            KeyChord kc{ true, false, false, false, static_cast<int32_t>('E'), 0 };
+            auto actionAndArgs = TestUtils::GetActionAndArgs(keymap, kc);
+            VERIFY_ARE_EQUAL(ShortcutAction::NewTab, actionAndArgs.Action());
+            const auto& realArgs = actionAndArgs.Args().try_as<NewTabArgs>();
+            VERIFY_IS_NOT_NULL(realArgs);
+            // Verify the args have the expected value
+            VERIFY_IS_NOT_NULL(realArgs.TerminalArgs());
+            VERIFY_IS_TRUE(realArgs.TerminalArgs().Commandline().empty());
+            VERIFY_IS_TRUE(realArgs.TerminalArgs().StartingDirectory().empty());
+            VERIFY_IS_TRUE(realArgs.TerminalArgs().TabTitle().empty());
+            VERIFY_IS_FALSE(realArgs.TerminalArgs().Profile().empty());
+            VERIFY_ARE_EQUAL(L"profile1", realArgs.TerminalArgs().Profile());
+            VERIFY_IS_NOT_NULL(realArgs.TerminalArgs().Elevate());
+            VERIFY_IS_FALSE(realArgs.TerminalArgs().Elevate().Value());
+
+            const auto termSettingsResult = TerminalSettings::CreateWithNewTerminalArgs(settings, realArgs.TerminalArgs(), nullptr);
+            const auto termSettings = termSettingsResult.DefaultSettings();
+            VERIFY_ARE_EQUAL(L"pwsh.exe", termSettings.Commandline());
+            VERIFY_ARE_EQUAL(false, termSettings.Elevate());
+        }
+        {
+            Log::Comment(L"profile.elevate=false, action.elevate=false: don't auto elevate");
+
+            KeyChord kc{ true, false, false, false, static_cast<int32_t>('F'), 0 };
+            auto actionAndArgs = TestUtils::GetActionAndArgs(keymap, kc);
+            VERIFY_ARE_EQUAL(ShortcutAction::NewTab, actionAndArgs.Action());
+            const auto& realArgs = actionAndArgs.Args().try_as<NewTabArgs>();
+            VERIFY_IS_NOT_NULL(realArgs);
+            // Verify the args have the expected value
+            VERIFY_IS_NOT_NULL(realArgs.TerminalArgs());
+            VERIFY_IS_TRUE(realArgs.TerminalArgs().Commandline().empty());
+            VERIFY_IS_TRUE(realArgs.TerminalArgs().StartingDirectory().empty());
+            VERIFY_IS_TRUE(realArgs.TerminalArgs().TabTitle().empty());
+            VERIFY_IS_FALSE(realArgs.TerminalArgs().Profile().empty());
+            VERIFY_ARE_EQUAL(L"profile2", realArgs.TerminalArgs().Profile());
+            VERIFY_IS_NOT_NULL(realArgs.TerminalArgs().Elevate());
+            VERIFY_IS_FALSE(realArgs.TerminalArgs().Elevate().Value());
+
+            const auto termSettingsResult = TerminalSettings::CreateWithNewTerminalArgs(settings, realArgs.TerminalArgs(), nullptr);
+            const auto termSettings = termSettingsResult.DefaultSettings();
+            VERIFY_ARE_EQUAL(L"wsl.exe", termSettings.Commandline());
+            VERIFY_ARE_EQUAL(false, termSettings.Elevate());
+        }
+
+        {
+            Log::Comment(L"profile.elevate=omitted, action.elevate=true: DO auto elevate");
+
+            KeyChord kc{ true, false, false, false, static_cast<int32_t>('G'), 0 };
+            auto actionAndArgs = TestUtils::GetActionAndArgs(keymap, kc);
+            VERIFY_ARE_EQUAL(ShortcutAction::NewTab, actionAndArgs.Action());
+            const auto& realArgs = actionAndArgs.Args().try_as<NewTabArgs>();
+            VERIFY_IS_NOT_NULL(realArgs);
+            // Verify the args have the expected value
+            VERIFY_IS_NOT_NULL(realArgs.TerminalArgs());
+            VERIFY_IS_TRUE(realArgs.TerminalArgs().Commandline().empty());
+            VERIFY_IS_TRUE(realArgs.TerminalArgs().StartingDirectory().empty());
+            VERIFY_IS_TRUE(realArgs.TerminalArgs().TabTitle().empty());
+            VERIFY_IS_FALSE(realArgs.TerminalArgs().Profile().empty());
+            VERIFY_ARE_EQUAL(L"profile0", realArgs.TerminalArgs().Profile());
+            VERIFY_IS_NOT_NULL(realArgs.TerminalArgs().Elevate());
+            VERIFY_IS_TRUE(realArgs.TerminalArgs().Elevate().Value());
+
+            const auto termSettingsResult = TerminalSettings::CreateWithNewTerminalArgs(settings, realArgs.TerminalArgs(), nullptr);
+            const auto termSettings = termSettingsResult.DefaultSettings();
+            VERIFY_ARE_EQUAL(L"cmd.exe", termSettings.Commandline());
+            VERIFY_ARE_EQUAL(true, termSettings.Elevate());
+        }
+        {
+            Log::Comment(L"profile.elevate=true, action.elevate=true: DO auto elevate");
+            KeyChord kc{ true, false, false, false, static_cast<int32_t>('H'), 0 };
+            auto actionAndArgs = TestUtils::GetActionAndArgs(keymap, kc);
+            VERIFY_ARE_EQUAL(ShortcutAction::NewTab, actionAndArgs.Action());
+            const auto& realArgs = actionAndArgs.Args().try_as<NewTabArgs>();
+            VERIFY_IS_NOT_NULL(realArgs);
+            // Verify the args have the expected value
+            VERIFY_IS_NOT_NULL(realArgs.TerminalArgs());
+            VERIFY_IS_TRUE(realArgs.TerminalArgs().Commandline().empty());
+            VERIFY_IS_TRUE(realArgs.TerminalArgs().StartingDirectory().empty());
+            VERIFY_IS_TRUE(realArgs.TerminalArgs().TabTitle().empty());
+            VERIFY_IS_FALSE(realArgs.TerminalArgs().Profile().empty());
+            VERIFY_ARE_EQUAL(L"profile1", realArgs.TerminalArgs().Profile());
+            VERIFY_IS_NOT_NULL(realArgs.TerminalArgs().Elevate());
+            VERIFY_IS_TRUE(realArgs.TerminalArgs().Elevate().Value());
+
+            const auto termSettingsResult = TerminalSettings::CreateWithNewTerminalArgs(settings, realArgs.TerminalArgs(), nullptr);
+            const auto termSettings = termSettingsResult.DefaultSettings();
+            VERIFY_ARE_EQUAL(L"pwsh.exe", termSettings.Commandline());
+            VERIFY_ARE_EQUAL(true, termSettings.Elevate());
+        }
+        {
+            Log::Comment(L"profile.elevate=false, action.elevate=true: DO auto elevate");
+
+            KeyChord kc{ true, false, false, false, static_cast<int32_t>('I'), 0 };
+            auto actionAndArgs = TestUtils::GetActionAndArgs(keymap, kc);
+            VERIFY_ARE_EQUAL(ShortcutAction::NewTab, actionAndArgs.Action());
+            const auto& realArgs = actionAndArgs.Args().try_as<NewTabArgs>();
+            VERIFY_IS_NOT_NULL(realArgs);
+            // Verify the args have the expected value
+            VERIFY_IS_NOT_NULL(realArgs.TerminalArgs());
+            VERIFY_IS_TRUE(realArgs.TerminalArgs().Commandline().empty());
+            VERIFY_IS_TRUE(realArgs.TerminalArgs().StartingDirectory().empty());
+            VERIFY_IS_TRUE(realArgs.TerminalArgs().TabTitle().empty());
+            VERIFY_IS_FALSE(realArgs.TerminalArgs().Profile().empty());
+            VERIFY_ARE_EQUAL(L"profile2", realArgs.TerminalArgs().Profile());
+            VERIFY_IS_NOT_NULL(realArgs.TerminalArgs().Elevate());
+            VERIFY_IS_TRUE(realArgs.TerminalArgs().Elevate().Value());
+
+            const auto termSettingsResult = TerminalSettings::CreateWithNewTerminalArgs(settings, realArgs.TerminalArgs(), nullptr);
+            const auto termSettings = termSettingsResult.DefaultSettings();
+            VERIFY_ARE_EQUAL(L"wsl.exe", termSettings.Commandline());
+            VERIFY_ARE_EQUAL(true, termSettings.Elevate());
+        }
+    }
+
 }

src/cascadia/TerminalApp/AdminWarningPlaceholder.cpp

@@ -0,0 +1,74 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
+
+#pragma once
+
+#include "pch.h"
+#include "AdminWarningPlaceholder.h"
+#include "AdminWarningPlaceholder.g.cpp"
+#include <LibraryResources.h>
+using namespace winrt::Windows::UI::Xaml;
+
+namespace winrt::TerminalApp::implementation
+{
+    AdminWarningPlaceholder::AdminWarningPlaceholder(const winrt::Microsoft::Terminal::Control::TermControl& control, const winrt::hstring& cmdline) :
+        _control{ control },
+        _Commandline{ cmdline }
+    {
+        InitializeComponent();
+        // If the content we're hosting is a TermControl, then use the control's
+        // BG as our BG, to give the impression that it's there, under the
+        // dialog.
+        if (const auto termControl{ control.try_as<winrt::Microsoft::Terminal::Control::TermControl>() })
+        {
+            RootGrid().Background(termControl.BackgroundBrush());
+        }
+    }
+    void AdminWarningPlaceholder::_primaryButtonClick(winrt::Windows::Foundation::IInspectable const& /*sender*/,
+                                                      RoutedEventArgs const& e)
+    {
+        _PrimaryButtonClickedHandlers(*this, e);
+    }
+    void AdminWarningPlaceholder::_cancelButtonClick(winrt::Windows::Foundation::IInspectable const& /*sender*/,
+                                                     RoutedEventArgs const& e)
+    {
+        _CancelButtonClickedHandlers(*this, e);
+    }
+    winrt::Windows::UI::Xaml::Controls::UserControl AdminWarningPlaceholder::Control()
+    {
+        return _control;
+    }
+
+    // Method Description:
+    // - Move the focus to the cancel button by default. This has the LOAD
+    //   BEARING side effect of also triggering Narrator to read out the
+    //   contents of the dialog. It's unclear why doing this works, but it does.
+    // - Using a LayoutUpdated event to trigger the focus change when we're
+    //   added to the UI tree did not seem to work.
+    // - Whoever is adding us to the UI tree is responsible for calling this!
+    // Arguments:
+    // - <none>
+    // Return Value:
+    // - <none>
+    void AdminWarningPlaceholder::FocusOnLaunch()
+    {
+        CancelButton().Focus(FocusState::Programmatic);
+    }
+
+    winrt::hstring AdminWarningPlaceholder::ControlName()
+    {
+        return RS_(L"AdminWarningPlaceholderName");
+    }
+
+    void AdminWarningPlaceholder::_keyUpHandler(IInspectable const& /*sender*/,
+                                                Windows::UI::Xaml::Input::KeyRoutedEventArgs const& e)
+    {
+        // If the user presses escape, close the dialog (without confirming)
+        const auto key = e.OriginalKey();
+        if (key == winrt::Windows::System::VirtualKey::Escape)
+        {
+            _CancelButtonClickedHandlers(*this, e);
+            e.Handled(true);
+        }
+    }
+}

src/cascadia/TerminalApp/AdminWarningPlaceholder.h

@@ -0,0 +1,51 @@
+/*++
+Copyright (c) Microsoft Corporation
+Licensed under the MIT license.
+
+Module Name:
+- AdminWarningPlaceholder
+
+Abstract:
+- The AdminWarningPlaceholder is a control used to fill space in a pane and
+  present a warning to the user. It holds on to a real control that it should be
+  replaced with. It looks just like a ContentDialog, except it exists per-pane,
+  whereas a ContentDialog can only be added to take up the whole window.
+- The caller should make sure to bind our PrimaryButtonClicked and
+  CancelButtonClicked events, to be informed as to which was pressed.
+
+Author(s):
+- Mike Griese - September 2021
+
+--*/
+
+#pragma once
+
+#include "AdminWarningPlaceholder.g.h"
+#include "../../cascadia/inc/cppwinrt_utils.h"
+
+namespace winrt::TerminalApp::implementation
+{
+    struct AdminWarningPlaceholder : AdminWarningPlaceholderT<AdminWarningPlaceholder>
+    {
+        AdminWarningPlaceholder(const winrt::Microsoft::Terminal::Control::TermControl& control, const winrt::hstring& cmdline);
+        void FocusOnLaunch();
+        winrt::Windows::UI::Xaml::Controls::UserControl Control();
+        winrt::hstring ControlName();
+        WINRT_CALLBACK(PropertyChanged, Windows::UI::Xaml::Data::PropertyChangedEventHandler);
+        WINRT_OBSERVABLE_PROPERTY(winrt::hstring, Commandline, _PropertyChangedHandlers);
+        TYPED_EVENT(PrimaryButtonClicked, TerminalApp::AdminWarningPlaceholder, winrt::Windows::UI::Xaml::RoutedEventArgs);
+        TYPED_EVENT(CancelButtonClicked, TerminalApp::AdminWarningPlaceholder, winrt::Windows::UI::Xaml::RoutedEventArgs);
+
+    private:
+        friend struct AdminWarningPlaceholderT<AdminWarningPlaceholder>; // friend our parent so it can bind private event handlers
+
+        winrt::Microsoft::Terminal::Control::TermControl _control{ nullptr };
+
+        void _primaryButtonClick(winrt::Windows::Foundation::IInspectable const& sender,
+                                 winrt::Windows::UI::Xaml::RoutedEventArgs const& e);
+        void _cancelButtonClick(winrt::Windows::Foundation::IInspectable const& sender,
+                                winrt::Windows::UI::Xaml::RoutedEventArgs const& e);
+        void _keyUpHandler(Windows::Foundation::IInspectable const& sender,
+                           Windows::UI::Xaml::Input::KeyRoutedEventArgs const& e);
+    };
+}

src/cascadia/TerminalApp/AdminWarningPlaceholder.idl

@@ -0,0 +1,12 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
+
+namespace TerminalApp
+{
+    [default_interface] runtimeclass AdminWarningPlaceholder : Windows.UI.Xaml.Controls.UserControl,
+                                                               Windows.UI.Xaml.Data.INotifyPropertyChanged
+    {
+        String Commandline { get; };
+        String ControlName { get; };
+    }
+}

src/cascadia/TerminalApp/AdminWarningPlaceholder.xaml

@@ -0,0 +1,97 @@
+<!--
+    Copyright (c) Microsoft Corporation. All rights reserved. Licensed under
+    the MIT License. See LICENSE in the project root for license information.
+-->
+<UserControl x:Class="TerminalApp.AdminWarningPlaceholder"
+             xmlns="http://schemas.microsoft.com/winfx/2006/xaml/presentation"
+             xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml"
+             xmlns:d="http://schemas.microsoft.com/expression/blend/2008"
+             xmlns:local="using:TerminalApp"
+             xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006"
+             xmlns:mux="using:Microsoft.UI.Xaml.Controls"
+             AutomationProperties.AccessibilityView="Content"
+             AutomationProperties.IsDialog="True"
+             AutomationProperties.Name="{x:Bind ControlName, Mode=OneWay}"
+             PreviewKeyUp="_keyUpHandler"
+             mc:Ignorable="d">
+
+    <!--
+        We have to use two grids to be tricky here:
+        - The outer grid will get its background from the control it hosts, and
+        expands to fit its container. This will make it look like the background
+        fills the space available.
+        - The inner grid is set to Center,Center, so that the "dialog" appears
+        centered
+    -->
+
+    <Grid x:Name="RootGrid"
+          HorizontalAlignment="Stretch"
+          VerticalAlignment="Stretch">
+        <Grid HorizontalAlignment="Center"
+              VerticalAlignment="Center">
+            <Border Margin="8,8,8,8"
+                    Padding="16,8,16,8"
+                    AllowFocusOnInteraction="True"
+                    AutomationProperties.AccessibilityView="Raw"
+                    AutomationProperties.IsDialog="True"
+                    Background="{ThemeResource SystemControlBackgroundAltHighBrush}"
+                    BorderBrush="{ThemeResource SystemAccentColor}"
+                    BorderThickness="2,2,2,2"
+                    CornerRadius="{ThemeResource OverlayCornerRadius}">
+                <StackPanel Orientation="Vertical">
+                    <TextBlock x:Name="ApproveCommandlineWarningTitle"
+                               x:Uid="ApproveCommandlineWarningTitle"
+                               Padding="0,0,0,16"
+                               HorizontalAlignment="Left"
+                               FontSize="20"
+                               FontWeight="Normal"
+                               IsTextSelectionEnabled="True"
+                               TextWrapping="WrapWholeWords" />
+
+                    <TextBlock x:Name="PrefixTextBlock"
+                               x:Uid="ApproveCommandlineWarningPrefixTextBlock"
+                               HorizontalAlignment="Left"
+                               IsTextSelectionEnabled="True"
+                               TextWrapping="WrapWholeWords" />
+
+                    <TextBlock x:Name="CommandlineText"
+                               Margin="0,16,0,16"
+                               HorizontalAlignment="Left"
+                               FontFamily="Cascadia Mono"
+                               IsTextSelectionEnabled="True"
+                               Text="{x:Bind Commandline, Mode=OneWay}"
+                               TextWrapping="WrapWholeWords" />
+
+                    <TextBlock x:Name="SuffixTextBlock"
+                               x:Uid="ApproveCommandlineWarningSuffixTextBlock"
+                               HorizontalAlignment="Left"
+                               IsTextSelectionEnabled="True"
+                               TextWrapping="WrapWholeWords" />
+                    <Grid Margin="0,8,0,8"
+                          HorizontalAlignment="Stretch"
+                          XYFocusKeyboardNavigation="Enabled">
+                        <Grid.ColumnDefinitions>
+                            <ColumnDefinition Width="*" />
+                            <ColumnDefinition Width="*" />
+                        </Grid.ColumnDefinitions>
+                        <Button x:Name="PrimaryButton"
+                                x:Uid="ApproveCommandlineWarning_PrimaryButton"
+                                Grid.Column="0"
+                                Margin="0,0,8,0"
+                                HorizontalAlignment="Stretch"
+                                Click="_primaryButtonClick"
+                                IsTabStop="True"
+                                Style="{StaticResource AccentButtonStyle}" />
+                        <Button x:Name="CancelButton"
+                                x:Uid="ApproveCommandlineWarning_CancelButton"
+                                Grid.Column="1"
+                                HorizontalAlignment="Stretch"
+                                Click="_cancelButtonClick"
+                                IsTabStop="True" />
+                    </Grid>
+                </StackPanel>
+            </Border>
+        </Grid>
+    </Grid>
+
+</UserControl>

src/cascadia/TerminalApp/AppLogic.cpp

@@ -12,6 +12,8 @@
 #include <WtExeUtils.h>
 #include <wil/token_helpers.h >
 
+#include "../../types/inc/utils.hpp"
+
 using namespace winrt::Windows::ApplicationModel;
 using namespace winrt::Windows::ApplicationModel::DataTransfer;
 using namespace winrt::Windows::UI::Xaml;
@@ -131,38 +133,6 @@ static Documents::Run _BuildErrorRun(const winrt::hstring& text, const ResourceD
     return textRun;
 }
 
-// Method Description:
-// - Returns whether the user is either a member of the Administrators group or
-//   is currently elevated.
-// - This will return **FALSE** if the user has UAC disabled entirely, because
-//   there's no separation of power between the user and an admin in that case.
-// Return Value:
-// - true if the user is an administrator
-static bool _isUserAdmin() noexcept
-try
-{
-    wil::unique_handle processToken{ GetCurrentProcessToken() };
-    const auto elevationType = wil::get_token_information<TOKEN_ELEVATION_TYPE>(processToken.get());
-    const auto elevationState = wil::get_token_information<TOKEN_ELEVATION>(processToken.get());
-    if (elevationType == TokenElevationTypeDefault && elevationState.TokenIsElevated)
-    {
-        // In this case, the user has UAC entirely disabled. This is sort of
-        // weird, we treat this like the user isn't an admin at all. There's no
-        // separation of powers, so the things we normally want to gate on
-        // "having special powers" doesn't apply.
-        //
-        // See GH#7754, GH#11096
-        return false;
-    }
-
-    return wil::test_token_membership(nullptr, SECURITY_NT_AUTHORITY, SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_ADMINS);
-}
-catch (...)
-{
-    LOG_CAUGHT_EXCEPTION();
-    return false;
-}
-
 namespace winrt::TerminalApp::implementation
 {
     // Function Description:
@@ -214,7 +184,7 @@ namespace winrt::TerminalApp::implementation
         // The TerminalPage has to be constructed during our construction, to
         // make sure that there's a terminal page for callers of
         // SetTitleBarContent
-        _isElevated = _isUserAdmin();
+        _isElevated = ::Microsoft::Console::Utils::IsElevated();
         _root = winrt::make_self<TerminalPage>();
 
         _reloadSettings = std::make_shared<ThrottledFuncTrailing<>>(winrt::Windows::System::DispatcherQueue::GetForCurrentThread(), std::chrono::milliseconds(100), [weakSelf = get_weak()]() {
@@ -910,8 +880,6 @@ namespace winrt::TerminalApp::implementation
     void AppLogic::_RegisterSettingsChange()
     {
         const std::filesystem::path settingsPath{ std::wstring_view{ CascadiaSettings::SettingsPath() } };
-        const std::filesystem::path statePath{ std::wstring_view{ ApplicationState::SharedInstance().FilePath() } };
-
         _reader.create(
             settingsPath.parent_path().c_str(),
             false,
@@ -920,14 +888,29 @@ namespace winrt::TerminalApp::implementation
             // editors, who will write a temp file, then rename it to be the
             // actual file you wrote. So listen for that too.
             wil::FolderChangeEvents::FileName | wil::FolderChangeEvents::LastWriteTime,
-            [this, settingsBasename = settingsPath.filename(), stateBasename = statePath.filename()](wil::FolderChangeEvent, PCWSTR fileModified) {
-                const auto modifiedBasename = std::filesystem::path{ fileModified }.filename();
+            [this, settingsBasename = settingsPath.filename()](wil::FolderChangeEvent, PCWSTR fileModified) {
+                // DO NOT create a static reference to ApplicationState::SharedInstance here.
+                //
+                // ApplicationState::SharedInstance already caches its own
+                // static ref. If _we_ keep a static ref to the member in
+                // AppState, then our reference will keep ApplicationState alive
+                // after the `ActionToStringMap` gets cleaned up. Then, when we
+                // try to persist the actions in the window state, we won't be
+                // able to. We'll try to look up the action and the map just
+                // won't exist. We'll explode, even though the Terminal is
+                // tearing down anyways. So we'll just die, but still invoke
+                // WinDBG's post-mortem debugger, who won't be able to attach to
+                // the process that's already exiting.
+                //
+                // So DON'T ~give a mouse a cookie~ take a static ref here.
+
+                const winrt::hstring modifiedBasename{ std::filesystem::path{ fileModified }.filename().c_str() };
 
                 if (modifiedBasename == settingsBasename)
                 {
                     _reloadSettings->Run();
                 }
-                else if (modifiedBasename == stateBasename)
+                else if (ApplicationState::SharedInstance().IsStatePath(modifiedBasename))
                 {
                     _reloadState();
                 }

src/cascadia/TerminalApp/Pane.cpp

@@ -34,7 +34,7 @@ static const Duration AnimationDuration = DurationHelper::FromTimeSpan(winrt::Wi
 winrt::Windows::UI::Xaml::Media::SolidColorBrush Pane::s_focusedBorderBrush = { nullptr };
 winrt::Windows::UI::Xaml::Media::SolidColorBrush Pane::s_unfocusedBorderBrush = { nullptr };
 
-Pane::Pane(const Profile& profile, const TermControl& control, const bool lastFocused) :
+Pane::Pane(const Profile& profile, const Controls::UserControl& control, const bool lastFocused) :
     _control{ control },
     _lastActive{ lastFocused },
     _profile{ profile }
@@ -42,8 +42,11 @@ Pane::Pane(const Profile& profile, const TermControl& control, const bool lastFo
     _root.Children().Append(_borderFirst);
     _borderFirst.Child(_control);
 
-    _connectionStateChangedToken = _control.ConnectionStateChanged({ this, &Pane::_ControlConnectionStateChangedHandler });
-    _warningBellToken = _control.WarningBell({ this, &Pane::_ControlWarningBellHandler });
+    if (const auto& termControl{ _control.try_as<TermControl>() })
+    {
+        _connectionStateChangedToken = termControl.ConnectionStateChanged({ this, &Pane::_ControlConnectionStateChangedHandler });
+        _warningBellToken = termControl.WarningBell({ this, &Pane::_ControlWarningBellHandler });
+    }
 
     // On the first Pane's creation, lookup resources we'll use to theme the
     // Pane, including the brushed to use for the focused/unfocused border
@@ -125,11 +128,23 @@ NewTerminalArgs Pane::GetTerminalArgsForPane() const
     assert(_IsLeaf());
 
     NewTerminalArgs args{};
-    auto controlSettings = _control.Settings().as<TerminalSettings>();
+    auto termControl{ _control.try_as<TermControl>() };
+    if (!termControl)
+    {
+        if (auto adminWarning{ _control.try_as<AdminWarningPlaceholder>() })
+        {
+            termControl = adminWarning.Content().try_as<TermControl>();
+        }
+    }
+    if (!termControl)
+    {
+        return nullptr;
+    }
+    auto controlSettings = termControl.Settings().as<TerminalSettings>();
 
     args.Profile(controlSettings.ProfileName());
     // If we know the user's working directory use it instead of the profile.
-    if (const auto dir = _control.WorkingDirectory(); !dir.empty())
+    if (const auto dir = termControl.WorkingDirectory(); !dir.empty())
     {
         args.StartingDirectory(dir);
     }
@@ -832,6 +847,40 @@ bool Pane::SwapPanes(std::shared_ptr<Pane> first, std::shared_ptr<Pane> second)
     return false;
 }
 
+Controls::UserControl Pane::ReplaceControl(const Controls::UserControl& control)
+{
+    if (!_IsLeaf())
+    {
+        return nullptr;
+    }
+
+    // Remove old control's event handlers
+    const auto& oldControl = _control;
+    _gotFocusRevoker.revoke();
+    _lostFocusRevoker.revoke();
+    if (const auto& oldTermControl{ _control.try_as<TermControl>() })
+    {
+        oldTermControl.ConnectionStateChanged(_connectionStateChangedToken);
+        oldTermControl.WarningBell(_warningBellToken);
+    }
+
+    _control = control;
+
+    _borderFirst.Child(_control);
+
+    // Register an event with the control to have it inform us when it gains focus.
+    _gotFocusRevoker = _control.GotFocus(winrt::auto_revoke, { this, &Pane::_ControlGotFocusHandler });
+    _lostFocusRevoker = _control.LostFocus(winrt::auto_revoke, { this, &Pane::_ControlLostFocusHandler });
+
+    if (const auto& termControl{ _control.try_as<TermControl>() })
+    {
+        _connectionStateChangedToken = termControl.ConnectionStateChanged({ this, &Pane::_ControlConnectionStateChangedHandler });
+        _warningBellToken = termControl.WarningBell({ this, &Pane::_ControlWarningBellHandler });
+    }
+
+    return oldControl;
+}
+
 // Method Description:
 // - Given two panes' offsets, test whether the `direction` side of first is adjacent to second.
 // Arguments:
@@ -1079,8 +1128,12 @@ void Pane::_ControlConnectionStateChangedHandler(const winrt::Windows::Foundatio
     {
         return;
     }
-
-    const auto newConnectionState = _control.ConnectionState();
+    const auto& termControl{ _control.try_as<TermControl>() };
+    if (!termControl)
+    {
+        return;
+    }
+    const auto newConnectionState = termControl.ConnectionState();
     const auto previousConnectionState = std::exchange(_connectionState, newConnectionState);
 
     if (newConnectionState < ConnectionState::Closed)
@@ -1123,7 +1176,9 @@ void Pane::_ControlWarningBellHandler(const winrt::Windows::Foundation::IInspect
     {
         return;
     }
-    if (_profile)
+
+    const auto& termControl{ _control.try_as<TermControl>() };
+    if (_profile && termControl)
     {
         // We don't want to do anything if nothing is set, so check for that first
         if (static_cast<int>(_profile.BellStyle()) != 0)
@@ -1137,7 +1192,7 @@ void Pane::_ControlWarningBellHandler(const winrt::Windows::Foundation::IInspect
 
             if (WI_IsFlagSet(_profile.BellStyle(), winrt::Microsoft::Terminal::Settings::Model::BellStyle::Window))
             {
-                _control.BellLightOn();
+                termControl.BellLightOn();
             }
 
             // raise the event with the bool value corresponding to the taskbar flag
@@ -1197,7 +1252,11 @@ void Pane::Shutdown()
     std::unique_lock lock{ _createCloseLock };
     if (_IsLeaf())
     {
-        _control.Close();
+        const auto& termControl{ _control.try_as<TermControl>() };
+        if (termControl)
+        {
+            termControl.Close();
+        }
     }
     else
     {
@@ -1207,7 +1266,7 @@ void Pane::Shutdown()
 }
 
 // Method Description:
-// - Get the root UIElement of this pane. There may be a single TermControl as a
+// - Get the root UIElement of this pane. There may be a single UserControl as a
 //   child, or an entire tree of grids and panes as children of this element.
 // Arguments:
 // - <none>
@@ -1266,7 +1325,7 @@ TermControl Pane::GetLastFocusedTerminalControl()
             {
                 if (p->_IsLeaf())
                 {
-                    return p->_control;
+                    return p->GetTerminalControl();
                 }
                 pane = p;
             }
@@ -1274,7 +1333,7 @@ TermControl Pane::GetLastFocusedTerminalControl()
         }
         return _firstChild->GetLastFocusedTerminalControl();
     }
-    return _control;
+    return GetTerminalControl();
 }
 
 // Method Description:
@@ -1283,8 +1342,15 @@ TermControl Pane::GetLastFocusedTerminalControl()
 // Arguments:
 // - <none>
 // Return Value:
-// - nullptr if this Pane is a parent, otherwise the TermControl of this Pane.
-TermControl Pane::GetTerminalControl()
+// - nullptr if this Pane is a parent or isn't hosting a Terminal, otherwise the
+//   TermControl of this Pane.
+TermControl Pane::GetTerminalControl() const
+{
+    auto control{ GetUserControl() };
+    return control ? control.try_as<TermControl>() : nullptr;
+}
+
+Controls::UserControl Pane::GetUserControl() const
 {
     return _IsLeaf() ? _control : nullptr;
 }
@@ -1457,9 +1523,13 @@ void Pane::_FocusFirstChild()
 void Pane::UpdateSettings(const TerminalSettingsCreateResult& settings, const Profile& profile)
 {
     assert(_IsLeaf());
-
+    const auto& termControl{ _control.try_as<TermControl>() };
+    if (!termControl)
+    {
+        return;
+    }
     _profile = profile;
-    auto controlSettings = _control.Settings().as<TerminalSettings>();
+    auto controlSettings = termControl.Settings().as<TerminalSettings>();
     // Update the parent of the control's settings object (and not the object itself) so
     // that any overrides made by the control don't get affected by the reload
     controlSettings.SetParent(settings.DefaultSettings());
@@ -1472,8 +1542,8 @@ void Pane::UpdateSettings(const TerminalSettingsCreateResult& settings, const Pr
         // sure the unfocused settings inherit from that.
         unfocusedSettings.SetParent(controlSettings);
     }
-    _control.UnfocusedAppearance(unfocusedSettings);
-    _control.UpdateSettings();
+    termControl.UnfocusedAppearance(unfocusedSettings);
+    termControl.UpdateSettings();
 }
 
 // Method Description:
@@ -1614,8 +1684,12 @@ void Pane::_CloseChild(const bool closeFirst, const bool isDetaching)
         _id = remainingChild->Id();
 
         // Add our new event handler before revoking the old one.
-        _connectionStateChangedToken = _control.ConnectionStateChanged({ this, &Pane::_ControlConnectionStateChangedHandler });
-        _warningBellToken = _control.WarningBell({ this, &Pane::_ControlWarningBellHandler });
+        const auto& termControl{ _control.try_as<TermControl>() };
+        if (termControl)
+        {
+            _connectionStateChangedToken = termControl.ConnectionStateChanged({ this, &Pane::_ControlConnectionStateChangedHandler });
+            _warningBellToken = termControl.WarningBell({ this, &Pane::_ControlWarningBellHandler });
+        }
 
         // Revoke the old event handlers. Remove both the handlers for the panes
         // themselves closing, and remove their handlers for their controls
@@ -1629,8 +1703,11 @@ void Pane::_CloseChild(const bool closeFirst, const bool isDetaching)
             closedChild->WalkTree([](auto p) {
                 if (p->_IsLeaf())
                 {
-                    p->_control.ConnectionStateChanged(p->_connectionStateChangedToken);
-                    p->_control.WarningBell(p->_warningBellToken);
+                    if (const auto& closedControl{ p->_control.try_as<TermControl>() })
+                    {
+                        closedControl.ConnectionStateChanged(p->_connectionStateChangedToken);
+                        closedControl.WarningBell(p->_warningBellToken);
+                    }
                 }
                 return false;
             });
@@ -1638,15 +1715,19 @@ void Pane::_CloseChild(const bool closeFirst, const bool isDetaching)
 
         closedChild->Closed(closedChildClosedToken);
         remainingChild->Closed(remainingChildClosedToken);
-        remainingChild->_control.ConnectionStateChanged(remainingChild->_connectionStateChangedToken);
-        remainingChild->_control.WarningBell(remainingChild->_warningBellToken);
+
+        if (const auto& remainingControl{ remainingChild->_control.try_as<TermControl>() })
+        {
+            remainingControl.ConnectionStateChanged(remainingChild->_connectionStateChangedToken);
+            remainingControl.WarningBell(remainingChild->_warningBellToken);
+        }
 
         // If we or either of our children was focused, we want to take that
         // focus from them.
         _lastActive = _lastActive || _firstChild->_lastActive || _secondChild->_lastActive;
 
         // Remove all the ui elements of the remaining child. This'll make sure
-        // we can re-attach the TermControl to our Grid.
+        // we can re-attach the UserControl to our Grid.
         remainingChild->_root.Children().Clear();
         remainingChild->_borderFirst.Child(nullptr);
 
@@ -1657,7 +1738,7 @@ void Pane::_CloseChild(const bool closeFirst, const bool isDetaching)
         _root.ColumnDefinitions().Clear();
         _root.RowDefinitions().Clear();
 
-        // Reattach the TermControl to our grid.
+        // Reattach the UserControl to our grid.
         _root.Children().Append(_borderFirst);
         _borderFirst.Child(_control);
 
@@ -1719,8 +1800,11 @@ void Pane::_CloseChild(const bool closeFirst, const bool isDetaching)
             closedChild->WalkTree([](auto p) {
                 if (p->_IsLeaf())
                 {
-                    p->_control.ConnectionStateChanged(p->_connectionStateChangedToken);
-                    p->_control.WarningBell(p->_warningBellToken);
+                    if (const auto& closedControl{ p->_control.try_as<TermControl>() })
+                    {
+                        closedControl.ConnectionStateChanged(p->_connectionStateChangedToken);
+                        closedControl.WarningBell(p->_warningBellToken);
+                    }
                 }
                 return false;
             });
@@ -2468,11 +2552,14 @@ std::pair<std::shared_ptr<Pane>, std::shared_ptr<Pane>> Pane::_Split(SplitDirect
 
     if (_IsLeaf())
     {
-        // revoke our handler - the child will take care of the control now.
-        _control.ConnectionStateChanged(_connectionStateChangedToken);
-        _connectionStateChangedToken.value = 0;
-        _control.WarningBell(_warningBellToken);
-        _warningBellToken.value = 0;
+        if (const auto& termControl{ _control.try_as<TermControl>() })
+        {
+            // revoke our handler - the child will take care of the control now.
+            termControl.ConnectionStateChanged(_connectionStateChangedToken);
+            termControl.WarningBell(_warningBellToken);
+            _connectionStateChangedToken.value = 0;
+            _warningBellToken.value = 0;
+        }
 
         // Remove our old GotFocus handler from the control. We don't want the
         // control telling us that it's now focused, we want it telling its new
@@ -2482,7 +2569,7 @@ std::pair<std::shared_ptr<Pane>, std::shared_ptr<Pane>> Pane::_Split(SplitDirect
     }
 
     // Remove any children we currently have. We can't add the existing
-    // TermControl to a new grid until we do this.
+    // UserControl to a new grid until we do this.
     _root.Children().Clear();
     _borderFirst.Child(nullptr);
     _borderSecond.Child(nullptr);
@@ -2860,8 +2947,13 @@ float Pane::CalcSnappedDimension(const bool widthOrHeight, const float dimension
 //   If requested size is already snapped, then both returned values equal this value.
 Pane::SnapSizeResult Pane::_CalcSnappedDimension(const bool widthOrHeight, const float dimension) const
 {
+    const auto& termControl{ _control.try_as<TermControl>() };
     if (_IsLeaf())
     {
+        if (!termControl)
+        {
+            return { dimension, dimension };
+        }
         // If we're a leaf pane, align to the grid of controlling terminal
 
         const auto minSize = _GetMinSize();
@@ -2872,7 +2964,7 @@ Pane::SnapSizeResult Pane::_CalcSnappedDimension(const bool widthOrHeight, const
             return { minDimension, minDimension };
         }
 
-        float lower = _control.SnapDimensionToGrid(widthOrHeight, dimension);
+        float lower = termControl.SnapDimensionToGrid(widthOrHeight, dimension);
         if (widthOrHeight)
         {
             lower += WI_IsFlagSet(_borders, Borders::Left) ? PaneBorderSize : 0;
@@ -2892,7 +2984,7 @@ Pane::SnapSizeResult Pane::_CalcSnappedDimension(const bool widthOrHeight, const
         }
         else
         {
-            const auto cellSize = _control.CharacterDimensions();
+            const auto cellSize = termControl.CharacterDimensions();
             const auto higher = lower + (widthOrHeight ? cellSize.Width : cellSize.Height);
             return { lower, higher };
         }
@@ -2937,26 +3029,39 @@ Pane::SnapSizeResult Pane::_CalcSnappedDimension(const bool widthOrHeight, const
 // - <none>
 void Pane::_AdvanceSnappedDimension(const bool widthOrHeight, LayoutSizeNode& sizeNode) const
 {
+    const auto& termControl{ _control.try_as<TermControl>() };
     if (_IsLeaf())
     {
-        // We're a leaf pane, so just add one more row or column (unless isMinimumSize
-        // is true, see below).
-
-        if (sizeNode.isMinimumSize)
+        if (termControl)
         {
-            // If the node is of its minimum size, this size might not be snapped (it might
-            // be, say, half a character, or fixed 10 pixels), so snap it upward. It might
-            // however be already snapped, so add 1 to make sure it really increases
-            // (not strictly necessary but to avoid surprises).
-            sizeNode.size = _CalcSnappedDimension(widthOrHeight, sizeNode.size + 1).higher;
+            // We're a leaf pane, so just add one more row or column (unless isMinimumSize
+            // is true, see below).
+
+            if (sizeNode.isMinimumSize)
+            {
+                // If the node is of its minimum size, this size might not be snapped (it might
+                // be, say, half a character, or fixed 10 pixels), so snap it upward. It might
+                // however be already snapped, so add 1 to make sure it really increases
+                // (not strictly necessary but to avoid surprises).
+                sizeNode.size = _CalcSnappedDimension(widthOrHeight, sizeNode.size + 1).higher;
+            }
+            else
+            {
+                const auto cellSize = termControl.CharacterDimensions();
+                sizeNode.size += widthOrHeight ? cellSize.Width : cellSize.Height;
+            }
         }
         else
         {
-            const auto cellSize = _control.CharacterDimensions();
-            sizeNode.size += widthOrHeight ? cellSize.Width : cellSize.Height;
+            // If we're a leaf that didn't have a TermControl, then just increment
+            // by one. We have to increment by _some_ value, because this is used in
+            // a while() loop to find the next bigger size we can snap to. But since
+            // a non-terminal control doesn't really care what size it's snapped to,
+            // we can just say "one pixel larger is the next snap point"
+            sizeNode.size += 1;
         }
     }
-    else
+    else // !_IsLeaf()
     {
         // We're a parent pane, so we have to advance dimension of our children panes. In
         // fact, we advance only one child (chosen later) to keep the growth fine-grained.
@@ -3058,7 +3163,8 @@ Size Pane::_GetMinSize() const
 {
     if (_IsLeaf())
     {
-        auto controlSize = _control.MinimumSize();
+        const auto& termControl{ _control.try_as<TermControl>() };
+        auto controlSize = termControl ? termControl.MinimumSize() : Size{ 1, 1 };
         auto newWidth = controlSize.Width;
         auto newHeight = controlSize.Height;
 
@@ -3244,7 +3350,10 @@ std::optional<SplitDirection> Pane::PreCalculateAutoSplit(const std::shared_ptr<
 // - Returns true if the pane or one of its descendants is read-only
 bool Pane::ContainsReadOnly() const
 {
-    return _IsLeaf() ? _control.ReadOnly() : (_firstChild->ContainsReadOnly() || _secondChild->ContainsReadOnly());
+    const auto& termControl{ GetTerminalControl() };
+    return termControl ?
+               termControl.ReadOnly() :
+               (_IsLeaf() ? false : (_firstChild->ContainsReadOnly() || _secondChild->ContainsReadOnly()));
 }
 
 // Method Description:
@@ -3257,13 +3366,14 @@ bool Pane::ContainsReadOnly() const
 // - <none>
 void Pane::CollectTaskbarStates(std::vector<winrt::TerminalApp::TaskbarState>& states)
 {
-    if (_IsLeaf())
+    const auto& termControl{ GetTerminalControl() };
+    if (termControl)
     {
-        auto tbState{ winrt::make<winrt::TerminalApp::implementation::TaskbarState>(_control.TaskbarState(),
-                                                                                    _control.TaskbarProgress()) };
+        auto tbState{ winrt::make<winrt::TerminalApp::implementation::TaskbarState>(termControl.TaskbarState(),
+                                                                                    termControl.TaskbarProgress()) };
         states.push_back(tbState);
     }
-    else
+    else if (!_IsLeaf())
     {
         _firstChild->CollectTaskbarStates(states);
         _secondChild->CollectTaskbarStates(states);

src/cascadia/TerminalApp/Pane.h

@@ -56,7 +56,7 @@ class Pane : public std::enable_shared_from_this<Pane>
 {
 public:
     Pane(const winrt::Microsoft::Terminal::Settings::Model::Profile& profile,
-         const winrt::Microsoft::Terminal::Control::TermControl& control,
+         const winrt::Windows::UI::Xaml::Controls::UserControl& control,
          const bool lastFocused = false);
 
     Pane(std::shared_ptr<Pane> first,
@@ -66,8 +66,9 @@ public:
          const bool lastFocused = false);
 
     std::shared_ptr<Pane> GetActivePane();
+    winrt::Windows::UI::Xaml::Controls::UserControl GetUserControl() const;
     winrt::Microsoft::Terminal::Control::TermControl GetLastFocusedTerminalControl();
-    winrt::Microsoft::Terminal::Control::TermControl GetTerminalControl();
+    winrt::Microsoft::Terminal::Control::TermControl GetTerminalControl() const;
     winrt::Microsoft::Terminal::Settings::Model::Profile GetFocusedProfile();
 
     // Method Description:
@@ -126,6 +127,8 @@ public:
                                      winrt::Microsoft::Terminal::Settings::Model::SplitDirection splitType);
     std::shared_ptr<Pane> DetachPane(std::shared_ptr<Pane> pane);
 
+    winrt::Windows::UI::Xaml::Controls::UserControl ReplaceControl(const winrt::Windows::UI::Xaml::Controls::UserControl& control);
+
     int GetLeafPaneCount() const noexcept;
 
     void Maximize(std::shared_ptr<Pane> zoomedPane);
@@ -200,7 +203,8 @@ private:
     winrt::Windows::UI::Xaml::Controls::Grid _root{};
     winrt::Windows::UI::Xaml::Controls::Border _borderFirst{};
     winrt::Windows::UI::Xaml::Controls::Border _borderSecond{};
-    winrt::Microsoft::Terminal::Control::TermControl _control{ nullptr };
+    winrt::Windows::UI::Xaml::Controls::UserControl _control{ nullptr };
+
     winrt::Microsoft::Terminal::TerminalConnection::ConnectionState _connectionState{ winrt::Microsoft::Terminal::TerminalConnection::ConnectionState::NotConnected };
     static winrt::Windows::UI::Xaml::Media::SolidColorBrush s_focusedBorderBrush;
     static winrt::Windows::UI::Xaml::Media::SolidColorBrush s_unfocusedBorderBrush;

src/cascadia/TerminalApp/Resources/en-US/Resources.resw

@@ -504,6 +504,24 @@
   <data name="MultiLinePasteDialog.Title" xml:space="preserve">
     <value>Warning</value>
   </data>
+  <data name="ApproveCommandlineWarningPrefixTextBlock.Text" xml:space="preserve">
+    <value>You are about to execute the following command-line:</value>
+  </data>
+  <data name="ApproveCommandlineWarningSuffixTextBlock.Text" xml:space="preserve">
+    <value>Do you wish to continue?</value>
+  </data>
+  <data name="ApproveCommandlineWarning_PrimaryButton.Content" xml:space="preserve">
+    <value>Allow command-line</value>
+  </data>
+  <data name="ApproveCommandlineWarning_CancelButton.Content" xml:space="preserve">
+    <value>Cancel</value>
+  </data>
+  <data name="ApproveCommandlineWarningTitle.Text" xml:space="preserve">
+    <value>Warning</value>
+  </data>
+  <data name="AdminWarningPlaceholderName" xml:space="preserve">
+    <value>Elevated command-line warning</value>
+  </data>
   <data name="CommandPalette_SearchBox.PlaceholderText" xml:space="preserve">
     <value>Type a command name...</value>
   </data>

src/cascadia/TerminalApp/TabManagement.cpp

@@ -16,6 +16,7 @@
 #include <LibraryResources.h>
 
 #include "TabRowControl.h"
+#include "AdminWarningPlaceholder.h"
 #include "ColorHelper.h"
 #include "DebugTapConnection.h"
 #include "SettingsTab.h"
@@ -68,6 +69,17 @@ namespace winrt::TerminalApp::implementation
         const auto profile{ _settings.GetProfileForArgs(newTerminalArgs) };
         const auto settings{ TerminalSettings::CreateWithNewTerminalArgs(_settings, newTerminalArgs, *_bindings) };
 
+        // Try to handle auto-elevation
+        if (_maybeElevate(newTerminalArgs, settings, profile))
+        {
+            return S_OK;
+        }
+        // We can't go in the other direction (elevated->unelevated)
+        // unfortunately. This seems to be due to Centennial quirks. It works
+        // unpackaged, but not packaged.
+        //
+        // This call to _MakePane won't return nullptr, we already checked that
+        // case above with the _maybeElevate call.
         _CreateNewTabFromPane(_MakePane(newTerminalArgs, false, existingConnection));
 
         const uint32_t tabCount = _tabs.Size();
@@ -240,8 +252,11 @@ namespace winrt::TerminalApp::implementation
     // - pane: The pane to use as the root.
     void TerminalPage::_CreateNewTabFromPane(std::shared_ptr<Pane> pane)
     {
-        auto newTabImpl = winrt::make_self<TerminalTab>(pane);
-        _InitializeTab(newTabImpl);
+        if (pane)
+        {
+            auto newTabImpl = winrt::make_self<TerminalTab>(pane);
+            _InitializeTab(newTabImpl);
+        }
     }
 
     // Method Description:

src/cascadia/TerminalApp/TerminalAppLib.vcxproj

@@ -63,6 +63,9 @@
     <Page Include="CommandPalette.xaml">
       <SubType>Designer</SubType>
     </Page>
+    <Page Include="AdminWarningPlaceholder.xaml">
+      <SubType>Designer</SubType>
+    </Page>
   </ItemGroup>
   <!-- ========================= Headers ======================== -->
   <ItemGroup>
@@ -141,6 +144,9 @@
     <ClInclude Include="AppLogic.h">
       <DependentUpon>AppLogic.idl</DependentUpon>
     </ClInclude>
+    <ClInclude Include="AdminWarningPlaceholder.h">
+      <DependentUpon>AdminWarningPlaceholder.xaml</DependentUpon>
+    </ClInclude>
     <ClInclude Include="Toast.h" />
   </ItemGroup>
   <!-- ========================= Cpp Files ======================== -->
@@ -234,6 +240,9 @@
     <ClCompile Include="AppLogic.cpp">
       <DependentUpon>AppLogic.idl</DependentUpon>
     </ClCompile>
+    <ClCompile Include="AdminWarningPlaceholder.cpp">
+      <DependentUpon>AdminWarningPlaceholder.xaml</DependentUpon>
+    </ClCompile>
     <ClCompile Include="$(GeneratedFilesDir)module.g.cpp" />
     <ClCompile Include="Toast.cpp" />
   </ItemGroup>
@@ -295,6 +304,10 @@
       <DependentUpon>CommandPalette.xaml</DependentUpon>
       <SubType>Code</SubType>
     </Midl>
+    <Midl Include="AdminWarningPlaceholder.idl">
+      <DependentUpon>AdminWarningPlaceholder.xaml</DependentUpon>
+      <SubType>Code</SubType>
+    </Midl>
     <Midl Include="FilteredCommand.idl" />
     <Midl Include="EmptyStringVisibilityConverter.idl" />
   </ItemGroup>

src/cascadia/TerminalApp/TerminalPage.cpp

@@ -12,11 +12,14 @@
 #include "TerminalPage.g.cpp"
 #include <winrt/Windows.Storage.h>
 
+#include "../WinRTUtils/inc/WtExeUtils.h"
+
 #include "TabRowControl.h"
 #include "ColorHelper.h"
 #include "DebugTapConnection.h"
 #include "SettingsTab.h"
 #include "RenameWindowRequestedArgs.g.cpp"
+#include "AdminWarningPlaceholder.h"
 #include "../inc/WindowingBehavior.h"
 
 #include <til/latch.h>
@@ -300,10 +303,7 @@ namespace winrt::TerminalApp::implementation
     // - true if the ApplicationState should be used.
     bool TerminalPage::ShouldUsePersistedLayout(CascadiaSettings& settings) const
     {
-        // GH#5000 Until there is a separate state file for elevated sessions we should just not
-        // save at all while in an elevated window.
         return Feature_PersistedWindowLayout::IsEnabled() &&
-               !IsElevated() &&
                settings.GlobalSettings().FirstWindowPreference() == FirstWindowPreference::PersistedWindowLayout;
     }
 
@@ -551,7 +551,24 @@ namespace winrt::TerminalApp::implementation
     void TerminalPage::_CompleteInitialization()
     {
         _startupState = StartupState::Initialized;
-        _InitializedHandlers(*this, nullptr);
+
+        // GH#632 - It's possible that the user tried to create the terminal
+        // with only one tab, with only an elevated profile. If that happens,
+        // we'll create _another_ process to host the elevated version of that
+        // profile. This can happen from the jumplist, or if the default profile
+        // is `elevate:true`, or from the commandline.
+        //
+        // However, we need to make sure to close this window in that scenario.
+        // Since there aren't any _tabs_ in this window, we won't ever get a
+        // closed event. So do it manually.
+        if (_tabs.Size() == 0)
+        {
+            _LastTabClosedHandlers(*this, nullptr);
+        }
+        else
+        {
+            _InitializedHandlers(*this, nullptr);
+        }
     }
 
     // Method Description:
@@ -867,6 +884,13 @@ namespace winrt::TerminalApp::implementation
         else
         {
             const auto newPane = _MakePane(newTerminalArgs);
+            // If the newTerminalArgs caused us to open an elevated window
+            // instead of creating a pane, it may have returned nullptr. Just do
+            // nothing then.
+            if (!newPane)
+            {
+                return;
+            }
             if (altPressed && !debugTap)
             {
                 this->_SplitPane(SplitDirection::Automatic,
@@ -1486,6 +1510,311 @@ namespace winrt::TerminalApp::implementation
         return true;
     }
 
+    // Function Description:
+    // - Returns true if this commandline is a commandline that we know is safe.
+    //   Generally, this is true for any executables in system32. We can use
+    //   this to bypass the elevated state check, because we're confident that
+    //   executables in that path won't have been hijacked.
+    //   - TECHNICALLY a user can take ownership of a file in system32 and
+    //     replace it as the system administrator. You could say it's OK though
+    //     because you'd already have to have had admin rights to mess that
+    //     folder up or something.
+    // - Will attempt to resolve environment strings.
+    // - Will also manually allow commandlines as generated for the default WSL
+    //   distros.
+    // - Will also trust %ProgramFiles%\Powershell\...\pwsh.exe paths, for
+    //   PowerShell Core.
+    // Arguments:
+    // - commandLine: the command to check.
+    // Return Value (example):
+    // - C:\windows\system32\cmd.exe -> returns true
+    // - cmd.exe -> returns false
+    // - C:\windows\system32\cmd.exe /k echo sneaky sneak -> returns false
+    // - %SystemRoot%\System32\cmd.exe -> returns true
+    // - %SystemRoot%\System32\wsl.exe -d <distro name> -> returns true
+    static bool _isTrustedCommandline(std::wstring_view commandLine)
+    {
+        // use C++11 magic statics to make sure we only do this once.
+        static std::wstring systemDirectory = []() -> std::wstring {
+            // *** THIS IS A SINGLETON ***
+            static std::wstring sys32{};
+            if (FAILED(wil::GetSystemDirectoryW(sys32)))
+            {
+                // we couldn't look up where system32 is?? Then it's definitely not
+                // in System32
+                return {};
+            }
+            return sys32;
+        }();
+
+        if (systemDirectory.empty())
+        {
+            return false;
+        }
+
+        const std::filesystem::path fullCommandlinePath{
+            wil::ExpandEnvironmentStringsW<std::wstring>(commandLine.data())
+        };
+
+        if (fullCommandlinePath.wstring().size() > systemDirectory.size())
+        {
+            // Get the first part of the executable path
+            const auto start = fullCommandlinePath.wstring().substr(0, systemDirectory.size());
+            // Doing this as an ASCII only check might be wrong, but I'm
+            // guessing if system32 isn't at X:\windows\system32... this isn't
+            // the only thing that is going to be sad in Windows.
+            const auto pathEquals = til::equals_insensitive_ascii(start, systemDirectory);
+            if (pathEquals && std::filesystem::exists(fullCommandlinePath))
+            {
+                return true;
+            }
+        }
+
+        // Also, if the path is literally
+        //   %SystemRoot%\System32\wsl.exe -d <distro name>
+        // then allow it.
+
+        // Largely stolen from _tryMangleStartingDirectoryForWSL in ConptyConnection.
+        // Find the first space, quote or the end of the string -- we'll look
+        // for wsl before that.
+        const auto terminator{ commandLine.find_first_of(LR"(" )", 1) }; // look past the first character in case it starts with "
+        const auto start{ til::at(commandLine, 0) == L'"' ? 1 : 0 };
+        const std::filesystem::path executablePath{ commandLine.substr(start, terminator - start) };
+        const auto executableFilename{ executablePath.filename().wstring() };
+
+        if (executableFilename == L"wsl" || executableFilename == L"wsl.exe")
+        {
+            // We've got a WSL -- let's just make sure it's the right one.
+            if (executablePath.has_parent_path())
+            {
+                if (executablePath.parent_path().wstring() != systemDirectory)
+                {
+                    return false; // it wasn't in system32!
+                }
+            }
+            else
+            {
+                // Unqualified WSL, this is dangerous, so return false.
+                return false;
+            }
+
+            // Get everything after the wsl.exe
+            const auto arguments{ terminator == std::wstring_view::npos ?
+                                      std::wstring_view{} :
+                                      commandLine.substr(terminator + 1) };
+            const auto dashD{ arguments.find(L"-d ") };
+
+            // If we found a "-d " IMMEDIATELY AFTER wsl.exe. If it wasn't
+            // immediately after, it could have been `wsl.exe --doSomethingEvil`
+            if (dashD == 0)
+            {
+                // Using the string following "-d "...
+                const auto afterDashD{ arguments.substr(dashD + 3) };
+                // Find the next space
+                const auto afterFirstWord = afterDashD.find(L" ");
+                // if that space _wasn't_ at the end of the commandline, then
+                // there were some other args. That means it was `wsl -d distro
+                // anything`, and we should ask the user.
+                //
+                // So if it was at the end of the commandline, then there were
+                // no other args besides the distro name.
+                if (afterFirstWord == std::wstring::npos)
+                {
+                    return true;
+                }
+            }
+        }
+        else if (executableFilename == L"pwsh" || executableFilename == L"pwsh.exe")
+        {
+            // is does executablePath start with %ProgramFiles%\\PowerShell?
+            const std::filesystem::path powershellCoreRoot
+            {
+                wil::ExpandEnvironmentStringsW<std::wstring>(
+#if defined(_M_AMD64) || defined(_M_ARM64) // No point in looking for WOW if we're not somewhere it exists
+                    L"%ProgramFiles(x86)%\\PowerShell"
+#elif defined(_M_ARM64) // same with ARM
+                    L"%ProgramFiles(Arm)%\\PowerShell"
+#else
+                    L"%ProgramFiles%\\PowerShell"
+#endif
+                )
+            };
+
+            // Is the path to the commandline actually exactly one of the
+            // versions that exists in this directory?
+            for (const auto& versionedDir : std::filesystem::directory_iterator(powershellCoreRoot))
+            {
+                const auto versionedPath = versionedDir.path();
+                if (executablePath.parent_path() == versionedPath)
+                {
+                    return true;
+                }
+            }
+        }
+
+        return false;
+    }
+
+    // Method Description:
+    // - For a given commandline, determines if we should prompt the user for
+    //   approval. We only do this check when elevated. This will check the
+    //   AllowedCommandlines in `elevated-state.json`, to see if the commandline
+    //   already exists in that list.
+    // Arguments:
+    // - cmdline: The commandline to check
+    // Return Value:
+    // - true if we should prompt the user for approval.
+    bool TerminalPage::_shouldPromptForCommandline(const winrt::hstring& cmdline) const
+    {
+        // NOTE: For debugging purposes, changing this to `true || IsElevated()`
+        // is a handy way of forcing the elevation logic, even when unelevated.
+        if (IsElevated())
+        {
+            // If the cmdline is EXACTLY an executable in
+            // `C:\WINDOWS\System32`, then ignore this check.
+            if (_isTrustedCommandline(cmdline))
+            {
+                return false;
+            }
+
+            if (const auto& allowedCommandlines{ ApplicationState::SharedInstance().AllowedCommandlines() })
+            {
+                for (const auto& approved : allowedCommandlines)
+                {
+                    if (approved == cmdline)
+                    {
+                        return false;
+                    }
+                }
+            }
+            return true;
+        }
+
+        return false;
+    }
+
+    void TerminalPage::_adminWarningPrimaryClicked(const TerminalApp::AdminWarningPlaceholder& sender,
+                                                   const winrt::Windows::UI::Xaml::RoutedEventArgs& /*args*/)
+    {
+        auto warningControl{ winrt::get_self<AdminWarningPlaceholder>(sender) };
+        const auto& cmdline{ warningControl->Commandline() };
+        // Look through the tabs and panes to look for us. Whichever pane had us
+        // as content - replace their content with the TermControl we were
+        // holding on to.
+        for (const auto& tab : _tabs)
+        {
+            if (const auto& tabImpl{ _GetTerminalTabImpl(tab) })
+            {
+                tabImpl->GetRootPane()->WalkTree([warningControl, cmdline, tabImpl](std::shared_ptr<Pane> pane) -> bool {
+                    const auto& projectedWarningControl{ pane->GetUserControl().try_as<TerminalApp::AdminWarningPlaceholder>() };
+                    // If it was a warning control, then get our implementation
+                    // type out of it.
+                    if (const auto& otherWarning{ winrt::get_self<AdminWarningPlaceholder>(projectedWarningControl) })
+                    {
+                        // This pane had a warning in it.
+                        // Was it a warning for the same commandline that we
+                        // just approved?
+                        if (otherWarning->Commandline() == cmdline)
+                        {
+                            // Go ahead and allow them. Swap the control into
+                            // the pane, which will initialize and start it.
+                            tabImpl->ReplaceControl(pane, otherWarning->Control());
+                        }
+                        // Don't return true here. We want to make sure to check
+                        // all the panes for the same commandline we just
+                        // approved.
+                    }
+                    // return false so we make sure to iterate on every leaf.
+                    return false;
+                });
+            }
+        }
+
+        // Update the list of approved commandlines.
+        auto allowedCommandlines{ ApplicationState::SharedInstance().AllowedCommandlines() };
+        if (!allowedCommandlines)
+        {
+            allowedCommandlines = winrt::single_threaded_vector<winrt::hstring>();
+        }
+
+        // But of course, we don't need to add this commandline if it's already
+        // in the list of approved commandlines.
+        bool foundCopy = false;
+        for (const auto& approved : allowedCommandlines)
+        {
+            if (approved == cmdline)
+            {
+                foundCopy = true;
+                break;
+            }
+        }
+        if (!foundCopy)
+        {
+            allowedCommandlines.Append(cmdline);
+        }
+        ApplicationState::SharedInstance().AllowedCommandlines(allowedCommandlines);
+    }
+
+    void TerminalPage::_adminWarningCancelClicked(const TerminalApp::AdminWarningPlaceholder& sender,
+                                                  const winrt::Windows::UI::Xaml::RoutedEventArgs& /*args*/)
+    {
+        auto warningControl{ winrt::get_self<AdminWarningPlaceholder>(sender) };
+
+        for (const auto& tab : _tabs)
+        {
+            if (const auto& tabImpl{ _GetTerminalTabImpl(tab) })
+            {
+                tabImpl->GetRootPane()->WalkTree([warningControl](std::shared_ptr<Pane> pane) -> bool {
+                    if (pane->GetUserControl() == *warningControl)
+                    {
+                        pane->Close();
+                        return true;
+                    }
+                    // We're not going to auto-close all the other panes with
+                    // the same commandline warning, akin to what we're doing in
+                    // the approve handler. If they want to reject one pane, but
+                    // accept the next one, that's okay.
+                    return false;
+                });
+            }
+        }
+    }
+
+    // Method Description:
+    // - If the requested settings want us to elevate this new terminal
+    //   instance, and we're not currently elevated, then open the new terminal
+    //   as an elevated instance (using _OpenElevatedWT). Does nothing if we're
+    //   already elevated, or if the control settings don't want to be elevated.
+    // Arguments:
+    // - newTerminalArgs: The NewTerminalArgs for this terminal instance
+    // - controlSettings: The constructed TerminalSettingsCreateResult for this Terminal instance
+    // - profile: The Profile we're using to launch this Terminal instance
+    // Return Value:
+    // - true iff we tossed this request to an elevated window. Callers can use
+    //   this result to early-return if needed.
+    bool TerminalPage::_maybeElevate(const NewTerminalArgs& newTerminalArgs,
+                                     const TerminalSettingsCreateResult& controlSettings,
+                                     const Profile& profile)
+    {
+        // Try to handle auto-elevation
+        const bool requestedElevation = controlSettings.DefaultSettings().Elevate();
+        const bool currentlyElevated = IsElevated();
+
+        // We aren't elevated, but we want to be.
+        if (requestedElevation && !currentlyElevated)
+        {
+            // Manually set the Profile of the NewTerminalArgs to the guid we've
+            // resolved to. If there was a profile in the NewTerminalArgs, this
+            // will be that profile's GUID. If there wasn't, then we'll use
+            // whatever the default profile's GUID is.
+
+            newTerminalArgs.Profile(::Microsoft::Console::Utils::GuidToString(profile.Guid()));
+            _OpenElevatedWT(newTerminalArgs);
+            return true;
+        }
+        return false;
+    }
+
     // Method Description:
     // - Split the focused pane either horizontally or vertically, and place the
     //   given pane accordingly in the tree
@@ -1499,13 +1828,6 @@ namespace winrt::TerminalApp::implementation
                                   std::shared_ptr<Pane> newPane)
     {
         const auto focusedTab{ _GetFocusedTabImpl() };
-
-        // Do nothing if no TerminalTab is focused
-        if (!focusedTab)
-        {
-            return;
-        }
-
         _SplitPane(*focusedTab, splitDirection, splitSize, newPane);
     }
 
@@ -1523,6 +1845,14 @@ namespace winrt::TerminalApp::implementation
                                   const float splitSize,
                                   std::shared_ptr<Pane> newPane)
     {
+        // If the caller is calling us with the return value of _MakePane
+        // directly, it's possible that nullptr was returned, if the connections
+        // was supposed to be launched in an elevated window. In that case, do
+        // nothing here. We don't have a pane with which to create the split.
+        if (!newPane)
+        {
+            return;
+        }
         const float contentWidth = ::base::saturated_cast<float>(_tabContent.ActualWidth());
         const float contentHeight = ::base::saturated_cast<float>(_tabContent.ActualHeight());
         const winrt::Windows::Foundation::Size availableSpace{ contentWidth, contentHeight };
@@ -2148,7 +2478,13 @@ namespace winrt::TerminalApp::implementation
     //   a duplicate of the currently focused pane
     // - existingConnection: optionally receives a connection from the outside
     //   world instead of attempting to create one
-    std::shared_ptr<Pane> TerminalPage::_MakePane(const NewTerminalArgs& newTerminalArgs, const bool duplicate, TerminalConnection::ITerminalConnection existingConnection)
+    // Return Value:
+    // - If the newTerminalArgs required us to open the pane as a new elevated
+    //   connection, then we'll return nullptr. Otherwise, we'll return a new
+    //   Pane for this connection.
+    std::shared_ptr<Pane> TerminalPage::_MakePane(const NewTerminalArgs& newTerminalArgs,
+                                                  const bool duplicate,
+                                                  TerminalConnection::ITerminalConnection existingConnection)
     {
         TerminalSettingsCreateResult controlSettings{ nullptr };
         Profile profile{ nullptr };
@@ -2179,6 +2515,12 @@ namespace winrt::TerminalApp::implementation
             controlSettings = TerminalSettings::CreateWithNewTerminalArgs(_settings, newTerminalArgs, *_bindings);
         }
 
+        // Try to handle auto-elevation
+        if (_maybeElevate(newTerminalArgs, controlSettings, profile))
+        {
+            return nullptr;
+        }
+
         auto connection = existingConnection ? existingConnection : _CreateConnectionFromSettings(profile, controlSettings.DefaultSettings());
         if (existingConnection)
         {
@@ -2202,7 +2544,21 @@ namespace winrt::TerminalApp::implementation
         const auto control = _InitControl(controlSettings, connection);
         _RegisterTerminalEvents(control);
 
-        auto resultPane = std::make_shared<Pane>(profile, control);
+        WUX::Controls::UserControl controlToAdd{ control };
+
+        // Check if we should warn the user about running a new unelevated
+        // commandline.
+        const auto& cmdline{ controlSettings.DefaultSettings().Commandline() };
+        const auto doAdminWarning{ _shouldPromptForCommandline(cmdline) };
+        if (doAdminWarning)
+        {
+            auto warningControl{ winrt::make_self<implementation::AdminWarningPlaceholder>(control, cmdline) };
+            warningControl->PrimaryButtonClicked({ get_weak(), &TerminalPage::_adminWarningPrimaryClicked });
+            warningControl->CancelButtonClicked({ get_weak(), &TerminalPage::_adminWarningCancelClicked });
+            controlToAdd = *warningControl;
+        }
+
+        auto resultPane = std::make_shared<Pane>(profile, controlToAdd);
 
         if (debugConnection) // this will only be set if global debugging is on and tap is active
         {
@@ -2223,6 +2579,17 @@ namespace winrt::TerminalApp::implementation
             original->SetActive();
         }
 
+        if (doAdminWarning)
+        {
+            // We know this is safe - we literally just added the
+            // AdminWarningPlaceholder as the controlToAdd like 20 lines up.
+            //
+            // Focus the warning here. The LayoutUpdated within the dialog
+            // itself isn't good enough. That, for some reason, fires _before_
+            // the dialog is in the UI tree, which is useless for us.
+            controlToAdd.try_as<implementation::AdminWarningPlaceholder>()->FocusOnLaunch();
+        }
+
         return resultPane;
     }
 
@@ -3337,6 +3704,63 @@ namespace winrt::TerminalApp::implementation
         return profile;
     }
 
+    // Function Description:
+    // - Helper to launch a new WT instance elevated. It'll do this by spawning
+    //   a helper process, who will asking the shell to elevate the process for
+    //   us. This might cause a UAC prompt. The elevation is performed on a
+    //   background thread, as to not block the UI thread.
+    // Arguments:
+    // - newTerminalArgs: A NewTerminalArgs describing the terminal instance
+    //   that should be spawned. The Profile should be filled in with the GUID
+    //   of the profile we want to launch.
+    // Return Value:
+    // - <none>
+    // Important: Don't take the param by reference, since we'll be doing work
+    // on another thread.
+    void TerminalPage::_OpenElevatedWT(NewTerminalArgs newTerminalArgs)
+    {
+        // BODGY
+        //
+        // We're going to construct the commandline we want, then toss it to a
+        // helper process called `elevate-shim.exe` that happens to live next to
+        // us. elevate-shim.exe will be the one to call ShellExecute with the
+        // args that we want (to elevate the given profile).
+        //
+        // We can't be the one to call ShellExecute ourselves. ShellExecute
+        // requires that the calling process stays alive until the child is
+        // spawned. However, in the case of something like `wt -p
+        // AlwaysElevateMe`, then the original WT will try to ShellExecute a new
+        // wt.exe (elevated) and immediately exit, preventing ShellExecute from
+        // successfully spawning the elevated WT.
+
+        std::filesystem::path exePath = wil::GetModuleFileNameW<std::wstring>(nullptr);
+        exePath.replace_filename(L"elevate-shim.exe");
+
+        // Build the commandline to pass to wt for this set of NewTerminalArgs
+        std::wstring cmdline{
+            fmt::format(L"new-tab {}", newTerminalArgs.ToCommandline().c_str())
+        };
+
+        wil::unique_process_information pi;
+        STARTUPINFOW si{};
+        si.cb = sizeof(si);
+
+        LOG_IF_WIN32_BOOL_FALSE(CreateProcessW(exePath.c_str(),
+                                               cmdline.data(),
+                                               nullptr,
+                                               nullptr,
+                                               FALSE,
+                                               0,
+                                               nullptr,
+                                               nullptr,
+                                               &si,
+                                               &pi));
+
+        // TODO: GH#8592 - It may be useful to pop a Toast here in the original
+        // Terminal window informing the user that the tab was opened in a new
+        // window.
+    }
+
     // Method Description:
     // - Handles the change of connection state.
     // If the connection state is failure show information bar suggesting to configure termination behavior
@@ -3472,4 +3896,5 @@ namespace winrt::TerminalApp::implementation
 
         applicationState.DismissedMessages(std::move(messages));
     }
+
 }

src/cascadia/TerminalApp/TerminalPage.h

@@ -207,6 +207,7 @@ namespace winrt::TerminalApp::implementation
         winrt::Windows::Foundation::IAsyncOperation<winrt::Windows::UI::Xaml::Controls::ContentDialogResult> _ShowCloseReadOnlyDialog();
         winrt::Windows::Foundation::IAsyncOperation<winrt::Windows::UI::Xaml::Controls::ContentDialogResult> _ShowMultiLinePasteWarningDialog();
         winrt::Windows::Foundation::IAsyncOperation<winrt::Windows::UI::Xaml::Controls::ContentDialogResult> _ShowLargePasteWarningDialog();
+        winrt::Windows::Foundation::IAsyncOperation<winrt::Windows::UI::Xaml::Controls::ContentDialogResult> _ShowCommandlineApproveWarning();
 
         void _CreateNewTabFlyout();
         void _OpenNewTabDropdown();
@@ -403,6 +404,17 @@ namespace winrt::TerminalApp::implementation
 
         winrt::Microsoft::Terminal::Settings::Model::Profile GetClosestProfileForDuplicationOfProfile(const winrt::Microsoft::Terminal::Settings::Model::Profile& profile) const noexcept;
 
+        bool _maybeElevate(const winrt::Microsoft::Terminal::Settings::Model::NewTerminalArgs& newTerminalArgs,
+                           const winrt::Microsoft::Terminal::Settings::Model::TerminalSettingsCreateResult& controlSettings,
+                           const winrt::Microsoft::Terminal::Settings::Model::Profile& profile);
+        void _OpenElevatedWT(winrt::Microsoft::Terminal::Settings::Model::NewTerminalArgs newTerminalArgs);
+
+        bool _shouldPromptForCommandline(const winrt::hstring& cmdline) const;
+        void _adminWarningPrimaryClicked(const winrt::TerminalApp::AdminWarningPlaceholder& sender,
+                                         const winrt::Windows::UI::Xaml::RoutedEventArgs& args);
+        void _adminWarningCancelClicked(const winrt::TerminalApp::AdminWarningPlaceholder& sender,
+                                        const winrt::Windows::UI::Xaml::RoutedEventArgs& args);
+
         winrt::fire_and_forget _ConnectionStateChangedHandler(const winrt::Windows::Foundation::IInspectable& sender, const winrt::Windows::Foundation::IInspectable& args) const;
         void _CloseOnExitInfoDismissHandler(const winrt::Windows::Foundation::IInspectable& sender, const winrt::Windows::Foundation::IInspectable& args) const;
         void _KeyboardServiceWarningInfoDismissHandler(const winrt::Windows::Foundation::IInspectable& sender, const winrt::Windows::Foundation::IInspectable& args) const;

src/cascadia/TerminalApp/TerminalTab.cpp

@@ -426,7 +426,10 @@ namespace winrt::TerminalApp::implementation
     winrt::fire_and_forget TerminalTab::Scroll(const int delta)
     {
         auto control = GetActiveTerminalControl();
-
+        if (!control)
+        {
+            co_return;
+        }
         co_await winrt::resume_foreground(control.Dispatcher());
 
         const auto currentOffset = control.ScrollOffset();
@@ -511,7 +514,11 @@ namespace winrt::TerminalApp::implementation
             if (p->_IsLeaf())
             {
                 p->Id(_nextPaneId);
-                _AttachEventHandlersToControl(p->Id().value(), p->_control);
+                if (auto termControl{ p->_control.try_as<TermControl>() })
+                {
+                    _AttachEventHandlersToControl(p->Id().value(), termControl);
+                }
+
                 _nextPaneId++;
             }
             return false;
@@ -856,6 +863,10 @@ namespace winrt::TerminalApp::implementation
     // - <none>
     void TerminalTab::_AttachEventHandlersToControl(const uint32_t paneId, const TermControl& control)
     {
+        if (!control)
+        {
+            return;
+        }
         auto weakThis{ get_weak() };
         auto dispatcher = TabViewItem().Dispatcher();
         ControlEventTokens events{};
@@ -1744,6 +1755,19 @@ namespace winrt::TerminalApp::implementation
         return Title();
     }
 
+    void TerminalTab::ReplaceControl(std::shared_ptr<Pane> pane, const Controls::UserControl& control)
+    {
+        pane->ReplaceControl(control);
+
+        if (auto termControl{ pane->_control.try_as<TermControl>() })
+        {
+            _AttachEventHandlersToControl(pane->Id().value(), termControl);
+        }
+
+        // Update the title manually.
+        UpdateTitle();
+    }
+
     DEFINE_EVENT(TerminalTab, ActivePaneChanged, _ActivePaneChangedHandlers, winrt::delegate<>);
     DEFINE_EVENT(TerminalTab, ColorSelected, _colorSelected, winrt::delegate<winrt::Windows::UI::Color>);
     DEFINE_EVENT(TerminalTab, ColorCleared, _colorCleared, winrt::delegate<>);

src/cascadia/TerminalApp/TerminalTab.h

@@ -93,6 +93,9 @@ namespace winrt::TerminalApp::implementation
 
         std::shared_ptr<Pane> GetRootPane() const { return _rootPane; }
 
+        void ReplaceControl(std::shared_ptr<Pane> pane,
+                            const winrt::Windows::UI::Xaml::Controls::UserControl& control);
+
         winrt::TerminalApp::TerminalTabStatus TabStatus()
         {
             return _tabStatus;

src/cascadia/TerminalControl/TermControl.cpp

@@ -2648,4 +2648,9 @@ namespace winrt::Microsoft::Terminal::Control::implementation
     {
         return _core.ReadEntireBuffer();
     }
+
+    Media::Brush TermControl::BackgroundBrush()
+    {
+        return RootGrid().Background();
+    }
 }

src/cascadia/TerminalControl/TermControl.h

@@ -111,6 +111,8 @@ namespace winrt::Microsoft::Terminal::Control::implementation
 
         hstring ReadEntireBuffer() const;
 
+        Windows::UI::Xaml::Media::Brush BackgroundBrush();
+
         // -------------------------------- WinRT Events ---------------------------------
         // clang-format off
         WINRT_CALLBACK(FontSizeChanged, Control::FontSizeChangedEventArgs);

src/cascadia/TerminalControl/TermControl.idl

@@ -71,5 +71,7 @@ namespace Microsoft.Terminal.Control
         void ToggleReadOnly();
 
         String ReadEntireBuffer();
+
+        Windows.UI.Xaml.Media.Brush BackgroundBrush { get; };
     }
 }

src/cascadia/TerminalSettingsModel/ActionArgs.h

@@ -110,6 +110,7 @@ namespace winrt::Microsoft::Terminal::Settings::Model::implementation
         ACTION_ARG(winrt::hstring, Profile, L"");
         ACTION_ARG(Windows::Foundation::IReference<bool>, SuppressApplicationTitle, nullptr);
         ACTION_ARG(winrt::hstring, ColorScheme);
+        ACTION_ARG(Windows::Foundation::IReference<bool>, Elevate, nullptr);
 
         static constexpr std::string_view CommandlineKey{ "commandline" };
         static constexpr std::string_view StartingDirectoryKey{ "startingDirectory" };
@@ -119,6 +120,7 @@ namespace winrt::Microsoft::Terminal::Settings::Model::implementation
         static constexpr std::string_view ProfileKey{ "profile" };
         static constexpr std::string_view SuppressApplicationTitleKey{ "suppressApplicationTitle" };
         static constexpr std::string_view ColorSchemeKey{ "colorScheme" };
+        static constexpr std::string_view ElevateKey{ "elevate" };
 
     public:
         hstring GenerateName() const;
@@ -136,6 +138,7 @@ namespace winrt::Microsoft::Terminal::Settings::Model::implementation
                        otherAsUs->_ProfileIndex == _ProfileIndex &&
                        otherAsUs->_Profile == _Profile &&
                        otherAsUs->_SuppressApplicationTitle == _SuppressApplicationTitle &&
+                       otherAsUs->_Elevate == _Elevate &&
                        otherAsUs->_ColorScheme == _ColorScheme;
             }
             return false;
@@ -152,6 +155,7 @@ namespace winrt::Microsoft::Terminal::Settings::Model::implementation
             JsonUtils::GetValueForKey(json, TabColorKey, args->_TabColor);
             JsonUtils::GetValueForKey(json, SuppressApplicationTitleKey, args->_SuppressApplicationTitle);
             JsonUtils::GetValueForKey(json, ColorSchemeKey, args->_ColorScheme);
+            JsonUtils::GetValueForKey(json, ElevateKey, args->_Elevate);
             return *args;
         }
         static Json::Value ToJson(const Model::NewTerminalArgs& val)
@@ -170,6 +174,7 @@ namespace winrt::Microsoft::Terminal::Settings::Model::implementation
             JsonUtils::SetValueForKey(json, TabColorKey, args->_TabColor);
             JsonUtils::SetValueForKey(json, SuppressApplicationTitleKey, args->_SuppressApplicationTitle);
             JsonUtils::SetValueForKey(json, ColorSchemeKey, args->_ColorScheme);
+            JsonUtils::SetValueForKey(json, ElevateKey, args->_Elevate);
             return json;
         }
         Model::NewTerminalArgs Copy() const
@@ -183,11 +188,20 @@ namespace winrt::Microsoft::Terminal::Settings::Model::implementation
             copy->_Profile = _Profile;
             copy->_SuppressApplicationTitle = _SuppressApplicationTitle;
             copy->_ColorScheme = _ColorScheme;
+            copy->_Elevate = _Elevate;
             return *copy;
         }
         size_t Hash() const
         {
-            return ::Microsoft::Terminal::Settings::Model::HashUtils::HashProperty(Commandline(), StartingDirectory(), TabTitle(), TabColor(), ProfileIndex(), Profile(), SuppressApplicationTitle(), ColorScheme());
+            return ::Microsoft::Terminal::Settings::Model::HashUtils::HashProperty(Commandline(),
+                                                                                   StartingDirectory(),
+                                                                                   TabTitle(),
+                                                                                   TabColor(),
+                                                                                   ProfileIndex(),
+                                                                                   Profile(),
+                                                                                   SuppressApplicationTitle(),
+                                                                                   ColorScheme(),
+                                                                                   Elevate());
         }
     };
 

src/cascadia/TerminalSettingsModel/ActionArgs.idl

@@ -117,13 +117,20 @@ namespace Microsoft.Terminal.Settings.Model
         String TabTitle;
         Windows.Foundation.IReference<Windows.UI.Color> TabColor;
         String Profile; // Either a GUID or a profile's name if the GUID isn't a match
+
+        // We use IReference<> to treat some args as nullable where null means
+        // "use the inherited value". See ProfileIndex,
+        // SuppressApplicationTitle, Elevate. Strings that behave this way just
+        // use `null` as "use the inherited value".
+
         // ProfileIndex can be null (for "use the default"), so this needs to be
         // a IReference, so it's nullable
         Windows.Foundation.IReference<Int32> ProfileIndex { get; };
-
         Windows.Foundation.IReference<Boolean> SuppressApplicationTitle;
-
         String ColorScheme;
+        // This needs to be an optional so that the default value (null) does
+        // not modify whatever the profile's value is (either true or false)
+        Windows.Foundation.IReference<Boolean> Elevate { get; };
 
         Boolean Equals(NewTerminalArgs other);
         String GenerateName();

src/cascadia/TerminalSettingsModel/ApplicationState.cpp

@@ -9,8 +9,11 @@
 #include "ActionAndArgs.h"
 #include "JsonUtils.h"
 #include "FileUtils.h"
+#include "../../types/inc/utils.hpp"
 
 static constexpr std::wstring_view stateFileName{ L"state.json" };
+static constexpr std::wstring_view elevatedStateFileName{ L"elevated-state.json" };
+
 static constexpr std::string_view TabLayoutKey{ "tabLayout" };
 static constexpr std::string_view InitialPositionKey{ "initialPosition" };
 static constexpr std::string_view InitialSizeKey{ "initialSize" };
@@ -85,15 +88,9 @@ namespace winrt::Microsoft::Terminal::Settings::Model::implementation
         return trait.FromJson(root);
     }
 
-    // Returns the application-global ApplicationState object.
-    Microsoft::Terminal::Settings::Model::ApplicationState ApplicationState::SharedInstance()
-    {
-        static auto state = winrt::make_self<ApplicationState>(GetBaseSettingsPath() / stateFileName);
-        return *state;
-    }
-
-    ApplicationState::ApplicationState(std::filesystem::path path) noexcept :
-        _path{ std::move(path) },
+    ApplicationState::ApplicationState(const std::filesystem::path& stateRoot) noexcept :
+        _sharedPath{ stateRoot / stateFileName },
+        _elevatedPath{ stateRoot / elevatedStateFileName },
         _throttler{ std::chrono::seconds(1), [this]() { _write(); } }
     {
         _read();
@@ -102,9 +99,21 @@ namespace winrt::Microsoft::Terminal::Settings::Model::implementation
     // The destructor ensures that the last write is flushed to disk before returning.
     ApplicationState::~ApplicationState()
     {
+        TraceLoggingWrite(g_hSettingsModelProvider,
+                          "ApplicationState_Dtor_Start",
+                          TraceLoggingDescription("Event at the start of the ApplicationState destructor"),
+                          TraceLoggingLevel(WINEVENT_LEVEL_VERBOSE),
+                          TraceLoggingKeyword(TIL_KEYWORD_TRACE));
+
         // This will ensure that we not just cancel the last outstanding timer,
         // but instead force it to run as soon as possible and wait for it to complete.
         _throttler.flush();
+
+        TraceLoggingWrite(g_hSettingsModelProvider,
+                          "ApplicationState_Dtor_End",
+                          TraceLoggingDescription("Event at the end of the ApplicationState destructor"),
+                          TraceLoggingLevel(WINEVENT_LEVEL_VERBOSE),
+                          TraceLoggingKeyword(TIL_KEYWORD_TRACE));
     }
 
     // Re-read the state.json from disk.
@@ -113,34 +122,13 @@ namespace winrt::Microsoft::Terminal::Settings::Model::implementation
         _read();
     }
 
-    // Returns the state.json path on the disk.
-    winrt::hstring ApplicationState::FilePath() const noexcept
+    bool ApplicationState::IsStatePath(const winrt::hstring& filename)
     {
-        return winrt::hstring{ _path.wstring() };
+        static const auto sharedPath{ _sharedPath.filename() };
+        static const auto elevatedPath{ _elevatedPath.filename() };
+        return filename == sharedPath || filename == elevatedPath;
     }
 
-    // Generate all getter/setters
-#define MTSM_APPLICATION_STATE_GEN(type, name, key, ...)    \
-    type ApplicationState::name() const noexcept            \
-    {                                                       \
-        const auto state = _state.lock_shared();            \
-        const auto& value = state->name;                    \
-        return value ? *value : type{ __VA_ARGS__ };        \
-    }                                                       \
-                                                            \
-    void ApplicationState::name(const type& value) noexcept \
-    {                                                       \
-        {                                                   \
-            auto state = _state.lock();                     \
-            state->name.emplace(value);                     \
-            state->name##Changed = true;                    \
-        }                                                   \
-                                                            \
-        _throttler();                                       \
-    }
-    MTSM_APPLICATION_STATE_FIELDS(MTSM_APPLICATION_STATE_GEN)
-#undef MTSM_APPLICATION_STATE_GEN
-
     // Method Description:
     // - See GH#11119. Removes all of the data in this ApplicationState object
     //   and resets it to the defaults. This will delete the state file! That's
@@ -156,57 +144,58 @@ namespace winrt::Microsoft::Terminal::Settings::Model::implementation
     void ApplicationState::Reset() noexcept
     try
     {
-        LOG_LAST_ERROR_IF(!DeleteFile(_path.c_str()));
+        LOG_LAST_ERROR_IF(!DeleteFile(_sharedPath.c_str()));
+        LOG_LAST_ERROR_IF(!DeleteFile(_elevatedPath.c_str()));
         *_state.lock() = {};
     }
     CATCH_LOG()
 
-    Json::Value ApplicationState::_getRoot(const locked_hfile& file) const noexcept
-    {
-        Json::Value root;
-        try
-        {
-            const auto data = ReadUTF8FileLocked(file);
-            if (data.empty())
-            {
-                return root;
-            }
-
-            std::string errs;
-            std::unique_ptr<Json::CharReader> reader{ Json::CharReaderBuilder::CharReaderBuilder().newCharReader() };
-
-            if (!reader->parse(data.data(), data.data() + data.size(), &root, &errs))
-            {
-                throw winrt::hresult_error(WEB_E_INVALID_JSON_STRING, winrt::to_hstring(errs));
-            }
-        }
-        CATCH_LOG()
-
-        return root;
-    }
-
-    // Deserializes the state.json at _path into this ApplicationState.
+    // Deserializes the state.json and user-state (or elevated-state if
+    // elevated) into this ApplicationState.
     // * ANY errors during app state will result in the creation of a new empty state.
     // * ANY errors during runtime will result in changes being partially ignored.
     void ApplicationState::_read() const noexcept
     try
     {
-        auto state = _state.lock();
-        const auto file = OpenFileReadSharedLocked(_path);
+        std::string errs;
+        std::unique_ptr<Json::CharReader> reader{ Json::CharReaderBuilder::CharReaderBuilder().newCharReader() };
 
-        auto root = _getRoot(file);
-        // GetValueForKey() comes in two variants:
-        // * take a std::optional<T> reference
-        // * return std::optional<T> by value
-        // At the time of writing the former version skips missing fields in the json,
-        // but we want to explicitly clear state fields that were removed from state.json.
-#define MTSM_APPLICATION_STATE_GEN(type, name, key, ...)                         \
-    if (!state->name##Changed)                                                   \
-    {                                                                            \
-        state->name = JsonUtils::GetValueForKey<std::optional<type>>(root, key); \
-    }
-        MTSM_APPLICATION_STATE_FIELDS(MTSM_APPLICATION_STATE_GEN)
-#undef MTSM_APPLICATION_STATE_GEN
+        // First get shared state out of `state.json`.
+        const auto sharedData = _readSharedContents().value_or(std::string{});
+        if (!sharedData.empty())
+        {
+            Json::Value root;
+            if (!reader->parse(sharedData.data(), sharedData.data() + sharedData.size(), &root, &errs))
+            {
+                throw winrt::hresult_error(WEB_E_INVALID_JSON_STRING, winrt::to_hstring(errs));
+            }
+
+            // - If we're elevated, we want to only load the Shared properties
+            //   from state.json. We'll then load the Local props from
+            //   `elevated-state.json`
+            // - If we're unelevated, then load _everything_ from state.json.
+            if (::Microsoft::Console::Utils::IsElevated())
+            {
+                // Only load shared properties if we're elevated
+                FromJson(root, FileSource::Shared);
+
+                // Then, try and get anything in elevated-state
+                if (const auto localData{ _readLocalContents().value_or(std::string{}) }; !localData.empty())
+                {
+                    Json::Value root;
+                    if (!reader->parse(localData.data(), localData.data() + localData.size(), &root, &errs))
+                    {
+                        throw winrt::hresult_error(WEB_E_INVALID_JSON_STRING, winrt::to_hstring(errs));
+                    }
+                    FromJson(root, FileSource::Local);
+                }
+            }
+            else
+            {
+                // If we're unelevated, then load everything.
+                FromJson(root, FileSource::Shared | FileSource::Local);
+            }
+        }
     }
     CATCH_LOG()
 
@@ -214,29 +203,191 @@ namespace winrt::Microsoft::Terminal::Settings::Model::implementation
     // * Errors are only logged.
     // * _state->_writeScheduled is set to false, signaling our
     //   setters that _synchronize() needs to be called again.
-    void ApplicationState::_write() noexcept
+    void ApplicationState::_write() const noexcept
     try
     {
-        // re-read the state so that we can only update the properties that were changed.
-        Json::Value root{};
+        Json::StreamWriterBuilder wbuilder;
+
+        // When we're elevated, we've got to be tricky. We don't want to write
+        // our window state, allowed commandlines, and other Local properties
+        // into the shared `state.json`. But, if we only serialize the Shared
+        // properties to a json blob, then we'll omit windowState entirely,
+        // _removing_ the window state of the unelevated instance. Oh no!
+        //
+        // So, to be tricky, we'll first _load_ the shared state to a json blob.
+        // We'll then serialize our view of the shared properties on top of that
+        // blob. Then we'll write that blob back to the file. This will
+        // round-trip the Local properties for the unelevated instances
+        // untouched in state.json
+        //
+        // After that's done, we'll write our Local properties into
+        // elevated-state.json.
+        if (::Microsoft::Console::Utils::IsElevated())
         {
-            auto state = _state.lock();
-            const auto file = OpenFileRWExclusiveLocked(_path);
-            root = _getRoot(file);
+            std::string errs;
+            std::unique_ptr<Json::CharReader> reader{ Json::CharReaderBuilder::CharReaderBuilder().newCharReader() };
+            Json::Value root;
 
-#define MTSM_APPLICATION_STATE_GEN(type, name, key, ...)   \
-    if (state->name##Changed)                              \
-    {                                                      \
-        JsonUtils::SetValueForKey(root, key, state->name); \
-        state->name##Changed = false;                      \
-    }
-            MTSM_APPLICATION_STATE_FIELDS(MTSM_APPLICATION_STATE_GEN)
-#undef MTSM_APPLICATION_STATE_GEN
+            // First load the contents of state.json into a json blob. This will
+            // contain the Shared properties and the unelevated instance's Local
+            // properties.
+            const auto sharedData = _readSharedContents().value_or(std::string{});
+            if (!sharedData.empty())
+            {
+                if (!reader->parse(sharedData.data(), sharedData.data() + sharedData.size(), &root, &errs))
+                {
+                    throw winrt::hresult_error(WEB_E_INVALID_JSON_STRING, winrt::to_hstring(errs));
+                }
+            }
+            // Layer our shared properties on top of the blob from state.json,
+            // and write it back out.
+            _writeSharedContents(Json::writeString(wbuilder, _toJsonWithBlob(root, FileSource::Shared)));
 
-            Json::StreamWriterBuilder wbuilder;
-            const auto content = Json::writeString(wbuilder, root);
-            WriteUTF8FileLocked(file, content);
+            // Finally, write our Local properties back to elevated-state.json
+            _writeLocalContents(Json::writeString(wbuilder, ToJson(FileSource::Local)));
+        }
+        else
+        {
+            // We're unelevated, this is easy. Just write everything back out.
+            _writeLocalContents(Json::writeString(wbuilder, ToJson(FileSource::Local | FileSource::Shared)));
         }
     }
     CATCH_LOG()
+
+    // Returns the application-global ApplicationState object.
+    Microsoft::Terminal::Settings::Model::ApplicationState ApplicationState::SharedInstance()
+    {
+        std::filesystem::path root{ GetBaseSettingsPath() };
+        static auto state = winrt::make_self<ApplicationState>(root);
+        return *state;
+    }
+
+    // Method Description:
+    // - Loads data from the given json blob. Will only read the data that's in
+    //   the specified parseSource - so if we're reading the Local state file,
+    //   we won't destroy previously parsed Shared data.
+    // - READ: there's no layering for app state.
+    void ApplicationState::FromJson(const Json::Value& root, FileSource parseSource) const noexcept
+    {
+        auto state = _state.lock();
+        // GetValueForKey() comes in two variants:
+        // * take a std::optional<T> reference
+        // * return std::optional<T> by value
+        // At the time of writing the former version skips missing fields in the json,
+        // but we want to explicitly clear state fields that were removed from state.json.
+        //
+        // GH#11222: We only load properties that are of the same type (Local or
+        // Shared) which we requested. If we didn't want to load this type of
+        // property, just skip it.
+#define MTSM_APPLICATION_STATE_GEN(source, type, name, key, ...) \
+    if (WI_IsFlagSet(parseSource, source))                       \
+        state->name = JsonUtils::GetValueForKey<std::optional<type>>(root, key);
+
+        MTSM_APPLICATION_STATE_FIELDS(MTSM_APPLICATION_STATE_GEN)
+#undef MTSM_APPLICATION_STATE_GEN
+    }
+
+    Json::Value ApplicationState::ToJson(FileSource parseSource) const noexcept
+    {
+        Json::Value root{ Json::objectValue };
+        return _toJsonWithBlob(root, parseSource);
+    }
+
+    Json::Value ApplicationState::_toJsonWithBlob(Json::Value& root, FileSource parseSource) const noexcept
+    {
+        {
+            auto state = _state.lock_shared();
+
+            // GH#11222: We only write properties that are of the same type (Local
+            // or Shared) which we requested. If we didn't want to serialize this
+            // type of property, just skip it.
+#define MTSM_APPLICATION_STATE_GEN(source, type, name, key, ...) \
+    if (WI_IsFlagSet(parseSource, source))                       \
+        JsonUtils::SetValueForKey(root, key, state->name);
+
+            MTSM_APPLICATION_STATE_FIELDS(MTSM_APPLICATION_STATE_GEN)
+#undef MTSM_APPLICATION_STATE_GEN
+        }
+        return root;
+    }
+
+    // Generate all getter/setters
+#define MTSM_APPLICATION_STATE_GEN(source, type, name, key, ...) \
+    type ApplicationState::name() const noexcept                 \
+    {                                                            \
+        const auto state = _state.lock_shared();                 \
+        const auto& value = state->name;                         \
+        return value ? *value : type{ __VA_ARGS__ };             \
+    }                                                            \
+                                                                 \
+    void ApplicationState::name(const type& value) noexcept      \
+    {                                                            \
+        {                                                        \
+            auto state = _state.lock();                          \
+            state->name.emplace(value);                          \
+        }                                                        \
+                                                                 \
+        _throttler();                                            \
+    }
+    MTSM_APPLICATION_STATE_FIELDS(MTSM_APPLICATION_STATE_GEN)
+#undef MTSM_APPLICATION_STATE_GEN
+
+    // Method Description:
+    // - Read the contents of our "shared" state - state that should be shared
+    //   for elevated and unelevated instances. This is things like the list of
+    //   generated profiles, the command palette commandlines.
+    std::optional<std::string> ApplicationState::_readSharedContents() const
+    {
+        return ReadUTF8FileIfExists(_sharedPath);
+    }
+
+    // Method Description:
+    // - Read the contents of our "local" state - state that should be kept in
+    //   separate files for elevated and unelevated instances. This is things
+    //   like the persisted window state, and the approved commandlines (though,
+    //   those don't matter when unelevated).
+    // - When elevated, this will DELETE `elevated-state.json` if it has bad
+    //   permissions, so we don't potentially read malicious data.
+    std::optional<std::string> ApplicationState::_readLocalContents() const
+    {
+        return ::Microsoft::Console::Utils::IsElevated() ?
+                   ReadUTF8FileIfExists(_elevatedPath, true) :
+                   ReadUTF8FileIfExists(_sharedPath, false);
+    }
+
+    // Method Description:
+    // - Write the contents of our "shared" state - state that should be shared
+    //   for elevated and unelevated instances. This will atomically write to
+    //   `state.json`
+    void ApplicationState::_writeSharedContents(const std::string_view content) const
+    {
+        WriteUTF8FileAtomic(_sharedPath, content);
+    }
+
+    // Method Description:
+    // - Write the contents of our "local" state - state that should be kept in
+    //   separate files for elevated and unelevated instances. When elevated,
+    //   this will write to `elevated-state.json`, and when unelevated, this
+    //   will atomically write to `user-state.json`
+    void ApplicationState::_writeLocalContents(const std::string_view content) const
+    {
+        if (::Microsoft::Console::Utils::IsElevated())
+        {
+            // DON'T use WriteUTF8FileAtomic, which will write to a temporary file
+            // then rename that file to the final filename. That actually lets us
+            // overwrite the elevate file's contents even when unelevated, because
+            // we're effectively deleting the original file, then renaming a
+            // different file in it's place.
+            //
+            // We're not worried about someone else doing that though, if they do
+            // that with the wrong permissions, then we'll just ignore the file and
+            // start over.
+            WriteUTF8File(_elevatedPath, content, true);
+        }
+        else
+        {
+            WriteUTF8FileAtomic(_sharedPath, content);
+        }
+    }
+
 }

src/cascadia/TerminalSettingsModel/ApplicationState.h

@@ -16,21 +16,30 @@ Abstract:
 #include "WindowLayout.g.h"
 
 #include <inc/cppwinrt_utils.h>
-#include <til/mutex.h>
-#include <til/throttled_func.h>
-#include "FileUtils.h"
 #include <JsonUtils.h>
 
+namespace winrt::Microsoft::Terminal::Settings::Model::implementation
+{
+    // If a property is Shared, then it'll be stored in `state.json`, and used
+    // in both elevated and unelevated instances of the Terminal. If a property
+    // is marked Local, then it will have separate values for elevated and
+    // unelevated instances.
+    enum FileSource : int
+    {
+        Shared = 0x1,
+        Local = 0x2
+    };
+    DEFINE_ENUM_FLAG_OPERATORS(FileSource);
+
 // This macro generates all getters and setters for ApplicationState.
 // It provides X with the following arguments:
-//   (type, function name, JSON key, ...variadic construction arguments)
-namespace winrt::Microsoft::Terminal::Settings::Model::implementation
-{
-#define MTSM_APPLICATION_STATE_FIELDS(X)                                                                                \
-    X(std::unordered_set<winrt::guid>, GeneratedProfiles, "generatedProfiles")                                          \
-    X(Windows::Foundation::Collections::IVector<Model::WindowLayout>, PersistedWindowLayouts, "persistedWindowLayouts") \
-    X(Windows::Foundation::Collections::IVector<hstring>, RecentCommands, "recentCommands")                             \
-    X(Windows::Foundation::Collections::IVector<winrt::Microsoft::Terminal::Settings::Model::InfoBarMessage>, DismissedMessages, "dismissedMessages")
+//   (source, type, function name, JSON key, ...variadic construction arguments)
+#define MTSM_APPLICATION_STATE_FIELDS(X)                                                                                                                                  \
+    X(FileSource::Shared, std::unordered_set<winrt::guid>, GeneratedProfiles, "generatedProfiles")                                                                        \
+    X(FileSource::Local, Windows::Foundation::Collections::IVector<Model::WindowLayout>, PersistedWindowLayouts, "persistedWindowLayouts")                                \
+    X(FileSource::Shared, Windows::Foundation::Collections::IVector<hstring>, RecentCommands, "recentCommands")                                                           \
+    X(FileSource::Shared, Windows::Foundation::Collections::IVector<winrt::Microsoft::Terminal::Settings::Model::InfoBarMessage>, DismissedMessages, "dismissedMessages") \
+    X(FileSource::Local, Windows::Foundation::Collections::IVector<hstring>, AllowedCommandlines, "allowedCommandlines")
 
     struct WindowLayout : WindowLayoutT<WindowLayout>
     {
@@ -44,23 +53,26 @@ namespace winrt::Microsoft::Terminal::Settings::Model::implementation
         friend ::Microsoft::Terminal::Settings::Model::JsonUtils::ConversionTrait<Model::WindowLayout>;
     };
 
-    struct ApplicationState : ApplicationStateT<ApplicationState>
+    struct ApplicationState : public ApplicationStateT<ApplicationState>
     {
         static Microsoft::Terminal::Settings::Model::ApplicationState SharedInstance();
 
-        ApplicationState(std::filesystem::path path) noexcept;
+        ApplicationState(const std::filesystem::path& stateRoot) noexcept;
         ~ApplicationState();
 
         // Methods
         void Reload() const noexcept;
         void Reset() noexcept;
 
+        void FromJson(const Json::Value& root, FileSource parseSource) const noexcept;
+        Json::Value ToJson(FileSource parseSource) const noexcept;
+
         // General getters/setters
-        winrt::hstring FilePath() const noexcept;
+        bool IsStatePath(const winrt::hstring& filename);
 
         // State getters/setters
-#define MTSM_APPLICATION_STATE_GEN(type, name, key, ...) \
-    type name() const noexcept;                          \
+#define MTSM_APPLICATION_STATE_GEN(source, type, name, key, ...) \
+    type name() const noexcept;                                  \
     void name(const type& value) noexcept;
         MTSM_APPLICATION_STATE_FIELDS(MTSM_APPLICATION_STATE_GEN)
 #undef MTSM_APPLICATION_STATE_GEN
@@ -68,21 +80,24 @@ namespace winrt::Microsoft::Terminal::Settings::Model::implementation
     private:
         struct state_t
         {
-#define MTSM_APPLICATION_STATE_GEN(type, name, key, ...) \
-    std::optional<type> name{ __VA_ARGS__ };             \
-    bool name##Changed = false;
-
+#define MTSM_APPLICATION_STATE_GEN(source, type, name, key, ...) std::optional<type> name{ __VA_ARGS__ };
             MTSM_APPLICATION_STATE_FIELDS(MTSM_APPLICATION_STATE_GEN)
 #undef MTSM_APPLICATION_STATE_GEN
         };
+        til::shared_mutex<state_t> _state;
+        std::filesystem::path _sharedPath;
+        std::filesystem::path _elevatedPath;
+        til::throttled_func_trailing<> _throttler;
 
-        Json::Value _getRoot(const winrt::Microsoft::Terminal::Settings::Model::locked_hfile& file) const noexcept;
-        void _write() noexcept;
+        void _write() const noexcept;
         void _read() const noexcept;
 
-        std::filesystem::path _path;
-        til::shared_mutex<state_t> _state;
-        til::throttled_func_trailing<> _throttler;
+        Json::Value _toJsonWithBlob(Json::Value& root, FileSource parseSource) const noexcept;
+
+        std::optional<std::string> _readSharedContents() const;
+        void _writeSharedContents(const std::string_view content) const;
+        std::optional<std::string> _readLocalContents() const;
+        void _writeLocalContents(const std::string_view content) const;
     };
 }
 

src/cascadia/TerminalSettingsModel/ApplicationState.idl

@@ -30,12 +30,15 @@ namespace Microsoft.Terminal.Settings.Model
         void Reload();
         void Reset();
 
-        String FilePath { get; };
+        Boolean IsStatePath(String filename);
 
         Windows.Foundation.Collections.IVector<WindowLayout> PersistedWindowLayouts { get; set; };
 
         Windows.Foundation.Collections.IVector<String> RecentCommands { get; set; };
 
         Windows.Foundation.Collections.IVector<InfoBarMessage> DismissedMessages { get; set; };
+
+        Windows.Foundation.Collections.IVector<String> AllowedCommandlines { get; set; };
+
     }
 }

src/cascadia/TerminalSettingsModel/FileUtils.cpp

@@ -8,6 +8,10 @@
 #include <shlobj.h>
 #include <WtExeUtils.h>
 
+#include <aclapi.h>
+#include <sddl.h>
+#include <wil/token_helpers.h>
+
 static constexpr std::string_view Utf8Bom{ u8"\uFEFF" };
 static constexpr std::wstring_view UnpackagedSettingsFolderName{ L"Microsoft\\Windows Terminal\\" };
 
@@ -39,86 +43,44 @@ namespace winrt::Microsoft::Terminal::Settings::Model
         return baseSettingsPath;
     }
 
-    locked_hfile OpenFileReadSharedLocked(const std::filesystem::path& path)
+    // Function Description:
+    // - Checks the permissions on this file, to make sure it can only be opened
+    //   for writing by admins. We will be checking to see if the file is owned
+    //   by the Builtin\Administrators group. If it's not, then it was likely
+    //   tampered with.
+    // Arguments:
+    // - handle: a HANDLE to the file to check
+    // Return Value:
+    // - true if it had the expected permissions. False otherwise.
+    static bool _isOwnedByAdministrators(const HANDLE& handle)
     {
-        wil::unique_hfile file{ CreateFileW(path.c_str(), GENERIC_READ, FILE_SHARE_READ | FILE_SHARE_WRITE, nullptr, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, nullptr) };
-        THROW_LAST_ERROR_IF(!file);
-        // just lock the entire file
-        OVERLAPPED sOverlapped;
-        sOverlapped.Offset = 0;
-        sOverlapped.OffsetHigh = 0;
-        // Shared lock
-        THROW_LAST_ERROR_IF(!LockFileEx(file.get(),
-                                        0, // lock shared, wait to return until lock is obtained
-                                        0, // reserved, does nothing
-                                        INT_MAX, // lock INT_MAX bytes
-                                        0, // higher-order bytes, if our state file is greater than 2GB I guess this will be a problem
-                                        &sOverlapped));
-        return { std::move(file), sOverlapped };
+        // If the file is owned by the administrators group, trust the
+        // administrators instead of checking the DACL permissions. It's simpler
+        // and more flexible.
+
+        wil::unique_hlocal_security_descriptor sd;
+        PSID psidOwner{ nullptr };
+        // The psidOwner pointer references the security descriptor, so it
+        // doesn't have to be freed separate from sd.
+        const auto status = GetSecurityInfo(handle,
+                                            SE_FILE_OBJECT,
+                                            OWNER_SECURITY_INFORMATION,
+                                            &psidOwner,
+                                            nullptr,
+                                            nullptr,
+                                            nullptr,
+                                            wil::out_param_ptr<PSECURITY_DESCRIPTOR*>(sd));
+        THROW_IF_WIN32_ERROR(status);
+
+        wil::unique_any_psid psidAdmins{ nullptr };
+        THROW_IF_WIN32_BOOL_FALSE(
+            ConvertStringSidToSidW(L"BA", wil::out_param_ptr<PSID*>(psidAdmins)));
+
+        return EqualSid(psidOwner, psidAdmins.get());
     }
-
-    locked_hfile OpenFileRWExclusiveLocked(const std::filesystem::path& path)
-    {
-        wil::unique_hfile file{ CreateFileW(path.c_str(), GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, nullptr, OPEN_ALWAYS, FILE_ATTRIBUTE_NORMAL, nullptr) };
-        THROW_LAST_ERROR_IF(!file);
-        // just lock the entire file
-        OVERLAPPED sOverlapped;
-        sOverlapped.Offset = 0;
-        sOverlapped.OffsetHigh = 0;
-        // Shared lock
-        THROW_LAST_ERROR_IF(!LockFileEx(file.get(),
-                                        LOCKFILE_EXCLUSIVE_LOCK, // lock exclusive, wait to return until lock is obtained
-                                        0, // reserved, does nothing
-                                        INT_MAX, // lock INT_MAX bytes
-                                        0, // higher-order bytes, if our state file is greater than 2GB I guess this will be a problem
-                                        &sOverlapped));
-        return { std::move(file), sOverlapped };
-    }
-
-    std::string ReadUTF8FileLocked(const locked_hfile& file)
-    {
-        const auto fileSize = GetFileSize(file.get(), nullptr);
-        THROW_LAST_ERROR_IF(fileSize == INVALID_FILE_SIZE);
-
-        // By making our buffer just slightly larger we can detect if
-        // the file size changed and we've failed to read the full file.
-        std::string buffer(static_cast<size_t>(fileSize) + 1, '\0');
-        DWORD bytesRead = 0;
-        THROW_IF_WIN32_BOOL_FALSE(ReadFile(file.get(), buffer.data(), gsl::narrow<DWORD>(buffer.size()), &bytesRead, nullptr));
-
-        // As mentioned before our buffer was allocated oversized.
-        buffer.resize(bytesRead);
-
-        if (til::starts_with(buffer, Utf8Bom))
-        {
-            // Yeah this memmove()s the entire content.
-            // But I don't really want to deal with UTF8 BOMs any more than necessary,
-            // as basically not a single editor writes a BOM for UTF8.
-            buffer.erase(0, Utf8Bom.size());
-        }
-
-        return buffer;
-    }
-
-    void WriteUTF8FileLocked(const locked_hfile& file, const std::string_view& content)
-    {
-        // truncate the file because we want to overwrite it
-        SetFilePointer(file.get(), 0, nullptr, FILE_BEGIN);
-        THROW_IF_WIN32_BOOL_FALSE(SetEndOfFile(file.get()));
-
-        const auto fileSize = gsl::narrow<DWORD>(content.size());
-        DWORD bytesWritten = 0;
-        THROW_IF_WIN32_BOOL_FALSE(WriteFile(file.get(), content.data(), fileSize, &bytesWritten, nullptr));
-
-        if (bytesWritten != fileSize)
-        {
-            THROW_WIN32_MSG(ERROR_WRITE_FAULT, "failed to write whole file");
-        }
-    }
-
     // Tries to read a file somewhat atomically without locking it.
     // Strips the UTF8 BOM if it exists.
-    std::string ReadUTF8File(const std::filesystem::path& path)
+    std::string ReadUTF8File(const std::filesystem::path& path, const bool elevatedOnly)
     {
         // From some casual observations we can determine that:
         // * ReadFile() always returns the requested amount of data (unless the file is smaller)
@@ -126,9 +88,40 @@ namespace winrt::Microsoft::Terminal::Settings::Model
         // -> Lets add a retry-loop just in case, to not fail if the file size changed while reading.
         for (int i = 0; i < 3; ++i)
         {
-            wil::unique_hfile file{ CreateFileW(path.c_str(), GENERIC_READ, FILE_SHARE_READ | FILE_SHARE_WRITE, nullptr, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, nullptr) };
+            wil::unique_hfile file{ CreateFileW(path.c_str(),
+                                                GENERIC_READ,
+                                                FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,
+                                                nullptr,
+                                                OPEN_EXISTING,
+                                                FILE_ATTRIBUTE_NORMAL,
+                                                nullptr) };
             THROW_LAST_ERROR_IF(!file);
 
+            // Open the file _first_, then check if it has the right
+            // permissions. This prevents a "Time-of-check to time-of-use"
+            // vulnerability where a malicious exe could delete the file and
+            // replace it between us checking the permissions, and reading the
+            // contents. We've got a handle to the file now, which means we're
+            // going to read the contents of that instance of the file
+            // regardless. If someone replaces the file on us before we get to
+            // the GetSecurityInfo call below, then only the subsequent call to
+            // ReadUTF8File will notice it.
+            if (elevatedOnly)
+            {
+                const bool hadExpectedPermissions{ _isOwnedByAdministrators(file.get()) };
+                if (!hadExpectedPermissions)
+                {
+                    // Close the handle
+                    file.reset();
+
+                    // delete the file. It's been compromised.
+                    LOG_LAST_ERROR_IF(!DeleteFile(path.c_str()));
+
+                    // Exit early, because obviously there's nothing to read from the deleted file.
+                    return "";
+                }
+            }
+
             const auto fileSize = GetFileSize(file.get(), nullptr);
             THROW_LAST_ERROR_IF(fileSize == INVALID_FILE_SIZE);
 
@@ -166,11 +159,11 @@ namespace winrt::Microsoft::Terminal::Settings::Model
     }
 
     // Same as ReadUTF8File, but returns an empty optional, if the file couldn't be opened.
-    std::optional<std::string> ReadUTF8FileIfExists(const std::filesystem::path& path)
+    std::optional<std::string> ReadUTF8FileIfExists(const std::filesystem::path& path, const bool elevatedOnly)
     {
         try
         {
-            return { ReadUTF8File(path) };
+            return { ReadUTF8File(path, elevatedOnly) };
         }
         catch (const wil::ResultException& exception)
         {
@@ -183,9 +176,70 @@ namespace winrt::Microsoft::Terminal::Settings::Model
         }
     }
 
-    void WriteUTF8File(const std::filesystem::path& path, const std::string_view& content)
+    void WriteUTF8File(const std::filesystem::path& path,
+                       const std::string_view& content,
+                       const bool elevatedOnly)
     {
-        wil::unique_hfile file{ CreateFileW(path.c_str(), GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, nullptr, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, nullptr) };
+        SECURITY_ATTRIBUTES sa;
+        // stash the security descriptor here, so it will stay in context until
+        // after the call to CreateFile. If it gets cleaned up before that, then
+        // CreateFile will fail
+        wil::unique_hlocal_security_descriptor sd;
+        if (elevatedOnly)
+        {
+            // Initialize the security descriptor so only admins can write the
+            // file. We'll initialize the SECURITY_DESCRIPTOR with a
+            // single entry (ACE) -- a mandatory label (i.e. a
+            // LABEL_SECURITY_INFORMATION) that sets the file integrity level to
+            // "high",  with a no-write-up policy.
+            //
+            // When accessed from a security context at a lower integrity level,
+            // the no-write-up policy filters out rights that aren't in the
+            // object type's generic read and execute set (for the file type,
+            // that's FILE_GENERIC_READ | FILE_GENERIC_EXECUTE).
+            //
+            // Another option we considered here was manually setting the ACLs
+            // on this file such that Builtin\Admins could read&write the file,
+            // and all users could only read.
+            //
+            // Big thanks to @eryksun in GH#11222 for helping with this. This
+            // alternative method was chosen because it's considerably simpler.
+
+            // The required security descriptor can be created easily from the
+            // SDDL string: "S:(ML;;NW;;;HI)"
+            // (i.e. SACL:mandatory label;;no write up;;;high integrity level)
+            unsigned long cb;
+            THROW_IF_WIN32_BOOL_FALSE(
+                ConvertStringSecurityDescriptorToSecurityDescriptor(L"S:(ML;;NW;;;HI)",
+                                                                    SDDL_REVISION_1,
+                                                                    wil::out_param_ptr<PSECURITY_DESCRIPTOR*>(sd),
+                                                                    &cb));
+
+            // Initialize a security attributes structure.
+            sa.nLength = sizeof(SECURITY_ATTRIBUTES);
+            sa.lpSecurityDescriptor = sd.get();
+            sa.bInheritHandle = false;
+
+            // If we're running in an elevated context, when this file is
+            // created, it will automatically be owned by
+            // Builtin\Administrators, which will pass the above
+            // _isOwnedByAdministrators check.
+            //
+            // Programs running in an elevated context will be free to write the
+            // file, and unelevated processes will be able to read the file. An
+            // unelevated process could always delete the file and rename a new
+            // file in it's place (a la the way `vim.exe` saves files), but if
+            // they do that, the new file _won't_ be owned by Administrators,
+            // failing the above check.
+        }
+
+        wil::unique_hfile file{ CreateFileW(path.c_str(),
+                                            GENERIC_WRITE,
+                                            FILE_SHARE_READ | FILE_SHARE_DELETE,
+                                            elevatedOnly ? &sa : nullptr,
+                                            CREATE_ALWAYS,
+                                            FILE_ATTRIBUTE_NORMAL,
+                                            nullptr) };
         THROW_LAST_ERROR_IF(!file);
 
         const auto fileSize = gsl::narrow<DWORD>(content.size());
@@ -198,7 +252,8 @@ namespace winrt::Microsoft::Terminal::Settings::Model
         }
     }
 
-    void WriteUTF8FileAtomic(const std::filesystem::path& path, const std::string_view& content)
+    void WriteUTF8FileAtomic(const std::filesystem::path& path,
+                             const std::string_view& content)
     {
         // GH#10787: rename() will replace symbolic links themselves and not the path they point at.
         // It's thus important that we first resolve them before generating temporary path.

src/cascadia/TerminalSettingsModel/FileUtils.h

@@ -1,41 +1,11 @@
 // Copyright (c) Microsoft Corporation.
 // Licensed under the MIT license.
 
-#pragma once
-
 namespace winrt::Microsoft::Terminal::Settings::Model
 {
-    // I couldn't find a wil helper for this so I made it myself
-    class locked_hfile
-    {
-    public:
-        wil::unique_hfile file;
-        OVERLAPPED lockedRegion;
-
-        ~locked_hfile()
-        {
-            if (file)
-            {
-                // Need to unlock the file before it is closed
-                UnlockFileEx(file.get(), 0, INT_MAX, 0, &lockedRegion);
-            }
-        }
-
-        HANDLE get() const noexcept
-        {
-            return file.get();
-        }
-    };
-
     std::filesystem::path GetBaseSettingsPath();
-
-    locked_hfile OpenFileReadSharedLocked(const std::filesystem::path& path);
-    locked_hfile OpenFileRWExclusiveLocked(const std::filesystem::path& path);
-    std::string ReadUTF8FileLocked(const locked_hfile& file);
-    void WriteUTF8FileLocked(const locked_hfile& file, const std::string_view& content);
-
-    std::string ReadUTF8File(const std::filesystem::path& path);
-    std::optional<std::string> ReadUTF8FileIfExists(const std::filesystem::path& path);
-    void WriteUTF8File(const std::filesystem::path& path, const std::string_view& content);
+    std::string ReadUTF8File(const std::filesystem::path& path, const bool elevatedOnly = false);
+    std::optional<std::string> ReadUTF8FileIfExists(const std::filesystem::path& path, const bool elevatedOnly = false);
+    void WriteUTF8File(const std::filesystem::path& path, const std::string_view& content, const bool elevatedOnly = false);
     void WriteUTF8FileAtomic(const std::filesystem::path& path, const std::string_view& content);
 }

src/cascadia/TerminalSettingsModel/JsonUtils.h

@@ -382,7 +382,6 @@ namespace Microsoft::Terminal::Settings::Model::JsonUtils
     };
 
     template<typename T>
-
     struct ConversionTrait<std::unordered_map<std::string, T>>
     {
         std::unordered_map<std::string, T> FromJson(const Json::Value& json) const

src/cascadia/TerminalSettingsModel/MTSMSettings.h

@@ -73,7 +73,8 @@ Author(s):
     X(hstring, Icon, "icon", L"\uE756")                                                                                                                        \
     X(CloseOnExitMode, CloseOnExit, "closeOnExit", CloseOnExitMode::Graceful)                                                                                  \
     X(hstring, TabTitle, "tabTitle")                                                                                                                           \
-    X(Model::BellStyle, BellStyle, "bellStyle", BellStyle::Audible)
+    X(Model::BellStyle, BellStyle, "bellStyle", BellStyle::Audible)                                                                                            \
+    X(bool, Elevate, "elevate", false)
 
 #define MTSM_FONT_SETTINGS(X)                                                          \
     X(hstring, FontFace, "face", DEFAULT_FONT_FACE)                                    \

src/cascadia/TerminalSettingsModel/Profile.cpp

@@ -30,6 +30,7 @@ static constexpr std::string_view FontInfoKey{ "font" };
 static constexpr std::string_view PaddingKey{ "padding" };
 static constexpr std::string_view TabColorKey{ "tabColor" };
 static constexpr std::string_view UnfocusedAppearanceKey{ "unfocusedAppearance" };
+static constexpr std::string_view ElevateKey{ "elevate" };
 
 Profile::Profile(guid guid) noexcept :
     _Guid(guid)
@@ -333,5 +334,7 @@ Json::Value Profile::ToJson() const
         json[JsonKey(UnfocusedAppearanceKey)] = winrt::get_self<AppearanceConfig>(_UnfocusedAppearance.value())->ToJson();
     }
 
+    JsonUtils::SetValueForKey(json, ElevateKey, _Elevate);
+
     return json;
 }

src/cascadia/TerminalSettingsModel/Profile.idl

@@ -79,5 +79,6 @@ namespace Microsoft.Terminal.Settings.Model
         INHERITABLE_PROFILE_SETTING(Boolean, SnapOnInput);
         INHERITABLE_PROFILE_SETTING(Boolean, AltGrAliasing);
         INHERITABLE_PROFILE_SETTING(BellStyle, BellStyle);
+        INHERITABLE_PROFILE_SETTING(Boolean, Elevate);
     }
 }

src/cascadia/TerminalSettingsModel/TerminalSettings.cpp

@@ -155,6 +155,14 @@ namespace winrt::Microsoft::Terminal::Settings::Model::implementation
                     defaultSettings.ApplyColorScheme(scheme);
                 }
             }
+            // Elevate on NewTerminalArgs is an optional value, so the default
+            // value (null) doesn't override a profile's value. Note that
+            // elevate:false in an already elevated terminal does nothing - the
+            // profile will still be launched elevated.
+            if (newTerminalArgs.Elevate())
+            {
+                defaultSettings.Elevate(newTerminalArgs.Elevate().Value());
+            }
         }
 
         return settingsPair;
@@ -307,6 +315,8 @@ namespace winrt::Microsoft::Terminal::Settings::Model::implementation
             const til::color colorRef{ profile.TabColor().Value() };
             _TabColor = static_cast<winrt::Microsoft::Terminal::Core::Color>(colorRef);
         }
+
+        _Elevate = profile.Elevate();
     }
 
     // Method Description:

src/cascadia/TerminalSettingsModel/TerminalSettings.h

@@ -159,6 +159,8 @@ namespace winrt::Microsoft::Terminal::Settings::Model::implementation
         INHERITABLE_SETTING(Model::TerminalSettings, hstring, PixelShaderPath);
         INHERITABLE_SETTING(Model::TerminalSettings, bool, IntenseIsBold);
 
+        INHERITABLE_SETTING(Model::TerminalSettings, bool, Elevate, false);
+
     private:
         std::optional<std::array<Microsoft::Terminal::Core::Color, COLOR_TABLE_SIZE>> _ColorTable;
         gsl::span<Microsoft::Terminal::Core::Color> _getColorTableImpl();

src/cascadia/TerminalSettingsModel/TerminalSettings.idl

@@ -35,5 +35,7 @@ namespace Microsoft.Terminal.Settings.Model
         void ApplyColorScheme(ColorScheme scheme);
 
         ColorScheme AppliedColorScheme;
+
+        Boolean Elevate;
     };
 }

src/cascadia/TerminalSettingsModel/pch.h

@@ -53,3 +53,6 @@ TRACELOGGING_DECLARE_PROVIDER(g_hSettingsModelProvider);
 
 // Manually include til after we include Windows.Foundation to give it winrt superpowers
 #include "til.h"
+
+#include <til/mutex.h>
+#include <til/throttled_func.h>

src/cascadia/WindowsTerminal/AppHost.cpp

@@ -845,8 +845,30 @@ winrt::Windows::Foundation::IAsyncAction AppHost::_SaveWindowLayouts()
 
     if (_logic.ShouldUsePersistedLayout())
     {
-        const auto layoutJsons = _windowManager.GetAllWindowLayouts();
-        _logic.SaveWindowLayoutJsons(layoutJsons);
+        try
+        {
+            TraceLoggingWrite(g_hWindowsTerminalProvider,
+                              "AppHost_SaveWindowLayouts_Collect",
+                              TraceLoggingDescription("Logged when collecting window state"),
+                              TraceLoggingLevel(WINEVENT_LEVEL_VERBOSE),
+                              TraceLoggingKeyword(TIL_KEYWORD_TRACE));
+            const auto layoutJsons = _windowManager.GetAllWindowLayouts();
+            TraceLoggingWrite(g_hWindowsTerminalProvider,
+                              "AppHost_SaveWindowLayouts_Save",
+                              TraceLoggingDescription("Logged when writing window state"),
+                              TraceLoggingLevel(WINEVENT_LEVEL_VERBOSE),
+                              TraceLoggingKeyword(TIL_KEYWORD_TRACE));
+            _logic.SaveWindowLayoutJsons(layoutJsons);
+        }
+        catch (...)
+        {
+            LOG_CAUGHT_EXCEPTION();
+            TraceLoggingWrite(g_hWindowsTerminalProvider,
+                              "AppHost_SaveWindowLayouts_Failed",
+                              TraceLoggingDescription("An error occurred when collecting or writing window state"),
+                              TraceLoggingLevel(WINEVENT_LEVEL_VERBOSE),
+                              TraceLoggingKeyword(TIL_KEYWORD_TRACE));
+        }
     }
 
     co_return;
@@ -867,6 +889,12 @@ winrt::fire_and_forget AppHost::_SaveWindowLayoutsRepeat()
     // per 10 seconds, if a save is requested by another source simultaneously.
     if (_getWindowLayoutThrottler.has_value())
     {
+        TraceLoggingWrite(g_hWindowsTerminalProvider,
+                          "AppHost_requestGetLayout",
+                          TraceLoggingDescription("Logged when triggering a throttled write of the window state"),
+                          TraceLoggingLevel(WINEVENT_LEVEL_VERBOSE),
+                          TraceLoggingKeyword(TIL_KEYWORD_TRACE));
+
         _getWindowLayoutThrottler.value()();
     }
 }

src/types/inc/utils.hpp

@@ -94,4 +94,5 @@ namespace Microsoft::Console::Utils
 
     GUID CreateV5Uuid(const GUID& namespaceGuid, const gsl::span<const gsl::byte> name);
 
+    bool IsElevated();
 }

src/types/utils.cpp

@@ -5,6 +5,8 @@
 #include "inc/utils.hpp"
 #include "inc/colorTable.hpp"
 
+#include <wil/token_helpers.h>
+
 using namespace Microsoft::Console;
 
 // Routine Description:
@@ -559,3 +561,33 @@ GUID Utils::CreateV5Uuid(const GUID& namespaceGuid, const gsl::span<const gsl::b
     ::memcpy_s(&newGuid, sizeof(GUID), buffer.data(), sizeof(GUID));
     return EndianSwap(newGuid);
 }
+
+bool Utils::IsElevated()
+{
+    static bool isElevated = []() {
+        try
+        {
+            wil::unique_handle processToken{ GetCurrentProcessToken() };
+            const auto elevationType = wil::get_token_information<TOKEN_ELEVATION_TYPE>(processToken.get());
+            const auto elevationState = wil::get_token_information<TOKEN_ELEVATION>(processToken.get());
+            if (elevationType == TokenElevationTypeDefault && elevationState.TokenIsElevated)
+            {
+                // In this case, the user has UAC entirely disabled. This is sort of
+                // weird, we treat this like the user isn't an admin at all. There's no
+                // separation of powers, so the things we normally want to gate on
+                // "having special powers" doesn't apply.
+                //
+                // See GH#7754, GH#11096
+                return false;
+            }
+
+            return wil::test_token_membership(nullptr, SECURITY_NT_AUTHORITY, SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_ADMINS);
+        }
+        catch (...)
+        {
+            LOG_CAUGHT_EXCEPTION();
+            return false;
+        }
+    }();
+    return isElevated;
+}