claude-code - 💡(How to fix) Fix [BUG] Cowork's `spawnLocalProcess` fails immediately with `errno: -4094, code: 'UNKNOWN', syscall: 'spawn'` on enterprise Windows machines with WDAC (Windows Defender Application Control) kernel-mode enforcement enabled. [1 participants]

anthropics/claude-code#56341, fetched 2026-05-06 06:30:44


Preflight Checklist

  • I have searched existing issues and this hasn't been reported yet
  • This is a single bug report (please file separate reports for different bugs)
  • I am using the latest version of Claude Code

What's Wrong?

Cowork's spawnLocalProcess fails immediately with errno: -4094, code: 'UNKNOWN', syscall: 'spawn' on enterprise Windows machines with WDAC (Windows Defender Application Control) kernel-mode enforcement enabled. Cowork is completely non-functional on affected machines — every session fails at initialization.

Environment

  • OS: Windows 11 Enterprise, Intune Autopilot enrolled
  • Hardware: ThinkPad P14s Gen 6 AMD
  • Claude Desktop: MSIX package Claude_1.5354.0.0_x64__pzs8sxrjxfjjc
  • Claude Code SDK: 2.1.121
  • WDAC status: Kernel-mode enforced (SecurityServicesRunning: {2,3,4}, VirtualizationBasedSecurityStatus: 2)
  • HVCI: Enabled (UEFI-locked)

Steps to Reproduce

  1. Install Claude Desktop via MSIX on a Windows 11 machine with WDAC kernel-mode enforcement enabled
  2. Start any Cowork task
  3. Session fails immediately with spawn UNKNOWN

Verify WDAC status with:

Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard |
    Select-Object SecurityServicesRunning, VirtualizationBasedSecurityStatus, CodeIntegrityPolicyEnforcementStatus

Affected machines have SecurityServicesRunning including 2 and VirtualizationBasedSecurityStatus = 2.

Error from main.log

[error] Session initialization failed: spawn UNKNOWN {
  errno: -4094,
  code: 'UNKNOWN',
  syscall: 'spawn',
  stack: 'Error: spawn UNKNOWN
    at ChildProcess.spawn (node:internal/child_process:441:11)
    at Object.spawn (node:child_process:810:9)
    at nXi.spawnLocalProcess (…index.js:235:2728)
    at nXi.initialize (…index.js:235:7165)'
}

Key Findings

The spawn never reaches the OS. Process Monitor shows zero Process Create events and zero filesystem access to the claude-code directory during spawn attempts. No Event ID 4688 is logged. The failure occurs inside libuv's uv_spawn before CreateProcessW is called, returning an unmapped NTSTATUS that surfaces as UV_UNKNOWN.

The VM is healthy. Boots successfully, network connected, API reachable, SDK installs. host_loop_mode: true — failure is on the host side only.

claude.exe is valid. Properly signed (Anthropic EV cert via DigiCert, valid), executes fine from PowerShell with a full token (--version → exit 0). Fails silently (exit 1, no output) under a limited token via runas /trustlevel:0x20000.

Spawn target paths only exist in the MSIX-virtualized filesystem:

# From sdkOptions logged before each failure:
executable: 'C:\Users\...\AppData\Roaming\Claude\claude-code\2.1.121\claude.exe'
cwd:        'C:\Users\...\AppData\Roaming\Claude\local-agent-mode-sessions\...\outputs'

# Neither path exists at the real filesystem location — only at:
# %LOCALAPPDATA%\Packages\Claude_pzs8sxrjxfjjc\LocalCache\Roaming\Claude\...

Creating a symlink at the real path did not resolve the issue.

Ruled Out

The following were fully investigated and confirmed NOT to be the cause:

  • AppLocker (AllowedByDefault, no Event ID 866 blocks)
  • ASR rules (16 rules, all Audit mode)
  • WDAC user-mode enforcement (not enforced, status 0)
  • WDAC enforcement blocks (no Event ID 3077 or 3089)
  • Exploit Protection / DisallowChildProcessCreation (OFF on Claude Desktop)
  • Defender / SmartScreen (no blocks logged)
  • Git Bash, WSL, CLAUDE_CODE_GIT_BASH_PATH (all configured, did not fix)
  • HVCI Intune exemption (UEFI-locked, could not disable, did not fix)
  • Binary signature (valid Anthropic EV cert)
  • Environment block (40 vars, 1925 chars, no control characters)
  • MSIX manifest (has runFullTrust, unvirtualizedResources, localSystemServices)

Separate Packaging Defect

The Claude MSIX package is missing AppxMetadata\CodeIntegrity.cat — the entire AppxMetadata directory is absent. Microsoft's own MSIX packages (e.g. Windows Calculator) include this file. Windows logs repeated Event ID 3010 errors ("unable to load catalog, STATUS_OBJECT_PATH_NOT_FOUND") timed to each Cowork attempt.

Note: CodeIntegrity.cat validates PE files inside the MSIX package, not external binaries, so this is unlikely to be the direct cause of the spawn failure. It is a separate packaging defect that should be corrected regardless.

Questions for Anthropic Engineering

  1. Why does uv_spawn fail before CreateProcessW is called on WDAC kernel-enforced machines? What NTSTATUS is actually being returned?
  2. Does spawnLocalProcess account for MSIX filesystem virtualization when constructing the spawn target path and cwd?
  3. Does the MSIX container assign a limited token to the child process during spawn? claude.exe exits silently under a limited token.
  4. What is the specific interaction between WDAC kernel enforcement and the Electron/Node.js spawn call that causes the failure?

Impact

Affects all Intune Autopilot-enrolled enterprise machines with WDAC kernel enforcement — a standard enterprise security baseline. Cowork is completely non-functional on these machines. Chat and all non-Cowork features work normally.



Claude Model

Not sure / Multiple models

Is this a regression?

No, this never worked

Last Working Version

No response

Claude Code Version

2.1.121 (Claude Code)

Platform

Other

Operating System

Windows

Terminal/Shell

Non-interactive/CI environment

Additional Information

No response

extent analysis

TL;DR

The issue is likely due to the interaction between WDAC kernel enforcement and the Electron/Node.js spawn call, causing uv_spawn to fail before CreateProcessW is called, and can be mitigated by adjusting the MSIX package configuration or the spawn target path.

Guidance

  • Investigate the NTSTATUS returned by uv_spawn to understand the specific error cause.
  • Verify if spawnLocalProcess accounts for MSIX filesystem virtualization when constructing the spawn target path and cwd.
  • Check if the MSIX container assigns a limited token to the child process during spawn, which might cause claude.exe to exit silently.
  • Consider adding AppxMetadata\CodeIntegrity.cat to the MSIX package to resolve the separate packaging defect, although it's unlikely to be the direct cause of the spawn failure.

Example

No code snippet is provided as the issue is related to the interaction between WDAC, MSIX, and Electron/Node.js, and requires a deeper understanding of the underlying system configuration.

Notes

The issue is specific to Windows 11 Enterprise machines with WDAC kernel-mode enforcement enabled, and the provided information suggests that the failure occurs inside libuv's uv_spawn before CreateProcessW is called. The MSIX package configuration and the spawn target path construction are potential areas of investigation.

Recommendation

Apply a workaround by adjusting the MSIX package configuration or the spawn target path to accommodate the WDAC kernel enforcement and MSIX filesystem virtualization. This might involve modifying the spawnLocalProcess function to account for the virtualized filesystem or adjusting the MSIX package to include the necessary configuration files.
