[Windows Sandbox] Turn on MITIGATION_EXTENSION_POINT_DISABLE for child processes.

chrome/browser/win/chrome_elf_init.cc

Index: chrome/browser/win/chrome_elf_init.cc
diff --git a/chrome/browser/win/chrome_elf_init.cc b/chrome/browser/win/chrome_elf_init.cc
index 5c091296c46aa393c7ca68a47c3c5139a3b0b775..d954dbe45454e49c1eb427ed904e44cb31a0cbb9 100644
--- a/chrome/browser/win/chrome_elf_init.cc
+++ b/chrome/browser/win/chrome_elf_init.cc
@@ -18,6 +18,7 @@
 #include "chrome_elf/dll_hash/dll_hash.h"
 #include "components/variations/variations_associated_data.h"
 #include "content/public/browser/browser_thread.h"
+#include "content/public/common/content_features.h"
 
 const char kBrowserBlacklistTrialName[] = "BrowserBlacklist";
 const char kBrowserBlacklistTrialDisabledGroupName[] = "NoBlacklist";
@@ -109,6 +110,22 @@ void InitializeChromeElf() {
       FROM_HERE,
       base::Bind(&ReportSuccessfulBlocks),
       base::TimeDelta::FromSeconds(kBlacklistReportingDelaySec));
+
+  // Make sure the early finch emergency "off switch" for
+  // sandbox::MITIGATION_EXTENSION_POINT_DISABLE is set properly in reg.
+  // Note: the very existence of this key signals elf to not enable
+  // this mitigation on browser next start.
+  base::win::RegKey finch_security_registry_key(
+      HKEY_CURRENT_USER, elf_sec::kRegSecurityFinchPath, KEY_READ);
+
+  if (base::FeatureList::IsEnabled(features::kWinSboxDisableExtensionPoints)) {
+    if (finch_security_registry_key.Valid())
+      finch_security_registry_key.DeleteKey(L"");
+  } else {
+    if (!finch_security_registry_key.Valid())
+      finch_security_registry_key.Create(
+          HKEY_CURRENT_USER, elf_sec::kRegSecurityFinchPath, KEY_WRITE);
+  }
 }
 
 void BrowserBlacklistBeaconSetup() {