Improve MOTW error handling in download flow (#6127)

####  DownloadFlow.cpp

- Reorder workflow: RenameDownloadedInstaller now runs before
UpdateInstallerFileMotwIfApplicable, so AES always scans the
properly-named installer file.

####  Downloader.cpp — RemoveMotwIfApplicable

- Also handle ERROR_PATH_NOT_FOUND (in addition to ERROR_FILE_NOT_FOUND)
from IPersistFile::Load — different Windows builds return different
codes when no Zone.Identifier ADS is present.
- Restore missing THROW_IF_FAILED(hr) to correctly surface any other
Load failures rather than falling through to Remove()/Save() on an
unloaded object.

####  Downloader.cpp — ApplyMotwUsingIAttachmentExecuteIfApplicable

- Wrap RemoveMotwIfApplicable in a try/catch inside the updateMotw
lambda — log a warning but proceed to IAttachmentExecute::Save(). MOTW
removal is best-effort; a removal failure should not abort the
  security scan.
- Wrap the entire AES thread body in try/catch and log exceptions via
AICLI_LOG, so unhandled errors are surfaced rather than silently leaving
hr in an indeterminate state. Use LOG_IF_FAILED for
  CoInitializeEx so failures are captured through WIL.
- Fix the return value: previously aesSaveResult was always returned,
reporting S_OK when Save() was never reached (e.g. after CoInitializeEx
failure). Now returns the thread's hr when aesSaveResult was
  never updated

Author: Trenly

src/AppInstallerCLICore/Workflows/DownloadFlow.cpp

@@ -338,8 +338,8 @@ namespace AppInstaller::CLI::Workflow
 
         context <<
             VerifyInstallerHash <<
-            UpdateInstallerFileMotwIfApplicable <<
-            RenameDownloadedInstaller;
+            RenameDownloadedInstaller <<
+            UpdateInstallerFileMotwIfApplicable;
 
         if (installerDownloadOnly)
         {

src/AppInstallerCommonCore/Downloader.cpp

@@ -481,16 +481,20 @@ namespace AppInstaller::Utility
         THROW_IF_FAILED(zoneIdentifier.As(&persistFile));
 
         auto hr = persistFile->Load(filePath.c_str(), STGM_READ);
-        if (hr == HRESULT_FROM_WIN32(ERROR_FILE_NOT_FOUND))
+        if (hr == HRESULT_FROM_WIN32(ERROR_FILE_NOT_FOUND) ||
+            hr == HRESULT_FROM_WIN32(ERROR_PATH_NOT_FOUND))
         {
-            // IPersistFile::Load returns same error for "file not found" and "motw not found".
+            // IPersistFile::Load can return ERROR_FILE_NOT_FOUND or ERROR_PATH_NOT_FOUND for
+            // both "file not found" and "motw not found" depending on the Windows build.
             // Check if the file exists to be sure we are on the "motw not found" case.
             THROW_HR_IF(HRESULT_FROM_WIN32(ERROR_FILE_NOT_FOUND), !std::filesystem::exists(filePath));
 
             AICLI_LOG(Core, Info, << "File does not contain motw. Skipped removing motw");
             return;
         }
 
+        THROW_IF_FAILED(hr);
+
         THROW_IF_FAILED(zoneIdentifier->Remove());
         THROW_IF_FAILED(persistFile->Save(NULL, TRUE));
 
@@ -516,8 +520,17 @@ namespace AppInstaller::Utility
             RETURN_IF_FAILED(attachmentExecute->SetLocalPath(filePath.c_str()));
             RETURN_IF_FAILED(attachmentExecute->SetSource(Utility::ConvertToUTF16(source).c_str()));
 
-            // IAttachmentExecute::Save() expects the local file to be clean(i.e. it won't clear existing motw if it thinks the source url is trusted)
-            RemoveMotwIfApplicable(filePath);
+            // IAttachmentExecute::Save() expects the local file to be clean (i.e. it won't clear existing motw if it thinks the source url is trusted).
+            // If removal fails for any reason, log a warning and proceed — a removal failure should not abort the security check.
+            try
+            {
+                RemoveMotwIfApplicable(filePath);
+            }
+            catch (...)
+            {
+                HRESULT hrRemoveMotw = wil::ResultFromCaughtException();
+                AICLI_LOG(Core, Warning, << "RemoveMotwIfApplicable failed before IAttachmentExecute::Save(). Result: " << hrRemoveMotw << ". Proceeding with Save()");
+            }
 
             aesSaveResult = attachmentExecute->Save();
 
@@ -536,21 +549,31 @@ namespace AppInstaller::Utility
 
         std::thread aesThread([&]()
             {
-                hr = CoInitializeEx(nullptr, COINIT_APARTMENTTHREADED);
-                if (FAILED(hr))
+                try
                 {
-                    return;
-                }
+                    hr = LOG_IF_FAILED(CoInitializeEx(nullptr, COINIT_APARTMENTTHREADED));
+                    if (FAILED(hr))
+                    {
+                        return;
+                    }
 
-                hr = updateMotw();
-                CoUninitialize();
+                    hr = updateMotw();
+                    CoUninitialize();
+                }
+                catch (...)
+                {
+                    hr = wil::ResultFromCaughtException();
+                    AICLI_LOG(Core, Error, << "Exception in IAttachmentExecute thread. Result: " << hr);
+                }
             });
 
         aesThread.join();
 
         AICLI_LOG(Core, Info, << "Finished applying motw using IAttachmentExecute. Result: " << hr << " IAttachmentExecute::Save() result: " << aesSaveResult);
 
-        return aesSaveResult;
+        // Return the thread's hr when aesSaveResult was never updated (e.g. CoInitializeEx failure or exception
+        // before IAttachmentExecute::Save() was called), so the caller sees the real failure instead of S_OK.
+        return (FAILED(hr) && aesSaveResult == S_OK) ? hr : aesSaveResult;
     }
 
     Microsoft::WRL::ComPtr<IStream> GetReadOnlyStreamFromURI(std::string_view uriStr)