diff --git a/internal/gcs/bridge.go b/internal/gcs/bridge.go
index 0aa9d54536..17e54f8242 100644
--- a/internal/gcs/bridge.go
+++ b/internal/gcs/bridge.go
@@ -32,6 +32,8 @@ const (
 // maxMsgSize is the maximum size of an incoming message. This is not
 // enforced by the guest today but some maximum must be set to avoid
 // unbounded allocations.
+ //
+ // Matches HCS limitions on maximum (sent and received) message size.
 maxMsgSize = 0x10000
 )
@@ -266,7 +268,7 @@ func readMessage(r io.Reader) (int64, msgType, []byte, error) {
 var h [hdrSize]byte
 _, err := io.ReadFull(r, h[:])
 if err != nil {
- return 0, 0, nil, err
+ return 0, 0, nil, fmt.Errorf("header read: %w", err)
 }
 typ := msgType(binary.LittleEndian.Uint32(h[hdrOffType:]))
 n := binary.LittleEndian.Uint32(h[hdrOffSize:])
diff --git a/internal/guest/runtime/hcsv2/uvm.go b/internal/guest/runtime/hcsv2/uvm.go
index 9b02a21aa0..9e98cefc91 100644
--- a/internal/guest/runtime/hcsv2/uvm.go
+++ b/internal/guest/runtime/hcsv2/uvm.go
@@ -24,6 +24,7 @@ import (
 didx509resolver "github.com/Microsoft/didx509go/pkg/did-x509-resolver"
 "github.com/Microsoft/hcsshim/pkg/annotations"
 "github.com/Microsoft/hcsshim/pkg/securitypolicy"
+ cgroup1stats "github.com/containerd/cgroups/v3/cgroup1/stats"
 "github.com/mattn/go-shellwords"
 "github.com/opencontainers/runtime-spec/specs-go"
 "github.com/pkg/errors"
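Review bot: The added comment line in the const block misspells "limitations" (`limitions`) and leaves the direction of the limit unclear: the first sentence describes maxMsgSize as a bound on incoming messages, while the new sentence says the HCS limit covers sent and received messages. I would reword it to `// Matches the HCS limit on maximum message size (sent and received).` and, if the send path is not checked against this constant, say so next to the existing remark that the guest does not enforce it. The const block starts outside the hunk.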
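Review bot: Wrapping the header-read error in readMessage changes what callers see on an orderly disconnect: io.ReadFull returns a bare io.EOF when the peer closes before any header byte arrives, and after this change that value is only reachable through the wrap chain. Any caller outside this hunk that compares with `err == io.EOF` (the receive loop is the likely place, not visible here) would start treating a clean close as a read failure, so it should use `errors.Is(err, io.EOF)`. A comment above the return such as `// wrapped: callers must use errors.Is to detect io.EOF / io.ErrUnexpectedEOF` would make that contract visible. readMessage continues past the hunk.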
@@ -837,7 +838,16 @@ func (h *Host) GetProperties(ctx context.Context, containerID string, query prot
 if err != nil {
 return nil, err
 }
+ // zero out [Blkio] sections, since:
+ // 1. (Az)CRI (currently) only looks at the CPU and memory sections; and
+ // 2. it can get very large for containers with many layers
+ cgroupMetrics.Blkio.Reset()
+ // also preemptively zero out [Rdma] and [Network], since they could also grow untenable large
+ cgroupMetrics.Rdma.Reset()
+ cgroupMetrics.Network = []*cgroup1stats.NetworkStat{}
 properties.Metrics = cgroupMetrics
+ default:
+ log.G(ctx).WithField("propertyType", requestedProperty).Warn("unknown or empty property type")
 }
 }
diff --git a/internal/layers/lcow.go b/internal/layers/lcow.go
index 2a6da2a622..dccd994e87 100644
--- a/internal/layers/lcow.go
+++ b/internal/layers/lcow.go
@@ -10,6 +10,7 @@ import (
 "path/filepath"
 "strings"
+ "github.com/Microsoft/go-winio/pkg/fs"
 "github.com/containerd/containerd/api/types"
 "github.com/pkg/errors"
 "github.com/sirupsen/logrus"
@@ -77,7 +78,13 @@ func (lc *lcowLayersCloser) Release(ctx context.Context) (retErr error) {
 // Returns the path at which the `rootfs` of the container can be accessed. Also, returns the path inside the
 // UVM at which container scratch directory is located. Usually, this path is the path at which the container
 // scratch VHD is mounted. However, in case of scratch sharing this is a directory under the UVM scratch.
-func MountLCOWLayers(ctx context.Context, containerID string, layers *LCOWLayers, guestRoot string, vm *uvm.UtilityVM) (_, _ string, _ resources.ResourceCloser, err error) {
+func MountLCOWLayers(
+ ctx context.Context,
+ containerID string,
+ layers *LCOWLayers,
+ guestRoot string,
+ vm *uvm.UtilityVM,
+) (_, _ string, _ resources.ResourceCloser, err error) {
 if vm == nil {
 return "", "", nil, errors.New("MountLCOWLayers cannot be called for process-isolated containers")
 }
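Review bot: `cgroupMetrics.Blkio.Reset()` and `cgroupMetrics.Rdma.Reset()` are called without a nil check; the field types are not visible in the hunk, but if they are the generated protobuf messages from the newly imported stats package, Reset assigns through its receiver and would panic whenever the corresponding controller produced no section. Assigning nil is shorter, cannot panic and should leave the sections out rather than presenting zeroed counters to the consumer: `cgroupMetrics.Blkio = nil`, `cgroupMetrics.Rdma = nil`, `cgroupMetrics.Network = nil`. The comment would be more useful if it named the limit the reply has to stay under (presumably the bridge message size), and "untenable large" should read "untenably large". The surrounding switch starts outside the hunk.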
@@ -114,7 +121,13 @@ func MountLCOWLayers(ctx context.Context, containerID string, layers *LCOWLayers
 }
 hostPath := layers.ScratchVHDPath
- hostPath, err = filepath.EvalSymlinks(hostPath)
+ // For LCOW, we can reuse another container's scratch space (usually the sandbox container's).
+ //
+ // When sharing a scratch space, the `hostPath` will be a symlink to the sandbox.vhdx location to use.
+ // When not sharing a scratch space, `hostPath` will be the path to the sandbox.vhdx to use.
+ //
+ // Evaluate the symlink here (if there is one).
+ hostPath, err = fs.ResolvePath(hostPath)
 if err != nil {
 return "", "", nil, fmt.Errorf("failed to eval symlinks on scratch path: %w", err)
 }
diff --git a/test/functional/make_uvm_cim_test.go b/test/functional/make_uvm_cim_test.go
index 968f1a0657..d99b1d1673 100644
--- a/test/functional/make_uvm_cim_test.go
+++ b/test/functional/make_uvm_cim_test.go
@@ -12,22 +12,24 @@ import (
 "strings"
 "testing"
+ "github.com/Microsoft/go-winio/pkg/fs"
 "github.com/Microsoft/go-winio/pkg/guid"
- "github.com/Microsoft/hcsshim/pkg/cimfs"
- "github.com/Microsoft/hcsshim/pkg/extractuvm"
 "github.com/google/go-containerregistry/pkg/crane"
 v1 "github.com/google/go-containerregistry/pkg/v1"
+
+ "github.com/Microsoft/hcsshim/pkg/cimfs"
+ "github.com/Microsoft/hcsshim/pkg/extractuvm"
 )
 func compareFiles(t *testing.T, file1, file2 string) (bool, error) {
 t.Helper()
- file1, err := filepath.EvalSymlinks(file1)
+ file1, err := fs.ResolvePath(file1)
 if err != nil {
 return false, err
 }
- file2, err = filepath.EvalSymlinks(file2)
+ file2, err = fs.ResolvePath(file2)
 if err != nil {
 return false, err
 }
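Review bot: After `fs.ResolvePath` the resolved `hostPath` is carried forward as the scratch VHD path with no check on where the link ended up. The new comment says that in the shared-scratch case this is a symlink to another container's sandbox.vhdx, so the code trusts whoever can write that link; if its directory is writable by anything less trusted than the shim, checking that the resolved path is a regular file under the expected layer root would make that assumption explicit. The returned path form may also differ from what `filepath.EvalSymlinks` produced (for example for paths on mounted volumes), so later code that compares or logs `hostPath` is worth a look. The error text could name the input, `fmt.Errorf("failed to eval symlinks on scratch path %q: %w", layers.ScratchVHDPath, err)`. The function body continues outside the hunk.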