Thoughts from the EPS Windows Server Performance Team
In Windows XP, Windows Server 2003, and earlier versions of the Windows operating system, all services run in the same session as the first user who logs on to the console. This session is called Session 0. Running services and user applications together in Session 0 poses a security risk because services run at elevated privilege and therefore are targets for malicious agents who are looking for a means to elevate their own privilege level.
The Microsoft Windows Vista operating system mitigates this security risk by isolating services in Session 0 and making Session 0 non-interactive. In Windows Vista (and Windows Longhorn Server), only system processes and services run in Session 0. The user logs on to Session 1. On Windows Longhorn Server, subsequent users log on to subsequent sessions (Session 2, Session 3 etc). This means that services never run in the same session as users' applications and are therefore protected from attacks that originate in application code.
Specific examples of affected driver classes include:
Application classes affected by this feature:
Sessions in Windows XP / 2003OK - so we've already mentioned that Session 0 poses a security risk because services run at elevated privilege. The first user on the console also runs in Session 0 - which provides the most common attack vector used to target unsuspecting users.
Sessions in Windows VistaIn Windows Vista, Session 0 is created for services and user-mode drivers. Session 1 is created for the first user who logs in. Applications for this user run in Session 1.
OK - so what could this actually look like in a real world scenario? Consider the following example - if a service belonging to an application generates a UI element in Session 0 - for example a dialog box waiting for the user to click "OK" or "Cancel", the application is now waiting on the service, and the UI is not displayed in the user session. From the user perspective, the application appears to be hung, when in actual fact it is performing quite normally, and patiently waiting for a user response that the user cannot see!
As you can imagine - this presents a problem for users, administrators and developers. However, there are some quick mitigating factors to consider.
When testing applications for compatibility with Windows Vista, consider the following test scenarios:
Finally, you can leverage the following Windows Vista capability solutions:
And that will do it for a quick look at how Session 0 isolation affects Application Compatibility in Windows Vista. The links below contain more information on some of the concepts discussed above. Until next time ...
- CC Hameed
PingBack from http://www.ditii.com/blog/2007/04/27/windows-session-0-isolation/
The Enterprise Platforms Windows Server Perfomance Team have published and explaintion of Session 0.
Today we are going to briefly go over the basics of some concepts that can be pretty confusing even at
In our previous post on PCA, we discussed several runtime issue detection scenarios. Today, we are going
<a href= http://1.mastr6.com >portland zip codes</a>
I'm having a very strange behavior - CreateProcessAsUser fails with error 233 when called from service while logon screen active. Service
tries to create a process when new console session connected, so when it receives the SERVICE_CONTROL_SESSIONCHANGE notofication with the WTS_CONSOLE_CONNECT, it obtains a user token (via WTSQueryUserToken or
OpenProcessToken/DuplicateTokenEx/SetTokenInformation - no sense). In
most cases it works well, but when it create a process after user
logoff (and now system in logon screen) it fails with error 233.
How to reproduce it:
1. Logon as console user (session 0)
2. Switch user (logon screen, session 0)
3. Logon another user (session 1) (CreateProcessAsUser succeeded)
4. Logoff another user (logon screen, session 2) (CreateProcessAsUser
In my sample i'm trying to launch calc.exe, and in vista it works
well, problem appears only with the Windows XP.
Anyone else seen a similar issue, or know why this is happening? If it
helps, i can upload a sample to reproduce this behavior...
I am having the same issue with CreateProcessAsUser at the logon screen (this is to run a vnc server w/o any UI). WTSQueryUserToken returns a NULL token and CPAU fails. Any help?