Friday, August 10, 2012

Interactive Services Detection - Accessing Session 0 on demand via the command line

Note that the FireDaemon Pro installer enables the UI0Detect service plus allows you to switch to the Session 0 desktop via the FireDaemon GUI or CLI.

Also check out the FireDaemon Session 0 Viewer. It supersedes the method of switching to and remaining on Session 0 as outlined below.

Windows Vista introduced us to the concept of Session 0 Isolation. This was in response to the need to isolate highly privileged service applications from malicious applications running in user space. These malicious applications would attempt to inject arbitrary code via into the service application via the application's message loop. These attacks are classified as shatter attacks. The net effect of this is that interactive Windows services are only available on Session o (or the Console session). When you log on to your Vista, 2008 or Windows 7 machine you now no longer login to Session 0 but into Session 1. Session 0 Isolation becomes problematic when attempting to run applications under FireDaemon as the interactive component (ie. the application's "visible" GUI) is no longer visible on the currently logged on session. Luckily Microsoft supplies the Interactive Services Detection Service on Windows Vista, 2008 and 7 to allow you access to Session 0 so you can interact with any interactive services (including FireDaemon ones) running on that session. Enabling the Interactive Service Detection Service (UI0Detect - that's UI "zero" Detect) is completed fastest at the command line. You will need to be an administrator to do this. Open an elevated command prompt and type:

sc config ui0detect start= auto

followed by

sc start ui0detect

Interactive Services Detection

Once that is done you will notice the Interactive Services Detection popup in the Task Bar:


This dialog can be annoying and is easily dismissed by clicking on Ask me later. The problem then arises on how to switch to the Session 0 desktop when the Interactive Services Detection popup is not present? There are two undocumented system calls available which allow you to switch to and from Session 0: WinStationSwitchToServicesSession and WinStationRevertFromServicesSession. These two system calls only work if the Interactive Services Detection service is running. To switch to Session 0 enter the following at a command prompt:

 rundll32 winsta.dll,WinStationSwitchToServicesSession

Windows will switch desktop and you will find yourself on Session 0. You can then revert back to your logged in session by clicking on Return now or entering the following at a command prompt:

rundll32 winsta.dll,WinStationRevertFromServicesSession

20-Jun-2014 03:20 AM - Patrick
Hi H4nd0,

thanks for this post.

> How did that happen? Well quite simply, I launched
> C:WindowsSystem32cmd.exe using FireDaemon Pro

I'm running Vista, some questions regarding the above tip:

1. Did you enable the FD option "Console Application"?
2. What is your setting for the FD option "Start-Up Mode"?
3. What are your settings for the FD options "Show Window" and
"Interact with Desktop"?

Kind regards from Germany,
20-Jun-2014 03:20 AM - H4nd0
1. Console application is unchecked
2. Startup mode is up to you but mine was automatic
3. Show Window is Normal and Interact with Desktop is checked
20-Jun-2014 03:20 AM - Geoff Chappell
Please will you not use RUNDLL32 to call arbitrary functions in arbitrary DLLs?

For the record, RUNDLL32 expects the named function to have a particular prototype. When you use it to call a function with some other prototype, you rely on exception handling in RUNDLL32 to catch any trouble you cause.

To those who know the "proper" use of RUNDLL32, your use is either cavalier or ignorant. At best, you announce your product as one that will readily use undocumented features without having taken much trouble to understand what you're doing. Is that what you want?
20-Jun-2014 03:20 AM - W2008 server
[...] [...]
28-Aug-2014 07:40 PM - Willll
nice article ! Could you tell how did you start cmd.exe in session 0 ? thank you.

Captcha Image

Recent Posts



    Sign up for Product Updates and Discounts
    Captcha Image