Windows Sysinternals : Windows Core Concepts - Sessions, Window Stations, Desktops, and Window Messages

- Free product key for windows 10
- Free Product Key for Microsoft office 365
- Malwarebytes Premium 3.7.1 Serial Keys (LifeTime) 2019
8/8/2011 6:21:38 PM
The descriptions of several of the Sysinternals utilities—including Process Explorer, Process Monitor, PsExec, AdInsight, Desktops, and LogonSessions—refer to terminal services sessions, session IDs, the “console session,” and “session 0”; interactive and noninteractive window stations; and other programs running on the “same desktop.” These concepts, although not widely understood, can be critical to problem solving on the Windows platform.

Let’s start with an overview of the hierarchy, an example of which is depicted in Figure 1, and then define the terms. At the outermost layer are terminal services (TS) sessions. Each session contains one or more window stations, which contain desktops. Each of these securable objects has resources allocated for its sole use. There is also a loose relationship between these and logon sessions created by the LSA. Although Windows documentation doesn’t always make a clear distinction between LSA logon sessions and TS sessions, they are completely separate entities.

Figure 1. Relationship between sessions, window stations, and desktops.

1. Terminal Services Sessions

Terminal services support multiple interactive user sessions on a single computer. Introduced in Windows NT 4.0 Terminal Server Edition, they were not incorporated into the Windows client operating system family until Windows XP. Features they support include Fast User Switching, Remote Desktop, Remote Assistance, Remote Applications Integrated Locally (RAIL, a.k.a. RemoteApps), and virtual machine integration features. An important limitation of Windows clients (Windows XP, Windows Vista, and Windows 7) is that only one interactive session can be active at a time. That is, while processes can continue to run in multiple disconnected sessions simultaneously, only one session can update a display device and receive keyboard and mouse input. A further limitation is that a domain-joined Windows XP computer supports at most only one interactive session. For example, if a user is logged on at the console, you can log on to the computer via Remote Desktop using the same account and continue that session, but you cannot log on with a different user account unless the first user is logged off.

Terminal services sessions are identified by an incrementing numeric session ID, starting with session 0. Windows defines a global namespace in the Object Manager and a session-private “local” namespace for each session numbered 1 and higher to provide isolation between sessions. The global namespace serves as the local namespace for processes in session 0.

System processes and Windows services always run in terminal services session 0. In Windows XP and Windows Server 2003, the first interactive user to log on to a computer also uses terminal services session 0 and, consequently, uses the same local namespace as services. Windows XP and Windows Server 2003 create sessions 1 and higher only when needed; if the first user logs off before a second one logs on, the second user uses session 0 as well. Consequently, on a domain-joined Windows XP, session 0 is always the only session.

In Windows Vista and newer, services run in session 0, but for security reasons all interactive user sessions run in sessions 1 and higher. This increased separation between end-user processes and system processes is called session 0 isolation.


The term console session is sometimes mistaken as a synonym for session 0. The console session is the terminal services session associated with the locally attached keyboard, video, and mouse. If all active sessions on a computer are remote desktop sessions, the console session remains connected and displays a logon screen. It might or might not happen to be session 0 on Windows XP/Windows 2003, but it is never session 0 on Windows Vista or newer.

2. Window Stations

Each terminal services session contains one or more named window stations. A window station is a securable object that contains a clipboard, an atom table, and one or more desktops. Every process is associated with one window station. Within a TS session, only the window station named WinSta0 can display a user interface or receive user input. In TS sessions 1 and higher, Windows creates only a WinSta0 window station. (See Figure 2.) In session 0, in addition to WinSta0, Windows creates a separate window station for every LSA logon session associated with a service, with the locally unique identifier (LUID) of the logon session incorporated into the window station name. For example, service processes that run as System run in the Service-0x0-3e7$ window station, while those that run as Network Service run in the Service-0x0-3e4$ window station. These window stations cannot display UI.

Figure 2. WinObj showing the interactive window station in session 2’s private namespace.

PsExec -s cmd.exe runs a command prompt in the Service-0x0-3e7$ window station and redirects its console I/O to PsExec. PsExec’s -i option lets you specify the terminal services session and runs the target process in its WinSta0 window station.

A service configured to run as System can also be configured to Allow Service To Interact With Desktop. When so configured, the service runs in session 0’s WinSta0 instead of Service-0x0-3e7$. When the interactive user was also in session 0, this allowed the service to display UI directly to the end user. In hindsight, this wasn’t a good idea as I’ll describe shortly, and Microsoft has recommended against using this technique—and with session 0 isolation, this no longer works. (The Interactive Services Detection service, UI0Detect, offers partial mitigation.)

3. Desktops

Each window station contains one or more desktops. A desktop is a securable object with a logical display surface on which applications can render UI in the form of windows.


The desktops described here are unrelated to the Desktop abstraction at the top of the Windows Explorer shell namespace.

Multiple desktops can contain UI, but only one can be displayed at a time. There are typically three desktops in the interactive window station: Default, Screen-saver, and Winlogon. The Default desktop is where user applications run by default. (The Sysinternals Desktops utility creates up to three additional desktops on which to run applications.) The Screen-saver desktop is where Windows runs the screen saver if password protection is enabled. The Winlogon desktop, also known as the secure desktop, is where Windows transfers control when you press Ctrl+Alt+Del and the default place to display UAC elevation dialog boxes. Permissions on the Winlogon desktop restrict access only to programs running as System, which protects secure operations involving password entry.

As a process is associated with a window station, each of its threads is associated with a desktop within the window station. Although individual threads of a process can be associated with different desktops, they are usually associated with a single desktop.

Several Sysinternals utilities, including Process Explore and Process Monitor, identify the TS session ID to which a process belongs. Although none of the utilities reliably identify the window station or desktops that a process is associated with, Process Explorer’s Handle View can offer hints in the form of open handles to window stations or desktop objects. For example, in Figure 3, Process Explorer shows a process running as System in session 0 with open handles to the \Default desktop and the \Windows\WindowStations\Service-0x0-3e7$ window station.

Figure 3. A process in session 0 with open handles to desktop and window station objects.

4. Window Messages

Unlike console applications, Windows-based applications are event driven. Each thread that creates window objects has a queue to which messages are sent. These GUI threads wait for and then process window messages as they arrive. These messages tell the window what to do or what occurred. For example, messages can tell the window “Redraw yourself,” “Move to screen coordinates (x,y),” “Close yourself,” “The Enter key was pressed,” “The right mouse button was clicked at coordinates (x,y),” or “The user is logging off.”

Window messaging is mediated by the window manager. Messages can be sent to any window from any thread running on the same desktop—the window manager does not allow a program to send a window message to a window on a different desktop. Process Monitor’s /Terminate and /WaitForIdle commands must be invoked from the same desktop on which the target Procmon instance is running, because they use window messaging to tell the existing instance to shut itself down and to determine that the target instance is ready to process commands in the form of window messages.

Window messages can be used to simulate mouse or keyboard activity. RegJump and the Jump To feature in Process Monitor and Autoruns do exactly this to navigate to a key in Regedit. Because of the levels of abstraction between a physical keypress and the resulting window messages received by a GUI program, it is effectively impossible for the target program to know with absolute certainty whether a key was pressed on a keyboard or another program simulated a keypress by sending it window messages. (This is true of all windowing systems, not just Windows.)

Except for the introduction of multithreading support in 32-bit versions of Windows, this window messaging architecture dates back to Windows 1.0, and it brings forward a lot of legacy. In particular, window objects do not have security descriptors or access control lists. This is why allowing services to display windows on the user’s desktop was a bad idea—user programs could send malformed or specially crafted messages to windows owned by processes running as System and, if successfully exploited, control those processes. (This is commonly called a shatter attack.) If the user was not already an administrator, elevation of privilege became trivially easy. This is the main reason that interactive users no longer log on to session 0.

With “standard user,” which is the default mode in Windows Vista and newer—and with UAC elevation popularizing the ability of applications to run with administrator rights in the same desktop with nonadministrative processes—some additional protection was needed to reduce the risk of shatter attacks against windows owned by elevated processes. The result is User Interface Privilege Isolation (UIPI).

Prior to Windows Vista, any process running as a particular user could take complete control over any other process running as the same user. With Mandatory Integrity Control (MIC), processes are assigned and run at an integrity level (IL), a numeric value that indicates the relative trustworthiness of the process. Elevated apps run at High, normal user apps run at Medium, and low-rights processes such as Protected Mode Internet Explorer run at Low.

With UIPI, when the window manager mediates a window message that can change the target’s state (such as a button click message), the window manager compares the IL of the process sending the message to the IL of the process that owns the window receiving the message. If the sender’s IL is lower than that of the receiver’s, the message is blocked. This is the reason that RegJump and similar Jump To features must execute at an IL at least as high as that of Regedit.

For more information about MIC and UIPI, see the Windows Vista Integrity Mechanism Technical Reference at

Other -----------------
- Windows Sysinternals : Windows Core Concepts - Call Stacks and Symbols
- Windows Sysinternals : Windows Core Concepts - Administrative Rights
- Overview of Process Management in Microsoft Visio 2010 (part 4)
- Overview of Process Management in Microsoft Visio 2010 (part 3) - Validation of process diagrams
- Overview of Process Management in Microsoft Visio 2010 (part 2) - New process flow templates
- Overview of Process Management in Microsoft Visio 2010 (part 1)
- Windows 7 : Working with Scanners and Cameras (part 2) - Manipulating Pictures in Windows Media Player & Printing Your Masterpiece
- Windows 7 : Working with Scanners and Cameras (part 1) - Using Windows Pictures Library with a Digital Camera, Scanner
- Windows 7 : Understanding and Resolving Installation Failures (part 2) - Understanding Installation Restrictions with AppLocker
- Windows 7 : Understanding and Resolving Installation Failures (part 1) - Verifying Software Installation Requirements
- Sysinternals License Information
- The Windows Sysinternals Web Site
- Overview of Internet Explorer 8 (part 4) - Installing Add-Ons to IE8 & Configuring Windows Internet Explorer 8 Options
- Overview of Internet Explorer 8 (part 3) - Using New Security and Safety Features of IE8 & Working with SmartScreen Filters
- Overview of Internet Explorer 8 (part 2) - Defining IE8 Web Slices & Using IE8 Compatibility View
- Overview of Internet Explorer 8 (part 1) - Defining IE8 Accelerators
- Windows 7 : Configuring Hardware and Applications - Managing Applications
- Windows 7 : Configuring Hardware and Applications - Managing Printers
- Windows 7 : Configuring Hardware (part 2) - Installing and Updating Device Drivers & Driver Signing
- Windows 7 : Configuring Hardware (part 1) - Device Stage & Using Device Manager
Top 10
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Finding containers and lists in Visio (part 2) - Wireframes,Legends
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Finding containers and lists in Visio (part 1) - Swimlanes
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Formatting and sizing lists
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Adding shapes to lists
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Sizing containers
- Microsoft Access 2010 : Control Properties and Why to Use Them (part 3) - The Other Properties of a Control
- Microsoft Access 2010 : Control Properties and Why to Use Them (part 2) - The Data Properties of a Control
- Microsoft Access 2010 : Control Properties and Why to Use Them (part 1) - The Format Properties of a Control
- Microsoft Access 2010 : Form Properties and Why Should You Use Them - Working with the Properties Window
- Microsoft Visio 2013 : Using the Organization Chart Wizard with new data
- First look: Apple Watch

- 3 Tips for Maintaining Your Cell Phone Battery (part 1)

- 3 Tips for Maintaining Your Cell Phone Battery (part 2)
programming4us programming4us