| Date: | August 22, 2006 / year-entry #285 |
| Tags: | code |
| Orig Link: | https://blogs.msdn.microsoft.com/oldnewthing/20060822-00/?p=30013 |
| Comments: | 60 |
| Summary: | An extension of the "What if two programs did this?" thought experiment is the "Who says there's only one?" question. A common question I see is, "From a service, how do I do X with the currently logged-on user?" (Where "X" can be a variety of things such as interact with them or impersonate them.)... |
An extension of the "What if two programs did this?" thought experiment is the "Who says there's only one?" question. A common question I see is, "From a service, how do I do X with the currently logged-on user?" (Where "X" can be a variety of things such as interact with them or impersonate them.) But who says that there's only one? With the introduction of Fast User Switching in Windows XP, the possibility for multiple logged-on users exists even in consumer scenarios. You might say, "Well, I mean that among all the users that are logged on, I want the one that's using the computer right now." Except that with Media Center Extender, there can still be two users, one sitting at the console and another in the TV room with the extender, and both of them are using the computer right now. And on the server side of things, Terminal Services has been around since NT4 (a limited version of which is available in Windows XP Professional under the name "Remote Desktop"). There are many variations on this question. "How can I check whether the 'Press Ctrl+Alt+Del to begin' dialog is being displayed?" There is not just one such dialog; there is one for every session. If there are three users logged onto the machine, one of them logged in and active, another one disconnected, and a third sitting at the 'Press Ctrl+Alt+Del to begin' dialog, what should the answer be? That depends on what you're planning to use this information for. Sometimes it takes a few iterations before people get the message, and sometimes they never do. "How do I impersonate the currently logged-on user?" "Which user? There can be more than one. <explanation>" "I want the one on the desktop." "They all have their own desktop." "I want the one on the current desktop." "What do you mean by 'the' current desktop? There is one current desktop for each user." "I want the desktop I should display my UI on." "Your question has become circular. You want to display your UI on the desktop that your UI should be displayed on." "Why won't you answer my question?!" |
Comments (60)
Comments are closed. |
Hmmm… Endless Loop anyone?
http://en.wikipedia.org/wiki/Circular_definition
Now i see the problem with my question, but how do i implement my program then?
;-)
This kind of thinking is an example of why the singleton pattern should be considered an ANTIpattern.
It’s almost always incorrect to assume that there will be only one instance of anything. And even if it’s right today, it may be wrong tomorrow. We have to stop believing in singletons.
Apok : That question reminds me of a story I once heard about a mythical group of [sub-culture]s who, having had a physicist explain to them how vast space is, how far away other stars and planets are, how unlikely we are to be able to travel at anything approaching the speed of light, and how far advanced cryogenics isn’t, then asked him "Well, how are we going to travel to distant worlds before we die then?"
VNC can run as a service, but can only control the desktop of the first user logged on (at the console).
In fact, that is usually the best solution, as the vast majority of desktops only ever have one user logged on. Shared home computers and terminal servers are the exception.
MCE extenders also should not affect that solution.
For what it’s worth, in my organization it’s far more likely that any given session is a remote desktop session than a physical console session.
As developers of network software, there’s no way we can keep our entire labs at our desks. My desk contains a laptop and an LCD, but my lab consists of a stack of Virtual Server hosts downstairs in an air conditioned room. That keeps the office cooler (air conditioning costs a fortune), quieter, and uses less power. I believe this will be the rule rather than the exception, at least in corporate settings.
Hey, even at home my server sits in a closet, headless. :)
So what is the correct way to think about this? I presume there is some way to get a reference to the session that my program was created in(excepting services, of course).
<<So what is the correct way to think about this?>>
Some ways:
– Wait for the user to initiate the dialog. Have a client application talking to the service (this is also safer)
– You might need to react to an action that is user caused (ie opening an infected file), then try to interact with the user opening the file (if you can determine who that is :-)
– Tell to everybody (for something global, like low batery, or running on UPS)
– THINK! Throw 10 scenarios at any solution you can find. Ask "what if." Find someone in your team who is good at playing "devil’s advocate." For instance I can see problems with all my sugestions above :-)
If your application is launched by a user, it will automatically appear in the correct session with no extra effort from you. In fact, you are usually prevented from interacting with any other window stations. (I can’t really remember how window stations relate to sessions, but I believe that each session can have more than one window station.)
The "Scheduled Tasks" feature in Windows tends to be a bit funny with how it selects a desktop to recieve its UI. When I log into one of our servers at work using Terminal Services every ten minutes a console window appears representing a scheduled task configured to run as me and then vanishes a few seconds later after stealing my keyboard focus. If I have two sessions open at once, it seems to be pretty random which one recieves the UI.
Strangely enough, when I tried to make this task run as a user that doesn’t log in (it’s a reserved account that we use for non-human agents on the network) the task didn’t run at all, even though it was configured to run when the user is not logged in. I never did figure out why.
Raymond, you’re a smart guy, but sometimes I’m surprised that you haven’t been beaten up by a co-worker going postal at your way of answering questions…
So, what is the recommended practice when your application, which runs as a service, (or any other situation when it could find itself with multiple or no user desktops/sessions/logins/whatever) needs operator input to proceed?
You guys at Microsoft must have encountered this problem a million times and solved it about an equal number of times. What does the SOP tell you to do?
(Please display the answer on the blog.)
“Classic” computers — vaxes and such — had a similar problem. There were all sorts of system services, and some of them need occasional attention. However, there really isn’t a single notable user send messages to.
The solution (because it’s a problem that actually needs a solution) was to have an “operators console” — one particular terminal that all such messages would go to.
What’s the Microsoft solution? Suppose I’m writing a small service controlling a bit of hardware, and my program really, really needs to tell SOMEONE that something bad is happening — that the humidity in the server room is too high, or that the lights are on, or whatever. Where is that message supposed to go?
Remember that I want to do it the “standard” way: the way that Microsoft recommends and uses itself in datacenters.
"The question is still under-specific."
Aaaaaghhh!!!! YOU DID IT AGAIN!
I didn’t specify which operator, because that is part of what I don’t know. All I know is that the app needs operator input. So how do I go about getting that input?
Assume that no code has been written at all – we’re still trying to design the application. The only thing we know for sure is that it will run as a service, and that it will find itself in the problematic situation of having zero or more than one desktops/sessions/etc.
What is the Microsoft way of solving this problem?
Got it from the KB:
http://support.microsoft.com/kb/327618/
"We recommend that the service writer use a client/server technology such as remote procedure call (RPC), sockets, named pipes or COM to interact with the logged-on user from a service. Additionally, we recommend that you use the MessageBox function together with the MB_SERVICE_NOTIFICATION flag to display simple status messages."
So instead of having one client console for each service, is there something similar to SNMP for Windows services?
If a service needs operator input, you may be willing to take input from anyone. In that case you should put a display on all the available desktops.
No, he didn’t. You still aren’t clear enough on the concept–or else you’re trolling. You need to identify something about the person you want to talk to. If Administrator and Jane Secretary are both logged in to a machine–which one do you want to talk to? Read Matt’s comment for a bunch of more-specific scenarios. You’re still acting like the guy in the hypothetical of Raymond’s original post. You haven’t defined who "the user I want to talk to" is yet, so there are a number of answers. Here’s a quick one–enumerate the list of logged-on users, and pick one at random (or the first one). I hope he hasn’t locked his terminal. I hope it wasn’t Jane Secretary, who knows just enough about computers to run a couple applications, and uses cheat-sheets to remind her how to start them.
Get the point yet?
multi-desktop support is something all winXP apps should have, because its so common and easy to test for. XP Pro is a bit limited because it locks out the current user when the 2nd comes in remotely, but the Server releases handle both side by side, though Server 2003 has a bit more isolation between instances, which actually makes sharing stuff harder.
Raymond even omitted the fact that when the screen saver kicks in, it brings up the logon desktop, so there is a 2nd desktop, even on a single user box.
-Services should be written assuming that there is no end user to notify. do you think that just because the OS can bring up dialogs telling you that your laptop wont suspend because a driver refused the request, the user
wants to see it?
When a service brings up a dialog on a desktop, it creates a privilege escalation back door. Anyone app on the same desktop can send messages to it, maybe, if they try hard, get their DLL to load and execute under it. Nobody wants that.
If your service wants to talk to the client, it should have an app that runs on the client and which talks over some secure channel e.g. named pipe, with a restricted set of messages. The service can notify clients this way; the clients request things of the server. Both ends should assume that messages may be sent by malicious apps, and check them before casting them to structs.
Where you do have fun with multiple desktops is that NT kernel objects get relinked to. Run Winobj as a remote user -you’ll see. Different users have different named objects.
Rick, Matt,
I’m not trolling. The answer to my question was in the KB: "We recommend that the service writer use a client/server technology such as remote procedure call (RPC), sockets, named pipes or COM to interact with the logged-on user from a service."
So, the question of "how do I pop up a UI", as well as the question of "on which desktop" is meaningless – you’re not supposed to pop up anything at all. You’re supposed to write a client app that connects to the service. That app can then pop up anything it wants.
This is why I think Raymond’s approach is wrong. Why lead the person asking the question round and round, wasting everyone’s time, instead of just saying:
"Since you can have multiple desktops, or no desktop, or terminal services, and all that, the standard way is to write a small client-side app that your users can run."
There. Whoever asked can now go on and be productive.
If they, after being told that, want to be extra-smart and implement the heuristics the Matt lists – great. But they now know what the SOP is as well as why it is SOP, and can fall back on it.
I had a problem related to this at home the other day. My wife and I were both logged on to our user accounts. I was working on a document in Excel and wanted to print it double sided on our HP printer. She knew how to do that so I let her. It printed the first page, but would not print the second page.
We tried deleting the print job, but it was hung up and successive jobs wouldn’t print. I finally shut everything down and when I went to her user session, there was a HP print wizard providing instructions for turning over the paper to print double sided and waiting for the "Continue" button to be clicked. When I clicked it, the 2nd page of the document printed.
Kind of irritating. It’s a new printer so it certainly could have been tested on XP with multiple users.
I think people might be more clear on what they want if there were a few examples on users they might want to contact and how to do that – at worst they’ll know a bit more about what they don’t want.
Other questions in this vein from network-land: What is the IP address of this computer? What is its Ethernet address?
It sounds like the service writer wants to pop up an icon that will be seen – there are two different solutions that should work ok:
1. Iterate through all sessions and pop up the icon on those that are connected.
2. Pop the icon on every session.
After a timeout, kill all icons that haven’t been looked at.
This sounds like a really bad idea, and I’d love it if I could disable that sort of behavior (along with the tools that write focus stealing apps) – this leads to Raymonds underlying question: what exactly are you trying to do?
"Other questions in this vein from network-land"
And in the land of multiple monitors or headless servers:
"What is the screen resolution?"
I remember having to do some very annoying things when running Java on Linux without an X server, because the Java Runtime tried to find out the bit depth and resolution of the display when starting up, and there was no way to keep it from doing this.
Ben Cooke wrote: "Strangely enough, when I tried to make this task run as a user that doesn’t log in (it’s a reserved account that we use for non-human agents on the network) the task didn’t run at all, even though it was configured to run when the user is not logged in. I never did figure out why."
The user that runs a scheduled task needs to have permission to read and write the Scheduled Tasks directory. No kidding.
Mr. Currently Logged In User: What if no user is logged in?
You should consider logging an event to an appropriate Windows Event Log, then continue as best you can. Rely on some other management tool processing that log to alert the administrator or appropriate delegated operator. This allows administrators to aggregate monitoring of multiple servers.
There are many tools that can do this, including (I think) Microsoft Operations Manager.
(This is very much do-as-I-say, not do-as-I-do. I’ve inherited responsibility for an application server product originally written by my boss. Right now it is generally configured as an interactive service, with all that entails – the damn thing pops a notification icon on ‘the’ taskbar, which means session 0, the interactive console session. This will no longer work as of Windows Vista. Unfortunately I have no long-term development budget, either time or money, so development is currently on hold – I tend to get requests to make specific functionality changes which do get budgeted, but no budget for generally improving the software. Sucks.)
Mike,
true.
Your solution seems even better as it allows for multiple servers.
The downside of Microsoft Operations Manager is that you have to buy it, so I would not code to that API if I were writing something that was supposed to run on someone’s home PC.
Perhaps putting an SNMP angent into the service is the best way to do it, combined with logging to the system event log? (Like http://snmpboy.msft.net/ )
Most annoying case I have seen of this: Canon printer software that insists on having its ever-present control panel on "the" desktop. If two users log in, *both* control panels crash.
The problem has, in essence, become domain specific – you have to tell Raymond who you want to contact. He can tell you (if he’s feeling particularly nice) how you get said desktop.
It would be interesting to know how to*:
+ Iterate though all sessions with Admin access (if you have an issue you wish to display to anyone who is logged on you may well want to do this to admins/power users etc. first.
E.G my UPS is acting up).
+ If I am a service running as a user, get the desktop(s)** for that user
+ How to find out which user ‘owns’/ ‘is responsible for’ an attached device. If two users are logged in and net uses to a remote file system can I tell which one did it easily..
+ Identify which users interacted with the desktop (perhaps by mouse/keyboard for arguments sake) last/first
+ Which user was the first to logon to the machine.
+ If a user logged in is set to auto login (and thus for my purposes will be considered the most useful user to talk to)
+ Which sessions have a screen saver active
+ Which sessions are remote, (specifically terminal services – if you can tell it’s being interacted with by VNC et al so much the better :)
+ Which sessions are disabled due to removed USB authentication keys and the like (If I have to talk to active directory to do this that’s a pain)
Just some thoughts. If you want people to be clever in how they code for desktop interaction in the world or multiple users these questions should all be reasonably answerable right?
* I assume this is all on MSDN – therefore don’t actually bother answering
** Can the same user ever have two sessions (active or otherwise) to a computer. From different domains?
Oh yeah – rsclient.
The answer to your specific
"Suppose I’m writing a small service controlling a bit of hardware, and my program really, really needs to tell SOMEONE that something bad is happening — that the humidity in the server room is too high, or that the lights are on, or whatever.
__Where is that message supposed to go__?"
The answer is that such a response should not rely on a user being logged into the said box. The message should go to some other system which will inform the sysadmin/interested parties as needed.
This should hopefully be configurable and redundant.
An example of the most basic thing you can do is send an email. I know commercial systems which email/page/text/call(!)/have pretty GUI/make noises. All major server suppliers tend to provide their own proprietary solutions.
This system could then, if desired, use something like windows messenger service* to inform all connected users of the issue.
In the degenerate case (like a SOHO situation) the service that does this monitoring is running on the machine itself.
The idea is that your app should talk to some other system which lets the admin take whatever steps they see fit by supplying a timely, informative programmatic indication of the sate.
If you do this via an open standard so much the better.
* Yeah, I know – I assuming you’re behind a firewall so are happy to have this on :)
The Currently Logged-In User
aaaaand breath.
Then describe, *for your app* who, out of all the possible users, should get this notification.
If you cannot decide, with your domain specific knowledge* who to contact then Raymond could just say ‘Pick a random session’. Based on your spec (it doesn’t matter) this is a valid and reasonable answer (well deterministic would be good for debugging).
Remember that all good thought experiments require a good start point. In your case an application that has a more descriptive name than “App” :)
* If you have no specific knowledge invent an app in your head, think of an error case then think who you would want to contact if you had all the info in the world about each session.
If you have an application running as a service, it should NEVER present a UI!
Send an email to the admin, log an event, but never ever bug anyone using the machine!
"Can the same user ever have two sessions (active or otherwise) to a computer."
Yes. In fact, this is sometimes necessary. I’ve seen cases where a terminal services session becomes unusable. It’s possible to establish another session though by connecting again with another instance of the client (and then use the terminal services manager on the server to kill the other connection).
This reminds me of my main peeve with iTunes on XP, about a year ago I had 2 housemates with iPods and we all had a login on my XP box. Suppose user1 left iTunes running and then locked his session, if user2 came along and wanted to update his tunes then he’d login, run iTunes and plug his iPod in – the iPod would then (rather inconveniently) connect to the user1’s instance of iTunes which you couldn’t see or interact with and prevent you connecting to to the instance you could see until you found user1 and got him to log out. Arrgh.
This problem only arises if you try to solve two issues at once:
1. My service has encountered an event that someone may need to be notified of.
2. I want to be notified when specific events occur.
If a service needs to notify somebody of an event it should either write to the event log and/or generate a WMI event notification. It then becomes the responsibilty of whomever is listening to decide whether it is appropriate for them to respond and if so to take any measures necessary.
Doing it this way means you don’t need to worry about whether someone is logged in, whether 100 people are logged in or whether somebody is monitoring the situation remotely because all of the can be handled as appropriate.
The Currently Logged-In User: it’s that you aren’t supposed to have any user interface in a service. That’s it. It’s common sense, it has been a recommendation since forever, the Shatter proof-of-concept made a strong case for it, and it’s now (Windows Vista and later) a requirement
"From a service, how do I do X with the currently logged-on user?"
Where X is presumably "expose the system to a shatter attack".
I appreciate the original sentiment – I have spend years railing against Windows programmers who have this strange notion that there must be an arse in the seat before a computer can work – but allowing privileged code to put a UI on an unprivileged desktop has been demonstrated to be a Very Bad Idea in itself.
KJK::Hyperion,
it is common sense if you think about it, but what is lacking is a document that spells out what the proper way is.
I know about the vulnerabilities of emulating user actions via SendMessage, and I know about a lot of other vulnerabilities.
What I want Microsoft to do is stand up and say: "We have analyzed vulnerabilities and found that the following way is the right way to allow a user to interact with services."
For example, when you SSH to a host, you don’t have to care about what a proper key exchange algorithm should consist of, even if it is common sense how it should work, if you are a cryptographer. All the cryptographic knowledge has been distilled into SSH and the manual that tells you how to use it. You don’t have to rely on remembering exploits.
This is why, when you have to implement crypto, should use a public algorithm and not try to be smart and roll your own. (And you should preferably use an entire public protocol to get the authentication and all the surrounding bits right as well.)
In the same way, I want for someone to distill all the common sense that is floating around into a document that spells out how services should be written so they can be managed locally or remotely via SNMP, Msft Operations Manager or whatever remote management facilities Microsoft decide to support, so someone writing a services doesn’t have to chase around and gather up all that common sense.
I know of no such document besides the one I found in the Microsoft KB. If you do, please share it with us.
To me, the obvious answer seems to be to have a setting in your app for who to contact in response to this event. That way the administrator can configure it. Of course, this leads to the question of what to do if there is *no-one* logged in, which is quite common on a server.
One thing that would be useful is a general "event dispatch" system, where services can just say "Tell someone about this…" and the system can figure out (based on the configuration of the event system) who to tell and how to tell them. Then allow plugins for the event sinks, so that I can (for example) write a plugin to send me a message through my company’s Jabber server, or send me an SMS message.
But maybe Windows already has this? It has the system-wide event log, so is there some way to hook into that and get notified when an event fitting a given criteria goes into the log?
The Currently Logged In User: You’re basic assumption is wrong. There is no one "best" way of doing it, it depends entirely upon what the service is doing. For some (I’d contend most) WMI is the right way to do it. Others would be better suited to just logging information to an Event log. RPC, Email, SMS or a myriad of other technologies might be a better fit for other cases.
The only one sure-fire wrong answer is displaying a GUI directly from a privileged account.
There is no "proper" way… the only proper way is, keep the GUI out of the server. God knows there’s no scarcity of IPC mechanisms on Windows
This article and its comments are about the most interesting thread I have seen here, raising many interesting questions!
I now want to counteract the current ‘send all messages to the log’ thread with a real anecote of why this isnt enough.
Back in 1997, my twin CPU P6/150 box (!) suddenly stopped updating the icons on the desktop.
So I restarted. Only the box didnt come back up. No OS.
So I pulled out my DAT tape backup from the previous month (lucky me) and did a system recover on it.
After a few hours, I had the system functional enough to see the event log. Which had a warning that drive C: and drive D: filesystem were corrupt.
I think I’d hit some race condition in the early NT4 NTFS code or the disk driver, but both filesystems got toasted. And what did the OS do? Nothing but leave a message in the log, on the now-toast FS.
This is the kind of event were every user needs to see a big warning in big letters "the filesystem is toast, save up your working docs to a network share, then power off the machine without trying to do a clean shutdown. Take it to support and let them deal with it"
I’ve had HDD failures on linux too; they dont do much more than log either. What is the point in SMART logging if all it does is add stuff to /var/log/errors?
Andy C: While many ways are right, they are not without tradeoffs, and I think it is outright stupid of Microsoft to not have a single documented standard solution for this. As it is now, developers are forced to figure out for themselves what the “right” solution is, but they are not even told what the tradeoffs are!
Example: Microsoft has a product called Microsoft Operations Manager that is used to manage datacenters. If you choose a method that can’t be integrated with MOM, well, then your service is much less attractive for organizations using MOM.
Did you know that? I sure didn’t. Before you call me a n00b (which I am) – whoever wrote the article I quoted from MSKB didn’t know that either, because MOM isn’t even mentioned!
If I had been forced to decide on a service-management solution I would have picked something incompatible with MOM, thereby making my service much harder to manage.
I’m not asking for something difficult. Microsoft can just stand up and say “Use SNMP. Download SDK here.”
The question of whether notifications etc. should result in dialog boxes popping up, emails being sent, or whatever is not for the event producer to decide. For home users I’d like Microsoft to include with Windows a little applet that perhaps lives in the system tray where I can select things such as:
+ Any hard drive events of type “ERROR” should result in a dialog box popping up on every session, or on the login screen, or whatever.
If you had two users on a machine, you could have personalized settings for each user. The secretary doesn’t have to see stuff they don’t understand anyway, and the power user can see everything.
For datacenters, the MOM could use SNMP to monitor the service and send emails, start sirens or whatever.
In short – all the problems of finding the right method, adding more methods disappear. Services use one api to generate events. Another program handles the “get the event to someone that cares” part. And it scales from home user to datacenter!
Again, notifying operators is a very common action. I’m amazed Microsoft hasn’t declared some method to be the standard.
Steve Loughran wrote: "I’ve had HDD failures on linux too; they dont do much more than log either. What is the point in SMART logging if all it does is add stuff to /var/log/errors?"
None really.
I’ve found this for KDE: MetaMonitor http://www.kde-apps.org/content/show.php?content=30603
That would allow you to have a popup on your desktop when your HD is about to go.
If you run KDE, that is.
I’m sure there are similar programs for Gnome.
(As an aside – while we are arguing over how impossible it is to pop up UIs, well, these guys just solved the problem. Privilege escalation is impossible since the notifier runs as the current user.)
Windows can only handle 1 physical console desktop. Don’t pretend it can handle several.
Whoa there, Consul Desktop. That’s not true with Windows Media Center Edition, as has already been pointed out in the comments to this article.
I haven’t noticed anyone point out that there could in fact be NOBODY logged on to the system. A service is running at reboot whether there are any logged-on users or not, so not only do you have to deal with choosing between logged-on users, you also have to deal with zero users.
To Steve Loughran:
In case anyone doesn’t believe you, you’ll be glad to know that you can show them the same problem with more recent systems, up to and including build 5472 (and, as you mentioned, Linux).
Though recently I had one pleasantly surprising experience. Windows 2003 detected some bad blocks on a USB hard disk and, same as always, it recorded an event without telling me. But when I noticed the event, I ran CHKDSK with the option to check for bad blocks. CHKDSK told me the names of the affected files! It only gave me the shortnames, and every other user tool in Windows 2003 only gives me the longnames, so I had to do a bit of hunting to find the files, but it was still a big help. Windows 2003 did better than Linux this time.
The next surprise was that CHKDSK actually recovered the contents of the files. I was amazed. I thought I would have to copy new copies back in from another external backup, but decided to try the "FC" command first and it reported no differences. CHKDSK found bad blocks, recovered the contents, and at the end it said it found no problems with the file system. It actually told the truth. But I wouldn’t expect this to be repeatable. Ordinarily with bad blocks you’re going to have to recover the file from a different backup.
I still think the person sitting at the console should be informed together with the writing of an event log. For example "Windows Explorer isn’t going to respond for a while because we’re trying to read a defective CD, so during this time don’t try to close your non-responding Windows Explorer." And maybe even "Here’s a cancel button if you want to stop trying to read your defective CD".
“There is no “one size fits all” solution. It has to be dealt with on a case-by-case basis. -Raymond”
Raymond, you are very good at saying what *can’t* be done.
But you are not good at saying what *can* be done and how one should choose between the alternatives.
I think the latter is much more interesting than the former.
What’s the best way for your situation (your client, your organization, yourself even) to be notified?
Also, are some messages from your service critical errors? Does someone need to be notified NOW (by email, pager, carrier pigeon, everything!!)? Are some messages important, and should be relayed by email, but not mission critical and can "wait until Monday"?
If you’re a software vendor, get to know your customers. What method(s) do they use to monitor their servers (and services)? Maybe they like SNMP. Maybe they detect errors in the Event Log. Maybe they like emails and pages set out to important admins. Provide methods for your software to hook into these reporting mechanisms. But most importantly, report out, don’t accept inputs back in this case (the danger of the privileged dialog on an unprivileged desktop was mentioned earlier).
The idea here is that, whatever’s gone wrong, you provide methods to tell those who need to know, how they want to know. Then, they can deal with it, perhaps by logging into the desktop with their privileged session and using your desktop admin tools.
I’ll give you an example. My organization likes (for some reason) paging system operators when a server "goes down". They have a strange definition for servers "going down", but the point is, server admins have their cell phones ringing with text messages all day long. I didn’t say it was effective, but it was what the organization wanted. Whether the organization is you, your employer, or your client, ask yourself how they want to be notified.
+1 to a document describing the various approaches and solutions to this kind of problem.
I’d bet the two most commonly appropriate solutions are:
1. Send an email (or SMS, or something)
2. Have the user run a client app (possibly on login) which monitors the service for events
The other approaches are:
1. Have the service allow GUI interaction and display junk on the screen — Bad idea, and no longer supported by Vista
2. Log it and forget – Hope it wasn’t important, because probably noone will notice :)
As someone mentioned SMART monitoring of HDDs under Linux, and suggested a KDE app – what about my linux server whose only idea of a GUI is a coloured SSH session (when I run one, that is). In my case, smart errors are logged and a monitoring app sends me an email if it sees any. Same goes for brute-force hacking attempts on the server.
Whatever the answer to the problem is, I’m certain it requires the admin user to run an app to receive send-and-forget messages from the server, that message can be broadcast to many destinations, and is logged somewhere on the server. Whether the destination is email, a MSN message, SMS, or a UDP packet doesn’t matter.
The point is, you can’t have any interaction with the server because you may not be able to get to it (network down errors go … where? you must send so they can be received when the network is back up, at least the admin knows what happened in case, say, some services need restarting), and you can’t have direct interaction because no-one is likely to be in the server room (this also includes beeping from the BIOS, but that will be noticed after a while).
I suppose the only true way to deal with it is MessageBox, eventually someone will come and look at why the server is unresponsive :)
I’m glad the corrupt FS story has opened up this discussion more, as the underlying problem is "how do I notify somebody competent in a timely manner".
In theory, windows has the event log, which is remotely accessible, and integrates with other management tools. In practise, most consumer-grade users dont know WTF it is, so it only ever gets opened when someone competent comes round or connects in to scope it out.
On the subject of linux HDD failures, the only time it hit me I was at a conference in a different country. From the laptop I’d noticed my email wasnt filtering, so its SSH in to the desktop, kill -9’d thunderbird and went to ~/bin to restart it, only to discover there was no ~/bin; the whole of /home had been unmounted after too many failures. not good.
I think I’d like every OS to SMS me on an HDD failure, and for that not to be a premium rate feature that I have to pay for enterprise management tools for.
At the same time, I dont want to get paged whenever some app feels like telling me that the default printer back over the VPN has run out of paper. a ::SendSMStoOperator() API call is not something the drivers should have. ::NotifyOperator(CRITICAL,FACILITY_FILESYTEM,…) would be better.
The Currently Logged-In User said "I remember having to do some very annoying things when running Java on Linux without an X server, because the Java Runtime tried to find out the bit depth and resolution of the display when starting up, and there was no way to keep it from doing this."
Java doesnt work properly without X11 installed on unix because the advanced image API somehow needs it to do image processing. You have to install that headless X11 server that renders to memory only for things to work.
other unix apps need it too -the oracle command line installer for one. We suspect it is creating the GUI and filling in the forms and hitting the buttons itself.
Dont even get me started on apps that expect a keyboard…
Speaking of who says there’s only one, think of all the Windows apps (not just Java) that get The screen resolution, Windows apps and drivers that get The keyboard state, Windows apps and drivers and firewalls that use The IP address, a few Windows apps and drivers and firewalls which somewhat understand multiple NICs but still use The IP address of each NIC, etc. Someone please remind me of why The workgroup or The domain works OK.
My guess as to why Oracle’s installer requires an X server is that it uses Java. If Java won’t start up without an X server, Oracle’s installer wouldn’t be able to start up either.
My two cents about the new (beta indeed) MSN Screensaver. 1. it launches browser windows, 2. it crashes if it runs simultaneously under two accounts. Maybe a MSN team member reads this.
One more "only one": Historically most Usenet news readers assumed there was only one news server that the user would want to connect to. Outlook Express nicely avoids that assumption most of the time. Microsoft deserves at least 95% of a congratulation for this.
Oops, sorry for not having only one in a row here. I just came across a very relevant answer in MSDN:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dllproc/base/window_stations.asp
> The interactive window station, Winsta0, is
> the only window station that can display a
> user interface or receive user input. It is
> assigned to the logon session of the
> interactive user, and contains the keyboard,
> mouse, and display device. All other window
> stations are noninteractive, which means they
> cannot display a user interface or receive
> user input.
>
> When a user logs on to a Terminal Services-
> enabled computer, a session is started for
> the user. Each session is associated with
> its own interactive window station. For more
> information, see Terminal Services Sessions.
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/termserv/termserv/terminal_services_sessions.asp
> The console session on the Terminal Server is
> assigned the session ID 0.
>
> Each Terminal Services session is associated
> with an interactive window station. The only
> supported window station name for an
> interactive window station is “WinSta0”;
> therefore each session is associated with its
> own “WinSta0” window station.
[…]
> However, because the Terminal Services
> console session is never deleted, the window
> stations associated with the console session
> are not deleted.
If I understand correctly, in Vista the Terminal Services console session will no longer be session ID 0. It will be session ID something else.
Nonetheless the Terminal Services console session will be just one console session, right? That session will contain just one Winsta0. That session might also contain other window stations but they won’t be Winsta0. Other sessions will contain Winsta0 stations but they won’t be in the console session. There will only be one Winsta0 in the console session.
There can be several desktops in the Winsta0 window station in the console session, but only one of those desktops will be retrieved by the OpenInputDesktop function.
Result: the unique user logged into the console session.
Now I have to go away and figure out how my scheduled task should interact with me (currently if I get the settings right I just have to read the error message in the console window…)