| Date: | May 8, 2007 / year-entry #163 |
| Tags: | code |
| Orig Link: | https://blogs.msdn.microsoft.com/oldnewthing/20070508-01/?p=26933 |
| Comments: | 39 |
| Summary: | One of the major changes to services in Windows Vista is session 0 isolation. After reading the summary, you can follow that first supplementary link, Impact of Session 0 Isolation on Services and Drivers in Windows Vista, to dig deeper and receive guidance on how you need to modify your service. Then again, some of the... |
One of the major changes to services in Windows Vista is session 0 isolation. After reading the summary, you can follow that first supplementary link, Impact of Session 0 Isolation on Services and Drivers in Windows Vista, to dig deeper and receive guidance on how you need to modify your service. Then again, some of the questions I see regarding session 0 reveal that they were relying on behavior that wasn't true even in Windows XP. Many people† assume that session 0 is the one connected to the physical keyboard, but there is no such guarantee. If you turn on Fast User Switching and have multiple users logged on, the second and subsequent users will be on sessions other than session 0, even though they are at the physical keyboard when they log in. Conversely, if you use Remote Desktop Connection to connect to a Windows XP machine, you can connect to session 0 remotely. So whatever they were doing, it was already broken. Nitpicker's corner †The phrase "many people" means "many people". Microsoft employees fall under the category of people. (I can't believe people are nitpicking the nitpicker's corner.) |
Comments (39)
Comments are closed. |
"(I can’t believe people are nitpicking the nitpicker’s corner.)"
I just wanted to leave another keep-up-the-good-fight message. Don’t let the haters get you down.
"So whatever they were doing, it was already broken."
But that’s true of just about everything, given enough time.
"If you turn on Fast User Switching and have multiple users logged on …"
Does this happen a lot? I don’t know anyone who uses Fast User Switching.
Yeah, well, it would only be broken on XP with Fast User switching or Terminal services. Most business desktop setups do not use Fast User switching, and not many desktops have Terminal services setup. So the likelyhood of running into this was low if you write business desktop apps.
It finally bit me last year, 4 years after the code went into production. Someone had Fast User turned on and something didn’t work. Just part of the standard code maintenance cycle.
Darn, this is going to make my "Service Replacement" exploit code sooo much more complicated…
(Yes, I have an exploit that uses the fact that Power Users can start/stop services and that some third party apps install services with weak file permissions.)
The "session 0 isolation" link should point to:
http://msdn2.microsoft.com/en-us/library/aa480152.aspx#appcomp_topic12
instead. (It should have a fragment identifier of topic12 instead of topic10. The link in the article goes to the right page, but it points at the IIS7 changes, not the changes to session 0.) :-)
Knowing that you can remote desktop into session 0 (mstsc /console) has saved me before though. Not too long ago I was installing a F/OSS database product (that shall remain nameless) that insisted it couldn’t be done remotely.
Which is just great when you have a headless server….
It’s an arms race. You can never win when they feel the need to show off their brilliance by bringing other people down.
"We shall nitpick in France, we shall nitpick on the seas and oceans, we shall nitpick with growing confidence and growing strength in the air, we shall nitpick on the beaches, we shall nitpick on the landing grounds, we shall nitpick in the fields and in the streets, we shall nitpick in the hills; we shall never surrender."
So is Ray’s next blog speech going to be, "Not only are we going to Redmond, we’re going to Seattle and San Francisco and Silicon Valley and Boston, and then we’re going to Washington, D.C., to take back the Nits! Byaaah!!"
Dave: You clearly don’t have a household with a shared computer. The computer in our kitchen almost always has 4 people logged onto it with FUS. We love it.
Yes, FUS was one of the nice features that XP introduced.
I can. How could you not believe that? Pick pick pick… ;-P
OnT: this is good. I’m really hoping this’ll kick a certain manufacturer of printers into writing better software… i’m such an optimist.
Raymond,
the link should be http://msdn2.microsoft.com/en-us/library/aa480152.aspx#appcomp_topic12 if you want it to go directly to the anchor for the topic.
"Does this happen a lot? I don’t know anyone who uses Fast User Switching."
Ignorance is bliss, eh?
That goes well with the "I don’t know anyone who logs in as a limited user"
Vista’s Session 0 change will force at least one product to fix some security hole. This particular product has service running as System, exposed a UI and launches Internet Explorer as the System user. Even if the logged in user is not an admin.
The response to this bug was: "it works on Windows 2000" and "nobody we know uses fast user Switching."
Fortunately this product has a small enough market that (almost) nobody cares.
As I said, ignorance is bliss.
I use both Fast User Switching AND Remote Desktop on WinXP all the time. FUS is used on our home computer so my wife & I can both use it (she’s Korean and has lots of Korean apps which I can’t read ;). I use Remote Desktop to connect to my computer at work, over the VPN.
Anyway, there are far better (and more secure) ways for a service to display UI on the computer its running. Checking that "allow service to interact with the desktop" has always been a horrible kludge.
> some of the questions I see regarding session
> 0 reveal that they were relying on behavior
> that wasn’t true even in Windows XP
Maybe because they were relying on MSDN? MSDN has so many bugs on session handling that I hardly know where to start with this.
> I can’t believe people are nitpicking the
> nitpicker’s corner
No problem. The author of
http://blogs.msdn.com/oldnewthing/archive/2007/03/14/1878777.aspx
understood it perfectly.
Any way to force Vista to have a non-isolated Win2000 ?
We cannot upgrade/buy workstation with Vista because of the inability to use VNC to control them remotely (RDP is not an option – switching to another desktop it makes our 3D application to lose context and can even lead to BSOD for asynch operations pending on various devices..).
I meant : any way to force vista to have a non-isolated session 0 (like Win2000)
Jan, not that I’m aware of, but there are workarounds for getting VNC to work in whatever session you’ve logged in to. It basically involves running is a normal program rather than a service.
Google for "vnc vista" and the first page has a workaround.
Norman Diamond: go away, nobody likes you. Get your own blog and enjoy being completely ignored. Stop hijacking someone else’s success for your attention craving antics
I don’t want to hijack a conversation, but on the topic of Remote Desktop… which version of Windows Vista do I need to own to use Remote Desktop? It looks like only Business and Ultimate include both Remote Desktop client AND Server, but I want a system with Media Center and Remote Desktop.
To get a system with Media Center and Remote Desktop, do I need to buy Ultimate?
VNC never worked for me in user mode either. It would never update the screen unless I forced a manual refresh, making it nearly useless.
So I switched to Remote Desktop for Vista… at the moment I’m back in XP though.
@Norman:
I forwarded the bugs you found and reported a couple of months ago on microsoft.public.win32.programmer.kernel to doc writers. As far as I can tell, they fixed all incorrect statements about session 0:
http://msdn2.microsoft.com/en-us/library/aa379591.aspx
http://msdn2.microsoft.com/en-us/library/aa383496.aspx
If you find more issues you can report them to the newsgroup, or use "give feedback" link on the docs page itself.
Thanks for helping us make MSDN docs better.
Wednesday, May 09, 2007 10:29 AM by KJK::Hyperion
I already know. No one likes bug fixers because bug fixers embarrass them. No one likes bug reporters because bug reporters make extra work for them — who wants to waste time denying that a bug was a bug, when they could have spent that time relaxing?
Please ignore me more often.
Huh?
Wednesday, May 09, 2007 10:24 PM by Pavel Lebedinsky
Thank you very much! Meanwhile this week I posted in the kernel newsgroup about one more page with a few bugs in it. The day I read that page I also read a few other pages with related bugs but didn’t post about them.
That garbage link is a huge waste of time. I type in details and then your company replies that I acquired the MSDN-English version of http://msdn.microsoft.com outside of North America, therefore it differs vastly from the version of http://msdn.microsoft.com which is distributed in North America, therefore I should pay a support fee to Microsoft Japan in order to inform them of a bug in an MSDN-English page. Or they toss the entire contents that I typed in and keep only headers. Or they toss half of the contents that I typed in. One time your colleagues politely maintained a conversation long enough so that they could repeat that point twice about the MSDN-English version of Microsoft’s web site being vastly different from the version that’s distributed in North America. Pardon me while I stop wasting time with those contact links.
Lucky for you, those pages that Pavel pointed to (as well as plenty of others) now have a "Community Content" section, into which you can enter your corrections directly.
It’s annoying how otherwise intelligent people don’t understand that "Tu quoque" is actually an invalid argument.
http://en.wikipedia.org/wiki/Tu_quoque
You really don’t get it do you? Even though it has been explained to you dozens of times already… This is not a bug database. It is not formal microsoft documentation. You claim to acknowledge this fact over and over again in your posts, yet still go on moaning and complaining about completely irrelevent nonsense all the time.
If you have bugs to report, report them through the official channels. These channels may involve you paying a large number of yen (as you point out at least once a month) but that is the way that microsoft operates. Complaining on various msdn blogs about this fact achieves absolutely nothing, apart from making more and more people get completely sick of seeing your name attached to posts.
Please, unless you have something constructive to add, just don’t post. If Raymond makes a post about some random topic, that is not an invitation for you to complain about how some completely unrelated topic caused you to lose data on a scsi floppy disc attached to a laptop running the japanese version of windows 95. Nobody cares.
And since you love nitpicking, when I say ‘nobody cares’ above, I am not diminishing the fact that you lost data 10 years ago due to a windows bug. I am saying that the fact that you lost data 10 years ago is completely irrelevent now. Nobody cares about your whining because your whining almost never has any relevence to the current discussion, nor does it contribute anything constructive. Its just whining because you were hit by a bug. Nobody (on this blog) cares. Feel free to whine as much as you like to the people who are meant to receive your whinings.
He’s quite likely referring to your infuriating habit of always trying to appear to be a smartass by nitpicking details in almost every post, including the nitpickers corner. You should rather be smug in the knowledge that Raymond has had to introduce a nitpickers corner almost entirely to cater for you and you alone, because you pig-headedly refuse to accept that this is just a blog, and not formal microsoft documentation. Raymond will make generalisations… he assumes that most of his readers are smart enough not to take every word literally. You claim to understand this, but still go on nit-picking the most stupid things, and wasting everybodys time with it.
We all know that you are in Japan and that protocol and such is different there… most of us know that things are more formal there. What you need to accept is that this is a blog, and not offical japanese-quality documentation where everything must be taken quite literally.
Or, he could be referring to your annoying habit of nit-picking generalisations made in articles or comments. This is a windows blog. Most comments relate to windows development. It is just attention-seeking when you point out that you’ve been doing 32bit development 600 years ago on an abacus. It is completely irrelevent to the discussion. We are all aware that there are platforms other than x86/windows, and we are all aware that there have been platforms with different capabilities before the x86 became popular. You’re not the only one who reads or posts to this blog who has had experience on those platforms, yet you’re the only one who feels the need to point them out all the time. The rest of us all take it for granted.
So please, until you’re able to actually accept that this is an informal blog, where certain things are left unsaid, and certain things are overstated, and certain things are intentionally generalised, Stop Posting.
Unless you’re actually going to contribute something positive to the conversation, rather than just moaning about some bug, or that microsoft makes the same mistakes, or that some sentence that everyone else was able to read in the correct context could be ambiguous, Stop Posting.
The last time I posted, proposing the 6 degrees of norman game, you assumed that I was encouraging microsoft and its users to just accept bugs rather than fix them. As usual, you completely misinterpreted the intent, just as you will probably misinterpret the intent of this post. Nobody is condoning bugs or saying that users should just accept them. The simple point is that this is neither a bug reporting tool, nor official documentation, so stop treating it as such.
Until you can do that, really… Stop Posting
Amen, "Not Normal Diamond."
Raymond:
Not sure if you are an inspiration to Dr. Cox’s character in the show "Scrubs" on Comedy or if it is the other way round :)
"The last time I posted, proposing the 6 degrees of norman game,"
Oh man, I missed that but it sounds brilliant. Have you followed it up with the Norman Diamond drinking game yet?
When he mentions he’s in Japan, take a shot. Take one more shot when he’s being snooty about bugs that occur because of localization issues.
When you find the same complaint posted to multiple blogs, take a shot for each blog.
… this list could go on for pages.
Wednesday, May 09, 2007 10:24 PM by Pavel Lebedinsky
Mr. Lebedinsky, thank you again. I hope that "Not Norman Diamond" doesn’t get you fired for having done so. I wonder if "Not Norman Diamond" is the manager who made Mr. Chen pay for attempting to help reduce the number of bugs in Windows 98.
About the MSDN contact links, it looks like you were sincere in your recommendation, so I replied sincerely, even though the facts duplicated facts that I’ve posted a number of times before. Sorry to see that your colleagues are still embarrassed by the facts, so embarrassed that they have to hide their names in shame. Anyway thank you for your efforts.
J: http://blogs.msdn.com/larryosterman/archive/2007/01/23/how-the-magic-of-windows-vista-saved-38g-of-my-data.aspx#1521194
Norman Diamond:
…
I’m not, and never have been an employee of microsoft. I am just one of many msdn blog readers who are entirely frustrated at your posts, to the point of having to hijack Raymond’s blog to ask you as politely as I can to shut up.
Thursday, May 10, 2007 8:18 PM by J
Yup, I want to too. Did you read about the fake 90-day warranty being changed to a fake 1-year warranty?
I sure do want to. If Microsoft would do the same in J’s country, where the language version of 99% of Windows systems sold in J’s country can’t handle their own language, J would want to go postal too.
I just finished 10 hours tracking down an emergency call because one of our products didn’t work on the day that it was supposed to be delivered to our customer (and they’re an OEM with millions of customers). Carried a notebook PC to their site with source code and compiler so I could add various trace statements to a DLL.
Here’s how it finally turned out. One employee of our customer had the nerve to use her real name for her account, a Japanese name on a Japanese Windows XP system. Naturally that was too much for WTSQuerySessionInformation.
What kind of fool would ever expect a Win32 API on a Japanese version of Windows XP to perform in an environment with Japanese strings? Sadly, sometimes the answer is me. I’m not really the kind of person who wants to take shots, but stuff like this tries to persuade me to become one. And then there are people who try telling me that Windows has been tested.
Yeah, and let me know when they get fixed too.
No kidding. It would be around 25% of the pages of MSDN.
Careful… Norman Diamond is trying to get us all drunk by manipulating his own drinking game!
Perhaps it’s a compulsion on ND’s part? Perhaps ND really believes he is helping?
He seems to value being right/accurate over social acceptance and/or politeness, to a greater extent than the average person. I guess that makes him exceptional!
I have met others with similar behaviours occasionally in software development.
I frequently find his commentary insightful, though colored with immense frustration.
I suggest there are very few humans – let alone organizations run by collections of people that aren’t perfect – that are able to satisfy his desire for correctness and consistency at all times.
Sunday, May 13, 2007 12:27 PM by Fink
> I suggest there are very few humans – let
> alone organizations run by collections of
> people that aren’t perfect – that are able to
> satisfy his desire for correctness and
> consistency at all times.
No shi*. That’s why I don’t complain about the occurrence of bugs. Everyone makes bugs. Honest people try to fix them. Notice what I’ve complained about:
Microsoft reneges on warranties.
Microsoft charges fees in order to let victims report bugs through proper channels, or to even state a KB article whose published hotfix we want.
Microsoft asserts the reader’s geographical location as the reason for refusing to fix MSDN bugs, coupled with Microsoft’s assertion that http://msdn.microsoft.com/library differs vastly depending on where the browser acquired it.
Also guess why it took me 9 hours instead of 0.1, last Friday night and Saturday morning, to find the cited bug in session handling. For about 8.9 hours I was assuming the bug was mine, repeatedly adding trace statements to a DLL until finally finding where the bug was. And guess who didn’t charge our customer a fee for reporting a bug to us (even though most of our bugs really are ours).
If making Windows work in countries other than the U.S. is a non-goal at Microsoft, then bugfixes aren’t overdue, refunds are.
By the way, before Norman comes back and says something like "but you have said in the past that other Microsoft employees read this blog, and so I complain for the sake of those employees" — clearly the people who DO have influence over these policies (note: they’re probably not developer-types) probably DON’T read this blog. So even if you complain for the sake of the policy-makers, it is apparently not working.
Someone once said "the definition of insanity is doing the same thing over and over again and expecting different results."
My previous comment stated what comment it was replying to. I can’t believe I have to repeat this kind of explanation.
Yes I know that Mr. Chen has no control over Microsoft policies. I can’t believe I have to repeat this kind of explanation.
Several commenters have expressed the opinion that Windows shouldn’t work except in the U.S. That would be fine with me, Windows shouldn’t be sold except in the U.S., and refunds are overdue. If other commenters want to repeat this agreement on fundamental issues, it probably will be repeated.