How to assign a different desktop to a process (interactive service)?
Klaus Trabitsch
I have an interactive service that also needs to be accessed from terminal
server sessions. Since a new desktop is used when connecting through a
terminal session, the service cannot interact with the new terminal session
(only with the main console desktop).
Does anybody know if it is possible to bind the service process to the desktop
(Winstation) of a terminal session?
Thanks,
Klaus
Tim Robinson
No. Each session gets its own copy of Win32 (WIN32K.SYS and CSRSS.EXE) and
so each session has its own concepts of window stations, desktops and HWNDs.
A process started in one session isn't going to be able to get access to the
GUI of another session.
In any case, this is a really bad design from a security point of view. An
interactive service can be compromised by any user able to call SendMessage
or PostMessage, no matter how privileged. Presumably your service is running
under the System account, so this means that any user is able to hijack the
local computer through your service.
I recommend changing the design so that your service is non-interactive,
splitting the user interface into a separate application that runs on each
user's desktop and communicates with the service through some secure
mechanism (e.g. pipes). This should solve the session problem and also plug
this particular security hole.
--
Tim Robinson (MVP, Windows SDK)
http://mobius.sourceforge.net/