We introduced Service 0 Isolation a few weeks ago as an application compatibility topic. It is only natural that we continue our conversation about services in the context of Windows 7. But this time, we will talk about some of the benefits to service optimization that are available in Windows 7. This post focuses on a new feature in Windows 7 called Trigger Start Services. But before we jump into the API, let’s provide some background about services.

What Are Services?

A service is an integral mechanism built into Microsoft Windows operating systems. You can think of services as “special applications” that run with no regard to the current user context. Services are different from “regular” user applications because you can configure a service to run from the time a system starts up (boots) until it shuts down, without requiring an active user to be present – that is, services can run even though no users are logged on.

We like to think about services as running tasks for us in the background without interfering with user operations. Services on Windows are responsible for all kinds of background activity that do not involve the user, ranging from the Remote Procedure Call (RPC) service, through Printer Spoolers, to the Network Location Awareness service.

Over the years, Windows has grown and with it the number background services. But to be honest, background services in Windows are a pain – the operating system ships with a lot of them in the box. On top of that, ISVs and their applications add even more services, like software updates to name only one. With that said, some of these services are critical and are required during boot sequences, some are required later when a specific user logs on, while others don’t need to execute until they are called upon. Nonetheless, when you look at the currently running services, you see a lot of services that really don’t need to run 24x7.

What’s Wrong with Services Running 24x7?

There are several issues with having services run 24x7:

First, why have something run (even in the background) when there is no need for it to run? Any running process (services included) uses valuable memory and CPU resources that could be used by other applications and services. If you total up all the services that are running at any given time, they add up to quite a lot of memory, handles, threads, and plenty of CPU usage. All of these “wasted” resources reduce the overall computer performance, decrease its responsiveness, and make users think their computers are sluggish and slow. Also, since most of the running services are configured as Auto-Start (start running upon system log-on), these services have an impact on the computer's boot time.

Second, these wasted resources, have a direct impact on power consumption. The more demands we place on the CPU, the more power our computer uses. This can be critical for laptops, and could reduce battery life from four hours to three hours.

Third, having non-productive software run all the time may lead to memory leaks and overall system instability. This can lead to application crashes and ultimately computer crashes.

Last, but not least, if a service is running 24x7, and this services is well known (any popular application might have one – like the PDF Reader), it provides a larger attack surface. A hacker might use the knowledge that a certain popular application installs a service that runs 24x7, and try to hack into that service to gain privileged access to the computer.

Given all of the above, it makes you wonder why so many developers configure their services to run all the time when there are other options. Even before Windows 7, there were several service start-up options:

• Disabled completely disables the service and prevents it and its dependencies from running—this means that the user must start the service manually from the Control Panel or the command line
• Manual starts a service as required (defined by dependencies to other services) or when called from an application using the relevant API as shown later in this post
• Automatic starts the services at system logon
• Automatic Delayed is a newer startup type introduced in Windows Vista that starts the service after the system has finished booting and after initial demanding operations have completed, so that the system boots up faster

Unfortunately, many ISVs (Microsoft included) still choose to configure their services to Automatic (or Automatic Delayed) because it is the easy solution for everyone. A service simply runs 24x7 and is always available, eliminating the need to check any dependencies or verify that the service is running.

There are many examples of existing services that can become more resource friendly and more secure by not running 24x7. For example, think of an update service that checks for new application updates. If the computer is not connected to a network and has no IP available, why should the update service run? It can't reach anywhere, so why run a program that does nothing? Think about a policy management service that is invoked when a group policy changes or when the computer joins or leaves a domain, but right now the computer is connected to my home network and again the service works in vain.

Introducing Windows 7 Trigger Start Services

The solution for the above problems is to move the service out of its “forever running state” into other types of background activity, such as scheduled tasks or trigger-start services. This post focuses on Windows 7 Trigger Start Services. Windows 7 Scheduled Tasks include a lot of valuable information that we will describe in another post.

Trigger-start services are new to Windows7. A trigger-start service is a regular service that you can configure to run (or stop running) only when it is triggered, that is, only when certain criteria and conditions that you define are met (for example, when the first network IP address becomes available, or when the last network IP is lost). Here is a list of the available triggers that you can use to configure the Start-Up mode of a given service:

• Device interface arrival or departure
• Joining or leaving a domain
• Opening or closing a firewall port
• Group policy change
• First IP address available/ last IP address leaving
• Custom event – Event Tracing for Windows (ETW)

The last item in the list represents the extendibility point. As a developer, you can configure any ETW event as a trigger for services, which gives you a very good tool to fine-tune your control over starting and stopping services from your application.

So what exactly is a trigger?

A trigger consists of:

• A trigger event type
• A trigger event subtype
• The action to be taken in response to the trigger event
• One or more trigger-specific data items (for certain trigger event types)

The subtype and the trigger-specific data items together specify the conditions for notifying the service of the event. The format of a data item depends on the trigger event type; a data item can be made up of binary data, a string, or a multistring.

Working with Trigger Start Services

Unfortunately, Windows 7 Services MMC UI does not include a graphical representation of the trigger start services. However, you have two options. You can still use the old and good sc.exe (Service Configuration command line tool), or you can use the WIN32 ChangeServiceConfig2 method to configure the service start option programmatically as demonstrated in this post.

Using SC.exe to Query Service Trigger Information

It's time to start have some fun. First, let’s start with just extracting some configuration information from a few services. The generic form for using the service configuration is:

sc <server> [command] [service name] <option1> <option2>...

• command is the operation you wish to perform like querying trigger information
• service name is the name of the service you wish to work with
• options are the different values (options) you can pass to configure the service

Let’s start by querying a specific service for its trigger start configuration. To do so you need to launch a Windows Shell window:

1. Open the start menu.
2. Type CMD in the search box.
3. Choose cmd.exe.
   This will open a Windows Shell window.
4. Type sc qtriggerinfo w32time and press enter

This is how it should look:

As you can see, we queried the trigger information of the W32time service, which is configured to start when the computer is joined to a domain and stop when the computer leaves the domain.

Microsoft updated the sc.exe command-line tool for Windows 7 to support configuring and querying a service for supported triggers. Type sc triggerinfo in the Windows shell window and press enter. The result looks like the box below, and lists all the different triggers and how to configure a service to use trigger start services.

C:\>sc triggerinfo
DESCRIPTION:
        Changes the trigger parameters of a service.
USAGE:
        sc <server> triggerinfo [service name] <option1> <option2>...
OPTIONS:
 start/device/UUID/HwId1/... <Start the service on arrival of the
                             specified device interface class UUID
                             string with one or more hardware ID
                             strings and/or compatible ID strings>
 start/custom/UUID/data0/.. <Start the service on arrival of an
                             event from the specified custom ETW
                             provider UUID string with one or more
                             binary data items as hexadecimal
                             string format such as ABCDABCD to
                             set 4 byte data>
 stop/custom/UUID/data0/... <Stop the service on arrival of an
                             event from the specified custom ETW
                             provider UUID string with one or more
                             binary data items as hexadecimal
                             string format such as ABCDABCD to
                             set 4 byte data>
 start/strcustom/UUID/data0/.. <Start the service on arrival of an
                             event from the specified custom ETW
                             provider UUID string with one or more
                             optional string data items>
 stop/strcustom/UUID/data0/.. <Stop the service on arrival of an
                             event from the specified custom ETW
                             provider UUID string with one or more
                             optional string data items>
 start/networkon             <Start the service on first IP address>
 stop/networkoff             <Stop the service on zero IP addresses>
 start/domainjoin            <Start the service on domain join>
 stop/domainleave            <Stop the service on domain leave>
 delete                      <Delete the existing trigger parameters>

For example, to configure a service to start when the first IP address becomes available, all you need to do is type sc triggerinfo [your service name] start/networkon, where “your service name” is replaced with the name of the service that you wish to configure.

Configuring Trigger Start Services Programmatically Using ChanceServiceConfig2

The more interesting aspect, from a developer's point of view, is writing services that are trigger aware and using code to configure a service. In Windows 7, you can use the ChangeServiceConfig2 function to configure service trigger information and the QueryServiceConfig2 function to query it.

Service trigger registration is performed by calling ChangeServiceConfig2, passing SERVICE_CONFIG_TRIGGER_INFO for the dwInfoLevel parameter, and providing the trigger registration information in a SERVICE_TRIGGER_INFO structure through the lpInfo parameter. In addition, one or more trigger-specific data items can be specified. The following is an example of a service installer function that creates a USB device trigger for a service that is named MyService:

define SERVICE_NAME L"MyService"
    //set the device guid
    static const GUID GUID_USBDevice = {
       0x53f56307, 0xb6bf, 0x11d0, 
       {0x94, 0xf2, 0x00, 0xa0, 0xc9, 
       0x1e, 0xfb, 0x8b }};

BOOL _SetServiceToStartOnDeviceTrigger()
{
    BOOL fResult = FALSE;

    SC_HANDLE hScm = OpenSCManager(
        NULL, //local machine
        NULL, //active database
        SC_MANAGER_CONNECT);

    if(hScm != NULL)
    {
        SC_HANDLE hService = OpenService(
            hScm,
            SERVICE_NAME,
            SERVICE_ALL_ACCESS);

        If( hService != NULL)
        {

           LPCWSTR lpszDeviceString = L"USBSTOR\\GenDisk";
           SERVICE_TRIGGER_SPECIFIC_DATA_ITEM deviceData = {0};
           deviceData.dwDataType = SERVICE_TRIGGER_DATA_TYPE_STRING;
           deviceData.cbData = 
                       (wcslen(lpszDeviceString)+1) * sizeof(WCHAR);    
           deviceData.pData = (PBYTE)lpszDeviceString;


           
           SERVICE_TRIGGER st;
           st.dwTriggerType = 
                       SERVICE_TRIGGER_TYPE_DEVICE_INTERFACE_ARRIVAL;
           st.dwAction = SERVICE_TRIGGER_ACTION_SERVICE_START;
           st.pTriggerSubtype = (GUID *) &GUID_USBDevice;
           st.cDataItems = 1;
           st.pDataItems = &deviceData;

           
           SERVICE_TRIGGER_INFO sti;
           sti.cTriggers = 1;
           sti.pTriggers = &st;
           sti.pReserved = 0;

           fResult = ChangeServiceConfig2(
                        hService,
                        SERVICE_CONFIG_TRIGGER_INFO,
                        &sti);
        }
        CloseServiceHandle (hService);
    }
    CloseServiceHandle (hScm);

    if(!fResult)
    {
        printf("Service trigger registration failed (%d)\n", 
                 GetLastError());
    }
    return fResult;
}

In the above code snippet, you can see that first we get a handle (hScm) to the SCM by calling openSCManager. Next, we call openService and pass the handle to the SCM- hscm,and the service name – SERVICE_NAME that we wish access. The last parameter, SERVICE_ALL_ACCESS, indicates that we have complete access to the services. Assuming we got a valid handle to the service, we now start to build the specific structure that we’ll soon use to configure the service.

SERVICE_TRIGGER_SPECIFIC_DATA_ITEM defines the trigger event type. It contains trigger-specific data for the service trigger event. In our case we define the string that represents a USB gen disk arrival.

Next we define the SERVICE_TRIGGER structure, which represents a service trigger event. Note that this is where we define the trigger type (device arrival), the action (start the service), and the trigger sub type (the specific family of the USB device). Then we define one device that will trigger the service. Note that you can define an array of devices and their GUIDs. You should also note that we don’t want the service to be triggered upon just any USB device arrival like a mouse or a camera. We want the service to start only when a USB disk arrives.

Finally, we define the SERVICE_TRIGGER_INFO structure, which contains trigger event information for a service. This structure simply points to the SERVICE_TRIGGER struct that we defined previously, and the number of triggers that, in this case, is one.

Now we can call the ChanceServiceConfig2 function and pass the handle to the service we wish to configure, a SERVICE_CONFIG_TRIGGER_INFO parameter that indicates that we wish to configure the service trigger, and a null.

That is all there is to it. If we are successful, then our service will run after we insert a USB hard drive.

In the next post, we'll review how to write a simple implementation of a .NET service that we’ll program to start upon arrival of a USB generic disk.

You can learn about Windows 7 using the Windows 7 Training Kit for Developers or by viewing Windows 7 videos on Channel 9.

You can also get hands-on experience for Windows 7 Trigger Start Services using the Windows 7 Online training that is part of the Channel 9 Learning Center

Windows 7 is now available to the public and anyone can buy and install Windows 7, whether for a new computer or an existing one. Soon, people from around the world will run your applications on Windows 7. They will expect the application to work and to feel as though it is a native Windows 7 application that takes advantage of new Windows 7 features and technologies like the Taskbar, libraries, touch, and sensors.

As Windows 7 approached GA, we continued to release new developer content to help you get up to speed with the new operating system. Now that it's here, Windows 7 GA is a great “excuse” for us to give you a quick update on all the Windows 7 developer content that is available to help you learn how to write a great Windows 7 application.

Below is a list of locations where you can find Windows 7 developer content.

Updated Windows 7 Training Kit – (Download it now)

To help you get your application onto Windows 7 as soon as possible, we updated the Windows 7 Training Kit for Developers. You can still find all the previous topics such as Taskbar, Sensor and Location, Libraries and Shell, Multitouch, Ribbon, etc. New to the kit are labs that work with VS2010 and use the new MFC improvements in VS2010 (download VS2010). We also added VB to all of our managed solutions – truly, no developer is left behind.

Windows 7 Online Training on Channel 9 Learning Center

Let’s assume you are interested in learning about Windows 7 libraries, or how to add some cool Taskbar functionality to your application, but you don’t want to download the entire training kit. Well with the Windows 7 Online Training Kit located on the Channel 9 Learning Center, you have immediate access to all Windows 7 learning units individually. Each learning unit (like the Taskbar) includes a few hands-on-labs and related videos. This gives you quick and easy access to most of our training material. For the rest of the content, like PowerPoint presentations and additional demos, you will have to download the Windows 7 Training Kit for Developers. The following image shows part of the managed code hands-on-lab for the Taskbar.

As always, the Windows 7 Topic Area on Channel 9 still features specific Windows 7 videos and screencasts. Over the past few weeks, we created new videos that I am sure you will find exciting and helpful, including a new Mark Russinovich video. As a friendly reminder, the last video Mark did, “Mark Russinovich: Inside Windows 7, was a Channel 9 blockbuster. If you haven't already viewed it, I highly recommend it, and make sure you see Mark’s new video Mark Russinovich: Inside Windows 7 Redux. Don’t forget to stay up-to-date with other topics:

• Using Windows 7 – Contains consumer- and user-related videos such as how to install Windows 7 and how to set up a home group network
• Programming Windows 7 – I don’t really need to explain what goes here, right?
• Last but not least, “Under the Hood” –Covers deep architectural Windows concepts

MSDN Developer Center

The MSDN Developer Center also received a “Windows 7 GA refresh” and now sports a new look and much improved functionality. The MSDN Developer Center includes a lot of Windows 7 material that extends the training content on available on Channel 9. You can think of the MSDN Developer Center as a hub for the Windows 7 content that will give you a great head start as you develop applications that will shine on Windows 7. You can find information about specific topics, review different programming models, learn about the developer tools that you can use, watch videos, and read blogs.

A New Book for Windows 7 Developers

Among the other things that you will find on the MSDN Developer Center, is a list of recommended Windows 7 books for developers. It turns out that over the past few months, I’ve been busy writing a Windows 7 book with three amazing co-authors: Laurence Moroney, Sasha Goldshtein, and Alon Fliess. Together, we wrote Introducing Windows 7 for Developers. It covers most of the exciting Windows 7 features like the Taskbar, Libraries, Sensor and Location, Multitouch (including new WPF 4 support with VS2010), and even Silverlight out of

browser (including touch :). As far as I know, this is the first Windows 7 developer book, and I hope you will find it useful. Mark Russinovich found this book helpful while integrating Windows 7 features with the Sysinternals tools and he wrote the foreword for this book.

I hope this list will help get you on your way to writing amazing Windows 7 applications.

PDC 2009 takes place at the LA Convention Center on November 17^th, 18^th, and 19^th. As I wrote before, The Professional Developers Conference is the one event each developer has to attend. Windows 7 will become generally available (GA) to the public on October 22nd. With the pre-release veil of secrecy lifted, during this year's PDC we can dive deep (very deep) into Windows 7 to extend our understanding of how Windows 7 works and, even more importantly, how developers can take advantage of all the great new improvements and features Windows 7 has to offer.

Just in case you missed my previous announcement, there is a FREE Windows 7 (seminar) Boot Camp led by top Microsoft Windows experts like Mark Russinovich, Landy Wang, and Arun Kishan. Then, during the PDC proper, we’ll have several deep-dive Windows 7 sessions.

During this year's PDC, we’ll host the Windows 7 Developer Center. The Windows 7 Developer Center gives you the opportunity to test your application on Windows 7, identify and solve problems with a group of consultants, and eventually get your application Logo-certified. Applications can be loaded onto a secure Windows 7 test platform in a private developer lab environment for Logo testing and submission. Our Windows Applications Developer Consultants can also help with Windows Compatibility questions or offer specific guidance for how you can make your application shine on Windows 7. You can pre-book a time slot right away, book a time when you get to the PDC, or just stop by Room 504/505. And guess what? It is all free; all you need to do is register.

Registration

You can pre-register for a 1-hour timeslot in the lab as outlined below. You can also register upon arrival at PDC09 by signing up at the reception station located in Room 504/505, or just stop by to talk about developing applications for Windows 7.

Getting Started

Logo Test - To help maximize your time in the lab at PDC, we are asking that you run the Logo test and submit the .xml result report to our team for review prior to the event. Our consultants will analyze your results and prepare a report to review with you on-site at PDC.

VeriSign & WinQual IDs – In order to submit your product for Windows 7 Logo, you will need to obtain both of these credentials. Once obtained, you will be able to work directly with a Microsoft consultant through the submission process while on-site at PDC. (More info here - https://winqual.microsoft.com/.)

Follow these simple steps to register and prepare for PDC 2009:

1. Email srglabs@microsoft.com with 3 timeslots in order of preference from those listed above.

2. Download the Logo toolkit from MS Connect and follow the instructions for testing.

3. Send the .xml result report generated by the Logo toolkit to srglabs@microsoft.com for analysis.

4. Sign up for VeriSign & WinQual IDs that will be required for Logo submission by visiting https://winqual.microsoft.com/.

Additional Resources

• For general questions contact srglabs@microsoft.com

• For questions and more details about the Windows 7 Logo Program visit MS Connect

This is a great opportunity to prepare your applications for Windows 7, but there is limited availability so be sure to register early to get your preferred time slot.

You can learn about Windows 7 using the Windows 7 Training Kit for Developers or by viewing Windows 7 videos on Channel 9

It has been a while since the last blog posting, Windows 7 RTM – Go Get It, and we have a lot of catching up to do.

The Windows 7 GA data is still October 22^nd, less than a month away, which means your application should be almost ready for Windows 7. As you prepare your applications for Window 7, be sure to verify that you don’t have any issues with version checking and UAC Data Redirection. This post topic, Session 0 Isolation, is another application compatibility topic that requires our special attention, especially if your applications include services. If your services are working on Windows Vista, most likely they will continue to work on Windows 7 (still you need to test your application fully on Windows 7). However, if you didn’t run the proper compatibility testing on Windows Vista, you might want to take few moments to read this post.

Let’s start with a better understanding of what services are.

What are services?

A service is an integral mechanism built into Microsoft Windows operating systems. You can think of services as “special applications” that run with no regard to the current user context. Services are different from “regular” user applications because you can configure a service to run from the time a system starts up (boots) until it shuts down, without requiring an active user to be present – that is, services can run without having any users logged on.

We like to think about services as running “tasks” for us in the background without interfering with user operations. Services on Windows are responsible for all kinds of background activity that do not involve the user, ranging from the Remote Procedure Call (RPC) service, through Printer Spoolers, to the Network Location Awareness service.

What’s the problem?

Some services may attempt to display user interface dialogs or communicate with user applications. Such functionality is “typical” of Windows XP services, mainly because it is easy to do so. If you happen to own a service that attempts to display some user interface objects, like a dialog box, or tries to communicate with applications you might run into trouble running on Windows 7.

When running a service that is trying to display a dialog box on Windows 7, instead of the desired dialog box, you will see an annoying flashing icon on the taskbar. And, if you press on that flashing icon, you will see a security dialog box. To be more specific, when running on Windows 7, your service may experiences one or more of the following symptoms. The service:

• Is running, but cannot do what it is supposed to do, and just eats CPU cycles and memory
• Is running, but other processes can't communicate with it and it cannot communicate with the user, or other applications / services
• Is trying to communicate with user applications through window messages, but the window messages are not reaching their destination
• Displays a flashing icon on the taskbar indicating the service wants to interact with the desktop

All the above symptoms point to the conclusion that your service is experiencing Session 0 Isolation of Windows 7 Services, that is, the “physical” separation between services and user applications, but more about that in just a bit. First, let’s define the two “buckets of issues” your services may experience when running on Windows 7:

• The service fails to display a UI or it displays a mitigation UI (or annoying flashing dialog box): When a service attempts to show any user interface element (even if it is allowed to interact with the desktop), a mitigation layer prompts the user with the Interactive services dialog detection dialog box, as shown in the next image. The user may opt in to see the service UI on the session 0 secure desktop, but the interruption in workflow makes this a serious application compatibility issue. Furthermore, some users may not react very well to a dialog that blocks your services / application from getting the user input and breaking the flow of the application.

• Objects shared by services and applications become invisible or inaccessible: When an object created by a service is accessed by a standard application (running with standard user privileges), the object cannot be found in the global namespace (that is, it is private to session 0). This means that other applications will not be able to access the so-called “shared object” from the global namespace, and most certainly, not directly from session 0. Additionally, security changes might warrant a situation where even if the object is visible, it is not accessible. This may affect other processes (such as standard user applications) from interacting with your service, again breaking the application flow.

Clearly, Session 0 Isolation has the potential of being a serious compatibility pain. Well, this post should provide you with enough information to identify if your service is at “risk” -- and how to solve the problem. However, I have to remind you that the main reason for isolating services from user application is making it harder for malicious software to run with elevated privileges, which enables them to do far more harm than running as standard user as explained in the following section, thus making Windows much more secure operating system. 

The Reason: Session 0 Isolation of Windows 7 Services

In Windows XP, Windows Server 2003, and earlier versions of the Windows operating system, services and applications run in the same session as the one started by the first user who logs onto the console. This session is called Session 0, and as shown in the following image, prior to Windows Vista, Session 0 included both services and standard user applications.

Image source: http://www.microsoft.com/whdc/system/vista/services.mspx

Running services and user applications together in Session 0 poses a security risk because services run with elevated privileges, while user applications run with user privileges (most of which are not admin).This makes the services targets for malicious agents that are looking for mechanisms to elevate their own privilege levels by “hijacking” the services.

Starting with Windows Vista, only services are hosted in Session 0. User applications are isolated from services, and run in subsequent sessions created when users log onto the system: Session 1 for the first logged on user, Session 2 for the second, and so on, as shown in the following image.

Image source: http://www.microsoft.com/whdc/system/vista/services.mspx

Entities (applications or services) running in different sessions cannot send each other messages, share UI elements, or share kernel objects without explicitly qualifying them to the global namespace and providing the appropriate access control settings. The following image illustrates this:

You can find additional valuable information about this in Impact of Session 0 Isolation on Services and Drivers in Windows Vista (http://www.microsoft.com/whdc/system/vista/services.mspx), an article that is equally applicable to Windows 7.

How can you detect whether your service might experience some of the above-mentioned problems?

So far, we have presented the symptoms associated with Session 0 isolation of Windows services, explained what service isolation is, and how it may affect your services and applications. Below are tests and other actions you can take in order to pinpoint your real problem and start resolving it.

Test #1 – Verifying service (or any other process) session assignment

1. Launch Process Explorer.
   1. To download or learn more about Process Explorer, see the Process Explorer Web site on Microsoft TechNet.
2. Ensure that Process Explorer displays all processes:
   1. Click File.
   2. Choose Show processes from all users.
3. Locate the first csrss.exe process, which is a service found under the System Idle Process (see next image), and inspect its properties:
   1. Right-click the process.
   2. Select Properties.
   3. Navigate to the Security tab.
   4. Note the session in which the service runs (typically Session 0) and its integrity level.
4. Locate the second csrss.exe process, found under the Wininit.exe (see next image), and inspect its properties as you did in step #3:

The following images show the process properties of both csrss.exe files - one runs under the medium integrity level (in Session 1) and the other runs under the system integrity level (in Session 0) – can you tell which one?:

The left image shows the process properties for the csrss.exe instance that runs at the high system integrity level (session 0), while the image on the right shows the process properties for the csrss.exe instance that runs with medium integrity level (session 1) of the current logged-in user (which is me).

If your service is running under Session 0 and under a high integrity level, it will be unable to display UI directly. It is also likely that you will experience problems when sharing kernel objects or files with the service.

Test #2 – Ensuring object accessibility

1. Launch Process Explorer.
2. Ensure that Process Explorer displays all processes:
   1. Click File.
   2. Choose Show processes from all users.
3. Locate the suspected service.
4. If the service contains objects that you know are shared with user applications, inspect their handles in the Handles lower pane (press CTRL+H to see it, or access it from the View menu).
   1. Right-click each suspected handle and select Properties.
   2. Switch to the Security tab to see the users and groups that are allowed to access the object referenced by this handle.

The following image shows an example of a shared object that everyone can access (for the “Synchronize” right) even though it is opened in a system service that runs in session 0

The following image displays an example of a shared object that only administrators and the SYSTEM group can access:

Now that you know what the problems could be, what about fixing them?

You've already done the hard part, knowing and understanding that you have a session 0 issue; solving these problems is easy.

Here are some ideas on how to solve the above mentioned problems:

• If a service needs to interact with the user by sending a message, use the WTSSendMessage function. It is almost identical in functionality to a MessageBox. This will provide an adequate and simple solution to services that do not require an elaborate UI, and is secure because the displayed message box cannot be used to take control of the underlying service.
• If your service requires a more elaborate UI, use the CreateProcessAsUser function to create a process in the requesting user’s desktop Note that you will still need to communicate between the newly created process and the original services, which is where the next bullet point kicks in.
• If two-way interaction is required, use Windows Communication Foundation (WCF), .NET remoting, named pipes, or any other interprocess communication (IPC) mechanism (excluding window messages) to communicate across sessions. The assumption is that because these technologies (most of them) integrate better security policies than the one used by basic Windows Messaging, they will provide the required elevation (if needed).
• Secure communication and other shared objects (for example, named pipe, file mapping), by using a Discretionary Access Control List (DACL) to tighten the set of users granted access to the mechanism. Use a System Access Control List (SACL) to ensure that medium- or low-integrity processes can access the mechanism even though a system- or high-integrity service created it.
• Ensure that kernel objects meant to be shared across sessions have names prefixed with the Global\ string, indicating that they belong in a session-global namespace.

Additional Resources

You can find more-detailed information about this topic in the Windows 7 Training Kit for Developers, including a detailed whitepaper and hands-on-lab. If you want, you can download just the Session 0 Isolation hands-on-lab directly.

Here is some basic information about the tools used in this post:

Process Explorer – a monitoring tool for Windows processes that is able to display process integrity levels and object security information.

• More information: http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx
• Download: http://download.sysinternals.com/Files/ProcessExplorer.zip

You can get much more information about this topic and others in Windows 7 topic page on channel 9.

For more Windows 7 Technical content and hands-on experience download the - Windows 7 Training Kit for Developers is also a great place to learn more about this topic

This is it people. Windows 7 RTM is available for download from MSDN & TechNet sites! If you have a MSDN subscription you can get Windows 7 RTM in English. On October 1st, the remaining languages will be released, for more information read - Windows 7 RTM Available Today for MSDN & TechNet Subscribers. You can also get the Windows 7 SDK  and the RTM version of the Windows API Code Pack for .NET Framework.

Make sure you get them all today to start testing your applications, and to make sure your applications are ready for Windows 7 RTM! Now is the time to work on your applications to make sure they are Windows 7 compatible. On top of that, you can use new Windows 7 features such as the Sensor and Location Platform, Taskbar, Libraries, Multi-Touch, the new Graphics APIs, the Windows Ribbon, and many other important and exciting Windows 7 technologies to make your application shine on Windows 7.

New Windows 7 Training Kit for Developers - Get it NOW!

To help you get your application on Windows 7 as soon as possible, we updated the Windows 7 Training Kit for Developers for the RTM version and gave it a new look and better functionality. You can still find all existing topics such as: Taskbar, Sensor and Location, Libraries and Shell, DirectX, Multi-touch, Ribbon, etc. No dev was left behind! The kit is built for both native Win32

C++ developers and .NET developers, so now most topics have multiple labs.We also added 6 new Application Compatibility labs: Version Checking, Data Redirection, UIPI, Installer Detection, Session 0 Isolation, and High DPI, to help you get over the most common application compatibility issues. All the topics in the training kit include additional information like whitepapers, links to MSDN, and links to videos from Channel 9.

 Updated Windows Topic Area on Channel 9

We also gave the Windows topic area on Channel 9 a brand new look and functionality to help you to better choose the right Windows 7 content you need. In the new Windows topic area for Channel 9, you can choose from three main topic areas:

• Using Windows 7 – Contains consumer- and user-related videos such as how to install Windows 7 and how to set up a home group network
• Programming Windows 7 – I don’t really need to explain what goes here, right?
• Last but not least, “Under the Hood” – Contains classics like the interview with Mark Russinovich on Windows 7 Internals.

While we hope you find all this helpful, this is only the start! We are working on more new and exciting content that will be shipped in the following weeks, so stay tuned.

In the meantime, here is some additional useful information:

• The Windows page on MSDN is the one-stop shop for Windows client developers
• At Develop for Windows 7, you can find all the information you need about specific technologies like Direct2D, Taskbar, Sensor and Location, Power Shell 2, Windows Ribbon, and many more
• Windows Application Compatibility is the one page you want to visit to make sure your application runs properly on Windows 7; it includes content and tools to test and fix many application compatibility issues. Directly accessible from that page, is the Windows 7 Application Quality Cookbook
• Also still very relevant, is the Windows Vista Application Compatibility Cookbook--most Windows 7 compatibility issues are the direct result of the changes introduced in the Windows Vista timeframe, and are included as topics in this Cookbook (UAC, Session 0 Service Isolation, IE Protected Mode, etc.), which is a great starting point for addressing these issues
• New Windows 7 videos on the Channel 9 Windows page explore specific features and technologies, and are great “windows” to the Windows engineering team
• As always, the E7 blog is an amazing source of the engineering back story behind Windows 7
• Last, but not least, for IT-Pro, we have our SPRINGBOARD SERIES, and edge on TechNet

And, of course, continue to watch for new posts.

To making sure your application is ready (compatible) for Windows 7, I am going to start providing additional information about the few compatibility topics we introduced in the “Is Your Application Ready for Windows 7 RTM?” post. This post focuses UAC Virtualization or more known as Data Redirection.

What Are You Talking About?

Today, many applications are still designed to write files to the Program Files, Windows directories, or system root (typically the C drive) folders. Some applications are designed to update Microsoft® Windows registry values, specifically values in HKLM/Software. But there is one problem: the files or registry values are not created or updated. You may ask, “What’s going on? My application goes through the code and does not report an error. So where are my files?”

To be specific, you may experience one or more of the following symptoms:

• Your application writes to Program Files, Windows directories, or the system root (typically the C drive) folders, but you can't find your files in these locations
• Your application writes to the Windows registry, specifically to HKLM/Software, but you can't see the registry updates
• You switch to another user account, and your application is unable to find files that were written to Program Files, Windows directories, or the system root (typically the C drive) folders, or it finds older versions of these files
• After turning User Account Control (UAC) on or off, your application is unable to find files in the Program Files or Windows directories

If this happens to your application, it is experiencing UAC Virtualization (AKA Data Redirection). The following information provides you with everything you need to know in order to detect this application compatibility problem, offers some solutions, and provides additional information about the specific nature of the compatibility problem.

The Real Issue: UAC Virtualization

Prior to Windows Vista, administrators typically ran applications. As a result, applications could freely read and write system files and registry keys. If standard users ran these applications, they would fail due to insufficient access. Windows Vista improved application compatibility for standard users by redirecting writes (and subsequent file or registry operations) to a per-user location within the user’s profile.

For example, if an application attempts to write to C:\Program Files\Contoso\Settings.ini, and the user does not have permissions to write to that directory (the Program Files), the write operation will be redirected to C:\Users\Username\AppData\Local\VirtualStore\Program Files\Contoso\settings.ini. If an application attempts to write to HKEY_LOCAL_MACHINE\Software\Contoso\ in the registry, it will automatically be redirected to HKEY_CURRENT_USER\Software\Classes\VirtualStore\MACHINE\Software\Contoso or HKEY_USERS\UserSID_Classes\VirtualStore\Machine\Software\Contoso.

The following figure illustrates the two components of the Windows Virtualization process: file virtualization and registry virtualization:

To learn more about UAC virtualization and new UAC technologies, see “New UAC Technologies for Windows Vista” at http://msdn.microsoft.com/en-us/library/bb756960.aspx.

Solution

Virtualization is intended only to assist in application compatibility with existing programs. New applications designed for Microsoft Windows 7 should NOT perform write operations to sensitive system areas, nor should they rely on virtualization to provide redress for incorrect application behavior. Always develop applications for use with standard user privileges and don’t count on the application running under administrator privileges. Test your application with standard user privileges and not administrator privileges.

If you are experiencing UAC virtualization with applications developed prior to Windows 7, re-design your applications to write files to the appropriate locations. When updating existing code to run on Windows 7, you should:

• Ensure that during run-time, applications store data only in per-user locations or in computer locations within %alluserprofile% that have properly set access control list (ACL) settings. For more information about ACLs, see Access Control Lists.
• Determine the known folder to which you want to write the data files. Generic data used by all users should be written to a global public location that is shared by all users. All other data should be written to a per-user location.
  • Generic data files can include, but are not limited to log files, settings files (INI/XML), saved state applications such as saved games, and so on
  • User documents are different; they should be saved to the Documents folder (or to a location the user specifies)
• Ensure that you do not hard-code paths once you have determined the appropriate locations. Instead, use one of the following programming models and APIs to retrieve the correct paths of specific Windows known folders:
  • C/C++ native applications: Use the SHGetKnownFolderPath function that retrieves the full path of a known folder identified by the folder's KNOWNFOLDERID, a GUID parameter indicating the known location you would like to obtain:
    • FOLDERID_ProgramData – Shared program data directory for all users
    • FOLDERID_LocalAppData – Per-user program data directory (non-roaming)
    • FOLDERID_RoamingAppData – Per-user program data directory (roaming)
  • Managed Code: Use the System.Environment.GetFolderPath function. GetFolderPath takes a parameter indicating the Known Location you would like to obtain
    • Environment.SpecialFolder.CommonApplicationData – Shared program data directory for all users
    • Environment.SpecialFolder.LocalApplicationData – Per-user program data directory (non-roaming)
    • Environment.SpecialFolder.ApplicationData – Per-user program data directory (roaming)
  • If none of the above-mentioned options are available, use the environment variable:
    • %ALLUSERSPROFILE% – Shared program data directory for all users
    • %LOCALAPPDATA% – Per-user program data directory (non-roaming) - Windows Vista or later
    • %APPDATA% – Per-user program data directory (roaming) - Windows Vista or later

Steps to Determine the Most Appropriate Solution

So far, we have presented the symptoms associated with UAC virtualization, explained why redirection is taking place, and suggested a solution. This section contains tests and procedures you should perform in order to pinpoint the real problem and plot a way to resolve it.

Test #1:

• Launch the application with standard user privileges
• Run through the scenario that results in a write operation to any given protected folder such as the Program Files or system root (C:\) directories
• Expected results: The application “succeeds” in writing the file to the protected folder; however, you can't find the file in the expected location
• Conclusion: This suggests that UAC data virtualization is redirecting the file to a different location

Test #2:

• Using Windows Explorer, search for your files in the VirtualStore folder
  • The VirtualStore folder is a folder in your profile which stores redirected files
  • The VirtualStore folder’s name and location are subject to change in later versions of Windows
• First, attempt to find it under %localappdata%\VirtualStore
• If you are unable to find it there, try issuing dir %userprofile%\yourfile.dat /s /a at a command line (usually found C:\Users\<user name>\AppData\Local\VirtualStore)
• Expected results: You should find your file at the virtual store folder or sub folders
• Conclusion: This is proof that UAC virtualization is taking place

Test #3

• Log in as an administrator and launch your application with administrator privileges.
  • To launch the application with administrator privileges, right-click the file executable and select Run as Administrator
  • When an application runs with administrator privileges, virtualization is turned off, and the application now has sufficient privileges to write to the protected folders
• Do not rely on permanently marking your application to require administrator privileges as a way to bypass virtualization, as doing so will leave the system more vulnerable to attack, will prevent the application from running with limited or standard user privileges, and will needlessly annoy users with a UAC prompt
• Expected results: The application succeeds in writing the file to the protected folder, and you can find the file at the expected location
• Conclusion: Running the application with administrator privileges turns off virtualization and grants privileges

Test #4

• Launch Process Monitor (ProcMon)
  • To learn more about Process Monitor, visit the Windows Sysinternals Process Monitor Web site on Microsoft TechNet
  • During the hands-on lab, we will walk you through a detailed step-by-step process to use Process Monitor
• Configure filtering to show only file operations and only those operations performed by your process
  • When you launch Process Monitor, the Process Monitor Filter dialog box appears
    
• Add the following entry to the filter: "Column=Process Name, Relation=is, Value=YourApp.exe, Action=Include"
• To invoke the Process Monitor Filter dialog box again, click this toolbar button
• After clicking OK, configure Process Monitor to log only file events by enabling the following toolbar buttons as shown:
• Press CTRL-X to clear the log; press CTRL-E to toggle logging on/off
• Expected results: You will see file operations whose results are REPARSE; the next line (with result SUCCESS) will usually be the redirected operation:

• Double-click the line representing the operation with REPARSE as the result and click the Stack tab to show the call stack at the time of the operation:

• The pink K and blue U letters on the left of each stack frame show whether the stack frame is in kernel mode (K) or in user mode (U);in this case, we are interested only in user-mode stack frames
• In this example, the SaveFile function (at frame 21) in BrokenAppNative.exe is the one performing the operation which will be redirected
• You should configure symbols for a more meaningful display' for more information about configuring symbols, refer to the Debugging Tools for Windows Web site
• Conclusion: This test proves that UAC Virtualization did take place and shows you what operations in your application need to be corrected

Task #5

• Add a manifest to your application which contains a UAC directive
  • This will mark your application as UAC-aware and will disable UAC virtualization
  • A manifest is an XML document that developers embed as a resource in a DLL or .exe file, but can be a standalone file named YourApp.exe.manifest or YourDLL.dll.manifest
  • Manifests can contain a variety of information that usually pertains to application compatibility, such as the exact version of Visual C++ runtime to load, the version of Common Controls Library to load, as well as UAC settings
  • Read more about UAC settings in the manifest in the Windows Vista Developer Story: Create and Embed an Application Manifest (UAC)
• Expected results: The application now fails to write to any of the protected folders, returning an “access denied” error
  • This is a GOOD result, because the UAC data virtualization didn’t kick into action
  • As the developer, you should be able to recognize this (because you marked the application as UAC-aware in the manifest) and avoid writing to any of the protected areas
• Conclusion: Windows enables virtualization because the application isn’t marked as UAC-aware. Marking your application as UAC-aware disables virtualization. If your app tries to write to protected store while marked as UAC-aware, you will get an access denied exception

Hands On Labs and Additional Material

you can download this doc, a presentation describing UAC Virtualization, and two full hands on labs on this topic, one for managed code and one for native, from here.

Tools

In order to detect UAC virtualization we use the following tools:

• Process Monitor, a free and advanced Microsoft tool that monitors and logs file system, registry, network, and process activity
  • To learn more about Process Monitor, see the Process Monitor page at the Windows Sysinternals Web site
  • Download Process Monitor from Microsoft TechNet
• Standard User Analyzer, part of the Microsoft Application Compatibility Toolkit, is a free tool that monitors resource (file, registry, and others) usage of a given application and reports activity that is responsible for Standard User problems
  • To learn more about Standard User Analyzer see “Standard User Analyzer” at Microsoft TechNet
  • To obtain Standard User Analyzer, download the Microsoft Application Compatibility Toolkit

Additional Resources

• Windows Vista Application Compatibility: UAC: Standard User Changes – http://msdn.microsoft.com/en-us/library/bb963893.aspx
• Common file and registry virtualization issues in Windows Vista – http://support.microsoft.com/kb/927387
• New UAC Technologies for Windows Vista – http://msdn.microsoft.com/en-us/library/bb756960.aspx
• Inside Windows Vista User Account Control – http://technet.microsoft.com/en-us/magazine/2007.06.uac.aspx