Hello,
I noticed that an interactive service cannot run in vista any more. This issue
is good to security, but bad news for me using an interactive service.
My service is simple and needs only 2 functions - one is getting cursor
position and the other is setting cursor position. These 2 functions can be
implemented through one other user application after user logon. But before
user logon, how can I do this job
Thank you in advance.
Sweating Egg;;
How to get(set) cursor position in my service before logon?
talismax
Rizzlers
Hello, there.
Our software is like the Stardock Multiplicity.
If you have never seen it before, you can check what it is in this site.
http://www.stardock.com/products/multiplicitypro/
To share keyboard/mouse even before user logon, cursor positioin check
is needed. That's why I need getting/setting cursor position in service.
Thanks again.
Sweating Egg;;
moemen.ahmed
Please help me~~~
rwerner
Hello SucceedEgg,
How does your service communicate to your client application (if it does indeed do this) Does the service start when the computer starts Have you tried debugging your service to see whats going on Can you provide any detailed information on how your service is communicating with Windows / Client Application Does your application conform with the Session 0 Isolation mitigations provided here: http://msdn.microsoft.com/library/default.asp url=/library/en-us/dnlong/html/AppComp.asp
Thanks!
Matthew Braun
Adam Miles
Hello SucceedEgg,
I have been talking with some engineers internally and have gotten the same answer from everyone. As you know, in Vista Session 0 is isolated from the users sessions and desktop completely. This is a security feature that has been implimented to prevent backround services from hijacking the users space. The issue you are seeing is by design, the mitigation for it would be to have a client application running within the users session communicate with the service to get / set the users cursor position.
Thanks!
Matthew Braun
XpyXt
Hello, Matthew.
win32_userdesktop has 2 members - one is win32_useraccount and the other is win32_desktop. win32_useraccount and win32_desktop class do not have any member to indicate the current cursor position.
Thanks for your help~
Egg
Cammyr
Dear Matthew,
That's correct. I want to know how to check cursor position when there is no user session.
Dear Aaron,
As I mentioned early, almost all of our SW users are a single user for their computer. I think they don't need user switching. Though it would be good to support all sessions, now it is sufficient to support correct operation in Session 0(before logon) and 1(after logon) only.
Let me record your recommendation for future SW upgrade.
Thank you guys~ Merry Christmas~
Egg
Kallex
Hello Matthew.
I appreciate your kind support.
I think that in Session 0, the cursor position check API should be allowed for 3rd parties to use.
It's primitive and essential.
Egg
KatieV8563
I think what you'll have to do is to break this into multiple processes -- basically one for each desktop in each session. Before I get into the specifics, please be aware that your code has to be very carefully threat-modeled, designed and written in order not to create security risks on the machines your program is installed on. Two references that I highly recommend you absorb are The Security Development Lifecycle and Writing Secure Code, Second Edition. (An update to the latter will be released this Spring: Writing Secure Code for Windows Vista).
I believe it goes like this -- you'll need to test to verify the details here: For each session on the system, there is a winlogon desktop, on which user credentials are collected. When a user logs on to a session, that session gets a "default" desktop (where apps generally run) and a screen-saver desktop (where screen savers run when the password-protection option is enabled). To interact with the logged-on users' desktops, I would recommend that you start a process when the user logs on, using an appropriate autorun technique such as HKLM\...\Run. To interact with the winlogon desktop(s), you'll need a service running as LocalSystem. It will need to register for session change notifications (when the service calls SetServiceStatus, include the SERVICE_ACCEPT_SESSIONCHANGE flag). When the service handler receives a SERVICE_CONTROL_SESSIONCHANGE notification with an event type of WTS_CONSOLE_CONNECT or WTS_REMOTE_CONNECT for a new session, spawn a process that runs in that session and that runs on the winlogon desktop. (You'll need to duplicate your token, change the session ID in the duplicate, and start the new process with that updated token. Set the STARTUPINFO's lpDesktop to "winsta0\Winlogon".) That new process should now be able to get/set the mouse cursor on the logon screen of the new session. (I haven't tested on Vista, but on XP with multiple FUS sessions, there could be multiple winlogon desktops, one of which was attached to the console. I would not be surprised to see the same in Vista.)
Your service code should studiously avoid creating any windows (visible or not) or exposing any unsecured access points (such as named pipes), and it should very carefully validate any data that it receives. The binaries and configuration settings should not be writable by any non-administrator.
HTH
-- Aaron Margosis
http://blogs.msdn.com/aaron_margosis/archive/2005/04/18/TableOfContents.aspx
GR101
hdp203
Hello SucceedEgg,
I think what is happening is that you are attempting to access the cursor information from the Session 0 Desktop (which is not allowed) (I think this is what you mean by stating "not supporting interactive service"). I am not an expert at WMI by any means however I did find the following WMI class Win32_UserDesktop http://msdn.microsoft.com/library/default.asp url=/library/en-us/wmisdk/wmi/win32_userdesktop.asp which seems to be able to get desktop settings / information of a specific user. Can you give this a try to see what happens I will continue to research this.
Thanks!
Matthew Braun
SneakerXZ
> Did that work in previous OSes outside of session 0
No. I think most our customers may be a single user for their computer
and our SW fits to those kind of users.
I've never heard their complaint about bad working outside of sesstion 0.
Please help me~~
Sweating Egg
;;
p_shah
Hello, Mathew
> Does the service start when the computer starts
Yes. My service starts automatically when computer starts.
> How does your service communicate to your client application (if it does indeed do this)
My service can run stand-alone before user logon and after user logon, my service communicates with a client app using named event objects and a memory mapped file. I think that the communication is not problem and if that has a problem, I can solve it.
My service calls GetCursorInfo(for Win2K, GetCursorPos works, but for WinXP, GetCursorPos does not work) to check cursor position. But in Vista, the GetCursorInfo call in my service does not work at all. I think the reason may be from not supporting an interactive service in Vista. As I mentioned early, after user logs on, client app can call this API and inform my service of the result. But before user logs on, how to check cursor position
Even before user logs on explicitly, can an user application run
Thanks in advance.
Egg
Noah1212
Hello SucceedEgg,
Actually I think I misread your question, you are wanting to get the cursor position before the user has even logged in. Which means there is no user session. Let me look into this a bit further, this might take a while longer as most of the engineers are on holiday this next week. I will get back to you as soon as I have more information.
Thanks!
Matthew Braun