Windows Internals covering Windows Server 2008 and Windows Vista - P7

Document information:

Windows Internals covering Windows Server 2008 and Windows Vista - P7: In this chapter, we’ll introduce the key Microsoft Windows operating system concepts and terms we’ll be using throughout this book, such as the Windows API, processes, threads, virtual memory, kernel mode and user mode, objects, handles, security, and the registry.
Content extracted from the document:
In rare cases, a service can have a valid reason to interact with the user via dialog boxes or windows. To configure a service with the right to interact with the user, the SERVICE_INTERACTIVE_PROCESS modifier must be present in the service’s registry key’s Type parameter. (Note that services configured to run under a user account can’t be marked as interactive.) When the SCM starts a service marked as interactive, it launches the service’s process in the local system account’s security context but connects the service with WinSta0 instead of the noninteractive service window station. On versions of Windows prior to Windows Vista, this connection to WinSta0 allowed the service to display dialog boxes and windows on the console and allowed those windows to respond to user input because the processes used by the console user run in session 0 and therefore share the window station with the interactive services.

However, in Windows Vista and Windows Server 2008, only processes owned by the system and Windows services run in session 0; all other logon sessions, including those of console users, run in different sessions. Any window displayed by processes in session 0 is therefore not visible to the user. This change was made to prevent “shatter attacks,” whereby a less privileged application sends window messages to a window visible on the same window station to exploit a bug in a more privileged process that owns the window, which permits it to execute code in the more privileged process. To remain compatible with services that depend on user input, Windows includes a service that notifies users when a service has displayed a window.
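An added example, not from the book: a PowerShell audit that lists services whose registry Type value carries the SERVICE_INTERACTIVE_PROCESS modifier described above, so they can be reviewed and moved to a nonprivileged helper design. The function names are hypothetical, and the flag values and the Services key path are the documented Windows ones rather than values given on this page.

```powershell
# Added example: find services configured as interactive (Type has SERVICE_INTERACTIVE_PROCESS).
# Flag values are the documented Windows service-type constants (not stated on this page).
$SERVICE_WIN32_OWN_PROCESS   = 0x10
$SERVICE_WIN32_SHARE_PROCESS = 0x20
$SERVICE_INTERACTIVE_PROCESS = 0x100

function Test-InteractiveType {
    # Hypothetical helper: true when a Type DWORD describes an interactive Win32 service.
    param([int]$Type)
    # The modifier only applies to Win32 services, so ignore driver entries.
    $win32Mask = $SERVICE_WIN32_OWN_PROCESS -bor $SERVICE_WIN32_SHARE_PROCESS
    $isWin32   = ($Type -band $win32Mask) -ne 0
    return ($isWin32 -and (($Type -band $SERVICE_INTERACTIVE_PROCESS) -ne 0))
}

function Get-InteractiveService {
    # Hypothetical helper: walk every service key and report the interactive ones.
    param([string]$Root = 'HKLM:\SYSTEM\CurrentControlSet\Services')

    Get-ChildItem -Path $Root -ErrorAction SilentlyContinue | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        # Some subkeys have no Type value at all; skip them.
        if ($null -ne $p -and $null -ne $p.Type -and (Test-InteractiveType -Type $p.Type)) {
            [pscustomobject]@{
                Service   = $_.PSChildName
                Type      = '0x{0:X}' -f $p.Type
                # Interactive services run as local system; anything else is a misconfiguration.
                Account   = $p.ObjectName
                ImagePath = $p.ImagePath
            }
        }
    }
}

# Print the review list, one row per interactive service.
Get-InteractiveService | Sort-Object Service | Format-Table -AutoSize -Wrap
```

Each row is a service that can still put a window on the session 0 desktop, which is the surface the session 0 isolation change is meant to keep away from user processes.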
The Interactive Services Detection (UI0Detect) service looks for visible windows on the main desktop of the WinSta0 window station of session 0 and displays a notification dialog box on the console user’s desktop, allowing the user to switch to session 0 and view the service’s UI (this is akin to connecting to a local Terminal Services session or switching users).

Note: The Interactive Services Detection mechanism is purely for application compatibility, and developers are strongly recommended to move away from interactive services and use a secondary, nonprivileged helper application to communicate visually with the user. Local RPC or COM can be used between this helper application and the service for configuration purposes after UI input has been received.

The dialog box, an example of which is shown in Figure 4-11, includes the process name, the time when the UI message was displayed, and the title of the window being displayed. Once the user connects to session 0, a similar dialog box provides a portal back to the user’s session. In the figure, the service displaying a window is Microsoft Paint, which was explicitly started by the Sysinternals PsExec utility with options that caused PsExec to run Paint in session 0. You can try this yourself with the following command:

    psexec -s -i 0 -d mspaint.exe

This tells PsExec to run Microsoft Paint as a system process (-s) running on session 0 (-i 0), and to return immediately instead of waiting for the process to finish (-d).

If you click Show Me The Message, you can switch to the console for session 0 (and switch back again with a similar window on the console).

4.2.2 The Service Control Manager

The SCM’s executable file is %SystemRoot%\System32\Services.exe, and like most service processes, it runs as a Windows console program. The Wininit process starts the SCM early during the system boot.
(Refer to Chapter 13 for details on the boot process.) The SCM’s startup function, SvcCtrlMain, orchestrates the launching of services that are configured for automatic startup. SvcCtrlMain first creates a synchronization event named SvcctrlStartEvent_A3752DX that it initializes as nonsignaled. Only after the SCM completes steps necessary to prepare it to receive commands from SCPs does the SCM set the ...