Inside Session 0 Isolation and the UI Detection Service – Part 1

One of the many exciting changes in Windows Vista’s service security hardening mechanisms (which have been aptly explained and documented in multiple blogs and whitepapers, so I’ll refrain from rehashing old material) is Session 0 Isolation. I thought it would be useful to talk about this change and describe the behaviour and implementation of the UI Detection Service (UI0Detect), an important part of the infrastructure in terms of providing compatible behaviour with earlier versions of Windows.

As a brief refresher or introduction to Session 0 Isolation, let’s remember how services used to work on previous versions of Windows: you could run them under various accounts (the most common being System, Local Service and Network Service), and they ran in the same session as the console user, who was logged on to session 0 as well. Services were not supposed to display GUIs, but, if they really had to, they could be marked as interactive, meaning that they could display windows on the interactive window station for session 0.

Windows implemented this by allowing such services to connect to the Winsta0 Windowstation, which is the default interactive Windowstation for the current session — unlike non-interactive services, which belonged to a special “Service-0x0-xxx$” Windowstation, where xxx was a logon session identifier (you can look at the WDK header ntifs.h for a list of the built-in account identifiers (LUIDs)). You can see the existence of these windowstations by enumerating them in the object manager namespace with a tool such as Sysinternals’ WinObj.

[Figure: winobj]

Essentially, this meant three things: applications could mount denial-of-service attacks against named objects that the service would expect to own and create; they could feed malicious data to objects such as sections which were incorrectly secured or trusted by the service; and, for interactive services, they could also attempt shatter attacks — sending window messages with executable payloads in their buffer, exploiting service bugs and causing the payload code to execute at higher privileges.

Session 0 Isolation puts an end to all that, by first having a separate session for the console user (any user session starts at 1, thus protecting named objects), and second, by disabling support for interactive services — that is, even though services may still display a UI, it won’t appear on any user’s desktop (instead, it will appear on the default desktop of the session 0 interactive windowstation).

That’s all fine and dandy for protecting the objects, but what if the service hasn’t been recompiled not to directly show a UI (but to instead use a secondary process started with CreateProcessAsUser, or to use the WTSSendMessage API) and depends on user input before continuing? Having a dialog box on the session 0 desktop without the user’s awareness would potentially have significant application compatibility issues — this is where the UI Detection Service comes into play.

If you’re like most Vista users, you’ve actually probably never seen the default desktop on session 0’s interactive windowstation in your life (or in simpler words, never “logged on” to or “switched to” session 0)! Since you can’t log on to it, and since interactive services which display UIs are thankfully rare, it remains a hidden mystery of Windows Vista, unless you’ve encountered such a service. So let’s follow Alice down the rabbit hole into session 0 wonderland, with some simple Service Controller (Sc.exe) commands to create our very own interactive service.

Using an elevated command prompt, create a service called RabbitHole with the following command:

sc create RabbitHole binpath= %SYSTEMROOT%\system32\notepad.exe type= interact type= own

Be careful to get the right spaces — there’s a space after each equal sign! You should expect to get a warning from Sc.exe, notifying you of changes in Windows Vista and later (the ones I’ve just described).

Now let’s start the service, and see what happens:

sc start RabbitHole

If all went well, Sc.exe should appear as if it’s waiting on the command to complete, and a new window should appear on your taskbar (it does not appear in the foreground). That window is a notification from the UI Detection Service, the main protagonist of this story.

[Figure: session0detect]

Get ready to click on “Show me the Message” as soon as you can! Starting an essentially fake service through Sc.exe will eventually annoy the Service Control Manager (SCM), causing it to kill Notepad behind your back (don’t worry if this happens, just use the sc start RabbitHole command again).

You should now be in Session 0 (and probably unable to read the continuation of this blog, in which case the author hopes you’ve been able to find your way back!). As you’ll notice, Session 0 is a rather deserted place, due to the lack of any sort of shell or even the Theme service, creating a Windows 2000-like look that may bring back tears of joy (or agony) to the more nostalgic of users.

[Figure: Session0]

On the other hand, this desolate session does contain our Notepad, which you should’ve seen disappear if you stayed long enough — that would be the SCM reaching its timeout of how long it’s willing to wait around hoping for Notepad to send a “service start” message back (which it never will).

Note that you can’t start just any program you want on Session 0 — Cmd.exe and Explorer.exe are examples of programs that, for one reason or another, refuse to be loaded this way. However, if you’re quick enough, you can use an old trick common to getting around early ’90s “sandbox” security applications found in many libraries and elementary schools — use the common dialog control (from File, Open) to browse executable files (switch the file type to *.*, All Files), go to the System32 folder, right-click on Explorer.exe, and select Open. Notepad will now spawn the shell, and even if the SCM kills Notepad, the shell will remain active — feel free to browse around (but try not to browse around in IE too much: you are running with System privileges!)

That’s it for this introduction to this series. In part 2, we’ll look at what makes this service tick, and in part 3, we’ll look at a technique for spoofing the dialog to lie to the user about which service is actually requesting input. For now, let’s delete the RabbitHole, unless you want to keep it around for impressing your colleagues:

sc delete RabbitHole
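As an added example (not code from the original post), here is a small defender-side audit helper that parses `sc qc` output and reports services whose TYPE carries the SERVICE_INTERACTIVE_PROCESS bit (0x100), the bit that `type= interact` sets and that determines whether a service’s UI ends up on the session 0 desktop behind UI0Detect. The sample output is constructed to mirror the RabbitHole service created above, and the field layout assumed is the one Sc.exe prints (TYPE shown in hex).

```python
import re

# Service type bits from the Win32 service API (winnt.h / winsvc.h).
SERVICE_WIN32_OWN_PROCESS = 0x10
SERVICE_WIN32_SHARE_PROCESS = 0x20
SERVICE_INTERACTIVE_PROCESS = 0x100  # set by "sc create ... type= interact"

# Constructed sample of `sc qc` output for two services, laid out the way
# Sc.exe prints it (TYPE is hex). RabbitHole mirrors the service created above.
SAMPLE_SC_QC = r"""
SERVICE_NAME: RabbitHole
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        START_TYPE         : 3   DEMAND_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Windows\system32\notepad.exe
SERVICE_NAME: Themes
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Windows\System32\svchost.exe -k netsvcs
"""


def parse_sc_qc(text):
    """Map service name -> {"type": int, "binary": str} from sc qc output."""
    services, name = {}, None
    for line in text.splitlines():
        m = re.match(r"SERVICE_NAME:\s*(\S+)", line)
        if m:
            name = m.group(1)
            services[name] = {}
            continue
        m = re.match(r"\s*TYPE\s*:\s*([0-9A-Fa-f]+)", line)
        if m and name:
            services[name]["type"] = int(m.group(1), 16)  # hex, as printed
            continue
        m = re.match(r"\s*BINARY_PATH_NAME\s*:\s*(.*)", line)
        if m and name:
            services[name]["binary"] = m.group(1).strip()
    return services


def interactive_services(text):
    """Name -> binary for services flagged interactive: on Vista and later their
    UI lands on the session 0 desktop and is surfaced to the user by UI0Detect."""
    return {n: s.get("binary", "") for n, s in parse_sc_qc(text).items()
            if s.get("type", 0) & SERVICE_INTERACTIVE_PROCESS}
```

On a live system, feed it the concatenated output of `sc qc <name>` for each service from `sc query`; any hit is a service that still relies on the pre-Vista interactive model described above.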

15 Responses to “Inside Session 0 Isolation and the UI Detection Service – Part 1”

  1. kobyk says:

    Very nice post, Alex.

    It’d be interesting to go into the specifics of UI0Detect’s implementation. How does it learn of new windows appearing in Session 0’s WinSta0? Does it enumerate windows in the session every polling interval? Perhaps it uses SetWindowsHookEx with WH_CBT and monitors HCBT_CREATEWND events, or uses a similar API to receive notifications as windows are created there. How does the switching of sessions from the user session to the service session work? (presumably WTSConnectSession of the console session to session 0) and so forth.

  2. aionescu says:

    Thanks kobyk,

    We’re going to learn all about those specifics in Part 2, so let’s not spoil the audience! I’ll look forward to your comments.

    Best regards,
    Alex Ionescu

  3. ganesh says:

    Great post Alex, I am looking forward to learning about Session 0 internals in your next post.

  4. [...] Alex Ionescu’s article talked about this command-line application used to create, start and delete services. Even [...]


  6. yuhong says:

    “However, if you’re quick enough, you can use an old trick common to getting around early 90ies “sandbox” security applications found in many libraries and elementary schools — use the common dialog control (from File, Open) to browse executable files (switch the file type to *.*, All Files), go to the System32 folder, right-click on Explorer.exe, and select Open.”
    If this was an Office app, you could open VBA, and then type in the Immediate window, ‘Shell “explorer.exe”‘, to do the same thing.

  7. [...] Alex Ionescu article talks about this command line application used to create, initiate and remove services. Even not [...]

  9. GuyL says:

    Great article!

    I’ve used an interactive service for many years to give me a cmd prompt, running as System, so that I can kill stuck processes, e.g. hung services, etc without having to reboot. I’ve done this with srvany.exe from one of the MS Resource Kits and you then just set a couple of registry parameters to tell it what to execute (cmd.exe) and an optional value for arguments (such as a script to set your environment, window title & colour and echo a warning that you are running as a very privileged user). Srvany communicates correctly with the SCM, such as flagging that it has started, so it won’t die as easily as say using cmd.exe directly. This still works with Vista which is useful, albeit on the “secure desktop”.

    Some people cry that it is a security liability but you have to be an administrator by default to start the service and you can further secure it using subinacl.exe if required. In fact, on my own laptop, I used subinacl the other way round to grant the user I use on Vista, which is a non-administrator for added protection, the rights to control my srvany based service.

  10. [...] how this all works, even under Windows XP: - Inside Session 0 Isolation and the UI Detection Service – Part 1 - Inside Session 0 Isolation and the UI [...]

  11. phinugget says:

    I have been trying to solve this problem I have with a Java server application made to run as a service. The service is installed and started, the application works fine, just that it has to display a message in some cases. On Vista the Interactive Services Dialog Detection message does not pop up. Instead, when I start the RabbitHole service, and I go to the session 0 desktop, I can see there along with Notepad my application’s message too.
    Is there a reason my application’s message box is not detected and I am unable to go to session 0 desktop and actually see it?

    Thanks for the help!

  12. phinugget says:

    Sorry, I forgot to mention that I have configured the service as interactive. I know that it is working because on XP the message is displayed just fine.

  13. Auto says:

    Hello,

    Thanks for your articles about Session 0 Isolation.
    I have a question.

    Doing the following, we can switch to Session 0 if the UI0Detect.exe service is running:

    rundll32 winsta.dll,WinStationSwitchToServicesSession

    Then I saw that if you don’t do anything there, after a timeout (it seems 1 minute) you will be forced out to the logon screen.

    Is there a way to tweak this timeout, or better, to avoid it?

    Thanks.

    Auto.
