SucceedEgg

Hello,

I noticed that an interactive service cannot run in vista any more. This issue

is good to security, but bad news for me using an interactive service.

My service is simple and needs only 2 functions - one is getting cursor

position and the other is setting cursor position. These 2 functions can be

implemented through one other user application after user logon. But before

user logon, how can I do this job

Thank you in advance.

Sweating Egg;;



Re: Application Compatibility for Windows Vista How to get(set) cursor position in my service before logon?

Aaron Margosis - MSFT

You probably need a different approach. Let's start with the underlying requirements: Why do you need to get/set cursor position from a service



Re: Application Compatibility for Windows Vista How to get(set) cursor position in my service before logon?

SucceedEgg

Hello, there.

Our software is like the Stardock Multiplicity.

If you have never seen it before, you can check what it is in this site.

http://www.stardock.com/products/multiplicitypro/

 

To share keyboard/mouse even before user logon, cursor positioin check

is needed. That's why I need getting/setting cursor position in service.

 

Thanks again.

 

Sweating Egg;;

 





Re: Application Compatibility for Windows Vista How to get(set) cursor position in my service before logon?

Aaron Margosis - MSFT

Interesting. Did that work in previous OSes outside of session 0 E.g., WinXP with Fast User Switching (Log in, then Switch User and log in another user without logging out from the first session.)



Re: Application Compatibility for Windows Vista How to get(set) cursor position in my service before logon?

SucceedEgg

> Did that work in previous OSes outside of session 0

No. I think most our customers may be a single user for their computer

and our SW fits to those kind of users.

I've never heard their complaint about bad working outside of sesstion 0.

Please help me~~

Sweating Egg ;;





Re: Application Compatibility for Windows Vista How to get(set) cursor position in my service before logon?

SucceedEgg

Please help me~~~





Re: Application Compatibility for Windows Vista How to get(set) cursor position in my service before logon?

Matthew Braun - MSFT

Hello SucceedEgg,

How does your service communicate to your client application (if it does indeed do this) Does the service start when the computer starts Have you tried debugging your service to see whats going on Can you provide any detailed information on how your service is communicating with Windows / Client Application Does your application conform with the Session 0 Isolation mitigations provided here: http://msdn.microsoft.com/library/default.asp url=/library/en-us/dnlong/html/AppComp.asp

Thanks!

Matthew Braun






Re: Application Compatibility for Windows Vista How to get(set) cursor position in my service before logon?

SucceedEgg

Hello, Mathew

 

> Does the service start when the computer starts

Yes. My service starts automatically when computer starts.

 

> How does your service communicate to your client application (if it does indeed do this)

My service can run stand-alone before user logon and after user logon, my service communicates with a client app using named event objects and a memory mapped file. I think that the communication is not problem and if that has a problem, I can solve it.

 My service calls GetCursorInfo(for Win2K, GetCursorPos works, but for WinXP, GetCursorPos does not work) to check cursor position. But in Vista, the GetCursorInfo call in my service does not work at all. I think the reason may be from not supporting an interactive service in Vista. As I mentioned early, after user logs on, client app can call this API and inform my service of the result. But before user logs on, how to check cursor position

Even before user logs on explicitly, can an user application run

Thanks in advance.

Egg





Re: Application Compatibility for Windows Vista How to get(set) cursor position in my service before logon?

Matthew Braun - MSFT

Hello SucceedEgg,

I think what is happening is that you are attempting to access the cursor information from the Session 0 Desktop (which is not allowed) (I think this is what you mean by stating "not supporting interactive service"). I am not an expert at WMI by any means however I did find the following WMI class Win32_UserDesktop http://msdn.microsoft.com/library/default.asp url=/library/en-us/wmisdk/wmi/win32_userdesktop.asp which seems to be able to get desktop settings / information of a specific user. Can you give this a try to see what happens I will continue to research this.

Thanks!

Matthew Braun






Re: Application Compatibility for Windows Vista How to get(set) cursor position in my service before logon?

SucceedEgg

Hello, Matthew.

win32_userdesktop has 2 members - one is win32_useraccount and the other is win32_desktop. win32_useraccount and win32_desktop class do not have any member to indicate the current cursor position.

Thanks for your help~

Egg

 

 





Re: Application Compatibility for Windows Vista How to get(set) cursor position in my service before logon?

Matthew Braun - MSFT

Hello SucceedEgg,

I have been talking with some engineers internally and have gotten the same answer from everyone. As you know, in Vista Session 0 is isolated from the users sessions and desktop completely. This is a security feature that has been implimented to prevent backround services from hijacking the users space. The issue you are seeing is by design, the mitigation for it would be to have a client application running within the users session communicate with the service to get / set the users cursor position.

Thanks!

Matthew Braun






Re: Application Compatibility for Windows Vista How to get(set) cursor position in my service before logon?

SucceedEgg

Hello Matthew.

I appreciate your kind support.

I think that in Session 0, the cursor position check API should be allowed for 3rd parties to use.

It's primitive and essential.

Egg





Re: Application Compatibility for Windows Vista How to get(set) cursor position in my service before logon?

Matthew Braun - MSFT

Hello SucceedEgg,

Actually I think I misread your question, you are wanting to get the cursor position before the user has even logged in. Which means there is no user session. Let me look into this a bit further, this might take a while longer as most of the engineers are on holiday this next week. I will get back to you as soon as I have more information.

Thanks!

Matthew Braun






Re: Application Compatibility for Windows Vista How to get(set) cursor position in my service before logon?

Aaron Margosis - MSFT

I think what you'll have to do is to break this into multiple processes -- basically one for each desktop in each session. Before I get into the specifics, please be aware that your code has to be very carefully threat-modeled, designed and written in order not to create security risks on the machines your program is installed on. Two references that I highly recommend you absorb are The Security Development Lifecycle and Writing Secure Code, Second Edition. (An update to the latter will be released this Spring: Writing Secure Code for Windows Vista).

I believe it goes like this -- you'll need to test to verify the details here: For each session on the system, there is a winlogon desktop, on which user credentials are collected. When a user logs on to a session, that session gets a "default" desktop (where apps generally run) and a screen-saver desktop (where screen savers run when the password-protection option is enabled). To interact with the logged-on users' desktops, I would recommend that you start a process when the user logs on, using an appropriate autorun technique such as HKLM\...\Run. To interact with the winlogon desktop(s), you'll need a service running as LocalSystem. It will need to register for session change notifications (when the service calls SetServiceStatus, include the SERVICE_ACCEPT_SESSIONCHANGE flag). When the service handler receives a SERVICE_CONTROL_SESSIONCHANGE notification with an event type of WTS_CONSOLE_CONNECT or WTS_REMOTE_CONNECT for a new session, spawn a process that runs in that session and that runs on the winlogon desktop. (You'll need to duplicate your token, change the session ID in the duplicate, and start the new process with that updated token. Set the STARTUPINFO's lpDesktop to "winsta0\Winlogon".) That new process should now be able to get/set the mouse cursor on the logon screen of the new session. (I haven't tested on Vista, but on XP with multiple FUS sessions, there could be multiple winlogon desktops, one of which was attached to the console. I would not be surprised to see the same in Vista.)

Your service code should studiously avoid creating any windows (visible or not) or exposing any unsecured access points (such as named pipes), and it should very carefully validate any data that it receives. The binaries and configuration settings should not be writable by any non-administrator.

HTH

-- Aaron Margosis
http://blogs.msdn.com/aaron_margosis/archive/2005/04/18/TableOfContents.aspx





Re: Application Compatibility for Windows Vista How to get(set) cursor position in my service before logon?

SucceedEgg

Dear Matthew,

That's correct. I want to know how to check cursor position when there is no user session.

Dear Aaron,

As I mentioned early, almost all of our SW users are a single user for their computer. I think they don't need user switching. Though it would be good to support all sessions, now it is sufficient to support correct operation in Session 0(before logon) and 1(after logon) only.

Let me record your recommendation for future SW upgrade.

Thank you guys~ Merry Christmas~

Egg