A Desktop of Your Own


I have run into a few scenarios where people want to be able to block access to Windows Explorer so that they can do something such as update the system in a machine that is otherwise publicly facing. One possibility is to create a desktop all your own.

The underlying architecture of Windows allows for something that may provide for this. Every instance of the operating system contains a collection of Sessions. Services run in Session 0, and interactive users run in Sessions 1, 2, 3, etc. (This is on Windows Vista – on Windows XP and earlier, the first interactive login shared Session 0 with services.) Each session contains a collection of Window Stations. Only one of these, WinSta0, is given access to display output, keyboard, and mouse. (Consequently, I haven’t come up with any use in anything I have developed for the ability to create more.) Each Window Station contains a collection of Desktops.

You can already see multiple desktops just by using Windows. When you get to the login screen, that is a desktop. When your screen saver activates (assuming you are using a secure screen saver), that has its own desktop. When you are prompted with a UAC dialog in Windows Vista, by default that has its own desktop. And you can create more. You can use the CreateDesktop API to create a new one, and then the SetThreadDesktop and SwitchDesktop APIs to switch to it. Here is a very simple example:

 

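#include <windows.h>

int APIENTRY WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nShowCmd) {
  // Remember where we started: this thread's desktop and the desktop currently receiving input.
  HDESK hdeskOriginalThread = GetThreadDesktop(GetCurrentThreadId());
  HDESK hdeskOriginalInput = OpenInputDesktop(0, FALSE, DESKTOP_SWITCHDESKTOP);
  HDESK hdeskNewDesktop = CreateDesktop(TEXT("PrivateDesktop"), NULL, NULL, 0, GENERIC_ALL, NULL);
  if (hdeskOriginalInput == NULL || hdeskNewDesktop == NULL) {
    if (hdeskNewDesktop != NULL) CloseDesktop(hdeskNewDesktop);
    if (hdeskOriginalInput != NULL) CloseDesktop(hdeskOriginalInput);
    return 1;
  }
  // Attach this thread to the new desktop, then make that desktop the visible one.
  // The message box is shown only if both steps succeed, so it never blocks on a hidden desktop.
  if (SetThreadDesktop(hdeskNewDesktop) && SwitchDesktop(hdeskNewDesktop)) {
    MessageBox(NULL, TEXT("MessageBox on private desktop"), TEXT("Private Desktop"), MB_OK);
    SwitchDesktop(hdeskOriginalInput);
  }
  SetThreadDesktop(hdeskOriginalThread);
  CloseDesktop(hdeskNewDesktop);
  CloseDesktop(hdeskOriginalInput);  // handles from OpenInputDesktop must be closed by the caller
  return 0;
}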

 

This may immediately give you some ideas about kiosk applications. However, the desktop window manager (DWM) only runs on the primary desktop, so you won’t be able to use Glass on any additional desktops you create. (Incidentally, that’s also why UAC prompts are not rendered using glass.) So, if that’s a consideration, then you may want to think of other approaches. But for some edge case scenarios, it’s nice to know that you have this option available.
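For the update or kiosk scenario, the usual next step is to start a separate program on the new desktop rather than draw on it from the creating thread. The following is an added example, not code from the original post: it sets STARTUPINFO.lpDesktop to "WinSta0\PrivateDesktop", requests only the desktop rights it uses instead of GENERIC_ALL, and switches back when the child exits. The function names build_desktop_path and run_on_private_desktop and the notepad.exe command line are assumptions chosen for illustration.

```c
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* Build the "WindowStation\Desktop" string that STARTUPINFO.lpDesktop takes.
   Returns 0 on success, -1 if a name is empty, contains '\', or does not fit. */
int build_desktop_path(const char *winsta, const char *desk, char *out, size_t cap) {
    if (!winsta || !desk || !*winsta || !*desk) return -1;
    if (strchr(winsta, '\\') || strchr(desk, '\\')) return -1;
    int n = snprintf(out, cap, "%s\\%s", winsta, desk);
    return (n < 0 || (size_t)n >= cap) ? -1 : 0;
}

#ifdef _WIN32  /* the Win32 part only builds on Windows */
/* Create the desktop, start one child on it, show it until the child exits. */
int run_on_private_desktop(const char *desk, char *cmdline) {
    char path[MAX_PATH];
    int rc = -1;
    if (build_desktop_path("WinSta0", desk, path, sizeof path) != 0) return -1;
    HDESK hInput = OpenInputDesktop(0, FALSE, DESKTOP_SWITCHDESKTOP);
    /* Ask only for the rights used here instead of GENERIC_ALL. */
    HDESK hNew = CreateDesktopA(desk, NULL, NULL, 0,
                                DESKTOP_CREATEWINDOW | DESKTOP_SWITCHDESKTOP, NULL);
    STARTUPINFOA si = { sizeof si };
    PROCESS_INFORMATION pi;
    si.lpDesktop = path;  /* the child's windows are created on the new desktop */
    if (hInput && hNew &&
        CreateProcessA(NULL, cmdline, NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi)) {
        if (SwitchDesktop(hNew)) {
            WaitForSingleObject(pi.hProcess, INFINITE);
            SwitchDesktop(hInput);  /* always hand input back to the original desktop */
            rc = 0;
        } else {
            TerminateProcess(pi.hProcess, 1);  /* do not leave it on a hidden desktop */
        }
        CloseHandle(pi.hThread); CloseHandle(pi.hProcess);
    }
    if (hNew) CloseDesktop(hNew);
    if (hInput) CloseDesktop(hInput);
    return rc;
}

int main(void) {
    char cmd[] = "notepad.exe";  /* constructed sample command line */
    return run_on_private_desktop("PrivateDesktop", cmd) == 0 ? 0 : 1;
}
#endif
```

Passing NULL for the security attributes gives the desktop a default security descriptor, so other processes running with the same credentials can still open it by name.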

Comments (17)

  1. Mary says:

    Hi, Chris

    I run into a strange issue about desktop on Vista.

    If I create a 2nd desktop using CreateDesktop (with NULL for security attributes), and launch an IE using CreateProcess() on the 2nd desktop from default desktop, it will be created with medium integrity level and a pop up on the 2nd desktop mentioning that Admin rights is required w/o real IE displayed.

    However, launch an IE using CreateProcess() on default desktop directly is OK (and in low integrity level).

    Then I tried launching an IE using CreateProcess() on default desktop from 2nd desktop, it works fine with an IE with low integrity level on default desktop.

    So, how can I enable same behavior on 2nd desktop as the default one – IE can be launched in low integrity level w/o any issue?

    BTW, I am testing under admin user account. What are the changes about desktop, explorer on Vista?

    Thanks in advance!

    Mary

  2. Big_Dick says:

    Hi, Chris

    I run into a strange issue about desktop on Vista.

    I created an app running in 1st desktop, that launches an app in the 2nd desktop. The app in the second desktop launches 3 more apps (notepad, paint & calculator). When I switch to the second desktop, the Aero feature of Vista is missing in the second Desktop. I wanted to know why is it so, is it a limitation on part of Vista or is it by design or am I missing something…

    Thanks in advance!

    Manoj

  3. cjacks says:

    Hi Manoj,

    Yes, that is by design. As I mentioned, "the desktop window manager (DWM) only runs on the primary desktop, so you won’t be able to use Glass on any additional desktops you create." So, any desktop other than the default desktop does not get glass.

  4. Big_Dick says:

    Hi, Chris

    Thanks for your response, but I still have some problem.

    My manager here, does not seem contented with the reply. Can you help me point to some articles/resources by Microsoft, which says that

    "the desktop window manager (DWM) only runs on the primary desktop, so you won’t be able to use Glass on any additional desktops you create."

    As of me, I am satisfied with your reply, but what to do with my manager???

    Please help me…

    Thanks in advance!

    Manoj

  5. cjacks says:

    Well, when I first discovered that limitation, I just shot an email to the team. One of the developers on the team is the person who verified this for me. I don’t know if this is documented in the SDK or not, since creating additional desktops is relatively rare.

  6. For some reason, the idea of multiple desktops was bubbling around in my head this morning and I suddenly…

  7. RichardRudek says:

    You wouldn’t happen to know whether it’s possible to create a desktop which is displayed on a separate monitor, would you ?

    The problem I’m trying to workaround is that some display cards (eg nVidia Quadro and other dual head cards) do not support the independent display feature, which you would normally do by using CreateDC("\DISPLAY.."). These display cards return an 1801 error (Printer name is invalid). So I’m trying to find other ways using windows to emulate the Independent Display behaviour. Hopefully I won’t need to try resorting to directly calling the display/video drivers, like Windows does. In other words, the secondary display cannot be part of the normal Windows desktop, accessible by anything else but my program(s).

  8. cjacks says:

    Richard, that is not something I have experimented with, so unfortunately I don’t have a lot of information to help you here. I don’t see any way to specify the device; there is an lpszDevice argument, but it is reserved and must be NULL.

    If you want to secure access to your desktop, you can provide a security descriptor in an argument to CreateDesktop(Ex), but it’s going to be difficult to keep processes from calling EnumDesktops and then calling OpenDesktop if other processes are running with the same credentials as yours are (unless you get creative).

  9. Alex Khristov says:

    Hey Chris,

    Do you know if there are any plans on making DWM support multiple desktops in future releases of Windows?  Thanks.  :-)

    Alex.

  10. cjacks says:

    I am not aware of any plans, but we are still fairly early on in the planning process. If you have a scenario or scenarios (the more details, the better – including the name of your org helps as well) feel free to send them to me via the email me link, and I will make sure that feedback gets into consideration for future releases.

  11. Projections says:

    I’ve been exploring using multiple desktops in Windows and found some great resources online: Chris Jackson

  12. I've been exploring using multiple desktops in Windows and found some great resources online: Chris

  13. nbaskar1983 says:

    I created a new desktop using the CreateDesktop API, then I moved to that desktop using the SwitchDesktop API.

    Here I am not able to access Flip 3D (Windows key+Tab). What is the solution, Chris?

  14. cjacks says:

    Hi nbaskar1983,

    Above, I reference the lack of DWM in additional desktops: "However, the desktop window manager (DWM) only runs on the primary desktop, so you won’t be able to use Glass on any additional desktops you create."

    Unfortunately, Flip 3D is implemented by the DWM, so that’s gone also.

    Thanks,

    Chris

  15. nbaskar1983 says:

    Thanks for the reply, Chris.

    Any other solution for this.

  16. cjacks says:

    nbaskar1983-

    Erm … don’t switch to a separate desktop? Architecturally, the only desktop where the DWM operates (today – not sure if/when this will change) is the default desktop.

    Thanks,

    Chris

  17. As I am focusing more and more on Windows 7, I find that blogging now begins with web searching, to make