Communication between Windows Services and Applications in Windows Vista and higher

  • Article

Hello everyone,

If you are trying to migrate a Windows service that communicates with other applications via window messages to Windows Vista or higher (Vista, Server 2008 (+ R2), 7), or if you are implementing a new service, please remember: Windows Vista introduced a new concept called "Session 0 Isolation"!

Have a look at the following quote from the paper published here: https://msdn.microsoft.com/en-us/windows/hardware/gg463353

In Windows® XP, Windows Server® 2003, and earlier versions of the Windows operating system, all services run in the same session as the first user who logs on to the console. This session is called Session 0. Running services and user applications together in Session 0 poses a security risk because services run at elevated privilege and therefore are targets for malicious agents who are looking for a way to elevate their own privilege level.

In Windows Vista®, Windows Server 2008, and later versions of Windows, the operating system mitigates this security risk by isolating services in Session 0 and making Session 0 noninteractive. Only system processes and services run in Session 0. The first user logs on to Session 1, and subsequent users log on to subsequent sessions. This means that services never run in the same session as users’ applications and are therefore protected from attacks that originate in application code.

  

This has the following consequence:

A service tries to use window message functions such as SendMessage and PostMessage to communicate with an application. This does not work because the application is running in a different session and therefore has a different message queue. The messages never arrive at their destination. The same is true for applications that try to communicate with services through window messages.

 

Starting from Windows Vista, services are not able to communicate with applications via window messages anymore!

The paper also suggests alternatives to window messages:

Use a client/server mechanism such as remote procedure call (RPC) or named pipes rather than window messages to communicate with applications.

 

I hope this was useful to anyone. Many people are not aware of the session 0 isolation and don't expect this behavior.

Cheers,

Helge Mahrt