Wednesday, January 29, 2014

On Sessions, Windows and Desktops

In this post we will discuss the following entities and their relationships. It is a prerequisite read for the upcoming post on session 0 isolation. Please consult the diagram in Figure 1 as you read about the individual entities below:

                         Fig1: Entity Relationship Diagram


Of all the entities we will discuss, the first two to come into play are the process and the session. Once the Windows boot process reaches the invocation of the Session Manager Sub-System (SMSS), and after a little system initialization, processes are started under Session 0 and Session 1. Session 0 is where the wininit process (wininit.exe) is started, and Session 1 (or some other number higher than 0) is where the processes for getting the user on board are started. The most notable of the processes run in Session 1 is the Winlogon process (winlogon.exe).
Each user that logs on to the system gets a new session. For example, a logged-on user may be using Session 3; when another user logs on to the system using Remote Desktop, a new session is created for that user. Each session contains a Window Station, discussed below.
Session 0 is where all Windows services are started.

Process

Processes are containers of threads and other contextual information. Each process on a Windows system has a process ID that is unique throughout the system. Technically speaking, processes win the race of starting before sessions: the System Idle Process is also a process, it is started at the very beginning of system startup and does not belong to any session.
The part of the process that actually engages the processor and runs the instructions of application and system programs is called a ‘Thread’.
Relationship with other objects
·         A process can change the window station it is attached to.
·         A process cannot change its session once it has started, which is why services remain in Session 0.
·         Threads, which are the running components of a process, are associated with desktops.

Window Station

A Window Station is a container that holds the clipboard, the atom table and a group of desktop objects. Each window station belongs to exactly one session.
Window Stations are securable objects. A window station is associated with the process that creates it and is assigned to the current session. These are two distinct relationships: the Session is the parent of the Window Station, whereas the creating process is the employer of the Window Station.
Each Session can have multiple Window Stations, but the only window station that can interact with the user, i.e. display output and receive input, is the ‘Winsta0’ window station. For the interactive session on the machine, say ‘Session 3’, the window station named ‘Winsta0’ is the one that contains the desktop objects that interact with the user. Similarly, if another user establishes a Remote Desktop connection on ‘Session 4’ while the first user is interacting with the system, the only Window Station to interact with that user will be ‘Winsta0’ on Session 4. Both of the mentioned ‘Winsta0’ stations have the same name but are on two different sessions. This shows that the name of a window station is unique only within the containing Session. The user who is using the interactive window station is called the ‘interactive user’.
The session a window station belongs to cannot be changed.
Relationship with other objects
·         A window station contains the desktops.
·         A window station is associated with the process that creates it.
·         A window station belongs to a Session.

Desktop

A desktop is what the user actually sees on the screen. It is a logical display area; the actual display is handled by the graphics driver and related programs, but the logical desktop is what the window station deals with. There are four types of desktops:
o   Default Desktop: the one we work on; it is also referred to as the active desktop.
o   Logon Desktop: the desktop on which the user enters his credentials when interactively logging on to a machine. When we press ‘Windows key + L’ the Logon Desktop comes up.
o   Secure Screen Saver Desktop: when a screen saver is protected by a password it runs on the secure screen saver desktop. A screen saver which is not password protected runs on the default desktop.
o   Secure Desktop: used by the UAC prompt that asks you to approve an operation; it is a dimmed version of the interactive desktop’s background. It assures the user that no malicious application is asking for the information.
A desktop itself is a securable object and contains further user interface objects like menus, windows and hooks.
Applications usually cannot switch to another desktop, as the security descriptors of the desktops require higher privileged access, which user-land applications do not have.
Relationship with other objects
·         Desktops are contained within Window Stations.
·         Desktops are associated with processes through Window Stations.
·         Desktops are associated with threads.
·         A desktop belongs to a single Window Station and, through that Window Station, to a single Session.
·         A Window is a child object of the desktop; windows are contained in the desktop. For example, the UAC window is a child object of the secure desktop, although this can be changed and UAC prompts can be configured to be launched on the default desktop.
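The chain described in the Process, Window Station and Desktop sections above (process -> session, process -> window station, thread -> desktop, window station -> desktops) can be walked with documented Win32 calls. The script below is an added example, not part of the original post; it is meant to be run in an interactive PowerShell session on Windows, and the helper Get-UserObjectName is our own name, not a Win32 API.

```powershell
# Added example: inspect the session, window station and desktop of the current process.
# All externs are documented Win32 functions; UOI_FLAGS (1), UOI_NAME (2) and
# WSF_VISIBLE (0x1) are the constants from winuser.h.
Add-Type -Namespace Win32 -Name UserObj -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError=true)]
public static extern bool ProcessIdToSessionId(uint dwProcessId, out uint pSessionId);
[DllImport("kernel32.dll")] public static extern uint GetCurrentThreadId();
[DllImport("user32.dll", SetLastError=true)] public static extern IntPtr GetProcessWindowStation();
[DllImport("user32.dll", SetLastError=true)] public static extern IntPtr GetThreadDesktop(uint dwThreadId);
[DllImport("user32.dll", SetLastError=true, CharSet=CharSet.Unicode)]
public static extern bool GetUserObjectInformation(IntPtr hObj, int nIndex,
    System.Text.StringBuilder pvInfo, uint nLength, out uint lpnLengthNeeded);
[DllImport("user32.dll", SetLastError=true)]
public static extern bool GetUserObjectInformation(IntPtr hObj, int nIndex,
    byte[] pvInfo, uint nLength, out uint lpnLengthNeeded);
[UnmanagedFunctionPointer(CallingConvention.Winapi, CharSet=CharSet.Unicode)]
public delegate bool DesktopEnumProc(string lpszDesktop, IntPtr lParam);
[DllImport("user32.dll", SetLastError=true, CharSet=CharSet.Unicode)]
public static extern bool EnumDesktops(IntPtr hwinsta, DesktopEnumProc lpEnumFunc, IntPtr lParam);
'@

# Our helper (not a Win32 API): read the object name (UOI_NAME) of a window station or desktop handle.
function Get-UserObjectName([IntPtr]$Handle) {
    $sb = New-Object System.Text.StringBuilder 256
    $needed = [uint32]0
    # nLength is in bytes; 256 UTF-16 characters = 512 bytes
    if (-not [Win32.UserObj]::GetUserObjectInformation($Handle, 2, $sb, 512, [ref]$needed)) {
        throw "GetUserObjectInformation failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    $sb.ToString()
}

# Process -> Session: a process is bound to one session for its lifetime.
$sessionId = [uint32]0
[void][Win32.UserObj]::ProcessIdToSessionId($PID, [ref]$sessionId)

# Process -> Window Station, Thread -> Desktop.
$hWinSta  = [Win32.UserObj]::GetProcessWindowStation()
$hDesktop = [Win32.UserObj]::GetThreadDesktop([Win32.UserObj]::GetCurrentThreadId())

# UOI_FLAGS returns USEROBJECTFLAGS { BOOL fInherit; BOOL fReserved; DWORD dwFlags } (12 bytes).
# For a window station, WSF_VISIBLE in dwFlags marks the interactive station (Winsta0).
$flags = New-Object byte[] 12
$needed = [uint32]0
[void][Win32.UserObj]::GetUserObjectInformation($hWinSta, 1, $flags, 12, [ref]$needed)
$interactive = ([BitConverter]::ToUInt32($flags, 8) -band 1) -ne 0

"Process $PID runs in session $sessionId"
"Window station : $(Get-UserObjectName $hWinSta) (interactive: $interactive)"
"Thread desktop : $(Get-UserObjectName $hDesktop)"
"Desktops on this window station:"
$cb = [Win32.UserObj+DesktopEnumProc]{ param([string]$Name, [IntPtr]$lParam) Write-Host "  $Name"; $true }
[void][Win32.UserObj]::EnumDesktops($hWinSta, $cb, [IntPtr]::Zero)
```

Run it from a normal interactive console and it reports Winsta0 with interactive = True; run the same script as a service or scheduled task in Session 0 and the window station is a non-interactive one, which is the observation the upcoming session 0 isolation post builds on.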

Window

As stated in the last point above, a window is a child object of the desktop. On the same interactive desktop there can be multiple windows of different privilege levels.

About the Author: Saquib Farooq Malik is a senior Information Security Consultant at ITButler e-Services. Saquib specializes in Vulnerability Assessment and Penetration Testing and in implementations of ISO 27001 in different corporate environments in the Middle East.
He is a CISSP, an ITILv3 Foundation certified professional, an ISO 27001 Lead Auditor, a Tenable Certified Nessus Auditor and a Lumension Certified Engineer.
