In 2006, Microsoft released the Windows Vista operating system and incorporated several new security features. One significant change was called “Session 0 Isolation” and continues to form a part of the services enhancements first introduced in Windows Vista and supported in later versions of Windows. In this article we will focus on what sessions are and how they work.
Windows services are applications that usually handle low-level tasks and operate quietly in the background. Services for networking, hardware and remote access are essential for Windows to function properly. In addition, several third-party applications, such as firewalls and antivirus products, also run partially or fully as services. For example, developers can use services to create executable applications that:
Services are suitable in scenarios where long-running functionality is needed that does not interrupt the day-to-day workflow of users working on the computer. However, these same features make services an attractive target for virus writers: services usually run under a high-privilege account, usually start when the system boots, and stop only when the operating system shuts down.
Each user that logs on to Windows is placed in a separate session. During start-up, Session 0 is created, and additional sessions are created as needed. Services are always run in Session 0. However, in Windows XP and earlier versions of Windows, Session 0 can also run user applications. With Fast User Switching enabled in Windows XP, Session 0 is assigned to the first logged-on user together with any applications that the user runs in that session. The second user is assigned to Session 1 and so on.
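To make the session split described above visible on a live machine, the following PowerShell script (an added example, not code from the original article) maps every running process to its Windows session and marks the processes that the Service Control Manager reports as hosting services. It assumes a Windows host with PowerShell 5.1 or later and access to the standard Win32_Process and Win32_Service CIM classes; the function and variable names are the example's own.

```powershell
# Added example (not part of the original article): map running processes to
# their Windows session so the Session 0 / user-session split is visible.
# Assumes Windows with PowerShell 5.1+ and CIM access to Win32_Process and
# Win32_Service (both standard WMI classes).

function Get-SessionProcessMap {
    # ProcessId -> names of the services hosted in that process (svchost hosts several)
    $servicesByPid = @{}
    foreach ($svc in Get-CimInstance -ClassName Win32_Service -Filter "State='Running'") {
        if ($svc.ProcessId -gt 0) {
            $key = [uint32]$svc.ProcessId
            if (-not $servicesByPid.ContainsKey($key)) { $servicesByPid[$key] = @() }
            $servicesByPid[$key] += $svc.Name
        }
    }

    Get-CimInstance -ClassName Win32_Process |
        ForEach-Object {
            [pscustomobject]@{
                SessionId = $_.SessionId
                ProcessId = $_.ProcessId
                Name      = $_.Name
                # Services the SCM says live in this process; empty for plain user applications
                Services  = ($servicesByPid[[uint32]$_.ProcessId] -join ',')
            }
        } |
        Sort-Object SessionId, Name
}

function Test-InSessionZero {
    # True when this PowerShell process itself runs in Session 0, which is where a
    # job started by the scheduler while no user is logged on ends up.
    return ([System.Diagnostics.Process]::GetCurrentProcess().SessionId -eq 0)
}

# Summary: per session, how many processes exist and how many of them host services.
# On Vista and later, expect every service-hosting process to appear under Session 0.
Get-SessionProcessMap |
    Group-Object SessionId |
    ForEach-Object {
        $hosting = @($_.Group | Where-Object { $_.Services }).Count
        "Session {0}: {1} processes, {2} hosting services" -f $_.Name, $_.Count, $hosting
    }

# Detail view: any service-hosting process outside Session 0 deserves a closer look,
# since the SCM starts services only in Session 0 on Vista and later.
Get-SessionProcessMap |
    Where-Object { $_.Services -and $_.SessionId -ne 0 } |
    Format-Table SessionId, ProcessId, Name, Services -AutoSize

"This PowerShell process is in Session 0: $(Test-InSessionZero)"
```

Run from an interactive console the script reports its own session as 1 or higher; run the same script as a scheduled task configured to run whether the user is logged on or not, and Test-InSessionZero returns True, which is exactly the situation the rest of this article is about.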
There are several security issues that arise when running both services and user applications in the same session. For example, a virus running as an ordinary user application in Session 0, without ever installing itself as a service, shares that session with services running under high-privilege accounts and could wreak havoc on the user’s system from there.
Starting from Windows Vista, Microsoft introduced two important changes in Session 0 to alleviate these issues:
With the changes to how sessions interact with services and service-hosted drivers, we will now turn to review potential implications that may affect applications and drivers.
Some drivers will be affected by the Session 0 changes if they are loaded within services or processes running in Session 0. Some driver classes affected include:
Application classes affected by this feature include any service or service-hosted driver that assumes the user is running in Session 0; these will not work correctly in Windows Vista or later versions of Windows. Some affected application classes include:
An example of this change affecting an application on Windows Vista or later is the backup and synchronization programs SyncBackFree, SyncBackSE and SyncBackPro developed by 2BrightSparks. These programs have a setting to automatically close live applications that are still running before the backup job starts. However, this auto-close setting will not work for scheduled profiles while the user is logged off from the computer. This is because processes started by the scheduler run in Session 0 and have no access to the desktop or application processes, which live in the logged-on user sessions (Session 1 or higher). One workaround is to change the scheduler settings so the task runs only if the user is logged on. The drawback of that setting is that scheduled jobs will not run when the user is not logged on, so the backup profile will not run when you want it to while you are logged off (for example, an overnight backup).
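The workaround above is a Task Scheduler setting, and it can be audited and applied from PowerShell. The script below is an added example, not code from the original article or from 2BrightSparks: it lists the scheduled tasks that will start in Session 0 (those set to run whether the user is logged on or not) and shows the two principal variants side by side for a hypothetical backup task. It assumes Windows 8 / Windows Server 2012 or later (the ScheduledTasks module); the task names, the executable path and the function name are placeholders.

```powershell
# Added example (not part of the original article or of 2BrightSparks' products).
# Find scheduled tasks that will start in Session 0 and show the principal setting
# that implements the "run only when user is logged on" workaround.
# Assumes the ScheduledTasks module (Windows 8 / Server 2012 and later).

function Get-NonInteractiveTasks {
    # Task Scheduler logon types:
    #   Interactive   = run only when the user is logged on (task gets the user's desktop)
    #   Password, S4U = run whether the user is logged on or not (task starts in Session 0)
    Get-ScheduledTask |
        Where-Object { $_.State -ne 'Disabled' -and $_.Principal.LogonType -in 'Password', 'S4U' } |
        Select-Object TaskPath, TaskName,
            @{ Name = 'RunAs';     Expression = { $_.Principal.UserId } },
            @{ Name = 'LogonType'; Expression = { $_.Principal.LogonType } }
}

# Tasks listed here cannot see or close windows on a logged-on user's desktop.
Get-NonInteractiveTasks | Format-Table -AutoSize

# The two principal variants for a hypothetical backup task (path and names are placeholders).
$action  = New-ScheduledTaskAction -Execute 'C:\PLACEHOLDER\BackupTool.exe' -Argument '/profile Nightly'
$trigger = New-ScheduledTaskTrigger -Daily -At 2am
$user    = "$env:USERDOMAIN\$env:USERNAME"

# Interactive: desktop access works, but the task does not fire while the user is logged off.
$interactive = New-ScheduledTaskPrincipal -UserId $user -LogonType Interactive
# S4U: fires with nobody logged on, but runs in Session 0 and cannot reach the user's desktop.
$background  = New-ScheduledTaskPrincipal -UserId $user -LogonType S4U

# -WhatIf previews the registration without changing the system.
Register-ScheduledTask -TaskName 'Example-Backup-LoggedOnOnly' -Action $action -Trigger $trigger -Principal $interactive -WhatIf
Register-ScheduledTask -TaskName 'Example-Backup-Background'   -Action $action -Trigger $trigger -Principal $background  -WhatIf
```

The audit function is the useful part for a defender reviewing an existing machine: any task it lists that expects to interact with a user's applications is subject to the Session 0 limitation described above, and the choice between the two principals is the trade-off the article spells out, desktop access versus running unattended.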
By learning the concept of Windows sessions, we better understand how Windows Vista and later versions use Session 0 to segregate services from user applications, and the possible impact on applications like SyncBackFree/SE/Pro that occasionally require interaction between Session 0 and the user’s session.