Monday, March 05, 2007 11:08 PM
Windows Vista - WinSta0 isolation explained
Time for another security feature in Windows Vista: WinSta0 isolation. The first question that might pop up in your head is "So, what exactly is WinSta0?". Keith Brown has the answer.
The problem with WinSta0 is the possibility for Windows Services to display a UI prompt in the window station. Pre-Vista, this prompt just appears on top of the desktop of the user logged on to the system. Because of this, the service is exceeding its boundary of isolation and the inware user is providing information across that "trust boundary".
Windows Vista reduces this risk by isolating WinSta0 from the active user's desktop; a user has to provide his/her consent to switch to the bare WinSta0 when that screams for attention (which is detected by an executable called UI0Detect.exe as displayed below):
When you see this kind of message, the app you're dealing with has "partial incompatibility with Windows Vista". The message to developers: fix it - Windows doesn't like the old approach anymore! An example I've been faced with in practice is the HP LaserJet 1020 software that uses WinSta0 to show out of paper messages and other printer maintenance messages.
In this post, I'm showing you the code for a demo of a WinSta0 isolation demo I gave some time ago, together with demonstration instructions.
Step 1 - Creating an interactive Windows Service
So, for sake of the demo, let's create something we really shouldn't have created: an interactive Windows Service. Open Visual Studio 2005 and create a new Windows Service project called "WinSta0Inspector" in C#:
Next, go to Service1.cs and change the service name to WinSta0Inspector:
Right-click the designer surface and choose Add Installer. This will create a new file ProjectInstaller.cs that makes the executable installutil.exe-able. In there, select the serviceProcessInstaller1 "control" and set the Account property to Local System (to make things really bad):
In order to make the service interactive, we'll create a simple Windows Form. Right click the project in the Solution Explorer, choose Add New Item and add a Windows Form called ExecuteCommand.cs. Design it so that it looks like this:
Hook up event handlers for both LinkLabels, with definitions like this:
private void linkLabel1_LinkClicked(object sender, LinkLabelLinkClickedEventArgs e)
private void linkLabel2_LinkClicked(object sender, LinkLabelLinkClickedEventArgs e)
DialogResult = DialogResult.OK;
Don't forget to import System.Diagnostics in order to have access to the Process class. Now go back to Service1.cs and switch to the code view. Define the Service1 class as follows:
public partial class Service1 : ServiceBase
private ExecuteCommand dialog = new ExecuteCommand();
protected override void OnStart(string args)
protected override void OnCustomCommand(int command)
MessageBox.Show("Welcome to WinSta0.", "WinSta0 is calling you!", MessageBoxButtons.OK, MessageBoxIcon.Exclamation);
You'll need to import System.Windows.Forms to have access to MessageBox. This completes our interactive service.
Step 2 - Installing it
Compile the solution and switch to a Visual Studio 2005 Command Prompt which runs elevated with administrator privileges. Install the service using installutil -i WinSta0Inspector.exe. Then open the Services MMC snap-in (services.msc), locate the WinSta0Inspector service and change its properties to make it interactive:
Command-line freaks could also use the following command to install the service directly as an interactive service; no need to run installtutil then, just do this:
sc create WinSta0Inspector binPath= WinSta0Inspector.exe type= interact DisplayName= "WinSta0 Inspector"
Step 3 - Action!
In order to see it in action, start the service and send it a custom command. You could write another app to send the custom command using the System.Service.ServiceController::ExecuteCommand method, but sc.exe has everything we need:
First, we started the service using net start WinSta0Inspector. Next, we sent a command to the service by using sc control WinSta0Inspector 129 (valid commands should be higher than 128, other values are system-reserved). Right away you'll see the Interactive services dialog detection dialog popping up in the background:
Click Show me the message and Vista will bring you to the raw WinSta0 environment which should look somewhat like this:
Press OK in our message box; the WinForms dialog will show up now:
Feel free to take a look around WinSta0 using the command-prompt link on the form. For example, run whoami /all to find out about your SYSTEM power :-)
If you have a hacker's mindset you might find HKLM\SECURITY\SAM an attractive place to visit while you're the Windows übermensch :o. Below you can see a few other screenshots of what it is like to be in WinSta0 (e.g. how did I create the screenshots?):
| Digg It
Filed under: Security, Windows Vista