INFO: Services, Desktops, and Window Stations (171890)

SUMMARY

A Microsoft Windows NT, Windows 2000, and Windows XP service has a Window station and Desktop combination associated with it. This is based on which account the service is running in:

If the service is running in the LocalSystem account and is not interactive (that is, the service type does not include the SERVICE_INTERACTIVE_PROCESS flag), the service will use the following Window station and Desktop:
Service-0x0-3e7$\default
where "Service-0x0-3e7$" is the name of the Window station and "default" is the name of the desktop.

This is a noninteractive Window station.
If the service is running in the LocalSystem account and is interacting with the desktop (that is, the service type includes the SERVICE_INTERACTIVE_PROCESS flag), the service will use the following Window station and Desktop:
Winsta0\default
This is an interactive Window station.
If the service is running in the security context of a user account, the system will create a unique noninteractive Window station and Desktop for that service. The name of the Window station will be based on the Logon Security Identifier (SID) of the user:

Service-0xZ1-Z2$\default where Z1 is the high part and Z2 is the low part of the Logon SID.

Additionally, two services that are running in the same security context (same service account name) will not receive the same Window station and Desktop because Logon Security Identifier's(SID) are unique to that logon session.

MORE INFORMATION

A Window station can either be interactive or noninteractive. (Only "Winsta0" can be an interactive Window station.) Any Desktops that are created on the interactive Window station can become active. An active Desktop encompasses the ability for user objects (such as windows and dialog boxes) created on the Desktop to be visible to the interactively logged-on user (that is, the user who logs on the system by pressing CTRL-ALT-DELETE) and receive user input.

When the interactively logged-on user launches any processes, these processes are associated with the "default" Desktop in the "Winsta0" Window station. The "default" Desktop is considered the active Desktop. A process on the active Desktop could switch Desktops such that another Desktop becomes the active Desktop such as the "Winlogon" Desktop. Only one Desktop can be the active Desktop at any one time. The SwitchDesktop API can be used to activate a desktop. For more information, see the Platform SDK online documentation.

Desktops associated with a noninteractive Window station can create user objects. These objects will never be visible to the interactively logged-on user and will never receive any user input. If you have a noninteractive Service running in the LocalSystem account, any user objects created by the service will not be visible to the interactively logged-on user. Additionally, any processes that are launched by the service will also not be visible.

Following is other important information concerning Window stations and desktops:

Window messages can only be sent between processes on the same Desktop. They cannot be sent across processes associated with different Desktops.
Application-defined hooks are limited in the same way that Windows messages are. The hook procedure of a process running in a particular desktop will only get messages targeted for windows created in the same desktop.

For additional information, click the article number below to view the article in the Microsoft Knowledge Base:

327618 INFO: Security, Services and the Interactive Desktop