0

Is it just me, or do GUI windows not show up in the SYSTEM account session?

I don't want to interact with them, but they need to pop up since I have a script that interacts with the windows in an automated way.

I built a script that needs to interact with a software's windows to gather information. This works perfectly when done in a user's session, but the problem is that when run via SCCM and the "system" session (which is what we want since we don't want the user to see it happen), the software starts but its windows are not generated apparently, therefore the script hangs.

Is it possible to somehow enable interactive windows to appear while it runs in SYSTEM session?

Rakha
  • 2
    If it's a program, you can enable it via "Allow users to interact with this program"; in an application it is called "Allow users to view and interact with the program installation". But this of course is against your concept of "not wanting the user to see it happen", and it is just conceptually impossible to have it interactive and not interactive at the same time. In general it is a bad idea to do UI interaction via script, so if at all possible I would advise finding a better way, but I know that it is not always possible. Maybe try allowing the UI in SCCM, then hide it with the script. – Syberdoor Aug 03 '19 at 12:29
  • Yes, in the end we gave up and used another way of detecting the data. However, it seems people misunderstand my question. It's not about doing anything in the user session. The question is only regarding whether or not GUI windows pop up in the SYSTEM session, which it seems they do not. Everything is set to run in the SYSTEM account, but for some reason it would seem that GUI windows don't show in that session. Am I correct in thinking this? – Rakha Aug 05 '19 at 11:47
  • 1
    I think the problem that leads to the misunderstanding is that SCCM allows for some kind of hybrid approach. So you can start the program in the system session, and then it will have no GUI because of session-0 isolation, and no form of UI interaction will work (because that is kind of one of the points of the concept). But you can also start the program with system rights in the user session, and then it would work. The reason this was misunderstood is probably that in the SCCM UI the session is never mentioned in the options; it is implicitly chosen based on the settings I named and on whether a user has to be logged on. – Syberdoor Aug 05 '19 at 13:29
  • Yes, exactly. So I think this all confirms that no GUI happens in session 0. – Rakha Aug 05 '19 at 13:44
  • 2
    I think for practical reasons we can say that's true. Technically I think it is a lot more complicated (I don't know, e.g., if the option all system services have, "Allow service to interact with desktop", disables the session-0 isolation or just uses another session, because which session something runs in is not all that trivial in Windows), but these technicalities have really little use in real-world scenarios. I would say MS really wants it to be that way, and if it is in any way possible to bypass these limitations, it's only with a lot of tricks and hacks that are not a great idea. – Syberdoor Aug 06 '19 at 08:27
  • @Syberdoor good points, thanks. – Rakha Aug 06 '19 at 12:04

2 Answers

2

A little more insight on session 0.

  • Prior to Vista/2008 Server, all services ran in the same session as the first user who logged onto the console - this is Session 0. Well, running user apps and services in this session posed a security risk because services run at elevated privileges and can be targets for malicious code.
  • Now only system processes and services run in Session 0. The first user who logs onto a machine does so in Session 1. Subsequent users log into Session 2, 3, 4, etc. Doing this isolation protects services and system processes from tasks run in this session.
  • Session 0 runs the application in a non-interactive way even if the application is interactive.
  • I noticed the same behavior while running my .vbs using Task Scheduler and when I created a Windows service for my application.
  • Refer to the link below to understand the cases in which an interactive application gets opened in session 0. The example illustrates notepad.exe opened in session 0.

Session0 Thing

Akshay barahate
1

Answer is based on the comments above. The problem is that there are no GUI windows appearing in session-0 (SYSTEM), and it seems to be by design. The program runs but the windows aren't allowed to show apparently. So it's advised to find another way to gather the data if you ever encounter this situation.

Rakha
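A guard for the situation discussed in this thread, as an added example that is not code from any of the posts: the script checks which session it is running in before attempting GUI automation, and waits for the target's main window with a timeout so it fails cleanly instead of hanging. The function names and the target path are hypothetical placeholders; a job started with SYSTEM rights inside the logged-on user's session reports a non-zero session ID and passes the check.

```powershell
# Added example. Test-InteractiveSession, Wait-MainWindow and $target are
# hypothetical names chosen for illustration.
function Test-InteractiveSession {
    # Session 0 hosts services and SYSTEM-context jobs; windows created there
    # are not shown on a logged-on user's desktop.
    $sessionId = [System.Diagnostics.Process]::GetCurrentProcess().SessionId
    [pscustomobject]@{
        SessionId       = $sessionId
        User            = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
        UserInteractive = [Environment]::UserInteractive
        CanAutomateGui  = ($sessionId -ne 0) -and [Environment]::UserInteractive
    }
}

function Wait-MainWindow {
    param(
        [Parameter(Mandatory)] [System.Diagnostics.Process] $Process,
        [int] $TimeoutSeconds = 30
    )
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    while ((Get-Date) -lt $deadline) {
        if ($Process.HasExited) { return $false }
        $Process.Refresh()   # MainWindowHandle is cached until Refresh() is called
        if ($Process.MainWindowHandle -ne [IntPtr]::Zero) { return $true }
        Start-Sleep -Milliseconds 500
    }
    return $false            # no window appeared: report it rather than hang
}

$ctx = Test-InteractiveSession
if (-not $ctx.CanAutomateGui) {
    Write-Error "Session $($ctx.SessionId) as $($ctx.User): no interactive desktop, skipping GUI automation."
    exit 2
}

$target = 'C:\Path\To\Application.exe'   # placeholder for the software being automated
$proc = Start-Process -FilePath $target -PassThru
try {
    if (Wait-MainWindow -Process $proc -TimeoutSeconds 20) {
        Write-Output "Main window present (handle $($proc.MainWindowHandle)); automation can proceed."
    } else {
        Write-Error "No main window within the timeout; aborting."
        exit 3
    }
} finally {
    if (-not $proc.HasExited) { $proc.Kill() }
}
```

Distinct exit codes for "wrong session" and "window never appeared" let the deployment tool's logs show which of the two conditions stopped the run.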