This post covers the basics of some concepts that can be pretty confusing even at the best of times – Sessions, Desktops and Windows Stations. So let’s dive right in …
A session consists of all of the processes and other system objects that represent a single user’s logon session. These objects include all windows, desktops and windows stations. A desktop is a session-specific paged pool area and loads in the kernel memory space. This area is where session-private GUI objects are allocated from. A windows station is basically a security boundary to contain desktops and processes. So, a session may contain more than one Windows Station and each windows station can have multiple desktops.
Only one windows station is permitted to interact with the user at the console; this is called Winsta0. Under Winsta0 there are three desktops loaded: Winlogon (the logon screen), Default (the user desktop) and Disconnect. All three of these have separate logical displays, which is why your main desktop disappears if you lock the workstation. When you lock the workstation, the display switches from Default to Winlogon and there is no user interaction between the two. In Windows Vista this is even a bit more extreme. When you get a UAC prompt for instance, it takes a screenshot of your Default desktop and then displays it dimmed out behind the UAC window in the foreground. The UAC window is part of the Secure Desktop (new for Vista and similar to the logon desktop) and will not allow you to interact with the Default desktop until you provide input.
Other windows stations exist that do not interact with the user. For example, services load under the ‘Service-0x0-3e7$’ non-interactive windows station. The exceptions to this are services that need to interact with the console user, so these load into Winsta0 instead.
All pages mapped to a specific user use the same memory pages, but each user has their own session space mapped in virtual memory. Session space is divided into four different areas:
- Session Structure – Memory management control structures including session Working Set List.
- Session Image Space – holds a private copy of Win32k.sys modified data, a single copy of Win32k.sys code and unmodified data and various session drivers.
- Session View Space – session mapped views including desktop heap
- Session Paged Pool – paged pool memory used for this session
As mentioned above, a desktop is an object under which a logical display surface loads. This contains windows, menus and hooks. Session 0 is the base session where services run and is typically also the console session. In Windows Vista this has been changed to exclusively run services, and the console session is typically Session 1. The diagrams below show the relationships between sessions, windows stations, desktops and services in Windows Vista as compared to earlier operating systems (this is from our earlier post on Session 0 Application Compatibility Issues)
- KB126962 “Out of Memory” error message appears when you have a large number of programs running
- KB142676 Overcoming User32.dll Initialization Failure Errors
- NT Debugging Blog: Desktop Heap Overview
Microsoft, Windows, Sessions, Desktop, Windows Stations, Architecture, Knowledgebase