Windows connect to session 0

TABLE OF CONTENTS

• What is Session 0?
• Deploy FireDaemon Zero and ZeroInput
• Reinstall your graphics drivers to avoid Session 0 black screen
• Fully patch Microsoft Windows
• Use specific service user accounts to avoid application issues on Session 0
• Keyboard and mouse does not work on Session 0 on Windows 10, 11, Server 2016, 2019, and 2022
• Session 0 is inaccessible on Windows Server Core variants
• Interactive Services Detection Service removed On Windows 10 Version 1803, 11, Server 2019, and 2022
• RDP Behaviour Changes on Windows 10, Server 2019, and 2022
• Legacy Console Mode
• Operating System Choice Considerations
• RDP Disconnections, Freezes and Hangs
  • Workaround 1
  • Workaround 2

What is Session 0?

Session 0 is a specialised Windows Session where all aspects of a Windows and FireDaemon Pro services including interactive GUI components (e.g. windows, dialogs, popups etc.) and other aspects (e.g. mapped drives, environment variables etc.) are displayed/instantiated in complete isolation from your regularly logged in Windows desktop session. This segregation is intentional, by design and enforced by the operating system. Session 0 Isolation first appeared in Windows Vista and Server 2008 to mitigate various security risks including shatter attacks. Session 0 Isolation is not present on earlier versions of Microsoft Windows, including Windows XP and Server 2003.

The Interactive Services Detection Service (UI0Detect) is a built-in Windows service that, when enabled, allows you to switch back and forth between your currently logged-in desktop session and session 0. The UI0Detect service has been removed from the most recent versions of Windows 10, 11, Server 2019, and Server 2022.

«Features» to note about Session 0:

1. You cannot log in to it directly — you must switch to it — akin to Fast User Switching or Switch User
2. It is «user-less» meaning there is no specific user account associated directly with Session 0
3. It has no «normal» session characteristics (e.g. Windows Explorer, 3D graphics acceleration, screen saver, screen lock and so forth)
4. It is inaccessible by default on all Windows installations. It must be enabled
5. Once enabled, you may be greeted with the Windows default Session 0 «nag dialog» in your logged-in session task tray. Use this dialog to switch to Session 0.
6. You may see errors or warnings in the Windows Event Logs concerning services running interactively in Session 0 being «invalid», «in error» or «disallowed». These can generally be safely ignored
7. You may lose all network connectivity if you switch to Session 0. This can be problematic if you are using RDP or other remote control software
8. You may see a black screen when you switch to Session 0
9. You may see badly redrawn application windows and dialogs on Session 0
10. You will be automatically logged out after 30 seconds of inactivity and returned to the Windows Login screen. If connecting via RDP, your RDP session will be terminated
11. If you are running Windows 10, 11, Server 2016, 2019, or 2022 your keyboard and mouse will be completely ignored on Session 0 (i.e. your keyboard and mouse will appear to not work)
12. Session 0 is available but inaccessible on Windows Server Core and other «headless» Windows operating system
13. Legacy applications that do not have an application manifest and cannot elevate properly may not work as expected when run under FireDaemon Pro, especially those that require UAC virtualization
14. Cut and paste between user sessions and Session 0 may not work.

Use specific service user accounts to avoid application issues on Session 0

Windows Services can run under a variety of user credentials. When using FireDaemon Pro the application will be run by default as the user LocalSystem. This account is a specialised highly privileged user account used by the Windows Service Control Manager. Running as this account might cause your application to not work properly. If you experience application issues, you should try and run the service as the specific user under which you installed the software originally. That user should always be a member of the local or domain administrator group, especially if your service is to interact with the desktop on Session 0. You can change the FireDaemon Pro Windows Service Logon Account in the logon section of that particular service.

Keyboard and mouse does not work on Session 0 on Windows 10, 11, Server 2016, 2019, and 2022

If you switch to Session 0 on Windows 10, 11, Server 2016, 2019, or 2022 your keyboard and mouse will not work. Please refer to this articlefor a detailed discussion and possible workarounds.

Session 0 is inaccessible on Windows Server Core variants

Server Core is the headless version of Microsoft Windows. Server Core is designed to be centrally managed via Server Manager. You can enable RDP on Server Core (via the sconfig utility) however, once you RDP in, you will only be presented with a single command prompt. Additionally, many GUI-based applications are not installed, or if they are installed you will need to launch them via the command line manually. Note that the Interactive Services Detection Service (UI0Detect) is not installed at all on Server Core. Whilst it’s possible to install FireDaemon Pro and set up FireDaemon Pro-based services, it’s impossible to switch to Session 0 by virtue of the Interactive Services Detection Service (UI0Detect) and all supporting features being absent.

Interactive Services Detection Service removed On Windows 10 Version 1803, 11, Server 2019, and 2022

Microsoft has removed the Interactive Services Detection Service (UI0Detect) on Windows 10 Version 1803, Windows 11, Server 2019 or later versions of Microsoft Windows.

RDP Behaviour Changes on Windows 10, Server 2019, and 2022

In the past, you could simply RDP to your machine and switch desktop to Session 0. The latest releases of Windows 10, 11, Server 2019, and 2022 impose the following restrictions:

• On Windows 10 1809 and Server 2019 when you switch back from Session 0 you will be returned to the Windows login prompt.
• On Server 2019, if you switch to Session 0 on the console session, all RDP sessions may freeze and may be terminated.
• On Windows 10 1903 and later, Server 2019, and Server 2022 or later you can now no longer switch desktop to Session 0 via RDP. Your RDP session will be terminated. You will need to use an alternate remote control product that provides access to the Windows Console Session such as VMware Remote Console, TeamViewer, TSplus or TightVNC. These products allow you to access your machine’s console session. If you use TightVNC ensure you deploy the DFMirage driver to ensure console applications running on Session 0 are displayed properly.
  

Legacy Console Mode

Recent versions of Microsoft Windows have a new console application mode which means console-based applications may not be displayed at all on Session 0. To ensure console applications are displayed properly you may need to enable Legacy Console Mode. This is set on a user-by-user basis. So if you are running an interactive FireDaemon Pro service then you will need to set this via the registry or manually. To set via the registry, logon as the user you intend to run the service as and set HKEY_CURRENT_USER\Console\ForceV2 to 0. Otherwise, you can set Legacy Console Mode by logging into your computer, starting a Windows Command Prompt then setting the Legacy Console Mode as per the screenshot below (right-click the top left icon in the Command Prompt):

Картинка с сайта: kb.firedaemon.com

Operating System Choice Considerations

If it’s imperative for you to continue to have access to Session 0 to manage your Interactive Windows service, then you still have the following options available to you (i.e. the operating system still has the UI0Detect / Interactive Services Detection Service present):

• Deploy Windows 8.1 or any version of Windows 10 up to and including Windows 10 1709.
• Deploy Windows 10 LTSC / LTSB instead of the retail version of Windows 10
• Deploy Server 2012 R2 or Server 2016.

RDP Disconnections, Freezes and Hangs

You may experience the following when switching to Session 0 over RDP:

• Your RDP Session will be immediately terminated or appear to hang
• You won’t be able to connect to the server again for a significant amount of time (e.g. 20+ minutes)
• All applications running in Session 0 that utilise the Microsoft message queue will freeze during that time, resuming once the blockage self-corrects.

This is a known bug in Microsoft Windows (specifically observed Windows Server operating systems). This is due to either the RDP display driver running on Session 0 crashing or the RDP User Mode Port Redirector crashing. Check the Windows Event logs to determine what is failing. This issue might also be caused by VMware’s SVGA Driver. Please see this article Switching to Session 0 Causes Desktop Failure on VMware Virtual Machines. We have no fix for this situation. Sorry about that. Try the following workarounds to see if they alleviate the problem:

Workaround 1

• Cease using RDP to connect to your machine entirely
• Use an alternate remote control product that gives you access to your machine’s console session, such as your hypervisor VM console (e.g. VMware vSphere Web Console or VMRC), TeamViewer, TSplus or TightVNC. Ensure you thoroughly test your setup to ensure access to your server and switching to Session 0 works as expected.

Workaround 2

• Ensure Windows is fully patched — everything — don’t skip anything
• Ensure you upgrade your network card and graphics drivers to the very latest available
• If your operating system is virtualised ensure your hypervisor is fully patched and you have the latest helper tools installed (e.g. VMware Tools)
• Ensure you have 3D hardware acceleration enabled for your video adapter (e.g. enable accelerate 3D graphics in VMware virtual machines and allocate at least 512MB to guest graphics memory)
• Ensure you are using the latest version of the RDP client (10.2 or later). If you are RDP’ing to Server 2016 or 2019 ensure you do so from Windows 10, 11 or other Server 2016 or 2019 computers. Avoid Windows 7, 8, or 8.1 RDP clients if possible.
• When you RDP to the problem server, ensure you have disabled all forms of drive, printer, clipboard, and audio mapping and redirection across the RDP session. This can be achieved by changing settings in your RDP client via Group Policy or Local Policy on the remote server. The screenshot below shows what needs to be changed in your RDP client configuration.

Картинка с сайта: kb.firedaemon.com

Картинка с сайта: kb.firedaemon.com