Tuesday, April 28, 2015

Remote Desktop Surprise: WTSGetActiveConsoleSessionId Possibly Unreliable

Native Windows developers should be aware that it's possible for zero (only seen from service), one, or multiple users to be logged onto a computer while their application is running. The WTSGetActiveConsoleSessionId API function can be used to get the session ID of the user physically logged in at the console... or can it?

Even if no user has logged in at the console since the machine rebooted, Remote Desktop creates a pseudo-session that belongs to nobody. (It does have a few of the critical processes, like winlogon, running in it.) This wouldn't be much of a problem, except that it is the ID of that session that is returned by the function in question. So, if you create a process on the session returned by this function, you'll create a window that nobody can ever see if the user is logged on with Remote Desktop.

This makes sense, considering that the function's name includes console, but I really wish it would return the "no user logged on" value of -1 rather than the ID of a useless session.

No comments:

Post a Comment