APP: Application Compatibility – Session 0 Isolation (Windows Vista +)





Description: Session 0 Isolation is a feature of Windows Vista and later operating systems. In previous versions of Windows, services ran by default in the same session as the first user to log on, called Session 0 (session zero). This poses a security and reliability threat, because services run at an elevated level and can potentially interact with the logged-on user's processes. In Windows Vista and newer, services run by default in Session 0, and all user logons run in subsequent sessions. In addition, Session 0 is marked as non-interactive, which should prevent many attack vectors.


 


Scoping the Issue:  Session 0 Isolation will typically be transparent and cause no noticeable difference in system operation. However, some custom or third-party services are written to require user or desktop interaction and will not be able to do this on Windows Vista or newer.
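
One way to scope this on a given machine, as an added example that is not part of the original article: the function below (a hypothetical name, Get-Session0ServiceAudit) lists services configured to interact with the desktop and any service process found running outside Session 0. It assumes PowerShell 3.0 or later and uses only the standard Win32_Service WMI class and Get-Process.

```powershell
# Added example: list services whose configuration or runtime state matters
# for Session 0 isolation. Assumes PowerShell 3.0+ (Get-CimInstance); on
# PowerShell 2.0, Get-WmiObject Win32_Service returns the same properties.
function Get-Session0ServiceAudit {
    [CmdletBinding()]
    param()

    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        # Map a running service to the session of its host process.
        $sessionId = $null
        if ($svc.ProcessId -gt 0) {
            $proc = Get-Process -Id $svc.ProcessId -ErrorAction SilentlyContinue
            if ($proc) { $sessionId = $proc.SessionId }
        }

        # DesktopInteract is the "Allow service to interact with desktop"
        # setting: such a service expects a user desktop in its own session.
        $finding = if ($svc.DesktopInteract) {
            'Configured to interact with the desktop'
        } elseif ($null -ne $sessionId -and $sessionId -ne 0) {
            'Service process is running outside Session 0'
        } else {
            $null
        }

        if ($finding) {
            [pscustomobject]@{
                Name      = $svc.Name
                State     = $svc.State
                Account   = $svc.StartName
                ProcessId = $svc.ProcessId
                SessionId = $sessionId
                Finding   = $finding
            }
        }
    }
}

Get-Session0ServiceAudit | Sort-Object Finding, Name | Format-Table -AutoSize
```

The check only finds services that declare desktop interaction in their configuration; a service that creates user interface without that setting has to be identified from its behavior or its code.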


 


 


Data Gathering:  In all instances, collect either MPS Reports with the General, Internet and Networking, Business Networks and Server Components diagnostics, or a Performance-oriented MSDT manifest.


 


Troubleshooting / Resolution:  If the application or service in question was developed in-house, consulting with the appropriate Developer Support group within Microsoft is recommended.  If the application or service is third-party, the third-party vendor should open a case with Microsoft Developer Support to modify the code to work properly on modern operating systems.  In the unlikely event that a Microsoft service will not run properly on Windows Vista or later operating systems as a result of Session 0 isolation, a case can be opened with either the group that owns that service or the Windows Performance Team as a starting point.


 


Additional Resources: