The Core Technologies Blog

Professional Software for Windows Services / 24×7 Operation

Q&A: Why doesn’t “Allow service to interact with desktop” work?

  Our legacy Windows Service shows an alert box when it fails to print a document on our server 2012 R2 controller.

I went into the service, clicked on the properties and set it to be able to interact with the desktop. How come I still can’t see the alert windows? Do I need to change something else?

Allow service to interact with desktop

— Justin F.

Hi Justin.

Unfortunately that setting is from a bygone time. It no longer does what you expect. Let me explain.

Old versions of Windows supported interactive services

Old versions of Windows support interactive services

In Windows NT, 2000, XP and Server 2003 it was reasonable (and occasionally encouraged) for a service to create windows and other graphical elements. It was possible for someone logging in to the PC to see a service’s windows, happily intermingling with conventional applications on his desktop (like Word and Excel).

On those old operating systems, the “Allow service to interact with desktop” setting controlled the visibility of the service’s interface. If checked, the first person logging into the PC would see the service’s windows. If unchecked, the windows would not be visible. In short, the checkbox made sense.

However, in the mid-2000s, the concept of interactive services was exposed as a security risk. Hackers developed rogue Windows Services that would invade the desktop, requesting passwords, installing dangerous software and ultimately compromising a healthy computer. Those so called shatter attacks (because they visibly shatter the user’s secure environment) emerged as a serious threat.

Fortunately the folks in Redmond were quick to respond.

Interactive services are crippled (or eliminated) in current editions of Windows

Interactive services are crippled in current editions of Windows

Microsoft plugged the shatter attack security hole in Windows Vista. The remedy — known as Session 0 Isolation — is an architectural change that prevents a service’s windows from showing up on a regular desktop. Going forward, windows created by a service would be effectively hidden.

The change profoundly diminished the utility of the “Allow service to interact with desktop” option. Checking the box still enables a service to show its windows, but only on the hidden Session 0 desktop.

The reality is that on or off, the checkbox cannot empower a Windows Service to show itself on your own desktop.

But all is not lost for your situation…

However you can still see alerts from your service since you’re on Windows Server 2012

In versions of Windows where Session 0 is accessible — specifically Windows 8.1/8 and Server 2016/2012 — you can see the alerts from your service. You have to switch to Session 0 to see them though.

To make that possible:

  1. Enable interactive services.

    Start Regedit, navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Windows and change the value of NoInteractiveServices from 1 to 0:

    Enable interactive services registry value
  2. Enable the Interactive Services Detection service.

    Launch Services, open the Interactive Services Detection service and change the Startup type to Automatic or Automatic (Delayed Start):

    Enable the Interactive Services Detection service

With that in place, Windows will pop up a window whenever your service is showing an alert in Session 0:

Interactive Services Detection prompt

Click View the message to switch to the austere Session 0 desktop where you should see your alert window.

And when you’re done, click Return now to go back to the safety of your regular desktop.

Note: There is no way to see your service’s alerts on Windows Server 2019

Unfortunately the solution for Server 2012 will not work on Server 2019 because Microsoft has completely removed access to Session 0 in their newest operating systems. There is simply no way to see an application running on the hidden desktop.

Please keep that in mind before upgrading your server!

Posted in Windows Services | Tagged , , , , | Leave a comment

Leave a Reply

Your email address will not be published. Required fields are marked *