Inside Windows Sessions: A Deep Dive with Pavel

Author

Pavel Yosifovich
Pavel Yosifovich has 25+ years of experience as a software developer, trainer, consultant, author, and speaker. He is co-author of “Windows Internals” and author of “Windows Kernel Programming” and “Windows 10 System Programming”, as well as system and kernel programming courses and the “Windows Internals” series.

Most Windows professionals use sessions every day without realizing the depth of what they are. In this lecture, Pavel Yosifovich, Windows Internals expert and TrainSec instructor, explores sessions from the inside out. He explains not only what a session is but also how Windows uses them to isolate processes, manage desktops, and handle resources like clipboards and atom tables.

Key Takeaways

By watching this video, you will learn:

  • The true definition of a session in Windows and how it differs from a logon session.
  • Why Session 0 is unique and how it is used by system services.
  • How processes are tied to sessions and why they cannot move between them.
  • The structure of a session, including window stations, desktops, clipboards, and atom tables.
  • The security and resource-isolation mechanisms that sessions provide.
  • How tools like Task Manager and Sysinternals WinObj can reveal session internals.

Why This Matters for TrainSec Students

Understanding sessions is a cornerstone of Windows internals knowledge. Many advanced topics, such as security boundaries, malware injection, and forensic analysis, depend on how sessions, window stations, and desktops interact. For anyone aiming to advance in reverse engineering, malware analysis, or Windows security research, this lecture provides essential groundwork.

12 Questions answered in the video: 


1. What are sessions in Windows?

Watch on video: 0:00 – 1:38
In Windows, a session is a kernel object that represents a container for shared resources among processes. Each session isolates processes and resources such as window stations, desktops, clipboard data, and atom tables, ensuring that one user’s or service’s environment does not interfere with another’s.


2. What does the term “session” mean in the context of Windows?

Watch on video: 0:00 – 1:38
The term “session” in Windows refers to a logical grouping of processes tied to a particular logon or system context. For example, Session 0 contains system services, Session 1 could represent an interactive user logged in locally, and Session 2 may represent a remote desktop connection. Each session ensures isolation between these environments.


3. What components exist inside a Windows session?

Watch on video: 0:00 – 1:38
A Windows session contains several important objects:

  • Window stations, which are containers for desktops.
  • Desktops, which are kernel objects used to display windows and manage UI elements.
  • Clipboard, which is isolated per window station.
  • Atom tables, which map strings to integers for use in UI APIs.

These components are shared by all processes within the same session.

4. Why would someone create additional window stations in Windows?

Watch on video: 3:50 – 7:26
Additional window stations can be created to isolate resources such as clipboard data and atom tables. This prevents processes from interfering with each other’s user interface elements and enhances security by ensuring separation of UI contexts.


5. What are desktops in Windows?

Watch on video: 3:50 – 7:26
In Windows, a desktop is a kernel object that provides the surface where windows and UI elements are created and managed. Each window station can contain multiple desktops. Common examples include the default desktop (used for normal user interaction), the Winlogon desktop (used when pressing CTRL+ALT+DELETE), and the screensaver desktop.


6. Where does the CTRL+ALT+DELETE secure screen come from?

Watch on video: 7:26 – 13:30
The CTRL+ALT+DELETE secure screen in Windows comes from the Winlogon desktop, a special protected desktop created by the Winlogon process. This ensures that the login and security options are displayed in a secure, isolated environment.


7. Does the secure screen replace my normal windows?

Watch on video: 7:26 – 13:30
No. When you press CTRL+ALT+DELETE, Windows does not replace your normal windows. Instead, the system uses the SwitchDesktop API to temporarily switch from the default desktop to the Winlogon desktop. Your normal desktop remains intact and is restored when you exit the secure screen.


8. Can another user see my clipboard data in Windows?

Watch on video: 7:26 – 13:30
No. Clipboard data in Windows is isolated per window station. This means that another user in a different session or another process in a separate window station cannot access or paste your clipboard contents.


9. What objects exist within a Windows desktop?

Watch on video: 7:26 – 13:30
A Windows desktop contains several types of objects:

  • Windows, the rectangular UI areas used by applications.
  • Menus, which are specialized windows.
  • Hooks, installed with functions like SetWindowsHookEx, which can intercept messages but only within the same desktop.

These objects make up the visible and interactive components of the desktop environment.

10. Can session information be viewed using tools?

Watch on video: 13:31 – 17:55
Yes. Tools such as Task Manager, WinObj (Sysinternals), and Object Explorer can display session information. These tools allow you to see session IDs, window stations, and named objects associated with each session.


11. Where are named objects like mutexes stored in Windows sessions?

Watch on video: 13:31 – 17:55
Named objects created by processes, such as mutexes, are stored in the session’s BaseNamedObjects directory within the kernel object namespace. Each session has its own directory, ensuring that objects with the same name in different sessions do not conflict.
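
The per-session lookup described above, modelled as an added example (not code from the lecture): it maps the name a process passes to the object manager path you would browse to in WinObj, then reports which names really land on the same object. It goes slightly beyond the text by handling the `Global\` and `Local\` name prefixes and the fact that Session 0 uses the root `\BaseNamedObjects` directory. It assumes non-AppContainer processes, and the PIDs and mutex name are constructed.

```python
from collections import defaultdict

GLOBAL_BNO = "\\BaseNamedObjects"

def resolve_named_object(session_id: int, name: str) -> str:
    """Return the object manager path for `name` as used by a process in `session_id`."""
    # Session 0 uses the root directory; every other session has its own.
    local_bno = GLOBAL_BNO if session_id == 0 else f"\\Sessions\\{session_id}\\BaseNamedObjects"
    if name.startswith("Global\\"):
        directory, leaf = GLOBAL_BNO, name[len("Global\\"):]
    elif name.startswith("Local\\"):
        directory, leaf = local_bno, name[len("Local\\"):]
    else:
        directory, leaf = local_bno, name  # no prefix: the caller's own session
    if not leaf or "\\" in leaf:
        # Other prefixes or embedded backslashes are not modelled here.
        raise ValueError(f"unsupported object name: {name!r}")
    return f"{directory}\\{leaf}"

def find_shared_objects(records):
    """records: (pid, session_id, name) tuples. Return {path: [pids]} for paths used by 2+ PIDs."""
    by_path = defaultdict(list)
    for pid, session_id, name in records:
        by_path[resolve_named_object(session_id, name)].append(pid)
    return {path: pids for path, pids in by_path.items() if len(pids) > 1}

# Constructed sample: the same mutex name used from three sessions.
SAMPLE = [
    (812, 0, "UpdaterLock"),           # service in Session 0
    (4120, 1, "UpdaterLock"),          # interactive user, Session 1
    (6332, 2, "UpdaterLock"),          # remote desktop user, Session 2
    (4188, 1, "Global\\UpdaterLock"),  # explicitly global: same object as PID 812
    (6400, 2, "Local\\UpdaterLock"),   # explicitly local: same object as PID 6332
]

if __name__ == "__main__":
    for pid, sid, name in SAMPLE:
        print(f"{pid:>5}  session {sid}  {name:<20} -> {resolve_named_object(sid, name)}")
    print(find_shared_objects(SAMPLE))
```

When triaging a mutex name from a malware report, this is the path to check in WinObj for each session the sample could be running in.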


12. What are window stations in Windows sessions?

Watch on video: 13:31 – 23:00
Window stations are kernel objects within a session that contain desktops and related resources. Every session has at least one window station, called WinSta0, which is the only interactive one capable of handling input and output. Additional window stations can be created for services or for isolation purposes, but they cannot interact with the user.

Keep Learning with TrainSec

This content is part of the free TrainSec Knowledge Library, where students can deepen their understanding of Windows internals, malware analysis, and reverse engineering. Subscribe for free and continue learning with us: https://trainsec.net/library
