Resolution : Interactive Service Detection!

If you happened to read my earlier post about the malware I suspected had been bothering me for the past month, I got the answer!

Interactive Service Detection!

*****

What is Interactive Services Detection and Why is it Blinking at Me?

UPDATE: If you are a developer (or want nerdy details), please read on. If you’re a Windows user trying to figure out what’s wrong with your PC, please check out my other post: Troubleshooting Interactive Services Detection.

Have you seen this button flashing on the taskbar?

When you click on the button, you get this dialog.

If you click “View the message”, your screen blinks and you are taken to a blank desktop with a couple of dialog boxes.

Why is this Happening?

Services and system processes run in session 0. Prior to Vista, the console (first logged on user’s desktop) ran in session 0 as well. Vista introduced session 0 isolation to protect services from elevation of privilege exploits from the console desktop. Now, the first user’s desktop runs in session 1.

Interactive Services Detection (the blinking button on the taskbar) is a mitigation for legacy applications that detects if a service is trying to interact with the desktop. This is handled by the Interactive Services Detection (UI0Detect) service.

When you choose “View the message”, you are taken to session 0’s desktop and you can only interact with the dialog or message that services have tried to display on the desktop.

Behavior Depends on Your Bits

The Interactive Services Detection service is set to start “manually”. This means that it won’t start automatically when the system boots.

On a 32-bit version of Windows, the OS will detect desktop interaction and start the UI0Detect service and you will see the flashing taskbar button.

On a 64-bit version of Windows, if the service is a native 64-bit application, the OS will not start the UI0Detect service. Therefore, the service that is trying to interact with the desktop will appear to hang. If you need the mitigation for a 64-bit service, you will need to make sure the UI0Detect service is running.

Here’s the really weird part… If you have a 32-bit service on a 64-bit Windows, WOW64 will start the UI0Detect service and you will see the mitigation. The reason for this is that the WOW64 environment will behave as close to native 32-bit as possible – including mitigations. ( Special thanks to Maarten for his assistance on figuring this out.🙂 )
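An added example (not from the original post) that inventories services registered to interact with the desktop and reports whether each binary is 32-bit or 64-bit, which by the rule above decides whether Windows starts UI0Detect for it. It assumes PowerShell 3.0 or later running as a 64-bit process; `Get-ImageBitness` and `Get-ServiceImagePath` are helper names made up for this example.

```powershell
# Hypothetical helper: read IMAGE_FILE_HEADER.Machine from the PE header.
# Run from 64-bit PowerShell, otherwise System32 paths are redirected to SysWOW64.
function Get-ImageBitness([string]$Path) {
    $fs = $null
    try {
        $fs = [System.IO.File]::Open($Path, 'Open', 'Read', 'ReadWrite')
        $br = New-Object System.IO.BinaryReader($fs)
        if ($br.ReadUInt16() -ne 0x5A4D) { return 'not a PE file' }      # 'MZ'
        $fs.Position = 0x3C
        $fs.Position = $br.ReadInt32()                                   # e_lfanew
        if ($br.ReadUInt32() -ne 0x00004550) { return 'not a PE file' }  # 'PE\0\0'
        switch ($br.ReadUInt16()) {
            0x014C  { '32-bit' }    # IMAGE_FILE_MACHINE_I386
            0x8664  { '64-bit' }    # IMAGE_FILE_MACHINE_AMD64
            default { 'other' }
        }
    } catch { 'unreadable' }
    finally { if ($fs) { $fs.Dispose() } }
}

# Hypothetical helper: pull the executable out of a service command line,
# whether it is quoted or followed by arguments.
function Get-ServiceImagePath([string]$PathName) {
    if ($PathName -match '^\s*"([^"]+)"')    { return $Matches[1] }
    if ($PathName -match '^\s*(.+?\.exe)\b') { return $Matches[1] }
    return $null
}

# State of the mitigation itself (the UI0Detect service named in the post).
$ui0 = Get-CimInstance Win32_Service -Filter "Name='UI0Detect'"
if ($ui0) { "UI0Detect: StartMode=$($ui0.StartMode) State=$($ui0.State)" }
else      { 'UI0Detect service is not present on this system.' }

# Services with the "allow service to interact with desktop" flag set.
Get-CimInstance Win32_Service -Filter 'DesktopInteract=TRUE' | ForEach-Object {
    $exe = Get-ServiceImagePath ([Environment]::ExpandEnvironmentVariables("$($_.PathName)"))
    [pscustomobject]@{
        Name    = $_.Name
        State   = $_.State
        Account = $_.StartName
        Image   = $exe
        Bitness = if ($exe -and (Test-Path -LiteralPath $exe)) { Get-ImageBitness $exe } else { 'unknown' }
    }
} | Format-Table -AutoSize
```

A service listed as 64-bit here is a candidate for the "appears to hang" case described above when UI0Detect is not already running.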

A way to play around with Interactive Services Detection is to use the PsExec tool.

For example, if we try this:

> psexec \\localhost -i 0 calc.exe

This will launch the calculator application in session 0. This is a quick way to simulate a service interacting with the desktop. I find this example interesting. PsExec is a 32-bit application. Therefore, UI0Detect will always get started even though calc.exe is 64-bit. Here’s a snip from Process Explorer.

We can see that the UI0Detect service is started in session 0, which creates a new process in session 1. The UI0Detect process in session 1 is the Interactive Service Detection dialog. PSEXESVC.exe is the PsExec command service; note that it is a 32-bit app in session 0. Calc.exe is started in session 0 because we specified session 0 as an argument to PsExec.

Fixing Multiple Issues with One Solution

If a service has this issue, it probably also has an issue with remote desktop services and/or fast user switching. Session 0 isolation, remote desktop services and fast user switching all use the same session isolation plumbing. So, if you fix this issue, you are probably fixing several issues you may not have known you had.

The Services in Windows Vista whitepaper talks about all the changes to services, including Session 0 isolation. Also, check out this classic post on Session 0 Isolation with developer guidance.

*******

Troubleshooting Interactive Services Detection

My earlier post on Interactive Services Detection is very popular. It was targeted toward developers.  Based on the comments I receive, I think most readers are users looking for some help.  If you’re a developer, make sure to check out my previous post. If you are just a user trying to figure out why Interactive Services Detection is blinking at you and how to possibly troubleshoot the issue, this post is for you.

Why is this happening (when I boot; every 5 minutes; intermittently)?

First, some background… There are two main types of “processes” that run on Windows – desktop applications and services.

Desktop applications “interact” with the user through a user interface (windows, dialogs, etc.).

Services run in the “background” and do system stuff and communicate with other applications.

Services should not interact with the user. Windows 7 and Vista have a boundary that isolates services from trying to interact with the user. If the service tries to present some kind of user interface, you will get the Interactive Service Detection flashing toolbar button.

There could be a couple of reasons why this is occurring. However, in most cases, the service experienced an “unhandled exception”. Unhandled exceptions are errors that the programmer didn’t expect and didn’t handle with code. Most people call this a “crash”.

Services generally start at boot time. Therefore, if the service is crashing when it starts, you will see the interactive services detection button at boot time. If you ignore the notification or select “Ask me later”, Interactive Services Detection will notify you again in 5 minutes.

If you only see the Interactive Services Detection intermittently, this is very likely the service crashing due to some unexpected condition. For example, I have 3rd party printer software on my personal laptop that crashes occasionally and I get an Interactive Services Detection notification. I’ll keep the brand name of the printer to myself.

Identifying the Service

As a user, your best option is to identify what service is causing the notification. If you know what software is causing the notification, you can check the manufacturer’s website for an update or contact support.

The first thing to inspect is the Interactive Services Detection dialog. Be sure to click the “Show Program Details” button.

This is a message from a service I created that has an intentional unhandled exception. If you look at the “Program path” this can give you some clues about the service that is crashing. The path can give you the company name, application, and most importantly the executable name. In most cases, you can search for the executable name (e.g. UISampleService.exe) using your favorite search engine.

More Clues

Next, you should select “View the Message”.  This will take you to the “secured desktop” where you can read the message.

Here we can see some additional information about the crash. Collect this information and try searching using some of this information. If this was a real application, I would type the following into a search engine: UISampleService.exe “Microsoft Visual C++ Debug Library” R6010 “abort() has been called” and see if you can find any support articles, fixes, discussions, or updates for the issue.

If you can’t find anything with a search, you may want to consider contacting support for the product that is having the issue. Keep all the information you collected so far to pass along to the support engineer. Also, feel free to point the support engineer to this blog.

Even More Clues…

If it is a crash that is causing the issue, you may also want to investigate what information is being collected.  The best way to see the history of the problem is with Reliability Monitor. Type “reliability” in the Start menu search box and click the “View reliability history” link.

This utility allows you to see the history of all the issues on your computer. If a service is crashing, it should show up here. We can see that there is an entry for my sample crashing service, UISampleService.exe.

In this utility, you can identify when and how often the crash is occurring. You may want to try the “Check for a solution” action for the error.  This will check to see if the application vendor posted a solution for this issue on the Windows Error Reporting system.

The Tile Button is Displayed Too Quickly and I Can’t Click it Fast Enough

I received this question a few times in the comments. Great question! Here’s a technique you can use to troubleshoot the issue. You will need to create a custom view in the event viewer.

From the Start menu search box, type eventvwr to start the Event Viewer.

In the tree view in the left pane, right click Custom Views and select Create Custom View…

In the Custom View dialog, select the “By Source” radio button and then select Interactive Services detection in the “Event sources” drop down box.

Click OK. In the “Save Filter” dialog, name your custom view, e.g. “Interactive Services Detection”. Click OK. You are now configured to capture these events when they occur.

If you ever see the Interactive Services Detection tile appear on the taskbar, you can return to the Event Viewer (eventvwr) and investigate the information that has been logged. Here is an example event where I “tricked” calculator to run in session 0 to cause the issue.
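The same lookup as the custom view above, done from PowerShell, as an added example that is not part of the original post. It uses the event source name shown in the Event Viewer step and assumes nothing else about the events; the grouping at the end shows how often each distinct message has recurred.

```powershell
# Event source name as it appears in the "Event sources" drop-down on this page.
$provider = 'Interactive Services detection'

try {
    # -MaxEvents keeps the query bounded on machines with a long history.
    $events = Get-WinEvent -ProviderName $provider -MaxEvents 200 -ErrorAction Stop
} catch {
    # Raised when the provider is not registered or has not logged anything yet.
    Write-Warning "No events available from '$provider': $($_.Exception.Message)"
    $events = @()
}

# Most recent notifications first, with the full message text of each event.
$events |
    Sort-Object TimeCreated -Descending |
    Select-Object TimeCreated, Id, LogName, Message |
    Format-List

# Recurrence per distinct message: a service that crashes at startup appears once
# per boot, while a notification left on "Ask me later" repeats every 5 minutes.
$events |
    Group-Object Message |
    Sort-Object Count -Descending |
    Select-Object Count,
        @{ n = 'First';   e = { ($_.Group | Measure-Object TimeCreated -Minimum).Minimum } },
        @{ n = 'Last';    e = { ($_.Group | Measure-Object TimeCreated -Maximum).Maximum } },
        @{ n = 'Message'; e = { $_.Name } } |
    Format-Table -Wrap
```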

Can I Disable the Notification?

The short answer is yes but it is not recommended. The likely reason for the notification is there is something wrong with a service on your computer. You can disable the notification but you are not fixing the problem. Some good analogies would be putting black tape over the “Check Engine” warning light on your car dashboard or removing the battery from your smoke detector.

The Interactive Services Detection notification is initiated by the Interactive Services Detection Service. If you disable this service, you will no longer receive the notification for the problem service. Also, you will not receive notification for any misbehaving service on your system.

To disable the service, open the Services control panel by typing services.msc in the Start menu search box.

In the Services control panel, find “Interactive Services Detection” in the list. Click the “stop” button to stop it if it is started.

Double click the Interactive Services Detection entry to open the Properties dialog. Set the “Startup type” to Disabled.

You are now blissfully unaware of any misbehaving services.
