Blog posts for year 2010

News and other things I find interesting




Dec
17
2010

Stackoverflow amongst nofollow web abuse sites

Last modified: Friday, November 16, 2012

Update December 11, 2011: StackOverflow recently implemented removal of nofollow from links on highly rated posts. It is very strict, but it's a start.

Update November 12, 2012: I don't know how many answers have nofollow removed, but I think it's a very, very, very small number. I'd bet much less than 0.1%.

For example see this accepted answer with 74 upvotes from a user with almost 100k reputation. The links are to MSDN (which is probably not spam by definition) and to a quoted source on techbubbles.com.

I personally chose to stop answering questions in the same capacity as I used to for the reasons outlined in this post.

Update November 16, 2012: The link mentioned on November 12th was fixed by StackOverflow's Kevin Montrose. I'm not sure if this had a wide effect on less strict nofollow removal, or if it was special cased to remove the nofollow.


Everyone with any exposure to HTML knows what a link element looks like:

<a href="http://www.brianbondy.com">My Website</a>

This is a link called My Website with a link target of http://www.brianbondy.com. Links like this can be easily marked up with a rel attribute to add extra information about the link. One particular usage of the rel attribute is rel="nofollow".

<a rel="nofollow" href="http://www.brianbondy.com">My Website</a>

The rel="nofollow" attribute and value tell a search engine that the link's target should not gain any ranking benefit from the link.

What problem is nofollow supposed to solve?

nofollow was supposed to allow search engines to detect links on a page which could be subject to spam.

A perfect example of where this is useful would be on a blog site where comments are allowed.

The nofollow convention was created because in theory, if you take away the PageRank benefit from a link's target, spammers should feel discouraged from spamming their links on random blogs.

Who came up with the nofollow convention and who follows it?

Members of Google originally came up with nofollow mainly for blogger.com in 2005. This convention of not affecting page rank of the target was adopted by Google in 2005 and later by Yahoo and Bing as well.

Each search engine has its own interpretation of nofollow but in general they all agree that PageRank should not be attributed to the link's target.

Does nofollow work?

nofollow doesn't solve the problem it was intended to solve.

Spammers still want direct clicks into their site, and they have no guarantee that search engines will actually do as they say and ignore the links, so spamming is still useful to the spammers. Spammers also know that the content of many sites is duplicated on other domains, and sometimes these duplicate sites do not use the nofollow convention.

Repurposing nofollow

Since its inception there have been attempts to repurpose nofollow for paid advertising links. However, this affects an entire market of people who pay for links so that they get the benefit of SEO.

Within a site, nofollow has been used on internal links to indicate pages that aren't as important as other pages, such as the privacy policy page.

What is nofollow abuse?

nofollow abuse is when a site uses nofollow not to indicate potential spam, but instead for its own selfish benefit.

In particular, if a site marks a link as nofollow when credit is due to the attributed source, and the site knows the link is not spam, then you have nofollow abuse.

Does abusing nofollow hurt the Internet?

Yes.

Abusing nofollow means that the sites that should get credit for good content no longer are getting credit for good content. This will in turn mean that you will receive search results that aren't the best possible ones.

Why do sites abuse nofollow?

The problem is that many sites want to be the highest rated site on searches from search engines. When the abusing site refers to sources, they will always mark the links to other sources with nofollow. That way the abusing sites will have a better chance of coming up in searches before the people they are quoting and referring to.

Sites do this for selfish benefit and also because they believe their site has the best content available on the Internet. If it is the best content on the Internet though they shouldn't need to do dirty tricks with nofollow.

Who abuses nofollow?

Many major players do, and many major players do not.

Particularly responsible are those sites with a reputation system in place. The site in particular that I want to talk about is stackoverflow.com.

Stackoverflow is a site for programming Q&A, and the same framework, called StackExchange, is used by many other Q&A sites on a variety of other subjects.

Stackoverflow and the entire StackExchange network are some of the biggest abusers of nofollow.

One of the co-founders and lead developers Jeff Atwood has stated:

You get a followed link in the "website" field of your user profile at 2000 reputation. Beyond that, everything outside the network is nofollowed as a simple matter of standard policy. Exactly like, and for all the same reasons as, Wikipedia.

The heart of the abuse though doesn't come from attributing user pages with a bonus link to their website.

The abuse comes into play when questions and answers link to references that their answers are based on. Links highlighted in orange indicate nofollow abuse.

Abuse number 1

In Jeff's quote above, he doesn't address the fact that Wikipedia and Stackoverflow are very different sites.

Wikipedia organizes its content by topic only. Stackoverflow organizes its content first by topic, and then by author. And each author has a reputation which could be used to determine if their answer is trustworthy. Each answer also gets up-votes which could be used to determine if the answer is trustworthy. Each open question is also not a closed question which counts as well.

Wikipedia adds nofollow to all of their external links, but this does not make them right. They are almost as guilty as Stackoverflow. Stackoverflow is even more guilty because they have a reputation system in place and they know that the users with enough reputation will not spam their site.

Stackoverflow does not want to compete with other sites over Google ranking positions. This is because over 87% of their incoming traffic comes from Google searches as of December 15th, 2010.

More on Stackoverflow nofollow abuse

Jon Skeet, the #1 user on Stackoverflow, has 250k reputation and is immune to many things; however, the links he posts have nofollow. You can see this on his about page, on his questions, on his answers, and on his comments.

Abuse number 1

Even answers which are highly voted up still use nofollow. The issue has been brought up on meta Stackoverflow many times in hopes of solving the abuse but it was declined each time:

nofollow Users with 3000+ reputation? Status Declined!
nofollow Questions of a certain age? Status Declined!

However within 1 hour of a meta post about a bug with nofollow not being added Status Completed!

Sponsored tags on Stackoverflow have nofollow. This is the repurposing of nofollow for paid links that was mentioned above.

The problem is made worse in that all StackExchange sites behave in the same way. And also if you reference Stackoverflow from a StackExchange network they will actually remove the nofollow!

Stackoverflow is a nofollow Hypocrite

On this post entitled Attribution Required Jeff Atwood explains how the content that their community creates, if used, must be linked without nofollow:

By “directly”, I mean each hyperlink must point directly to our domain, and not use a tinyurl or any other form of obfuscation or redirection. Furthermore, the links must not be nofollowed.

This stance is good, it protects the content of the well deserved writers of Stackoverflow such as myself. I am within the top 50 users and hence have spent a lot of my time writing great answers. But these answers are not 100% of my own creation, they often build upon other people and other answers from other sites. It's simply wrong that these other sites are not attributed page rank when I link to them.

When Stackoverflow builds their answers upon other great articles, they fully abuse nofollow. Even when an answer is a complete copy of another page with a reference link, the link will be nofollow.

However when Stackoverflow benefits from not using nofollow they make sure that you don't abuse nofollow. Stackoverflow will always strip nofollow if the link you post is on the Stackoverflow domain or StackExchange network, but it will not strip it for any other attributed site.

Another place where they link back to their site is via the StackExchange flair which they want people to include on their websites. These links of course do not contain a nofollow.

Stackoverflow has always prided themselves as being less evil than experts-exchange.com. And in many ways they are less evil. But one area where this is not true is that nofollow is not used on all links in experts-exchange.

Do all sites abuse nofollow?

No.

Slashdot is an example of a website which does not abuse nofollow.

It is a site which Stackoverflow should look to for inspiration in this respect.

Slashdot has per user karma and they will selectively remove nofollow from trusted sources. I verified this for both their comments and their article posts.

How can we solve this problem?

One thing we can do is raise awareness of nofollow abuse. That way the offending sites may eventually get the point of not abusing nofollow.

I would hope that search engines will be powerful enough to not only ignore nofollow from abusing sites, but even punish these sites for trying to abuse the convention.


Alex on Sunday, December 19, 2010 (10:12:23) says:

Thanks for a great read Brian.

I too believe Stack Overflow goes overboard with the `nofollow` attribute.

Cyril Gupta on Monday, December 20, 2010 (12:12:50) says:

Considering that SO has community generated content, it makes sense for it to give back to the generators.

Joshua Kehn on Monday, December 20, 2010 (11:12:02) says:

Excellent article. I put `nofollow` in comments but nothing else. The stance that links to SO should not have a nofollow rel but links from hypocritical IMO. I believe it's the same reason they are not making new domains for SE sites, keep the PageRank on their domains.

Brian R. Bondy on Monday, December 20, 2010 (11:12:28) says:

@Joshua ya the bottom line is they don't want to implement this change because it could affect their traffic in the long run and hence their revenues.

Truxton on Wednesday, December 22, 2010 (07:12:30) says:

I couldn't agree more with the sentiments of this post. Why Jeff uses WikiPedia as some kind of totem with which to set a standard is beyond me. SO is a Q&A site, WikiPedia is an encyclopaedia there is no comparison other than that there is a wiki-style editor.

The "nofollow" thing truly annoys me and as a frequent visitor (as in I use it every day, almost all day, was a beta user) I rarely see these big spam problems or self-commercial promotion by high-rep users (by that I mean 10-15k+) that Jeff alludes to.

Additionally the community is pretty quick to slap down spam, there's a good self-policing thing going on there.

I continue to use SO because it's a great site and has a great hardcore community that does a good job of maintaining a reasonably high standard. However I have long flipped the bozo bit on Jeff and his wacky ideas, throttling mechanisms and idiotic ideas about email that just get in the way of experienced users going about their business. It's a symptom of Jeff's head no longer being able to fit through his door due to his superstar status. This isn't helped either by the circle of sycophants who prop up his ego in the hope of somehow becoming a moderator or becoming a "valued associate".

I think nofollow could reasonably be removed for users of 10 or 15k+. Let's face it, if you've reached that level of rep then you're an active participant and most likely a good citizen.

Tom Horn on Sunday, December 26, 2010 (06:12:53) says:

Thanks for the post Brian. You make an excellent point. I think a change in this policy based on rep makes perfect sense.

Mitchell Rimland on Wednesday, July 20, 2011 (06:07:51) says:

Great post. I agree 100%. No follow links are not being used with big sites and content farms like crazy so they can either gain Google PR and/or use content from a non-spam-quality-site and not lose link juice. I'm dealing with it in spades on my sites. Total BS. Thanks again for the great post.

Mitch

Donkeytronicus on Monday, November 12, 2012 (09:11:53) says:

Solution: search engines should look at the links that are marked as nofollow, and if a site is found to use it to link to lots of valid links (which it determines through pagerank/etc) then it ignores the nofollow tag for that site. Or downgrades that site. Or something else. Anyways, the major point is, you aren't going to change the behavior of thousands of sites unless it either penalizes them or at the very least doesn't benefit them. The onus is on search engines to figure this out. It's their job.

Paul Reinheimer on Monday, November 12, 2012 (09:11:38) says:

Thanks for taking the time to write all this out, I've been pondering my own blog post for a while.

I see a steady trickle of users to various blog posts of mine from StackOverflow on a few topics, which I enjoy. But I find it offensive that while their users can reference my work as the source of their answers, search engines are specifically blocked from leveraging this.

In one of the meta posts they talked about the tragic results of turning it back on for a while, search engine traffic dropped. In my mind this was the expected result! Once all the various sites that provided great answers were given their due, they started ranking better than SO.

Once I discovered all this, my interest in answering questions on SO, and participating in that ecosystem dropped precipitously.

coconutstudio on Tuesday, November 13, 2012 (01:11:27) says:

I agree with nofollow becoming the standard for all links. Soon, all regular links will become extinct. Then we'll need to add nofollowbutnotaspam attribute.

Mathieu Lemoine on Thursday, November 15, 2012 (01:11:30) says:

Well, just dropping a small note, by the time this article was posted, Google had already announced that the "nofollow" was (at least) partly ignored because it is considered PageRank Sculpting...

Among other sources: http://searchenginewatch.com/article/2067884/Google-Changes-Course-on-Nofollow or a quick Google Search would have shown that to you...

Marc Fielding on Thursday, November 15, 2012 (07:11:34) says:

Actually I just checked and even for me site (http://www.amazingjobs.co.uk) on the SO user profile the link is "nofollow me", and yes that was a shameless plug.





Dec
11
2010

Review of The Myths of Innovation by Scott Berkun

Last modified: Sunday, April 24, 2011

★★★★★ (5 stars out of 5)

As a kid I remember feeling uninspired because there were geniuses out there, and I wasn't one of them.

How can I ever amount to anything when competing with such people?

Although there are people with amazing mental abilities, most of the people I now consider a genius have no special mental ability, just determination and hard work which enabled their breakthroughs.

I wanted to read this book because I spend a significant amount of time learning and doing work, and I figured this book would inspire me to stay along the same path. This book did indeed do what I wanted it to do, but the book covered a lot more as well.

We tend to attribute innovation to a moment's insight or a lucky accident, but the true story behind innovation is much more exciting than the false stories we believe. There is no magic element which allowed past innovations to happen, simply hard work. Hard work which is based upon, and combined with existing hard work. Everyone that does hard work makes mistakes, encounters obstacles, and has failures. The people who succeed are the people that embrace these mistakes and take the opportunity to learn from them.

This book inspires the reader to not only passively consume information and knowledge, but to be a creator instead.

This book also covers many other topics surrounding ideas and innovations including reasons why ideas fail and succeed. An idea needs to be able to fit its surrounding environment for it to succeed, and as an innovator we need to frame the correct problems to solve before trying to solve them.

The author (Scott Berkun) does an excellent job of not blindly giving his opinion, but backing up his claims with sources and situations throughout history. You can see the book The Myths of Innovation here.






Nov
20
2010

Review of HTML5: Up and Running by Mark Pilgrim

Last modified: Sunday, April 24, 2011

★★★★★ (5 stars out of 5)

If like me, the last time you read about HTML you read that XHTML was the future, and you are wondering what happened since then, this book is for you.

Mark Pilgrim does a great job of showing you:

  1. The direction that web standards are going
  2. How web browsers and hence web standards have evolved to get to where they are today
  3. Introduction to the main new HTML5 elements and DOM APIs
  4. How HTML5 is already thriving, and how you can use it today. (Including the Javascript library Modernizr for detecting HTML5 features)

If you work on websites, web apps, have a blog, have a company website, or are just curious about how HTML is evolving, HTML5: Up and Running published by O'Reilly is for you.

Before reading this book I always had the feeling of: “how can I improve my blog and company website”. Now I have a long TODO list of things I know I can do to improve them.

HTML5 was designed around already existing browser features. The latest versions of Safari, Chrome, Firefox, IE9, and Opera all support most HTML5 features, and do it consistently according to what the standard says. Default browsers on iPhone, iPads, and Android phones also support most HTML5 features already, and also do it well. Many parts of HTML5 can be used with fallback methods if HTML5 support does not exist already for older browsers.

This book contains very enjoyable coverage on new HTML5 elements, new DOM APIs, and some other related web technologies. Some topics covered include: canvas, video, local storage, web workers, offline web applications, geolocation API, microformats, and adding semantics to your web pages. The book is a quick read and leaves you feeling that you have learnt something which will help you in the future.

I would have liked to see coverage on Drag-and-drop and also when to use SVG over the new canvas element and canvas APIs.

This book is derived from Dive into HTML5 which is by the author.


Joshua Kehn on Monday, January 31, 2011 (11:01:48) says:

I use the Dive into HTML5 frequently when referencing new features, such as HTML5 video tags. A very good resource, and I'll be picking up the book as soon as I get a chance.





Oct
23
2010

Windows Phone 7 development overview in 2 minutes

Last modified: Thursday, April 28, 2011

For fun I decided to look into Windows Phone 7 (WP7) Operating System (OS) development. Microsoft is definitely trying to reinvent its Mobile image with WP7 and they are spending over $400 million on marketing to do so. WP7 is a fresh platform for Microsoft and competes against iOS, Android, and Blackberry OS.

I currently own an Android HTC phone but I'm not so keen on developing for it since the primary development language is Java. Primarily I'm a Native C++ and .NET developer.

At first I didn't want to even look at WP7, but after spending a few hours reading about it I've changed my initial perception completely. I decided to write my equivalent to "Hello World" which is a Pi Memorize program that I made in MFC around 13 years ago. Pi Memorize is a small tool that helps you learn Pi to 10,000 digits.

WP7 is Microsoft's entirely new mobile OS and it is not compatible with the existing Windows Mobile which was based on Windows CE. WP7 is expected to be released in November of 2010 and unlike iOS and Blackberry OS, it is not a closed platform. Providers of the WP7 OS include HTC, Dell, Samsung, LG, and more. Apps made for Windows Mobile cannot be used directly on WP7.

WP7 development is based on Silverlight 3 (with some features from Silverlight 4), XNA Game Studio, and the .NET Compact Framework 4. I was a little disappointed to see that there is no native development with access to lower level things via writing a hypothetical native VC++ app. Windows Mobile had support for writing native apps with VC++ and also Windows Mobile had support for the .NET Compact Framework. Another missing feature that used to exist is multi-tasking, and finally cut, copy, and paste functionality.

Silverlight is the main way to make an app in WP7. If you don't already know, Silverlight is based on XAML and is similar to Adobe's Flash but has a much nicer development stack (in my opinion). User interfaces in Silverlight are made in a declarative language called Extensible Application Markup Language (XAML). Silverlight is based on WPF and shares its XAML support.

XNA is familiar to game developers for Xbox and it is also based on the .NET Compact Framework.

To publish your application you need to buy a yearly renewable membership for $119 USD. The submission process works by submitting a .xap package which is just a renamed .zip with all of the application files. In order to successfully submit your app there is a known issue where you need to go to http://xbox.com/live and accept the agreement there first. Otherwise the "Submit a Windows Phone 7" button simply redirects you back to App Hub / create.msdn.com.

To get started in development you can download the WP7 development toolkit which includes an emulator, Visual Studio 2010 Express, XNA Game Studio, and the needed WP7 development tools. If you already have Visual Studio 2010 installed it will install the additional tools needed without installing Visual Studio 2010. From the Visual Studio New Project Window, you will notice you have additional tab pages for "XNA Game Studio 4.0" and "Silverlight for Windows Phone".

I developed only a small application, but from start to finish it only took me 5 hours, including downloading and installation, and I've never used Silverlight before; however, I have developed some apps with WPF.

Surprisingly the hardest part of the whole development was simply figuring out how to restrict a user to only be able to type numbers. To do this you can simply use a TextBox.InputScope element:

<TextBox Name="digitsText" TextWrapping="Wrap" Height="340" HorizontalAlignment="Left" Margin="-5,31,0,0" Text="" VerticalAlignment="Top" Width="460" VerticalScrollBarVisibility="Auto" HorizontalScrollBarVisibility="Disabled" DataContext="{Binding}" KeyDown="digitsKeyDown">
  <TextBox.InputScope>  
    <InputScope>
      <InputScopeName NameValue="TelephoneNumber"/>
    </InputScope>
  </TextBox.InputScope>
</TextBox>

This makes it so the textbox input consists of only the characters which are available to you when entering a phone number.

To restrict the keys in that input scope such as #, *, . and space I had to write some code behind via handling the KeyDown event:

private void digitsKeyDown(object sender, KeyEventArgs e)
{
    bool isValid = e.Key >= Key.NumPad0 
                        && e.Key <= Key.NumPad9;

    //Don't allow input if we have # or * or ...
    e.Handled = !isValid;
    //...
}

To embed the actual digits of Pi I simply added an embedded resource to the project called PiDigits.txt which contained Pi to 10,000 digits. I loaded that resource at runtime with the following code into a string variable called correctPiDigits.

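// Requires: using System.IO; using System.Reflection;
Assembly asm = this.GetType().Assembly;
// The resource name is the project's default namespace followed by the file name.
using (Stream stream = asm.GetManifestResourceStream("PiMemorize.PiDigits.txt"))
using (StreamReader reader = new StreamReader(stream))
{
    correctPiDigits = reader.ReadToEnd();
}
//...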

Here are some screenshots of the WP7 app that I made:






Oct
19
2010

Understanding Windows at a deeper level - Sessions, Window Stations, and Desktops

Last modified: Monday, December 10, 2012

This post will answer some very simple questions about how Windows works. This post is meant to be read by people with a technical background, and at parts it will help if you have a little knowledge about programming in Windows.

If you don't fully know the answer to any of the questions below, then you should read this post:

  • Ever wonder what happens when you lock your computer? What happens to all of the open programs? How about your task bar?
  • What is so special about UAC anyway? How do they lock and dim the whole screen? Does it really protect me?
  • Why don't software key loggers work anymore to capture a locked computer's password?
  • What's so special about screen savers? How do they work?
  • How can there be more than one user at a time logged onto the same computer at the same time?
  • How does Terminal Services or Remote Desktop work?
  • Why does your remote computer control software probably suck?
  • What does the "Allow services to interact with desktop" checkbox do on the NT services property page?
  • Why was Vista perceived to be so bad and Windows 7 so good?

To understand how all of the above works, you need to understand the concept of something called Sessions, Window Stations, and Desktops.

Some of the below may be a little heavy, but it's worth learning it to see how Windows really works.

A gentle introduction to Sessions:

Each program you have on your computer is considered a process when it is run. A process is a program which is being executed. Each process consists of the program code, a collection of threads, and other resources relating to the program.

Each process in Windows belongs to a single user who started that process, and each process also belongs to something called a Session. Each Session in Windows hosts a collection of processes, windows, Window Stations, Desktops, and several other resources. Window Stations and Desktops will be covered later in this post.

You can see a list of all of the processes on your computer by going into Task Manager (taskmgr.exe) and clicking on the "Processes" tab. In this list you can see the Username of the user who started the process and also the Session that the process belongs to. By default Windows will not show you the Session each process belongs to but you can easily see it by clicking on the View menu item and then "Select Columns..." Turn on the option "Session ID".

Each process belongs to exactly 1 Session and each Session has a Session ID which identifies it. You cannot change a process' Session after the process is started. In Task Manager you will see at least 1 Session if you are using an operating system below Windows Vista and you will see at least 2 Sessions if you are using an operating system of Vista or above.

In Windows you are not limited to that initial number of Sessions though. There can be many different Sessions. There is a limit that can be reached, but we'll say for the sake of conversation that you can potentially have infinite Sessions.

If you're using Vista or above, the first Session, Session 0 is where all of the NT services are started. The second Session above 0 is where the first logged on user's programs will be started.

More Sessions than what I mentioned will occur anytime you have multiple users logged into the same machine. You can have multiple users logged into the same machine via Terminal Services, Remote Desktop, or multi user logins onto the same machine via switch-user. For each additional login operation that you make, a new Session is made.

You can use CreateProcessAsUser to create a process in another Session. To do this you must use a user token which will contain the associated Session. To set the Session on the user token you can use the Win32 API SetUserToken with a token information class of TokenSessionId.

So to recap, so far we understand that inside your Windows operating system (OS) you have the following:

  • Session 0
    • Process 0.1
    • Process 0.2
    • Process 0.3
    • ...
    • Process 0.N
  • Session 1
    • Process 1.1
    • Process 1.2
    • Process 1.3
    • ...
    • Process 1.N
  • ...
  • Session M
    • Process M.1
    • Process M.2
    • Process M.3
    • ...
    • Process M.N
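
The recap above can be rebuilt from a live machine. The following PowerShell is an added example, not code from the original post; it reads the standard Win32_Process and Win32_Service CIM classes, and the function name Get-SessionProcessTree is made up for illustration.

```powershell
# Added example: list every process under the Session it belongs to, and mark
# the processes that host NT services. Reading these CIM classes needs no elevation.

function Get-SessionProcessTree {
    # Map PID -> names of the NT services hosted in that process
    # (a single svchost.exe can host several services).
    $servicesByPid = @{}
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.ProcessId -gt 0 } |
        ForEach-Object {
            $id = [int]$_.ProcessId
            if (-not $servicesByPid.ContainsKey($id)) { $servicesByPid[$id] = @() }
            $servicesByPid[$id] += $_.Name
        }

    # One output row per process, ordered the same way as the recap list:
    # Session first, then the processes inside it.
    Get-CimInstance -ClassName Win32_Process |
        Sort-Object SessionId, ProcessId |
        ForEach-Object {
            $id = [int]$_.ProcessId
            [pscustomobject]@{
                SessionId = $_.SessionId
                ProcessId = $id
                Name      = $_.Name
                Services  = if ($servicesByPid.ContainsKey($id)) {
                                $servicesByPid[$id] -join ','
                            } else { '' }
            }
        }
}

$tree = Get-SessionProcessTree

# Per-Session summary: how many processes, and how many of them host services.
$tree | Group-Object SessionId | ForEach-Object {
    $serviceHosts = @($_.Group | Where-Object { $_.Services })
    [pscustomobject]@{
        SessionId        = $_.Name
        Processes        = $_.Count
        ServiceProcesses = $serviceHosts.Count
    }
} | Format-Table -AutoSize

# The post says NT services are started in Session 0 on Vista and above.
# This lists any service-hosting process found in another Session so that
# statement can be checked on the machine at hand.
$tree | Where-Object { $_.Services -and $_.SessionId -ne 0 } |
    Format-Table SessionId, ProcessId, Name, Services -AutoSize
```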

How Vista changes how Sessions work:

Before Windows Vista, the first logged in user and the NT services shared the first Session which was Session 0. This Session was also allowed to be interactive.

Windows Vista and above started to put user Sessions separate from NT service Sessions. It also made sure that Session 0 was not interactive.

These changes with Vista were made for security reasons: to ensure that services would be safe from application code. Why do services need to be protected? Because services run at an elevated privilege when run as the System account and hence have access to do things a user program shouldn't be able to control. More on this later in the section: "How to circumvent all security in Windows".

How Sessions worked Pre-Vista with 3 logged on users:

[Diagram: how Sessions work pre-Vista]

How Sessions worked Post-Vista with 3 logged on users:

[Diagram: how Sessions work post-Vista]

The difference of the 2 diagrams being that the first logged on user has his own Session in the Post-Vista diagram.

Window Stations:

Each Session contains a collection of Window Stations, a clipboard, and more. Each Window Station has a name unique to the Session it belongs to, meaning that within a Session each Window Station is unique. Across Sessions two Window Stations can share a name, but they are completely distinct.

You can think of a Window Station as a security boundary. Once a Window Station is created, you cannot change the Session that it belongs to.

Each process belongs to a single Window Station but unlike Sessions vs. Processes, a single process can change its Window Station after startup time.

The following Win32 API can be used to deal with Window Stations: GetProcessWindowStation, SetProcessWindowStation, CreateWindowStation, and OpenWindowStation.

There is one special Window Station called WinSta0 for every Session. WinSta0 is the only Window Station that can display a user interface and receive user input; it uses the keyboard, mouse and display. Other Window Stations cannot display graphical user interfaces nor receive user input.

A process can set a Window Station, to associate itself with, by calling the Win32 API SetProcessWindowStation.
Once a process sets its Window Station it can then access things inside that Window Station such as Desktops, and the clipboard. Desktops will be discussed later.

Each process actually has a parent process. When your process gets started, if you aren't dealing with Window Station code directly it will put you in the same Window Station as your parent process. A process can create new Window Stations with the Win32 API CreateWindowStation.

So to recap, so far we understand that inside your Windows OS you have the following:

  • Session 0
    • Winsta0
      • Some Processes
    • Winsta1
      • Some Processes
    • ...
    • WinstaN
      • Some Processes
  • Session 1
    • Winsta0
      • Some Processes
    • Winsta1
      • Some Processes
    • ...
    • WinstaN
      • Some Processes
  • ...
  • Session M
    • Winsta0
      • Some Processes
    • Winsta1
      • Some Processes
    • ...
    • WinstaN
      • Some Processes

Windows Desktops

Each Window Station contains a collection of Desktops. A Desktop is loaded into kernel memory space and is a logical display surface. Any GUI object is allocated here.

Each Windows Desktop belongs to a single Session and also a single Window Station.

Only one Desktop at a time can be active (displayed) per Session, and by definition it must belong to WinSta0. The active Desktop is called the input Desktop. One can always get a handle to the active Desktop within one's own Session by calling OpenInputDesktop.

WinSta0 has 3 Desktops loaded:

  1. Winlogon (the logon screen)
  2. Default (the user Desktop)
  3. ScreenSaver

There is a 4th Desktop on Vista and higher called the "Secure Desktop" which is used by default in UAC prompts.

When you lock your workstation you perform a Desktop switch from the Default Desktop to the WinLogon Desktop.

As far as NT services go, each NT service that has credentials specified will create its own Window Station and Desktop.

The following Win32 APIs can be used to deal with Desktops:

  • To set a Desktop for a thread you can call SetThreadDesktop
  • A process can create a new Desktop by calling CreateDesktopEx. When a new Desktop is created, it is assigned to the Window Station associated with the calling process.

When starting a process you can specify which Window Station and Desktop to start it in. You can do this with the lpDesktop member of the STARTUPINFO structure. Typically this structure is passed to a function like CreateProcessAsUser or CreateProcess.

So to recap, so far we understand that inside your Windows OS you have the following:

  • Session 0
    • Station Winsta0
      • Desktop Winlogon
        • Some processes
      • Desktop Default
        • Some processes
      • Desktop Screensaver
        • Some processes
      • Desktop UAC
        • Some processes
      • Some other Desktops
        • Some processes
    • Station Winsta1
      • Some other Desktops
        • Some processes
    • ...
    • Station WinstaN
      • Some other Desktops
        • Some processes
  • Session 1
    • Station Winsta0
      • Desktop Winlogon
        • Some processes
      • Desktop Default
        • Some processes
      • Desktop Screensaver
        • Some processes
      • Desktop UAC
        • Some processes
      • Some other Desktops
        • Some processes
    • Station Winsta1
      • Some other Desktops
        • Some processes
    • ...
    • Station WinstaN
      • Some other Desktops
        • Some processes
  • ...
  • Session M
    • Station Winsta0
      • Desktop Winlogon
        • Some processes
      • Desktop Default
        • Some processes
      • Desktop Screensaver
        • Some processes
      • Desktop UAC
        • Some processes
      • Some other Desktops
        • Some processes
    • Station Winsta1
      • Some other Desktops
        • Some processes
    • ...
    • Station WinstaN
      • Some other Desktops
        • Some processes

Mysterious checkbox in the services tab (Optional Read)

There is a little mysterious checkbox that appears in the property page of each of your services called "Allow services to interact with Desktop".

This checkbox decides whether your service will run under the Window Station WinSta0 or under a different Window Station that doesn't allow user interaction. This checkbox is not guaranteed to be supported forever, and will probably eventually disappear, but it is supported up to Windows 7 so far.

This checkbox can be turned on for any service via the registry, so this by itself may be a security risk. So I would think the checkbox will probably be removed.

If this checkbox is ON, then a new Session is created along with a new Window Station called WinSta0. If the service tries to display a GUI, then active user Sessions in front of a GUI will get a notification that there is a GUI on another Desktop trying to be displayed. You can then click on it to view that GUI. A user can also choose to be reminded again in 5 minutes about the GUI notification. When you view this new Desktop it will usually look like a blank screen except for the service GUI itself.

If this checkbox is OFF, and the service tries to display a GUI, nothing will happen to any visible Desktop. The service gets started in Session 0. The GUI calls will succeed but no GUI will ever be shown.
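Because the checkbox can be set through the registry, it is worth auditing. The following is an added example, not code from the original post: it flags services whose Type value under HKLM\SYSTEM\CurrentControlSet\Services has the SERVICE_INTERACTIVE_PROCESS bit (0x100) set. The function names are illustrative and the sample rows are constructed; on Windows it reads the live registry instead.

```python
# Added example; function names are illustrative and SAMPLE is constructed data.
import sys

# Bits of a service's "Type" registry value (names from winsvc.h).
SERVICE_WIN32 = 0x010 | 0x020          # own-process | shared-process service
SERVICE_INTERACTIVE_PROCESS = 0x100    # the "interact with desktop" checkbox

# Constructed sample rows: (service name, Type, ObjectName). Not real services.
SAMPLE = [
    ("ExampleUpdater", 0x110, "LocalSystem"),             # own process + interactive
    ("ExampleAgent", 0x120, None),                        # shared + interactive
    ("ExampleNet", 0x020, r"NT AUTHORITY\LocalService"),  # ordinary service
    ("examplefs", 0x002, None),                           # file system driver
    ("ExampleBroken", None, None),                        # Type value missing
]

def is_interactive(type_value):
    """True for a Win32 service (not a driver) whose interactive bit is set."""
    return (isinstance(type_value, int) and bool(type_value & SERVICE_WIN32)
            and bool(type_value & SERVICE_INTERACTIVE_PROCESS))

def audit(services):
    """Return sorted (name, account) pairs for services that need review."""
    return sorted((name, account or "(ObjectName not set)")
                  for name, type_value, account in services
                  if is_interactive(type_value))

def read_live_services():
    """Windows only: yield (name, Type, ObjectName) for every service key."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"SYSTEM\CurrentControlSet\Services") as root:
        for i in range(winreg.QueryInfoKey(root)[0]):
            name = winreg.EnumKey(root, i)
            try:
                with winreg.OpenKey(root, name) as key:
                    values = {}
                    for wanted in ("Type", "ObjectName"):
                        try:
                            values[wanted] = winreg.QueryValueEx(key, wanted)[0]
                        except FileNotFoundError:
                            values[wanted] = None
            except OSError:
                continue                 # key vanished or access denied
            yield name, values["Type"], values["ObjectName"]

if __name__ == "__main__":
    rows = read_live_services() if sys.platform == "win32" else SAMPLE
    for name, account in audit(rows):
        print(f"{name}: interactive flag set, runs as {account}")
```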

Windows Handles

Windows inside the Windows OS are children of Desktop objects.

A Window is any GUI element and is usually identified by a Windows handle (HWND). It is important to understand where Windows Handles fit into the whole picture because then you can understand what you can do across Desktops and what you cannot do across Desktops.

Communication across Sessions

Depending on the type of communication, inter-Session communication is possible.

Things like pipes, global events, and sockets allow you to communicate across Sessions.

Things like Windows Messages, and local events do not allow you to communicate across Sessions.

As I mentioned earlier Windows Vista made a gigantic change to how Windows works by starting all of the services inside Session 0. This meant that a ton of programs which were built as Windows services and used to display a GUI no longer could display that GUI.

The proper way to display a GUI for service code now is to do some kind of inter-Session communication such as a pipe and have the GUI program be a separate program which communicates with your service.

A second way to display a GUI from a service is to simply launch the process within another user's Session inside Winsta0 and the Default Desktop.

Communication across Desktops

Windows messages are not possible across Desktops. Windows messages are only possible within the same Desktop. As confirmed here: Inter-Desktop communication via message passing is not possible.

This means that Windows Hooks which allow you to monitor and get notifications for any message from another process can only be installed at a Desktop Level.

So a key logger for example wouldn't be allowed to have access to what is typed when a computer is locked in a different Desktop.

After enumerating the Desktops you can enumerate the windows inside each Desktop.
You can use the Win32 API EnumDesktopWindows to enumerate these Desktop windows. The purpose of me telling you this is that this function takes in a handle to a Desktop and it returns to you a handle to the Windows inside that Desktop. This reinforces what I've been saying about Windows being children of Desktops.

How to circumvent all security in Windows

It is actually possible to do anything you want in Windows in any Session, Window Station, or Desktop. The solution is to build a service running on your computer running as the Local System Account.

As long as this service is running elevated via a manifest file, it can obtain the token and linked token of any process in any Session, and start a helper program within that same token to do anything it wishes to. This is probably exactly how Windows Task Manager works.

// UAC creates 2 tokens. The second one is the restricted token and the first one is the one returned by LogonUser.
// Vista and above links the elevated token to the LogonUser token though :))))
// hToken is assumed to be a token handle that was already opened with TOKEN_QUERY access.
HANDLE hLinkedToken = NULL;
TOKEN_LINKED_TOKEN tlt;
DWORD len = 0;
if (GetTokenInformation(hToken
    , TokenLinkedToken
    , &tlt, sizeof(TOKEN_LINKED_TOKEN)
    , &len))
{
    hLinkedToken = tlt.LinkedToken;
    // From here you can start elevated processes.
    // Release hLinkedToken with CloseHandle when it is no longer needed.
}

Tying it all together

Now is the fun part when we can now answer each of the questions in turn:

Ever wonder what happens when you lock your computer? What happens to all of the open programs? How about your task bar?

When you lock your computer you are doing a Desktop switch from the Default Desktop to the Winlogon Desktop which are both within the same Window Station WinSta0. Both Desktops are also within the same Session of course.

This also means that there are many such login screens across Sessions and many different users logged in could each be at their own version of this screen at the same time on the same computer.

What is so special about UAC anyway? How do they lock and dim the whole screen? Does it really protect me?

When you get a UAC prompt, by default what happens is you switch from the Default Desktop to the Secure Desktop. UAC takes a screenshot of your Default Desktop, applies a dim to that image and then displays it behind the UAC window. The UAC window is part of the Secure Desktop. The user can actually set whether UAC prompts should run under the current Desktop (less secure) or the Secure Desktop.

Why don't software key loggers work anymore to capture a locked computer's password?

I remember as a kid writing a key logger and using it at school. I was able to see everyone's login password, then later I could login as them and see all of their files. Since then multi Session operating systems have been introduced though.

Software key loggers are based on Windows Hooks, which work with Windows messages. They get notified for every keystroke that occurs because each keystroke has its own set of Windows messages (key down, key up, key pressed). Since the key logger is started on a different Desktop, it cannot log a password.

I think it would be possible to build such a key logger which would work across Sessions but I'm not aware of any that exist. To learn how, see the section: "How to circumvent all security in Windows"

What's so special about screen savers? How do they work?

There's nothing special about a screensaver. It doesn't hide any of your GUI elements nor draw on top of them. It simply does a Desktop switch to the Screensaver Desktop. Remember, a Desktop is a logical graphical device.

How can there be more than one user at a time logged onto the same computer at the same time?

Easy, each user has its own Session, and each Session contains everything else. Each person using a Session sees their own Desktop which is part of that Session's WinSta0 Window Station.

How does Terminal Services or Remote Desktop work?

Terminal Services and Remote Desktop work by either giving you access to an already open Session, or creating a new Session. Each Session can be in a connected or disconnected state.

Why does your remote computer control software probably suck?

Some remote computer control software (not Terminal Services / Remote Desktop) is not Session aware and only works with the first Session. This includes most VNC servers including FogCreek Copilot.

If you have a multi-Session computer you can't control each Session.

Can a process communicate across different Sessions?

Yes, but you need to use the correct communication means.

Can a process communicate across Desktops with Windows messages?

No.

Why was Vista perceived to be so bad and Windows 7 so good?

Because Windows Vista was the first to implement these changes, it was the operating system that broke existing programs. Many software development companies and their products took a lot of time to implement the changes needed to support Session 0 isolation. Most probably still don't fully understand it.

Since some of the changes weren't made in time, Windows Vista took the hit for looking bad. But of course it was Vista's fault in the first place for breaking compatibility.

I'm not claiming Vista was perfect, it was far from it; however, Vista took more of a hit than it deserved.


asf on Sunday, October 24, 2010 (11:10:05) says:

There are actually two things called a session, a terminal services session and the type of session you didn't talk about; [win]logon session. Processes from different logon sessions can run on the same desktop (RunAs etc)

Benjamin on Sunday, November 07, 2010 (01:11:07) says:

Great post. Thank you. I have some questions.
1. What if a process changes its Window Station? If the process is a GUI app, can the application no longer display a GUI?
2. If so, when should we change Window Station? I haven't ever used the APIs. What processes are in Window Station 1~N?
3. What happens when we log off an account? Will the Session and Window Station, Desktop, Process be destroyed?
What if we log on again as the same account?

He Zhiqiang on Thursday, December 09, 2010 (08:12:26) says:

This post helps me a lot. Thank you!

In the 4th paragraph of the Windows Stations section, the first sentence "There is one special Window Station called Winsta0 for every station", I think it should be "There is one special Window Station called Winsta0 for every session".

A question: Since only WinSta0 can display UI to the user, why should the other stations have Desktops inside? As you have described, these stations have no chance to display UI anyway.

Brian R. Bondy on Sunday, February 06, 2011 (07:02:11) says:

Sorry guys, I do not have all the answers here, but I suggest making an app that can answer it for you.

Kris on Friday, February 17, 2012 (09:02:13) says:

Good article. Is there any easier way to query desktop windows for all sessions or single session?
