http://bugs.winehq.org/show_bug.cgi?id=58588
Bug ID: 58588
Summary: Tokens Acquired from WTSQueryUserToken do not set the session id for the token correctly
Product: Wine
Version: 10.12
Hardware: x86-64
OS: Linux
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: wtsapi32
Assignee: wine-bugs@winehq.org
Reporter: katharina@hacked.xyz
Distribution: ---

A service running under NT AUTHORITY\SYSTEM may use the Windows Terminal Server API to resolve user sessions. This also works on non-terminal servers, that is, normal computers where only one simultaneous session is allowed. My best guess is that Windows internally treats all sessions as terminal service sessions, so this API becomes canon.
If a service wants to then spawn a process attached to this user's session, so that the spawned process is able to open a window showing in the user's session, it may use CreateProcessAsUserW to do this, and supply a token to a user's Windows session.
The general principle is, for example, documented in this Stack Overflow question: https://stackoverflow.com/questions/3128017/launching-a-process-in-user-s-se... A real-world user of this mechanism is the Dassault 3DEXPERIENCE Launcher, which is unfortunately not available without purchase.
The actual source of the token is not terribly important; the code I debugged uses WTSEnumerateSessions in conjunction with WTSQueryUserToken. The latter should return a token that has its session ID set to the current user's session ID; most likely 1.
A reproducer for this bug is available here: https://gitlab.winehq.org/hackathi/wtsqueryusertoken-bug