# Windows service (deployment)

**Status: SHIPPED.** The `PunktfunkHost` LocalSystem SCM service is the end-user way to run the host
on Windows, installed by the signed Inno Setup installer. Sources / details:

- `crates/punktfunk-host/src/windows/service.rs` — the supervisor.
- [`packaging/windows/README.md`](../packaging/windows/README.md) — installer + driver packaging.
- `punktfunk-host service --help` — install / start / stop / status / uninstall.

## Why it works the way it does (the durable rationale)

The host must capture the **secure desktop** (UAC / lock / login) and inject input there. Desktop
Duplication of the secure desktop and `SendInput` both require **SYSTEM**, while capture and injection
require the **interactive console session** — which a plain Session-0 service is *not* in. One process
must therefore be SYSTEM *and* in the interactive session.

The service resolves this the same way Sunshine/Apollo do: it runs as **LocalSystem in Session 0** but
**never captures**. Instead it duplicates its own LocalSystem token, retargets it to the active console
session (`SetTokenInformation(TokenSessionId)`), and launches the host there with
`CreateProcessAsUserW` (`lpDesktop = winsta0\default`) — supervising it across exits and console-session
switches, with a kill-on-close Job Object so a service crash never orphans the SYSTEM host.

`service run` is the **SCM entry point only** — don't run it by hand (it errors with a hint).

## Open item — graceful stop

A service stop currently `TerminateProcess`es the host, which **skips RAII teardown**, so a stale
virtual monitor can linger until the next start. The follow-up is a cooperative-stop signal
(event/pipe) that lets the host unwind cleanly before exit.