unom/punktfunk
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases 4 Wiki Activity
Files
main
punktfunk/design/windows-service.md
T
enricobuehler 7b99b41ede docs(design): trim shipped plans, consolidate cluster, add index 
Much of design/ described work that has since shipped. Trim each doc to
its durable rationale + still-open items (the code is the source of truth
for shipped detail; git history holds the full originals).

- Shipped plans -> status stubs: stats-capture, gamestream-host-plan,
  apple-stage2-presenter, windows-service.
- Trimmed completed-out / open-kept: implementation-plan, hdr-pipeline,
  host-latency, gpu-contention (fixed stale status table), game-library,
  linux-setup (fixed m0->spike + stale zero-copy claim),
  session-aware-host-followups, windows-client-bootstrap,
  windows-dualsense-{scoping,game-detection}, windows-virtual-display,
  security-review (per-finding status table; #12 still open),
  apollo-comparison (shipped backlog collapsed to one-liners).
- Windows-host cluster consolidated: windows-host.md -> redirect into
  windows-host-rewrite.md (whose stale scorecard is corrected -- goal1 is
  merged, M4 done); windows-secure-desktop.md archived (now a fallback
  behind IDD-push primary).
- Kept evergreen: ci.md, gamescope-multiuser.md, windows-build-and-packaging.md.
- New design/README.md: per-doc status table + consolidated open-items
  roll-up so nothing is tracked in only one buried doc.
- Repoint 5 code comments to the archived secure-desktop doc path.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-26 16:39:06 +00:00

1.7 KiB
Raw Permalink Blame History

Windows service (deployment)

Status: SHIPPED. The PunktfunkHost LocalSystem SCM service is the end-user way to run the host on Windows, installed by the signed Inno Setup installer. Sources / details:

  • crates/punktfunk-host/src/windows/service.rs — the supervisor.
  • packaging/windows/README.md — installer + driver packaging.
  • punktfunk-host service --help — install / start / stop / status / uninstall.

Why it works the way it does (the durable rationale)

The host must capture the secure desktop (UAC / lock / login) and inject input there. Desktop Duplication of the secure desktop and SendInput both require SYSTEM, while capture and injection require the interactive console session — which a plain Session-0 service is not in. One process must therefore be SYSTEM and in the interactive session.

The service resolves this the same way Sunshine/Apollo do: it runs as LocalSystem in Session 0 but never captures. Instead it duplicates its own LocalSystem token, retargets it to the active console session (SetTokenInformation(TokenSessionId)), and launches the host there with CreateProcessAsUserW (lpDesktop = winsta0\default) — supervising it across exits and console-session switches, with a kill-on-close Job Object so a service crash never orphans the SYSTEM host.

service run is the SCM entry point only — don't run it by hand (it errors with a hint).

Open item — graceful stop

A service stop currently TerminateProcesses the host, which skips RAII teardown, so a stale virtual monitor can linger until the next start. The follow-up is a cooperative-stop signal (event/pipe) that lets the host unwind cleanly before exit.

Reference in New Issue View Git Blame Copy Permalink