punktfunk/docs/windows-secure-desktop.md

Windows secure-desktop capture — two-process design

Status: design validated, implementation in progress. The WGC animation fix ships and works (host in user-mode); this doc is the plan for adding secure-desktop (UAC / lock / login) coverage on top of it, since WGC and the secure desktop need conflicting process tokens.

The constraint (verified live on the RTX 4090)

• WGC (the composed-desktop capture that fixes frozen HDR animations) will not activate under the SYSTEM account — CreateForMonitor → 0x80070424. Thread-level ImpersonateLoggedOnUser is insufficient (tested: impersonated=true, still 0x80070424). WGC needs the process to run as the interactive user.
• DDA + SendInput on the secure desktop (Winlogon: UAC/lock/login) require LOCAL_SYSTEM (attach to the Winlogon desktop). This is already shipped (task #17) when the host runs as SYSTEM.
• Therefore one process can't do both. Single-process (the simpler design) is out.

Architecture: SYSTEM host + USER-session WGC helper, AU-relay (no shared GPU texture)

• SYSTEM host (the existing m3-host, launched as SYSTEM in interactive Session 1 via the scheduled task → PsExec -s -i 1): owns the punktfunk/1 QUIC session, the single SudoVDA virtual output (+ isolate/restore RAII — the only topology owner), the DDA capture + NVENC encoder for the secure desktop, the single SendInput injector (serves both desktops), and the AU source mux that feeds the QUIC data plane.
• USER-session WGC helper (a new m3-host subcommand, spawned by the SYSTEM host via WTSQueryUserToken(activeConsoleSessionId) → DuplicateTokenEx(TokenPrimary) → CreateProcessAsUserW(lpDesktop="winsta0\\default", CREATE_NO_WINDOW)): runs the existing WGC → scRGB/PQ → NVENC pipeline and ships Annex-B AUs ({data, pts_ns, keyframe}) to the SYSTEM host over a named pipe. It captures the SAME SudoVDA output by GDI name only — it must NOT create its own virtual output / touch display topology (a second topology owner re-triggers the ACCESS_LOST born-lost storm).
• Mux: the SYSTEM host relays the helper's AUs onto QUIC while the input desktop is Default (normal — WGC, HDR/animation-correct), and switches to its own DDA encoder while it's Winlogon (secure — UAC/lock/login). The client sees one continuous stream; the encoder/FEC/AES-GCM/QUIC send path is untouched (same EncodedFrame flow). NVENC re-inits only on a size/format change across the swap (already handled); same-mode is a pointer re-register.
• Input: stays entirely in the SYSTEM host (only it can attach to Winlogon). One windowless SendInput thread, Sunshine's retry-on-failure-only model (cache HDESK thread-local; SendInput first; only on 0-injected re-OpenInputDesktop+SetThreadDesktop and retry once) — serves both desktops with no per-event reattach. (Ctrl+Alt+Del/SAS needs SendSAS, out of scope; clicking UAC Yes/No + typing the login password are plain SendInput on Winlogon.)

Rejected: a shared NT-handle GPU texture (MIC/SDDL pain SYSTEM→user, keyed-mutex ring at 240 Hz, nvenc pointer-cache churn — all for a static lock dialog). AU bytes over a pipe are far simpler.

Detection

DesktopWatcher: a dedicated thread polling the input-desktop NAME at 30–60 Hz — OpenInputDesktop(0,FALSE,0) + GetUserObjectInformationW(UOI_NAME) == "Winlogon" (secure) vs "Default" (normal) → Arc<AtomicU8>. This is the authoritative signal; WTS session notifications miss UAC entirely. (May also register WTSRegisterSessionNotification to short-circuit lock/unlock.)

Implementation steps (each independently buildable/testable on the 4090)

1. DesktopWatcher (capture/desktop_watch.rs, ~40 lines): the poll + atomic. Test: lock / trigger UAC over the existing stream, confirm the atomic flips Default↔Winlogon within a poll interval.
2. SendInput retry-on-failure model (inject/sendinput.rs): replace per-event reattach with the cached-HDESK + retry-once model. Test: normal input unchanged; click UAC + type the lock password land (works today via per-event reattach — this is a refactor).
3. WGC helper subcommand (m3-host wgc-helper or similar): the existing WGC pipeline → NVENC → Annex-B AUs over a named-pipe server. Test standalone: as the user it writes a valid .h265 to the pipe (capturing the SudoVDA output by GDI name, no topology changes).
4. Spawn + relay: SYSTEM host spawns the helper (CreateProcessAsUserW), connects the pipe, relays its AUs onto the live QUIC session. Test: normal-desktop stream sourced via the helper relay.
5. Source mux: relay helper AUs while Default, switch to the host's own DDA encoder while Winlogon (reusing the DesktopWatcher). Test: normal (WGC, HDR) → trigger UAC → stream shows the UAC dialog (DDA) → dismiss → back to WGC; QUIC session stays up throughout. Full-coverage milestone.
6. Relaunch watchdog + soak: SERVICE_CONTROL_SESSIONCHANGE-style relaunch of the helper on console connect/disconnect; soak a few hundred lock/unlock+UAC switches (cf. task #17's 1012-switch run) — no leak / black / disconnect. Cargo features for the fallback: Win32_System_Threading, Win32_System_Pipes, Win32_System_RemoteDesktop.

Risks / notes

• Validate on the real 4090 only (ssh "Enrico Bühler"@192.168.1.174, Session 1 via the Interactive scheduled task) — the headless build VM can't reproduce Winlogon-on-virtual-display or WGC.
• The helper MUST capture the SudoVDA by GDI name and never create a second virtual output (avoids the ACCESS_LOST born-lost storm — one isolate owner = the SYSTEM host).
• Confirm reisolate fires on a FRESH mid-session DDA open at the desktop boundary (task #17 only validated DDA recovery within an already-DDA session).
• Brief one-frame repeat/flicker at the WGC↔DDA boundary is acceptable (the local lock/UAC transition flickers too); never starve the encoder (repeat last frame across the swap gap).
• Pragmatic alternative if full coverage isn't worth the build: PromptOnSecureDesktop=0 (UAC renders on the normal desktop → WGC captures it) covers UAC (not lock/login) with one reversible registry change.