INFO: Changes in WM_TIMER Message Handling

This article was previously published under Q328665
This article has been archived. It is offered "as is" and will no longer be updated.
The SetTimer function creates a timer with a specified time-out value and cannot be used to associate a timer with a window that is owned by another process. The operating system maintains an internal list of timers that are created with the SetTimer function.

When two processes that are running in the interactive desktop have different privileges, the lower-privileged process can post a WM_TIMER message with a pointer to a callback procedure to a window created by a higher-privileged process. The callback procedure executes with the privileges of the higher-privileged service.

By design, all services in the interactive desktop are peers and, as discussed in Knowledge Base article Q327618, are supposed to have the same privileges. Nevertheless, allowing one process to impose a callback function on another process does provide a simple way to misuse services that run with extra privileges. Additionally, there is no reason for services to be able to issue timer functions for other processes.

After you install Windows XP Service Pack 1, WM_TIMER messages are handled differently. The change prevents the handling of WM_TIMER messages that are generated as described earlier in this article: DispatchMessage now validates the contents of a WM_TIMER message when it processes the message. To validate a timer, DispatchMessage verifies that the callback procedure exists in the timer list and that the timer was created by the calling process.
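The two checks described above can be modelled in portable C. This is an added example, not Microsoft code or part of the original article; the structures, function names, process IDs and the `validate` switch are hypothetical simplifications of the timer list and of DispatchMessage.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified model, not Windows source; every name here is hypothetical. */
typedef void (*timer_proc)(void);

struct timer_entry {      /* one row of the system's internal timer list */
    unsigned owner_pid;   /* process that called SetTimer */
    timer_proc proc;      /* callback registered with the timer */
};

struct timer_msg {        /* the part of a WM_TIMER message that matters */
    timer_proc proc;      /* callback pointer carried by the message */
};

static int calls;
static void own_proc(void)    { calls += 1; }
static void other_proc(void)  { calls += 10; }
static void posted_proc(void) { calls += 100; }

/* Constructed list: pid 10 and pid 11 each created one timer. */
static const struct timer_entry timer_list[] = {
    { 10, own_proc },
    { 11, other_proc },
};

/* Returns 1 if the message's callback was invoked, 0 if it was not. */
int dispatch_timer(unsigned caller_pid, const struct timer_msg *m, int validate)
{
    size_t i, n = sizeof timer_list / sizeof timer_list[0];

    if (m->proc == NULL)
        return 0;         /* no callback: left to the window procedure */
    for (i = 0; validate && i < n; i++)
        if (timer_list[i].proc == m->proc &&
            timer_list[i].owner_pid == caller_pid)
            break;        /* callback is listed and owned by the caller */
    if (validate && i == n)
        return 0;         /* fails validation: callback is not run */
    m->proc();            /* runs inside the dispatching process */
    return 1;
}

int main(void)
{
    struct timer_msg posted = { posted_proc };
    printf("unvalidated: %d\n", dispatch_timer(10, &posted, 0));
    printf("validated:   %d\n", dispatch_timer(10, &posted, 1));
    return 0;
}
```

With `validate` set, a callback that is absent from the list, or that is listed under a different process, is never invoked; a timer the dispatching process created itself still fires.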

IMPORTANT: This change does not change the recommendations that are made in Knowledge Base Q327618. Although this change does make it more difficult for one service to use the privileges of another service, the change does not make it impossible. As before, all services in the interactive desktop are peers and ultimately can make requests on each other.

For additional information, click the article number below to view the article in the Microsoft Knowledge Base:

327618 INFO: Security, Services and the Interactive Desktop

For more information about a supposed architectural flaw in Windows, visit the following Web site:

For more information about timers, see the Platform SDK documentation about the SetTimer function.

Article ID: 328665 - Last Review: 02/27/2014 21:15:00 - Revision: 4.4

Microsoft Win32 Application Programming Interface
