ActiveBatch Interactive Desktop Helper

Microsoft has been tightening the ability for a Windows Service to access the desktop. The major reason behind this is that many services operate at elevated privileges and launching windows on the desktop of a non-privileged user offers the possibility of compromising system security.

 

Beginning with Windows Vista, Microsoft added “Interactive Services Detection” (ISD), which intercepts any windows or message boxes launched from a Windows Service and requests that the user specifically confirm interest in examining the window or message box. This causes an "Interactive" ActiveBatch job (jobs are interactive by default) to hang when a message box pops up warning the user that a service (the ActiveBatch Execution Agent) is trying to access the desktop. While the reasons behind this approach are good, the approach itself creates a lot of inconvenience for the user (especially if no one is there monitoring the system to respond to a message box that pops up on the Agent system). Since this Microsoft security feature cannot be disabled, and ASCI cannot use its Service application to create the process, another application (AbatIDH) was written to address this issue.

 

ActiveBatch provides a facility that maintains Microsoft’s security stance but also drastically lessens the inconvenience of ISD. An image named AbatIDH.exe, located in the \bin subdirectory of the ActiveBatch installation, is a program that assists the ActiveBatch Execution Agent when an interactively marked program is scheduled to run. If AbatIDH is running, the Execution Agent communicates with its “helper” and has that program initiate the execution instead of the Windows Execution Agent service.

 

Since AbatIDH needs to run in the context of the interactive user, and only when the interactive user has logged in, it’s important that the following step be performed.

 

To use this facility, create a shortcut for AbatIDH in the Startup folder on your execution machine. Typically the Startup entry will be for the few specific users for whom these interactive applications are executed (as opposed to “All Users”). By adding the shortcut to Startup, the AbatIDH program will be executed whenever that user logs into the machine interactively. AbatIDH resides quietly in the System Tray and also makes announcements when an interactive program is asked to be run.
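
One way to script the Startup step for the currently logged-in user, as an added example that is not part of the ActiveBatch documentation or tooling. The installation path is a placeholder you must replace, the shortcut name AbatIDH.lnk is an assumption, and the signature check only warns because this page does not state whether the binary is Authenticode-signed.

```powershell
# Added example: create a per-user Startup shortcut for AbatIDH.exe.
# Run it as the interactive user who should host the helper, not as an admin
# on behalf of "All Users".
param(
    # Placeholder: set to your ActiveBatch installation directory.
    [string]$InstallDir = 'C:\Path\To\ActiveBatch'
)

# The page places the helper in the \bin subdirectory of the installation.
$target = Join-Path $InstallDir 'bin\AbatIDH.exe'
if (-not (Test-Path -LiteralPath $target -PathType Leaf)) {
    throw "AbatIDH.exe not found at $target"
}

# Anything in Startup runs at every logon of this user, so look at what is
# being registered before registering it. This check is advisory only.
$sig = Get-AuthenticodeSignature -FilePath $target
if ($sig.Status -ne 'Valid') {
    Write-Warning "Authenticode status of $target is '$($sig.Status)'; confirm the file comes from your ActiveBatch installation."
}

# Current user's Startup folder (per-user, as opposed to the common one).
$startup = [Environment]::GetFolderPath('Startup')
$lnkPath = Join-Path $startup 'AbatIDH.lnk'   # shortcut name is an assumption

$shell = New-Object -ComObject WScript.Shell
$lnk = $shell.CreateShortcut($lnkPath)
$lnk.TargetPath = $target
$lnk.WorkingDirectory = Split-Path -Path $target -Parent
$lnk.Description = 'ActiveBatch Interactive Desktop Helper'
$lnk.Save()

# Read the shortcut back so a silent failure does not leave jobs hanging later.
if ($shell.CreateShortcut($lnkPath).TargetPath -ne $target) {
    throw "Shortcut at $lnkPath does not point to $target"
}

# The helper only takes over when it is running in the interactive session.
$session = (Get-Process -Id $PID).SessionId
$running = Get-Process -Name AbatIDH -ErrorAction SilentlyContinue |
    Where-Object { $_.SessionId -eq $session }
if ($running) {
    "AbatIDH is already running in session $session."
} else {
    "AbatIDH is not running in session $session; it will start at this user's next interactive logon."
}
```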

 

Note: If you elect not to use AbatIDH and you are on a system that is running Microsoft’s Interactive Services Detection, you can expect to see the system ask for confirmation of the ActiveBatch Execution Agent service desktop access whenever an interactive application needs to execute.

 

Note: A Process or Script job type with the Run Job Interactively property checked means the job will run interactively. This property is not checked by default. The Jobs Library has a couple of steps (Shell Command, EmbeddedScript) with an Interactive Mode property that means the same thing. Again, the property is not enabled by default.