Hi everyone, I'm new here :-)
As write in the title, which are the technical reason? Is there any work-around (for example give administrative right to the boinc* user..) ?
thanks
michele

There is a technical reason for this, yes. With as far as the developers can see, for now no workaround.

The problem is that when you install BOINC as a service (which the PAE mode is), that it runs with limited user accounts. These limited users are not allowed, by Vista, to handle the video driver framework. Only one display per user is allowed. It's the same bug as to why cuda won't work with the remote desktop: the video overlay is already in use.

So until that's fixed in Vista, there is no way around it other than not to install as a service.

---

Hi,

This is in fact due to design changes in Vista and is the same in Windows 7 - Impact of Session 0 Isolation on Services and Drivers in Windows Vista

This poses a threat to 24/7 crunching when for some reason the computer restarts unattended.

I have had to start utilizing the dreaded autologon feature, which is by default unsecure as the password is stored in clear in registry.

The workaround is to use Autologon for Windows v2.10 as it stores password encrypted.

The next security issue is of course that now the workstation is open to everyone until screensaver is activated (which in turn the unauthorized user can deactivate).

This can be solved by running a (logon)script that immediately locks the workstation.

I would very much like to see other options documented that ensure a close to running as a service funtionality, as a stable 24/7 operations is required (I myself live in an area where there have been 5 power outages in 2008.

Morten

It seems Nvidia have posted a workaround for this problem in

http://forums.nvidia.com/index.php?showtopic=93450 (registration required for the sample download)

I don't have a CUDA-card yet, so I'm not able to testrun it, but I guess some of the readers of this forum will be more than interested in trying this out...

---

Very good.
I this it should be reported to the dev-team: anyone can do it?

I forwarded it to the dev team yesterday. Just forwarded it to the BOINC Dev email list, just in case.

---

Does anyone know if there is a plan to actually implement this? It's been half a year since the OP's suggestion.

One could separate the CPU WUs from the GPU WUs, so that the CPU tasks run under the boinc service with the boinc special account and the GPU WUs simply run under the boinc manager in the user context, as before.

This would increase the security, as only the GPU WUs have access to the user data. Also the CPU WUs would start even if there is no user session.

Of course, an implementation of the session 0 service should be the golden goal. ;)

Of course, an implementation of the session 0 service should be the golden goal. ;)

Which isn't for BOINC to solve, but instead for Microsoft and the GPU (driver) manufacturers to figure out.

Apropos, my CUDA/CAL FAQ now shows why this is:

When I ran BOINC in XP as a service, it would detect the GPU. Now I have Windows Vista or Windows 7, when BOINC is installed as a service it won't detect the GPU. When will you fix that?
It is not something for BOINC to fix. This is a Microsoft security feature, where it stops your user account from running in the same session as your drivers and services are run from.

If it has to be fixed, it will have to come from Microsoft, or the GPU driver manufacturers have to find a way to run their drivers without using them as a service installation.

There's a document on this at Session 0 isolation (Word document, can be loaded in Open Office Writer, not in Wordpad).

An excerpt:
In Microsoft® Windows® XP, Microsoft Windows Server™ 2003, and earlier versions of the Windows operating system, all services run in the same session as the first user who logs on to the console. This session is called Session 0. Running services and user applications together in Session 0 poses a security risk because services run at elevated privilege and therefore are targets for malicious agents who are looking for a way to elevate their own privilege level.

The Microsoft Windows Vista™ operating system mitigates this security risk by isolating services in Session 0 and making Session 0 noninteractive. In Windows Vista, only system processes and services run in Session 0. The first user logs on to Session 1, and subsequent users log on to subsequent sessions. This means that services never run in the same session as users’ applications and are therefore protected from attacks that originate in application code.

What Is Affected
Any applications or drivers that are installed as a service are affected by the following implications. Some drivers are loaded within operating system services or processes that are running in Session 0, and those drivers are also affected by the implications of the Session 0 changes.

---

Thank you George for your clear explanation.

---

Bob Morton
free numerology blogger