Hello - Matthew here; I’m the guy doing most of the talking on the video above. I want to make a couple of clarifications / corrections:
At 3:48 in the video, I said that every window station has multiple desktops associated with it. More accurately, a window station may have multiple window stations associated with it. It also may only have one desktop.
At 13:50, I said that user32.dll is the only DLL that creates objects that come out of session view space.
That should have been “user32.dll is the only DLL that creates objects that come out of desktop heap.” There is another DLL that uses session view space: gdi32.dll. Of course, both of these user mode DLLs are indirect users of session view space. The kernel mode portion of both USER and GDI is implemented in win32k.sys, and it is the component that actually makes the session view allocations.